  #9  
10-23-2003, 08:44 AM
a_Guest03

INSECURE!???

Has your sponsor ever heard of Windows NT, Windows 98 first edition, IIS, Windows 2000, Windows 2003, Windows XP, Outlook Express, Internet Explorer or Outlook?

How many CRITICAL UPDATES have reached global news stations regarding the deadly nature of an unpatched Linux system?

AHHHHHHH! Run for the doors! It's all going down!

I think your sponsor, while delightfully generous, is ignorant of the beauty of Linux. It's sad that he relies on Microsoft (and we're not going to even talk about Macs here because eqemu doesn't work with them) to keep him safe from the world of viruses or personal intrusions. If mysql and slackware 9.1 aren't enough to keep a computer secure, then there is no safe computer.

Tell your sponsor gently that you assure him Linux is safer than he would believe. Am I wrong here? I've had my ports scanned tons of times, and have stumbled upon insecure systems and exploited them out of curiosity a few times. The systems that were easily exploited were 3rd party Windows programs, which were all closed source. The only other compromised systems I've ever met with had easily guessed passwords or a computer terminal open with no protection on it.

My friends claim that I'm a hacker, but I'm nothing of the sort. I just find anomalies and learn what happens when you tinker with them. The systems that I have compromised, how, and my reasons are:

1. System:
School VAX server
OS: VAX, duh
How: username listed on website as email address, no password
Reason: curious.
How Compromised: Not much... Just a username that was given to my school to use on the server... I didn't have root access, but I had access to all of the email.

2. System:
School workspace terminal
OS: Windows 3.1
How: Netscape granted me access to notepad, despite notepad and all text editing programs being locked down by a 3rd party security program. Notepad gave me write access to autoexec.bat. Removed security program from bootup, rebooted
Reason: curious.
How Compromised: Completely, for any single computer, network was unaffected.

3. System:
Work system java connection
OS: Windows 2000
How: clicked "about us" on 3rd party program when logged into our partner's java system and it opened IE with a website. Typed C:\ into IE, compromised main server of partnered company, as it always booted that process as Administrator
Reason: Total fluke, then curiosity.
How Compromised: Access to main server, logged in as Administrator, with explorer open over a secure internet connection. I was allowed to be there, along with 50 other people and the logging on the server would have blamed the java program. Reported problem to manufacturer, got no response.

4. System:
College workspace terminal
OS: Windows NT4
How: rebooted, quickly used CTRL ALT DEL, alt F (file menu), R (run), and typed "explorer" (enter) to load up windows before the login screen started, and closed the login screen
Reason: heard it could be done, did it to be sure.
How Compromised: Access to anything and everything on the single system without username logging. Access to everything but network printer. Internet access allowed, and read/write access to everything except regedit.exe. The school's IP address was often the source of a friend's workplace's pingflood. He liked doing that trick and writing "broken" on a slip of paper on the monitor.

5. System:
High School Novell Network
OS: Novell? I'm not sure what the setup was. I only knew Windows 98 at the time, but I think it was early command-line Novell
How: Using wordperfect (only program we had access to) on my keyboarding class terminal, located 30 or so files with the first 4 letters of the teachers' names. Used one or two as logins. No passwords on the logins
Reason: Boredom, and frustration that 60wpm earns a B+ with extra credit and only 1 or 2 errors per document
How Compromised: could alter grades, schedules, etc, as if I were the teacher of a course. Two teachers had passwords.

I never caused damage to the systems that I compromised, and I didn't realize that I was compromising them until I succeeded, because I didn't have any "hacking" skills. I didn't know anything about VAX when I logged in the first time, but I know enough now. I had no training or malicious intent. Curiosity kills the cat, no?

I would have been caught messing with half of the listed systems, but I had complete access with no logging to track me down on three of them.

A Linux server running only mysql and eqemu should have equal or less security risk from network hacks than a Windows Server doing the same. Lock down the other ports and network services, especially rpc, excepting perhaps ssh and scp. The only security risk comes from the terminal being physically available and with an input device (like a keyboard).

If he's worried about security, have him look at the defensive reputation of Windows, and the defensive reputation of Linux.

The only time I've ever compromised Linux is with a boot and root disk bootup that let me change the root password. That's part of the physical integrity thing. Keep guys with disks and keyboards away from it, and it's pretty secure.

I'm a Linux user and have been since 1999. I'm very comfortable with the safety of the default install for all distributions except redhat and mandrake. While I'm no guru or anything, I have seen a lot of it, and understand how it works. Windows is all closed-source, and I don't trust it at all.

P.S. If I violated any terms of the website by posting this, I will remove the offensive text.
__________________
It's never too late to be something great.
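The post's advice to lock down every port and network service except ssh/scp (and to watch rpc in particular) can be checked with a listener audit. This is an added example, not part of the original post: it assumes `ss -H -tuln` output format, and port 9000 is a placeholder for the game server's port; the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: flag network-reachable listeners that are not on an allowlist.
# Assumed input format: `ss -H -tuln`
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Usage: audit_listeners "<space-separated allowed ports>" < ss_output
# Prints one finding per line: "<proto> <addr> <port> <reason>"
audit_listeners() {
  local allowed=" $1 "
  local proto state rq sq laddr rest addr port reason
  while read -r proto state rq sq laddr rest; do
    [ -z "$laddr" ] && continue
    port="${laddr##*:}"   # text after the last colon (works for [::]:22 too)
    addr="${laddr%:*}"    # everything before the last colon
    # Loopback-only listeners are not reachable from the network.
    case "$addr" in
      127.*|"[::1]") continue ;;
    esac
    # Allowlisted ports (ssh; scp rides on the same port) are expected.
    case "$allowed" in
      *" $port "*) continue ;;
    esac
    reason="not-allowlisted"
    # Port 111 is the RPC portmapper, the service the post singles out.
    [ "$port" = "111" ] && reason="rpc-portmapper"
    printf '%s %s %s %s\n' "$proto" "$addr" "$port" "$reason"
  done
}

# Constructed sample: ssh, loopback-only mysql, placeholder game port 9000,
# plus an exposed portmapper and an exposed X11 listener.
sample_ss_output() {
  cat <<'EOF'
tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 80   127.0.0.1:3306  0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:9000    0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:111     0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:111     0.0.0.0:*
tcp   LISTEN 0 5    *:6000          *:*
tcp   LISTEN 0 128  [::]:22         [::]:*
EOF
}

# Live use on the server: ss -H -tuln | audit_listeners "22 9000"
sample_ss_output | audit_listeners "22 9000"
```

An empty result means only the allowlisted services are reachable from the network; each printed line is a service to disable or firewall.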