WinInformant Says Windows More Secure Than Linux
nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T: Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T: Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.
Perhaps Windows has had fewer overall security vulnerabilities, but the ones it has had have completely ruined systems and clogged up the Internet (i.e. Code Red, Nimda etc...).
The report doesn't seem to take into account the fact that while the number of Windows holes was fewer, they were far more severe. Code Red, anyone?
Btw, I'm not a Linux cheerleader, I'm a Windows guy most of the time, and I subscribe to the "best tool for the job" philosophy.
Does Windows have fewer security holes than Linux? Apparently so.
Are they smaller holes -- that is, exposing less control of the system and less potential for damage? Probably not.
The question becomes, then: would you rather be shot by a dozen BB pellets or a single shotgun blast?
Look, the obvious point about this should be that the reason Linux has more known vulnerabilities is that Linux has always been very open about what is wrong with Linux.
As for MS, I only have to point to the major bug that they knew about for weeks, but didn't let anybody know about!
Now I'm not saying that Linux is more secure (as much as I would like to), but the data and the report based on it just make no sense, if you think about how vulnerabilities are and are not reported.
Thanks for reading!
Sigs are dangerous coy things
Well, that may be all well and good from a purely technical (or counting reported bugs) standpoint.
But when you consider Microsoft's installed user base, there's just no comparison to how widespread MS is.
It's a damn good thing there were less bugs reported for Windows, as with each one, the repercussions are far far greater.
~sigh~
Simply put, the reason Windows systems seem more vulnerable is because SO MANY MORE people use them, and don't keep them patched. As a rule of thumb, someone running Linux at home knows what the term "security vulnerability" means and keeps his system up to date, where someone running Windows whatever doesn't.
Of course, that's not the case in the server market. If you want to talk about worms, remember one thing - the ONLY reason Code Red and other such worms exist is because of the popularity of the Windows platform, on desktops and servers. Don't kid yourself for a second into thinking that the reason there aren't any widespread worms for *nix systems is because it's more secure.
-Berj
Let's keep in mind that Linux users who find bugs or issues are far more likely to report them, document them, publicize them, and share them.
Microsoft users who find bugs call Microsoft tech support, who informs them politely that it's a feature, and lets the issue be stored deep in their databases somewhere.
This is not an issue of who has more issues, but whose issues get reported and publicized more.
Technical Writer?
Linux may have had more, but were they as bad?
The IIS holes in 2K that allowed Code Red to spread and the UPnP holes in XP which, luckily so far, have been pretty much unexploited were both buffer overrun holes which caused, or had the potential to cause, very serious worm outbreaks.
Did Linux have anything on this scale?
---
Oregon
Oh man, I can hear the keyboards typing right now. One thing you don't do to the Slashdot community on a Monday morning is call their OS less secure than Windows.
On a side note, it's all about how you configure your OS. At this point, you can pretty much do the same thing with each OS from a security standpoint. It's all of the other software that usually does it - web server, DB server, application server, etc. But we all know this right?
my sig is so witty and fun - it tickles almost everyone who reads it.
His mathematics is pretty bad. To get the security problems for Linux, he adds all security announcements from each of the major distributions - completely ignoring that most of those announcements are for the same bug. The Linux number is thus about a factor of 4 too high.
Also, the Windows announcements are for the OS itself only, while the Linux announcements cover programs that do not count as OS stuff under Windows.
Badly researched piece.
/Janne
Trust the Computer. The Computer is your friend.
What matters is not how many bugs there have been, but the total window of vulnerability per bug -- the time elapsed from the bug's discovery to the bug's closing. One really bad bug that remained open for a year is much worse than 10 bugs each remaining open for a week, you see.
--
Victor Danilchenko
After reading the whole thing, I came to the conclusion that this is an unfair comparison:
...
-They only count bugs for one Microsoft OS product. I mean, there's Win95, Win95osr2, Win98, Win98SE, Win2000, WinME, WinCE, WinNT4.0...
-They count one bug for each distribution. I mean, if a bug is detected in rsync, it shows as one different bug for every distribution, that is, one bug for Mandrake 7.0, one for Debian, one for Mandrake 7.1
So, this makes me wonder if the journalist is plainly uninformed or if he has no idea of what he is talking about (a laid-off journalist from the gardening section re-hired for a tech-writer position).
The conspiracy theories, black helicopters and Microsoft-paid journalists, from my point of view, do not apply here.
Well, who said the world was fair?
wininformant.com fails to resolve.
Either this is a /. troll, and they didn't bother to realize the DNS for wininformant.com doesn't exist, or wininformant.com is dead at the moment, or wininformant.com is a group of Microsoft FUD monkeys, or I'm running the wrong desktop OS.
SecurityFocus.com has absolutely nothing on their site about this article.
I would find it at very best to be poor journalism to label an operating system more secure just based on the fact that it has fewer published vulnerabilities. First off, it's easier to locate vulnerabilities in *NIX software. Windows it isn't, mostly because it's closed up and the Windows common user is not motivated with finding a security exploit.
If you look at the types, and severity (which I'm hoping the article does) of it and surmise a judgement based off that I think it's pretty obvious which operating system is more secure.
Dacels Jewelers can't be trusted.
And this is exactly the kind of flawed logic that always creeps into these kinds of discussions: there is no "Linux" to compare with "Windows", there are only a bunch of distros. Totalling up all the holes in all the distros makes no sense at all.
And when you compare Windows to a given Linux distro (much closer to a good comparison), Linux wins every time.
-Esme
Pure quantity of security holes really is not the most important question. To me there are two factors:
1. How severe is the hole if exploited.
Are we talking a DoS, a root compromise, the ability to take over a domain controller? The effect of a compromise needs to be taken into account.
2. How easy to exploit is the hole.
Is it a theoretical exploit, or are there tools floating around? Can it be easily mitigated by a good firewall, or can viewing an email cause the problem?
These questions seem to me more important than pure quantity and should be taken into account when building a threat assessment of a system.
But it is possible to have a very secure Windows environment. No, it does not involve turning the box off ;^)
Take this example: you have a highly competent NT/2K administrator (they do exist) and a pitiful *nix administrator. Which one is going to produce a more secure box? Any objective person would have to say the NT/2K guy would, because he knows his platform well enough to shore up vulnerabilities. Nimda, I Love You, and many other worms did not affect my company because we took security very seriously beforehand. Malicious attachments (.EXE, .SCR, etc) were banned long before I Love You came along.
Now, having played devil's advocate for a moment, let me say that if you have a tightly controlled *nix box with a competent admin and a focus on security, you can create a damn near impregnable system. The weaknesses then lie with the applications, not the OS, and that's something ALL vendors need to work on (you listening, Larry "Unbreakable" Ellison?)
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
I can't remember hearing about many *new* security holes in win2K recently.
I can't get to the article right now, so I'm not sure exactly what their argument is, but while I can remember hearing about quite a few major security holes in the unixes (I think everyone was bitten at least once by ptrace race conditions) I can't think of any similar issues in win2k.
XP, on the other hand... but we're not talking about XP here.
Tarsnap: Online backups for the truly paranoid
If Linux did indeed have more bugs, there are two questions worth asking:
1) which versions of Linux? If you were concerned about security you probably wouldn't be running the most bleeding edge version
2) how significant were the security holes? Are they remote root compromises or something less severe? Linux might have several more minor vulnerabilities and look numerically worse if Windows has one gaping vulnerability
Having said that though, I'm willing to believe this is possible :)
This sig has been temporarily disconnected or is no longer in service
Surely it's not the number of vulnerabilities that either OS displays that's important but rather their severity?
I mean, an exploit that requires the malicious party to have physical access to a machine and then only gives him access to one specific folder on a system is hardly as big a deal as one that gives a script kiddie sitting in his bedroom complete remote control of your corporate servers, allowing him to copy, overwrite and delete files, folders and hard drives at the click of a button?
Let's try to compare apples and oranges here. Just because McDonalds has more restaurants than Michelin-starred ones, it doesn't make the Big Mac a better meal.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
The other camp ain't. We do hear about some vulnerabilities out of Microsoft, but more often it's independent disclosure that opens our eyes. So, how many problems are left unaddressed, and unknown by all but the secret holders? Simple: we don't know.
At least with opensource I can look at the code.
Evan - needs to hit preview before submitting
The SecurityFocus charts seem to say that in the last several years, WinNT/2K has had 2/3 to 3/4 the vulnerabilities of Linux -- all Linuxes combined, that is.
When you break it down, however, Windows has been about equal to Red Hat and well above all the other Linuxes and Unixes in the chart.
As a willing participant in the capitalist scheme, I don't care how secure everyone else's servers are -- just the one securing my stuff. The only thing this chart tells me is that if I want a secure server OS out of the box, I should start with Mandrake or Debian instead of Red Hat or Windows.
I sent a similar article, but was rejected. Peh, guess I need to work on my editorial skills.
Anyway, before anyone gets on a high horse here, it needs to be said that it's the code, not the features that allow users to do stupid things. Most of what's out there choking MS-based networks is because of the ease with which users can execute attached scripts and executables. Oh, and a hole in IIS, but that was mentioned in the article.
Yes, MS is a monopoly. Yes, they're trying to squeeze more cash out of their consumers (Stupid WPA). But, damn, they do produce some of the most solid code out there, as well as some of the most feature-rich, usable applications. Alas, that's just my opinion, and considering that I use mostly MS apps, I might be slightly biased.
The (Hopefully) Great Slashdot Blackout
1. Severity - The issues that exist on Windows platforms are demonstrably larger. There is no administrator/root containment of privilege (generally), and most of the security issues reported are indeed system-level, remote, and widespread.
2. Activeness - The common issues reported for Windows deployments are almost universally in use and actively being exploited BEFORE the report. Most *ix vulnerabilities are not being actively exploited (and definitely at a lower level of activity), and are generally patched to resolve the issue FAR quicker.
3. Openness - "Linux" has no control over the release of bug reports. Microsoft on the other hand, does, to a degree. They can actively "pursue" the matter and encourage the bug reporter to remain quiet about it until they can respond. In some cases for MONTHS, even for well established bug hunters like eEye, on very large vulnerabilities like UPnP.
In closing, there are lies, damned lies, and statistics. Sure, you can put whatever spin you want on it, and I think I have in this posting.
ONE thing needs to be clear: there are a lot of bugs, and having many eyes isn't preventing them from happening on Linux.
No matter where you sit, it's justification to yet again work diligently to reduce the number of potential bugs by secure programming techniques.
GPL'd web-based tradewars themed space game
Unlike Windows, there are many independent distributions of Linux that may or may not be vulnerable to a security hole. Also unlike Windows, each distribution has shorter release cycles. Furthermore, many Linux distributions come with lots of bundled software that not all sysadmins install.
This means that security holes discovered against Windows could be far more devastating because of the uniformity of the installed systems. Code Red/Nimda, etc. would've been much harder to pull off against all variants/distributions of Linux. There's much more paydirt in developing good Windows exploits, since they're likely to work against ALL Windows systems, which means the exploits are likely to be very refined and well tested. Compare to Linux exploits which are usually very hard to get working the first time.
It's also harder to find security holes in Windows since it's closed source (which doesn't make them any less severe). Many security analysts won't even bother since it mostly involves using a debugger to poke at a task for hours, rather than simply grepping source trees for unsafe functions.
But yeah, it is pretty disgusting that Linux in general has this many security holes.
Bias isn't necessarily what annoys me. I would like to see more stories which foster discussion as opposed to sensational bullshit. Isn't there an interesting or nerdy or thought provoking or geeky news item that we can discuss? For fuck's sake, we know Microsoft sucks, we know 80% of Slashdot's traffic is from IE, we know we don't like .NET, we know Ballmer is a monkey, come on, let's talk about something (ANYTHING) else.
[o]_O
So true =).
Open source hasn't proven more secure than closed, as the theory about "given enough eyes all bugs are shallow" says.
The one thing it gives though, is choice. For instance, I don't run rsync (see recent security exploit) and I probably never will. Neither will mdk/rh per default (although a lot is certainly run by default), even though rsync comes with mdk/rh.
Frej Rasmussen.
still reading?
In the long term Linux will have progressively fewer bugs/vulnerabilities due to its open source nature. Look at the numbers on the same chart for NetBSD. There were 9 vulnerabilities found in 2001, and 42 found in Win 2K. 54 for RedHat and only 2 for TurboLinux.
Obviously everyone should switch to Turbo Linux.
Lasers Controlled Games!
That this is in large part due to the nature of Open vs. Closed source applications. Linux is open, and a lot of the bugs tracked are found because of just that--it's open, and people can look inside and see. Windows is closed, and has statistically significantly (understatement) fewer eyes examining it.
So, measuring how secure an OS (any OS) is by the number of items in (NT)Bugtraq is a red herring.
i wonder when was the last time someone found a hole in your firewall by exploiting a hole in your apache to get your sendmail sending the contents of your harddrive to everyone and his hamster?
Greetings,
:-
I wonder how they decided what is "more secure", but my guess is that it's based on the number of reported exploits/bugs.
Does anyone know if they used any weighting on the types of exploits/bugs? I would consider a remotely exploitable bug to be much worse than a locally exploitable bug, as you can't control people that aren't on your box as well as the people that are. I would consider a root/administrator access bug to be worse than a denial of service type bug.
So, given a weighting scheme of
Remote Root = 4
Remote Denial of Service = 3
Local Root = 2
Local Denial of Service = 1
How would the different OSes stack up?
My guess is that without even taking number of installations into account you would find that Microsoft was at least as bad as the various Linux/Unix versions. I'm not going to say that they were worse.
Anyone want to do some analysis on the same information given a weighting scheme and see what the differences are?
Z.
-- Under/Overrated is meta-moderation, and therefore is Redundant.
Did this study look at just standard Linux distro? Like standard installs of RH, or did it look at hardened versions designed to be secure? It seems to me that there are certainly extremely secure hardened versions of Linux, while Windows is generally limited to relatively standard installations.
1. How many of the Linux vulnerabilities are in services that aren't Linux? i.e.: sendmail, apache, ftp servers, and whatnot? Just because something is packaged with Linux doesn't make it Linux. Do the Windows bugs count IE bugs and every other MS software running on the system? What about other packaged software such as AOL and whatever other links they provide?
2. Sheer number of vulnerabilities mean nothing - are they counting the severity of the vulnerabilities?
3. Are they counting the time it took before A) someone discovered the vulnerability and B) a patch was issued?
4. If there are comparable numbers of linux vs. win2k servers out there, which actually had more break-ins? (This question not valid if there is a wide gap in numbers since then the lower of the two probably benefits from that "security through obscurity").
5. I think having full source code availability leads to people actually FINDING the bugs, whereas Windows could have way more, but we don't know about them unless people are actually TRYING to crack the system (as opposed to finding them working on source or whatever).
In my opinion, the reason for this is that Linux is more used in a non/less-commercial way than WinNT/2k.
WinNT/2k admins have money to buy that OS, so I suppose they also have more money/time to spend on security (and use it in a more professional way).
Some Linux boxes on the other hand are "hacked" together, and thus not always secure. Maybe the popular fact that "Linux is more secure than Windows" makes them believe they are not vulnerable.
Are you nuts? Anything "hacked together" in a business is asking for trouble and will get you fired. The difference between the NT machines and the Linux machines in business are pretty much identical... I wouldn't call running Red Hat 7.2 on a Compaq ML530 "hacked" together. I would call running a fileserver on an old desktop that the company was going to throw away hacked together, but then it will also fail because the hardware can't handle the load you are about to put on it... i.e. acting as a server. As a desktop it's perfect.
Sorry, but companies don't run around screaming about what they use, or place banners on the front of the building.. they use it and use it quietly.
and Linux is in more commercial use than you think or any "survey" can report. I have had these surveys call me, I tell them "that is secret information, no comment." to everything they ask. It's none of their damned business as to what is giving my company a major edge over everyone else.
Do not look at laser with remaining good eye.
The fact that you can cite flaws in Windows security proves that Windows security is imperfect, not that Windows is less secure than Linux.
If this is the same article mentioned on LWN (can't be sure, since it's slashdotted), this article compared the number of bugs reported against Windows against the number of bugs reported against Red Hat. And Debian. And SuSE. And another distro - forgot which one.
I'm sure it was an honest mistake that most Linux bugs were counted multiple times.
But I don't buy into the "bug count" argument anyway. It's a lot like that controversy over the "most decorated US veteran" (Hacksworth?) - a lot of people think that you can have a warehouse full of bronze stars and distinguished service medals and it's all scrap metal next to a single Congressional Medal of Honor (post.).
What was the last remote root exploit for a widely used Unix service? What about local exploit for a widely used Unix application?
Now ask the same thing about Microsoft.
Finally, "NTBugTraq" may be respected but that doesn't mean it never publishes crap -- sometimes for the purpose of shooting it down. I've seen this happen on comp.risks and elsewhere.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
First of all, there's no weighting in the charts. So in other words, an attacker can break into a Win2000 box and control everything about it, or he can telnet into a Linux box but has no access to change anything or even browse the root directory, yet both attacks are chalked up as a "1."
Also, read this from their "about us" section:
The company has approximately 50 employees and is privately held, backed by venture funding from SOFTBANK and E*Trade Ventures.
Funny, I seem to remember a story not too long ago about E*Trade joining .NET, and there's that one about 6 months ago when the E*Trade mutual funds started to tank and they moved towards more MS stock... draw your own conclusions.
~ now you know
How does Slackware stack up to other distributions and to Win2k? I know Slackware 8.0 (like most other *nix distros) had a remote root exploit in telnetd, and there are updates for about a dozen other packages; how does this compare to RedHat?
Saying "Linux has more security holes than Windows" is at least as stupid as saying "I just got Linux 7.2".
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Anyone remember Code Red? Nimda? I sure do. I still get 300+ scans a day from infected Windows boxen.
Also, most linux vendor security announcements posted to Bugtraq are for add-on software not enabled by default. They are also announced by each vendor individually, and the author of the package. Most Windows announcements are about vulnerabilities in the OS (IE) or widely deployed packages (IIS, Outlook) from the author of the exploit (after secure@microsoft.com has ignored them).
The entire article needs to be modded -1 flamebait.
What it seems to me, is that they compare the bugs announced by the maker in their shipped products.
...
So, from maker "Windows", for the "Windows 2000" product, they would add up the bugs found in every single application shipped with the "Windows 2000" CD.
Then, from maker "Red Hat", for the "Red Hat Linux 7.0" product, they would add up the bugs found in every single application shipped with the "Red Hat Linux 7.0" CDs.
So, what they show is the amount of bugs announced for a released product from one vendor.
Anyway, the comparison is flawed because they add for "Linux" all the bugs found on every single distribution.
And this is bogus. A bug found in "bind", for example, would be accounted as 1 bug for Mandrake Linux 7.1 + 1 bug for Mandrake Linux 7.2 + 1 bug for Red Hat Linux 7.0 + 1 bug for Red Hat Linux 7.1 + 1 bug for Debian Linux 2.2 +
You see, it is the same bug. But their "grouping" is erroneous.
So far for fairness.
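As an added example (not code from any poster here), this re-scores a set of advisories the way two posts above suggest: it collapses the one-announcement-per-distribution rows that the bind post says the article summed, applies the Remote Root = 4 ... Local DoS = 1 weights from the weighting post, and adds the window-of-vulnerability measure from the post about days open. Package names echo the thread, but every bug id and date is constructed for the illustration.

```python
from collections import defaultdict
from datetime import date

# Weights exactly as proposed in the thread.
WEIGHTS = {"remote_root": 4, "remote_dos": 3, "local_root": 2, "local_dos": 1}

# Constructed sample rows, one per vendor announcement, which is how a raw
# per-distribution advisory feed reads: the same underlying bug appears once
# per distribution. Bug ids and dates are made up for this illustration.
# Fields: vendor, os, package, bug id, class, disclosed, patched
ADVISORIES = [
    ("Red Hat",   "Linux",   "bind",    "BUG-0001", "remote_root", date(2001, 1, 29), date(2001, 1, 31)),
    ("Mandrake",  "Linux",   "bind",    "BUG-0001", "remote_root", date(2001, 1, 29), date(2001, 2, 2)),
    ("Debian",    "Linux",   "bind",    "BUG-0001", "remote_root", date(2001, 1, 29), date(2001, 1, 30)),
    ("Red Hat",   "Linux",   "rsync",   "BUG-0002", "remote_root", date(2001, 12, 4), date(2001, 12, 6)),
    ("Debian",    "Linux",   "rsync",   "BUG-0002", "remote_root", date(2001, 12, 4), date(2001, 12, 5)),
    ("Red Hat",   "Linux",   "xfree86", "BUG-0003", "local_dos",   date(2001, 5, 10), date(2001, 5, 17)),
    ("Microsoft", "Windows", "iis",     "BUG-0004", "remote_root", date(2001, 6, 18), date(2001, 6, 18)),
    ("Microsoft", "Windows", "upnp",    "BUG-0005", "remote_root", date(2001, 10, 1), date(2001, 12, 20)),
]


def naive_count(advisories):
    """The article's method: one tally per announcement, summed by OS."""
    counts = defaultdict(int)
    for _vendor, os_name, *_rest in advisories:
        counts[os_name] += 1
    return dict(counts)


def unique_bugs(advisories):
    """Collapse per-distribution announcements to one record per (os, bug id).

    The exposure window for a bug spans the earliest disclosure to the latest
    vendor fix, i.e. the worst case across all distributions that ship it.
    """
    bugs = {}
    for vendor, os_name, package, bug_id, cls, disclosed, patched in advisories:
        rec = bugs.setdefault((os_name, bug_id), {
            "package": package, "cls": cls,
            "disclosed": disclosed, "patched": patched, "vendors": set(),
        })
        rec["disclosed"] = min(rec["disclosed"], disclosed)
        rec["patched"] = max(rec["patched"], patched)
        rec["vendors"].add(vendor)
    return bugs


def dedup_count(advisories):
    """Distinct bugs per OS after de-duplication."""
    counts = defaultdict(int)
    for os_name, _bug_id in unique_bugs(advisories):
        counts[os_name] += 1
    return dict(counts)


def weighted_score(advisories):
    """Severity-weighted tally of distinct bugs, using WEIGHTS."""
    scores = defaultdict(int)
    for (os_name, _bug_id), rec in unique_bugs(advisories).items():
        scores[os_name] += WEIGHTS[rec["cls"]]
    return dict(scores)


def exposure_days(advisories):
    """Total days each distinct bug stayed open (disclosure to last fix), per OS."""
    days = defaultdict(int)
    for (os_name, _bug_id), rec in unique_bugs(advisories).items():
        days[os_name] += (rec["patched"] - rec["disclosed"]).days
    return dict(days)


def weighted_exposure(advisories):
    """Severity times days open: one bad hole open for months dominates."""
    total = defaultdict(int)
    for (os_name, _bug_id), rec in unique_bugs(advisories).items():
        total[os_name] += WEIGHTS[rec["cls"]] * (rec["patched"] - rec["disclosed"]).days
    return dict(total)


if __name__ == "__main__":
    metrics = [
        ("raw announcements", naive_count),
        ("distinct bugs", dedup_count),
        ("severity-weighted", weighted_score),
        ("days exposed", exposure_days),
        ("severity x days", weighted_exposure),
    ]
    for name, fn in metrics:
        print(f"{name:20s} {fn(ADVISORIES)}")
```

On the constructed rows the raw tally reads Linux 6 vs Windows 2, but the distinct-bug, weighted and exposure metrics all move the other way, which is the whole point the posters are making about how the counting is done.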
Remember people, while we can be pretty damn secure (no pun intended) in the fact that we've gotten most of the security holes out of linux, there could still be many unknown holes in various windows operating systems that simply have yet to be discovered. With the source open, you're going to find more holes, assuming all things were done equally.
Also, are we looking only at the linux kernel itself (compared to the windows kernel) or all the programs that are typically packaged with it? Gnu and Linux usually stand together, but counting vulnerabilities in every program that could ever be run suid root may be reaching a bit far.
-Restil
Play with my webcams and lights here
So, how about we do a serious analysis? I'll put up a system that lets people rate the various bugs by severity along a couple of continuums. (Like theoretical impact and actual impact.) Then people can use this data to draw more accurate conclusions. If at least 10 people respond to this post, and two thirds of them think it is a good idea, I'll put one up and link it here.
The security of any OS lies in the skill of its admin. An idiot with a 2k box is no more secure than an idiot with a linux box and vice versa.
- Toby
Again, Winformant, in a desperate attempt to seem like they aren't a bunch of toadies, has struck an "independent" blow against linux's "security myth," by proving that more holes were found in linux than in Windows.
Well, duh. Linux is full of holes. But that's not winformant's problem. You see, each of those holes was cleared up in a matter of days and a patch was freely available. There were no egos and press releases claiming there are no holes. There were no programmers waiting around while Marketing decided the best colour for the patch's installation wizard. There was no downtime as millions of machines had to get the file from a single MS server because the patch's license didn't allow redistribution. There were no hours of wringing hands as sysadmins watched hackers pick off their boxes one by one because there's no workaround while the patch was built. There was no possibility for diving into the code and fixing it yourself; and if there was there'd be no way to release the patched dll. Oh, and if a linux machine was compromised, there was little chance of it polluting the entire network...because the bug affected less than 1% of the install base of that particular OS, and not 100%.
Not to mention the reason that so many Linux patches were "found" rather than "discovered" is that bored sysadmins can sit around with sheets of source code, hoping to find a hole and make a name for themselves on BugTraq. With windows...well, you'd better be good with BlackIC and ASM, because it's the only way you're finding the hole.
Hey freaks: now you're ju
However, the conclusion being drawn here is invalid. The SecurityFocus vulnerability survey is interesting, but it is not itself a reasonable methodology to generate security metrics between operating systems.
I could pick nits at this ad hoc study for hours, but the biggest problems are also the most obvious:
First: the study associates third-party software with the operating system, and aggregates all the distributions together into a meaningless "Linux" category. This study is literally just pattern matching against advisories.
Second: there is no notion of "severity" or "impact" in the study. This is a shame, because SecurityFocus has actually put some real effort into deriving a taxonomy of vulnerabilities from their (enormous) vulnerability database. There is no way to determine whether the N Linux vulnerabilities were equivalent to the K NT vulnerabilities.
Third: the study compares a kit of open-source software, which has received extensive peer review, to a closed-source product. It should surprise nobody that Linux has more documented problems than Windows: it's actually possible to go find vulnerabilities on Linux. Finding Windows vulnerabilities requires black-box reverse engineering.
Finally, both Linux and Windows do a reasonable job of locking down server configurations out of the box. What IT people need to know is vulnerability breakdown by operating system and by deployed configuration. This study does nothing to inform us of whether a Linux web server is at more risk than a Windows web server, or whether it's safer to expose a Linux print server or a Windows print server. Organizations that deploy homogenous Apache+NFS+ssh server farms don't care about XFree vulnerabilities or Samba problems.
I don't think SecurityFocus is actually trying to make claims about the relative security of Linux and Windows. I think they've been a bit careless with this report though; it's a reasonable thing to try to generate from their database, but more thought should have gone into presentation.
SecurityFocus has the on-staff expertise to publish some real conclusions about the distribution of vulnerabilities between Linux and Windows. Before this database report is misconstrued by the trade press, it would be enormously helpful if they could publish a statement about the conclusions that can be legitimately drawn from it. It'd be good press for them, too.
It's actually Win2k vs. Red Hat AND Mandrake AND SuSE AND AND AND. The Linux numbers are an aggregate of all the distros they evaluate.
This same thing happened last year... Some guy wrote a piece claiming similar things, and making the same mistake: adding up all the bug entries against all the distributions, so that many bugs were counted several times over (and somehow not adding up Windows 9x bugs with Windows NT bugs..... ). When will people learn.
sigs are a waste of space
They are making some headway with this, the qchain tool, hfnetchk and a couple others, but it still takes longer to check, deploy and test these damn things than it does with any other *nix I've worked with.
RANT
/RANT
I think the first thing MS needs to do is get a decent remote shell for Windows servers. There are some okay 3rd party products out there and Terminal Services does help too, but I don't need the full GUI, just a shell that isn't handicapped like their silly telnet server.
It tells us that when Microsoft doesn't try to over-burden their operating systems with silly gizmos and features it's actually pretty damned good. Windows 2000 was only an evolutionary change from NT 4 (many of the changes were supposed to originally come with NT 4), had the history of the NT code base behind it, and it got the job done without too much glitz and glamor.
It wasn't until Microsoft thought up NT 5.1 (aka XP) with all sorts of inane bells and whistles to try to convince us that we need to upgrade that the bottom fell through on their security again.
While this does vindicate my continued use of Windows 2000 in the XP era, I really don't feel this vindicates Microsoft too much. When it comes to operating system releases, Windows 2000 was a bit of a fluke. A fluke because nine times out of ten Microsoft tries to overload a new OS with silly features (think 98 compared to 95), and this time they "messed up."
While Windows 2000 is secure, the underlying philosophy in Microsoft that made them decide to release XP is not.
What someone said--a primary security hole (something you drive side-by-side trucks through) are Windows applications. Visual Basic and, by extension, Outlook, are big culprits.
But many of the things that make Windows insecure do extend to the OS level. Here on my Macintosh, my firewall is set to lock out IPs that try a NETBIOS check, as well as various port scans. It's also aware of the Code Red variants.
My Mac OS (9 or X) ignores them. As with Linux, my OS doesn't know or care about NETBIOS.
And OS X, as a better example for all the huff, is a *nix family OS--and still in its infancy compared to the older Linux distros and UNIX itself. A UNIX class OS is only insecure on the magnitude of Windows when we open up all the elements of the OS that are normally closed by default--permissions, certain root access, and so on. Therefore, you have to be a Raving Buffoon(tm) to set Linux or any *nix up for a fall.
Windows' faults are inherent to perpetuate its market share, as well as stupid coding. And now MS wants to "fix" it? Give us a break.
/.
Vos teneo officium eram periculosus ut vos recipero is.
Again, I find it disturbing how easily everyone shrugs this off as propaganda or something.
Listen, everyone: Times are changing. Linux has gotten big and complicated, and is no longer automatically secure. Long gone are the Slackware days where you'd download a minimal kernel/utilities package and then compile only the apps you need, by yourself, and understand everything. Complex software has security problems, and the linux community has done little but use the "lots of eyeballs" method to counter that. Microsoft software is also quite complex, and they have fewer eyeballs (I hope, though I am not sure), but they have publicly recognized the problem and are at least pretending to try to fix it. Microsoft also has a bunch of research into technologies for producing machine-checked code so that they don't even need lots of eyeballs. (I really wish that linux had this too; see a related rant http://slashdot.org/comments.pl?sid=26315&cid=2851 880 ).
My linux box has been rooted twice. I keep up to date on patches, I read bugtraq. My windows box, also connected to the internet all the time (and getting a lot more use), has never been compromised through 95, 98, 2000, and XP. (I have been Winnuked, that's the worst thing that's happened.)
I guess my point is: this is not something to laugh at. Some day soon, people will not think of Microsoft operating systems as crashy (already happening to an extent) and insecure (...), and then linux will have a much tougher sell to the average guy who doesn't care about Free Software. Instead of laughing smugly about an article like this, maybe we should be worrying?
This argument applies in both directions. While the Linux apologists use the "Linux is just the kernel" argument, the Microsoft apologists trot out the tired old "it's only third-party apps and drivers that are buggy" line.
I agree that it makes sense to look at vulnerabilities in systems that people actually use to get stuff done. (After all, a box running nothing but a kernel with no I/O, no network connection, etc. is impregnable, but useless.) But if we apply that logic to Linux, we should apply it to Windows as well.
How many bugs do you think would show up if we included not only Windows kernel exploits (of which there are a fairly good number, I'm betting more than those strictly in the Linux kernel) but also those in IIS, Outlook, Exchange Server, etc.?
As someone who's seen the results of having these beasts running in a production environment, I can tell you which OS I feel more secure running, and it ain't from Redmond.
- fader
Linux is a target. When the black hats are sweeping the network, they see a bunch of windows boxes that are easy to break into; whoopty-shit, who cares. No challenge, no glory, and no use. On the other hand, when they find a linux box, it's a gold mine. Linux is the friendly unix, which gives its owners a false sense of security. Linux, being easy, tends to install so much, which gives greater opportunities to install security flaws. Linux is also far more useful to a black hat. He's probably also using linux; he can just run his root kit without thinking and then all of his tools are installed and run without a recompile or any fuss. It's easier for black hats to own a linux box and use its network tools than it is for a black hat to do the same with a windoze box. Most linux boxes have a compiler installed (which is a right and good thing); the opposite is true in windoze land.
Conclusion: Linux is still better and more powerful than windoze any day, which makes it a more attractive target. Since the barrier to entry with linux has been deeply lowered, many naive good people are installing a powerful OS for fun, just to find out that with power comes responsibility.
Democrats and Republicans only disagree about how to enslave you
Well, I've never used a computer in my life, so I obviously have no bias whatsoever in this. I don't know the details of why Windows is said to be more secure than linux (slashdotted already, of course) but it seems pretty obvious.
I'm not one to bash Linux, though I prefer a real *nix any day. However, I'm not one to bash Windows either, it's actually a pretty good OS. (Something that I can see a lot more now that I work with a company designing systems dozens of times more bloated and complicated than even XP) The real reason Windows seems so much more insecure is because so many people use it, and it's become such a standard that it makes an easy target for custom made cracking tools. It's just as easy, if not easier, for someone who knows what he's doing to break into a linux system and completely take over. In fact, it's always seemed to me like someone could do more damage with a cracked linux box than with a Windows one.
But of course windows doesn't stand a chance here, it's hard to argue with an "I'm right because I said so" attitude that a lot of the more vocal people seem to have. I honestly thought my monitor was going to burst into flames when I started reading the above comments...
-Space for rent
It's a great-sounding theory. It _could_ be true in reality, if everyone were perusing source code, but who really does? Now, some folks _have_ looked at the code for OpenBSD, so it's what I run at home.
OTOH, open source is amenable to extremely quick fixes for exploits. Once a weakness is known, the eyeballs look at the code, and it gets fixed quickly. I hope. In other words, I don't really know, but it sounds like it's true, so why not promulgate another fine-sounding theory, heh heh.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Not only that.
This kind of study doesn't see what is Linux and what is aggregated software. They say Linux and Windows, but I'm sure they don't include IIS.
In any case, impact and severity must also be taken into account. Most Windows bugs are remotely exploitable, and give full control of the machine. Most linux bugs are only locally exploitable, or only leak information.
It's very easy to say that car accidents happen more often than plane crashes. Anyone care to count the casualties? Well, I'm not sure this is a good example, since car accident casualty numbers are, AFAIK, higher, but I think you get what I mean.
morcego
... and it should be ridiculed. The article compares Windows +bundled services with Linux +all possible services. Add in the security holes by all Windows ISVs, and the number will be astronomical. You can't compare Linux +8 MTAs and 5 HTTP servers with 12 embedded scripting languages with NT+IIS+ASP. Add holes for Cold Fusion and all the other "Server" role exploits under Windows and you'd have a far more valid comparison.
Ok, here's what I noticed. The SUM of all Linux's put together had a higher bugcount than windows 2000.
Now, how many people do you know that install redhat, then add to it all the security bugs in caldera, Connectiva, Mandrake, Slackware, Suse, and Turbo Linux?? None, that would be extremely difficult. This is akin to saying the Ford Taurus has fewer bugs than all of the Nissans put together, therefore it is a better product.
Also, we are assuming that all bugs are created equal. Guess what, not so. Windows bugs have superpowers, faster than a speeding packet, stronger than a firewall, able to leap entire networks in a single bound! Linux security bugs take down processes, sometimes servers. Windows bugs take down Networks, or internets!!!
But I'm sure they'll never get called on it, because their readership is windows users. They are preaching to the choir, and they will ignore us and our quest for accuracy.
Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
Well, now we know what they were really talking about when Microsoft said they were going to place a new focus on security - "SecurityFocus", or focus on Linux security and not Microsoft security.
Of course it's been known for a long time that Linux has more security flaws *REPORTED* simply because it's open source, and people do a lot of intense study of its security. But this does not mean that Linux is less secure, it means that we find and fix security flaws faster than Microsoft can find them.
I was thinking to myself yesterday about how the nature of open-source lends itself to a lack of "talent auditing". Meaning, there **MAY** be a greater chance of bugs being introduced into an open-source project because the programmers are often not hired professionals.
:-P
I would like to see a comparison in bugcounts (say, per line of source code) between open-source projects supported by professionals (i.e. people trying to make money off of it, i.e. mySQL) and projects supported by weekend programmers.
I just had an ironic thought. Since most open-source business plans revolve around providing support, would that make those companies want to introduce MORE bugs?
Take another look at the data referenced by the article! It actually shows that Windows 2000 was one of the worst as far as security goes. The linux aggregate score does not resemble any of the individual linux distros mentioned. What I would like to know is, how did the author ever draw the conclusion that Windows 2k was more secure? And what was the point of comparing the score of an OS with an aggregate score? That makes no sense either!
X
I can't connect to WinInformant, but if you look at the numbers available at SecurityFocus, you'll see that they did not simply add up the numbers. Linux is listed with 96 aggregated vulnerabilities for 2001, while e.g. Red Hat has 54, Debian got 28, and Mandrake got 36. There are more Linux distributions listed, but these numbers alone show that your claim is wrong (unless WinInformant has different numbers).
You'll also see that Red Hat had 54 vulnerabilities while Windows 2000 had only 42.
However, I'd still agree that the WinInformant article is badly researched (but please note that, as stated above, I've not read it, I only know the part that Slashdot quoted). The article claims that Windows is more secure "according to the reputable NTBugTraq," however, SecurityFocus does not make any claim concerning the security of either Windows or Linux, they just make the numbers available as a statistic. In other words, WinInformant doesn't have any source for their claims, they just found some more or less interesting numbers and made up a story.
Sig (appended to the end of comments I post, 54 chars)
Sigh...
I can't read the original article; it's been Slashdotted to death. But I think I can make a pretty good guess as to what happened.
First off, we host Bugtraq, not NTBugtraq, which is Russ Cooper's list. (Any chance we can get that fixed in the story intro? Anyone know if the same mistake is in the original article?)
Secondly, I'm constantly amazed at how people mis-read our stats page. The Linux aggregate stats are the total of all unique bugs across all the various distributions we track. It's supposed to answer the question "How many Linux-related bugs were there that year." It's based on things like which distro ships a particular package, and when that package is found to have a hole, it also gets attached to the distro. This is so you can look up your distro, and see what bugs you might need to patch.
Take a look at the top of the page, our script hasn't been running since August, when we switched from Roxen to Apache. So, we're missing the whole last quarter of 2001 stats.
Regardless of anything else, using these number to declare that one thing is more secure than another is a mistake. Based on our numbers, why didn't they declare that everyone should run MacOS for security? Or that if you want to be more secure, run Debian instead of Win2K?
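To make the "unique bugs across all distributions" point concrete, here is an added example (not SecurityFocus code) that builds per-distro counts, a naive sum, and a deduplicated aggregate from a small advisory table. The advisory IDs, packages, affected-distro sets and severity classes are constructed for illustration and are not real Bugtraq entries; the point is only that a bug in a package shipped by four distros is counted four times in a sum but once in the aggregate.

```python
"""Added example (not SecurityFocus code): how per-distro vulnerability
counts and a deduplicated aggregate differ from a naive sum.

The advisory table below is constructed for illustration; the IDs,
package names and severity classes are made up, not real Bugtraq entries.
"""
from collections import defaultdict

# (bug_id, package, affected_distros, severity_class)
# One bug in a shared package (e.g. bind) shows up in every distro that ships it.
ADVISORIES = [
    ("bug-001", "bind",     {"Red Hat", "Debian", "Mandrake", "SuSE"}, "remote root"),
    ("bug-002", "sendmail", {"Red Hat", "Debian", "SuSE"},             "local root"),
    ("bug-003", "glibc",    {"Red Hat", "Debian", "Mandrake", "SuSE"}, "local root"),
    ("bug-004", "xchat",    {"Red Hat", "Mandrake"},                   "remote non-root"),
    ("bug-005", "uucp",     {"Red Hat"},                               "local root"),
    ("bug-006", "kernel",   {"Red Hat", "Debian", "Mandrake", "SuSE"}, "local root"),
    ("bug-007", "up2date",  {"Red Hat"},                               "info leak"),
    ("bug-008", "yast",     {"SuSE"},                                  "local root"),
    ("bug-009", "apache",   {"Red Hat", "Debian", "Mandrake", "SuSE"}, "info leak"),
    ("bug-010", "dpkg",     {"Debian"},                                "local non-root"),
]


def per_distro_counts(advisories):
    """How many advisories touch each distro (what the per-distro rows show)."""
    counts = defaultdict(int)
    for _, _, distros, _ in advisories:
        for d in distros:
            counts[d] += 1
    return dict(counts)


def naive_sum(advisories):
    """The misreading: add every distro's count, so shared bugs count repeatedly."""
    return sum(per_distro_counts(advisories).values())


def unique_aggregate(advisories):
    """What the aggregate line means: each distinct bug counted exactly once."""
    return len({bug_id for bug_id, *_ in advisories})


def by_severity(advisories, distro=None):
    """Apples-to-apples breakdown by impact class, optionally for one distro."""
    counts = defaultdict(int)
    for _, _, distros, sev in advisories:
        if distro is None or distro in distros:
            counts[sev] += 1
    return dict(counts)


if __name__ == "__main__":
    print("per distro:", per_distro_counts(ADVISORIES))
    print("naive sum:", naive_sum(ADVISORIES))
    print("unique aggregate:", unique_aggregate(ADVISORIES))
    print("Red Hat by severity:", by_severity(ADVISORIES, "Red Hat"))
```

With this table the four distro counts add up to 25 while only 10 distinct bugs exist, which is the same shape as the real numbers quoted in the thread (an aggregate well below the sum of the distro rows). The `by_severity` breakdown is the kind of split several posters ask for: remote root vs. local root vs. information leaks.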
Are they referring to the core OS? Regarding kernel vulnerabilities? Regarding Apache vs. IIS? I noticed one of the tables on the SecurityFocus site shows "Top Vulnerable Packages 2001" - what exactly does that mean? Installed packages and running daemons? Or the kernel each OS is packaging?
Look at those tables. How can you refer to Windows NT 4.0 versus Internet Explorer versus IIS versus RedHat Linux 5.2!!!
Those are really huge apples and massive oranges... This is marketing fluff, vague and doesn't do anyone any good! Doesn't matter if you are referring to Windows, Linux, Solaris, QNX, or whatever. These are raw stats, without enough detail to make an informed decision regarding their meaning.
Look deeper into statistics, et al. before flaming one way of the other!
OK, so let's narrow it down: Microsoft IIS servers are more secure than Linux/*NIX/Apache servers? How about the immense propagation of crap that unpatched IIS servers are propagating on the 'net?
I am running a little hobby server at home, running FreeBSD and I have been getting a HUGE number of NIMDA requests, so , is NIMDA resolved? ummm I think not...
Here's the proof, it's a quick and dirty generation of the requests my apache is getting from the clueless IIS dorks on Rogers@Home (an informal traceroute has shown most of the requests coming from within the @Home network).
I like SF , I read SF, but those tables and statistics are completely ridiculous and I'm not even slamming MSFT one way or the other....
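The poster's "quick and dirty" tally of worm requests isn't shown, so here is an added example (not the poster's script) of the same idea: parse Apache common-log lines, match the request path against the well-known Code Red and Nimda probe patterns aimed at IIS (`/default.ida`, `/scripts/root.exe`, `/MSADC/root.exe`, `cmd.exe`), and count hits per source host. The log lines are constructed for this example and use RFC 5737 documentation addresses, not real hosts.

```python
"""Added example (not the poster's script): scan Apache access-log lines for
Code Red / Nimda style probes and tally them per source host.

The log lines below are constructed for this example; the IPs are RFC 5737
documentation addresses, not real hosts. The request patterns are the
well-known ones those worms sent to IIS (default.ida, root.exe, cmd.exe).
"""
import re
from collections import Counter

# Probe signatures of the 2001 IIS worms (case-insensitive regex alternation).
WORM_SIGNATURES = {
    "code-red": [r"/default\.ida"],
    "nimda": [r"/scripts/root\.exe", r"/msadc/root\.exe", r"cmd\.exe", r"/scripts/\.\./"],
}
_SIG = {name: re.compile("|".join(pats), re.IGNORECASE)
        for name, pats in WORM_SIGNATURES.items()}

# Apache common log format: host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# Constructed sample: two worm-infected hosts and one ordinary visitor.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Feb/2002:10:01:12 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 209
192.0.2.10 - - [04/Feb/2002:10:01:13 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [04/Feb/2002:10:01:13 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
198.51.100.7 - - [04/Feb/2002:10:02:40 -0500] "GET /index.html HTTP/1.1" 200 1532
198.51.100.7 - - [04/Feb/2002:10:02:41 -0500] "GET /images/logo.gif HTTP/1.1" 200 2210
203.0.113.55 - - [04/Feb/2002:10:05:09 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 221
203.0.113.55 - - [04/Feb/2002:10:05:10 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235
"""


def parse_line(line):
    """Split one common-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ts, method, path, status, _size = m.groups()
    return {"host": host, "time": ts, "method": method, "path": path, "status": int(status)}


def classify(path):
    """Return the worm family whose signature matches the request path, else None."""
    for name, rx in _SIG.items():
        if rx.search(path):
            return name
    return None


def tally_probes(log_text):
    """Count worm probes per (source host, family); unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify(rec["path"])
        if family:
            counts[(rec["host"], family)] += 1
    return counts


if __name__ == "__main__":
    for (host, family), n in sorted(tally_probes(SAMPLE_LOG).items()):
        print(f"{host:16} {family:9} {n}")
```

Run against a real `access_log` (read the file instead of `SAMPLE_LOG`) this gives the per-host list the poster describes; the 404 status on every probe line is the normal signature of an Apache box being scanned by a worm that only knows IIS paths.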
When I was in tech support, everybody thought USRobotics modems sucked. We spent a lot of time dealing with USRobotics problems, much more than any other modem. Then we realized that USRobotics modems were in 70-80% of the PCs on the market. That meant that if USR modems caused 60% of our problems, they were actually better than the average modem!
I can't get to the article, but if they are talking about desktops, then anything less than 90% of the security problems coming from Windows actually means that Windows is better than average. For servers that number would have to be what, 30%?
There are other statistics involved here too. For example, Linux people always point out that Linux bugs get fixed faster than Windows bugs. True, but if the Windows patch gets released after 2 weeks, you still are still running clean more than 90% of the time--it just doesn't make that big a statistical difference.
Then of course there is the difference between "bugs found" and "bugs exploited". I imagine fewer "hackers" exploit Linux bugs because of sheer hate for "M$". If they ever let an AOLinux loose on the market, it might become a hate-target, and then all of the sudden Linux looks a lot less secure.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers.
Musta been hacked.
The moron at wininformant added all exploits for all linux distributions together. Imagine the obvious scenario, where bind 8.x.x has a root compromise. This would only count as a single exploit; however, the article counts it once for each distribution that acknowledged it.
If you look at the charts yourself, you see that Win2k had 42 exploits in 2001. In comparison, SuSE had 21. Redhat had 54. OpenBSD had 14. The figures also are not focused on a particular release. I would expect that the numbers would be substantially lower if it only took into account the current releases. Surprise, SuSE still publishes security announcements for 6.x in addition to 7.x, and those are counted.
The author of the article needs to look up Aggregate and try writing an article again.
Squash
Well, no offense, but: "Duh!" Of course a lot more Windows-based machines were exploited. You've got 2 very good reasons for this:
1) Wide distribution. Yep. Contrary to your belief, Windows is distributed more widely than Linux. So, of course more boxes will be hit.
2) Idiot users. I mean, let's face it, there's a reason why most windows users aren't on Linux. They're morons! Anyone and I mean anyone that runs an attachment from someone they hardly know that's written in worse english than a retarded 7 year old would write deserves what they get. Unfortunately, they're the reason the network was clogged with NIMDA. Code Red was more a result of wide spread use of IIS.
Gawd, I'm sick and tired of the linux bigotry around here. Linux is great and all, but I sure wouldn't want to join a group of the most closed minded bigots in the world, just to have the privilege of using a free OS that's actually pretty decent. I think I'll stick with Windows. Monopoly and all. You people are doing Linux a great disservice. Don't get me wrong, I like Linux, but it doesn't serve my needs as a desktop OS. Maybe instead of bashing MS someone could make it more useful for the masses?
The (Hopefully) Great Slashdot Blackout
Of course, that's not the case in the server market. If you want to talk about worms, remember one thing - the ONLY reason Code Red and other such worms exist is because of the popularity of the windows platform, on desktops and servers. Don't kid yourself for a second into thinking that the reason there aren't any widespread worms for *nix systems is because it's more secure.
Don't kid yourself. The various free O/Ses are simply a harder target. They are more diverse, both across O/Ses and distributions, and even within a distribution there are different configurations. On top of all that any individual box can be a totally custom system built from the source pool.
There are countless email readers, multiple web browsers, all types of competing server daemons. When you take the windows monoculture you simply don't find such diversity. The competing software is simply wiped out.
It's a well known and intuitive fact that monocultures are far more vulnerable to disease and parasites than a healthy diverse population.
Is this news? We all know that Windows is reliable, secure and easy to use. My MCSE friend told me that, so it must be true!
On a more serious note, there might have been more reported Linux vulnerabilities, but the Windows vulnerabilities were much more serious. Also, you can't compare the number of vulnerabilities discovered in the code of open-source software with the number of vulnerabilities discovered in closed-source, not-allowed-to-be-reverse-engineered software.
aka... It's much harder to find a Windows vulnerability than it is to find a Linux one.
Connectiva has been declared the safest operating system ever with combined vulnerabilities over the last 5 years equalling 0. Everyone in corporate america and those banks too should immediately throw out all other operating systems and switch over to Connectiva.
Warning: Connectiva does not support vulnerabilities and all calls will be redirected to the nearest OS distributor.
If you're going to look at hardened Linux installs, why not look at a hardened Windows install too? You know: one that has been locked properly to meet its C2 certification, e.g. via the resource kit tool c2config.exe or from this page. As it stands, the most common distros of Linux do not install with good security, and that is why things like Bastille Linux exists.
Get off my virtual lawn, you damned virtual kids!
Windows security holes typically have exploits in the field, whereas linux vulnerabilities are commonly released from code review - hence having no preexisting exploits (that are known and demonstrated). Some are in fact purely theoretical, and may be of no use to a malicious user.
So even if you keep on top of your windows updates religiously, keep in mind that they are generally reactive. So there is always that window of vulnerability...
Linux (aggr.) has more, but each individual distribution does not. Simply put, if you add up every security issue with every OEM release of Windows (Compaq, Dell, HP, etc.), Windows would aggregate to a much, much higher number. The worst Linux distribution, RedHat, had 95 compared to W2k/NT's 97 (in 2000). And while Redhat was worse in 2001, the Windows numbers don't include XP. (Before you bitch at me about the "single" RedHat vs. the "aggregate" W2k/NT, RedHat had multiple versions out these years.)
What is the Linux (aggr.) anyway? The individual distribution numbers don't add up to that aggregate total. Does bugtraq not even know the Linux distros?
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
It isn't. These particular numbers were presented on SecurityFocus without commentary. I'd guess the aggregate number was only added for completeness' sake.
It is all the pro-windows pundits that try to bend these numbers to their agenda.
Mart"I know I will be modded down for this": where's the option '-1, Asking for it'?
Since its release, there have been 29 security fixes. So, lets have a look at them:
- 1 fix for syncookie vulnerability (not enabled by default)
- 1 fix for apache-devel where you could trick apache into displaying a directory index
- 1 fix for OpenSSH, must be enabled by admin to be vulnerable
- 1 fix for xchat which would allow other IRC users to execute IRC commands as you - not exactly a root exploit
- 1 fix for uucp - RedHat 7.2 is not vulnerable, down to 28
- 1 fix for at - RedHat 7.2 is not vulnerable, down to 27
Given that 2 have to be enabled to be vulnerable, we're down to 25. All in all, almost all vulnerabilities were from different packages. Only 1 kernel problem. So, you would need to be running ~25 specific packages to be vulnerable. So, any report using the 29 patches on RedHat's site (see above link) without actually reading the descriptions is going to be way off base. Now the same thing may be true for W2K machines, but I haven't looked to see.
Most were not remotely exploitable, and some weren't even local-root exploitable. Some all you could do was view files!
In any case, at the bottom of the SecurityFocus's page should be slashdot's poll disclaimer:If you're using these numbers to do anything important, you're insane
Well Mr. Black, if you had spent a few minutes on COLA, you'd have seen these numbers debunked multiple times, yet every time one of the MS apologist regulars tries to bring them up again!
Mart"I know I will be modded down for this": where's the option '-1, Asking for it'?
This is pure bullshit, and it's even old bullshit. SecurityFocus have themselves said so. It's been around before.
This always comes up due to several problems with the statistics:
First, they're comparing Linux distributions with everything from several database servers through webservers, through rsh, ssh, telnet, ftp, compilers, etc to plain Windows. Include IIS, SQL server, shareware telnet servers windows, ftp servers, Outlook, etc and do it again. It is not quite the same thing, nor will your average linux machine have those services running anymore than your average Windows machine. Still, the vulnerabilities are counted if they ship with the CDs.
Second, the 'aggregate' statistics are completely misleading. Those statistics add up every vulnerability in every program that any Linux distribution vendor has seen fit to put on a cd. That is even more farfetched.
Sigh.
I'll tell you what the flawed logic is. You can completely ignore the stats, and you can completely ignore direct comparisons. It all lies in the software. Most of the Linux vulnerabilities were for software that most people don't install, non-standard stuff. Like bitchx exploits or exim exploits. Not everyone installs that by default. So this aggregated Linux number is basically exploits from the tens of thousands of pieces of software available for unix systems. This is why it's flawed logic. Most of the Windows vulnerabilities are default install problems. They are standard with the OS. Even under the breakdown by Mandrake, that includes all software you find on the Mandrake cd. Not only software that is installed by default (under all install options even). If you include every piece of software that runs on the windows platform that was exploitable last year, I think you would get a number that would blow it out of the water. On a side note, that's not even taking into consideration that source is available for most of this linux software, so it is easier to find more exploits. This is a good thing, not a bad thing. This just means they haven't found all the exploits yet, because they use closed source. Security by obscurity does not mean it's more secure :P
Jeff Knox
have been filed under 'Humor'?
You are dead wrong.
I suppose if you interpret "OS" as "kernel" you're right, but that isn't very sensible.
Windows (beyond DOS or the NT kernel) is crippled by "legacy support." Recall that the typical install of NT 4 used FAT as the filesystem. A filesystem with NO NOTION OF FILE OWNERSHIP. This IMO is an OS issue. Another example is that, as I understand it, services that drop privileges can just take those privileges back. This turns a potential DOS into an "Administrator" exploit.
MS puts just as much effort into ease of use for developers as they do for end users. Easy and secure tend to be in conflict.
Bottom line is that software has bugs, and applications can't be trusted. What the OS can control is localizing the damage. IMO the UNIX model does a far better job of this than NT/Win2k.
Another example that is from the Win9x world, but perfectly illustrates what I am saying, is that there was an exploit for IE that caused the browser to overwrite the boot sector with the browser's "Favorites." It is completely the OS's fault that it gives a web browser write access to the boot sector.
-Peter
The "raw numbers" have always been a point of contention. What is the phrase? "There are lies, damn lies, and statistics." This is almost certainly a case of adding up the numbers and drawing conclusions from them without seeing what they represent.
The raw number of reported vulnerabilities is not an accurate reflection of the security of an OS. Add to that the fact that many of the "Linux" vulnerabilities are in applications that are common across multiple distros and often (in the case of the numerous bind and sendmail vulnerabilities, for example) common to many flavors of UNIX.
I would actually be interested in seeing an apples to apples comparison done here. How many "remote root exploits" (Admin access for Windows boxen) have been reported, vs. "local root" vs. "elevated privilege."
Also, should vendor software exploits that simply RUN under Windows be included in the numbers? In the case of "Linux vulnerabilities" that's often exactly what's happening.
Raw numbers really don't mean jack.
Never attribute to malice what can as easily be the result of incompetence...
Anyone who has used linux knows that all the different distros are slightly different and that this is not a fair comparison.
In looking into the data further it would be more plausible to compare the aggregate of Linux vs the aggregate of BSD. Then you could say that the BSDs have fewer security flaws.
If you compare, let's say, Redhat to WinNT4.0/2k then you have an almost even amount of bugs per year. Okay, so neither has fewer security issues.
The real questions then become 1) how serious the bugs? 2) how long a fix took? 3) Were people who installed the OS and then used NOTHING but what came with the OS to secure still affected?
In the case of Redhat or BSD you can turn off all your services and thus you are not affected by bugs in the ftp daemon. You can do this on NT as well, but by default NT does not come with an ftp daemon. (NT server maybe?)
In the case of BSD and Linux you can enable the firewall that comes with the distro/OS. Once again NT 4 (maybe 2k does?) does not have one by default install.
Lastly, how many windows machines were taken over last year by security flaws vs Linux? Now rather than do this on a 1 to 1 comparison, a more reasonable level of comparison would be a percent, like the % of linux boxes taken over by a security flaw out of the total linux server numbers, vs the % of Windows boxes taken over due to security flaws. I.E. if you have 1000 windows boxes and 100 linux boxes but 10 of the linux boxes were taken over and 50 of the windows boxes were taken over then you have 50/1000 or .05 and 10/100 or .1, which is 5% and 10% respectively, thus windows would be better, but these numbers I have made up so real numbers are needed. The same could be done with BSD as well as Sun and the other OSes they mention.
Only 'flamers' flame!
I'm not sure I agree. How can you contrast a "security through obscurity" system like Windows to an open one like Linux? It's natural that more bugs are found and reported in Linux, but that says nothing about the number of existing bugs. In addition, having the bug known isn't always the sole indicator either: how long does the bug exist once it is known about? I'd like to see some sort of measurement based on "bug-hours" that measures not only the number of bugs but the summation of the time the bugs were exploitable.
I'm the big fish in the big pond bitch.
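The "bug-hours" idea above is easy to make concrete. The following is an added example (not from anyone in the thread) that, instead of counting advisories, integrates the hours each bug was publicly known and unfixed, capped at a census date for bugs still open. The products, bug IDs and disclosure/fix timestamps are constructed for illustration and are not real advisory or patch dates.

```python
"""Added example (not from the thread): a 'bug-hours' exposure metric.

Instead of counting advisories, integrate the time each bug was publicly
known and unfixed, per product. Dates below are constructed for
illustration, not real advisory or patch dates.
"""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# (product, bug_id, disclosed, fixed_or_None)
# Product A has more bugs, each fixed within two days; product B has fewer,
# one of which took two weeks and one of which is still open at the census.
CONSTRUCTED = [
    ("product-A", "a1", "2001-03-01 09:00", "2001-03-01 21:00"),   # 12 h
    ("product-A", "a2", "2001-05-10 08:00", "2001-05-12 08:00"),   # 48 h
    ("product-A", "a3", "2001-07-04 00:00", "2001-07-04 06:00"),   # 6 h
    ("product-B", "b1", "2001-03-01 09:00", "2001-03-15 09:00"),   # 336 h
    ("product-B", "b2", "2001-08-20 12:00", None),                 # open at census
]


def _dt(s):
    return datetime.strptime(s, FMT)


def exposure_hours(disclosed, fixed, census):
    """Hours between public disclosure and fix; an unfixed bug runs to the census."""
    end = _dt(fixed) if fixed is not None else census
    end = min(end, census)                      # a fix after the census doesn't count yet
    hours = (end - _dt(disclosed)).total_seconds() / 3600
    return max(hours, 0.0)                      # disclosure after census: no exposure yet


def bug_hours(records, census):
    """Per-product totals: advisory count and summed exposure hours up to census."""
    census_dt = _dt(census)
    totals = {}
    for product, _bug_id, disclosed, fixed in records:
        t = totals.setdefault(product, {"bugs": 0, "bug_hours": 0.0})
        t["bugs"] += 1
        t["bug_hours"] += exposure_hours(disclosed, fixed, census_dt)
    return totals


if __name__ == "__main__":
    for product, t in bug_hours(CONSTRUCTED, "2001-09-01 12:00").items():
        print(f"{product}: {t['bugs']} bugs, {t['bug_hours']:.0f} bug-hours")
```

With a census of 1 September 2001 12:00, product A scores 3 bugs but 66 bug-hours, product B scores 2 bugs but 624 bug-hours: the raw count and the exposure metric rank the two products in opposite order, which is exactly the gap the post is pointing at. Weighting each bug by its impact class (remote root vs. local vs. info leak) would be the next refinement.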
Or maybe it's that truck A is tricked out like a sports car and sold mainly to idiots that can't drive and don't have the sense to stay home, while truck B is designed so that you can't get it out of the dealer's lot until you've studied how to drive it. It might or might not be inherently more dangerous, but I'd worry about the one that's operated by idiots more. ;-)
Seriously, your numerical argument applies somewhat to e-mail viruses, but not to direct attacks on servers. Crackers don't go after the entire population of computers -- they mainly go after those that can be reached directly on the web, since you probably have to first compromise a firewall to reach the rest. Windows sells on lots of desktops and laptops, but it isn't the biggest player in servers. (Or not in machines that are _intentionally_ servers -- I've heard stories about home computer users, who couldn't define "server", clicking a single checkbox and totally exposing their machines on the web.) If Windows is attracting most of the cracking efforts, it's because they think they have a much better chance of succeeding there. If they thought they'd have as easy a time cracking into *nix servers, they'd be doing that, because there are plenty of targets.
Please, tell me: adding the numbers of vulnerabilities of win9x to win2k is fair to you? Or is it more fair to just compare the win2k vulnerabilities with the linux vulnerabilities? I don't know, but I know who will 'win' according to those numbers.
Never underestimate the relief of true separation of Religion and State.
I'm still a little unclear on what you mean by "unique bugs." So if there's a glibc vulnerability in all distributions, it gets counted only once in the aggregate?
If so, I'll consider the numbers a little less suspect.
Thanks in advance.
Stating on Slashdot that I like cheese since 1997.
Let's be fair. Some of the malicious hackers are extremely good. Does source code peer reviews improve security? If the guy reviewing the code is dumber than mr. evil hacker, then he might leave open an exploit for mr. evil hacker to enjoy and abuse.
With closed source, mr. evil hacker will need to spend more time discovering the inner workings of the software than he will with open source.
So - will he then produce more exploits running through open source software grepping for common starting points for exploits than he will when dissecting closed source programs?
Remember - at any moment, the black hat community knows about exploits the rest of us don't know about. No computer has yet been classified as formally secure (to the best of my knowledge). We could all be at risk.
Stop the brainwash
Exactly right.
... years of it, all in the public record.
These numbers only reflect that GNU/Linux is more open and public in reporting its bugs than Windows, which is not surprising given Bill Gates & Co.'s efforts to suppress information about existing bugs in their operating system (the rightly ridiculed notion of achieving security through obscurity).
There is absolutely no correlation between number of bugs reported and number of bugs existing, be they security related or not. This is doubly true when one party (Microsoft) is actively working to suppress such information about their own products.
The incompetence of the author writing this story, and of the Security Focus editorial staff for letting it through, is staggering. With this kind of security "expertise" is it any wonder at all that Nimda worms and the like run rampant across the net?
Indeed, if one wants to draw correlations (always a risky endeavor without corroborating evidence) it would make far more sense to correlate the percentage (vs. installed base) of demonstrably compromised systems running one operating system vs. another. As Code Red, Nimda, etc. have demonstrated, Microsoft's products win this one hands down. Indeed, in this case there is massive corroborating evidence to back up the conclusions of such a correlation.
The Future of Human Evolution: Autonomy
I thought this was probably true, but I could not confirm it until I manually added up the bugs for a given year. Maybe you could explain the terms a little better on the page itself?
Regardless of anything else, using these number to declare that one thing is more secure than another is a mistake.
That sounds like another piece of advice that should be on the stats page, not buried in a slashdot comment. It's unfortunate that someone misinterprets your statistics and publishes a misleading article every 6 months, but I can't help but wonder why you don't take proactive steps to help people understand the meaning of your web page.
-Mike
I think it is important to note that 99% of "linux vulnerabilities" are not linux vulnerabilities, but actually non-essential, third party programs. These programs have nothing to do with linux, but do run on the OS. DNS, sendmail, rsync etc are not a part of the OS but have vulnerabilities. We should say that any os that these utilities/services run on has the vulnerability.
However, if a program is included in a distribution, it *should* be included in those numbers. Comparing a "third party" program like DNS to AIM or ICQ is highly irresponsible, as neither of those come on your friendly WinOS CD.
Where are we going and why am I in this handbasket?
I wonder if these stats would look the same if a count of the bugs in the fix packages were counted and not just the BugTrax ones..... hummmm.
> This is not an issue of who has more issues, but whose issues get reported and publicized more.
Well said. The best defense to this FUD I've seen so far. Be sure that there are hundreds of Microsoft employees whose only job is to figure out holes in the Linux model such that it makes Windows look better. There was the re-surgence of communism and the GPL cracks the foundation of our economy to name 2 off the top of my head.
The Microsoft model is to hide the bugs because it makes the product "look" more flawed. Having flown the BSOD flag over Redmond for the last few years shows they NEED to hide the bugs because perception is that the product IS FLAWED. Now the flag is SECURITY and they need to hide the bugs again.... Linux and opensource on the other hand, project reliability and security through openness. So like always, Microsoft uses manipulated statistics to ATTEMPT to show Windows is better. Remember in 1995 when NT sould 100% explosive growth of NT?....
Your one-liner blows the thousands of dollars spent on that report right out of the water. IMHO.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
>> So the statistics don't support what you groundlessly believe to be fact. Therefore the statistics are wrong. Get a life.
No, that's not what I said.
Let's look at the methodology behind these statistics - and why it 'skews' the results.
1. Each 'bug' is treated as the same, whatever the severity.
2. The individual reports from the distros are combined to form a 'linux' category that doesn't exist in real life.
3. 'Linux' actually refers to a kernel, not the entirety of the programs included in a distribution.
4. The 'Windows' category does not include programs by MS that would need to be included to make the comparison valid vis-a-vis the programs included in the Linux distros.
5. The comparison includes 'reported' bugs. So, we're comparing reports from a host of people who do this for linux, versus a 'closed' company like MS who seems to believe in 'security through obscurity'.
As a result, even though this may not have been intentionally skewed in Microsoft's favor, it certainly gives the appearance of same.
This is why the adages about statistics exist. You can collect your numbers and publish them, but if you compare apples to oranges, your numbers are invalid by definition.
This has nothing to do with whether I use MS or Linux. In fact, I use Opera instead of IE, but if you look inside my house, you won't find an installed distro of Linux anywhere.
So you thought you saw bias and assumed it was fact. Therefore it was. Get a life yourself.
Worms thrive on total volume, not specifically servers.
Umm... Can you think of really a more damaging worm lately than Code Red?
Did it need clients/volume? Or just the 2X% of NT/2K servers out there unpatched?
while Windows is generally limited to relatively standard installations
I once got my hands on the oem installation kit and read through the licensing and instructions. Although I didn't understand everything, one thing I did understand is the OEMs, with a few very minor exceptions, must do a default install. They are prohibited, for instance, from removing or disabling IIS. I bet that'll make a big difference in the exploitability of any bug and hence security.
You mean, like this? The NTBugTraq site itself says (emphasis mine):
So, while there may be a stack of Outlook vulnerabilities, those won't get lumped in with Windows. But sendmail vulnerabilities might get lumped in with RedHat. They go on to say (emphasis theirs):
Further, the numbers themselves do not support the conjecture that Windows 2000/NT had fewer vulnerabilities reported over the 5-year period. Let's compare RedHat (the Linux distro for which the largest number of vulnerabilities was reported) vs. Windows 2000/NT from their data:
So even though the numbers are potentially skewed against Linux, the totals still come up less for RedHat than for Win2000/NT.
What the other article must be doing (I haven't read it yet, since I wasn't able load it) is totalling across all distributions, which is wrong. One FTPD vulnerability would get multiplied by all the vendors that ship that FTPD, which isn't quite fair.
--JoeProgram Intellivision!
The argument that "Linux has a smaller installed base, so its security holes are less important" sounds like a paraphrasing of the old "security through obscurity" canard.
After all, aren't you really saying that those security flaws are less critical because script kiddies and crackers are less likely to come across a Linux box than a Windows one?
In order to meet C2, the NT box can't be connected to a network, a serial connection, or a modem. Well, you can, but you can't allow anybody access to it, same thing. What the hell good is it? I remember this from when an employer bribed me to go to a NT class by letting me keep the FreeBSD 1.7 box as the webserver/dns. Heh. I'm not sure about Win2k and C2, though.
--- Think of it as evolution in action ---
I can't connect to WinInformant, but if you look at the numbers available at SecurityFocus, you'll see that they did not simply add up the numbers. Linux is listed with 96 aggregated vulnerabilities for 2001, while e.g. Red Hat has 54, Debian got 28, and Mandrake got 36. There are more Linux distributions listed, but these numbers alone show that your claim is wrong (unless WinInformant has different numbers).
I thought that too after looking at the SecurityFocus numbers, but then I figured it out. Scroll down the page a bit to the "Top Vulnerable Packages 2001 Packages", and there you'll see the numbers that the article references -- "MandrakeSoft Linux Mandrake 7.2: 33", "RedHat Linux 7.0: 28", etc.
The incompetence of the author writing this story, and of the Security Focus editorial staff for letting it through, is staggering. With this kind of security "expertise" is it any wonder at all that Nimda worms and the like run rampant across the net?
We didn't write the article in question, nor are we hosting, nor did we have any opportunity to see it ahead of time. (Or now... still can't see it.) Sadly, we have very little editorial control over other people's websites.
The problem here is just that there is no "aggregate Microsoft" category. Heck, there's not even a W95/98/ME category! But if you lumped together all W95/98/ME/2K/NT/XP vulnerabilities, then made sure that you dealt with apps evenhandedly, "aggregate Linux" would start looking great all of a sudden.
Now consider exploitability. Let's take Mandrake for example -- although their figures are already way lower than NT's (or, no doubt, 95/98/ME's), a default install includes 'libsafe', which means that none of the buffer overflows or format bug exploits will work. There go 3/4 of the theoretical vulnerabilities, including the ones which haven't been discovered yet. And a libsafe rpm could be installed on almost any Linux system in a matter of seconds without breaking anything, making the whole raw tally concept very questionable.
The only way to secure an MS system that broadly and quickly is to cut the Ethernet cable.
I leave my Linux box on the Internet without worry, and my investment in security has been maybe an hour and $0.00. I can and do take my time on patches because I know that almost none of the bugs have any chance of being exploited on my system. That is a realistic measure of Linux security, and I will delightedly compare it to Windows any day of the week. Securityfocus' figures, taken by themselves, don't mean anything.
And the game is 2 to 1
OS:Linux
--------------
Virus:Sendmail, Wu-ftpd
OS:Windows
--------------
Virus:Windows
They neglect the 600 OE viruses each year...
forget it.
Screw securityfocus, let's look at bulletins released by manufacturers.
:)
Microsoft security bulletins released in 2002:
MS02-001
Redhat security bulletins released in 2002:
2002-018
2002-015
2002-014
2002-012
2002-011
2002-009
2002-007
2002-004
2002-005
2002-003
2002-002
2001-171
2001-168
2001-165
And if you look at 2001 results you'll see a somewhat similar trend, although not nearly as pronounced. Something like 80 versus 60.
Are these statistics meaningful? Of course not. If you have read Paul's columns you would know he reported this tongue in cheek. It was a slow news day, he noticed this, had to make fun of it.
What makes this story interesting, and why Paul reported it is because if the numbers had been reversed you would be assured that would be the headline of the day on slashdot, and if anybody questioned it they would be called Microsoftie apologists.
And look at the responses you see here. They're almost comical. Reminds me of the responses to the Mindcraft benchmark. Fear, Uncertainty and Denial.
It gets worse than that. Let's consider:
Most bugs that show up for redhat or any other linux distribution will NOT affect a well-secured machine in the first place. If you plan, for example, a standard web or database server, you're only going to permit ssh and apache or ssh and your brand of sql. How many vulnerabilities in the past year have been on those services? Practically none. Only 1 in ssh, and there was AMPLE warning to get patched before exploits were in the wild. The majority of bugs are for packages not often deployed, or not relevant to a server system where there is no user access.
Meanwhile, an enormous number of these linux bugs are irrelevant on a firewalled system, never mind the incompetence of sysadmins. A firewall will protect your X font server or your installed-by-default nfsd/statd, but Microsoft has had many high-profile, extremely-widely-abused holes in a server's primary services (IIS, MS-SQL, etc).
Anyhow, trying to say these statistics show that NT is more secure than Linux is not only irresponsible but absurd.
Sigh...
I can't read the original article, It's been Slashdotted to death. But I think I can make a pretty good guess as to what happened.
First off, we host Bugtraq, not NTBugtraq, which is Russ Cooper's list. (Any chance we can get that fixed in the story intro? Anyone know if the same mistake is in the original article?)
Secondly, I'm constantly amazed at how people mis-read our stats page. The Linux aggregate stats are the total of all unique bugs across all the various distributions we track. It's supposed to answer the question "How many Linux-related bugs were there that year." It's based on things like which distro ships a particular package, and when that package is found to have a hole, it also gets attached to the distro. This is so you can look up your distro, and see what bugs you might need to patch.
Take a look at the top of the page, our script hasn't been running since August, when we switched from Roxen to Apache. So, we're missing the whole last quarter of 2001 stats.
Regardless of anything else, using these number to declare that one thing is more secure than another is a mistake. Based on our numbers, why didn't they declare that everyone should run MacOS for security? Or that if you want to be more secure, run Debian instead of Win2K?
"It's funny. On the outside, I was an honest man. Straight as an arrow. I had to come to prison to be a crook."
Looks like the Linux aggregate has just been pulled from our site, probably since that has been the source of a lot of confusion in the past. But, to answer your question: Yes, the Linux aggregate is done in such a way as to keep the same bug from being counted once per distro.
If I recall from earlier today, the aggregate number was around 90. If you take all of the Linux distros on the page, and just add the numbers, you get 178.
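The difference between "add up every distro's number" and "count each unique bug once", which the SecurityFocus poster describes above and which the earlier FTPD-multiplied-by-every-vendor comment complains about, is easy to make concrete. The following is an added example, not SecurityFocus's code or data: the advisory list, the vulnerability ids (V-1 ... V-7), the package names and the product groupings are all constructed for illustration. It also shows the third view a sysadmin actually wants, namely which advisories for a given distro touch a package that is installed on a particular host.

```python
from collections import defaultdict

# Constructed sample advisories (illustrative only, not SecurityFocus data).
# Each entry: a hypothetical vulnerability id, the affected package, and the
# products whose advisory pages it was attached to.
ADVISORIES = [
    {"id": "V-1", "package": "wu-ftpd",  "affects": ["RedHat 7.0", "Mandrake 7.2", "Debian 2.2"]},
    {"id": "V-2", "package": "glibc",    "affects": ["RedHat 7.0", "Mandrake 7.2", "Debian 2.2"]},
    {"id": "V-3", "package": "sendmail", "affects": ["RedHat 7.0", "Debian 2.2"]},
    {"id": "V-4", "package": "xfs",      "affects": ["Mandrake 7.2"]},
    {"id": "V-5", "package": "iis",      "affects": ["Windows NT 4.0", "Windows 2000"]},
    {"id": "V-6", "package": "outlook-express",
                  "affects": ["Windows 98", "Windows NT 4.0", "Windows 2000"]},
    {"id": "V-7", "package": "ntoskrnl", "affects": ["Windows NT 4.0"]},
]

# Product families: assumed groupings for this example only.
LINUX = {"RedHat 7.0", "Mandrake 7.2", "Debian 2.2"}
WINDOWS = {"Windows 98", "Windows NT 4.0", "Windows 2000"}


def per_product_counts(advisories):
    """Advisories attached to each product: the 'look up your distro' view."""
    counts = defaultdict(int)
    for adv in advisories:
        for product in adv["affects"]:
            counts[product] += 1
    return dict(counts)


def naive_family_total(advisories, family):
    """Sum of per-product counts: one bug is counted once per product that ships it."""
    counts = per_product_counts(advisories)
    return sum(n for product, n in counts.items() if product in family)


def unique_family_total(advisories, family):
    """Distinct vulnerability ids affecting at least one product in the family."""
    return len({adv["id"] for adv in advisories if family.intersection(adv["affects"])})


def relevant_to_host(advisories, product, installed_packages):
    """Advisories for `product` whose affected package is actually installed on this host."""
    return [adv["id"] for adv in advisories
            if product in adv["affects"] and adv["package"] in installed_packages]


if __name__ == "__main__":
    for name, family in (("Linux", LINUX), ("Windows", WINDOWS)):
        print(name, "naive sum:", naive_family_total(ADVISORIES, family),
              "unique:", unique_family_total(ADVISORIES, family))
    # A RedHat host that only runs sshd and apache on top of the base libraries.
    print("RedHat 7.0 host:", relevant_to_host(ADVISORIES, "RedHat 7.0",
                                               {"openssh", "apache", "glibc"}))
```

With this constructed data the three Linux products sum to 9 but contain only 4 distinct bugs, while the three Windows products sum to 6 and contain 3; the naive sum inflates the family with more products regardless of how many holes it actually has, and the per-host filter shows why a raw count says little about any one machine's exposure.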
I'm sorry, I just don't understand your argument.
Are you still defending them counting a single bug in the source code up to four times if all distros fixed it? And that it's legitimate to count the same bug fewer times if some distros never issued an advisory for it? (Shades of the usual closed source "it's not a bug until we admit it's a bug!" attitude!)
Or are you using the author's inability to add a few two-digit numbers as some perverse proof that we should trust those numbers? Unless we have a list of the vulnerabilities behind those numbers, that explanation makes as much sense as anything else I've heard.
Ultimately, it's all irrelevant anyway since Microsoft itself has come out strongly against public discussion of vulnerabilities. Some vulnerabilities are undeniable because of exploits, but there's a huge grey area where it's not clear if it's a bug or a vulnerability - and many people defer to the authors on these reports. This policy wasn't as explicitly stated at the time in question, but it's obviously been their policy for some time.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
The title of this story is "SecurityFocus says windows is more secure than Linux" but that is a clear lie. SecurityFocus said nothing of the sort.
Look at the chart on security focus and count the local root exploits... Oh wait! Windows 98 doesn't have any protection to begin with so how can the protection fail?
It's embarrassing when Linux weenies can't see that they are being trolled.
Securityfocus is the definitive site for security news. To say the numbers are "purely for entertainment" is the most ridiculous thing I've ever heard. You only proved your ignorance later in the post when you said, "the WinInformant site is Slashdotted (they must be running Windows, haha)" when OBVIOUSLY this would have more to do with their BANDWIDTH than their OS. I know I'll get modded down for posting this, but I don't care. I hate to see people discount anything that doesn't agree with their opinions. Oh, and I run Windows NT at work, Windows2000 and Mandrake 8 at home. I love Linux, but I love MS more for some things (games, word processing, etc.)
"Da ist ein Technölüst in mein Unterpanten!"
They are looking at this from the wrong perspective. Instead of saying "Linux had more bugs than Windows in 2001" it should say "Linux *fixed* more bugs than Windows in 2001". Simply because those Windows bugs haven't been found yet does *NOT* mean that they are not there waiting to be exploited (or are already being exploited).
"Your superior intellect is no match for our puny weapons!"
Easy.
Because you didn't say so.
We know who SecurityFocus is. It's Alfred Huger and Oliver Friedrichs and Art Wong, the Secure Networks, Inc. crew.
Secure Networks dealt with exactly the same problem we're talking about now: the trade press doesn't know a damn thing about technology and software engineering. Everything in the trade press is based off of newswire press releases and superficial articles. Alf and Art and Oli had to deal with this problem constantly as their competitors made bogus claims about SNI and their products.
Towards the end of their work on the Ballista product, Alf had gotten pretty good about educating the trade press about the issues, or at least at swaying them towards his way of thinking.
Alf and Oli and Elias are scrupulous guys, and they know how the world works. It is simply an embarrassing oversight that there aren't loud disclaimers on the vulnerability report at your site explaining how to interpret the results. You all know how the page is going to be interpreted. You just saw Slashdot interpret it the wrong way. Slashdot is dumb, but InfoWorld is a million times dumber.
You could fix this problem right away, and pre-empt unethical use of your data, by releasing a statement explaining that the numbers on the page aren't a legitimate security metric. It won't cost you anything and it will help (us, and you!).
Or you could act like Russ Cooper and try to use the polarizing effect of the unexplained numbers to generate controversy, page hits, and press.
It's all a question of how much your credibility means to you.
Comparing the two on security issues is tough. With windows-based systems, your 'configurable' options are limited (unless prepared to scour ms knowledge base for occasional registry fixes + patches - of course the patches typically lock you in to a certain behaviour.. not always desired).
With linux, you can make a system as secure or insecure as you wish - with the 'HOWTO's' coming from a wide variety of sources. So..
Limited security configurability and limited knowledge base or massively configurable system in terms of security with large knowledge base? I'll stick to linux (or *BSD).
A strange game. The only winning move is not to play. How about a nice game of chess? - Joshua (Wargames)
Until you start using IE, it doesn't create a vulnerability. You could immediately go get Netscape or Opera and boom, no more need for IE. Even if it is part of the OS, until you go to the internet with it, it's not much of a vulnerability.
Should it be better out of the box? Certainly!! But I consider that a bug of IE rather than a bug in the OS, even if the OS is dependent on it.
"Derp de derp."
NTBugtraq is actually part of TruSecure, not SecurityFocus. What SecurityFocus has is a separate list called BugTraq. Very confusing...
requires some methods, and since I'm too lazy today to look for the methods they used to compile all that data, I'll create my own.
1- let's establish what's a Windows OS and what's a Linux OS (and the nots too)
1.1 Windows 3.1 is NOT an operating system. It is a graphical user interface (GUI) for DOS. Let's assume Win 95/98/ME and NT 3.5/4.0/2000/XP are OSes.
1.2 Linux is NOT an OS. It is a KERNEL. The combination of Linux and the GNU OS makes the operating system we know as GNU/Linux.
2 Let's determine the minimum installation of each one that's capable of doing useful work, including user tasks such as reading e-mail and browsing the web and server tasks such as serving web pages, sharing files, routing e-mail, et al.
2.1 Both in Windows and GNU/Linux you'll have to select all the packages necessary for the proposed tasks using the minimum offered by the standard install CD. If the CD doesn't offer some of the functionalities they must be downloaded from the manufacturer's site.
2.2.1 for windows you'll keep only:
- networking drivers;
- the standard MS file sharing;
- Internet Explorer;
- Outlook express/MS mail;
- IIS/personal web server
- Exchange server;
2.2.2 For GNU/Linux:
- Network modules and associated tools;
- NFS or Samba;
- Mutt or pine (remember, in GNU/Linux you can read e-mail/browse from command line, so XFree is not installed);
- Lynx or Links
- Apache;
- Sendmail;
3 count the number of security holes in the test systems, including:
- vulnerabilities to e-mail virii;
- vulnerabilities to malicious web-pages;
- remote exploits that grant root/administrator access;
- local exploits that grant root/administrator access;
- holes that allow an attacker to successfully launch a DoS attack, freezing the machine;
- unauthorized read and/or write access to files;
- any other vulnerability you can think of;
In a test like this who do you think'll win ? please post your comments.
What ? Me, worry ?
Open Source projects use the public internet to keep everyone well informed of software weaknesses and we're not afraid to keep doing that because it makes the software stronger.
Besides the fact that it is unfair to count 6 releases of Red Hat as one OS and not count NT and Win2k as one release over the same period, the initial period for a Linux distro is going to bring issues to the surface, that is part of the process.
The linux bug finders are, as a rule, supported, appreciated and recognised in the open source community as pioneers. Their findings are widely shared and listened to -- I'm glad you can find the reports.
The Windows Bug Finders are threatened, hushed, denied information, ignored and actively discouraged. Furthermore any recovery data is typically hoarded till a shiny executable can be sent out in a subdued and 'professional' manner when it won't embarrass Microsoft.
Where would you rather be???
I'll take linux any day.
As of this morning, however, the dog seems to be dead (www.wininformant.com.) Coincidence? You tell me.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
Nah, they've published these statistics for several years, and every year someone like this article comes along and says 'hey, look, if I can't read and have no idea what these statistics are, I can believe that Windows is more secure than linux'. The statistics are always there, it's just that you don't have anyone making anything of them until you find a really inexperienced new journalist who hasn't seen them before, tried to understand them, or seen the last newbie guy getting them explained to him in a friendly fashion. I think it's some sort of initiation rite of passage in security journalism.
The three names you mentioned are all viruses in APPLICATIONS run on Windows, not the operating system itself.
Nimda was an Outlook virus (...right?)
Code Red was an IIS virus,
and I Love You was an Outlook virus as well.
All of these are not flaws in the operating system, rather they exploit the applications running on Windows. Consider this: is Linux itself insecure because a large majority of Linux computers exploited are running BIND, and BIND runs on Linux?
void women (int money, time_t time);
I think it is important to note that 99% of "linux vulnerabilities" are not linux vulnerabilities, but actually non-essential, third party programs. These programs have nothing to do with linux, but do run on the OS. DNS, sendmail, rsync etc are not a part of the OS but have vulnerabilities. We should say that any os that these utilities/services run on has the vulnerability.
So, by that theory, we shouldn't include any IIS vulnerabilities in the NT exploits either. Because, of course, "IIS has nothing to do with NT, but it runs on the OS." After all, it's an optional component.
Bullshit.
Why are you not including BIND and sendmail? Hello? Most Linux servers are either web, DNS, or mail servers... NT, Novell, and Sun far outnumber them as file servers. So, if we can't include BIND, nor sendmail, then we can't include IIS or Exchange/Outlook. Cause, after all, they are "nonessential third-party programs." Oh wait, heh, they were written by "M$" (using obligatory dollar sign so the author of the parent post can understand who I'm talking about) so I guess they're not third-party. But then again, it's not Linux either, it's GNU/Linux. So I guess we can only count kernel exploits. Hmmm. Maybe that means we can only count NT kernel exploits (go ahead, count them.)
I dare you to root an NT file/print server that isn't running any other services. You can't (or at least, not on any easier level than you could root a Linux or Sun box... heh Sun and their automountd... heheheheh). Anyway, I hope you understand where I'm coming from. Your thinking is flawed.
But then again, what should I expect? This is Slashdot. It's kind of like going to the Democratic convention and shouting "Gore sucks! Dubya forever!" I didn't really expect too many pro-Microsoft replies here.
but over time the bugs will be found by the thousands of people who are looking at the code every week. Meanwhile Windows will continue to have a steady stream of bugs that will never begin to taper off.
The amount of code that is being generated by Microsoft is much greater than the amount of lines Windows hackers can disassemble. Therefore the number of bugs is growing, but the number discovered is staying the same. IMO, I have written exploits and done disassembly for both Linux/BSD/Opensource and Solaris/Microsoft/ClosedSource and naturally it takes TONS more time to look over your average daemon in the latter. There are more holes, but they're more difficult to find. Eventually they will be found and the disparity will become more clear.
Windows users who jump in without having a single idea what they're doing, who download and run countless virii...
Linux users who jump in without having a single idea what they're doing, who ignore security updates entirely because they live under the myth that Linux is all that is good in the world, and can do no wrong...
In the end, it's user error on both sides that cause the security problems, and the skript kiddiez who exploit them...
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
That is a consequence of the C2 standard which was written by the military for the US govt in the days before networking.
C2 was obsolete before the Web existed. Back in 1993 when I was asked to do a security audit of the Web standards against the Orange book I concluded that the standard was no help at all.
The other reason that C2 is not very useful is that the main concern in Orange book is partitioning multiple users data on the same machine. These days each user has their own machine, a one person computer that does not meet C2 mandatory access control requirements can be perfectly secure - look at a Palm or Pocket PC or a smartcard.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
There is a distinct difference in the way that vulnerabilities are counted for Microsoft
This context was just added to the SecurityFocus page. It rules that they added the disclaimer, but don't pretend like it was there before and WinFormant simply ignored it.
just sick of the crap streaming from Redmond. without their monopoly on the OS, they would be a much smaller application company. MUCH SMALLER. And by reading the dial on the FUD METER, it looks like Linux is THE target. Therefore Bill and Steve are FUD-WRESTLING again and the media is at ringside taking notes. A tinfoil hat is all I need to keep the FUD from getting on me. It's THAT weak these days. ;/
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
I think the problem is that people were misreading the numbers both ways. The use of the raw Bugtraq numbers against Windows was always a canard, the use of the raw figures in the reverse direction is a canard.
The article's argument is sufficient to demonstrate that the 'Linux is more secure' argument is false, but insufficient to prove 'Windows is more secure'. As you point out few bugs are found on the MacOS, that is not surprising since these days they hold MacWorld in a telephone booth and in any case just how many security holes did Edison have in his desk lamp?
The problem is that security really is complex, it certainly is not a linear issue and it is completely determined by your operating environment. An O/S configured to be a secure server will almost certainly prevent a user getting useful work done.
As a security professional who is pretty well known in the field, I can tell you that both the Linux is more secure and Windows more secure religious arguments are wrong.
Windows cannot currently compete in the real high end security configuration where we strip down the O/S to run only the services that are absolutely essential. However Microsoft make no secret of the fact they are working on a platform of that type. If I could find a way to audit that work I would rather buy a secure kernel in than have to spend seven figure sums doing the strip down in house.
The multiple eyes argument in favor of Open software only works up to a point. The problem is that you rely on the defenders being more vigilant than the attackers, that is not always the case. Although these days the trend in hacking has been to go for the binaries rather than muck around with source code.
The biggest problem with Windows is the predilection for supporting active code in email messages. But Microsoft is not the only company that does not understand the importance of code/data separation. Sun and Netscape have both been guilty of equally egregious abominations.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I'm confused here. Is IE just an application or "subcomponent" of a MS operating system? That's not what they've been arguing in court. They say they've "integrated" it with the operating system, that it's an "integral part"! They even went on to argue (unsuccessfully) that the operating system cannot function without it.
And why does which ever answer I get smell like an Enron balance sheet?
... is when a windows exploit comes out, it affects most windows systems in operation. When a linux exploit comes out (proftpd, apache, etc) it rarely affects all the systems in the field. I know about 90% of the bugs that show up in bugtraq and elsewhere don't apply at ALL to my system because I don't run those daemons. Whereas in windows... how many people DON'T run activex scripting or disable javascript in outlook?
Shadus
Where did we claim it was useful? Why does data have to have an obvious conclusion in order to be useful?
The reason we put it up is because we were constantly getting mail from students and others who wanted to do studies on the number of vulnerabilities in one OS vs. another. So, we made the data available. We really can't help it if people accidentally or intentionally draw some sort of strange conclusion from it. We've added some text that will hopefully make someone think twice about drawing the most obviously-wrong conclusions.
I was just at the Security Focus Vulnerabilities page and the page has had the linux aggregate stat removed from the list, sometime between 9am pdt and 12:30pm pdt. I guess some good came out of the article.
www.WinInformant.com came back up a little while ago, the text of the "article" is basically what was quoted for the topic subject. I tried to do a little digging to find out if the author or the company he works for is affiliated/owned by MS, but wasn't able to really turn up a lot. However, I did find this little rant at one site talking about how the credibility of the author is pretty much nil. Can anyone else turn up other info?
This is not the greatest sig in the world, no. This is just a tribute.
Hehe.
It's not that I take advocacy groups very serious, but given the tone of that poster, I assume he used to be a regular at the particular advocacy group I frequent.
Otherwise, I just like debate (and flamewars), so why not spend some time on a .advocacy group?
And on a serious note, this particular article has been fodder for discussion for about two weeks now. Slashdot is a little slow on this one.
Mart
"I know I will be modded down for this": where's the option '-1, Asking for it'?
If Microsoft halts all new feature development for a month to fix bugs!
http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=23971
Posted by the same author of the misleading bug brief, Paul Thurrott.
Too big to fail? Does that make me too small to succeed?
In the US I think something like 50,000 people are killed a year in car accidents. This is equivalent to a fully-loaded 747 crashing every other day.
All the servers infected with a virus hitting my web server requesting http://www/root.exe are UNIX machines, uh huh.
Why not try this.
With any of the following IPs, type 'smbclient -L 207.88.220.61'
If you're more of a cracker than I am, you might then try
smbclient //WORKGROUP/C$ -I 207.88.220.61
and just hit return when prompted for a password.
this also works with:
203.228.232.188
203.231.119.70
203.231.166.49
203.233.20.86
203.231.216.208
203.199.54.26
203.231.217.5
203.231.122.227
203.244.13.72
and countless others.
These machines (all Win2K) have their entire filesystems exposed over the internet, and are promiscuously advertising their presence because they are infected by a virus that leaves a clear trail in the logs of any web server they attempt to infect.
These machines are engaged in abuse of my web services, and I hold Microsoft at least partly responsible for this situation.
Presumably the virus itself is responsible for opening their shares with guest access, but maybe it's M$'s lame out-of-the-box security.
If your machine's IP is on this (small fragment of my) list of machines banned from accessing my web server due to virus infection, then I suggest you replace your hopelessly insecure OS with a decent one.
I was incredulous when i analysed my web-servers logfiles and found the sheer number of virus-infected hosts, all Windows NT and 2000, and most of which were sharing the entire contents of their hard-drives over the public internet.
I know Windows can be secure if the admin is competent, but the ease with which its security is breached through Outlook/IE is breathtaking.
The idea that Windows is somehow more secure than Linux/UNIX is laughable to me.
I gots ta ding a ding dang my dang a long ling long
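The log-driven ban list the poster describes, written out as an added example (this is not code from the original post, and it does not reproduce the smbclient probing of other people's hosts). It parses Apache common-log lines, matches the request path against the commonly documented Code Red (/default.ida) and Nimda (root.exe and the winnt/system32/cmd.exe traversal) propagation probes, and emits Apache 1.3/2.2 "Deny from" lines. The log lines are constructed for the example and use RFC 5737 documentation addresses; assuming the web server is Apache is mine.

```python
import re
from collections import defaultdict

# Constructed sample log lines in Apache common log format. Source addresses
# are RFC 5737 documentation ranges, not real infected hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Feb/2002:10:12:01 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [04/Feb/2002:10:12:05 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
198.51.100.7 - - [04/Feb/2002:10:12:05 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
198.51.100.7 - - [04/Feb/2002:10:12:06 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
203.0.113.44 - - [04/Feb/2002:10:13:40 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 281
192.0.2.10 - - [04/Feb/2002:10:14:02 +0000] "GET /images/logo.gif HTTP/1.0" 200 2210
"""

# Common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path signatures of the two worms' propagation probes.
SIGNATURES = (
    ("CodeRed", re.compile(r"^/default\.ida\?", re.I)),
    ("Nimda", re.compile(r"^/(?:scripts|msadc)/root\.exe", re.I)),
    ("Nimda", re.compile(r"/winnt/system32/cmd\.exe\?", re.I)),
)


def parse_line(line):
    """Return the fields of one common-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path):
    """Name the worm whose propagation probe this request path matches, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None


def infected_hosts(lines):
    """Map each source host that sent worm probes to the worm names seen and the probe count."""
    seen = defaultdict(lambda: {"worms": set(), "probes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines that are not well-formed log entries
        worm = classify_path(rec["path"])
        if worm is None:
            continue                      # ordinary request, not a probe
        seen[rec["host"]]["worms"].add(worm)
        seen[rec["host"]]["probes"] += 1
    return {host: {"worms": sorted(v["worms"]), "probes": v["probes"]}
            for host, v in seen.items()}


def deny_list(hosts):
    """Render the hosts as Apache 1.3/2.2 mod_access 'Deny from' lines, sorted by address."""
    return ["Deny from %s" % host for host in sorted(hosts)]


if __name__ == "__main__":
    found = infected_hosts(SAMPLE_LOG.splitlines())
    for host, info in sorted(found.items()):
        print("%-15s %-8s %d probe(s)" % (host, ",".join(info["worms"]), info["probes"]))
    print("\n".join(deny_list(found)))
```

The matched hosts are victims, not attackers, so the deny list only protects your own bandwidth and logs; it says nothing about who wrote or launched the worm. Matching on the request path rather than on the 404 status keeps the filter working on servers that happen to serve something at /scripts/.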
I posted a couple years ago on this topic. My hypothesis at the time was that Open Source would show more bugs for quite some time, as people poked through the code, but would gradually settle down and become very secure. I also believed that Windows vulnerabilities would continue to be discovered at a more or less constant rate.
The jury is still out.
The SecurityFocus statistics broke in August, 2001, per their web page, so one has to extrapolate the partial 2001 total to get the projected total for the year.
In that extrapolation, one sees that the expected number of bugs (assuming the 96 reported bugs cover through the end of August) would be 144. There were 153 the year prior, which is likely well within the margin of error. In addition, many of the black hats have STOPPED REVEALING their exploits, so in fact there may be many more than what we see.
Now, it's worth pointing out that this is not necessarily a good measurement of security. We may be measuring the wrong thing.
An example of bad measurement is the one the government used to determine how many cod were left out in the ocean, to prevent overfishing. Year after year, the catches were about the same, so the government assumed that the fish stocks were constant. But suddenly there were no more fish -- the industry collapsed.
Why? Because they were measuring the wrong thing. They weren't measuring the total number of fish, they were measuring the fish that were caught. They didn't realize, as the fish stocks dwindled rapidly, that the fishers were getting newer and better technology to fish with. The total number of fish coming out of the water was constant -- but as a fraction of the total fish in the water, was going up very quickly. Eventually the fish were all but wiped out.
Measuring security by bugs reported is very similar. It may or may not reflect the number of bugs in the 'ocean'. It is an indirect measurement at best.
We need to differentiate between fish 'caught' and fish 'available'. From a security perspective, I think we are talking about TRUE security (the number of fish in the water) versus FUNCTIONAL security (the number of fish actually being caught).
Now, as security people, our goal is to reduce the fish catch as much as possible. There's two ways to do this; we can reduce the number of fish, or we can somehow control, limit, or damage the profession of fishing.
The real professionals are trying to reduce the number of fish in the water. That's the true long-term solution. But from a short-term perspective, what I care about personally is how many fish are CAUGHT. Every time they come up with a new exploit, I have to run around like a maniac patching systems.
However, the fishing analogy starts to break down, as most do eventually. Truly secure systems are still run by people, and people make mistakes. Even if the OS is perfect, the attack will often come against the weakest link, the employees. Thus, even though I would prefer to have true security, I have to argue that it isn't really necessary. The OS just has to be stronger than the other avenues of attack. ("Why are you putting on tennis shoes? You can't outrun a bear!" "I don't have to. I just have to outrun you.")
Security through obscurity, in other words, may be adequate for most uses. It slows down the rate of fish catching. If nobody discovers the bug until the next version of the OS is out, the bug is less important. The longer it takes to discover the bug, in general, the less damage it will do -- at least as long as we're on the upgrade treadmill.
But, a counter-argument to that just occurred to me: Security through obscurity may be long-term counter-productive -- making it hard to catch fish may have the effect of increasing the fish supply. Every time a fish is caught, it can't breed, and reduces the total population by that much. Likewise, in code, once a vulnerability is discovered, many related vulnerabilities may also be patched. Thus, security through obscurity may work well for a long time, but may actually be making the fundamental problem worse.
Another observation I have to add is that programmers like to create new programs. Very few of them like to audit code. New projects and programs are being added to the Open Source world at an amazing speed, and I don't think they're being stringently audited. In other words, they're adding to the fish stocks every day. There is no QA department in Open Source, and the code is getting more complex than individual people can understand anymore. I think, unless we come up with a better development method, Microsoft's ability to fund a billion dollar a year QA department is likely to reduce their fish count below that of Open Source.
So I think I will need to expand on my original hypothesis. I now believe that Open Source will probably lag behind closed source in terms of FUNCTIONAL security. In terms of TRUE security (absolute number of exploitable bugs, known or unknown) -- there's no easy way to tell. If catching fish reduces the fish supply, and if the programmers don't add too many new fish, eventually Open Source will start winning. But if Microsoft's QA department does a good job with their nets and lures, their fish supply may drop just as fast or faster. Money is definitely a good way to motivate people, and Microsoft has a lot of it.
It's also worth pointing out that even if things are getting more secure, the catch rates may be roughly constant, because presumably the crackers will get better and better, catching a higher and higher percentage of the fish. If the analogy holds, and I suspect it may, then eventually the fish stocks will be exhausted and the black hats will be very suddenly unable to crack machines anymore.
It's going to take at least five more years to know -- and twenty might be a more reasonable time frame. It took a long time to wipe out all those billions of cod. It may take just as long to wipe out the pool of security flaws.
<<RON>>
I'm not really surprised by this. Following the recent long Microsoft DNS outage when it was revealed that quite a few of Microsoft's own DNS servers were running Linux (not to mention they use Akamai for their downloads), Paul Thurrott came out with the classic report that although this might be true 'it proves Open Source zealots wrong as Linux wasn't being used for anything mission critical'.
What the fuck? According to WHAT kind of logic is DNS not mission critical? If it's not critical, let's take those DNS servers offline (both Microsoft's and WinInfo's) and see how long either MS or Thurrott lasts.
[Here's what I posted to the comments section of wininformant.com. Doubtful they'll display it.]
Excellent satire.
One only needs to look at the SecurityFocus stats referenced to find holes in most (if not all) statements made by Paul's article. An example:
"A look at the previous 5 years [there were only four previous years reported on - tsmith]--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux..."
Let's take a look at the previous "five" years, starting with 2000. Redhat Linux 6.2 i386, listed as the most vulnerable of the Linux flavors with 65 vulns, is bested outright by MS Windows NT with a whopping 71 vulnerabilities. To compare apples to apples requires adding in MS IIS 4.0, with 29 reported vulns, for a total of 100 vulns, or over 50% more vulnerabilities than the _buggiest_ distribution of Linux. Even the combination of the lowly, four-years-on-the-market, mature Windows95 with IIS (if such a combination were possible - it matters not, because if not then W95 cannot honestly be compared to RHL) results in 64 vulns. Note that Win95 had the least vulns reported (at 35) of all the Wins. Also note that despite it being out a solid 3 years longer than RHL, it can only best the mark by 1 vuln. Not quite what I'd describe as "far fewer".
Paul's statement is even more humorous in light of the data from 1999. In that year, Microsoft's products fill the top of the list almost exclusively, with the exception of Solaris 7.0 having slightly more vulnerabilities than IIS and NT4.0SP5. That's right folks, IIS _alone_ had more vulns than any flavor of Linux and most of the Solari. NT4.0 without a service pack? 75 vulns.
1998 is the only year during which Paul may have a contention regarding NT besting Linux. 8 vulns vs RHL's 10. Note, however, that this is not including bugs from IIS, and is akin to comparing apples to oranges. In any case a difference of two is not what I would consider "far fewer". The comparison of RHL to Win95 is laughable in this case - what does a count of security vulnerabilities show in a system which has virtually no security?
Once again in 1997, RHL's 6 bests WinNT's 10.
Paul, how exactly are we to interpret the phrases "five", "each year", and "far fewer"? Perhaps as "four", "maybe one year", and "a little bit"? I suppose your wording was close enough though - I mean, it _is_ just your journalistic integrity on the line, right?
"Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2"
Note that neither BO nor IIS are reported on in the 2001 tables, thus no conclusion may be drawn.
"...despite the fact that Windows is deployed on a far wider basis than any version of Linux"
Excellent hearsay. Well unsupported by reliable references. After reading the prior claims in your article, I'll be sure to give this little tidbit all the credit it deserves (incidentally, none).
Thanks again for the good laugh Paul! What's next week? "WinXP Embedded Has Smaller Footprint Than vxWork? Yepppp!" I can almost imagine you shaking your pom-poms in the air.
There are 11 types of people in the world: those who understand unary, and those who don't.
From the article:
A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux
Win2K had zero reported security vulnerabilities before it was released....
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
If I run a webbrowser as root on a Unix system, there's nothing preventing it from overwriting anything, including my bootsector. Are you saying that Unix is defective?
No, the admin who does that is.
Bitching that Windows doesn't have a "sandbox" system is kind of silly because no commonly available OS has this feature. (and no, FBSD Jail doesn't cut it). Included in that is every complaint that Administrative users should be prevented from running the VBS equiv of rm -rf.
Moving to a capabilities sandbox system is a huge deal, will break tons of programs. However Microsoft is going in that direction with .NET, and they'll probably get there before Unix does.
1. I didn't say sandbox. The original example was about privileged services that drop privs being able to take them back. So for instance, if you are running an anon ftp server on NT and on Linux, and they both bind the port then drop the root/admin privileges, and they both have a hole that allows a remote user to execute arbitrary commands as the ftp server, the NT box is "rooted" and the Linux box is not. This has nothing to do with a "sandbox."
2. A lot of what you are talking about is available on *NIX today via ACLs. So it would seem that Windows is already beaten.
-Peter
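The bind-then-drop pattern the comment above refers to, as an added example (not code from the original thread): a POSIX privilege drop done in the order that makes it irrevocable (supplementary groups, then gid, then uid), next to the seteuid-only "cosmetic" drop that an exploited process can undo, and a check that root cannot be regained afterwards. It assumes a Linux/Unix host and Python's os module; the uid 65534 used when run as root is the usual nobody account and is an assumption. What happens on NT is the poster's claim and is not something this example tests.

```python
import os
import socket


def bind_privileged_port(port=21, backlog=5):
    """Step one, done while still root: bind the low port the daemon will serve.
    (On Linux CAP_NET_BIND_SERVICE would also do; either way it happens before the drop.)"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", port))
    sock.listen(backlog)
    return sock


def cosmetic_drop(uid):
    """The mistake: only the effective uid changes. Real and saved uid stay 0,
    so the process, or whoever is executing code inside it, can setuid(0) again."""
    os.seteuid(uid)


def root_regainable():
    """Probe the way exploit code would: if setuid(0) succeeds the drop was cosmetic."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return True


def drop_privileges(uid, gid):
    """Irrevocable drop. Order matters: clearing supplementary groups and setting the
    gid need root, so they go first; the uid goes last. setuid() called as root sets
    real, effective and saved uid together, which is what makes the drop stick.
    Returns True only if the ids changed and root cannot be regained."""
    if uid == 0:
        raise ValueError("dropping to uid 0 is not a drop")
    if os.geteuid() == 0:
        os.setgroups([])          # root only; otherwise the groups are already ours
    os.setgid(gid)
    os.setuid(uid)
    if (os.getuid(), os.geteuid()) != (uid, uid):
        return False
    return not root_regainable()


if __name__ == "__main__":
    # Run as root to see the two behaviours differ; as an ordinary user the drop
    # is to your own ids and only the irrevocability check is meaningful.
    if os.geteuid() == 0:
        target_uid, target_gid = 65534, 65534   # nobody/nogroup on most Linux systems (assumption)
        cosmetic_drop(target_uid)
        print("seteuid-only drop, root regainable:", root_regainable())
    else:
        target_uid, target_gid = os.getuid(), os.getgid()
    print("irrevocable drop ok:", drop_privileges(target_uid, target_gid))
    print("uid/euid now:", os.getuid(), os.geteuid(), "root regainable:", root_regainable())
```

The check at the end of drop_privileges is the part most daemons skip: a drop that cannot be verified is exactly the "rooted anyway" case the comment describes, and it costs one failing system call to confirm.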
"For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count."
And yet, Microsoft claims that it can't remove IE from Windows without destroying the operating system. The irony, the irony...
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
Actually, there have been no new vulnerabilities for IIS since August and very few "nasty" ones at all for all of MS products since August. I think you'll find there are WAY more RedHat ones since then...
Please change the way in which stats are reported. IIS, IE, Index Server, and the like all ship now with Windows 2000/XP just like Apache, WuFTP ship with most Linux distros. Since this is the case, those security flaws are also security flaws in Windows 2000/XP in much the same way that Apache, WuFTP and other packages' security flaws are being reported with Linux distros.
Thank You.
Lots of misinformation going on around here.
It seems that the site(s) are back up, I've appended the meat of both in case they go down again. A good deal of the posts I'm reading state the stats are invalid because it is an aggregate of all Linux distros in comparison to Windows 2k. This is not true, the stats make a clear distinction between distros and count them separately, for example Redhat 7.2 had 28 exploits in 2001 where Win2k had 24.
Which is what this article was attempting to exploit itself. It's very clear that the original article (as shown below) is a blatant attempt to drum up a flame war between Linux and Windows supporters. With a headline like 'Windows More Secure Than Linux? Yep!' it doesn't try to hide that fact either. The entire basis of the article is a 4 "exploit" difference between Redhat Linux and Win2k within the last year. Of course the severity of these exploits is not detailed.
Considering that windows has dramatically improved its numbers from the previous years I think a more accurate headline would have been "Windows security much improved from previous years"
As many people have said far more eloquently than myself, these statistics do nothing to prove or disprove a superiority between Linux and Windows security, as there are so many problems with even trying to prove such a thing.
-Jon
below is the full text of the article and the stats from Security Focus.
------------------- WinInfo article ------------------
Thanks to David Byrne for this tip: For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. (The company's 2001 statistics are available only through August 2001 for the time being.) According to NTBugTraq, Windows 2000 Server had less than half as many security vulnerabilities as Linux during the reported period. When you break the numbers down by Linux distribution, Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2, and it tied with UNIX-leader Sun Microsystems Solaris 8.0 and 7.0. A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux. So once again, folks, you have to ask yourselves: Is Windows really less secure than Linux? Or is this one of those incredible perception issues? For more information and the complete stats, visit the SecurityFocus Web site. I'll check back on this story to see how all of 2001 shapes up.
-------------------SecurityFocus Stats -------------
Number of OS Vulnerabilities by Year
OS 1997 1998 1999 2000 2001
AIX 21 38 10 15 6
BSD/OS 7 5 4 1 3
BeOS 0 0 0 5 1
Caldera 4 3 14 28 27
Connectiva 0 0 0 0 0
Debian 3 2 31 55 28
FreeBSD 5 2 17 36 17
HP-UX 9 5 11 26 16
IRIX 28 15 9 14 7
MacOS 0 1 5 1 4
MacOS X Server 0 0 1 0 0
Mandrake 0 0 2 46 36
NetBSD 2 4 10 20 9
Netware 1 0 4 3 1
OpenBSD 1 2 4 17 14
RedHat 6 10 47 95 54
SCO Unix 3 3 10 2 21
Slackware 4 8 11 11 10
Solaris 24 33 34 22 33
SuSE 0 1 23 31 21
TurboLinux 0 0 2 20 2
Unixware 2 3 14 4 9
Windows 3.1x/95/98 3 1 46 40 14
Windows NT/2000 10 8 78 97 42
Top Vulnerable Packages 2001
Packages # Vulns
MandrakeSoft Linux Mandrake 7.2 33
RedHat Linux 7.0 28
MandrakeSoft Linux Mandrake 7.1 27
Debian Linux 2.2 26
Sun Solaris 8.0 24
Sun Solaris 7.0 24
Microsoft Windows 2000 24
MandrakeSoft Linux Mandrake 7.0 22
SCO Open Server 5.0.6 21
RedHat Linux 6.2 i386 20
MandrakeSoft Linux Mandrake 6.1 20
MandrakeSoft Linux Mandrake 6.0 20
Wirex Immunix OS 7.0-Beta 19
Sun Solaris 2.6 19
RedHat Linux 6.2 sparc 18
RedHat Linux 6.2 alpha 18
Debian Linux 2.2 sparc 18
Debian Linux 2.2 arm 18
Debian Linux 2.2 alpha 18
Debian Linux 2.2 68k 18
Top Vulnerable Packages 2000
Packages # Vulns
Microsoft Windows NT 4.0 71
RedHat Linux 6.2 i386 65
RedHat Linux 6.2 sparc 53
RedHat Linux 6.2 alpha 53
Microsoft Windows 2000 52
Debian Linux 2.2 48
RedHat Linux 6.1 i386 47
Microsoft Windows 98 40
RedHat Linux 6.1 sparc 39
RedHat Linux 6.1 alpha 39
MandrakeSoft Linux Mandrake 7.0 37
Microsoft Windows 95 35
RedHat Linux 6.0 i386 33
Microsoft IIS 4.0 29
Microsoft BackOffice 4.5 29
Microsoft BackOffice 4.0 29
RedHat Linux 7.0 28
MandrakeSoft Linux Mandrake 7.1 26
RedHat Linux 6.0 alpha 25
Conectiva Linux 5.1 25
Top Vulnerable Packages 1999
Packages # Vulns
Microsoft Windows NT 4.0 75
Microsoft Windows 98 44
Microsoft Windows 95 40
Microsoft Windows NT 4.0SP3 33
Microsoft Windows NT 4.0SP1 32
Microsoft Windows NT 4.0SP2 31
Microsoft Windows NT 4.0SP4 30
Microsoft Internet Explorer 5.0 for Windows 98 29
Microsoft Internet Explorer 5.0 for Windows NT 4.0 28
Microsoft Internet Explorer 5.0 for Windows 95 28
Microsoft BackOffice 4.0 28
Microsoft BackOffice 4.5 27
Sun Solaris 7.0 26
Microsoft IIS 4.0 25
Microsoft Windows NT 4.0SP5 23
RedHat Linux 5.2 i386 22
Sun Solaris 7.0_x86 21
Sun Solaris 2.6_x86 21
Sun Solaris 2.6 21
RedHat Linux 6.0 i386 21
Top Vulnerable Packages 1998
Packages # Vulns
IBM AIX 4.3 36
IBM AIX 4.2.1 29
IBM AIX 4.2 29
Sun Solaris 2.6 28
Sun Solaris 2.6_x86 25
IBM AIX 4.1 25
IBM AIX 4.1.5 24
IBM AIX 4.1.4 24
IBM AIX 4.1.3 24
IBM AIX 4.1.2 24
IBM AIX 4.1.1 24
Sun Solaris 2.5.1_x86 23
Sun Solaris 2.5.1 23
Sun Solaris 2.5_x86 22
Sun Solaris 2.5 21
Sun Solaris 2.4 18
Sun Solaris 2.4_x86 17
Sun Solaris 2.3 13
Sun Solaris 2.5.1_ppc 10
SGI IRIX 6.4 10
Top Vulnerable Packages 1997
Packages # Vulns
SGI IRIX 6.2 25
Sun Solaris 2.5.1 23
Sun Solaris 2.5 23
SGI IRIX 5.3 23
Sun Solaris 2.5_x86 22
Sun Solaris 2.5.1_x86 22
Sun Solaris 2.4 22
Sun Solaris 2.4_x86 21
SGI IRIX 6.3 20
IBM AIX 4.1 19
Sun Solaris 2.3 18
SGI IRIX 6.1 18
IBM AIX 4.2 17
SGI IRIX 5.2 15
SGI IRIX 6.4 14
IBM AIX 4.1.5 14
IBM AIX 4.1.4 14
IBM AIX 4.1.3 14
IBM AIX 4.1.1 14
Sun Solaris 2.5.1_ppc 13
Copyright © 1999-2001 SecurityFocus
this is my sig.
The trouble with comparing Linux distros to Windows lies in the fact that Linux distros include so many different applications. I just did a count of installed packages on a RedHat box I am using, and I got 780 installed packages. I'd like to see a comparison of the number of exploits between the RedHat distro and Windows installed with 700 of the most common applications for it. That might be a more useful comparison. Also, I will readily acknowledge the weakness and lack of true usefulness of the numbers below, so no need to flame me for the lack of usability...I'm only posting the info I found, so no need to stone the messenger.
Windows
4336 Windows NT
1070 Windows 2000
2 Windows 95
5408 Windows total
All UNIX and Like
1185 Linux Red Hat
999 Linux unknown distributions
36 Linux Connectiva
23 Linux Debian
17 Linux Cobalt
17 Linux SuSE
13 Linux ALZZA
12 Linux Mandrake
1 Linux Slackware
2304 Linux total
485 Solaris & Sun OS (1)
267 IRIX
163 FreeBSD
121 BSDI
44 SCO
28 Generic UNIX
18 Compaq Tru64 UNIX
9 AIX
7 HPUX HP
4 Digital UNIX DG
3 OpenBSD
2 NetBSD
1 PowerBSD
1 Digital OSF1
1153 UNIX & Like total
3457 UNIXs & Linux
8865 Total Windows and all UNIX
Other
2 Mac OS
1 Netware
63 unidentified
--It's Pimptastic!--
I have a few points to make.
1: Linux is a kernel. Name the last security hole in the kernel.
2: There are TONS of Linux distributions. Hundreds. There's also gobs of software included in your standard Windows distribution. If you count ALL of their security vulnerabilities from ALL DISTRIBUTIONS and ALL SOFTWARE PACKAGES, I'm not surprised it's a bit higher than the number of holes in the *core Windows OS*.
3: The rate of release of Linux is much faster.
4: Linux distributors are still relying on the wrong software (sendmail/bind/inetd).
I don't think you can say that Redhat had 171 bulletins in 2001. They seem to have a bizarre numbering scheme and skip numbers occasionally. Maybe this is because the issue turned out to be a non-issue or something.
On the other hand while looking through 2001 I did notice that some of the bulletins replaced other ones, and in those cases they deleted the original from the web site.
So Redhat definitely does make it confusing. Their bulletins also don't have much detail, they don't attribute to who found the problem, on what date it was first reported to them, etc.
From what I could find, across all of the Redhat products they had somewhere around 80-90. Now I count 60 bulletins from Microsoft, not sure where you got the 51 number from.
Or are you taking these from the securityfocus article?
I happened to be using a Mac running OS X and Classic (OS9).
I wanted to comment on the article (I still think it's some sort of joke) and use of I.E. (X), Mozilla (X), iCab (X), WannaBe (9), Mozilla (9), and iCab (9) all crashed on the "add comment link."
Well, at least it was a good exercise in net-non-compatibility and the non-coder who wrote the html for that pop up window you get clearly knows what he's doing.....coding html exclusively for a Windoze world.
Excellent. Mod parent up.
Bush's education improvements were
Both Linux and NT have plenty of security holes to go around. But Linux is also clearly far preferable from a security point of view: it is much easier to run only the software/servers you actually need on Linux, it comes with full sources, and serious security holes are fixed usually within hours of being reported.
Claims like those on WinInformant mainly demonstrate the incompetence and inexperience of their authors.
The numerical titles are merely references to the bulletins posted at www.redhat.com. There ye shall find the text and become enlightened.
I checked my dictionary and there is no such word as enronian. The only reference I could find to it on the web was in discussing President Bush's deficit spending package.
Later I upgraded Kenny to a recent Redhat release, either 7.1 or maybe 7.2, running in a medium-security configuration. I didn't notice any problems after that - whatever the popular security holes were had been patched or they were in services I hadn't turned on. I had some other serious problems with those distributions - basically they're not made to be installed on small machines unless you do one big partition or a lot of hand-tuning, and you can't netinstall from a single CDROM drive any more, so you'd better have at least one machine with a lot of disk space. But the security was much improved.
By the way, a couple of the intrusion detection techniques I used were:
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Have you ever *seen* these lists of bugs found in Linux and published publicy? While the occasional real bad humdinger is found, most are of the form, "I read the source and found out that someone could in theory do such-and-such, but I don't know if anyone has actually done this yet."
In Linux, the white-hat hackers and the black-hat hackers operate on equal footing with regards to access to the information. That's the key difference.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
...run an HTTP server on it. Don't tell anyone that it's there. What will you see?
In my case it was a few hundred Code Red requests from a few tens of hosts per day.
Contrary to the popular belief, there indeed is no God.
Just to cut through the FUD on both sides here:
/. a tabloid now?
Paul: Fuck You. You don't know shit. How's the page views today? That's what I thought.
CmdTaco: Stop feeding the trolls. This guy just made $x money because you decided to link to his crappy site. Now everyone is here literally frothing at the mouth. If this was real life someone would've been stoned to death by now or branded a witch. Is
Everyone:
Lies and statistics. August 2001 huh? So the stats were last compiled just after Code Red, but not since Code Red II, not since the UPnP fiasco, not since the most secure Windows OS ever? Nice to see "journalists" grouping distros together on the basis of which *kernel* they use. If you want to assess the security of *linux* then only focus on exploits that compromise the kernel. If it's just another BIND or wuFTP vulnerability, count it just once for "OSes that use that GPL'd kernel*" *note: packages included with each distro are not uniform across platforms. Not all Linux distros are alike.
But that is rational and fair, and we can't have that can we? No. We need to increase page views and banner hits, we need to convince so-and-so in management that *OS-not-right-for-the-job* is the right tool for the job.
Windows on the desktop and *nix in the server room; the Buddha smiled and farted. And God said "It is Good".
If you have just begun reading this discussion, maybe you shouldn't waste your time. Basically, the original article is a troll, or a paid MS public relations stunt, and Slashdot fell for it.
If you must read this discussion, just browse at +5.
What is the problem with the moderators?
... especially if your first language is not English.
When I posted my comment there were no comments at all on this story. You know, it takes time to write a message longer than 2 lines, preview, correct and send.
And, then, I see no other previous post with the same ideas. Maybe there are some in the answers to previous comments, but sent way after mine.
What's all this "redundant" thing?
Please, check the timestamp of the comment before being ridiculous.
We didn't write the article in question, nor are we hosting, nor did we have any opportunity to see it ahead of time. (Or now... still can't see it.)
/. link did make it look like your article to the casual glance (though the /. effect did preclude many of the banners, etc. from ever loading, and a more precise look at the URL does reveal it to be hosted elsewhere).
I'm curious why you would link to an article without reviewing it. If this is to be believed, you linked to an article without even reading it. While I expect that sort of looseness with Slashdot to some degree, I confess I'd always held Security Focus in a little higher regard, and consequently expected more selectivity in what articles they choose to headline and link to.
Unfortunately this thread is already ancient history and probably no longer being followed, but if you see this I would very much like some clarification on exactly how articles like this are selected for inclusion in SecurityFocus' headlines. Following the
The Future of Human Evolution: Autonomy
With that many vulnerabilities and that much press, I would say that Linux has arrived! (All the *BSD folks are green with envy and wish they had such attention)
You could say that old distros and less experienced sysadmins are facing a hacker culture that probably is more adept with open source tools than they are shooting bullets into Windows and IIS for BO's.
So, then, how much monetary loss is attributed to Windows insecurities vs Linux insecurities, eh?
"Provided by the management for your protection."
Another Microsoft public relations employee. Look at the name: LinSux.
I'm curious why you would link to an article without reviewing it. If this is to be believed, you linked to an article without even reading it. While I expect that sort of looseness with Slashdot to some degree, I confess I'd always held Security Focus in a little higher regard, and consequently expected more selectivity in what articles they choose to headline and link to.
What makes you think that we linked to it? We didn't, they linked to us. We run a little stats page because people were asking us for the numbers all the time. These other people wrote a short blurb and claimed, based on their misunderstanding of the numbers, that SecurityFocus was claiming that Windows was more secure than Linux. We make no such claim, that's their conclusion.
The article in question was not linked to by us, was not in our headlines, was not endorsed by us, wasn't even known to us until the Slashdot story.
The article in question was not linked to by us, was not in our headlines, was not endorsed by us, wasn't even known to us until the Slashdot story.
... I'm usually better at attributions, and I shouldn't have gotten that one wrong.
I went back and looked at the article more thoroughly (now that it isn't slashdotted, and the graphics, etc. come up, ie. it is no longer filled with blank spaces). Amazing how much more obvious these relationships become once you can see the whole thing without 10 minute lags (and once someone has pounded you over the head with a clue stick).
You are absolutely right, I was absolutely mistaken, and my comments misaimed. My sincere apologies. The diatribe to which you replied should have been directed at WinInformant, not Security Focus which, as you clearly point out, remained above reproach in this fiasco. Sorry about that.
Thanks for your reply, and pointing out what should have been obvious (but apparently wasn't, to me at least, on that day).