Schneier on Security: Linux Security

Schneier on Security: Linux Security

I'm a big fan of the Honeynet Project (and a member of their board of 
directors). They don't have a security product; they do security 
research. Basically, they wire computers up with sensors, put them on 
the Internet, and watch hackers attack them.

They just released a report about the security of Linux:

Recent data from our honeynet sensor grid reveals that the average 
life expectancy to compromise for an unpatched Linux system has 
increased from 72 hours to 3 months. This means that a unpatched 
Linux system with commonly used configurations (such as server builds 
of RedHat 9.0 or Suse 6.2 ) have an online mean life expectancy of 3 
months before being successfully compromised.

This is much greater than that of Windows systems, which have average 
life expectancies on the order of a few minutes.

It's also important to remember that this paper focuses on vulnerable 
systems. The Honeynet researchers deployed almost 20 vulnerable 
systems to monitor hacker tactics, and found that no one was hacking 
the systems. That's the real story: the hackers aren't bothering with 
Linux. Two years ago, a vulnerable Linux system would be hacked in 
less than three days; now it takes three months.

Why? My guess is a combination of two reasons. One, Linux is that 
much more secure than Windows. Two, the bad guys are focusing on 
Windows - more bang for the buck.

Kayode Okeyode
1/6/2005 8:33:34 PM 16608 articles. 3 followers. Follow

0 Replies

Similar Articles

[PageSpeed] 7
Get it on Google Play
Get it on Apple App Store


Similar Artilces:

when is secure, secure?
Lo everyone, I wrote a custom authentication handler for PureFTPD, using a combination of authentication methods, for about 4 different types of users. So far, from testing it, it does look to work properly, and does it's job pretty well (and fast). I use #!/usr/bin/perl -W as well as use Strict, and use warnings, and the code returns no errors or warnings when run. I am right to presume that this basically only really tells me the my syntax and structure of the application is right? What's a good way to see whether it is actually SECURE... There is a couple of lines of...

security too secure
Name: joe Product: Firefox Summary: security too secure Comments: The security thing won't let me in this sight no matter how I accept, confirm, get certificate, etc. Browser Details: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-GB; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4 From URL: Note to readers: Hendrix gives no expectation of a response to this feedback but if you wish to provide one you must BCC (not CC) the sender for them to see it. ...

How secure is secure?
Thanks to this group and all the high tech individuals who frequent it I have learned how to protect my PC from the inside out. But what about security risks to my info 'before' it gets to my computer? Like my mail box on the server. Could someone hack into that and thumb through my mail? If so, how would I ever know? (The short story) We have a rogue employee at my work who one day decided to run the web site, she got in tight with the ISP, got tools to set and delete passwords on a protected directory on the server. Who knows if she has telnet access to other things, li...

Secure By Design: How Guardian Digital Secures EnGarde Secure Linux
"EnGarde Secure Linux is not just another "repackaged" Linux distribution, but a modern open source system built from the ground up to provide secure services in the threatening world of the modern Internet."... ...."The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are freely available with GDSN registration."... -- js ...

How secure is secure enough?
July 28, 2008 (Computerworld) This story originally appeared in Computerworld's print edition. If there is a Holy Grail in the information security industry, it surely is the answer to the question, "How secure is secure enough?" It's a question that many security managers have either avoided answering altogether or tried to quickly sidestep by throwing a fistful of mainly pointless operational metrics at anyone who cared to ask. -- "Never d...

This is a multi-part message in MIME format. --------------080100010401000103080002 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit I'm a Mac user 10.4.8 of Thunderbird & am wondering how "Enabling FIPS" will improve my security? I can't seem to find any explanation of FIPS under Thunderbird help. -- Have a good day R Schwager --------------080100010401000103080002 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Tr...

Secure connections: how secure are they?
*QUOTE* ......... both useful and malicious information can be transmitted via network connections. Standard solutions protect computers against threats present in standard network connections, but aren't able to counter threats present in secure connections. Verifying the contents of a secure connection is impossible by virtue of its secure nature, as demonstrated by the different types of protection listed above. As a result, malicious data within secure channels can cause a significant amount of damage, and sometimes more than if it were to be transmitted via a standard, non-s...

Password it secure?
Yes I just got this baby and I LOVE it! Its great. I have stored all my passwords inside of it (and yes made a few backups from them in secure locations) How secure is this program really? It uses blowfish to encrypt the database but how strong blowfish? 128bits? 256? 448? Anything else I should think about it? I have putted it and its databases inside PGPdisk just to play it safe...but then again Im a paranoid. :) -- Markus Jansson ************************************ My privacy related homepage and PGP keys: ********...

How secure is AuthenticationTypes.Secure?
I understand that AuthenticationTypes.Secure requests secure authentication using Kerberos or NTLM (??). However, here is a scenario I am trying to understand. Let us say that I am having a regular ASP.NET site - with SSL certificates not installed on the web server. The login sends the request out to an AD server which also does not have certificates installed. However, I have set Secure flag to AuthenticationTypes.Secure. When the username and password data gets transmitted between the application and the LDAP server, how secure are the password and username info? In other words is this in...

form security against security
i have a form in my website which is to be filled by user and that form stores in database(sql server 2005). but someone told me that anyone can run script  in textboxes in that form and can damage database, so how to avoid such security lack.  it is common practice to use parameterized sql statements or stored procs to insure you are protected from sql injections attacks. if you concatenate user input directly into a sql statement, then you are at risk.Mike Banavige~~~~~~~~~~~~Need a site code sample in a different language? Try converting it with: http://converte...

F-Secure Readies Security Software For Linux
F-Secure Corp. on Tuesday unveiled security software for open-source Samba file servers and Linux, addressing a need that's growing within the enterprise market. The Finnish company announced the availability of antivirus software for Samba that automatically detects and removes viruses from files stored on the server. The new product is meant to protect all Samba-attached computers from malicious code that could enter the network from a Windows or Linux machine. Next month, F-Secure plans to ship a Linux version of F-Secure Policy Manager, which will extend centrally managed ...

Schneier on Security: The Doghouse: Internet Security Foundation
Schneier on Security: The Doghouse: Internet Security Foundation *********************************************************** Quote *********************************************************** This organization [] wants to sell their tool to view passwords in textboxes "hidden" by asterisks on Windows. They claim it's "a glaring security hole in Microsoft Windows" and a "grave security risk." Their webpage is thick with FUD, and warns that ...

Secure page to Secure page
Name: Jonathan Email: jbeldonatopenwaterloansdotcom Product: Firefox Release Candidate Summary: Secure page to Secure page Comments: I have had several crashes going from a secure page to another secure page. The response I often get is that the page does not exist. This only seems to occur on secure pages. Browser Details: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b4) Gecko/2008030714 Firefox/3.0b4 From URL: ...

To Secure Boot or Not To Secure Boot...
I just bought a new desktop which of course had Windows 8 installed. Just my opinion, but I don't think Windows 8 is the turd it's made out be. I loaded Classic Shell to get the start menu back and it's basically back to normal Windows--except that they've taken away Aero and everything looks like Windows 3.1 again. Regardless, after doing a lot of reading about Secure Boot and the associated problems I wanted to try to dual boot Win 8 with Kubuntu. I never got out of the gate. For some reason I can't get Kubuntu 13.04 to boot from usb or cd with secure ...

Web resources about - Schneier on Security: Linux Security -

Resources last updated: 12/12/2015 8:06:17 PM