Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
jchw11028yWindows was not designed with a security model. For performance reasons, almost everything was in kernel at first. Before Windows 2000, kernel mode was fully unsecured. Before Windows 8, kernel mode had no signature verification. Everything ran as admin before Vista. Many syscalls had to be hardened to secure the kernel.
Linux and macOS both have much better security stories. Not perfect, but much better. Wayland brings a new level of isolation between apps on Linux, too. Systemd + logind offer a better authentication and authorization system than most other platforms have. Cgroups are and lxc/Docker are entirely on a level of their own. Ubuntu Snaps and Flatpak show an entirely new way to secure the desktop. Almost all packages are signed.
The Linux desktop is still lacking in many ways, but if it were more popular it would likely be much more secure than anything that can be done with current generation Windows. Aside from bugginess, it may already be. -
jchw11028yNot to say that you're wrong- modern OSes are mostly secure enough. Most things nowadays are social engineering. But in this case there were 5 different flaws, remotely exploitable, in a Windows service that's public by default, that allow WannaCry to spread without any interaction. It's not a good look.
-
xia0u658yI'm pretty sure if all people would use Linux then there would be an automation of apt-get update && apt-get upgrade implemented.
Or how is the notification done in ubuntu, mint, fedora, etc? -
curlyDev4698y@jchw the ones they were attacked had windows xp.
They clearly dont care about security or update.... So no money for any "admin guy".
And you can't expect muggles to even understand the complexity...
Hell i dont know if anyone knows what phishing is...
This is a muggle problem that they dont want to learn at all and dont understand that people will steal their information/money. -
jchw11028y@curlyDev That's not entirely true. You are right that only people who were out of date were attacked, but the bug affected almost all versions of Windows. It was patched on March 14th with MS17-010. So if you were not installing security updates, it could easily have impacted you as, for example, a Windows 10 user.
I'm not saying that people are not at fault, but ignoring that Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP have all had the same remote code exploit for this long is unwise. It's a sign of a bigger problem MS has and a reason why they have one of the largest security teams in the world.
The closest similar things on Linux are shellshock, ImageTragick, and Heartbleed. But they all had various special conditions that had to be met to be exploitable - your everyday Linux desktop was safe. SMB 1.0, the exploited module in Windows, is enabled and accessible by default and has been for a very long time. -
sidx6438yI absolutely hate it when people even think that they can compare linux and windows in terms of security. There just no contest here.
-
@jchw I still remember when you could log into any linux os with grub by hitting backspace 23 times. Yeah, what a security record. Dont get me wrong. Linux is great. But wannacry was zser stupidity. Purely. Download the fucking updates. Dont open email attachments. This is basic. And it has been told for 20 years now.
-
@vortexman100 You do realize that WannaCry is also delivered through a remote exploit? But you're right yes!
-
curlyDev4698y@jchw and they attacked after it was made public one month after. Public so anyone had access.
More than tha SMB is disabled in any company i worked so far.
I would really blame Microsoft but they did nothing wrong. Issue was fixed long ago, measures to disable the exploit were.
And i can tell you, heartbleed was waaay worse than any ransomware because you can never know the full extent... What password, what communications were stolent etc.
CVE-2016-5195... Linux bug you can have bigger privilege... An old bug. So nothing is safe.
Exploits will always be around, muggles need to start update their damn devices. -
@linuxxx Yes, eternal blue. But this was fixed by the patch, the common sense advice still stands ;)
-
@curlyDev And ms even gave updates for xp... Its so awesome how spectacular these sysadmins failed.
-
@Jop- There is nothing secure in any operating system. You can exploit everything. Sure, the os makes it harder, but it boils down to what the user does. On linux, most people dont check what they are running as root. Bad admin passwords are users fault and a big reason on both linux and windows for "hacks". Updates. The necessity to restart both os to apply updates. Most people simply cannot restart their servers. This is kinda the users fault too (also linux could support dynamic loading of kernel modules like NT does, but on the windows side there are DLLs so they are on par.) You can kill any os when the user fucks up. This is not a windows only thing.
-
jchw11028y@vortexman100 That is entirely irrelevant - if you have physical access to do that, hardening the system is a much bigger task. You'd not use GRUB, especially not anymore - you'd use EFIstub with Secure Boot and signed kernel modules. Normal machines do not need to do this and can use LUKS for keeping the data safe - you should use crypto if you are securing a physical machine after all, that'll make any GRUB bypass worthless.
