Slashdot Mirror
WinInformant Says Windows More Secure Than Linux
nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T : Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T :Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.
The Slashdot crowd will never stand for this. I expect to see hypocrisy in full swing in about 30 seconds, with the zealots proclaiming bias. Never mind that they've consistently relied on SF for past predictions of MS's ineptitudes.
Does Windows have fewer security holes than Linux? Apparently so.
Are they smaller holes -- that is, exposing less control of the system and less potential for damage? Probably not.
The question becomes, then: would you rather be shot by a dozen BB pellets or a single shotgun blast?
Look, the obvious point about this should be that the reason Linux has more known vulnerabilities is that linux has always been very open about what is wrong with linux.
As for MS, I only have to point to the the major bug, that they knew about for weeks, but didn't let anybody know about!
Now Im not saying that linux is more secure (as much as i would like to) but the data and report based from it, just makes no sense, if you think about how vulnerabilties are and are not reported
Thanks for reading!
Sigs are dangerous coy things
Well, that may be all well and good from a purely technical (or counting reported bugs) standpoint.
But when you consider Microsoft's installed user base, there's just no comparison to how widespread MS is.
It's a damn good thing there were less bugs reported for Windows, as with each one, the repercussions are far far greater.
~sigh~
Simply put, the reason Windows systems seem more vulnerable is because SO MANY MORE people use them, and don't keep them patched. As a rule of thumb, someone running Linux at home knows what the term "security vulnerability" means and keeps his system up to date, where someone running Windows whatever doesn't.
Of course, that's not the case in the server market. If you want to talk about worms, remember one thing - the ONLY reason Code Red and other such worms exist is because of the popularity if the windows platform, on desktops and servers. Don't kid yourself for a second into thinking that the reason there aren't any widespread worms for *nix systems is because it's more secure.
br -Berj
Linux may have had more, but were they as bad?
The IIS holes in 2K that allowed CodeRed to spread and the uPnP holes in XP which, luckily so far, have been pretty much unexploited were both buffer overrun holes which caused, or had the potential to cause, v.serious work outbreaks.
Did Linux have anything on this scale?
---
Oregon
Oh man, I can hear the keyboards typing right now. One thing you don't do to the slashdot community on a monday morning is call their OS less secure than windows.
On a side note, it's all about how you configure your OS. At this point, you can pretty much do the same thing with each OS from a security standpoint. It's all of the other software that usually does it - web server, DB server, application server, etc. But we all know this right?
my sig is so witty and fun - it tickles almost everyone who reads it.
What matters is not how many bugs there have been, but the total window of vulnerability per bug -- the time elapsed from bug's discovery to bug'a closing. One really bad bug that remained open for a year is much worse than 10 bugs each remaining open for a week, you see.
--
Victor Danilchenko
exactly,
linux probably had a multitude of minor, rarely exploited vulnerabilities, whereas win2K/NT had relatively few major holes.
holes that are still now being exploited.
id be interested to see the amount of revenue lost due to linux exploitation versus win2K (taking market share into account of course).
sounds like poor data analysis...
That man tried to kill mah Daddy
And this is exactly the kind of flawed logic that always creeps into these kinds of discussions: there is no "Linux" to compare with "Windows", there are only a bunch of distros. Totalling up all the holes in all the distros makes no sense at all.
And when you compare Windows to a given Linux distro (much closer to a good comparison), Linux wins every time.
-Esme
Today security is measured in how long it takes you to break into a box, and not if you can break into the box. So on the one shoe, you can say windows is much more bombarded and patched than Linux because so many "testers" are willing to "test" the security of windows. But on the other hand, since security is measured in how long it takes to crack something, even though windows may end up with fewer holes, the fact is there are more "hole seekers" which effectively reduces the security.
Surely it's not the number of vulnerabilities that either OS displays that's important but rather their severity?
I mean, an exploit that requires the malicious party to have physical access to a machine and then only gives him access to one specific folder on a system is hardly as big a deal as one that gives a script kiddie sitting in his bedroom complete remote control of your corporate servers, allowing him to copy, overwrite and delete files, folders and hard drives at the click of a button?
