Windows vs Linux On Security

e8johan writes "NewsFactor is running an article asking whether Linux really is more secure that Windows. I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen, but they do make some good points, especially when discussing Open Source and security."

Bugtraq

[qurob]

Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows. Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.

Very few of these messages are related to the Linux kernel itself. I find most of these to be about packages included with most major distributions.

So many programs get lumped into 'linux' and this is forgotten.

Imagine if EVERY time there was a patch for a Windows app, it was checked off in the 'windows' category.

Then again, there are more Windows apps than Linux...

Flamebait indeed

[kafka93]

In many respects, Linux isn't so much a "newer operating environment" - its pedigree is Unix, and it owes much of its core to long-established developments for much older systems. To say that it is "even newer than Windows" and to cite this as evidence that Linux is therefore less secure than Windows is rather irresponsible, to say the least.

Similarly, the quoting of a few minor-but-exaggerated viruses etc., and to imply that these stack up to anything remotely comparable to the plethora of such issues that plague the Windows OS, is quite ridiculous.

Let's face it - this is FUD. "Microsoft has organized a huge security program" and (Linux is) "less disciplined but more timely" -- such soundbites have been carefully calculated.

Of *course* security comes to more than the Operating System alone; still, one can only gape at such inane comments as "the existence of security flaws -- and of hackers willing to exploit them -- does not necessarily add up to more risk for users".

This is FUD that is based on the vaguest understanding of security, upon one man's comments, upon old, tired misunderstandings about the merits of "single commercial entities" -- in short, it is the usual chest-pumping pro-Microsoft FUD from someone who knows very little about which he speaks.

Re:Flamebait indeed

[Reziac]

Well, I would have thought it flamebait too, and then I picked up a copy of "Hacking Linux Exposed" (http://www.hackingexposed.com/) This companion volume to "Hacking Exposed" is almost as thick as the original, which covers all other OSs combined.

BTW, they're both very good reads; indeed, I would say *required* reading for sysadmins of ANY platform.

Re:I trust Linux's security implicitly

[Billly+Gates]

Just because someone has a different opinion that yours does not mean he is wrong and you are right.

Sometimes I find slashdot highly biased. I think the karma of your comment of +4 is a little to overated since its biased.

Most highly secure military labs like the dod use VMS because they have a license to see and audit the source code? I remember reading a comment earlier this year mentioning this but I do not know if its true. I would not be supprised if the military uses their own operating sytems for critical systems that handle nukes and keep tract of military operations worldwide. You need alot of certification to run an approved os with approved hardware. I believe c3 certification is required.

1.) c2 certication is required.

Yes, Windows2k and NT are c2 certified while Linux is not. What we need to do is fund a lab to make it certified. People who do government purchasing will not buy a system that is not c2 certified. I believe this was probably one of the reasons linux was turned down. I am aware of the fact that Microsoft's c3 tests were not connected to a network but that is really part of the certifaction process. Any server that is connected or has a floppy drive is automatically disqualified so please don't rant on this.

2.) The second issue has to deal with the development model. The labs security department does has a valid concern that you may or may not agree with. I too would rather trust a proprietary OS with a special license to look at and audit the source code or a homebrew OS for such a situation.

They do not know who Linus is and yes it is possible that the government of China for example can add some worms or backdoors into it. Remember that China is standardizing on linux and maybe funding part of it and donating code!

Yes their is no security in the linux development environment and no having Linus decide which code gets patched in the kernel is not good enough for military use! The bsd crowd has been complaining about this for awhile. They would like cvs to prevent someone from adding something to the kernel. I do not agree with this analogy but if their was a cvs tree with at least minimal security on who gets to commit and write, then it would not bother the security freaks as much. From what I heard, Linus still does not use cvs and just patches code he receives from email. I remember several commits by him in which he says he will never use CVS.

The preference for Windows2000 however does not make any sense. Its all closed source and a few spies could actually work for Microsoft. You never know. If they can look at the code, then they can do an extensive audit. However like I mentioned above, win2k is c2 certifed so thats why they use it.

Re:ActiveX is...

[Arker]

s/pain/impossible

Not at all. I have a fully functional system at home running win98 with no trace of mshtml, totally invulnerable to exploits that rely on ActiveX (which is the vast majority of exploits that affect 98.) You can do the same thing with ME, the easy way is here. NT based systems are harder, but it's possible to achieve most of these improvements there as well, elsewhere on the same site you'll see he's still putting the finishing touches on a similar product for XP.

The APIs are moving to ActiveX (cf .NET),

Yes they are, an excellent reason to step up the pace on eliminating MS from any environment where security is important.

I don't know that you could remove it even on Win 3.1

Win 3.1 didn't include any of this, that's a very bad memory or some FUD, depending on your internal state when you wrote it. Some of the earliest versions could be run on 3.1, but that required installing Iexplore updates, it wasn't on the system by default.

Not really. All ActiveX is is a codification of C++ virtual tables and object instatiation into a language independent standard. That's it. It's all in how you use it.

Not quite, that's COM, ActiveX is how COM is made available to arbitrary code, as from a webpage or an email opened using MS tools, which as a rule don't just neglect to give the user proper warning before executing proper code, they typically give no warning at all. Click on a URL or just an email header in Outlook and you can run code without knowing you are doing so. This is a fundamental architectural flaw.

Re:Security depends on many things.

[1010011010]

You're right. NT, like its VMS predecessor, is more secure by design. It's just that the Windows User Interface and Windows applications are written under the assumption that users have complete control of the machine. Unix apps are written with the understanding that there are any number of users, none of which are root.