Palimax teh ebil Linux Hater!


Palimax Sceleris
03-08-2005, 04:16 AM
I'll take the first step. Here's the all-things-Linux thread. Have at me.

Is IE less secure than Firefox? Yes. Is Firefox bulletproof? No way, Jose.

http://www.i-hack.com/content/images/ie.jpg

http://www.i-hack.com/content/images/mozilla.jpg

System access? Privilege escalation? Say it ain't so, Joe!

Greystone Thorngage
03-08-2005, 08:03 AM
The pie graph also represents the number of ways Palimax has been rejected by women.

fildien
03-08-2005, 08:14 AM
LOL Grey that would have been funnier if you had said that it also shows the many ways Pali has been "taken" by women. ;)

Good stuff though Pali I can't wait to see the comments on this.

Sanchek
03-08-2005, 08:28 AM
Is it just me or does that 11:63 ratio not exactly scream "I told ya so"?

Filatal
03-08-2005, 09:19 AM
http://www.cox-internet.com/dogood/images/Mozilla_crit.png

http://www.cox-internet.com/dogood/images/IE_crit.png

So, over that same period, Secunia has IE running at 41% of security vulnerabilities at > highly critical. Firefox is 100% < highly critical.

But let us consider that this time span is unfair to IE. Let us only examine the time from the very first Security Advisory for Firefox ( Aug 04 ). In that time, Firefox has 11 advisories and IE has 25. 3 of Firefox's 11 do not have at least partial fixes in place yet. 11 of IE's 25 are not fixed ( in all fairness, only 3 of those are of a "moderate" status ).

And that 1 privilege escalation? Reported on 3/1/05. It's fixed.

Fil

TrellDescant
03-08-2005, 09:34 AM
The more people that use Firefox the more people will work on making programs just to exploit it. One of the reasons that IE gets hit so hard and so often is that more people are actively working at fucking it in its pretty little (95% of users) ass.

Grift3r
03-08-2005, 10:05 AM
Well, of the two arguments Filatal's is quite a bit more convincing.

I wonder if there is (or should be) a correlation between the number of man hours into development and the degree of vulnerability of a product. ;)

Rybit
03-08-2005, 11:14 AM
The more people that use Firefox the more people will work on making programs just to exploit it. One of the reasons that IE gets hit so hard and so often is that more people are actively working at fucking it in its pretty little (95% of users) ass.

Reputation! :) - nice observation. It's not so much that Firefox or IE is more secure, but what causes IE to be less "secure" is that Microsoft controls a big part of the browser market, which puts IE in a precarious position. Firefox has a relatively small user base (I use Firefox at home), but it has an advantage over IE when its use is well below IE's.

As Firefox gains more market exposure, there will be more exploits and security advisories arising from its greater use. No code is perfect--especially code written by humans.

Firefox's greatest bane and boon is that it's an open-source project. On one hand, it will be checked comprehensively by users across the world. On the other hand, exposing the code could bring some risk, especially for users of the older versions of Firefox. You cannot also deny the number of people who take advantage of the open source code to find exploits and not report them to Mozilla.

-r

MarzMartini
03-08-2005, 12:01 PM
There should be an Internet Drivers License Test.

That way we don't have people giving all their money to Dr. Nubougi Umbgo of disputed zone, Nigeria or clicking "yes" when the cute "gator" character tells them they've won 25 grand.

The best internet defense is not being a gullible retard.

Roliel
03-08-2005, 12:10 PM
Reputation! - nice observation. It's not so much that Firefox or IE is more secure, but what causes IE to be less "secure" is that Microsoft controls a big part of the browser market, which puts IE in a precarious position.

Well... yeah, that does have an effect on it, but that is by no means the only reason that MS stuff has generally been less secure than Linux/Unix. I can't speak much for their web browsers, but for a long time, Microsoft has favored obscure functionality over security. Think Windows ME...

Travesty
03-08-2005, 12:41 PM
One quick point about internet security and how it correlates to Linux.

At all times in Linux you are logged in as a user, which basically means, you cannot alter the system, without first logging in as administrator.

i.e: -su
password:XXXXXX

Why is this important?

By default, 99% of Windows XP and NT based systems the users are logged in as administrators. Therefore you can alter system files, etc.

This is all an adware/spyware/virus program needs in order to plant itself deep in your computer's registry and really fuck your computer up.

While changing users in Windows sucks, especially if you just need admin access to change a mere firewall or pop-up blocker setting, it is a lot safer than just running in admin mode all the time.

Roliel
03-08-2005, 01:22 PM
Well, additionally, I believe you need to set up a user account that can't make any real changes to the system whatsoever. Specifically, when on the account, you should disallow the installation of *anything* and the changes of any registry files in any program. However, most viruses don't give a shit about account security, as they're designed to work around them at least 75% of the time, and even with those security settings, there are still plenty of ways to let some shit slide into your system.

As far as Windows is concerned, it's mostly safe if you keep updating (I got lazy once after a reinstall, and my computer was fucked with spyware and adware almost instantly ;p), and don't do stupid shit like the stuff Marz mentioned.

Also, WeatherBug is zee devil.

Palimax Sceleris
03-08-2005, 03:40 PM
At all times in Linux you are logged in as a user, which basically means, you cannot alter the system, without first logging in as administrator.

NO! Good management of a Linux system would include not being logged into root or a root equivalent account at all times, but the reality is that many MANY Linux users are logged in as root or the equivalent.

By default, 99% of Windows XP and NT based systems the users are logged in as administrators. Therefore you can alter system files, etc.

NO! Nearly all HOME users are logged into Windows as a local administrator. By default ALL "professional" installations do not make users local administrators. When joining a domain on NT, 2000, or XP/2003, only one group is made a member of local administrators, and that's <domain>\Administrators. The domain administrative group does not contain "normal" domain members. Your suggestion that "all windows users are administrators" is flat out false. All domain-based installations of Windows are by default not inclusive of normal users as administrators. Additionally, when creating users in XP (after the first users), on home systems, you're given the choice as to if the user has elevated privileges or not.

This is all an adware/spyware/virus program needs in order to plant itself deep in your computer's registry and really fuck your computer up.

Equally true in Linux. Similarly not being root doesn't deny a program to end up running in YOUR context, and if you're the primary user, there isn't much distinction.

While changing users in Windows sucks, especially if you just need admin access to change a mere firewall or pop-up blocker setting, it is a lot safer than just running in admin mode all the time.

Or, you could just right-click on something in Windows and choose RUN AS... Why change users? Afraid to use the RUN-AS feature? You think SU-like functions are unique to Linux? Puhleeze.

Rybit
03-08-2005, 04:14 PM
Please try to stay on task. Windows XP vs. Linux is its own thread.

There's an important thing many of you seem to forget: no matter how "secure" a software is, if the user does not know how to adequately protect a system, there's no point in discussing the merits of Windows or Linux system.

People claim that Windows is less secure than Linux because it's not open-source, the users are mostly blockheads, and that Microsoft does not know how to write software. To an extent, some of this is true. But people tend to blame Microsoft more than they deserve. The fact is, administrators have the option to select permissions for a user. You do not have to run your system in Administrator mode all the time. Windows XP allows you to create standard, regular users who don't have the authority to write anywhere else except for their Documents folder and allows you to come up with sophisticated policies to prevent users from installing ActiveX controls or running Java applications. They even make this pretty clear with the Add User wizard, showing three tiers of user permissions: Standard, Power User, and Administrator.

Like Palimax said, if the user is a complete security idiot, there's not much one can do whether or not it's on Linux or Windows XP. Linux is not much more secure if the user runs everything as root or has incorrectly setup filesystem permissions. In Linux or Windows XP, it's very easy to overlook permissions and provide users with more power than they deserve. I've seen Linux systems that do not use shadow password files and I've seen administrators for both systems that ignore patches and security advisories as if they were minor annoyances. I've seen Linux administrators login as root and run everything as root. Please. How is this any different from users logging in as an administrator on Windows for everything?

As a general rule, Linux users are more knowledgeable in this area than most Windows users. And for good reason; they have to, because Linux is open-source and exploits are readily available. Like any user, they need to update their software very frequently. Do not assume that because a product has the label of "open-source" it is immediately the most-secure product in the world. It may be a better product, but like the adage goes, a sense of security is a false sense of security. Remember what chaos ensued when people discovered a critical flaw in PHP. Consider the security of MySQL. It's so insecure that people have to block out the MySQL port (3306) in order to protect the integrity of their databases.

Palimax Sceleris
03-08-2005, 04:44 PM
mmmm.... non-shadowed /etc/passwd ...tasty

mirdorr
03-09-2005, 02:43 PM
When it comes to Firefox vs. IE I look at 2 real world examples.

1. Home. In the past, I'd spend a couple of hours a month cleaning up my wife's computer. It would be infested with spyware, etc. I got disgusted after a while and installed Firefox. I don't have to spend those few hours a month anymore.

2. Work. New IE worm/hack? Guess what? The server support teams can't even fix it. We (the network team) have to come in and fix things. Thousands of hours put in by teams worldwide. We lock stuff down (these things all seem to saturate WAN links with their yapping), then the server teams can start patching servers and pushing patches to users.

The hours spent on fixing this crap are bad enough. The fact that the Windows support teams can't fix the issues makes me laugh out loud.

fildien
03-09-2005, 02:51 PM
mmmm.... non-shadowed /etc/passwd ...tasty

I would hate to think that any admin would use a non-shadowed or non-encrypted /etc/passwd. That is just asking for it.

The fact is both OSes have flaws, loopholes, and reasons to avoid them. But it all boils down to personal choice for your home PC.
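Added example (not part of the thread): one way to audit a passwd(5) file for the non-shadowed entries and root-equivalent accounts discussed above. The sample lines, the function name `audit_passwd` and the finding labels are constructed for illustration.

```python
"""Flag passwd(5) entries that expose a hash or duplicate root's UID."""

# Constructed sample in passwd(5) format: name:password:UID:GID:GECOS:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:ab1Qz7pLkM9dE:1000:1000:Alice:/home/alice:/bin/bash
bob::1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
carol:!:1002:1002:Carol:/home/carol:/bin/bash
"""

SHADOWED = {"x"}            # real hash lives in the root-only shadow file
LOCKED = {"*", "!", "!!"}   # no password login possible


def audit_passwd(text):
    """Return (line number, account, finding) tuples for risky entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "?", "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        elif pw not in SHADOWED and pw not in LOCKED:
            # passwd is world-readable, so any hash here can be copied
            # by every local user and attacked offline.
            findings.append((lineno, name, "hash stored in passwd, not shadowed"))
        if uid == "0" and name != "root":
            findings.append((lineno, name, "extra UID 0 account"))
    return findings


if __name__ == "__main__":
    for lineno, name, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {finding}")
```
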

Silentcerri
03-09-2005, 04:19 PM
/hugs the toasty G-5 running OS X .... that is all right baby not enough people use you like I do so no viruses for you.......

Rybit
03-09-2005, 04:22 PM
Hehe, Apple's single-user mode lets you access the password database and uses an encryption that doesn't take very long to crack a password. I think they've fixed this in later versions, though.

trimlock
03-09-2005, 05:16 PM
toasty G-5

Toasty is right, and I thought prescotts/tbirds were hot

Fazin
03-10-2005, 07:02 PM
My favorite exploit of all time was (I think it was PWS, but it could have been IIS) where you could go to http://www.blah.com/..\ and read from directories above the root web directory.

Programming at its finest.
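Added example (not part of the thread, and not any web server's actual code): a check that only looks for `../` misses the `..\` form described above, while resolving the path first and then confirming it is still under the web root catches both. `WEB_ROOT` and the function names are assumptions; `posixpath` is used so the result is the same on any OS.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root for this example


def naive_check(url_path):
    """The weak filter: only rejects the forward-slash form."""
    return "../" not in url_path


def resolve_request_path(url_path, root=WEB_ROOT):
    """Map a URL path to a file path, or return None if it leaves root."""
    decoded = unquote(url_path)          # decode once, before any checks
    if "\x00" in decoded:
        return None
    # Treat '\' as a separator as well, since Windows file APIs do.
    unified = decoded.replace("\\", "/")
    # Join under the root, then collapse every '.' and '..' segment.
    candidate = posixpath.normpath(posixpath.join(root, unified.lstrip("/")))
    # Decide on the resolved path, never on the raw request string.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for path in ["/index.html", "/docs/../index.html", "/../", "/..\\"]:
        print(repr(path), naive_check(path), resolve_request_path(path))
```
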

Esbat
03-11-2005, 03:35 PM
Ah, those clever ad folks! Fucking it up for everybody!

http://www.theregister.co.uk/2005/03/11/alternative_slimeware/

Selwen Soulgazer
03-11-2005, 08:46 PM
I look at it this way. When I used IE I had mad pop-ups and spyware problems. I use Mozilla Firefox and have no pop-ups and no problems.