Old 01-09-2005, 08:06 PM   #35
Seraph
Quote:
Originally posted by LennonCook:
quote:
Originally posted by Seraph:
quote:
Originally posted by LennonCook:
Not really. It isn't possible to eliminate the viruses and the spyware, but it's definitely possible to reduce the effect it can have. Just look at Linux: most security vulnerabilities in it require someone to be physically sitting at your computer, and be logged in.
The Slapper worm back in 2002 showed just how solid Linux systems are.
One worm. Three years ago. Nothing prior, nothing since. Compare to... how many for Windows?

All I know are the viruses and worms that I've been infected with.
Windows: 0
Linux: 1
I've been running Windows as a home OS for 8 years; I ran Apache on Linux for 6 months and was compromised.

Quote:
quote:
From the standpoint of remote buffer-overruns, all operating systems are
vulnerable to sloppy programming.
Remote buffer overruns are more than sloppy coding. They need bad design for them to be able to be executed remotely, relying only on a computer to be logged in.

Quote:
From the standpoint of social engineering
e-mail worms, all systems are vulnerable to stupid users.
OK, now, why are there stupid users? Mainly because when something goes wrong, Windows says "Something went bang! Go tell Microsoft".
Linux gives you some idea of what went wrong, and possible ways to fix it yourself. Linux teaches you to be able to fix simple problems, Windows encourages stupid users.

Quote:
If you can explain why any software that is going to bind to a port 1-1024 needs to be started as root then I might start to believe in some of the mythical security that Linux has.
If that were true, you would need to start a web browser as root since they bind to port 80. FTP clients, mail clients, GAIM and its kin. They all connect to ports, inbound and outbound, and yet they can be started by anyone who can access the executable. I run aMSN, Thunderbird, Firefox, xChat, ncFTP, and GAIM regularly as me. Check your facts.

I don't know how your system is set up, but if it is anything like 99.99% of the systems out there it will use a process that goes something like this:
Start some program with root privileges, the program binds the port(s), listens, and then calls setuid() and setgid() and friends to drop root privileges. At this point it should still be able to call accept() on the ports, but it will not still have root privileges. However every time you start aMSN, Thunderbird, Firefox, xChat, et al. you are opening a hole that could in theory allow someone who has compromised that program to do all sorts of nasty things. I suspect that you're undergoing the same thing that you accuse Windows users of doing, ignoring things because they are happening outside of plain sight.

Like I originally said, security is all smoke and mirrors. The holes in Linux security are harder to get to, and difficult to exploit, but there are still holes, and I feel it is only a matter of time before someone comes up with a way to get at them.

Quote:
quote:
Other than crappy design there is no good reason why something like Apache needs to be started as root,
How about, it is designed specifically to allow other people to connect directly to your computer? That makes it an admin level function. And this is Windows' mistake - it not only allows anyone to start something like Apache, it has other servers running by default which most people should not need to care or know about. And yet, if they don't disable them, it can cause major problems. Ever wondered why things like trojan droppers can exist?

If you're going to only allow admins to connect to the outside world then you've effectively isolated your computer from the net. It's a heck of a lot more than Apache that suffers from this problem, anything that uses a port below 1024 will need to be started as root. An awful lot can happen between the time that a program starts, and the time that it binds to a port.