Let's try to compare apples and oranges here. Just because McDonalds has more restaurants than Michelin-stared ones it doesn't make the Big Mac a better meal.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
The other camp ain't. We do hear about some vulnerabilities out of Microsoft, but more often it's independent disclosure that open's out eyes. So, how many problems are left unaddressed, and unknown by all but the secret holders? Simple: we don't know.
At least with opensource I can look at the code.
Evan - needs to hit preview before submitting
The SecurityFocus charts seem to say that in the last several years, WinNT/2K has had 2/3 to 3/4 the vulnerabilities of Linux -- all Linuxes combined, that is.
When you break it down, however, Windows has been about equal to Red Hat and well above all the othe Linuxes and Unixes in the chart.
As a willing participant in the capitalist scheme, I don't care how secure everyone else's servers are -- just the one securing my stuff. The only thing this chart tells me is that if I want a secure server OS out of the box, I should start with Mandrake or Debian instead of Red Hat or Windows.
Bias isn't necessarily what annoys me. I would like to see more stories which foster discussion as opposed to sensational bullshit. Isn't their an interesting or nerdy or thought provoking or geeky news item that we can discuss? For fuck's sake, we know Microsoft sucks, we know 80% of slashdot's traffic is from IE, we know we don't like .NET, we know Ballmer is a monkey, come on, let's talk about something (ANYTHING) else.
[o]_O
In the long term Linux will have progressively fewer bugs/vulnerabilities due to its open source nature. Look at the numbers on the same chart for NetBSD. There were 9 vulnerabilities found in 2001, and 42 found in Win 2K. 54 for RedHat and only 2 for TurboLinux.
Obviously everyone should switch to Turbo Linux.
Lasers Controlled Games!
The fact that you can cite flaws in Windows security proves that Windows security is imperfect, not that Windows is less secure than Linux.
Okay lets break it down:
Linux by default includes:
A mailserver
an ftp serer
a telnet server
a web server
a database server
etc....
Windows by default include:
A store receipt
IIS maybe..
ummm
okay so what are they basing their study on? The same system setups? Are they comparing postfix with exchange server or sendmail with exchange server? Mysql with MSSQL or MySQl with Oracle? I don't understand this study, nor do I believe it. I think this study is biased and fixed. It is funny that this study is released as M$ releases the W2K rollup package to fix the broken/hackable files.
-- Powered By Linux
"Also, the Windows announcements are for the OS itself only, while the Linux announcements cover programs that do not count as OS stuff under Windows."
The funny things is the journalists get all indignant when you point this out to them and ask them to throw in the security holes for IIS, IE, OE, Office, SQL Server, etc.
If Linux had the marketshare of Windows, you can bet there would be lots and lots of scriptkiddies writing Code-Red style worms. Linux has had some pretty major security flaws in the past. Although they were fixed quickly, that doesn't mean that lazy or incompetent sysadmins will patch it right up. This leads to an opportunity for a Code-Red style worm, and if Linux had high marketshare, you can bet that it would have spread rather quickly as well.
That's it. I'm no longer part of Team Sanity.
Anyone remember Code Red? Nimda? I sure do. I still get 300+ scans a day from infected Windows boxen.
Also, most linux vendor security announcements posted to Bugtraq are for add-on software not enabled by default. They are also announced by each vendor individually, and the author of the package. Most Windows announcements are about vulnerabilities in the OS (IE) or widely deployed packages (IIS, Outlook) from the author of the exploit (after secure@microsoft.com has ignored them).
The entire article needs to be modded -1 flamebait.
So, how about we do a serious analysis? I'll put up a system that lets people rate the various bugs by severity along a couple of continuums. (Like theoretical impact and actual impact.) Then people can use this data to draw more accurate conclusions. If at least 10 people respond to this post, and two thirds of them think it is a good idea, I'll put one up and link it here.
They expolited add-ons that IIS happened to use
But are installed by default.
No-one had to take any extra steps to install the indexing DLL to make themselves vulnerable to code red.
It may not be part of the core webserver, but the indexing DLL is, to all intents and purposes, part of IIS.
---
Oregon
The security of any OS lies in the skill of its admin. An idiot with a 2k box is no more secure than an idiot with a linux box and vice versa.
- Toby
Again, Winformant, in a desperate attempt to seem like they aren't a bunch of toadies, has struck an "independent" blow against linux's "security myth," by proving that more holes were found in linux than in Windows.