Linuxs security story covers remote access and running unprivileged code. It's a narrow, but useful subset of security concerns. It sure beats no security concerns, which is the model Windows began with.
It's not a subjective thing. Windows was designed before the internet and it has taken a lot of evolution to introduce better handling of unprivileged code. UNIX based OSes already had this concern due to the multi tenant nature of UNIX, so they had a massive head start. It's a clearly traceable fact. -
@jchw Yes, but that doesnt mean it stays that way. You have a confirmation bias.
-
jchw11028y@vortexman100 I'm saying Linux has a better security story than the current iteration of Windows, the NT-based versions. I'm not saying one is more secure than the other because that is not quantifiable. A security story represents more than the current state of things because for software development, context matters.
Guessing which will practically have more severe exploits is even harder and basically like playing the stock market. And like playing the stock market, you use past performance, fundamentals and statistics to guess who will win. In that race Linux has more evidence to back its own case.
The SMB 1.0 exploit was patched 2 months before WannaCry. But before it was publicly released it existed since XP, for _decades_. The NT kernel and Windows in general has plenty of legacy code from before Windows was more security consiuous, like the Type1 exploit not so long ago. It's totally fair to use this as a reason to assume it will have more security problems in the future. -
xia0u658y@orto
It might be against the linux philosophy in some way, trur.
But don't you think that for standard users like the grandmother who only does some shopping or the parents who only use the box for mailing or a little office stuff:
I personally think atleast security related updates would be fine.
If you'd spread Linux to EVERYONE then you know you defenately have to build some automatef mechanism to kinda "protect" exactly those type of people.
They just want to shop or w/e and only know how to click the little 'x' on the top right corner of the notification.
You can't give linux to completely everyone, tell them 'you make ALL decisions' and wonder why you get sh1tlo4d of rants because two years later people complaining about their unsecure systems.
Sorry for my bad english. I'm german and just woke up xD -
orto11558y@xia0u
A grandma distribution might come out with that preinstalled.
Most likely you could install a system update scheduler yourself.
However this might be the only way to ensure global security (given the update system itself doesn't have vulnerabilites )
I guess as long as there's choice the community wouldn't complain(to much).
But at no point should Linux have a automatic/remote update system that can't be removed. -
xia0u658y@Jop-
No.
Yes.
I know ubuntu and fedora for example already do automatic updates, but you can turn it off if you like (which is the point).
I do prefer manual updates/upgrades on my machines, tho. -
@Jop- Linux has no autoupdate by default. You can enable that, but most do not do this, because they dont know. Livepatch does not exist. It costs money. And it is not installed by defaut, as is every other technology like livepatch.
-
@Jop- My god. You seem to think that windows is a mess and linux is an unbeatable star - it is not. Windows is fine. Linux is fine. But Linux is not more. It is just an operating system, and can be fucked by the user. Windows can be fucked by the user. And its almost always, if not ever, the users fault. User are dumb. People who use windows, have ON AVERAGE, not the technical background. Poweruser of windows, who would have the experience to run a linux os, dont infect their system eather. Linux has security issues, windows has them too. And both has been exploited by hackers and governments. And both will suffer. And both will be infected, and hacked. All the time. They are tools. Equal. So please drop your bias or give me unbeatable prove that its different. With source code examples. Because the argument its better because "ms is shit"/"it comes from unix so it has to be better"/etc is bullshit.
-
@curlyDev Thing to add though, recently a CIA zero day was exposed and although the exploit works well, it's actually prevented by running SELinux! Yeah, the vuln might exist but it's exploitation is prevented if SELinux is active :).
-
@Jop- That they made it doesn't mean it doesn't do its job but yeah the tor thingy is funny haha!
Related Rants
Rant:
Why in the freezing cold all people think that linux = secure. Ransomware... Bla bla not happening on linux bla bla... Linux is secure.
If Linux would have been the most popular one people will pretty much run everything on root and install every stupid package available and never run: apt-get update.
Users were so dumb they got scammed by a phising mail... In freaking 2017... This is user stupidity not OS fault...
God its stupidly annoying seeing the same stuff : Linux secure...
Everything can be secure if you paid attention to the same stuff in freaking 2000.
undefined
security
muggles
ransomware