but but
I thought governments were all in favour of creating back doors these days.
Hackers caused the Russian Ruble to swing 15 per cent in minutes by hacking a bank with a newly-discovered and highly capable malware. The "Metel" or "Corkow" malware was used to break into the Kazan-based Energobank and place on its behalf some US$500 million (£344 million, A$702 million) in orders, sufficient to swing …
The entire banking industry has been surfing on security principles that date from last millennium.
Looks like a few hundred million are going to have to be removed from bonuses and go to actually securing hardware and transactions a lot more than they are now.
Maybe even ATMs will finally be upgraded from Windows XP Embedded to something secure, like a version of Linux.
In any case, I'm shedding no tears for them. This is a much-needed learning experience, and ATM security has been neglected for far too long.
Yeah sure Pascal because no Linux machines have ever suffered from something called heartbleed.
Linux isn't any more or less secure than Windows, it's the numptys that badly configure both OS's that are to blame for 99% of attack vectors.
You can on the other hand say Linux is more secure by default than Windows, but that still doesn't stop numptys configuring it badly from a security point of view.
"it's the numptys that badly configure both OS's that are to blame for 99% of attack vectors."
Numpties clicking on unsolicited files attached to unsolicited emails is another vector. Tell me again, why Windows is configured out of the box to hide suffixes?
Because Windows is aimed at users who aren't technically astute. Barely any of my users at anywhere I've supported would know what a file extension does, or which ones they shouldn't open (even when they're provided a list). However that has never stopped them going through and removing all the file extensions because "the dot exe made it look untidy".
I use Linux for everything. I'm glad however that my users do not. Because there'd probably be a loud gunshot and then blissful silence.
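The extension-hiding default argued over in the posts above is a single per-user Explorer setting. As an added example (not from this thread or any of its posters), the PowerShell below reports that setting, switches it off so the real extension is displayed, and lists files whose hidden extension would make them look like documents. The registry path and the HideFileExt value name are Explorer's own; the function names and the sample path are assumptions made for this example.

```powershell
# Added example: audit and fix Explorer's "hide extensions for known file types"
# for the current user. Registry location and value name are Explorer's own;
# the function names are assumptions for this example.
$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExtensionHidingState {
    # HideFileExt = 1 means extensions are hidden (the out-of-the-box default), 0 means shown.
    $value = (Get-ItemProperty -Path $AdvancedKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    if ($null -eq $value) { return 'unset (Explorer treats this as hidden)' }
    if ($value -eq 1) { return 'hidden' }
    return 'shown'
}

function Show-FileExtensions {
    # Setting the value to 0 makes Explorer display the real extension, so a file
    # named 'invoice.pdf.exe' no longer appears as 'invoice.pdf'.
    Set-ItemProperty -Path $AdvancedKey -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads the value when it starts, so restart it for the change to take effect.
    Stop-Process -Name explorer -Force
}

function Get-DoubleExtensionSuspects {
    # Defensive check: list files whose visible name (with the extension hidden) looks
    # like a harmless document while the real extension is an executable type.
    param([string]$Path)
    $executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs')
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $executable -contains $_.Extension.ToLower() -and
            [System.IO.Path]::GetExtension($_.BaseName) -ne ''
        } |
        Select-Object FullName, @{ Name = 'ShownAs'; Expression = { $_.BaseName } }
}

"Extension hiding is currently: $(Get-ExtensionHidingState)"
# Usage (sample path, constructed for this example):
# Get-DoubleExtensionSuspects -Path "$env:USERPROFILE\Downloads"
# Show-FileExtensions
```

For a fleet rather than one desktop, the same HideFileExt value is what a Group Policy preference or a configuration baseline would set, and the audit function gives the helpdesk a quick way to spot the "invoice.pdf.exe" pattern that the hidden-extension default makes invisible to users.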
And Windows machines suffered from something even more catastrophic in TLS: CVE-2014-6321 (branded "Winshock" by some)
Linux may or may not have fewer security-critical bugs than Windows.
But applications on Linux definitely have access (and more often than not, actually use) many more technologies for limiting the damage from those bugs; SELinux, ASLR, FORTIFY_SOURCE, stack protector, and so on.
"But applications on Linux definitely have access (and more often than not, actually use) many more technologies for limiting the damage from those bugs"
Nope - Windows has more native technology options in that space:
Attack Surface Reduction (ASR)
Export Address Table Filtering (EAF+)
Data Execution Prevention (DEP)
Structured Execution Handling Overwrite Protection (SEHOP)
NullPage
Heapspray Allocation
Export Address Table Filtering (EAF)
Mandatory Address Space Layout Randomization (ASLR)
Bottom Up ASLR
Load Library Check
Memory Protection Check
Caller Checks
Simulate Execution Flow
Stack Pivot
Control Flow Guard
Protected Processes
Untrusted fonts
Secure Boot
Measured Boot
Virtualization-based security / Hypervisor enforced code integrity
Device Guard
Credential Guard
App Locker
"Attack Surface Reduction (ASR)
Export Address Table Filtering (EAF+)
Data Execution Prevention (DEP)
Structured Execution Handling Overwrite Protection (SEHOP)
NullPage
Heapspray Allocation
Export Address Table Filtering (EAF)"
Did you mention two different versions of "Export Address Table Filtering" twice because it's really good, or did MS simply do half a job the first time around ?
Can you explain how "Untrusted Fonts" work and what vulnerabilities they mitigate ?
"Did you mention two different versions of "Export Address Table Filtering" twice because it's really good, or did MS simply do half a job the first time around ?"
Poisoning the well. Attack mitigation mechanisms are always an arms race against attackers. The original EAF did a good job of blocking a lot of shellcode - it works by trapping read access to the export table, and when the trap is hit, it checks to see if the code attempting the read is in the associated module.
But it was pretty easy to bypass, using e.g. return-into-library. So Microsoft came up with an enhanced version.
That's typical for these things. It's certainly no grounds on which to criticize Microsoft.
The Vogon's list is stupid dick-waving - counting named features is as meaningless a metric as one could hope for. And, frankly, in the greater scheme of things there's not a lot of difference in the protections of this sort offered by Linux and Windows, as they're both based on workstation OSes of the '70s and '80s and their developers pay attention to the mitigation strategies each employs. Compared to, say, a capability OS or an Orange Book B-level OS, they look pretty fucking similar.
Oh, and anyone paying any attention to workstation vulnerabilities for the past decade or two ought to understand Untrusted Fonts. It's an option that says "don't load any fonts into the OS rendering engine if they didn't ship with the OS". And it's an excellent idea, since font rendering has been a huge source of exploits for years - in a number of cases, due to vulnerabilities in code supplied by third parties (such as Adobe).
While it's true that font-rendering vulnerabilities are exacerbated by NT 4's rightly-maligned move of too much of the rendering code into the kernel, an exploit even in unprivileged userland code can have serious security consequences, like injecting keylogging into the user's browser (a great vector for font-rendering exploits, thanks to CSS font faces).
"The Vogon's list is stupid dick-waving"
If you like, but to correct other "stupid dick waving" claiming that Linux was great because there were no solutions in this space on Windows...
Oops, another big hole in GLIBC - less than a year after the GHOST one! So much for those Linux security mitigations...
"If you like, but to correct other "stupid dick waving" claiming that Linux was great because there were no solutions in this space on Windows..."
More stupid dick waving doesn't "correct" anything, it just increases the number of dicks waving.
"The Vogon's list is stupid dick-waving - counting named features is as meaningless a metric as one could hope for."
Precisely why I was being snarky. Giving you an upvote for going to the effort of adding some detail & colour to my snarks. :)
"something secure, like a version of Linux."
But Linux has a far worse security record than Windows for standalone servers like ATMs. If you had said something like OpenBSD you might have had a point, but suggesting that Linux is a more secure option is just laughable.
"But Linux has a far worse security record than Windows for standalone servers "
You have presented bullshit as "Anon" in the hope that gullible readers will accept that for evidence and presumably base their purchasing decisions on said bullshit. That doesn't speak very well about your opinion of the readers some of whom may be potential customers.
"You have presented bullshit as "Anon""
Nope - it's apparently the case that Linux based internet facing servers are more likely to be successfully attacked than Windows based ones. See for instance http://www.zone-h.org/news/id/4737
Or perhaps you can find statistical evidence to refute this? I have yet to see any.
"Or perhaps you can find statistical evidence to refute this? I have yet to see any."
There's no point in presenting statistical evidence; you are bringing up a blog post from 2011 about web site defacements broken down into categories of Linux (all versions ever released by every single vendor out there) and then one category for each version of Windows. Those stats appear to reflect the "market shares" of the time.
All that you've shown is that Linux hosted most defaced websites because there are zillions more Linux hosts out there. That doesn't constitute evidence of "But Linux has a far worse security record than Windows for standalone servers", so I'm not going to waste any more time refuting it.
"All that you've shown is that Linux hosted most defaced websites because there are zillions more Linux hosts out there"
Nope - when you add together all versions of Windows - and then adjust for market share (as per Netcraft) you still find Linux hosts are circa 4 times more likely to be successfully attacked.
"Nope - when you add together all versions of Windows - and then adjust for market share (as per Netcraft) you still find Linux hosts are circa 4 times more likely to be successfully attacked."
To calculate the likelihood of a successful defacement you would need to divide the number of successful defacements by the number of unsuccessful defacement attempts. All you are showing there is that there are more defaced websites on Linux hosts.
To quote the referenced zone-h article from 2011:
"If you are looking at on the stats, the things remain the same: file inclusion, sql injection, webdav attacks and shares misconfiguration are still at the top ranks of the attack methods used by the defacers to gain first access into the server."