Well, duh. Linux is full of holes. But that's not winformant's problem. You see, each of those holes was cleared up in a matter of days and a patch was freely available. There were no egos and press releases claiming there are no holes. There were no programmers waiting around while Marketing decided the best colour for the patch's installation wizard. There was no downtime as millions of machines had to get the file from a single MS server because the patch's license didn't allow redistribution. There were no hours of wringing hands as sysadmins watched hackers pick off their boxes one by one because there's no workaround while the patch was built. There was no possibility for diving into the code and fixing it yourself; and if there was there'd be no way to release the patched dll. Oh, and if a linux machine was compromised, there was little chance of it polluting the entire network...because the bug affected less than 1% of the install base of that particular OS, and not 100%.
Not to mention the reason that so many Linux patches were "found" rather than "discovered" is that bored sysadmins can sit around with sheets of source code, hoping to find a hole and make a name for themselves on BugTraq. With windows...well, you'd better be good with BlackIC and ASM, because it's the only way you're finding the hole.
Hey freaks: now you're ju
What someone said--a primary security hole (something you drive side-by-side trucks through) are Windows applications. Visual Basic and, by extension, Outlook, are big culprits.
But many of the things that make Windows unsecure do extend at the OS level. Here on my Macintosh, my firewall is set to lock out IPs that try a NETBIOS check, as well as various port scans. It's also aware of the Code Red variants.
My Mac OS (9 or X) ignore them. As with Linux, my OS doesn't know or care for NETBIOS.
And OS X, as a better example for all the huff, is a *nix family OS--and still in its infancy compared to the older Linux distros and UNIX itself. A UNIX class OS is only unsecure in the magnitude of Windows when we open up all the elements of the OS that are normally closed by default--permissions, certain root access, and so on. Therefore, you have to be a Raving Buffoon(tm) to set Linux or any *nix for a fall.
Window's faults are inherent to perpetuate its market share as well as stupid coding. And now MS wants to "fix" it? Give us a break.
/.
Vos teneo officium eram periculosus ut vos recipero is.
Again, I find it disturbing how easily everyone shrugs this off as propaganda or something.
Listen, everyone: Times are changing. Linux has gotten big and complicated, and is no longer automatically secure. Long gone are the Slackware days where you'd download a minimal kernel/utilities package and then compile only the apps you need, by yourself, and understand everything. Complex software has security problems, and the linux community has done little but use the "lots of eyeballs" method to counter that. Microsoft software is also quite complex, and they have fewer eyeballs (I hope, though I am not sure), but they have publicly recognized the problem and are at least pretending to try to fix it. Microsoft also has a bunch of research into technologies for producing machine-checked code so that they don't even need lots of eyeballs. (I really wish that linux had this too; see a related rant http://slashdot.org/comments.pl?sid=26315&cid=2851 880 ).
My linux box has been rooted twice. I keep up to date on patches, I read bugtraq. My windows box, also connected to the internet all the time (and getting a lot more use), has never been compromised through 95, 98, 2000, and XP.(I have been Winnuked, that's the worst thing that's happened.)
I guess my point is: this is not something to laugh at. Some day soon, people will not think of Microsoft operating systems as crashy (already happening to an extent) and insecure (...), and then linux will have a much tougher sell to the average guy who doesn't care about Free Software. Instead of laughing smugly about an article like this, maybe we should be worrying?
Ok, here's what I noticed. The SUM of all Linux's put together had a higher bugcount than windows 2000.
Now, how many people do you know that install redhat, then add to it all the security bugs in caldera, Connectiva, Mandrake, Slackeware, Suse, and Turbo Linux?? None, that would be extremely difficult. This is akin to saying the Ford Taurus has fewer bugs than all of the Nissans put together, therefore it is a better product.
Also, we are assuming that all bugs are created equal. Guess what, not so. Windows bugs have superpowers, faster than a speeding packet, stronger than a firewall, able to leap entire networks in a single bound! Linux security bugs take down processes, sometimes servers. Windows bugs take down Networks, or internets!!!
But I'm sure they'll never get called on it, because their readership is windows users. They are preaching to the choir, and they will ignore us and our quest for accuracy.
Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
I was thinking to myself yesterday about how the nature of open-source lends itself to a lack of "talent auditing". Meaning, there **MAY** be a greater chance of bugs being introduced into an open-source project because the programmers are often not hired professionals.
:-P
I would like to see a comparison in bugcounts (say, per line of source code) between open-source projects supported by professionals (i.e. people trying to make money off of it, i.e. mySQL) and projects supported by weekend programmers.
I just had an ironic thought. Since most open-source business plans revolve around providing support, would that make those companies want to introduce MORE bugs?
Take another look at the data refrenced by the article! It actually shows the Windows 2000 was one of the worst as far as security goes. The linux aggregate score does not resemble any of the individual linux distros mentioned. What I would like to know is, How did the author ever draw the conclusion that Windows 2k was more secure ? And what was the point of comparing the score of an os with an aggregate score ? That makes no sense either!
X
I can't connect to WinInformant, but if you look at the numbers available at SecurityFocus, you'll see that they did not simply add up the numbers. Linux is listet with 96 aggregated vulnerabilities for 2001, while e.g. Red Hat has 54, Debian got 28, and Mandrake got 36. There are more Linux distributions listed, but these numbers allone show that your claim is wrong (unless WinInformant has different numbers).
You'll also see that Red Hat had 54 vulnerabilities while Windows 2000 had only 42.
However, I'd still agree that the WinInformant article is badly researched (but please note that, as stated above, I've not read it, I only know the part that Slashdot quoted). The article claims that Windows is more secure "according to the reputable NTBugTraq," however, SecurityFocus does not make any claim concerning the security of either Windows or Linux, they just make the numbers available as a statistic. In other words, WinInformant doesn't have any source for their claims, they just found some more or less interesting numbers and made up a story.
Sig (appended to the end of comments I post, 54 chars)
"Take this example: you have a highly competent NT/2K administrator (they do exist) and a pitiful *nix administrator."
Every time someone brings this up I keep thinking it's sort of redundant. I guess, being a rather pitiful administrator in both respects; I find it easier to at least start locking down a unix box (FreeBSD in my case). With Unix you can tighten a box up instantly just by looking through hosts.allow (and hosts.deny in Linux's case) - it certainly doesn't take a genius to figure out what's going on. By contrast windows has a lot more to do with disabling services which (in my opinion) you're never sure what they do or if you need them. And sooner or later you'll end up fishing in the registry...
To me Unix systems are easier to secure because security is a part of the system, and not an afterthought / "oh so we're getting bad press so we'll start an inititive" sort of deal.
Well, no offense, but: "Duh!" Of coruse alot more Windows-based machines were exploted. You've got 2 very good reasons for this:
1) Wide distribution. Yep. Contrary to your belief, Windows is distributed more widely than Linux. So, of course more boxes will be hit.
2) Idiot users. I mean, lets face it, There's a reason why most windows users aren't on Linux. They're morons! Anyone and I mean anyone that runs an attachment from someone they hardly know that's written in worse english than a retarded 7 year old would write deserves what they get. Unfortunantly, they're the reason the network was clogged with NIMDA. Code Red was more a result of wide spread use of IIS.
Gawd, I'm sick and tired of the linux bigotry around here. Linux is great and all, but I sure wouldn't want to join a group of the most closed minded bigots in the world, just to have the privelege of using a free OS that's actually pretty decent. I think I'll stick with Windows. Monopoly and all. You people are doing Linux a great disservice. Don't get me wrong, I like Linux, but it doesn't serve my needs as a desktop OS. Maybe instead of basing MS someone could make it more useful for the masses?
The (Hopefully) Great Slashdot Blackout
Of course, that's not the case in the server market. If you want to talk about worms, remember one thing - the ONLY reason Code Red and other such worms exist is because of the popularity if the windows platform, on desktops and servers. Don't kid yourself for a second into thinking that the reason there aren't any widespread worms for *nix systems is because it's more secure.
Dont kid yourself. The various free o/s's are simply a harder target. They are more diverse, both across O/S's and distributions, and even within a distribution there are different configurations. On top of all that any individual box can be a totally custom system built from the source pool.
There are countless email readers, multiple web browsers, all types of competing server daemons. When you take the windows monoculture you simply dont find such diversity. The competing software are simply wiped out.
