Slashdot Mirror
Windows vs Linux On Security
e8johan writes "NewsFactor is running an article asking whether Linux really is more secure that Windows. I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen, but they do make some good points, especially when discussing Open Source and security."
Which is more secure is such a hard question. UN*X is structurally more secure in many people's opinions. Windows also has the disadvantage that it has many clueless admins (even the certified ones). I think that's a big part here, any OS is as secure as the admin, a well managed Windows box can be more secure than a badly run Linux box... A propper comparison will be much more complicatec than this article.
Security problems exists - it may or may not be worse in Linux than windows...keep your systems updated regardless.
C'mon...this was nothing but flamebait - nothing news worthy there at all.
About the only telling thing is the top line about MS turning towards spending $$$ towards security - perhaps that includes buying blurbs like this saying Linux ain't perfect either.
Lies, damned lies and statistics.
Windows applications will always be less secure than OSS because it's much more complex and used by millions more users. This is the fact that tends to get missed by people who blindly quote stats that they don't comprehend.
Actually this is yet more hardcore evidence that the FSF and open source proponents need to shift to a more modern Extreme Programming model of development and away from their legacy "hacker working alone in a basement" methodologies. I've done this using a modified P2P client for real-time distribution of code amongst a team of 3 other coders over high bandwidth connections and it works out very nicely-even though we were all in different states at the time. It's generally known that studies have shown that teams of four can develop code one order of magnitude faster than 4 coders working separately and my experience backs that up.
This hits at the very heart of the Achilles heel of open source as it tends to be rather unprofessional and willy-nilly in it's approach to development and project management which was fine back in the early 90's but suffers from severe limitations in todays modern and complex software development paradigm. Sure they make more secure software becasue it's easy to make an Xterm secure and not so easy to make an giant enterprise ERP package secure. Lets see these "experts" comapare apples to apples sometime.
Wagner LLC Consulting Co. - Getting it right the first time
My home box has Apache, but no ssl I really dont need secure transactions that much, if I did I would keep it up to date just like everything esle I use. Now lets look at Nimda, what % of people on windows use outlook/outlook express, and of these how many would not keep their system up to date.
Point is one is a server deamon exploit (used by a very small % of linux servers (say 10-20% tops), and one is a mail client exploit used by a mojority of windows users (so there will be many oure out of date versions per capita)
Yet again, we find an article that points to the significant number of Linux bugs going through BugTrack. The turn-around time for the patch in Linux is usually quite fast. Commercial software makers are starting to sue individuals for disclosing security vulnerabilities.
How many bugs for Windows have been swept under the rug? How many software vendors out there have patch security holes, and requested that their customers download the latest 'maintenance' patch?
Just ask some of the truly gifted individuals in security what they think of security through obfuscation.
I doubt the veracity of your story. The NSA has worked on a secure Linux distribution. The big laboratories were also pioneers on the Internet. They've had a lot of experience with that type of software development and your rubber stamp story doesn't fit in with that.
Get your stinking paws off me you damn dirty ape
I think that most of linux's security risks are there because of administrators. They should only run services and modules that are essential, but nothing else.
Administrators should have physical access to machine, so they can disable anykind of remote shell access. Do not run ftpd as root.. and so on. I think that would minimize security risks.
"Linux is not being considered until the development model is safe."
Translated this reads: "I only know Windows so stop threatening me, for job security reasons we can't use Linux." Anyone that claims that the development model is unsafe is showing their fundamental misunderstanding of said development model. That would be the same as saying that the pharmaceutic industrie's development model is unsafe. It's essentially the same model. OSS allows for peer review, which ALWAYS makes more secure software. Look at crypto algorithms for another example.
"Herbivores eat well cause their food never, ever runs."
Just last night, a buddy of mine did a security scan of the Linux box I use at home as a gateway for my other 4 computers. The only security problem found was with the version of wu-ftpd that I'm running.
No problem, I thought, I'll just upgrade it. So, my first step was to download it from wu-ftp's ftp site, only to realize I was going to have to figure out how to build it (that was simple, except I kept getting two or three errors in the compilation. I'm assuming my gcc is out of date) and then how to install and replace all the existing stuff (I have no idea how, and I don't have time to learn it).
So, I figure I'll go to RedHat, download the RPM and just install that. Which I do. Ran RPM to install it, no messages, try to FTP in, still running the old version. Shut-down and re-start, same thing.
