Linux zombies show platforms don't matter

Summary: Building competence in systems administration and disciplined coding practices is the key to a secure infrastructure. It's not a question of which platform is best, it's a question of the right platform for the right organization and it's perfectly normal for various organizations to differ. Picking a platform whether it's open or closed source by catering to an organization's existing pool of IT talent is the most pragmatic and safest thing to do.


[Updated 4/17/2006:]  When fellow blogger Richard Stiennon posted this blog/podcast about new types of alarming DDoS (Distributed Denial of Service) attacks in which an army of Linux zombies was used, he got a bit of a bashing from some of the Linux fans.  Ironically, Richard himself has recently bashed the entire Windows platform and stated unequivocally, as an "IT Commandment", that the Windows platform should be avoided entirely.  But that doesn't seem to matter: he's now accused of being a Microsoft "fanboy" by a barrage of negative feedback, and somehow of being incompetent, for simply reporting the fact that a group of Linux servers running PHP were turned into zombies by a clever hacker.  While I'm no stranger to this type of feedback, I do find it ironic that Linux zealots would attack someone who has a history of being anti-Microsoft and sympathetic to UNIX and Linux.

As all the evidence indicates, the platform (Operating System and Web Server) really doesn't matter.  This 2005 report of confirmed website defacements by Zone-H shows that even though Linux and Apache were defaced more than Windows and IIS (contrary to popular misconception), it wasn't the OS or Web Server that accounted for the biggest factor but the skill of the PHP/ASP programmer, the Server Administrator, or the Application Server platform.  Looking at the results for attack method on page 17 of the Zone-H 2005 report, "FTP inclusion" and "file inclusion" were two of the biggest factors for server compromise; stolen administrative credentials and Application Server bugs were the next biggest factors.  File inclusion exploits occur when PHP or ASP code is written sloppily; it isn't the PHP or ASP language itself that's being exploited.  There is no way a firewall can prevent this sort of application-level attack, and even Application Layer Firewalls would have a hard time distinguishing a legitimate application call from a malicious one.
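To make the "sloppy coding, not the language" point concrete, here is an added illustration (not code from the original post or from the Zone-H report) of the PHP file inclusion mistake beside an allowlisted version; the `page` parameter and the file names are assumptions for the example.

```php
<?php
// Added example: the "file inclusion" coding mistake and a hardened form.
// The $_GET['page'] parameter and the pages/ directory are illustrative assumptions.

// VULNERABLE: the include path is built directly from user input, so whatever
// the request supplies decides which file (local, or remote if allow_url_include
// is on) the interpreter executes. The language is not the bug; the string
// concatenation is.
function render_page_vulnerable(): void
{
    $page = $_GET['page'] ?? 'home';
    include $page . '.php';
}

// HARDENED: user input only selects a key from a fixed allowlist, so the value
// that reaches include() is never attacker-controlled. Unknown keys map to null.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $requested): ?string
{
    return PAGES[$requested] ?? null;
}

function render_page_hardened(): void
{
    $path = resolve_page($_GET['page'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}
```

The same allowlist discipline applies unchanged on Windows/IIS or Linux/Apache, which is the point of the paragraph above: the fix lives in the application code, not in the platform or the firewall.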

This tends to prove that the focus on platform choice and the whole Monoculture fear is blown out of proportion.  If anything, the added complexity of managing multiple platforms will cause even more configuration and coding errors, not to mention that the site then suffers the combined software flaws of every platform it runs.  I find it ludicrous for the anti-Monoculture crowd to promote the use of multiple platforms for a single website.  Operating Systems and Web Servers can certainly be a small factor, but they can easily be locked down and patched for exploits using automated patching tools, whereas finding sloppy coding isn't so trivial.  Building competence in systems administration and disciplined coding practices is the key to a secure infrastructure.  It's not a question of which platform is best, it's a question of the right platform for the right organization, and it's perfectly normal for various organizations to differ.  Picking a platform, whether it's open or closed source, by catering to an organization's existing pool of IT talent is the most pragmatic and safest thing to do.

[Updated 4/17/2006:]  For those who still think Apache is fundamentally superior to IIS, take a look at these vulnerability statistics.  There have been no critical vulnerabilities for IIS 6.0 since its release in 2003, and that is rather amazing.  Apache 2.0.x has far more vulnerabilities, including 2 critical ones.  This information is not sufficient to prove that IIS 6.0 is better than Apache 2.0.x, but it certainly shows how silly it is for people to insist that Apache is better or that Microsoft's solution is fundamentally flawed.

Topic: Operating Systems

  • Stop whining :-)

    When you expose your words under a byline on the Internet you are going to get critics. You're also going to get unreasonable critics. Some of these critics are going to overstate their case. However, guess what? You've been known to overstate your case a couple of times also.

    With regard to the conclusion that people matter, you're absolutely right. No system, and I don't mean just computer systems, can long endure being run by an incompetent. With that said, some systems are better than others. Without making any controversial claims as to which systems may be obsolete, you don't cater to the knowledge base of your IT staff when all they know are obsolete systems. You also need to remain flexible enough to change before a system becomes completely obsolete.

    Well, that's enough low visibility generalizing for one day.
  • Logical Fallacy

    I agree that the presence of Linux zombies shows a possible trend. I also am disgusted by those individuals who knee-jerk react with negative (and attacking) posts against those who do not share their same blind faith.

    However, your conclusion that "platforms don't matter" is quite invalid.

    Seatbelts save lives. It is a documented fact. However, if I see a fatal accident where the occupants were wearing seat belts, I can't conclude that seatbelts don't matter.

    Some real data and thoughtful analysis (not just looking at where bigger numbers are) must be done. Otherwise you are left with mere journalistic hype and a person's pre-existing opinions being self-justified.
    • that's a good point actually

      it's a good point, but i think that george got
      that through in the article, just not in the
      title. perhaps you should hire someone to come up
      with good titles eh george ;)
      Scott W
  • Not alone

    "...I do find it ironic that Linux zealots would attack someone who has a history of being anti-Microsoft and sympathetic to UNIX and Linux."

    That's happened to Paul Murphy, too, although if I recall it was open-source zealots attacking him for being "anti-open source" when he dared to suggest that FOSS could do some things better. Same attack fervor, though. :)

    I'd hate to be in that congregation, walking such a tight wire that even the slightest "slip" from orthodox thinking automatically brands one as an enemy and therefore precludes the faithful from even considering one's words. Thankfully, I've been firmly stereotyped as an "M$hill", where at least people can comfortably pigeon-hole me without having to think. Makes life easier for them. :)

    Carl Rapson
    • Funniest of all...

      You read their "responses" and can tell they only read the title. :P
  • You're absolutely right!

    Good point, George -- unlikely, uncommon, unusual as it may be, even the best OS available can be mismanaged into vulnerability. What a testament to the need for lesser operating systems, such as the inherently vulnerable MS Windows, to either be strictly controlled or simply barred from the internet!

    Great article!
  • sounds like People whom

    Sounds like people whom write code for Microsoft were writing code for PHP or ASP programs in the Linux servers ( hired to run and did in the linux servers purposely )
    • Sounds like pure paranoia to me

      What a crock! Any platform or software package can have bugs and security issues without it being the fault of someone intentionally sabotaging them. Code reviews aren't perfect and obviously not every PHP vulnerability is getting patched by admins. That doesn't mean that [i]people whom [sic] write code for Microsoft were writing code for PHP or ASP programs in the Linux servers[/i]. There is no logic to that assertion whatsoever.
      Still Lynn
    • Uh huh...

      ...Sooooo....companies deliberately hired certain web developers so that their own sites would be sabotaged? Makes sense to me...Not!
      Mark Miller
  • Hmm, how many attacks have been executed

    Using Windows botnets? I don't think anybody actually thinks Linux is invulnerable to hacking. It just takes more work on the part of the hacker, hence the hacker would rather go after the easier target in the Windows OS. As Windows tightens its security and becomes more like a true networkable OS we'll probably see more attacks using Linux as it becomes less work to hack Linux than Windows. The difference is Linux is only as easy to hack as the SysAdmin makes it, while Windows is an open book out of the box.

    One of the great ironies of computing is the greatest weakness of a product such as Windows is its greatest strength, namely its ability to configure itself to nearly any user. That flexibility has been exploited by criminals. Blaming the OS for such breaches is a joke. Though most of the anger with Microsoft has little to do with its OS, more its strongarm business tactics. Which tends to make people overly sensitive to any perceived flaw in any MS software.

    After all, you should be able to leave your door unlocked without getting your stuff stolen. But in this day and age of people who could care less about their neighbors on the net you just can't leave it unlocked anymore. The problem with computing is "locking the door" can be somewhat complex for the ordinary user.
  • There is a difference though...

    Yes, there are zombie boxes running Linux.

    However, the majority of them are compromised servers, while with windows, the majority are compromised workstations.

    For a typical linux box to get rooted and turned into a zombie generally requires that it be exposed to the internet and running sloppily coded web applications. For a typical windows box to be rooted and zombied, it takes only visiting a hostile web page.

    They're both vulnerable, true. But Windows has a much lower barrier to entry into the zombie army. That does matter.
  • George Ou's comments show he does not matter

    It gets tiresome that George Ou can see nothing but hatred for Linux. He is biased and not rational in his conclusions. I work with several different platforms, and operating systems. Each have their own issues. George, blind pumping of MS product does no one any good. You only demonstrate over and over that you are blindly biased in favor of MS and their products. Personally I think MS has lost sight of what an operating system is supposed to do. Vista is not looking good, it is slow, bloated, and more than what the desktop wants or needs. MS has used its near total position on the desktop to further their own products and operating systems, and lock out others. MS products are not always, or even in many cases, the best option.
    • Going a bit far there.

      While I certainly think George has a bit of a bias for Microsoft, it's not like he hates on Linux. More like he has too little experience and expertise with Unix to make an informed decision, and tends to view things a bit too simplistically.

      This article is a fine example of that.

      Most Windows boxes that are zombies got that way from spyware while browsing the web. These are machines sitting on someone's desktop being used by the whole family, and if you let timmy go anywhere he wants on the web, he'll eventually get your windows box rooted.

      The linux zombies, OTOH, are generally hosted servers that have poorly configured web applications or open ports (most notably ftp with anon-ftp enabled, a BIG no-no). These machines are insecure because they were set up that way and then placed in an exposed position.

      The windows boxes are insecure because they are running windows and a web browser.

      That, my friend, is a big difference. It means that for my mom, running a linux box with firefox is significantly safer than for running a windows box with IE.

      About servers, it tells us that if you set them up poorly, linux or windows, they'll get rooted.

      Not the same thing at all, and George is prone to these reductions into absurdity quite often, and he seems to wear redmond made rose colored glasses that make him see Windows in a better light than it should likely be viewed.
    • rtfa

      try reading the article before you start
      mindlessly flaming people
      Scott W
  • The heterogeneity needs to be expanded

    I say this tongue in cheek. I can just see it now. Some Linux fanboy will say, "What really needs to happen is we need to not only not use the same OS on each machine, but stop using the same application server and the same language across multiple machines. Use Tomcat on one, and use Zope on another. Don't use PHP for the whole app. Use Ruby on Rails for part of it, and throw in JSP, too. That'll fix it. And RoR is better anyway." Oh what a tangled web that'll weave (snicker).
    Mark Miller
  • the zombie

    what i find ironic is the extent to which george ou tries to use stats from zone-h to bolster his blatant pro-M$ positions without ever recognizing one simple truth: at zone-h -- the masters of web security matters -- it's APACHE/LINUX...just swallow that and digest it georgie..."queso"..get over it.. all things being equal, dump windows, just like your experts at zone-h
  • Mangled statistics

    Candidly, if I had noticed who had written the article before I read it, I would have passed on reading this.

    But since I'm here....

    I'm detecting an inability to handle statistics. If Apache servers are, say, 3 times more commonly found on the internet than IIS servers (more like 65% to 21%), and about an equal number of each are defaced, then you have just "proved" that Apache is 3 times as hard to deface as IIS. Otherwise, Apache would also be defaced 3 times as often as IIS.

    Now the focus of this article is OS, but the premise you're trying to support -- that the platform doesn't matter -- is already proven false.

    If not for unabashed Windows bias, you'd have given up this whole argument long ago.

    I'm ignoring the question of whether the Windows bias is purchased or heartfelt....
  • Here's why they complained

    It's not an army of *Linux* zombies.
    It's an army of *PHP* zombies.

    PHP by its nature encourages insecure and sloppy coding. A sloppily written PHP app is equally exploitable whether it's running on Windoze or unix. Spammers aren't moving from exploiting MSFT boxes to exploiting Linux boxes, they're moving from exploiting computers *on residential broadband* to computers *in poorly managed Web farms*. They're moving because email admins like me are blocking the residential bot-farms now, and our users won't let us block the low-rent Web farms yet.

    So your buddy really did get the story wrong. It wasn't a Linux story, it was a PHP story. He *spun* it into a Linux story. Perhaps he didn't know the difference. Perhaps Linux "vulnerability" stories attract more eyeballs than PHP-is-a-toy stories. Perhaps they please a certain ZD-net advertiser too.

    Wanna talk about *Linux'* vulnerabilities? Linux is fifteen years old now. Still not one virus successful in the wild. Plenty of "proof of concept" laboratory curiosities and ridiculous attempts at social engineering, and every one of them generating more ink than any actual Windoze threat. No successful viruses here. Not one. Zip. Zero.