Its a well known and intuitive fact that monocultures are far more vulnerable to disease and parasites than a healthy diverse population.
Let's just put it this way. More people use windows, more people want to exploit windows... and at the very least, from a social perspective, windows is bound to be less secure.
This last year the window community has really taken quite the widespread beating with viri (as usual). The linux community has not. Less people use linux, less people know what to do with linux, less people hate linux, less people wish to exploit it, and therefore less people are going to screw with it.
No operating system is perfect and or totally secure, however the more you scrutinize something the more apparent its flaws become. The Windows operating system has a hell of a lot more people looking at it under the micro scope...and that's an understatement. This, along with geek loathing and common software variables, is the reason why windows is less secure. The widespread common viri are just the result of all of this BS, and in my mind they totally prove that Windows is less secure. This is the same argument that us Mac diehards have been spitting out for years.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
Windows security holes typically have exploits in the field, whereas linux vulnerabilities are commonly realeased from code review- hence having no preexisting exploits (that are known and demonstrated). Some are in fact purely theoretical, and may have to use to a malicious user.
So even if you keep on top of your windows updates religiously, keep in mind that they are generally reactive. So there is always that window of vulnerability...
So yes the story is probably very true. Linux appears less secure but in the end who is more secure? You know I dont recall hearing very many blurbs about IIS holes recently... Maybe its because anyone in their right mind isnt using it anymore.
Ill tell you what the flawed logic is. You can completely ignore that stats, and you can completely ignore direct comparisons. It all lays in the software. Most of the Linux vulnerabilities were for software that most people dont install, non standard stuf. Like, bitchx exploits or exim exploits. Not everyone installs that by default. So this aggregated Linux number is basically exploits from the tens of thousands of pieces of software available for unix systems. This is why its flawed logic. Most of the Windows vulnerabilities are default install problems. They are standard with the OS. Even under the break down by Mandrake, that includes all software you find on the Mandrake cd. Not only software that is by default installed (under all install options even). If you include ever peice of software that runs on the windows platform, that was exploitable last year, I think you would get a number that would blow it out of water. On a side note, thats not even taking into consideration source is available for most of this linux software, so it is easier to find more exploits. This is a good thing, not a bad thing. This just means they havent found all the exploits yet, because they use closed source. Security by obscurity does not mean its more secure :P
Jeff Knox
Let's be fair. Some of the malicious hackers are extremely good. Does source code peer reviews improve security? If the guy reviewing the code is dumber than mr. evil hacker, then he might leave open an exploit for mr. evil hacker to enjoy and abuse.
With closed source, mr. evil hacker will need to spend more time discovering the inner workings of the software than he will with open source.
So - will he then produce more exploits running through open source software grepping for common starting points for exploits than he will when dissecting closed source programs?
Remember - at any moments, the black hat community knows about exploits the rest of us don't know about. No computer has yet been classified as formally secure (to the best of my knowledge). We could all be at risk.
Stop the brainwash
Exactly right.
... years of it, all in the public record.
These numbers only reflect that GNU/Linux is more open and public in reporting its bugs than Windows, which is not surprising given Bill Gates & Co.'s efforts to suppress information about existing bugs in their operating system (the rightly rediculed notion of achieving security through obscurity).
There is absolutely no correlation between number of bugs reported and number of bugs existing, be they security related or not. This is doubly true when one party (Microsoft) is actively working to suppress such information about their own products.
The incompetence of the author writing this story, and of the Security Focus editorial staff for letting it through, is staggering. With this kind of security "expertise" is it any wonder at all that Nimda worms and the like run rampent across the net?
Indeed, if one wants to draw correlations (always a risky endeavor without corraborating evidence) it would make far more sense to correlate the percentage (vs. installed base) of demonstrably compromized systems running one operating system vs. another. As Code Red, Nimda, etc. have demonstrated, Microsoft's products win this one hands down. Indeed, in this case there is massive corraborating evidence to back up the conclusions of such a correlation
The Future of Human Evolution: Autonomy
I thought this was probably true, but I could not confirm it until I manually added up the bugs for a given year. Maybe you could explain the terms a little better on the page itselft?
Regardless of anything else, using these number to declare that one thing is more secure than another is a mistake.
