Study Finds Windows More Secure Than Linux

Zonk posted more than 9 years ago | from the an-interesting-definition-of-secure dept.

Security 796

cfelde writes "A Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, 'Security Showdown: Windows vs. Linux.' One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint."

796 comments

Just what we need... (5, Insightful)

Rollie Hawk (831376) | more than 9 years ago | (#11701187)

... another pissing match.

Re:Just what we need... (0)

Anonymous Coward | more than 9 years ago | (#11701391)

Windows security vs. Linux security isn't a pissing match, it's a chopsticks vs. axe match.

Another study (5, Funny)

suso (153703) | more than 9 years ago | (#11701189)

Study finds Slashdot as repetitive as Philip Glass

Re:Another study (1)

mpathetiq (726625) | more than 9 years ago | (#11701242)

Insightful? Hilarious!

Multiple orgasms for men (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11701292)

If women can have multiple orgasms, why can't men? I mean what's the biological reason us men are one-shot wonders?

I'm stoned out of my head now, but I really think this requires more research. Imagine the profits if you could develop a drug that would allow men to experience one orgasm after another!

Re:Multiple orgasms for men (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11701371)

If women can have multiple orgasms, why can't men?

Speak for yourself, buddy...

Tantric sex fool (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11701459)

I guess you're one of those fools who believe in tantric-sex? Sorry to rain on your parade, but it's all about self-hypnosis.

Re:Tantric sex fool (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11701494)

So, one shaky pseudo-scientific theory explains another? What are you, a chiropractor?

Re:Multiple orgasms for men (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11701413)

It's simple. Women are designed to receive sperm from multiple male donors. Sperm fight each other for the prize. Men should fuck, come quickly, then faint, to offer no resistance to the next male. Then the next guy should mount her. Multiple orgasms keep the woman interested. This is to guarantee hybrid vigor. We fucked it all up with our weird notions of marriage and couples.

Knock Knock Joke (5, Funny)

R2.0 (532027) | more than 9 years ago | (#11701452)

Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?

Phillip Glass

My 8 year old daughter, a great aficionado of knock knock jokes, didn't appreciate it.

Re:Another study (-1)

Anonymous Coward | more than 9 years ago | (#11701460)

Or as repetitive as Rush.

Integrity? (5, Informative)

samtihen (798412) | more than 9 years ago | (#11701190)

Well, apparently this is the second time Microsoft has come out on top of a research project by Mr. Richard Ford [fit.edu].

http://www.virusbtn.com/magazine/articles/letters/2004/01_01.xml [virusbtn.com]

Apparently there was some question to the validity of an earlier project because it was sponsored by Microsoft.

However, I would like to note that both researchers seem very well educated, especially in computer security. And, additionally, they both note that a lot more could be done to lock down the Linux server.

Re:Integrity? (2, Informative)

Anonymous Coward | more than 9 years ago | (#11701236)

ummm.... both the article linked in the original story and the article linked by your post are about the same study.

More FUD (0, Redundant)

essreenim (647659) | more than 9 years ago | (#11701265)

Yeah, and I'm getting tired of it.

Oh, Washington. The same state as the head of Microsoft and the home of the tyrant himself...with a report about Windows security being better than Linux..and with X thousand MS employees in Washington state...oh...it must be credible

leeeeeeese, move along now.....

Re:More FUD (4, Funny)

Otter (3800) | more than 9 years ago | (#11701339)

Ummm, Florida isn't in Washington. Or if it is, we have bigger problems going on than Linux or Windows vulnerabilities.

And, to the grandparent -- if you read your own link, the previous study was not sponsored by Microsoft.

Re:More FUD (0)

Anonymous Coward | more than 9 years ago | (#11701393)

The way I took it was that the program was sponsored by Microsoft; the specific study was not funded by them.

Re:More FUD (3, Insightful)

Anonymous Coward | more than 9 years ago | (#11701383)

Typical.

A study comes out saying Linux is better than Windows? Praise it to high heavens! We knew it all along!

A study comes out saying Windows is better than Linux? Question the results, impugn the source and dig as deep as it takes to find some political or financial affiliation between them and Microsoft, no matter how asinine or inconsequential.

A lot more could certainly be done... (5, Insightful)

emil (695) | more than 9 years ago | (#11701313)

OpenBSD runs chroot() Apache. Does IIS have similar capability?

The chroot() patch was never taken up, but it would probably not be that difficult to install on Linux.

I would be disinclined to run any other way at this point.

Re:Integrity? (5, Insightful)

leuk_he (194174) | more than 9 years ago | (#11701376)

from the article

Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.


I hoped for a deeper analysis, like the security model used or how it behaves in networks. But it just comes back to counting vulnerabilities.

--Nothing to see here, move on.

Re:Integrity? (1, Informative)

bonch (38532) | more than 9 years ago | (#11701443)

It said the criteria "included" the number of vulnerabilities. It didn't say that was the whole basis of the study; it was just one factor. Hardly a reason to dismiss the study.

Re:Integrity? (5, Insightful)

jedidiah (1196) | more than 9 years ago | (#11701434)

This study appears to be a clear example of redefining terms and using statistics to muddle an issue. While the conclusion of the study might be valid given the assumptions, I challenge the assumption.

I challenge the assumption that Redhat vulnerabilities are equal to Microsoft vulnerabilities.

Given the history of malware, they clearly are not.

This study is nothing more than a more formalized version of a certain form of trolling once popular on COLA.

Credibility? (-1, Troll)

drgonzo59 (747139) | more than 9 years ago | (#11701473)

The "two Florida researchers" phrase is where I stopped reading the article. The only things they should be researching is beach parties, mixed drinks and slutty Spring break chicks.

I can see them submitting a paper to a journal with the conclusion "Well, like, you see, Laynex is this new windowz thang, but not as cool cuz Microsoft gave us money to party and do like research and stuff"

I LIEK PIE (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11701198)

I LIEK PIE

Hardly scientific isn't it? (0, Flamebait)

gelfling (6534) | more than 9 years ago | (#11701200)

And how many people run Win2003 server at home? People should understand that the plural of anecdote is not data.

Re:Hardly scientific isn't it? (3, Insightful)

Assmasher (456699) | more than 9 years ago | (#11701282)

Did you notice that this was a study aimed at IT administrators, not home users?

Re:Hardly scientific isn't it? (1, Informative)

Anonymous Coward | more than 9 years ago | (#11701423)

And how many people run Win2003 server at home? People should understand that the plural of anecdote is not data.

If you are going to make a comment about the validity of the data, at least RTFA you ignorant clod.

"They compared Windows Server 2003 and Red Hat Enterprise Server 3 running databases, scripting engines and Web servers (Microsoft's on one, the open source Apache on the other). "

How many people run RH Enterprise Server at home?

Re:Hardly scientific isn't it? (2, Insightful)

Soukyan (613538) | more than 9 years ago | (#11701471)

How many people run Red Hat Enterprise 3 at home? Did you bother to read the article?

Re:Hardly scientific isn't it? (0, Redundant)

bonch (38532) | more than 9 years ago | (#11701492)

Just as many as who run a Linux server at home? Why not?

From the article:

"I actually was wrong. The results are very surprising, and there are going to be some people who are skeptical," said Richard Ford, a computer-science professor at the Florida Institute of Technology who favors Linux.

Clearly, we're seeing that happen in this discussion!

Re:Hardly scientific isn't it? (0)

Anonymous Coward | more than 9 years ago | (#11701497)

Also if it's similarly set-up, how come one is more secure than the other? Isn't that by definition not similarly set up? Research: conclusion denies premise.

These studies are pointless. Both can be secure (5, Insightful)

Mustang Matt (133426) | more than 9 years ago | (#11701217)

I don't get it. I guess I need to read the article.

A webserver needs port 80 and maybe 443 open. Any webserver can be secured.

Where's the news?

Re:These studies are pointless. Both can be secure (-1)

Anonymous Coward | more than 9 years ago | (#11701277)


I don't get it. I guess I need to read the article.

Are you sure you belong here?

A webserver needs port 80 and maybe 443 open. Any webserver can be secured.

You are definitely in the wrong section. This is slashdot, and it's a "windows is bettah than linux, w00t!" story. Your logic and common sense has no place here, get with the program!

Re:These studies are pointless. Both can be secure (2, Insightful)

orion41us (707362) | more than 9 years ago | (#11701336)

Yea, but I can overrun the buffer by posting a crapload of data to 80 and winsock will crash and execute some code I cooked up.... better yet, unless the website designers were diligent in using valid character checking I can use sql injection on ms sql server (mysql?) and have the server ftp out to my system and download any software I want....

Re:These studies are pointless. Both can be secure (0)

Anonymous Coward | more than 9 years ago | (#11701392)

In the article?

Re:These studies are pointless. Both can be secure (2, Insightful)

Tackhead (54550) | more than 9 years ago | (#11701422)

> I don't get it. I guess I need to read the article.
>
> A webserver needs port 80 and maybe 443 open. Any webserver can be secured.

A workstation doesn't even need that.

Not counting the (numerous) local exploits caused by IE, WMP, Outleak and other applications getting pwn3d by their handling of hostile content, the big (i.e. "remotely exploitable without user intervention") holes in Windows all stem from M$'s unstated design assumption that "all the world's an office LAN", and the open/listening status of ports 135, 445, 5000 (anyone remember uPnP, the first 2K/XP remote exploit?), UDP-1434 (SQL server) and the like.

If your business is based on selling an office application suite (and you're trying to extract a few more bucks from your office suite sales by requiring that someone buy your operating system to run it), then assuming that all the world's an office LAN is a pretty natural thing to do. It's wrong, it's flawed by design, and it's the canonical example of valuing ease of use over security, but it's pretty natural.

Sigh... (1, Funny)

Anonymous Coward | more than 9 years ago | (#11701223)

Let the self-righteous defensiveness begin!

Newsflash... ONE Linux Fan.. (4, Insightful)

Staplerh (806722) | more than 9 years ago | (#11701237)

Interesting. Some relevant snippets:

A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

In an academic study due to be released next month Dr Richard Ford, from the Florida Institute of Technology, and Dr Herbert Thompson, from application security firm Security Innovation, analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.


Now, I'll concede that Dr. Ford and Dr. Thompson do sound reputable, but one is an admitted Windows enthusiast and the other one is a Linux fan who changed his mind; this hardly sounds like a study.

It's an interesting question, and I'm sure there is no clear cut answer, but a more systematic study (with more parties, rather than just two scientists) is going to be needed to answer this sort of question before the 'results' are trumpeted. I'm sure Microsoft will pick this one up and run with it, however.. more of those annoying ads that seem peppered throughout Slashdot.

Not only that, but I find this quote odd.. (5, Insightful)

schon (31600) | more than 9 years ago | (#11701317)

A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

Umm, so MS showed him their source code? I find that a little hard to believe.

If he can't see the source, how can he make any determination at all?

Re:Not only that, but I find this quote odd.. (0)

Anonymous Coward | more than 9 years ago | (#11701407)

If he can't see the source, how can he make any determination at all?

Most OSS people would never recognize a security hole in a program. Source is irrelevant. You lurk the whitehat/blackhat sites and try their best tools against your setup. That's how you do it.

Re:Newsflash... ONE Linux Fan.. (0, Flamebait)

alienw (585907) | more than 9 years ago | (#11701472)

Reputable my ass. The Ford guy is at a crappy school, doing what basically amounts to fluff "research" in BS areas like e-commerce or "software testing". On top of that, his PhD is in semiconductor physics, of all things. Why he is a research professor of computer science I do not know, but he does not seem to be someone who knows what he is talking about.

Not again... (5, Insightful)

PoprocksCk (756380) | more than 9 years ago | (#11701238)

"Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued."

So Windows is more secure than Red Hat because Microsoft chooses to report fewer vulnerabilities and release fewer patches? Hmmm...

(Move along, nothing new to see here.)

Latter day McCarthyism in action (0)

Anonymous Coward | more than 9 years ago | (#11701450)

If Microsoft patches more vulnerabilities, then they're obviously insecure, because they have more security holes.

If Microsoft releases fewer patches, then obviously they're insecure, because they're hiding the holes.

Thy logic blows my mind.

Re:Not again... (1)

TheABomb (180342) | more than 9 years ago | (#11701470)

Wow. Not only is that airtight logic, it's also the first time such a bold claim has ever been postulated. These researchers may go down in history for that.

Non Story (4, Insightful)

bfree (113420) | more than 9 years ago | (#11701241)

Until the report is released this is a non-story, just fuel for the FUD machine. Unfortunately we will have to wait for a month to actually discuss what this means, so I don't even know why I am bothering to post to this!

The security of a server... (5, Insightful)

jmcmunn (307798) | more than 9 years ago | (#11701244)

...is only as good as the security of the admin setting it up. It doesn't matter how many updates need to be run, whether one or one hundred. If the system admin doesn't keep the server up to date, it's only a matter of time until the server will be vulnerable.

Now let the flaming begin, so you can all argue about the number of patches/updates required for each system, how long it takes for Linux/Windows to respond to problems, and all that good stuff. We all know that's the only reason this kind of story shows up on Slashdot is to start a good flame/troll war! :-)

Re:The security of a server... (3, Insightful)

cameroon33 (720410) | more than 9 years ago | (#11701382)

Exactly. Don't miss the part where they say that both servers were generic builds:

-----------
Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.

Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
---------

Define 'Wizard', and this may be informative. Otherwise, it's bunk.

Self-Evident (5, Insightful)

Wvyern (701666) | more than 9 years ago | (#11701246)

"...Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance." By his own admission the Linux administrator is a "Wizard" compared to the average MS Systems Admin. Well, that just about says it all doesn't it?

I'm no zealot (5, Insightful)

InfallibleLies (654694) | more than 9 years ago | (#11701259)

of either Linux or Windows, but really, how is one more secure than the other? If there's an equally exploitable hole in each, is it the one that gets fixed faster more secure? If it is, then the only thing making one more secure than the other is the administrator. He/She's the only one who can patch their systems by actually downloading the patch and applying it.

No matter how fast a patch is issued, you still have to install it for it to work.

Re:I'm no zealot (1)

AviLazar (741826) | more than 9 years ago | (#11701484)

I think they took a number of factors: 1) how many security holes 2) their severity (so probably a severe threat is worth 3 points, while a minor threat is worth 1 point), and 3) the speed of the patches once the threat becomes known to the company.

Number three is very important and easily rated. If a company finds out today of a breach, and takes a few hours to fix it -- that is a whole lot better than a company that takes two weeks to fix it.

As for the speed of the admin - The OS provider's responsibility ends once they release a successful patch (as far as this study is concerned). If it takes the admin a month to install it because he has been sitting on his butt for a month - that is his fault alone and has ZERO relation to this study or the quality of the OS.

Delay in announcing MS vulnerabilities? (4, Insightful)

Saint Stephen (19450) | more than 9 years ago | (#11701262)

Doesn't Microsoft encourage delaying announcing vulnerabilities until a patch is available?

Re:Delay in announcing MS vulnerabilities? (1)

InfallibleLies (654694) | more than 9 years ago | (#11701310)

Seems like a good idea to me.....

So we found this hole in sendmail that can bring down a mailserver by...hmm, my email isn't working....

Want to start a flame war? (1, Redundant)

Chris Daniel (807289) | more than 9 years ago | (#11701278)

"I want to start a flame war on Slashdot!" Solution: post an article saying Windows > Linux in any fashion :-P

Enthusiast?! (4, Funny)

Vollernurd (232458) | more than 9 years ago | (#11701281)

How the hell can anyone claim to be a "Microsoft enthusiast"?! It's hardly a hobby.

Re:Enthusiast?! (1)

tehshen (794722) | more than 9 years ago | (#11701337)

I think it could be more of an occupation. Anyone else think he got paid to say what he did?

Re:Enthusiast?! (0)

Anonymous Coward | more than 9 years ago | (#11701355)

By being enthusiastic in their use of Microsoft products.

Just like one could say that you appear to be a "Retarded Comment Enthusiast".

Re:Enthusiast?! (1)

Quiet_Desperation (858215) | more than 9 years ago | (#11701372)

How the hell can anyone claim to be a "Microsoft enthusiast"?!

My grandmother claimed to be a lemur before exiting this mortal coil. You can *claim* anything.

It's hardly a hobby.

Only to the extent that heroin addiction is a hobby.

Bob: Hello. My name is Bob.
MS Anonymous members: Hi, Bob.
Bob: I'm a 41 year old IT manager at a fortune 500 company... and I'm a Microsoft-aholic...
Joe's pal Ned who runs the hardware store: We're here for you, Bob.

Hardly a study (4, Insightful)

metatruk (315048) | more than 9 years ago | (#11701289)

This was hardly a study. I don't see any data presented here, and certainly no methodology used to gather the data. Sorry, but the scientific method always wins.

Sorry, but this "study" is not a study.

Why was this even posted?

Well at least it's nice... (3, Insightful)

Caeda (669118) | more than 9 years ago | (#11701295)

That they actually admit in the article that they set up the linux server as the absolute default, changed no security settings, left it just as it comes right out of the box... As they specifically state, they left the minimum configuration in place and linux users might do more. Basically implying the study is a pile of sh*t since no company in their right mind would opt for a total linux solution and then leave the webservers running without changing any settings...

Do Linux companies provide free service packs? (0)

Anonymous Coward | more than 9 years ago | (#11701365)

Uh. Whenever I set up a server at work I expect it to be secure out of box or at least update itself automatically. Fiddling around with the kernel and following up on the security releases might be your cup of tea, but in a corporate environment you don't have time for all that.

Windows 2003 loads and installs security patches and service packs by itself. Does Linux do the same?

RTFA then talk (4, Funny)

digitalgimpus (468277) | more than 9 years ago | (#11701306)

Read it for yourself. It reads:

"Believe it or not, a Windows Web server is more secure than a [i]similarly set-up[/i] Linux server, according to a study presented yesterday by two Florida researchers."

So when you load a linux server with software that has known security holes....they are both equally as secure.

It's not groundbreaking news.

Re:RTFA then talk (1)

nberardi (199555) | more than 9 years ago | (#11701332)

I think you are missing the point. Two similarly set-up machines. What use is Linux as a server if it doesn't have any software on it used for serving web pages?

In other news . . . (2, Funny)

Leroy_Brown242 (683141) | more than 9 years ago | (#11701312)

. . . 2 Florida researchers were seen speeding away from their work places in new Ferraris wearing Armani suits. . .

Reproducibility? (3, Insightful)

RenHoek (101570) | more than 9 years ago | (#11701319)

I wish they'd post some info about the tests themselves. At least what kind of setups they used, where they got the info about vulnerabilities and patches, and so forth..

Such professional sources (2, Insightful)

diamondsw (685967) | more than 9 years ago | (#11701320)

A "Linux fan" and "Microsoft enthusiast" trying to cut through the near-religious arguments?

I'll take a nice report by computer scientists and security experts about overall system design over crap papers like this any day.

The real vulnerability (1)

cyberchondriac (456626) | more than 9 years ago | (#11701325)

in Windows is probably not so much Windows itself as the clueless end-users and lazy sysadmins that often run it. The majority of Windows' virus and worm attacks in the past 2 years were preventable with proactive monitoring and definition updates, but it just wasn't done.
We have a few Win32 servers here, but those are administered by outside vendors. That was the box that got hit by slammer 2 years ago.
I'm not justifying an OS with holes, but there is NO justification for sysadmins who let them go unplugged.

Similarly set up? (1)

PoopJuggler (688445) | more than 9 years ago | (#11701349)

"..The IIS webserver running on Windows performed flawlessly, while the exact same IIS webserver would not even run on Linux, obviously due to Linux's failures of security and interoperability..."

From the website of the sponsor (2, Informative)

Hockney Twang (769594) | more than 9 years ago | (#11701350)

Security Innovation is a certified Microsoft partner for security services. We have both the Microsoft SWI and ACE certifications as an authorized professional services provider for Microsoft technologies.

I'll allow you to jump to your own conclusions.

What a joke (1)

aztektum (170569) | more than 9 years ago | (#11701353)

The first article says that the configurations were basically out of the box, to replicate what your average non-wizard administrator would setup. *coughMCSEscough* Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance. This is not the comparison you are looking for. Move along.

"Days of Risk" vs. Full Disclosure (5, Insightful)

Daedala (819156) | more than 9 years ago | (#11701361)

Neither article defined "days of risk" to my satisfaction. Is it "days since the vulnerability was published" or "days since the vendor was informed of the vulnerability"? I suspect that Microsoft is more likely to hear things privately early. ASN.1 library anyone? It was discovered in July 2003, and announced and patched in February 2004. Was that six months of risk or one day?

Secondly, there's no discussion of how the criticality of a vulnerability was weighed. If every "day of risk" for Windows was "critical," and every "day of risk" for RedHat was "moderate," then I'd differ with their conclusions. Further, there was no mention of whether they considered actual exploits in the wild.
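The two definitional questions raised in this thread, what "days of risk" is counted from (Daedala above) and how severity is weighted into the score (AviLazar's guessed three-point/one-point scheme earlier), can be made concrete with a small calculator. The following is an added example; it is not code from the study, the articles, or any poster. The two vendors, their vulnerability records, dates and severity weights are all constructed for illustration and are not the study's data; the "notified" basis stands for a private report to the vendor and the "published" basis for public disclosure.

```python
from dataclasses import dataclass
from datetime import date

# Constructed severity weights in the spirit of the 3-point / 1-point scheme
# speculated about in the thread; the real study's weighting is not public here.
SEVERITY_WEIGHT = {"critical": 3, "moderate": 2, "low": 1}

BASES = ("published", "notified")


@dataclass(frozen=True)
class Vuln:
    """One vulnerability record with the three dates the metric can hinge on."""
    name: str
    severity: str
    vendor_notified: date  # private report reached the vendor
    published: date        # public disclosure
    patched: date          # fix made available

    def days_of_risk(self, basis: str) -> int:
        """Days from the chosen start event to the patch.

        basis='published' counts only publicly known exposure;
        basis='notified'  counts from the private report onward.
        """
        if basis not in BASES:
            raise ValueError(f"basis must be one of {BASES}, got {basis!r}")
        start = self.published if basis == "published" else self.vendor_notified
        # A patch that ships the same day as disclosure yields zero public days.
        return max((self.patched - start).days, 0)


def average_days_of_risk(vulns, basis: str) -> float:
    """Unweighted mean, the kind of figure quoted as '30 vs 71 days'."""
    return sum(v.days_of_risk(basis) for v in vulns) / len(vulns)


def weighted_days_of_risk(vulns, basis: str) -> float:
    """Severity-weighted mean: a critical day counts three low days."""
    total_weight = sum(SEVERITY_WEIGHT[v.severity] for v in vulns)
    return sum(SEVERITY_WEIGHT[v.severity] * v.days_of_risk(basis)
               for v in vulns) / total_weight


def severity_score(vulns) -> int:
    """Weighted vulnerability count, independent of patch timing."""
    return sum(SEVERITY_WEIGHT[v.severity] for v in vulns)


# Constructed records. Vendor A hears privately and patches on disclosure day;
# vendor B learns from public disclosure and patches a few weeks later.
VENDOR_A = [
    Vuln("a-1", "critical", date(2003, 7, 1), date(2004, 2, 10), date(2004, 2, 10)),
    Vuln("a-2", "moderate", date(2004, 3, 1), date(2004, 3, 31), date(2004, 3, 31)),
]
VENDOR_B = [
    Vuln("b-1", "low", date(2004, 1, 5), date(2004, 1, 5), date(2004, 1, 20)),
    Vuln("b-2", "moderate", date(2004, 2, 1), date(2004, 2, 1), date(2004, 2, 21)),
]


def compare(vendors: dict, basis: str) -> dict:
    """Per-vendor summary under one definition of 'days of risk'."""
    return {
        name: {
            "count": len(vulns),
            "severity_score": severity_score(vulns),
            "avg_days": average_days_of_risk(vulns, basis),
            "weighted_days": weighted_days_of_risk(vulns, basis),
        }
        for name, vulns in vendors.items()
    }


if __name__ == "__main__":
    vendors = {"vendor_a": VENDOR_A, "vendor_b": VENDOR_B}
    for basis in BASES:
        print(f"basis = {basis}")
        for name, row in compare(vendors, basis).items():
            print(f"  {name}: {row}")
```

Run as is, the same two record sets rank in opposite order depending on the basis: counted from public disclosure, vendor A shows zero days of risk and vendor B 17.5; counted from private notification, vendor A's long quiet window pushes its average to 127 days while vendor B's stays at 17.5. That is the ambiguity the post above points at, and why a headline "30 vs 71 days" says little until the start event and the severity weighting are stated.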

Actual Information (1)

gowen (141411) | more than 9 years ago | (#11701367)

Does anyone have a link to these researchers' paper -- so the methodology can be actually examined (as opposed to the various slanders above). A couple of brief "executive summaries" written by journos doesn't really cut it.

From the Hanging Chad Dept. (1)

Alapapa (723716) | more than 9 years ago | (#11701369)

Don't worry, Tux!
You still have a chance with the subsequent recounts.
[/obligatory Florida defamation post]

Severity of Vulnerabilities? (3, Insightful)

rjune (123157) | more than 9 years ago | (#11701395)

Directly from the article:

"The pair examined the number of vulnerabilities reported in both systems and the actual and average time it took to issue patches. In all three cases Windows Server 2003 came out ahead, with an average of 30 "days of risk" between a vulnerability being identified and patched compared to 71 from Red Hat."

There is nothing said about the severity of the vulnerabilities. This article would never make it in a peer reviewed publication.

Not Linux, Just Redhat Linux (1)

Yonkeltron (720465) | more than 9 years ago | (#11701412)

So it's not really *ALL* Linux, it's just that particular version of Redhat.

It seems best to wait and see the paper they publish as well as a track record of funding and test conditions before anyone goes and says something about validity.

Besides, as knowledgeable as the Linux community can be, I'd trust an IT professional over a "Linux fan" with a server in his basement.

Study did not prove Windows more secure than linux (2, Insightful)

EvilTwinSkippy (112490) | more than 9 years ago | (#11701414)

It showed one configuration of Windows 2003 server to be more secure than one configuration of RedHat Enterprise running Apache.

Seriously (0)

Anonymous Coward | more than 9 years ago | (#11701417)

Seriously, how many times does this story or the flip flop of this story have to be posted on /.? I have seen this exact same thing at least 1 to 2 times a month here. Please stop posting this. All this will lead to is flame wars. Give me a break

Redhat is the Windows of the Linux world. (1)

Renegrade (698801) | more than 9 years ago | (#11701421)

(For those who did not RTFA, it compares Redhat Enterprise Server to Windows Server 2003)

Redhat has always seemed to be a flashy, large distribution which favored new features and gadgets over stability and security.

I wonder how say, Debian (my personal favorite) might do in terms of security, or better yet, one of the security-centric distributions.

My problem. (2, Insightful)

juuri (7678) | more than 9 years ago | (#11701430)

With all of these studies is they typically work on the assumption you are just throwing a server, regardless of OS, on the net. That means there is no load balancer in front, no filtering at the border routers, no firewalls and nothing is ever blocked.

If a company or individual is actually doing this how on Earth can they possibly attest to the security of their server?

Hope This Study Didn't Cost Much (3, Interesting)

Spudnuts (21990) | more than 9 years ago | (#11701437)

In a previous job at a datacenter where we ran Red Hat Enterprise Linux, I frequently got the comment that there seemed to be a lot more Linux patches than Windows patches. All of the updates for optional software (I tried to do minimal installs and/or remove optional things, but the dependencies sometimes made this awkward) simply made the systems seem more needy than the Windows systems.

Many of the vulnerabilities were of low risk to us, but it was rare for the system owners to say that even with this low risk that it was acceptable to hold off on applying the patches.

Storyline: (1)

rejecting (824821) | more than 9 years ago | (#11701438)

From the clouds Zonk looks across the fertile lands of the Slashdotians.

Zonk: This peace and quiet makes me SICK! Boy I wonder what could make discussion on slashdot degenerate to incoherent flamewar.................

Also in the news... (4, Funny)

NoMoreNicksLeft (516230) | more than 9 years ago | (#11701444)

cfelde writes "Satanism is less evil than Christianity, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of philosophers, discussed the findings in an event, 'Religion Showdown: Good vs. Evil.' One of them, a satanist, performs perverse human sacrifice rituals; the other volunteers at the local homeless shelter. They wanted to cut through the near-political arguments about which religion is less evil from a morality standpoint."

Does Microsoft pay Security Innovations bills? (0, Insightful)

Anonymous Coward | more than 9 years ago | (#11701454)

I wonder if Security Innovations provides security consulting and training services for Microsoft?

This should be disclosed in any report that is critical or praises a particular Microsoft product.

Basic is not just stupid, it's asking for it (2, Interesting)

Oriumpor (446718) | more than 9 years ago | (#11701463)

The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.

Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.

Come on, who runs a Windows box on the web without heavy firewalling, software firewalling (BlackICE with autoblocking, for instance) and regular audits?

The same goes for Linux. Security is not something to be taken lightly. People should NOT be putting machines out in the open. The best practice used to be to firewall critical servers. The best practice has become firewall, IDS, and monitor the crap out of anything touching the internet.

These tests are always like comparing a factory model to a NASCAR stock car.

The article doesn't actually tell you anything (2, Interesting)

rpdillon (715137) | more than 9 years ago | (#11701476)

This "article" doesn't actually provide any information on what WAY the results were obtained.

From an admin perspective, I want to know what the vulnerabilities were, and what their definition of "vulnerable" is - especially if they say "Windows had 30 days of vulnerability, versus 71 for Linux".

On that topic, when are we going to get past the label "Linux"? There is no such thing. There's RedHat, SuSE, Gentoo, and Debian (among hundreds of others) and they all handle security differently. I'm sure I could find distros LESS secure than Windows, and I'm sure I could find distros unquestionably MORE secure, as well.

Ah, well, I guess I'll wait for the report. I would have preferred a headline:
"OS Zealots Face Off in an Anecdotal RedHat vs. Windows Web Server Security Showdown - IIS Triumphs"

It would be nice to see the actual report (1)

shura57 (727404) | more than 9 years ago | (#11701480)

The article is sparse on details. It would definitely be nice to know the exact methodology: what else was considered besides the number of disclosed/patched vulnerabilities, how those were determined, etc. Without it, the study is hardly different from handwaving.

Simplistic study (2, Interesting)

Bender0x7D1 (536254) | more than 9 years ago | (#11701481)

It really bothers me that simple studies such as this grab the headlines. If you really want to determine which server is more vulnerable, study real servers belonging to real companies handling real traffic/data that someone wants to get.

Also, deciding on a configuration that an "average administrator" would have instead of a "wizard" seems questionable unless they determined those settings by examining dozens (or hundreds) of actual system configurations. Determining something is "too advanced" for an average administrator to use without actually examining real systems seems too arbitrary. Can anyone define the skill level of an average administrator?

You can't determine how secure something is if you aren't going to use its security features. If M$ has all of their security features turned on by default and Linux doesn't, that doesn't mean M$ products are more secure than Linux, it just means that they have a better configuration out of the box. (Not that I believe that, but I use it for the sake of argument.) While it is important to have fail-safe defaults, it is far more important for someone to know what they are doing. Unfortunately, too many companies don't understand that and hire people who don't know what they are doing.

A valid comparison? (3, Insightful)

EmagGeek (574360) | more than 9 years ago | (#11701491)

I would think that a Windows box set up by a MS Certified Professional and a Linux Box set up by some kind of Linux Certified Professional would be a much better comparison than one between a "Linux Fan" and a "Microsoft Enthusiast."

So biased... (0, Flamebait)

_LORAX_ (4790) | more than 9 years ago | (#11701496)

Because patches to RedHat cover the gamut of applications (X, OOo, FF, ...) where the Windows server's cover just the OS. That's strike one against this "study". They should ONLY count those bugs directly related to the service being studied. Many bugs and patches are against theoretical problems that have no real or even sometimes possible local or remote exploit.

The other major problem is that the "days exposed" should start when an exploit is "in the wild" not when an alert is posted to the bug lists.

No study data is available, but I can imagine that this is just like the pharmaceuticals. MS doesn't have to "fake" data, they just run the study again, again, again, ... until they get the results they want. Since they are in a position to squash any negative results it guarantees them the upper hand. Once they find one study that gives them the numbers they want.... then they replicate it "independently" to prove they are right.
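The two methodological objections raised in this post and in rpdillon's ("30 days versus 71") come down to how "days of vulnerability" is defined. The following Python example, added here and not part of the thread or of the study, computes that metric under both start definitions (advisory posted vs. exploit seen) and with or without restricting the count to the packages that actually make up the web-server role; every advisory record, component name and date in it is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

@dataclass
class Advisory:
    """One constructed patch record (component and dates are made up)."""
    component: str
    disclosed: date                       # alert posted to the lists
    patched: date                         # vendor fix available
    exploit_seen: Optional[date] = None   # first exploit in the wild, if any

def days_exposed(adv: Advisory, start: str = "disclosed") -> int:
    """Days of risk for one advisory under a chosen clock-start rule.

    'disclosed': clock starts at disclosure (the counting the study appears to use).
    'exploit':   clock starts only once an exploit is seen; 0 if none ever appears.
    """
    if start == "disclosed":
        begin = adv.disclosed
    elif start == "exploit":
        if adv.exploit_seen is None:
            return 0
        begin = adv.exploit_seen
    else:
        raise ValueError(f"unknown start rule: {start}")
    return max(0, (adv.patched - begin).days)

def total_days_exposed(advisories: Iterable[Advisory], start: str = "disclosed",
                       components: Optional[set] = None) -> int:
    """Sum days exposed, optionally restricted to the components of the service studied."""
    relevant = [a for a in advisories if components is None or a.component in components]
    return sum(days_exposed(a, start) for a in relevant)

# Constructed sample: a web-server role on a full distro install. Desktop packages
# (xorg, openoffice) inflate the total if everything the distro ships is counted.
SAMPLE = [
    Advisory("httpd", date(2004, 3, 1), date(2004, 3, 4), exploit_seen=date(2004, 3, 3)),
    Advisory("openssl", date(2004, 4, 10), date(2004, 4, 12)),
    Advisory("kernel", date(2004, 6, 1), date(2004, 6, 21), exploit_seen=date(2004, 6, 15)),
    Advisory("xorg", date(2004, 7, 1), date(2004, 7, 31)),
    Advisory("openoffice", date(2004, 8, 1), date(2004, 9, 10)),
]
WEB_SERVER_ROLE = {"httpd", "openssl", "kernel"}

if __name__ == "__main__":
    print("all packages, from disclosure: ", total_days_exposed(SAMPLE))
    print("web-server role, from disclosure:", total_days_exposed(SAMPLE, components=WEB_SERVER_ROLE))
    print("all packages, from exploit:    ", total_days_exposed(SAMPLE, start="exploit"))
```

On the constructed sample the same patch history yields 95, 25 or 7 days depending only on the counting rule, which is the point both posters are making.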
