Windows vs. Linux Security, Once More

michael posted more than 9 years ago | from the horse-all-but-deceased dept.

Security 489

TAGmclaren writes "The Register is running a very interesting article about Microsoft and Linux security. From the article: 'until now there has been no systematic and detailed effort to address Microsoft's major security bullet points in report form. In a new analysis published here, however, Nicholas Petreley sets out to correct this deficit, considering the claims one at a time in detail, and providing assessments backed by hard data. Petreley concludes that Microsoft's efforts to dispel Linux "myths" are based largely on faulty reasoning and overly narrow statistical analysis.' The full report is available here in HTML form, and here in PDF. Although the article does make mention of OS X, it would have been nice if the 'other' OS had been included in the detailed analysis for comparison."

489 comments

Geez.. (-1, Offtopic)

Ikn (712788) | more than 9 years ago | (#10599858)

Already /.'ed, and no comments? Or a bad link maybe?

Re:Geez.. (2, Informative)

WIAKywbfatw (307557) | more than 9 years ago | (#10599908)

Is this a critique of Slashdot's failure to cooperate with third party sites and/or provide basic mirroring, of the editors' failure to properly check story submissions, or of both?

I think the "mysterious future" feature available to subscribers allowing them to see upcoming stories ahead of the rest of us is meant to be an ironic joke: you've got to read the stories whilst they are still there, because whether or not the links will be accessible in the future is a mystery...

Re:Geez.. (1)

tonsofpcs (687961) | more than 9 years ago | (#10599944)

Works fine here.

Re:Geez.. (3, Informative)

RangerRick98 (817838) | more than 9 years ago | (#10599973)

The latter two links appear to be broken, but match the links provided in TFA. Perhaps the Register forgot to upload the actual reports?

Re:Geez.. (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10600106)

LINUX SUCKS GOAT BALLS!!!

HTML and PDF? (5, Funny)

WIAKywbfatw (307557) | more than 9 years ago | (#10599860)

What, no macro virus-infected Word file?

Message to the moderators... (1, Troll)

WIAKywbfatw (307557) | more than 9 years ago | (#10599988)

If you're the idiot who modded this off-topic then you clearly haven't got a fucking clue about:

1. What this story is about; and
2. Irony.

Re:Message to the moderators... (5, Funny)

Anonymous Coward | more than 9 years ago | (#10600430)

Tut, tut, Mr. Mytzlplk:
In /.land, it is bad form to accept the null hypothesis that moderators have RTFA, and clue #1 about irony.

Just buy a Mac :-) (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10599875)

The security of Unix.

The usability of Microsoft.

The best of both worlds !!!!

Just buy a mac :-)

Re:Just buy a Mac :-) (0, Funny)

Anonymous Coward | more than 9 years ago | (#10599888)

You misspelled "The caress of another man".

Ugggghhhh (1)

Anonymous Coward | more than 9 years ago | (#10599938)

Usability of Microsoft? You mean, like horrible usability?

No, Macs have the usability of a Mac, the security of Unix. No one cares about Microsoft. Their products are a usability nightmare (Have you ever used WMP > 7?)

Don't even get me started on microsoft office.

Re:Just buy a Mac :-) (0)

Anonymous Coward | more than 9 years ago | (#10599982)

And all the games my Amiga has... Wait, no, it doesn't have that many.

Linux is more secure. Once more. (-1, Troll)

Pan T. Hose (707794) | more than 9 years ago | (#10599876)

Now, please, stop asking!

Re:Linux is more secure. Once more. (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10599912)

And only more secure because there is far, far less money in attacking Linux systems. Don't bring out the old faithful "but there are more Apache systems and it's attacked less". The worms that earn spammers money don't give a hoot about tens of thousands of servers when they can infect tens of millions of desktops instead. Because they are the most numerous is why they're attacked more. Simple, simple statistics.

When Linux systems become the majority and are cracked just as often as Windows, I hope you'll be wearing a hat you can eat.

Re:Linux is more secure. Once more. (2, Informative)

RangerRick98 (817838) | more than 9 years ago | (#10600007)

From TFA: Attacks are of course aimed at Windows because of the numbers of users, but its design makes it a much easier target, and much easier for an attack to wreak havoc. Windows' widespread (and often unnecessary) use of features such as RPC meanwhile adds vulnerabilities that really need not be there. Linux's design is not vulnerable in the same ways, and no matter how successful it eventually becomes it simply cannot experience attacks to similar levels, inflicting similar levels of damage, to Windows.

Re:Linux is more secure. Once more. (1, Insightful)

Anonymous Coward | more than 9 years ago | (#10600036)

Linux's design is not vulnerable in the same ways, and no matter how successful it eventually becomes it simply cannot experience attacks to similar levels, inflicting similar levels of damage, to Windows.

So because someone says something it should be taken as truth? Crackers are an ingenious lot, and security holes are security holes are security holes. They WILL be exploited in linux sooner or later.

Yeah. right. And there is a world market for perhaps 5 computers. Famous last words, that.

Re:Linux is more secure. Once more. (3, Insightful)

RangerRick98 (817838) | more than 9 years ago | (#10600179)

I'm not taking that statement as true simply because someone said it. If I did that, I'd believe all of Microsoft's claims in the other direction, too. I believe it's true because it's a logical argument and can be backed up with evidence, whereas the claim that if Linux were more popular it would be just as vulnerable is pure conjecture.

Holes are holes, no doubt about that. Linux just has fewer of them because of good design principles.

Re:Linux is more secure. Once more. (5, Informative)

Theatetus (521747) | more than 9 years ago | (#10600393)

Crackers are an ingenious lot, and security holes are security holes are security holes. They WILL be exploited in linux sooner or later.

Will be exploited? Download the metasploit framework [metasploit.com] sometime; there are more exploits for Linux than for Solaris or Windows. But this is where the guy's point becomes important: because of how Windows deals with security tokens (here [wiley.com] is a good place to start if you're curious), any exploit that gains access can probably execute code in the SYSTEM context.

So, of the Linux exploits that are trivially available to exploit, none can reliably execute arbitrary system code, while all of the Windows exploits can. That's not this one guy's opinion, that's just how the operating systems work.
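Theatetus's point about what a compromised service yields is, from the defender's side, a least-privilege question: which listening services run as root, and which of those are reachable from the network. The following Python audit is an added example, not code from the thread or from the Register report; it parses the Linux kernel's socket table (/proc/net/tcp, IPv4 only, assuming a little-endian host) and reports each listener's owning uid and exposure. The sample socket table and its uid values are constructed for the example.

```python
"""Least-privilege audit of listening TCP sockets, parsed from /proc/net/tcp.

Added example, not code from the Slashdot thread or the Register report. It makes
the privilege-separation argument measurable: for every listening socket it
reports the owning uid (a compromise of a uid-0 listener yields root) and the
exposure (reachable from the network versus loopback only). The sample table
below is a constructed /proc/net/tcp excerpt, not captured from a real host.
Only /proc/net/tcp (IPv4) is parsed; IPv6 listeners live in /proc/net/tcp6.
"""
from __future__ import annotations

import socket
import struct
from pathlib import Path

LISTEN = 0x0A  # 'st' column value for a socket in the LISTEN state

# Constructed sample: a root-owned listener on 0.0.0.0:22, an unprivileged (uid 33)
# listener on 127.0.0.1:8080, and one ESTABLISHED connection (st 01) to be skipped.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18021 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 18470 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:0016 0A000201:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 18999 1 0000000000000000 20 4 31 10 -1
"""


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """Decode the kernel's 'IIIIIIII:PPPP' form, e.g. '0100007F:1F90' -> ('127.0.0.1', 8080).

    The IPv4 half is printed as a native-order 32-bit word, so on little-endian
    hosts (the common case, and what this parser assumes) the bytes read reversed.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp: str) -> list[dict]:
    """Return one record per socket in the LISTEN state, skipping the header and connections."""
    records = []
    for line in proc_net_tcp.splitlines()[1:]:
        fields = line.split()
        # Columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
        if len(fields) < 10 or int(fields[3], 16) != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        records.append({"ip": ip, "port": port, "uid": int(fields[7]), "inode": int(fields[9])})
    return records


def audit(proc_net_tcp: str) -> list[dict]:
    """Tag each listener with its exposure and whether a compromise would yield root."""
    result = []
    for rec in listening_sockets(proc_net_tcp):
        # Anything not bound to loopback (0.0.0.0 or a specific interface) is network-reachable.
        rec["exposure"] = "local" if rec["ip"].startswith("127.") else "network"
        rec["privileged"] = rec["uid"] == 0
        result.append(rec)
    return result


def summarize(proc_net_tcp: str) -> dict:
    """Counts a reviewer cares about: listeners in total, root-owned, and root-owned and reachable."""
    entries = audit(proc_net_tcp)
    return {
        "listeners": len(entries),
        "root_listeners": sum(e["privileged"] for e in entries),
        "root_network_exposed": sum(e["privileged"] and e["exposure"] == "network" for e in entries),
    }


def load_socket_table() -> str:
    """Use the live table on a Linux host; fall back to the constructed sample elsewhere."""
    try:
        return Path("/proc/net/tcp").read_text()
    except OSError:
        return SAMPLE_PROC_NET_TCP


if __name__ == "__main__":
    table = load_socket_table()
    for e in audit(table):
        owner = "ROOT" if e["privileged"] else "uid %d" % e["uid"]
        print(f"{e['ip']}:{e['port']:<5} {e['exposure']:<8} {owner}")
    print(summarize(table))
```

Every entry in `root_network_exposed` is a service whose compromise hands over the whole host, which is exactly the design difference the comment is pointing at; each such entry should be justified or moved to an unprivileged account.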

So... (0, Troll)

Anonymous Coward | more than 9 years ago | (#10599878)

...Linux is more secure than Windows. Amazing that it took a report to tell us what we already know.

Re:So... (4, Funny)

savagedome (742194) | more than 9 years ago | (#10600009)

Amazing that it took a report to tell us what we already know

We already knew this. This report is for them.

Re:So... (5, Interesting)

JPriest (547211) | more than 9 years ago | (#10600114)

Ask some people that admin a mixed environment. Our Linux boxes get owned just the same as our Windows boxes do. When comparing older versions of Windows there is no doubt Linux owns Windows, but 2003 Server is a pretty big improvement in security over NT 4.0 or 02. SP2 (with firewall) is also a huge improvement; just too bad it took MS this long to get it.

Re:So... (1)

airjrdn (681898) | more than 9 years ago | (#10600568)

Do your systems actually get "owned" that often?

This Old Garage [thisoldgarage.com] - a friend's site, check it out

Make Sure That You Only Present... (1, Informative)

datastalker (775227) | more than 9 years ago | (#10599915)

...the Executive summary to your PHB. There's a reason that they're written! While the Reg likely won't be ./'ed, it's below: Much ado has been made about whether or not Linux is truly more secure than Windows. We compared Windows vs. Linux by examining the following metrics in the 40 most recent patches/vulnerabilities listed for Microsoft Windows Server 2003 vs. Red Hat Enterprise Linux AS v.3: 1. The severity of security vulnerabilities, derived from the following metrics: 1. damage potential (how much damage is possible?) 2. exploitation potential (how easy is it to exploit?) 3. exposure potential (what kind of access is necessary to exploit the vulnerability?) 2. The number of critically severe vulnerabilities The results were not unexpected. Even by Microsoft's subjective and flawed standards, fully 38% of the most recent patches address flaws that Microsoft ranks as Critical. Only 10% of Red Hat's patches and alerts address flaws of Critical severity. These results are easily demonstrated to be generous to Microsoft and arguably harsh with Red Hat, since the above results are based on Microsoft's ratings rather than our more stringent application of the security metrics. If we were to apply our own metrics, it would increase the number of Critical flaws in Windows Server 2003 to 50%. We queried the United States Computer Emergency Readiness Team (CERT) database, and the CERT data confirms our conclusions by a more dramatic margin. When we queried the database to present results in order of severity from most critical to least critical, 39 of the first 40 entries in the CERT database for Windows are rated above the CERT threshold for a severe alert. Only three of the first 40 entries were above the threshold when we queried the database about Red Hat. When we queried the CERT database about Linux, only 6 of the first 40 entries were above the threshold. 
Consider also that both the Red Hat and Linux lists include flaws in software that runs on Windows, which means these flaws apply to both Linux and Windows. None of the alerts associated with Windows affect software that runs on Linux. So why have there been so many credible-sounding claims to the contrary, that Linux is actually less secure than Windows? There are glaring logical holes in the reasoning behind the conclusion that Linux is less secure. It takes only a little scrutiny to debunk the myths and logical errors behind the following oft-repeated axioms: 1. Windows only suffers so many attacks because there are more Windows installations than Linux, therefore Linux would be just as vulnerable if it had as many installations 2. Open source is inherently less secure because malicious hackers can find flaws more easily 3. There are more security alerts for Linux than for Windows, therefore Linux is less secure than Windows 4. There is a longer time between the discovery of a flaw and a patch for the flaw with Linux than with Windows The error behind axioms 3 and 4 is that they ignore the most important metrics for measuring the relative security of one operating system vs. another. As you will see in our section on Realistic Security and Severity Metrics, measuring security by a single metric (such as how long it takes between the discovery of a flaw and a patch release) produces meaningless results. Finally, we also include a brief overview of relevant conceptual differences between Windows and Linux, to offer an insight into why Windows tends to be more vulnerable to attacks at both server and desktop, and why Linux is inherently more secure.

My eyes!! (1)

TrollBridge (550878) | more than 9 years ago | (#10599979)

For the love of Linus and RMS, please use the "Plain Old Text" option when you post an article's text!!

Re:Make Sure That You Only Present... (5, Funny)

Wudbaer (48473) | more than 9 years ago | (#10599984)

Good grief ! Hereby I donate to you a couple of line breaks:
<br>
<br>
<br>
<br>
You are welcome.

Re:Make Sure That You Only Present... (1)

bill_kress (99356) | more than 9 years ago | (#10600079)

Thank you!

Re:Make Sure That You Only Present... (1)

pete-classic (75983) | more than 9 years ago | (#10600350)

May I suggest the more modern
?

-Peter

Re:Make Sure That You Only Present... (1)

pete-classic (75983) | more than 9 years ago | (#10600416)

Hey, look at me! I'm stupid.

Anyway, I meant <br />.

Man, I should use preview more.

-Peter

Re:Make Sure That You Only Present... (1)

G-Licious! (822746) | more than 9 years ago | (#10600398)

That's not valid XHTML Strict, mister!

Re:Make Sure That You Only Present... (5, Interesting)

pdxaaron (777522) | more than 9 years ago | (#10600302)

Nice fuzzy logic there. How many of those 40 Microsoft vulnerabilities were related to Internet Explorer? Yes, it's Microsoft's fault for integrating it into the OS, but if you are using Server 2003 O/S to cruise the web with an admin rights role, you are the security problem, not the OS.

Why don't we look instead at security vulnerabilities in a Server OS that are relative to functions a server should be performing. How many vulnerabilities has IIS 6.0 had versus Apache in the year and a half Server 2003 has been out?

Hmmm one of those has had zero, and it sure the hell ain't Apache.

Re:Make Sure That You Only Present... (1)

Quixote (154172) | more than 9 years ago | (#10600630)

if you are using Server 2003 O/S to cruise the web with an admin rights role, you are the security problem, not the OS.

And how do you download the latest service packs? Check on MS advisories?? etc. etc. Unless you have some sort of a telepathic connection to Ballmer, where are you going to get this information from?

The Internet has become critical in the delivery of upgrades and new features. Gone are the days of floppies and CDs being shipped in the mail. For Microsoft to leave its browser so bug-ridden and standards-averse is negligent.

Re:Make Sure That You Only Present... (2, Informative)

AKAImBatman (238306) | more than 9 years ago | (#10600349)

Let's try that again, shall we?

...the Executive summary to your PHB. There's a reason that they're written!

While the Reg likely won't be ./'ed, it's below:

Much ado has been made about whether or not Linux is truly more secure than Windows. We compared Windows vs. Linux by examining the following metrics in the 40 most recent patches/vulnerabilities listed for Microsoft Windows Server 2003 vs. Red Hat Enterprise Linux AS v.3:

1. The severity of security vulnerabilities, derived from the following metrics:
1. damage potential (how much damage is possible?)
2. exploitation potential (how easy is it to exploit?)
3. exposure potential (what kind of access is necessary to exploit the vulnerability?)
2. The number of critically severe vulnerabilities

The results were not unexpected. Even by Microsoft's subjective and flawed standards, fully 38% of the most recent patches address flaws that Microsoft ranks as Critical. Only 10% of Red Hat's patches and alerts address flaws of Critical severity. These results are easily demonstrated to be generous to Microsoft and arguably harsh with Red Hat, since the above results are based on Microsoft's ratings rather than our more stringent application of the security metrics. If we were to apply our own metrics, it would increase the number of Critical flaws in Windows Server 2003 to 50%.

We queried the United States Computer Emergency Readiness Team (CERT) database, and the CERT data confirms our conclusions by a more dramatic margin. When we queried the database to present results in order of severity from most critical to least critical, 39 of the first 40 entries in the CERT database for Windows are rated above the CERT threshold for a severe alert. Only three of the first 40 entries were above the threshold when we queried the database about Red Hat. When we queried the CERT database about Linux, only 6 of the first 40 entries were above the threshold.

Consider also that both the Red Hat and Linux lists include flaws in software that runs on Windows, which means these flaws apply to both Linux and Windows. None of the alerts associated with Windows affect software that runs on Linux.

So why have there been so many credible-sounding claims to the contrary, that Linux is actually less secure than Windows? There are glaring logical holes in the reasoning behind the conclusion that Linux is less secure. It takes only a little scrutiny to debunk the myths and logical errors behind the following oft-repeated axioms:

1. Windows only suffers so many attacks because there are more Windows installations than Linux, therefore Linux would be just as vulnerable if it had as many installations
2. Open source is inherently less secure because malicious hackers can find flaws more easily
3. There are more security alerts for Linux than for Windows, therefore Linux is less secure than Windows
4. There is a longer time between the discovery of a flaw and a patch for the flaw with Linux than with Windows

The error behind axioms 3 and 4 is that they ignore the most important metrics for measuring the relative security of one operating system vs. another. As you will see in our section on Realistic Security and Severity Metrics, measuring security by a single metric (such as how long it takes between the discovery of a flaw and a patch release) produces meaningless results.

Finally, we also include a brief overview of relevant conceptual differences between Windows and Linux, to offer an insight into why Windows tends to be more vulnerable to attacks at both server and desktop, and why Linux is inherently more secure.

Misleading article (5, Insightful)

Anonymous Coward | more than 9 years ago | (#10599918)

Nicholas Petreley is a Linux advocate... there is a basic problem with a partisan person presenting a "fair and balanced" argument. Kinda like doing research with fixed goals.

Uhm (0)

Anonymous Coward | more than 9 years ago | (#10600014)

Well when one side has research that is correct, and the other side is making shit up, who are you going to believe?

Re:Uhm (0)

Anonymous Coward | more than 9 years ago | (#10600121)

Not saying anything about believability. I just think both should be represented with a level of clarity of who exactly the content is coming from... Kinda like Baystar being a MS front, trying to look unassociated. Would you take one of their press releases without a grain of salt?

...you should read this article with the same speculation.

Re:Misleading article (2, Insightful)

RangerRick98 (817838) | more than 9 years ago | (#10600056)

Funny; doesn't Microsoft fund most/all of the "Get the Facts" surveys?

Re:Misleading article (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10600200)

Exactly!

It's bullshit. But how is that a license to return the favor? I'm just saying - read this article with the same level of speculation as you would a Get the Facts survey - because it too is coming from one side.

Re:Misleading article (3, Funny)

savagedome (742194) | more than 9 years ago | (#10600201)

They funded this too. But this time they forgot to check the "Study in favor of Windows" checkbox.

*evil grin*

Re:Misleading article (0)

Anonymous Coward | more than 9 years ago | (#10600536)

And that invalidates the parent's post how?

No (5, Insightful)

Anonymous Coward | more than 9 years ago | (#10600505)

The article is not misleading because the author is a linux advocate.

Now you are right if you want to remind readers to keep that in mind, but dismissing an article not on the base of its merits, but because the author is supposedly biased (mind, you didn't show or prove in any way that he was actually biased, you just wanted us to take it for granted) is a logical fallacy.

If you don't like the findings of the article, please tell us why, simply accusing the author of bias won't change the facts, sorry.

Argumentum ad Hominem
"Circumstantial: A Circumstantial Ad Hominem is one in which some irrelevant personal circumstance surrounding the opponent is offered as evidence against the opponent's position. This fallacy is often introduced by phrases such as: "Of course, that's what you'd expect him to say." The fallacy claims that the only reason why he argues as he does is because of personal circumstances, such as standing to gain from the argument's acceptance."
http://www.fallacyfiles.org/adhomine.html

Why the article is FUD (1)

sriram_2001 (670877) | more than 9 years ago | (#10600577)

Very well - here's why. This article neatly sidesteps the results of the Forrester survey which showed that MS patches faster than people like Redhat. And the whole paper is highly unprofessional. I mean - at one point, they complain that they can't get enough information because the CERT search engine isn't good enough. What should have been a rant on a fringe newsgroup is being given overdue importance.

summary (0, Troll)

uberjoe (726765) | more than 9 years ago | (#10599941)

For the people who are slashdotted out, the article basically says that linux is more secure than windows. I will speak for everyone here when I say

Duh!

Is this really news?

Re:summary (0)

Anonymous Coward | more than 9 years ago | (#10600013)

It may well not be news to the readership of /. However, it is a well-researched, well-argued piece that goes a long way to confirm the gut reaction many of us have when this topic comes up.

It is useful in that it counters specific MS propaganda in language that could be presented to non-technical people (management?)

In case of Slashdotting (1, Informative)

Anonymous Coward | more than 9 years ago | (#10599949)

Windows v Linux security: the real facts
By John Lettice
Published Friday 22nd October 2004 15:30 GMT

Report Considering the publicity that has surrounded - and, despite super new security-focused Service Packs, continues to surround - Windows security issues, Microsoft's determination to demonstrate that Linux is less secure than Windows shows a certain chutzpah. The company has however had some support here; Forrester, for example, provides some numbers that can be used to support the contention that Microsoft flaws are less severe, less numerous and fixed faster. And although there's a general readiness among users to believe that Windows is a security disaster area, there's also a reasonable amount of support for the view that Linux would get just as many security issues if it had anything like Windows' user base.

But what's the truth? For every claim there is, somewhere, a counterclaim. But until now there has been no systematic and detailed effort to address Microsoft's major security bullet points in report form. In a new analysis published here, however, Nicholas Petreley* sets out to correct this deficit, considering the claims one at a time in detail, and providing assessments backed by hard data. Petreley concludes that Microsoft's efforts to dispel Linux 'myths' are based largely on faulty reasoning and overly narrow statistical analysis. Even if you think you know this already (as we fear may be the case for numerous Register readers), we think you'll find it useful to be able to say why you know it, what the facts and the numbers really are, and where you can get the document to back up what you're saying. Appropriately enough, we're offering the report for free. You can browse through it here, and you can download it in PDF format here.

We encourage you all to grab a copy and give it a good read, but as a service for the fast fact junkies, we've produced a few bullet points of our own. All of these are clearly supported (unlike some similar efforts you might find elsewhere) by Nicholas' report, but don't just take our word for that, check it against the full report.
Myths and Facts

Myth Windows only gets attacked most because it's such a big target, and if Linux use (or indeed OS X use) grew then so would the number of attacks.
Fact When it comes to web servers, the biggest target is Apache, the Internet's server of choice. Attacks on Apache are nevertheless far fewer in number, and cause less damage. And in some cases Apache-related attacks have the most serious effect on Windows machines. Attacks are of course aimed at Windows because of the numbers of users, but its design makes it a much easier target, and much easier for an attack to wreak havoc. Windows' widespread (and often unnecessary) use of features such as RPC meanwhile adds vulnerabilities that really need not be there. Linux's design is not vulnerable in the same ways, and no matter how successful it eventually becomes it simply cannot experience attacks to similar levels, inflicting similar levels of damage, to Windows.

Myth Open Source Software is inherently dangerous because its source code is widely available, whereas Windows 'blueprints' are carefully guarded by Microsoft.
Fact This 'inherent danger' clearly has not manifested itself in terms of actual attacks. Windows-specific viruses, Trojans, worms and malicious programs exist in huge numbers, so if one gives any credence at all to this claim, one would do better to phrase it 'Open Source Software ought to be more dangerous'. But the claim itself hinges on the view - rejected by reputable security professionals - that obscurity aids security. Obscurity/secrecy can also make it more difficult for the vendors themselves to identify vulnerabilities in their own products, and can lead to security issues being neglected because they are not widely-known. The Open Source model, on the other hand, facilitates widespread review and makes it easier to identify and correct flaws. Modular design principles support this, while the overall approach is far more in line with security industry thinking than is 'security through obscurity.'

Myth Statistics 'prove' that Windows has fewer, less serious security issues than Linux, that Windows issues are always fixed, and that they are fixed faster.
Fact Quite a broad collection of 'facts' exist in this category, but what they have in common is the (actual) fact that they are usually based on single metrics, on a single aspect of measuring security. Claims that all Windows flaws get fixed are baffling when we consider that there are Microsoft Security Bulletins saying some flaws will never be fixed, and the existence of these also makes it tricky to understand how the fix rate could ever get to be 100 per cent. In the case of Forrester, which produces the 100 per cent as the Windows result for one of several metrics, it is arrived at through tallying flaws and fixes within a specific period. In the same metric Red Hat 'comes second', on the basis that one flaw was not fixed within the period. This is a rickety base for Microsoft (not, note, Forrester) to build a security campaign on.

This aside, simply claiming that Windows is more secure than Linux because the time from discovery of vulnerability to release of patch is greater for Linux skips consideration of the importance of what gets fixed. A comparison of 40 recent security patches with reference to Windows Server 2003 and Red Hat Advanced Server AS v3 shows that Windows experienced the most severe security holes, while Red Hat had only a handful (four) which rated as critical. It is also arguable that Microsoft understates vulnerabilities in Windows Server, because some flaws are deemed not critical for Server on the basis of system defaults which are in many operational scenarios impossible to adhere to. For Red Hat, on the other hand, there is an argument that in Petreley's analysis we have overstated the extent of critical vulnerabilities (Red Hat does not assign severity levels), and very few of them would allow a malicious hacker to perform mischief at administrator level.

If we reality-check these conclusions against another scale, we find that vulnerability metrics used by the US Computer Emergency Readiness Team (CERT) return 250 results for Microsoft, with 39 having a severity rating of 40 or greater, and 46 for Red Hat, with only three scoring over 40. So simply making claims based on that one metric (as Steve Ballmer did, again, earlier this week) is like judging a hospital's effectiveness in dealing with emergency cardiac care from its average speed in dealing with all patients.

Reliance on a single metric is a major feature of Microsoft's Get the Facts campaign, and this is perhaps understandable if we consider what the campaign is. It is essentially a marketing-driven campaign intended to 'get the message across' with data used to back up the message (note that Microsoft would not necessarily disagree with us here). However, by their nature marketing campaigns push specific, favourable headline items and magnify their significance. They do not necessarily (even usually) accurately reflect the underlying data, and frequently outrun it by some distance. And this process is actually easily illustrated by the Forrester report we linked to earlier on. Get the Facts pulls out the 100 per cent fix and fewest vulnerabilities bullets, while the report itself talks of its use of three metrics and (if we're doing headline items) also says: "ICAT classified 67% of Microsoft's vulnerabilities as high severity, placing Microsoft dead last among the platform maintainers in this [high severity] metric."

So here right on the front page of its 'data-backed' campaign, Microsoft has stripped a single metric out of the underlying data, paraphrased it and put it in the headline. You don't want to be doing this, so you really do want to read the report.

Security: Linux versus Windows (HTML)
Security: Linux versus Windows (PDF)

* Nicholas Petreley's former lives include editorial director of LinuxWorld, executive editorial of InfoWorld Test Center, and columns on InfoWorld and ComputerWorld. He is the author of the Official Fedora Companion and is co-writing Linux Desktop Hacks for O'Reilly. He is also a part-time Evans Data Analyst and a freelance writer.

Duh. (0)

Anonymous Coward | more than 9 years ago | (#10599951)

Although the article does make mention of OS X, it would have been nice if the 'other' OS had been included in the detailed analysis for comparison."
I am sure it would have been nice. But, you see, the article was comparing Linux Security to Windows Security. Mentioning OSX would have been, oh I don't know... OFFTOPIC!

I'd rather see (5, Insightful)

bucketoftruth (583696) | more than 9 years ago | (#10599977)

I'd rather see OSX security compared to Windows. I only have one user adventurous enough to use Linux on their desktop. The rest are about 70/30 Win/Mac.

Re:I'd rather see (1)

Djupblue (780563) | more than 9 years ago | (#10600030)

And OSX is how big on servers? --Apple Zealot Alert!---

Re:I'd rather see (1)

Djupblue (780563) | more than 9 years ago | (#10600130)

Why?
Very few use OS X compared to Linux (i.e. websites running Apache on Linux).
Zealots are annoying.

Re:I'd rather see (3, Insightful)

Lumpy (12016) | more than 9 years ago | (#10600177)

who cares about desktop...

I know of no one brave enough to put a Windows server DIRECTLY on the internet; Microsoft even strongly suggests that a firewall exist between the server and the net.

Yet with the right configuration a linux or BSD box is as safe as that admin can make it.

Re:I'd rather see (4, Insightful)

caluml (551744) | more than 9 years ago | (#10600508)

Come on, stop spreading the FUD. Of course it is possible to keep a Windows machine naked on the net without it getting cracked.

It's the amount of work needed to keep it updated that means I'd never want to do it.

Hm, and security on servers doesn't count? (0)

Anonymous Coward | more than 9 years ago | (#10600614)

I mean, RTFA, it's mostly about servers.

And btw., your anecdotal evidence about the market share of linux on the desktop disagrees with some not-so-anecdotal studies that claimed Apple and Linux have about the same market share on the desktop.

Article Summary: (1, Troll)

haxor.dk (463614) | more than 9 years ago | (#10599980)

Microsoft products are more vulnerable, despite Microsoft using statistics that say otherwise to make you believe otherwise.

What I Would Like to See (3, Interesting)

RAMMS+EIN (578166) | more than 9 years ago | (#10599985)

What I would like to see is some security comparison of Microsoft software and FOSS, corrected for target size.

FOSS advocates often whine about MS insecurity, whereas MS advocates often claim MS only gets more break-ins because it's used more. The MS folks are probably not right in the Apache vs IIS case, but what about other cases? Is FOSS really more secure?

Unfortunately, I cannot think of any good way to measure this. Perhaps a little brainstorm on /. can come up with a good test, and some people can carry it out?

Re:What I Would Like to See (1)

eln (21727) | more than 9 years ago | (#10600261)

I think comparing relative security based on the number of break-ins is flawed to begin with. Just because people break into one type of system more doesn't mean it's less secure, it just means people break into it more. Would you use a system for your enterprise if you knew that there was a huge root exploit in it, but it only gets used once every few months, so chances are good you'll never get hit? I would certainly hope not.

The only way to really measure relative security is by the number and severity of known security holes in each system. If an operating system has 10 different security holes that are hard to exploit, and only give user-level access, it's more secure than another operating system that has 2 or 3 holes that are fairly easy to exploit and give root-level access.

Re:What I Would Like to See (4, Informative)

RealAlaskan (576404) | more than 9 years ago | (#10600324)

Well, he did address your question in the article [theregister.co.uk].

He did use the Apache case as a counter-example, because that's one of the few cases where MS and Libre software compete, and Libre is the larger target. In that case, the smaller target comes out looking more vulnerable. Is there something special about Apache which makes you think that it wouldn't work that way for other Libre projects? If you know something we don't, by all means share it.

... I cannot think of any good way to measure this.

Oddly enough, Petreley covered that question, too [theregister.co.uk].

Re:What I Would Like to See (1)

RAMMS+EIN (578166) | more than 9 years ago | (#10600578)

Actually, I don't think my questions have really been addressed.

The Apache case is one example where bigger target -> more break-ins doesn't apply, but that doesn't mean there isn't a trend.

The metrics set up are indeed good ones, but how do you gather data? Is Windows less secure, just because more critical holes are found? Just as many holes may lie undiscovered in GNU/Linux or some BSD. How do you make sure the search for flaws is well balanced? I don't think it's even possible.

amazing (-1, Troll)

plastic.person (776892) | more than 9 years ago | (#10600003)

I just visited this site for the first time in a year. It's truly amazing that you losers are still bitching about the M$ vs. Linux issue.

Linux is as good as dead, M$ rules the world. Yes their software sucks but it's still worlds more usable than anything you idiots will ever peck out in emacs, vi, or whatever the fuck editor you use nowadays.

Re:amazing (0)

Anonymous Coward | more than 9 years ago | (#10600428)

I peck shit out in OpenOffice.org these days. You still stuck with Word, huh?

biased? (2, Interesting)

Cat_Byte (621676) | more than 9 years ago | (#10600008)

Windows Design
Windows has only recently evolved from a single-user design to a multi-user model
Windows is Monolithic by Design, not Modular
Windows Depends Too Heavily on the RPC model
Windows focuses on its familiar graphical desktop interface
Linux Design
Linux is based on a long history of well fleshed-out multi-user design
Linux is Modular by Design, not Monolithic
Linux is Not Constrained by an RPC Model
Linux servers are ideal for headless non-local administration

Oh yeah, that's unbiased.

Re:biased? (1)

NardofDoom (821951) | more than 9 years ago | (#10600102)

How can the truth be biased? All of those statements are truthful, with only the last one showing any opinion whatsoever.

Re:biased? (0, Insightful)

Anonymous Coward | more than 9 years ago | (#10600533)

If you take good and bad statements and only apply the good to one and the bad to the other, it is bias. Do you think there isn't one bad thing about linux?

Linux is Modular by Design, not Monolithic ??? (1)

ktulu1115 (567549) | more than 9 years ago | (#10600615)

I hate to say it, but at first glance the article looks dead wrong. The linux kernel is monolithic by design, however it also incorporates modular (dynamic loading) drivers.

Granted, the general population reading this article won't know the difference, but it still seems misleading. At least they do expose the truth, just hidden well: "The Linux kernel supports modular drivers, but it is essentially a monolithic kernel where services in the kernel are interdependent."

Where's your argument? (0)

Anonymous Coward | more than 9 years ago | (#10600672)

Oh wait, there's none, you just claim the article is biased.

Interesting indeed.

Yet another Pro-Linux, Anti-Windows 'report' (4, Insightful)

MMaestro (585010) | more than 9 years ago | (#10600010)

Nicholas Petreley's former lives include editorial director of LinuxWorld, executive editorial of InfoWorld Test Center, and columns on InfoWorld and ComputerWorld. He is the author of the Official Fedora Companion and is co-writing Linux Desktop Hacks for O'Reilly. He is also a part-time Evans Data Analyst and a freelance writer.

Sorry, but as long as something like 90% of all the 'reports' about Linux being more secure and 'mythbusting' reports are written by Linux supporters or have some business in seeing Linux succeed, I'm going to take this with a grain of salt. I'm not trying to say Windows is safe, but you can't expect me to believe this when a 'report' like this comes out every other week. If this guy was an ex-Windows programmer I'd be more understanding, but "former lives include editorial director of LinuxWorld"? Somehow I doubt they ran Windows on their machines.

Who's this mystical unbiased person? (0)

Anonymous Coward | more than 9 years ago | (#10600088)

Who's gonna do this? Are you suggesting that a Pro-Microsoftie is capable of unbiased coverage?

Obviously not. Look, this is not an issue where you're going to get unbiased reporting. No one's going to do your critical thinking for you! You have to look at both sides, consider what they present, and use your brain (Yes, I believe many humans do have this strange device in their skulls).

I know it may be painful because you don't use it too much, but, do give it a try. It really helps.

Of course it is more secure (1, Insightful)

Anonymous Coward | more than 9 years ago | (#10600019)

The article was written by a person who has a vested interest in Linux. I'm not saying that Windows is more secure or not, but you need to take in the bias in the article objectively. It's like politics: one side always thinks their side is the right side.

PHB Mode - (*)On ( )Off (5, Funny)

NardofDoom (821951) | more than 9 years ago | (#10600020)

There are lots of long words and numbers in that article. And it's really long. It makes my brain hurt. Linux must be complicated if it takes that long to explain its security benefits. And if they have to hide them in a long article like that

And besides, last night while I was watching $stupid_cable_news_show I saw an ad for Microsoft. It said they were secure. Then I saw that same ad in $idiot_management_magazine. They can't advertise it if it's not true, so we should go with Windows Server 2003 for our new application.

And, besides, I just got Microsoft to sell Windows Server 2003 for $50 per copy by saying we'd switch to Linux. Here's the box, now go install it.

SELinux (4, Interesting)

Coryoth (254751) | more than 9 years ago | (#10600022)

I look forward to the Fedora SELinux project getting a good workable set of policies so that SELinux can default to being on for Fedora installs. Once that happens the "Linux is more Secure" claim will actually have some serious hard evidence behind it. SELinux and other Mandatory Access Control systems (anything hooking into the Linux Security Module in the kernel really) really are a serious step up in security, and there really is nothing comparable in the windows world.

A good way to think of MAC or SELinux is as a firewall between processes on your machine and the files and devices etc. on your machine. At the kernel level there is a set of rules, at pretty much as fine a grained level as you care to write, as to what can access what. It's well worth reading the FAQ [nsa.gov] to get a fuller idea of what we're talking about here.

Jedidiah.
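To make the "firewall between processes and files" picture concrete, here is an added example (not code from any comment above, and not from the SELinux project): a toy evaluator for SELinux type-enforcement `allow` rules. The policy text, the type names and the access requests are all constructed; it shows the default-deny behaviour in which a process type that passes the ordinary owner/mode check is still refused when no rule covers the operation.

```python
"""Toy model of SELinux type-enforcement (TE) access decisions.

Added example for the MAC discussion above; it is not code from any
comment or from the SELinux project.  It parses a few constructed
`allow` rules written in SELinux policy-source syntax and answers access
requests the way TE does: anything not explicitly allowed is denied,
even when the ordinary owner/mode (DAC) check would have let it through.
"""
import re
from collections import defaultdict

# Constructed rules in .te policy syntax.  Type names mirror the
# targeted-policy conventions (httpd_t, shadow_t, ...) but the set is a toy.
SAMPLE_POLICY = """
# web server may read its content and append to its own logs
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append create getattr open };
allow httpd_t http_port_t:tcp_socket name_bind;
# only sshd may read the shadow password file
allow sshd_t shadow_t:file { read getattr open };
"""

# allow <source_type> <target_type>:<class> <perm | { perm perm ... }>;
RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;$")


def parse_te_rules(policy_text):
    """Map (source_type, target_type, class) -> set of permitted operations."""
    rules = defaultdict(set)
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        source, target, tclass, perms = m.groups()
        rules[(source, target, tclass)].update(perms.strip("{} ").split())
    return dict(rules)


def te_allowed(rules, source, target, tclass, perm):
    """TE is default-deny: only an explicit allow rule grants an operation."""
    return perm in rules.get((source, target, tclass), set())


def decide(rules, source, target, tclass, perm, dac_allows):
    """Combine DAC and MAC the way the kernel does: both must say yes.

    Returns (granted, message).  On a MAC denial the message mimics the
    shape of an AVC audit record, which is what an admin greps for.
    """
    if not dac_allows:
        return False, f"denied by DAC before MAC was consulted ({perm})"
    if te_allowed(rules, source, target, tclass, perm):
        return True, f"granted {{ {perm} }} {source} -> {target}:{tclass}"
    return False, (f"avc: denied {{ {perm} }} scontext={source} "
                   f"tcontext={target} tclass={tclass}")


if __name__ == "__main__":
    rules = parse_te_rules(SAMPLE_POLICY)
    # A compromised web server process running as root would pass DAC on
    # /etc/shadow, but TE still refuses because no rule covers it.
    print(decide(rules, "httpd_t", "shadow_t", "file", "read", dac_allows=True)[1])
    print(decide(rules, "sshd_t", "shadow_t", "file", "read", dac_allows=True)[1])
    print(decide(rules, "httpd_t", "httpd_log_t", "file", "append", dac_allows=True)[1])
```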

Or a better alternative (5, Informative)

Anonymous Coward | more than 9 years ago | (#10600429)

RSBAC should perhaps be considered. It is far more modular, has been in production use a lot longer, and has none of the disadvantages of selinux (e.g. works with any filesystem, needs no patches to filesystems, doesn't break other kernels on the same machine). It has a list of protections, has official PaX and virus (malware) scanner support, and the developer is always willing to take ideas from people and quickly fix issues. I would be interested in a detailed comparison of the two between slashdotters, thoughts and experiences etc. But from everything I can see, RSBAC seems far superior. RSBAC.org [rsbac.org]

If I had a nickel... (1)

Ninwa (583633) | more than 9 years ago | (#10600027)

for every time someone wrote yet another comparison between the two OSes to restate what's already known... well, I don't know what I'd do with the money, probably buy some computer parts, but I'd have a lot of it!

Re:If I had a nickel... (1, Funny)

Anonymous Coward | more than 9 years ago | (#10600482)

but what if you had a nickel taken away for every time the conclusion was wrong?

Articles like this... (2, Insightful)

TrollBridge (550878) | more than 9 years ago | (#10600032)

...are usually dismissed as "astroturfing" when Microsoft comes out on top.

Notice they compare to Windoze to Dead Rat Linux (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10600037)

I noticed they picked Dead Rat Linux to compare Windoze to. From my reviews of security update lists, Dead Rat has the most patches to fix vulnerabilities they added in.

.Net and windoze sucks (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10600118)

.Net and windoze sucks; it's buggy as hell. I am shocked morons still use it.

Re:.Net and windoze sucks (0)

Anonymous Coward | more than 9 years ago | (#10600678)

And I'm shocked your mother didn't swallow you. What's your point?

meh... (5, Insightful)

The_reformant (777653) | more than 9 years ago | (#10600133)

meh.. any system is only as secure as its users anyway.. which I suspect is why linux has practically no problems.

Basically anyone who knows what a terminal window is isn't likely to run suspect attachments or not configure a firewall

enterprise 03 (3, Insightful)

man_ls (248470) | more than 9 years ago | (#10600161)

The author bashes Enterprise Server 2003 as being unstable, quoting MS's average uptime of around 59 days as evidence of this.

What people forget to mention is that MS security patches seem to like reboots, due to the way file locking works on Windows. Thus, whenever a "critical" flaw is released, they have to either patch it with a workaround (firewall rules, etc.) or reboot the server.

When I was running an internal-only Enterprise 2003 server (behind several firewalls, no public IP) the only reboots I ever experienced were those related to environmental factors: the power went out for longer than the UPS could keep the server online for; etc.

After I started maintaining an externally-accessible 2003 server, I configured autopatching on it from Windows Update, and it reboots itself about once a month.

According to my calculations, this still meets the 99.9999% reliability that MS claims the server to be able to provide, on enterprise-grade hardware (and what I am running on is decidedly not enterprise-grade, unless eMachines has recently broken into the enterprise market and I forgot to read the press release.) Reboots take about 4 minutes to shut down, restart, wait for the services to resolve themselves, and try again. If I were so inclined, I could tweak this to be lower (1 whole minute is because the web server loads before the network module does, can't find an IP to bind to because IP isn't enabled yet, fails to load, and then waits to retry.)

It's a different design philosophy. My systems don't get "crufty" and crash, but they do have to be rebooted to apply security fixes. However, 4 minutes a month isn't a hardship, and anyone who says it is needs to either look into something transparently redundant, fault-tolerant, or reevaluate why they are so dependent on that one system in the first place.

Re:enterprise 03 (1)

Lolaine (262966) | more than 9 years ago | (#10600523)

AFAIK, UPS backup is meant to shut the server down safely, not to make uptime numbers look better :) ... On the other hand, Why reboot a machine once a month? Memory Leaks? 4 min rest time?

Uh, I forgot that those Patches required rebooting the system (not the service involved), sorry.

Re:enterprise 03 (0)

Anonymous Coward | more than 9 years ago | (#10600634)

The only reason to reboot a *nix machine is for a kernel upgrade so what you seem to be saying is:

4 minutes a month isn't a hardship, and anyone who says it is needs to either look into something transparently redundant, fault-tolerant, or reevaluate why they are so dependent on that one system in the first place.


For high availability: use *nix! Which I assume is the point you were contesting?

Re:enterprise 03 (4, Insightful)

hehman (448117) | more than 9 years ago | (#10600658)

After I started maintaining an externally-accessible 2003 server, I configured autopatching on it from Windows Update, and it reboots itself about once a month.

According to my calculations, this still meets the 99.9999% reliability that MS claims the server to be able to provide


Better revisit those calculations. Six 9s of reliability means that you're down for no more than 30 seconds a year. Unless your reboots take less than 3 seconds, you're already not meeting that metric.

Besides which, five 9s (5 minutes a year) is considered carrier-grade. There isn't as firm a standard for enterprise-grade, but it usually permits occasional scheduled downtime outside business hours, and is usually in the two to four 9s range.

BTW, I couldn't find anywhere that MS claims six nines of reliability; do you have a source?
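The "nines" arithmetic in this sub-thread, worked through as an added example (not part of any comment): it takes the figures the posters quote (4-minute reboots, one a month, a "six nines" claim) and shows what availability they actually yield and what each nines target permits per year.

```python
"""Availability arithmetic for the reboot-per-month figures in the thread.

Added example, not part of any comment.  Inputs are the numbers quoted
above (4 minutes per reboot, twelve reboots a year) plus the usual
definition of "n nines": downtime no more than 10^-n of the year.
"""
import math

MINUTES_PER_YEAR = 365 * 24 * 60


def availability(downtime_minutes_per_year):
    """Fraction of the year the system is up."""
    return 1.0 - downtime_minutes_per_year / MINUTES_PER_YEAR


def nines(avail):
    """Count of leading nines in an availability figure (0.9999 -> 4)."""
    if avail >= 1.0:
        return math.inf
    return int(math.floor(-math.log10(1.0 - avail)))


def downtime_budget_seconds(n_nines):
    """Seconds of downtime per year permitted by an 'n nines' target."""
    return MINUTES_PER_YEAR * 60 * (10.0 ** -n_nines)


def reboot_schedule_meets(n_nines, reboots_per_year, minutes_per_reboot):
    """Does planned reboot downtime alone fit inside the nines budget?"""
    planned_seconds = reboots_per_year * minutes_per_reboot * 60
    return planned_seconds <= downtime_budget_seconds(n_nines)


if __name__ == "__main__":
    a = availability(12 * 4)  # twelve 4-minute reboots a year, as posted
    print(f"availability {a:.6%}, i.e. {nines(a)} nines")
    for n in (3, 4, 5, 6):
        print(f"{n} nines allows {downtime_budget_seconds(n):.1f} s/year; "
              f"monthly 4-minute reboots fit: {reboot_schedule_meets(n, 12, 4)}")
```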

Alright! (0)

Anonymous Coward | more than 9 years ago | (#10600176)

Windows security versus Linux security. What's better?

I bet the next article will be "the Miami Dolphins versus the Arizona Cardinals. Who's better?" For non-football fans, we can discuss the LA Clippers vs the Washington Wizards.

Fascinating!

Trite Political Joke (4, Funny)

Mad Martigan (166976) | more than 9 years ago | (#10600178)

Petreley concludes that Microsoft's efforts to dispel Linux "myths" are based largely on faulty reasoning and overly narrow statistical analysis.

Microsoft, official platform of the 2004 presidential campaign.

This is simply a very poor copy of the summary.. (1)

bill_kress (99356) | more than 9 years ago | (#10600205)

..at the head of the article

Someone tried to get it in there quickly for extra mod points or something, please mod it back down--yuck

Window vs OS X (5, Insightful)

linuxpyro (680927) | more than 9 years ago | (#10600251)

Though this was interesting, it would be nice to see something comparing OS X security to Windows security. When you think about it, they're both relatively proprietary OSes. Sure, Microsoft has their "Shared Source" stuff, and OS X is based on Open Darwin, but really the two would be a better match because of their commercial status.

Sure, there are enterprise Linux distros from companies like Red Hat, but you can still get a lot of use out of a non-commercial distro. There are so many ways that you can change Linux to make it more secure that comparing it to a rigid commercial OS is a bit inappropriate. I'm not saying that I think the article was pointless, just that we should give equal attention to systems like OS X or even some of the other commercial UNIX distros for that matter.

In other news.. (-1, Offtopic)

Lazy T (788616) | more than 9 years ago | (#10600308)

Kerry vs Bush? Read all about it here: http://www.georgewbush.com/ [georgewbush.com]

Re:In other news.. (0)

Anonymous Coward | more than 9 years ago | (#10600666)

All I see there is a scared monkey...

Not designed for security (5, Interesting)

QuietLagoon (813062) | more than 9 years ago | (#10600322)

"I'm not proud," [Brian] Valentine [senior vice president in charge of Microsoft's Windows development] said, as he spoke to a crowd of developers here at the company's Windows .Net Server developer conference. "We really haven't done everything we could to protect our customers ... Our products just aren't engineered for security."

http://www.infoworld.com/articles/hn/xml/02/09/05/020905hnmssecure.html [infoworld.com]

Nothing to do with linux (1)

sporty (27564) | more than 9 years ago | (#10600326)

The failure of windows and success of linux has nothing to do with linux's unique design. It is a mimic of unix to some degree, which does things in layers and all that goodness. The same can be said about OpenBSD, HP-UX, OSX and a few others.

Re:Nothing to do with linux (0)

Anonymous Coward | more than 9 years ago | (#10600661)

I think you mean "faults of Windows" as opposed to failures. If those billions upon billions of dollars are a failure, you'd be hard pressed to find any successes in the history of anything.

I'll mention the "other os"... (0)

Anonymous Coward | more than 9 years ago | (#10600334)

a proof-of-concept, but a good enough incentive to keep your machines patched!

http://www.macintouch.com/opener.html
http://freaky.staticusers.net/ugboard/viewtopic.php?t=10712

The Reg is experiencing a DDOS attack... (1)

dpbsmith (263124) | more than 9 years ago | (#10600352)

...no, I'm not kidding [thewhir.com] and I'm not talking about slashdotting. So special thanks are due to the poster of the "In case of slashdotting" article.

I haven't been able to connect to The Register for three days now, BTW. I'm glad that others have been able to.

Is this really another Roland Piquepaille post? (1)

samberdoo (812366) | more than 9 years ago | (#10600360)

Haven't we all heard this stuff before?

Linux modular? (0)

Anonymous Coward | more than 9 years ago | (#10600394)

Hahahahahahahaaahahahahahaahahahahahahahaha*cough* hahaahaaahahahaaaaa...

What a load of tripe.

Reverse FUD... (0)

Anonymous Coward | more than 9 years ago | (#10600427)

Just when you thought MS Marketing were the best at this kind of thing, along comes an article like this from the Linux camp. Of course it's immediately hailed as the gospel from /.ers without any discussion on the merits of its actual content. But if you look closely, isn't this just reverse FUD?

Windows just might be ahead of *NIX here... (1, Interesting)

mcrbids (148650) | more than 9 years ago | (#10600478)

OK, shocker subject line. But, in a sense, it's true!

I've read about the fact that while XP/SP2 contains numerous changes that present real improvements, it is largely a recompile of XP with a new compiler that enforces buffer size.

While that doesn't fix buffer overrun bugs, it certainly limits their potential negative security implications. When will this buffer enforcement be available for gcc!?!? I know, there are 3rd party apps, but as long as it's a 3rd party app, I won't get these benefits with a torrent-obtained Debian CD...

I would be perfectly happy to live with a few percentage points of performance hit to get this benefit!

IE messages, security features and windows updates (2, Informative)

herve_masson (104332) | more than 9 years ago | (#10600544)

When I open some page on IE6, it asks me "do you want to allow software such as activeX controls and plugins to run"... What am I supposed to think?? And how should I respond? Yes? No? (s/me/my parents/). Why on earth does it not tell me that this page contains something that requires "macromedia flash" to render? At least, I could somewhat distinguish between spyware and things that I need to see. And if they were even a little smarter, it could memorize this choice for later instead of bugging me every time.

This type of implementation of security-related features is precisely why nobody uses them and people get their machines bloated with spyware, malware, viruses and such.

The inability to update a machine via a 56k modem is probably another reason why I know so many friends running unpatched OSes (any offline installable M$ update anyone ?). Grrrrrrr....

The MS take on it (4, Interesting)

RealProgrammer (723725) | more than 9 years ago | (#10600565)

I used to wonder at the blinders-on group think of the hidden source folks. The elaborate unreality of their arguments was a puzzle, until I figured it out [healconsulting.com]. Now I understand; it's all about the dream.

While some might dismiss the article because he is a Linux advocate, that's missing the point. His piece is geared toward Linux advocacy, but avoids the usual rhetoric. I kept looking for the usual Gates bashing, but didn't find any.

What I found instead were hard facts, distilled from public data. He didn't say, "I performed some tests which prove Linux is better." He took the publicly available information, analyzed it, and reported the results.

The response by the Microsoft marketing droids and vassal fudmeisters will be instructive to anyone who really thinks about it. Don't take away their dreams of a gold mine, at least not until they've got a Ferrari just like the guy in the next cube.

Microsoft - Standard Oil (4, Insightful)

jxs2151 (554138) | more than 9 years ago | (#10600569)

Read a book or two about coal, railroads, oil, computers and you'll find the verbiage and scare tactics used by the leaders of these industries are pretty similar to what Microsoft is saying now.

"Open Source Software is inherently dangerous"

Weasel words like "inherent" are convincing to dumbed-down folks. /. ain't buying it though. God bless individualism.

"Statistics 'prove'..."

Ahhhh, the old "who can argue with scientific fact" line.

Provide us with "science" to back up this claim. Properly vetted, peer-reviewed science from an unbiased source, unfunded by those with a vested interest in the outcome please.

The psychological use of fear and "scientific" studies to convince the average American is not new. Read carefully the language of Microsoft and you'll hear JD Rockefeller, Andrew Carnegie, JP Morgan, etc. What you have to read carefully to find is their own fear that they are losing monopoly control. Big Oil was able to buy corrupt officials and maintain their decidedly un-capitalist ways. Will Microsoft?

Windows Uses Spheres (4, Funny)

Ironsides (739422) | more than 9 years ago | (#10600671)

I don't know what this guy is talking about. Windows uses spheres for permissions to run stuff. On the inside, you have all Microsoft Programs and on the outside you have all Non-Microsoft programs. See? They use spheres just like Linux.