That sounds like another piece of advice that should be on the stats page, not buried in a slashdot comment. Its unfortunate that someone misinterprets your statistics and publishes a misleading article every 6 months, but I can't help but wonder why you don't take proactive steps to help people understand the meaning of your web page.
-Mike
Worms thrive on total volume, not specifically servers.
Umm... Can you think of really a more damaging worm lately than Code Red?
Did it need clients/volume? Or just he 2X% of NT/2K servers out there unpatched?
The argument that "Linux has a smaller installed base, so its security holes are less important" sounds like a paraphrasing of the old "security through obscurity" canard.
After all, aren't you really saying that those security flaws are less critical because script kiddies and crackers are less likely to come across a Linux box than a Windows one?
Oh please. This is the same Slashdot that touted 30K bugs for Windows 2000 (like every other major tech publisher) regardless of the fact that the bugs were not known and many were probably "We spelled "maximize" wrong here".
It gets worse than that. Let's consider:
Most bugs that show up for redhat or any other linux distribution will NOT affect a well-secured machine in the first place. If you plan, for example, a standard web or database server, you're only going to permit ssh and apache or ssh and your brand of sql. How many vulnerabilities in the past year have been on those services? Practically none. Only 1 in ssh, and there was AMPLE warning to get patched before exploits were in the wild. The majority of bugs are for packages not often deployed, or not relevent to a server system where there is no user access.
Meanwhile, an enormous number of these linux bugs are irrelevent on a firewalled system, never mind the incompetency of sysadmins. A firewall will protect your X font server or your installed-by-default nfsd/statd, but Microsoft has had many high-profile, extremely-widely-abused holes in a server's primary services (IIS, MS-SQL, etc).
Anyhow, trying to say these statistics show that NT is more secure than Linux is not only irresponsible but absurd.
Securityfocus is the definitive sight for security news. To say the numbers are "purely for entertainment" is the most ridiculous thing I've ever heard. You only proved your ignorance later in the post when you said, "the WinInformant site is Slashdotted (they must be running Windows, haha)" when OBVIOUSLY this would have more to do with their BANDWIDTH than their OS. I know I'll get modded down for posting this, but I don't care. I hate to see people discount anything that doesn't agree with their opinions. Oh, and I run Windows NT at work, Windows2000 and Mardarke 8 at home. I love Linux, but I love MS more for some things (games, word processing, etc.)
"Da ist ein Technölüst in mein Unterpanten!"
Let's keep in mind that Linux users who find bugs or issues are far more likely to report them, document them, publicize them, and share them.
Good point, but it would be better if you took it out of the context of the "users" and put it in the context of the developers. It works out more like this:
Open Source Project X Developer (who may well be on someone's payroll) finds a previously unknown security bug. He patches the bug and informs RedHat and other distro vendors, who then issue a security bulletin. One strike against Linux in the security count.
Meanwhile Microsoft Product Y Developer finds 100 unknown security security bugs in his big Feburary cleanup period. They are all rolled in to service pack 3. Microsoft issues a bulletin recommending all customers upgrade immediately. Zero strikes against Microsoft.
So you are counting ALL security bugs on the Linux side verus only publically reported security bugs on the Windows/Solaris/whoever side.
(Furthermore, it seems nobody considers local root exploits on Windows to be that big of a deal. I remember when RedHat put out multiple advisories for vi, joe, ed, and a bunch of other editors for a temp file vulnerability. [You'd think that "ed" would be rock solid by now...] Would that sort of thing even be considered a bug on the Windows side?)
Business. Numbers. Money. People. Computer World.
Open Source projects use the public internet to keep everyone well informed of software weaknesses and we're not afraid to keep doing that because it makes the software stronger.
Besides the fact that it is unfair to count 6 releases of Red Hat as one OS and not count NT and Win2k as one release over the same period, the initial period for a Linux distro is going bring issues to the surface, that is part of the process.
The linux bug finders are, as a rule, supported, appreciated and recognised in the open source community as pioneers. There findings are widely shared and listenned to -- I'm glad you can find the reports.
The Windows Bug Finders are threatenned, hushed, denied information, ignored and actively discouraged. Furthermore any recovery data is typically horded till a shiny executable can be sent out in a subdued and 'professional' manner when it wont embarrass Microsoft.
