
WinInformant Says Windows More Secure Than Linux

timothy posted more than 12 years ago | from the ho-hum dept.

Security 935

nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T: Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T: Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.


935 comments


Why page widening is evil (-1, Offtopic)

IAgreeWithThisPost (550896) | more than 12 years ago | (#2950558)

The average Joe Q Slashdot reader may read Slashdot at -1. He, rightly so, thinks some -1 is underrated and actually some of it is very good stuff. However, he gets quickly annoyed by the -1 page widenings and simply moves his threshold to 0 or 1. So now you have all the regular "good citizens of Slashdot" reading Slashdot at higher thresholds. So nobody is reading at -1.

Now, Crap Flounderson says his intention is to destroy Slashdot. However, it's obvious his intention is just to flaunt his own ego (much like the numerous Linux zealots) because page widening no longer works (as everyone has found the workaround to go to a higher threshold).

That would be fine if it weren't for the fact that page widening is having an ADVERSE effect on the time-honored art of trolling. Trolls post at -1 to be seen. If no one sees their work, trolls get bored with Slashdot. So what page widening is essentially doing is running off the trolls. And this is why it won't be fixed. CmdrTaco wins. The trolls have run off, and all the "upstanding" citizens of Slashdot are reading and posting at higher thresholds. This is hardly contributing to the destruction of Slashdot.

What?!? (-1, Troll)

TrollMan 5000 (454685) | more than 12 years ago | (#2950559)

Do the names "Nimda", "Code Red" and "I Love You" ring a bell?

Re:What?!? (-1)

cyborg_monkey (150790) | more than 12 years ago | (#2950593)

Shut up you filthy linux hippy.

Re:What?!? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2950633)

Shhhh...I'm karma-whoring in order to see if this account has been bitchslapped like Trollaxor's and Anomymous Coward's.

Full report when 0 karma is reached.

-TM5K

in a related story... (1, Funny)

resonator (151559) | more than 12 years ago | (#2950620)

Scientists have discovered that internal combustion is cleaner and more efficient than anti-matter.

Pirst Fost! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2950560)

Pirst Fost!

response to article... (0, Offtopic)

Lumpy (12016) | more than 12 years ago | (#2950561)

Hell I have karma to burn....

Nt more secure?

HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA...

Ohhh, wow.... Didn't know it was April 1st already...

This, of course, will be ignored and ridiculed (1, Insightful)

Anonymous Coward | more than 12 years ago | (#2950563)

The Slashdot crowd will never stand for this. I expect to see hypocrisy in full swing in about 30 seconds, with the zealots proclaiming bias. Never mind that they've consistently relied on SF for past predictions of MS's ineptitudes.

Re:This, of course, will be ignored and ridiculed (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2950576)

Looking at Toby's post right below you, I see you didn't have to wait long. ROFL. Linux lusers.

bias (3, Insightful)

Lord Omlette (124579) | more than 12 years ago | (#2950693)

Bias isn't necessarily what annoys me. I would like to see more stories which foster discussion as opposed to sensational bullshit. Isn't there an interesting or nerdy or thought-provoking or geeky news item that we can discuss? For fuck's sake, we know Microsoft sucks, we know 80% of Slashdot's traffic is from IE, we know we don't like .NET, we know Ballmer is a monkey, come on, let's talk about something (ANYTHING) else.

Re:This, of course, will be ignored and ridiculed (4, Insightful)

KeyserDK (301544) | more than 12 years ago | (#2950697)

So true =).

Open source hasn't proven more secure than closed, as the theory about "given enough eyes all bugs are shallow" says.

The one thing it gives though, is choice. For instance, I don't run rsync (see recent security exploit) and I probably never will. Neither do mdk/rh per default (although a lot is certainly run by default). Even though rsync comes with mdk/rh.

Frej Rasmussen.

Re:This, of course, will be ignored and ridiculed (0)

jandrese (485) | more than 12 years ago | (#2950705)

Or maybe the Slashdot regulars (not the people who hang out at 0 and -1) will look at the piece calmly and discover other very valid flaws with the study. If they don't it will likely lead to an active discussion on bug fixing and exploits. This will happen mostly in the 3+ moderated posts.

I shouldn't even have to moderate you, but it seems like sometimes anybody who criticizes Slashdot (however unfounded it may be) gets automatic mod points these days. Sad.

In Other News (5, Funny)

Toby Truman (555615) | more than 12 years ago | (#2950564)

In unrelated news, Microsoft yesterday announced that it had purchased an unnamed but reputable security group...

but which were more severe? (4, Interesting)

Brandon T. (167891) | more than 12 years ago | (#2950566)

Perhaps Windows has had fewer security vulnerabilities overall, but the ones it has had have completely ruined systems and clogged up the internet (e.g. Code Red, Nimda etc...).

Re:but which were more severe? (3, Insightful)

Prowl (554277) | more than 12 years ago | (#2950614)

Exactly,

Linux probably had a multitude of minor, rarely exploited vulnerabilities, whereas Win2K/NT had relatively few major holes.

Holes that are still now being exploited.

I'd be interested to see the amount of revenue lost due to Linux exploitation versus Win2K (taking market share into account of course).

Sounds like poor data analysis...

Re:but which were more severe? (1)

cyclist1200 (513080) | more than 12 years ago | (#2950674)

"I'd be interested to see the amount of revenue lost due to Linux exploitation versus Win2K (taking market share into account of course)."

I know many who would be interested to see that. Obviously they didn't look at the cost of damage control and fixing the various security holes.

Gee, I wonder which OS had less damage on the bottom line?

Severity of vulnerabilities (4, Redundant)

SiW (10570) | more than 12 years ago | (#2950568)

The report doesn't seem to take into account the fact that while the number of Windows holes was smaller, they were far more severe. Code Red, anyone?

Btw, I'm not a Linux cheerleader, I'm a Windows guy most of the time, and I subscribe to the "best tool for the job" philosophy.

Define "more secure" (3, Insightful)

mblase (200735) | more than 12 years ago | (#2950571)

Does Windows have fewer security holes than Linux? Apparently so.

Are they smaller holes -- that is, exposing less control of the system and less potential for damage? Probably not.

The question becomes, then: would you rather be shot by a dozen BB pellets or a single shotgun blast?

Re:Define "more secure" (5, Insightful)

blakestah (91866) | more than 12 years ago | (#2950671)

You apparently didn't check out NTBugTraq. They simply added up vulnerabilities from different linux distros to come up with a high aggregate number. This is plain wrong because

1) If a package has a security issue, usually all distros announce the security bug. Thus, the bug gets counted multiple times.

2) Windows security bugs are all remote compromises, either email attachments, or remote roots. Over 90% of the linux security problems are local security issues.

As another poster noted, this is a very poorly researched article.

Re:Define "more secure" (0, Redundant)

denzo (113290) | more than 12 years ago | (#2950694)

would you rather be shot by a dozen BB pellets or a single shotgun blast?
Since a shotgun (usually) fires out many small pellets (smaller pellets with larger gauge number), perhaps a modification to this analogy should go along the lines of: would you rather be shot at a distance by a .410 shotgun or a 50-caliber rifle?

I'd pick the shotgun, I'd just like to bring along a piece of plywood to take the sting out. ;)

Slashdot announces (-1)

neal n bob (531011) | more than 12 years ago | (#2950572)

Katz's ass is more secure than Microsoft windows.
Just another lie

Oh well (0, Troll)

bomek (63323) | more than 12 years ago | (#2950574)

Whatever OS you put in the hand of a loser, there is risk...

Anyway, what's Linux? I think it's a kernel, no?

Re:Oh well (0, Insightful)

IAgreeWithThisPost (550896) | more than 12 years ago | (#2950631)

Maybe then we shouldn't count the IIS and Outlook type bugs either then, eh? After all, they aren't really part of Windows (although, remember, IE is of course integral to the survival of the OS, so its bugs count).

Re:Oh well (1)

LiENUS (207736) | more than 12 years ago | (#2950660)

IIS embeds itself into the kernel as well... does it not?

Re:Oh well (1)

oregon (554165) | more than 12 years ago | (#2950708)

No.

Rumour [theregister.co.uk] has it that the next version will though.

Less because MS doesnt tell (5, Insightful)

peripatetic_bum (211859) | more than 12 years ago | (#2950575)

Look, the obvious point about this should be that the reason Linux has more known vulnerabilities is that Linux has always been very open about what is wrong with Linux.

As for MS, I only have to point to the major bug that they knew about for weeks, but didn't let anybody know about!

Now I'm not saying that Linux is more secure (as much as I would like to), but the data and the report based on it just make no sense, if you think about how vulnerabilities are and are not reported.

Thanks for reading!

Re:Less because MS doesnt tell (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2950638)

IS THERE A SPIN DOCTOR IN THE HOUSE?

Re:Less because MS doesnt tell (1)

TMLink (177732) | more than 12 years ago | (#2950656)

As for MS, I only have to point to the major bug that they knew about for weeks, but didn't let anybody know about!

Which one?

Re:Less because MS doesnt tell (1)

peripatetic_bum (211859) | more than 12 years ago | (#2950683)

ah this one
the universal plug and play

http://stacks.msnbc.com/news/676671.asp?cp1=1#BODY

Thanks

Re:Less because MS doesnt tell (1)

quantaman (517394) | more than 12 years ago | (#2950659)

I think a more accurate application of your comment should be which one has had more breaks. This is where the security through obscurity that M$ subscribes to would hurt them more. Also when a bug is discovered which OS is usually first in providing a fix for the OS?

Sure ... (1)

NWT (540003) | more than 12 years ago | (#2950578)

Hum, this must be a joke ... I'll go and see right now if that article wasn't written by a M$ employee!
But ... perhaps there are people who enjoy patching their WinNT servers every 2 days, who knows ...

From a technical standpoint. (4, Insightful)

llamalicious (448215) | more than 12 years ago | (#2950579)

Well, that may be all well and good from a purely technical (or counting reported bugs) standpoint.

But when you consider Microsoft's installed user base, there's just no comparison to how widespread MS is.
It's a damn good thing there were fewer bugs reported for Windows, as with each one, the repercussions are far far greater.

~sigh~

Did anyone get a look at the article? (1)

lemox (126382) | more than 12 years ago | (#2950582)

The damn thing was already /.ed before the first comment was posted...

Re:Did anyone get a look at the article? (1)

Score Whore (32328) | more than 12 years ago | (#2950658)

There is no article to speak of. It's a one paragraph blurb, most of which was copied directly into the slashdot posting.

Response. (1)

saintlupus (227599) | more than 12 years ago | (#2950583)

Send in the trolls, one and all.

--saint

Oh, boy. Just another example... (1)

aslagle (441969) | more than 12 years ago | (#2950584)

I think we've just seen another example of the old adage, "You can make statistics say anything you want them to."

Simply put, (3, Insightful)

Andorion (526481) | more than 12 years ago | (#2950585)

Simply put, the reason Windows systems seem more vulnerable is because SO MANY MORE people use them, and don't keep them patched. As a rule of thumb, someone running Linux at home knows what the term "security vulnerability" means and keeps his system up to date, where someone running Windows whatever doesn't.

Of course, that's not the case in the server market. If you want to talk about worms, remember one thing - the ONLY reason Code Red and other such worms exist is because of the popularity of the Windows platform, on desktops and servers. Don't kid yourself for a second into thinking that the reason there aren't any widespread worms for *nix systems is because it's more secure.

-Berj

Re:Simply put, (0)

Anonymous Coward | more than 12 years ago | (#2950615)

When presented with a FACT that doesn't jive with your reality wish list, you shouldn't try to explain it away. That's intellectual dishonesty, Andorion.

Statistics.... (2, Interesting)

Toby Truman (555615) | more than 12 years ago | (#2950586)

How valid are these statistics?

Let's keep in mind that Linux users who find bugs or issues are far more likely to report them, document them, publicize them, and share them.

Microsoft users who find bugs call Microsoft tech support, who inform them politely that it's a feature, and let the issue be stored deep in their databases somewhere.

This is not an issue of who has more issues, but whose issues get reported and publicized more.

Re:Statistics.... (1)

Score Whore (32328) | more than 12 years ago | (#2950711)

This is bullshit. No offense intended, but what support do you have for your theory? That's like saying that there isn't any discrepancy between the AIDS epidemic in Africa (> 25%) vs. North America (< 1%), it's just reported more in Africa.

Major/minor security issues are well reported by third parties pretty much across the board. What's more, people want to give MS black eyes. They actively search for problems there and when they do they wave their hands above their heads, jump up and down, hoot and holler, and in general try and get as much attention for themselves as they can. It's not a reporting issue. It's just one of those things about life. (i.e. OS coders are often doing it out of curiosity and once that itch has been scratched and it's Good Enough(tm), they are "done" regardless of the actual state of their project.)

??? (0)

toolo (142169) | more than 12 years ago | (#2950587)

Just because there are vulnerabilities in joeblow3rdparty software means Linux, as a kernel is more insecure? Pretty funny, considering I still have Nimda spiders hitting every box I see.

How severe though? (2, Insightful)

oregon (554165) | more than 12 years ago | (#2950589)


Linux may have had more, but were they as bad?

The IIS holes in 2K that allowed Code Red to spread and the UPnP holes in XP which, luckily so far, have been pretty much unexploited were both buffer overrun holes which caused, or had the potential to cause, very serious worm outbreaks.

Did Linux have anything on this scale?

There goes the Slashdot Neighborhood (2, Insightful)

BRO_HAM (543601) | more than 12 years ago | (#2950590)

Oh man, I can hear the keyboards typing right now. One thing you don't do to the slashdot community on a monday morning is call their OS less secure than windows.

On a side note, it's all about how you configure your OS. At this point, you can pretty much do the same thing with each OS from a security standpoint. It's all of the other software that usually does it - web server, DB server, application server, etc. But we all know this right?

You know what they say... (1)

Eagle7 (111475) | more than 12 years ago | (#2950592)

"Lies, Damned Lies, and Statistics."

Lousy research (3, Interesting)

JanneM (7445) | more than 12 years ago | (#2950594)

His mathematics is pretty bad. To get the security problems for Linux, he adds all security announcements from each of the major distributions - completely ignoring that most of those announcements are for the same bug. The Linux number is thus about a factor 4 too high.

Also, the Windows announcements are for the OS itself only, while the Linux announcements cover programs that do not count as OS stuff under Windows.

Badly researched piece.

/Janne
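The double counting that blakestah and JanneM describe above, and the per-distribution breakdown quoted further down the thread, can be made concrete. The Python below is an added example; it is not part of the original thread and does not use real NTBugTraq or SecurityFocus records. The advisory list is constructed, the distribution names, bug labels ("rsync#1" and so on) and remote/local tags are placeholders, and the assignment of distributions to the "Linux" column is an assumption. The same records are counted three ways: once per published advisory (the article's method), once per distinct upstream bug, and once per individual product, and the distinct bugs are then split by attack vector.

```python
from collections import Counter, defaultdict

# Constructed sample advisories (NOT real NTBugTraq/SecurityFocus records).
# Each tuple is (distribution, package, upstream_bug, attack_vector).
# The same upstream bug appears once per distribution that republished it,
# which is the shape of data the article summed up.
ADVISORIES = [
    ("Red Hat 7.0",  "rsync",   "rsync#1",  "remote"),
    ("Mandrake 7.2", "rsync",   "rsync#1",  "remote"),
    ("Debian 2.2",   "rsync",   "rsync#1",  "remote"),
    ("SuSE 7.1",     "rsync",   "rsync#1",  "remote"),
    ("Red Hat 7.0",  "glibc",   "glibc#1",  "local"),
    ("Mandrake 7.2", "glibc",   "glibc#1",  "local"),
    ("Debian 2.2",   "glibc",   "glibc#1",  "local"),
    ("Red Hat 7.0",  "xinetd",  "xinetd#1", "local"),
    ("Mandrake 7.2", "xinetd",  "xinetd#1", "local"),
    ("Red Hat 7.0",  "kernel",  "kernel#1", "local"),
    ("SuSE 7.1",     "kernel",  "kernel#1", "local"),
    ("Windows 2000", "IIS 5.0", "iis#1",    "remote"),
    ("Windows 2000", "IIS 5.0", "iis#2",    "remote"),
]

# Assumption: these are the distributions that get lumped into one "Linux" column.
LINUX_DISTRIBUTIONS = {"Red Hat 7.0", "Mandrake 7.2", "Debian 2.2", "SuSE 7.1"}


def family(distribution):
    """Collapse individual distributions into the two columns the article compared."""
    return "Linux" if distribution in LINUX_DISTRIBUTIONS else "Windows"


def naive_counts(advisories):
    """The article's method: every published advisory is one vulnerability, summed per family."""
    return dict(Counter(family(dist) for dist, _, _, _ in advisories))


def deduplicated_counts(advisories):
    """One vulnerability per distinct upstream bug, however many distributions shipped it."""
    bugs = defaultdict(set)
    for dist, package, bug, _ in advisories:
        bugs[family(dist)].add((package, bug))
    return {fam: len(seen) for fam, seen in bugs.items()}


def per_distribution_counts(advisories):
    """Apples to apples: one product against one product, no aggregation."""
    return dict(Counter(dist for dist, _, _, _ in advisories))


def vector_breakdown(advisories):
    """Distinct bugs per family, split remote vs local; the two are not comparable in severity."""
    seen = set()
    totals = Counter()
    for dist, package, bug, vector in advisories:
        key = (family(dist), package, bug)
        if key in seen:
            continue  # same upstream bug already counted for this family
        seen.add(key)
        totals[(family(dist), vector)] += 1
    return dict(totals)


def inflation_factor(advisories, fam="Linux"):
    """How many times the naive count overstates the deduplicated count for one family."""
    return naive_counts(advisories)[fam] / deduplicated_counts(advisories)[fam]


if __name__ == "__main__":
    print("naive        ", naive_counts(ADVISORIES))
    print("deduplicated ", deduplicated_counts(ADVISORIES))
    print("per product  ", per_distribution_counts(ADVISORIES))
    print("remote/local ", vector_breakdown(ADVISORIES))
    print("inflation    ", inflation_factor(ADVISORIES))
```

With this constructed set the naive method reports 11 Linux vulnerabilities against 2 for Windows, deduplication brings Linux down to 4, and the inflation is 2.75x; the real factor depends on how many distributions track the same upstream package, which is JanneM's point. Note that the per-product counts still put Red Hat 7.0 ahead of Windows 2000 here, so deduplication corrects the magnitude of the gap without necessarily reversing it, and the remote/local split is what a reader would need to weigh severity at all.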

Re:Lousy research (1)

orkysoft (93727) | more than 12 years ago | (#2950652)

I recall having read on Slashdot about a statistics report where the researchers made exactly the error you're describing: counting the same hole in two distros twice.

Re:Lousy research (2)

Florian Weimer (88405) | more than 12 years ago | (#2950667)

And the argument that you would expect fewer security holes in GNU/Linux systems because they are not as widely deployed as Microsoft-Windows-based systems is not convincing at all. Security vulnerabilities are there even if hardly anybody uses the piece of software in question.

Re:Lousy research (2)

Col. Panic (90528) | more than 12 years ago | (#2950681)

Also they capitalize on the fact that Redhat major release versions at x.0 are untested in the field. x.1 is somewhat patched and x.2 is near rock-solid. Of course they only mention those first 8 months of 2001 because 7.2 was released in 10/2001.

Re:Lousy research (2)

mpe (36238) | more than 12 years ago | (#2950696)

His mathematics is pretty bad. To get the security problems for Linux, he adds all security announcements from each of the major distributions - completely ignoring that most of those announcements are for the same bug. The Linux number is thus about a factor 4 too high.

Wonder how impartial an entity called "wininformant" is likely to be in the first place?

Also, the Windows announcements are for the OS itself only, while the Linux announcements cover programs that do not count as OS stuff under Windows.

Even with Microsoft's creative definition of what makes up an "operating system".

Re:Lousy research (1)

dup_account (469516) | more than 12 years ago | (#2950707)

I agree. This, to me, is one of the two most important points. The other being about the severity of the bugs. I think a really really interesting number would be what each security vulnerability has cost. Using the same standard that companies use when they complain about piracy, I would estimate that M$ vulnerabilities have cost billions vs low millions for Linux.

Another thought: how many of the problems are with default configurations vs properly configured? I believe that some of the Linux distributions had problems with lax default security, but could be tuned up for much better security.

All stock OS'es? (1)

soupforare (542403) | more than 12 years ago | (#2950596)

Do they mean out-of-box?

(the site's been slashdotted already)
If so, then that's stupid; no sysadmin worth his salt would leave a machine without proper updates/securing.
A workstation/server is only as secure as you want it to be, that's it.

Alan Thicke. DEAD. (-1)

Alan_Thicke (553655) | more than 12 years ago | (#2950597)

First let me say that's the dumbest headline I've ever read. Who do these guys work for? MS? (not Slashdot) Now back to your trolling.......enjoy!!! I just heard the sad news on CBC radio. Comedy actor/writer Alan Thicke was found dead in his home this morning. Even if you never watched his work, you can appreciate what he did for 80's television. Truly a Canadian icon.
He will be missed :(


it's not the OS stupid (1)

SpacePunk (17960) | more than 12 years ago | (#2950600)

It's the administrators. If you have someone administering either OS who's incompetent then you will have security holes. A competent administrator will close up either OS tight.

-


Redhat!= Linux (1)

gmack (197796) | more than 12 years ago | (#2950602)

This should be a wakeup call to RedHat to fix their distro. They are making everyone else look bad.

It's time to get rid of apps with bad security records. This means you Bero!

Vulnerabilities vs Exploits (1)

MasterOfErm (99608) | more than 12 years ago | (#2950605)

Perhaps a better statistic to look at if you're interested in which is more secure is the actual number of boxes which were exploited... and I'd guess that last year the windows machines win that category by a landslide.

Of course, it all comes down to the admin in the end, so any talk of which OS is more secure doesn't really mean much. A clueless admin on a very secure OS can still open the gates wide to anyone that tries.

Number of bugs is the wrong metric! (3, Insightful)

Victor Danilchenko (18251) | more than 12 years ago | (#2950606)

What matters is not how many bugs there have been, but the total window of vulnerability per bug -- the time elapsed from the bug's discovery to the bug's closing. One really bad bug that remained open for a year is much worse than 10 bugs each remaining open for a week, you see.
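The metric proposed in the post above, exposure time rather than bug count, worked through in an added Python example that is not part of the original thread. The records are constructed: "OS-A" and "OS-B" are placeholder products, the disclosure and fix dates are invented to reproduce the post's scenario (ten one-week bugs against one bug open for a year), and the reference date AS_OF is an assumption used to count a bug that has no fix yet.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed records (NOT real advisory data): (product, bug, disclosed, fixed).
# fixed=None means no patch had shipped by AS_OF, so the window is still open.
AS_OF = date(2001, 9, 1)  # assumed reference date for the comparison

# OS-A: ten bugs, each patched a week after disclosure, twenty days apart.
RECORDS = [
    ("OS-A", f"bug-{i}",
     date(2001, 1, 1) + timedelta(days=20 * i),
     date(2001, 1, 1) + timedelta(days=20 * i + 7))
    for i in range(10)
]
# OS-B: one bug open for a full year, plus one with no fix at all as of AS_OF.
RECORDS += [
    ("OS-B", "bug-x", date(2000, 8, 1), date(2001, 8, 1)),
    ("OS-B", "bug-y", date(2001, 8, 20), None),
]


def exposure_days(disclosed, fixed, as_of=AS_OF):
    """Days a bug was publicly known but unfixed; an unfixed bug counts up to as_of."""
    end = fixed if fixed is not None else as_of
    if end < disclosed:
        raise ValueError(f"fix date {end} precedes disclosure {disclosed}")
    return (end - disclosed).days


def bug_counts(records):
    """The article's metric: how many bugs per product."""
    return dict(Counter(product for product, _, _, _ in records))


def exposure_by_product(records, as_of=AS_OF):
    """The post's metric: total bug-days of exposure per product."""
    totals = defaultdict(int)
    for product, _, disclosed, fixed in records:
        totals[product] += exposure_days(disclosed, fixed, as_of)
    return dict(totals)


def worst_window(records, as_of=AS_OF):
    """The single longest window as (product, bug, days)."""
    return max(
        ((product, bug, exposure_days(disclosed, fixed, as_of))
         for product, bug, disclosed, fixed in records),
        key=lambda row: row[2],
    )


def still_open(records):
    """Bugs with no fix shipped; a count of published bugs hides these entirely."""
    return [(product, bug) for product, bug, _, fixed in records if fixed is None]


if __name__ == "__main__":
    print("bug count     ", bug_counts(RECORDS))
    print("exposure days ", exposure_by_product(RECORDS))
    print("worst window  ", worst_window(RECORDS))
    print("still open    ", still_open(RECORDS))
```

On these constructed records the bug count ranks OS-A as five times worse (10 bugs to 2), while the exposure metric ranks OS-B as over five times worse (377 bug-days to 70), with a single 365-day window dominating. The ranking flips purely on which metric is chosen, which is the post's argument; a real comparison would also need a consistent rule for what counts as "discovery" (first public report vs vendor notification), since the two products' publishers may not use the same one.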

Re:Number of bugs is the wrong metric! (0)

Anonymous Coward | more than 12 years ago | (#2950675)

The "$" is the correct metric, or manhours, or whatever. If Application XYZ is not an industry wide application, the "$" factor is very low. Now, if it's UPnP...

Eye of the beholder (1)

Lothar (9453) | more than 12 years ago | (#2950610)

It's all in the eye of the beholder. Especially if you have a borg eye. hehehe.
They can't be serious!

Lies, lies, and damn statistics! You can always manipulate numbers. I suspect they have a different idea of vulnerability and seriousness than the rest of us.

But we know by ourselves that linux is better and we strive every day to make that happen. Keep that in focus and don't let this bother you at all.

There might be some reasons (1)

Tompie (38567) | more than 12 years ago | (#2950611)

In my opinion, the reason for this is that Linux is more used in a non/less-commercial way than WinNT/2k.
WinNT/2k admins have money to buy that OS, so I suppose they also have more money/time to spend on security (and use it in a more professional way).
Some linux boxes on the other hand are "hacked" together, and thus not always secure. Maybe the popular fact that "linux is more secure than windows" makes them believe they are not vulnerable.

Unfair comparison, uninformed journalist. (3, Redundant)

opkool (231966) | more than 12 years ago | (#2950612)

After reading the whole thing, I came to the conclusion that this is an unfair comparison:

-They only count bugs for one Microsoft OS product. I mean, there's Win95, Win95osr2, Win98, Win98SE, Win2000, WinME, WinCE, WinNT4.0...

-They count one bug for each distribution. I mean, if a bug is detected on rsync, it shows as one different bug for every distribution, that is, one bug for Mandrake 7.0, one for Debian, one for Mandrake 7.1 ...

So, this makes me wonder if the journalist is plainly uninformed or if he has no idea of what he is talking about (a laid-off journalist from the gardening section re-hired for a tech-writer position).

The conspiracy theories, black helicopters and Microsoft-paid journalists, from my point of view, do not apply here.

Well, who said the world was fair?

Look everybody! I can hate MicroSHIT too!!! (-1)

ringbarer (545020) | more than 12 years ago | (#2950613)

*whinge whinge* Nimda *whinge whinge* Code Red *whinge whinge* Outlook attachment viruses (Which have nothing to do with Win2000 Servers, but I'll throw them in anyway because everything coming out of MickyShaft is the same) *whinge whinge*

Err, anyway.

Fact 1: Microsoft has acknowledged that the security risks in its products have caused severe problems in the past. AND IS DOING SOMETHING ABOUT IT! All development is now FOCUSED towards security.

Fact 2: As there is no centralised development path in Open Source software, there is no focus.

Fact 3: Microsoft will win. By virtue of having more money to throw at the problem.

Vindication! (-1)

gamorck (151734) | more than 12 years ago | (#2950616)

Finally more than a few of us are starting to get it :-) Open Source != Security and anybody who thinks so doesn't understand the nature of security in general. Open Source by definition is an insecure development methodology based on loose or nonexistent trust relationships which can obviously lead to insecure code.

In the world of security - assumed trust is a mortal sin. In the world of Open Source - it goes without saying. The two concepts obviously do not jive and it's nice to see that the security community is finally starting to understand this.

As for this post - none of you will probably ever see this as my karma went straight to hell in a handcart many months ago. Perhaps a few generous moderators could spare a few points, though I doubt that will happen since the pro-Linux rhetoric will be in full swing within a few minutes of this posting.

Gam

Something strange... (2)

Xerithane (13482) | more than 12 years ago | (#2950617)

wininformant.com fails to resolve.

SecurityFocus.com has absolutely nothing on their site about this article.

I would find it at very best to be poor journalism to label an operating system more secure just based on the fact that it has fewer published vulnerabilities. First off, it's easier to locate vulnerabilities in *NIX software. In Windows it isn't, mostly because it's closed up and the Windows common user is not motivated with finding a security exploit.

If you look at the types, and severity (which I'm hoping the article does) of it and surmise a judgement based off that, I think it's pretty obvious which operating system is more secure.

Either this is a /. troll, and they didn't bother to realize the DNS for wininformant.com doesn't exist, or wininformant.com is dead at the moment, or wininformant.com is a group of Microsoft FUD monkeys, or I'm running the wrong desktop OS.

flawed logic (2, Insightful)

esme (17526) | more than 12 years ago | (#2950618)

When you break the numbers down by Linux distribution, Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2

And this is exactly the kind of flawed logic that always creeps into these kinds of discussions: there is no "Linux" to compare with "Windows", there are only a bunch of distros. Totalling up all the holes in all the distros makes no sense at all.

And when you compare Windows to a given Linux distro (much closer to a good comparison), Linux wins every time.

-Esme

Re:flawed logic (0)

zzyzx (15139) | more than 12 years ago | (#2950692)

Read what you pasted. It says that Win2K had FEWER vulnerabilities than Red Hat 7.0

The more accurate question (5, Interesting)

Gothmog (21222) | more than 12 years ago | (#2950621)

Pure quantity of security holes really is not the most important question. To me there are two factors:

1. How severe is the hole if exploited.

Are we talking a DOS, a root compromise, the ability to take over a domain controller. The effect of a compromise needs to be taken into account.

2. How easy to exploit is the hole.

Is it a theoretical exploit, or are there tools floating around? Can it be easily mitigated by a good firewall, or can viewing an email cause the problem.

These questions seem to me more important than pure quantity and should be taken into account when building a threat assessment of a system.

To use bit of old wisdom.... (1, Troll)

MxTxL (307166) | more than 12 years ago | (#2950624)

It's quality not quantity.

Perhaps linux has a greater number of security flaws but Windows' security flaws, while fewer in number, are much more serious, drastic and more devastating in terms of network infrastructure.

Using a number to rate things like this is absurd.

Yes and No--Security is time (1, Insightful)

dnoyeb (547705) | more than 12 years ago | (#2950625)

Today security is measured in how long it takes you to break into a box, and not if you can break into the box. So on the one shoe, you can say windows is much more bombarded and patched than Linux because so many "testers" are willing to "test" the security of windows. But on the other hand, since security is measured in how long it takes to crack something, even though windows may end up with fewer holes, the fact is there are more "hole seekers" which effectively reduces the security.

Learn to mirror the damn pages, Slashdot. (0, Offtopic)

Xzzy (111297) | more than 12 years ago | (#2950629)

Two freakin' comments in this thread when I view it, and wininformant is already refusing connections. Shame too, cuz I got plenty to say on the subject but it's kinda hard to make informed statements when you can't even read the link.

Suppose I could just base my post off the story submission like most other readers do, but nah, that'd be irresponsible. ;)

/rant off

Not being a Windows apologist (5, Funny)

prisoner-of-enigma (535770) | more than 12 years ago | (#2950632)

But it is possible to have a very secure Windows environment. No, it does not involve turning the box off ;^)

Take this example: you have a highly competent NT/2K administrator (they do exist) and a pitiful *nix administrator. Which one is going to produce a more secure box? Any objective person would have to say the NT/2K guy would, because he knows his platform well enough to shore up vulnerabilities. Nimda, I Love You, and many other worms did not affect my company because we took security very seriously beforehand. Malicious attachments (.EXE, .SCR, etc) were banned long before I Love You came along.

Now, having played devil's advocate for a moment, let me say that if you have a tightly controlled *nix box with a competent admin and a focus on security, you can create a damn near impregnable system. The weaknesses then lie with the applications, not the OS, and that's something ALL vendors need to work on (you listening, Larry "Unbreakable" Ellison?)

Actually, to be fair... (4, Informative)

cperciva (102828) | more than 12 years ago | (#2950635)

I can't remember hearing about many *new* security holes in win2K recently.

I can't get to the article right now, so I'm not sure exactly what their argument is, but while I can remember hearing about quite a few major security holes in the unixes (I think everyone was bitten at least once by ptrace race conditions) I can't think of any similar issues in win2k.

XP, on the other hand... but we're not talking about XP here.

Two worthwhile questions... (2)

sterno (16320) | more than 12 years ago | (#2950640)

If Linux did indeed have more bugs, there are two questions worth asking:

1) which versions of Linux? If you were concerned about security you probably wouldn't be running the most bleeding edge version

2) how significant were the security holes? Are they remote root compromises or something less severe. Linux might have several more minor vulnerabilities and look numerically worse if windows has one gaping vulnerability

Having said that though, I'm willing to believe this is possible :)

WINDOWS is secure, APPS aren't... (1, Troll)

fzammett (255288) | more than 12 years ago | (#2950642)

Let's make this perfectly clear, shall we?

Look at all the security issues that have come to light for Windows over the past year or two. I'd bet my newly purchased house that over 90% of them are APPLICATIONS that are insecure, NOT the OS.

How many security problems are a result of Outlook alone? 70%? Wouldn't surprise me a bit.

How many are direct results of VBA? 80% or more? Yeah, I'd think so (and I happen to love VBA but there's no arguing the danger that is opened up when you allow that level of integration and automation in software).

I don't think there were a massive number of problems that arise from protocol-level problems, security subsystem abuses or kernel hacks. Sure, there is always the occasional buffer overflow and things of that nature, but I'd bet the number is about equal with what you get on any other OS out there.

It's the apps folks, not the OS. Compare the Linux kernel with the NT kernel and I bet they are both secure as hell. It's what's on top of them that's a problem sometimes.

Let's start with the defense... (0, Flamebait)

Score Whore (32328) | more than 12 years ago | (#2950645)

Of course now we're going to get tons of people who say "Linux is just the kernel." Or "It's the distros that are insecure, not Linux." Or "It's apache/lpd/sendmail/wuftpd/bind/etc that's insecure, not Linux." But let's get our ass on straight here. Nobody posting here is just running Linux-the-kernel. We're all running Linux-the-kernel plus apache, plus userland tools, plus bind, plus sendmail, plus proftpd, plus etc. And we all tell people we are running Linux on our servers, and perhaps sometimes we'll say "with apache as our webserver." But ultimately it's "Linux" that is our OS. And all the mainstream apps that we include are part of that "Linux" that we tell people we use. And, yes, it is appropriate that we take our lumps on issues like this. This isn't a dick measuring contest, it's about running a quality IT environment and providing a quality service to our customers. Denial won't provide that.

And for those who really really want to argue that it's not Linux at fault, then make sure that you point the finger squarely where it belongs: at yourself! Right? I mean, Linux-the-kernel doesn't have any remote buffer overflows in its webserver. It doesn't provide for local root escalation. It's the tools that you, the admin, are responsible for having in place there that are the problem. And since you obviously chose to put them there (via installing them with the standard RedHat installer, or dl-ing, compiling and installing by hand) you are the one who is responsible. So there.

Quality vs Quantity (3, Insightful)

WIAKywbfatw (307557) | more than 12 years ago | (#2950646)

Surely it's not the number of vulnerabilities that either OS displays that's important but rather their severity?

I mean, an exploit that requires the malicious party to have physical access to a machine and then only gives him access to one specific folder on a system is hardly as big a deal as one that gives a script kiddie sitting in his bedroom complete remote control of your corporate servers, allowing him to copy, overwrite and delete files, folders and hard drives at the click of a button?

Let's try to compare apples and oranges here. Just because McDonalds has more restaurants than Michelin-starred ones it doesn't make the Big Mac a better meal.

Wait for the fury. (1, Troll)

freakboy303 (545077) | more than 12 years ago | (#2950647)

The *nix junkies are going to make this thread 1000 posts long but the numbers are there. I can heartily believe that Windows has fewer security holes; it's just that with Linux not having a viable market share no one really bothers to take the time to exploit those vulnerabilities. It's security by obscurity. Let's say two auto makers each make a truck and company A sells 100,000 units of truck A and company B sells 1,000 units of Truck B. Truck A explodes into a fire ball 20 times and Truck B does the same 2 times. The popular conclusion is that Truck A must be unsafe because it exploded so much but the truth of the matter is that Truck B is actually 100 times more dangerous....but it only blew up twice so nobody will believe the facts. That's my .02 cents

Re:Wait for the fury. (0)

forgeeks (470786) | more than 12 years ago | (#2950670)

Are you stupid?

Facts?! (1)

Kargan (250092) | more than 12 years ago | (#2950649)

"Facts, schmacts, you can use facts to prove anything that's even remotely true." - Homer J.

You mean KNOWN vulnerabilities, right? (2, Insightful)

chancycat (104884) | more than 12 years ago | (#2950650)

One camp (Linux) is pretty open, and honest about those holes.

The other camp ain't. We do hear about some vulnerabilities out of Microsoft, but more often it's independent disclosure that opens our eyes. So, how many problems are left unaddressed, and unknown by all but the secret holders? Simple: we don't know.

At least with opensource I can look at the code.

Linux as a whole, or just MY Linux? (3, Insightful)

mblase (200735) | more than 12 years ago | (#2950651)

The SecurityFocus charts [securityfocus.com] seem to say that in the last several years, WinNT/2K has had 2/3 to 3/4 the vulnerabilities of Linux -- all Linuxes combined, that is.

When you break it down, however, Windows has been about equal to Red Hat and well above all the other Linuxes and Unixes in the chart.

As a willing participant in the capitalist scheme, I don't care how secure everyone else's servers are -- just the one securing my stuff. The only thing this chart tells me is that if I want a secure server OS out of the box, I should start with Mandrake or Debian instead of Red Hat or Windows.

Consider what is included in RedHat or Mandrake (1)

cornice (9801) | more than 12 years ago | (#2950657)

Well I can't seem to reach the site but I imagine that the comparison is again invalid. If this is a comparison of Linux kernel vs bare Win2K install then I suppose the stats speak for themselves. However, if this is Win2K vs RedHat or Mandrake then this is skewed since RedHat and Mandrake contain many times over all of the software one might need for a server and a desktop. This skews the exposure rating unless the comparison is between Redhat or Mandrake and Win2K + MSOffice + everything else imaginable for a desktop and server PC. A comparison of Win2K with a hardened, stripped down version of Linux might be more accurate. Otherwise this is simply saying that a complete install of RedHat or Mandrake is less secure than a plain install of Win2K which is a worthless statement.

Interesting they do not mention OpenBSD (0)

Lord Hugh Toppingham (319381) | more than 12 years ago | (#2950661)

OpenBSD [openbsd.org] is widely regarded as the most secure OS there is, due to its open security audit model.

I wonder where OpenBSD ranked in this survey ? Apparently there has not been a remote root exploit in the out-of-the-box configuration for over four years.

Despite all the BSD is dying trolls out there, BSD is alive and kicking Linux and NT's asses (in security terms)

Paul Thurrott works for Windows and .NET Magazine (0, Flamebait)

K7001 (472671) | more than 12 years ago | (#2950664)

"Paul Thurrott
Paul Thurrott is the news editor for Windows & .NET Magazine. He writes a weekly editorial for Windows & .NET Magazine UPDATE (http://www.win2000mag.net/email) and writes a daily Windows news and information newsletter called WinInfo Daily UPDATE "

nice timing with the windows security initiative

Read between the lines. (1)

theLunchLady (97107) | more than 12 years ago | (#2950665)

NTBugTraq -- `nuff said.

Hey look at that (2, Informative)

Archanagor (303653) | more than 12 years ago | (#2950669)

I sent a similar article, but was rejected. Peh, guess I need to work on my editorial skills.

Anyway, before anyone gets on a high horse here. It needs to be said that it's the code. Not the features that allow users to do stupid things. Most of what's out there choking MS-Based networks is because of the ease with which users can execute attached scripts and executables. Oh, and a hole in IIS, but that was mentioned in the article.

Yes, MS is a monopoly. Yes, they're trying to squeeze more cash out of their consumers (Stupid WPA). But, damn, they do produce some of the most solid code out there, as well as some of the most feature-rich, usable applications. Alas, that's just my opinion, and considering that I use mostly MS apps, I might be slightly biased.

Break it down.. (3, Interesting)

iamsure (66666) | more than 12 years ago | (#2950677)

1. Severity - The issues that exist on Windows platforms are demonstrably larger. There is no administrator/root containment of privilege (generally), and most of the security issues reported are indeed system-level, remote, and widespread.

2. Activeness - The common issues reported for Windows deployments are almost universally in use and actively being exploited BEFORE the report. Most *ix vulnerabilities are not being actively exploited (and definitely at a lower level of activity), and are generally patched to resolve the issue FAR quicker.

3. Openness - "Linux" has no control over the release of bug reports. Microsoft on the other hand, does, to a degree. They can actively "pursue" the matter and encourage the bug reporter to remain quiet about it until they can respond. In some cases for MONTHS even for well established bug hunters like eEye, on very large vulnerabilities like UPNP.

In closing, there are lies, damned lies, and statistics. Sure, you can put whatever spin you want on it, and I think I have in this posting.

ONE thing needs to be clear, there are a lot of bugs, and having many eyes isn't preventing them from happening on Linux.

No matter where you sit, it's justification to yet again work diligently to reduce the number of potential bugs by secure programming techniques.

All Should Be Aware (-1, Offtopic)

LunchLady (555057) | more than 12 years ago | (#2950678)

See - it's simple, Timothy and Jon Katz raped my little brother just over the weekend. What a shame.

Cisco Extends Catalyst 4000 Switching Platform with Next Generation Capabilities
Industry Leader Raises Bar for Modular Ethernet Access with Optimal Control for Converged Networks
COMNET - Booth # 826

WASHINGTON, DC - January 29, 2002 - Cisco Systems, Inc., the worldwide leader in networking for the Internet, today announced the Supervisor Engine III for the Catalyst 4006 series of switches, which offers enhanced control over converged voice, video and data networks. As a result, Enterprise and Metro Ethernet customers with the Catalyst 4000 can quickly and cost-effectively roll out converged networks that deliver Internet Protocol (IP) data, streaming video, telephony, and other Internet-based business applications to boost productivity and organizational flexibility.

"Once again Cisco is setting the pace in the industry with the introduction of the Catalyst 4006 Supervisor Engine III," stated Joel Conover, senior analyst at Current Analysis. "The new engine raises the bar for enterprise wiring closet switching performance and functionality, and provides phenomenal investment protection for Cisco customers. The performance and control found in the new Catalyst switching engine redefines the expectations for intelligent network services in the wiring closet."

The Catalyst 4006 Supervisor Engine III is the control module that defines and delivers all operational capabilities of the Catalyst 4000 platform. A key component of Cisco's Architecture for Voice Video and Integrated Data (AVVID), the Catalyst 4000 is a family of scalable modular switches that extend network control from the backbone to the network edge. The Catalyst 4006 Supervisor Engine III integrates multi-layer switching capabilities to deliver control in the form of intelligent network services including sophisticated Quality of Service (QoS), non-blocking Layer 2/3/4 switching, advanced security and comprehensive management - each of which is required to realize the business benefits associated with running a converged network.

"Adding the Catalyst 4006 Supervisor Engine III modules to the Catalyst 4000 switches gave us the ability to efficiently deploy network services with greater security and control," said Ying-Yuang Chen, principal network architect at Carnival Cruise Lines, the largest and most popular cruise line in the world.

Carnival moved to a converged IP (Internet Protocol) network to fully maximize the value of their network infrastructure, lowering overall costs and simplifying their network management structure as part of an ongoing cost management strategy. As with all converged IP-based networks, Carnival needed a switching infrastructure that could differentiate traffic types and handle each according to its own unique requirements with comprehensive management and security.

Chen explained, "The Catalyst 4006 Supervisor Engine III gave us an integrated package with the Layer 3 security and Layer 4 quality of service capabilities that make it easier to manage point-to-point voice and data traffic and quickly introduce new network-wide services and applications in a controlled manner."

Catalyst 4006 Supervisor Engine III Features and Benefits

The Catalyst 4006 Supervisor Engine III is a Cisco IOS-based platform, offering feature rich end-to-end services and designed for interoperability with Cisco platforms. Compatible with all Catalyst 4000 switching line cards, the Catalyst 4006 Supervisor Engine III provides enhanced investment protection for the Catalyst 4000 installed base, extending the deployment life of the platform.

Key Catalyst 4006 Supervisor Engine III features include:

- Sophisticated QoS: Integrated Layer 2/3/4-based QoS and traffic management capabilities classify and prioritize mission-critical and time-sensitive traffic based on 32,000 QoS policies. The system has the ability to shape and rate-limit bandwidth-intensive traffic with mechanisms such as input and output policers based on user, network and application information.

- Predictable performance: Wire-speed 48 Mpps forwarding rate in hardware for both Layer 2 and Layer 3/4 traffic. Switching performance is independent of the number of route entries or advanced Layer 3 services enabled.

- Advanced security: Supports 32,000 wire-rate Layer 2/3/4 access lists, and includes other advanced security capabilities such as user authentication and client security.

- Comprehensive management: Web-based management for the configuration and control of all ports resulting in fewer network management elements overall.

Pricing and Availability

The Catalyst 4006 Supervisor Engine III is available now for $14,995. The Catalyst 4006 Chassis, with Supervisor Engine III and 2 AC (Alternating Current) power supply bundle is $19,995. For more information, please visit http://newsroom.cisco.com

About Cisco Systems
Cisco Systems, Inc. (NASDAQ: CSCO) is the worldwide leader in networking for the Internet. Information on Cisco can be found at http://www.cisco.com.

# # #

Cisco, Cisco Systems, PIX, IOS and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0005R)

Contact Information

Press Contact(s):
Larry Yu
Cisco Systems, Inc.
(408) 853-4200
lwbyu@cisco.com

Investor Relations Contact(s):
Blair Christie
Cisco Systems, Inc.
408 525-4856
blchrist@cisco.com

how Orwellian (1)

xah (448501) | more than 12 years ago | (#2950680)

It is Orwellian to blame Linux for the lion's share of security problems, when the Microsoft platform is far less secure, as evidenced by the many Outlook related e-mail viruses. Correct me if I'm wrong, but this study doesn't include viruses, which are security vulnerabilities. Neither does it include exploits against the commonly installed Microsoft Office programs. OTOH, does the study include Linux security bugs from both the core OS and distro packages?

I apologize grievously if my assumptions are incorrect. The "winformant" article is Slashdotted, and the NT Bugtraq chart was not entirely clear to me.

If Windows went open source... (1)

axehind (518047) | more than 12 years ago | (#2950682)

how many exploits do you think people would find in the first month?

These numbers aren't really relevant (1)

ralphj (164586) | more than 12 years ago | (#2950685)

What is relevant, is the severity of the securityholes and the time it takes before the producer of the app in question puts patches out and how soon these get installed by the sysadmins. The latter seems to be the biggest problem anyway.

Much harder to compare "Linux" versus Windows (3, Troll)

defile (1059) | more than 12 years ago | (#2950686)

Unlike Windows, there are many independent distributions of Linux that may or may not be vulnerable to a security hole. Also unlike Windows, each distribution has shorter release cycles. Furthermore, many Linux distributions come with lots of bundled software that not all sys admins install.

This means that security holes discovered against Windows could be far more devastating because of the uniformity of the installed systems. Code Red/Nimda, etc. would've been much harder to pull off against all variants/distributions of Linux. There's much more paydirt in developing good Windows exploits, since they're likely to work against ALL Windows systems, which means the exploits are likely to be very refined and well tested. Compare to Linux exploits which are usually very hard to get working the first time.

It's also harder to find security holes in Windows since it's closed source (which doesn't make them any less severe). Many security analysts won't even bother since it mostly involves using a debugger to poke at a task for hours, rather than simply grepping source trees for unsafe functions.

But yeah, it is pretty disgusting that Linux in general has this many security holes.

Does that Include all the apps? (1)

QuantumRiff (120817) | more than 12 years ago | (#2950689)

Is this a comparison of Windows 2k to linux or of Windows 2k to linux, gnome, sendmail, office applications, etc.

There are many more applications bundled with linux than with windows. If the case is the latter, I would like to see how many bugs are reported for Win2k when Office, Exchange, and SQL Server are added. I have a strong feeling that they don't count things from Outlook in this.

This... (1)

rmadmin (532701) | more than 12 years ago | (#2950690)

doesn't really surprise me much. It doesn't really matter in my opinion which is more secure out of the box (which is probably where these statistics came from). Because as any good admin knows, you can't trust anything straight out of the box!(OpenBSD is close, but I still lock it down more) I've installed both 2k and RH servers, and I'd never leave either of them without hardening them down. Regardless, when a box is totally secured down, I think they come out about even also. Just my opinion.

Hook, (1)

Xapp (523391) | more than 12 years ago | (#2950691)

Line and sinker. Quick /. real em' in! It looks like a big one. Almost got em'. Almost. Bill, get the net! Not you Linus. No, Linus that knife is for cleaning fish. No! Bill, help ol /. out here. Come on. TBC...

I have read this before... (3)

Junta (36770) | more than 12 years ago | (#2950701)

Essentially, concluding that Windows is more secure based on that data alone is rather ridiculous. Not to say it couldn't be true, but that data is inconclusive at best.

For one, in total vulnerabilities Windows comes in second only to aggregate linux, which, as far as I can tell is a compilation of vulnerabilities across the board for linux distributions and therefore includes mostly duplicates, so that figure is best thrown out the window completely. So numerically the argument doesn't hold up. Additionally, within a distribution a widespread vulnerability may impact several packages. For example, say a widespread vulnerability in FTP servers was found. In Windows, that means one vulnerability, IIS. For a linux distribution, it could be several (wu-ftpd, proftpd, etc...) So in another way Linux figures are inflated by duplicates.

Second, no matter how the numbers add up, it still proves nothing for either side. The numbers state simply that X # of vulnerabilities are known for a platform. Nothing is said of severity or exploitability. Very minor or virtually non-exploitable vulnerabilities count as much as serious, wide-open delete data vulnerabilities in these stats. Also, no consideration is given for what would be considered a vulnerability on each platform. Windows tends to by design allow users to do more without Admin privs. So, a theoretical bug that allowed change of color depth in XFree86 might be considered a vulnerability (since root privs are typically required for that operation), while in Windows it is a normal, harmless feature. This example has all sorts of problems with it, but I think it illustrates the point that some things normal in Windows would be considered vulnerabilities in a Linux environment (and vice-versa to some extent).

In short, no simple chart can show one platform to be more secure than another....

Remote Vs. Local exploits (2, Insightful)

trandles (135223) | more than 12 years ago | (#2950702)

What about a breakdown of remote root exploits vs. local escalation of privileges exploits for linux? It seems to me that most linux vulnerabilities are of that later kind and wouldn't give a remote cracker total control of your system, while most if not all of the windows exploits leave your entire system open to remote takeover.

Open source nature of Linux (5, Insightful)

John Harrison (223649) | more than 12 years ago | (#2950704)

Is it a surprise that there were more vulnerabilities DISCOVERED for Linux than for Win 2K? How many people are looking over the source code of Win 2K for bugs? Now how many have access to the source code for Linux? It seems pretty obvious where you will find more bugs in the short term. Also, do you think that Microsoft "announces" any and all bugs that it finds internally or are these just bugs that were found outside of Microsoft? How easy is it to find these bugs in Windows without the source? How many more would be found if source code was available?

In the long term Linux will have progressively fewer bugs/vulnerabilities due to its open source nature. Look at the numbers on the same chart for NetBSD. There were 9 vulnerabilities found in 2001, and 42 found in Win 2K. 54 for RedHat and only 2 for TurboLinux.

Obviously everyone should switch to Turbo Linux.

Keep in mind... (2)

buffy (8100) | more than 12 years ago | (#2950706)

That this is in large part due to the nature of Open vs. Closed source applications. Linux is open, and a lot of the bugs tracked are found because of just that--it's open, and people can look inside and see. Windows is closed, and has statistically significant (understatement) fewer eyes examining it.

So, measuring how secure an OS (and OS) is, by the number of items in (NT)Bugtraq is a red herring.

sircam, code red, nimda (2, Interesting)

demon-cw (162676) | more than 12 years ago | (#2950710)

i wonder when was the last time someone found a hole in your firewall by exploiting a hole in your apache to get your sendmail sending the contents of your harddrive to everyone and his hamster?