Slashdot Mirror


WinInformant Says Windows More Secure Than Linux

nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion.

Update: 02/04 16:54 GMT by T: Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers.

Update: 02/04 19:30 GMT by T: Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.


  1. Severity of vulnerabilities by SiW · · Score: 4, Redundant

    The report doesn't seem to take into account the fact that while the number of Windows holes was fewer, they were far more severe. Code Red, anyone?

    Btw, I'm not a Linux cheerleader, I'm a Windows guy most of the time, and I subscribe to the "best tool for the job" philosophy.

  2. Unfair comparison, uninformed journalist. by opkool · · Score: 3, Redundant

    After reading the whole thing, I came to the conclusion that this is an unfair comparison:

    -They only count bugs for one Microsoft OS product. I mean, there's Win95, Win95osr2, Win98, Win98SE, Win2000, WinME, WinCE, WinNT4.0...

    -They count one bug for each distribution. I mean, if a bug is detected in rsync, it shows as a different bug for every distribution, that is, one bug for Mandrake 7.0, one for Debian, one for Mandrake 7.1 ...

    So, this makes me wonder if the journalist is plainly uninformed or if he has no idea of what he is talking about (a laid-off journalist from the gardening section re-hired for a tech-writer position).

    The conspiracy theories, black helicopters and Microsoft-paid journalists, from my point of view, do not apply here.

    Well, who said the world was fair?

  3. Re:Define "more secure" by denzo · · Score: 0, Redundant

        would you rather be shot by a dozen BB pellets or a single shotgun blast?

    Since a shotgun (usually) fires out many small pellets (smaller pellets with larger gauge number), perhaps a modification to this analogy should go along the lines of: would you rather be shot at a distance by a .410 shotgun or a 50-caliber rifle?

    I'd pick the shotgun, I'd just like to bring along a piece of plywood to take the sting out. ;)

  4. Re:This, of course, will be ignored and ridiculed by Mr+Teddy+Bear · · Score: 0, Redundant

        It's very easy to say that car accidents happen more often than plane crashes. Anyone care to count the casualties? Well, I'm not sure this is a good example, since car accident casualty numbers are, AFAIK, higher, but I think you get what I mean.

    I agree totally, but a better way to look at that same analogy is to think of the amount of people who fly and get killed compared to the amount of people who drive and get killed. Obviously with the 100's of millions of drivers (in the US alone) the percentage of people killed is far greater in plane crashes.

    Bad thing is though, this seems to have the opposite effect on MS vs Linux. MS is deployed on way too many systems (my way of saying they control the market), and they still have the most security breaches per capita. One could argue that the hackers aren't the ones with Windows, and hackers hate Windows and love Linux, which is why they never hack Linux systems... And while this is true to an extent, this doesn't explain everything. The truest power of Linux over Windows is that Linux patches its stuff very quickly. Also, GOOD Linux admins will actually get the patches and put them on. (After evaluating them to make sure they are affected by the security breach and making sure they won't affect anything else in production, etc. etc. etc.) I know the service packs for NT were very badly conceived. (Anyone remember SP6... then a week later SP6a?)

    To bring these ramblings to a close... Things tend to be quite different in a real-world situation than they are in a controlled lab. And enough money can control a lab to make sure it brings out the results wanted.

    Damnit, I want modded up on this. :-P

  5. Well ok... by Bob+Smith+157 · · Score: 2, Redundant

    Sigh...

    I can't read the original article; it's been Slashdotted to death. But I think I can make a pretty good guess as to what happened.

    First off, we host Bugtraq, not NTBugtraq, which is Russ Cooper's list. (Any chance we can get that fixed in the story intro? Anyone know if the same mistake is in the original article?)

    Secondly, I'm constantly amazed at how people misread our stats page. The Linux aggregate stats are the total of all unique bugs across all the various distributions we track. It's supposed to answer the question "How many Linux-related bugs were there that year?" It's based on things like which distro ships a particular package, and when that package is found to have a hole, it also gets attached to the distro. This is so you can look up your distro and see what bugs you might need to patch.

    Take a look at the top of the page, our script hasn't been running since August, when we switched from Roxen to Apache. So, we're missing the whole last quarter of 2001 stats.

    Regardless of anything else, using these numbers to declare that one thing is more secure than another is a mistake. Based on our numbers, why didn't they declare that everyone should run MacOS for security? Or that if you want to be more secure, run Debian instead of Win2K?

    --
    "It's funny. On the outside, I was an honest man. Straight as an arrow. I had to come to prison to be a crook."
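Comments 2 and 5 above disagree about how one bug in a package shipped by several Linux distributions gets counted, and comment 1 points out that raw counts ignore severity. The script below is an added illustration of those counting rules, not code from the thread or from SecurityFocus; the advisory records, product names and the 1-10 severity scale are constructed here for the example and are not Bugtraq data. It shows how the same records give different "Linux vs Windows" numbers depending on whether you count rows, distinct bug IDs, or distinct bugs above a severity threshold.

```python
"""Added example: how a vulnerability count changes with the counting rule.

The records below are constructed for this example (not real Bugtraq data).
They mimic the situation the thread describes: one bug in a package that
several Linux distributions ship appears once per distribution in a
per-product listing, so a row count inflates the Linux total.
"""
from collections import Counter, defaultdict

# Constructed sample rows: (bug_id, product_family, product, severity 1-10).
# Severity values are assumed for illustration only.
ADVISORIES = [
    ("B-1001", "linux", "Debian 2.2", 7),       # one rsync hole, three distros
    ("B-1001", "linux", "Mandrake 7.0", 7),
    ("B-1001", "linux", "Mandrake 7.1", 7),
    ("B-1002", "linux", "Debian 2.2", 4),
    ("B-1003", "linux", "Red Hat 7.1", 6),
    ("B-2001", "windows", "Windows 2000", 10),  # remote, wormable
    ("B-2002", "windows", "Windows 2000", 5),
    ("B-2003", "windows", "Windows NT 4.0", 8),
    ("B-2003", "windows", "Windows 2000", 8),   # same bug, two Windows versions
]


def naive_counts(records):
    """Count one entry per (bug, product) row, as a flat per-product table does.

    This is the reading comment 2 objects to: a bug shared by N distros
    contributes N to the Linux total.
    """
    return dict(Counter(family for _, family, _, _ in records))


def unique_counts(records):
    """Count distinct bug IDs per family (the aggregate reading in comment 5)."""
    seen = defaultdict(set)
    for bug, family, _, _ in records:
        seen[family].add(bug)
    return {family: len(bugs) for family, bugs in seen.items()}


def severity_weighted(records, threshold=8):
    """Count distinct bugs at or above a severity threshold per family.

    Families with no bug over the threshold are reported as 0 rather than
    dropped, so the comparison stays side by side.
    """
    seen = {family: set() for _, family, _, _ in records}
    for bug, family, _, severity in records:
        if severity >= threshold:
            seen[family].add(bug)
    return {family: len(bugs) for family, bugs in seen.items()}


def per_product(records):
    """Distinct bugs per individual product: the view an admin patching one box wants."""
    seen = defaultdict(set)
    for bug, _, product, _ in records:
        seen[product].add(bug)
    return {product: len(bugs) for product, bugs in sorted(seen.items())}


if __name__ == "__main__":
    print("rows per family:      ", naive_counts(ADVISORIES))
    print("unique bugs per family:", unique_counts(ADVISORIES))
    print("severity >= 8:         ", severity_weighted(ADVISORIES))
    print("per product:           ", per_product(ADVISORIES))
```

On the sample data the row count says Linux 5, Windows 4; deduplicating by bug ID gives 3 and 3; counting only bugs of severity 8 or higher gives Linux 0, Windows 2. The ordering flips twice without any record changing, which is the point both comment 1 and comment 5 make: the counting rule, not the data, decides the headline.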