Where would you rather be???
I'll take linux any day.
This really isn't a badge that Linux can hide behind. Many people, myself included, would like to see linux replace Windows as the mainstream OS. It's hard to say you should switch to linux because it isn't mainstream. If everyone did switch, then it would be mainstream and thus more targeted.
That said, however, I also whink that this report is exaggerated because of the whole same bug-different ditro thing, the bugs in packages that aren't common for anyone to use (and your can use a root exploit on a package you don't have), plus the fact that I would assume that open source projects would have more security bug reports than closed source ones because it is easier to find them with the source.
-no broken link
I'm confused here. Is IE just an application or "subcomponent" of a MS operating system? That's not what they've been argueing in court. They say they've "integrated" it with the operating system, that it's an "integral part"! They even went on to argue (unsucessfully) that the operating system cannot function without it.
And why does which ever answer I get smell like an Enron balance sheet?
... is when a windows exploit comes out, it effects most windows systems in opperation. When a linux exploit comes out (proftpd, apache, etc) it rarely effects all the systems in the field. I know about 90% of the bugs that show up in bugtraq and else where dont apply at ALL to my system because I dont run those daemons. Where in windows... how many people DONT run activex scripting or diable javascript in outlook?
Shadus
I posted a couple years ago on this topic. My hypothesis at the time was that Open Source would show more bugs for quite some time, as people poked through the code, but would gradually settle down and become very secure. I also believed that Windows vulnerabilities would continue to be discovered at a more or less constant rate.
The jury is still out.
The SecurityFocus statistics broke in August, 2001, per their web page, so one has to extrapolate the partial 2001 total to get the projected total for the year.
In that extrapolation, one sees that the expected number of bugs (assuming the 96 reported bugs cover through the end of August) would be 144. There were 153 the year prior, which is likely well within the margin of error. In addition, many of the black hats have STOPPED REVEALING their exploits, so in fact there may be many more than what we see.
Now, it's worth pointing out that this is not necessarily a good measurement of security. We may be measuring the wrong thing.
An example of bad measurement is the one the government used to determine how many cod were left out in the ocean, to prevent overfishing. Year after year, the catches were about the same, so the government assumed that the fish stocks were constant. But suddenly there were no more fish -- the industry collapsed.
Why? Because they were measuring the wrong thing. They weren't measuring the total number of fish, they were measuring the fish that were caught. They didn't realize, as the fish stocks dwindled rapidly, that the fishers were getting newer and better technology to fish with. The total number of fish coming out of the water was constant -- but as a fraction of the total fish in the water, was going up very quickly. Eventually the fish were all but wiped out.
Measuring security by bugs reported is very similar. It may or may not reflect the number of bugs in the 'ocean'. It is an indirect measurement at best.
We need to differentiate between fish 'caught' and fish 'available'. From a security perspective, I think we are talking about TRUE security (the number of fish in the water) versus FUNCTIONAL security (the number of fish actually being caught).
Now, as security people, our goal is to reduce the fish catch as much as possible. There's two ways to do this; we can reduce the number of fish, or we can somehow control, limit, or damage the profession of fishing.
The real professonals are trying to reduce the number of fish in the water. That's the true long-term solution. But from a short-term perspective, what I care about personally is how many fish are CAUGHT. Every time they come up with a new exploit, I have to run around like a maniac patching systems.
However, the fishing analogy starts to break down, as most do eventually. Truly secure systems are still run by people, and people make mistakes. Even if the OS is perfect, the attack will often come against the weakest link, the employees. Thus, even though I would prefer to have true security, I have to argue that it isn't really necessary. The OS just has to be stronger than the other avenues of attack. ("Why are you putting on tennis shoes? You can't outrun a bear!" "I don't have to. I just have to outrun you.")
Security through obscurity, in other words, may be adequate for most uses. It slows down the rate of fish catching. If nobody discovers the bug until the next version of the OS is out, the bug is less important. The longer it takes to discover the bug, in general, the less damage it will do -- at least as long as we're on the upgrade treadmill.
