[kwlug-disc] Security arguments

Insurance Squared Inc. gcooke at insurancesquared.com
Tue Sep 22 10:36:39 EDT 2009

Once again, your 'facts' are fud.

They're talking about defacements as if that's a security breach - or 
more specifically that it's a security breach on linux.  I disagree.

I've suffered two or three defacements through the years.  Every single 
time it's been the result of a mysql injection.  Every single time I 
have suffered a mysql injection it's been due to programming issues - we 
corrected the defacement by changing some php/mysql scripts.

I have had someone take advantage of a weakness in a script to use my 
server to send out spam, many years ago.  Again, all they were doing was 
calling the script with some kooky parameters and the fault was poor 

I have never once had someone breach my servers in any other fashion 
that I can recall.  And my servers are anything but hardened - they're 
pretty much out of the box installs.  But in all the years I've had a 
server online nobody has ever managed to run a script they weren't given 
access to, gain login access, or change anything at the OS level. 

In other words - defacements = programming issues.   Characterizing 
defacements (which are almost always mysql injections) as some sort of 
linux security breach is completely misleading.

The fact is, linux is extremely secure.  10 years of throwing a base 
install of linux on the web with no firewall or real security measures 
and 0 real hacks.  That's pretty secure IMO.


Raul Suarez wrote:
> Hi,
> I made the mistake of making an of the cuff remark regarding web server security without doing my homework.
> One of the arguments from Khalid in his Apache presentation was that there were more Apache servers but still more attacks on windows servers, disproving the theory that Linux is not attacked because it just has a low market share. What I understood was that the IIS breaches were more frequent and more public and I took that understanding at face value.
> Of course I may need to eat my hat as this person brought up this link,
> http://www.h-online.com/news/Linux-web-servers-broken-into-most-often--/110341
> I've said in the past that facts should trump FUD and I've tried to be very objective when talking about Linux to maintain credibility but now I feel that that link breaks one of my "strong" arguments.
> I know that facts and interpretation of the facts aren't always the same thing. Even facts could be perceived differently depending on the angle you look at them at.
> Up until now I've been convinced by what I've seen that Linux is safer than Windows but my Linux experience is on the desktop. Now I realize that I've extrapolated that to servers without having first hand experience.
> The question is clear and open: 
> What are the facts, hopefully statistically based, that prove that Linux Web servers are safer than Windows Web servers?
> Or even that Apache is more secure than IIS?
> I think it's a valid question and one that may help us better position our arguments in favour of Linux.
> Raul Suarez
> Technology consultant
> Software, Hardware and Practices
> _________________
> http://rarsa.blogspot.com/ 
> An eclectic collection of random thoughts

Glenn Cooke
Insurance Squared Inc.

Agent discussion forum: http://www.americaninsurancebroker.com
Free US broker directory: http://directory.americaninsurancebroker.com
Free Canadian broker directory: http://www.canadianinsurancebroker.com
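The "programming issue" Glenn describes above is the classic one: a request parameter spliced straight into a SQL string, so a "kooky parameter" changes the meaning of the query rather than being treated as data. The following is an added illustration, not Glenn's PHP/MySQL scripts or anything from the list; it uses Python's built-in sqlite3 module with a constructed in-memory table so it runs stand-alone, and shows the vulnerable lookup beside the fixed one (input validated and bound as a parameter).

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny 'pages' table standing in for a site's content store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [("Home", "Welcome"), ("About", "About us")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, page_id):
    """The defect: the raw request value becomes part of the SQL text itself."""
    sql = f"SELECT title FROM pages WHERE id = {page_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, page_id):
    """The fix: check the value is what the script expects, then bind it as a
    parameter so the database driver can only ever treat it as data."""
    if not page_id.isdigit():
        raise ValueError("page id must be numeric")
    sql = "SELECT title FROM pages WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(page_id),))]


def demo():
    """Run both lookups on a normal value and on a tampered one; return the outcomes."""
    conn = make_db()
    results = {
        "unsafe_normal": lookup_unsafe(conn, "1"),
        # Tampered value: the unsafe query now matches every row, i.e. its logic changed.
        "unsafe_tampered": lookup_unsafe(conn, "1 OR 1=1"),
        "safe_normal": lookup_safe(conn, "1"),
    }
    try:
        lookup_safe(conn, "1 OR 1=1")
        results["safe_tampered"] = "accepted"
    except ValueError:
        results["safe_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The fix lives entirely in the script, which is the point of the post: nothing about the operating system changes between the two versions.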
