
On 10/9/07, Daniel Lawson <daniel(a)meta.net.nz> wrote:
It could just be an SQL injection vulnerability or arbitrary shell command execution vulnerability in some PHP plugin module of some web app framework, yet Linux as a whole gets blamed.
The thing is that Linux these days means what your distro ships with. You could argue that Linux itself is just the kernel, which is not very vulnerable, but it is also useless without programs such as Apache, PHP etc.
If Linux is "what your distro ships with", then you should cut it some slack, because last I checked distros didn't ship with broken (exploitable) PHP code on a public facing webserver.
Yes, and this is part of the flaw: if PHP code is constantly being exploited, doesn't it mean that the language has an issue? It would be interesting to see how much is user code exploits and how much is old software exploits (e.g. how Ubuntu local servers got hacked). I suspect a lot more of the latter, as you can easily use scripts to find these.
Microsoft has put a lot of effort into lowering the attack space with Longhorn and Linux distros could probably learn from this.
I don't really agree with this point, but I'm willing to be swayed. Can you give an example of something that MS is doing that usefully improves security, and which could be applied to a Linux server system?
I'm thinking of a couple of things offhand:
- Server 2008 (and to a lesser degree 2003) has roles where it preselects the components, and only the components, needed for a role.
- Other software, when installed, still won't work (or be hacked) unless you configure it.

I wasn't claiming Microsoft is more secure than Linux at all. I'm saying we can learn from Microsoft, just as they can learn from Linux. Microsoft does some things extremely badly and would be better off doing it the Linux way, e.g. user account security, and it can't really be fixed despite attempts like UAC.

--
Web1: http://wand.net.nz/~iam4/
Web2: http://www.jandi.co.nz
Blog: http://iansblog.jandi.co.nz