But, a counter-argument to that just occurred to me: Security through obscurity may be long-term counter-productive -- making it hard to catch fish may have the effect of increasing the fish supply. Every time a fish is caught, it can't breed, and reduces the total population by that much. Likewise, in code, once a vulnerability is discovered, many related vulnerabilities may also be patched. Thus, security through obscurity may work well for a long time, but may actually be making the fundamental problem worse.
Another observation I have to add is that programmers like to create new programs. Very few of them like to audit code. New projects and programs are being added to the Open Source world at an amazing speed, and I don't think they're being stringently audited. In other words, they're adding to the fish stocks every day. There is no QA department in Open Source, and the code is getting more complex than individual people can understand anymore. I think, unless we come up with a better development method, Microsoft's ability to fund a billion dollar a year QA department is likely to reduce their fish count below that of Open Source.
So I think I will need to expand on my original hypothesis. I now believe that Open Source will probably lag behind closed source in terms of FUNCTIONAL security. In terms of TRUE security (absolute number of exploitable bugs, known or unknown) -- there's no easy way to tell. If catching fish reduces the fish supply, and if the programmers don't add too many new fish, eventually Open Source will start winning. But if Microsoft's QA department does a good job with their nets and lures, their fish supply may drop just as fast or faster. Money is definitely a good way to motivate people, and Microsoft has a lot of it.
It's also worth pointing out that even if things are getting more secure, the catch rates may be roughly constant, because presumably the crackers will get better and better, catching a higher and higher percentage of the fish. If the analogy holds, and I suspect it may, then eventually the fish stocks will be exhausted and the black hats will be very suddenly unable to crack machines anymore.
It's going to take at least five more years to know -- and twenty might be a more reaonable time frame. It took a long time to wipe out all those billions of cod. It may take just as long to wipe out the pool of security flaws.
<<RON>>
What the fuck, chuck? So what? I don't care if the thing is running SupaOS/Linux/HP-UX et al. Put Google on a T1 and it too will dry heave and puke. I don't suspect that Any Old Bush League site is equipped to get about 40,000 hits in a 2 hour period.
It has nothing to do with it being IIS or Tux or Apache or anything.
But you already knew this, and just got lucky that some zealot with moderation points fell for the Typical Windows Slam. Don't think I'm slamming you. Its not like you modded yourself up, so my beef isn't with you. It's with the Fanatics.
No sig is worth reading.
Please change the way inwhich stats are reported. IIS, IE, Index Server, and the like all ship now with Windows 2000/XP just like Apache, WuFTP ship with most Linux Distros. Since this is the case, those security flaws are also security flaws in Windows 2000/XP in the much in the same way that Apache, WuFTP and other packages security flaws are being reports with Linux Distros.
Thank You.
Just to cut throught the FUD on both sides here:
/. a tabloid now?
Paul: Fuck You. You don't know shit. How's the page views today? That's what I thought.
CmdTaco: Stop feeding the trolls. This guy just made $x money because you decided to link to his crappy site. Now everyone is here literally frothing at the mouth. If this was real life someone would've been stoned to death by now or branded a witch. Is
Everyone:
Lies and statistics. August 2001 huh? So the stats were last compiled just after Code Red, but not since Code Red II, not since the UPnP fiasco, not since the most secure Windows OS ever? Nice to see "journalists" grouping distros together on the basis of which *kernel* they use. If you want to assess the security of *linux* then only focus on expoits that compromise the kernel. If it's just another BIND or wuFTP vulnerability, count it just once for "OSes that use that GPL'd kernel*" *note: packages included with each distro are not uniform across platforms. Not all Linux distros are alike.
But that is rational and fair, and we can't have that can we? No. We need to increase page views and banner hits, we need to convince so-and-so in management that *OS-not-right-for-the-job* is the right tool for the job.
Windows on the desktop and *nix in the server room; the Buddha smiled and farted. And God said "It is Good".
Another closed-minded Linux Zealot. The kind I bitch about all the time.
Pull your head out of your ass, Moron. Linux is just a play-toy. If they actually made a halfway decent and usable desktop OS it'd actually be a worthy competitor. MS has no real competition. It's a monopoly by choice. And if you could see more than 2 inches in front of your own pimply face, you'd see that.
Read the sig. Friggin moron!
Slashdot. News for Zealots, Stuff that matters (if you're a linux zealot!)