Folks, I know most of you are Linux fanatics, but if a programmer with 23 years of programming experience can't manage to upgrade a simple application in under 30 minutes, Linux will never make it to the masses.
There's nothing I'd like more than to see Linux replace Windows on every desktop. When Linux is ready. Frankly, I don't think it is, and I think it's still got a long way to go. Sorry.
The user makes all the difference. What software you choose to run, and how you choose to configure and audit things. How much care you give to security issues and how much knowledge of basic security you have.
However, if you are competent and security-minded, it is quite easy to make a Linux box extremely secure against all but the most directed and knowledgeable attackers, which are quite rare. If you run Windows, no matter how hard you try you're still gonna be fairly hosed. Some things just can't be fixed reasonably on that platform.
11*43+456^2
Security holes happen for any development model, shit happens. With open source, GNU/Linux in particular, I keep an eye on security updates to my distro and that's it. Almost no effort if you use a friendly distro. Well, that and I check not to run services I do not need, use a firewall, etc. I know that as fast as a hole is found a fix will appear and I'll download new packages in a couple days. If I am really concerned I can compile and install in the meantime. Here is where the freedom meaning of free software shines.
Oh, and the title should better be "Open source vs propietary security". Old same old ...
Microsoft has worked very hard to make ActiveX an integral 'part of the operating system' - it's a pain to get rid of it even on older systems, and I don't believe anyone has even worked out a way to properly disinfect it from XP to date (if I'm wrong give me a link, litepc.com is still working on it, it's a tough problem.) ActiveX is also the very exemplar of security hole from the ground up. Despite all the lip-service given recently to the concept of security by Microsoft, this particular policy, by far the biggest cause of security flaws, has been intensified over time, not backed off from. This makes Microsoft systems and security antonymical.
Now there are some smart folks at Microsoft, I can't credit the theory that no one there understands what they are doing. The alternative, of course, leads to what may be denigrated as 'conspiracy theory' but in this case it seems reasonable, for the reasons stated above. What does Microsoft gain by making their systems inherently insecure? A rationale for the 'necessity' of so-called security schemes (that really don't have anything to do with security, but rather with centralised control) such as DRM. Flood the net with insecure boxes and then cash in later by 'solving' the problem in a way that makes you the effective gatekeepers of the internet. Now there's a business model with some profit potential.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
> I think that's a big part here, any OS is as secure as the admin...
I would have said "the admin sets an upper bound on system security". The OS could still undershoot that bound.
Sheesh, evil *and* a jerk. -- Jade
Who is better, bigger faster? That doesn't help any community very much either.
.rpms, .isos or .exes.
.isos to prevent man in the middle virus patch attacks.
What is good is to ask how to make actual systems better, to catch up faster with patches an so on.
My try:
Besides disabling unneeded daemons, automatic updating should be a priority for almost all users, at least for every desktop (not hardcore) user. MS would have that right if they weren't pushing EULA changes with every update. And checksums of packages would start to be a serious thing, not something we saw but ignore in the same web page as the
But this automatic updating should be entirely configurable, because hardcore users, admins and so on can't rely on third parts to check the compatibility of every patch with the endless configuration they have done. Auto-update could be enabled in any vanilla system, and disabled per package with dependencies with a CLI and GUI tool.
Ohhh, and making sure that this autoupdate doesn't have any bugs too! (as far as possible). May be SSH and server keys in the
Just a though.
We are Turing O-Machines. The Oracle is out there.
apache bugs : Application problems, not OS problems, big difference.
openssh bugs : Application problems, not OS problems, big difference.
xchat & other programs bug : Application problems, not OS problems, big difference.
Linux kernel symlink dos vulnerabilty ( 1 vulnerabilty about kernel I have ever seen in 1 year ) : os bug
See if you think like that Linux has only 1 bug....
Never learn by your mistakes, if you do you may never dare to try again
I thought the article didn't really stack the deck at all, in fact, it was very favorable to windows - it actually legitamized it (you motherless whore). when a security flaw is discovered in linux, a community of people work together to release a patch while a company that issues a distro/release works on their own patches. MS sits on known security issues for years without addressing them, doing damage to their customers and user base. Linux users don't pretend that their is no problem running X servers (or ttdbserver.rpc for you solaris people, holla *^_^*), they come up with solutions. MS has finally gotten around to releasing patches as they come out - but what about inherent flaws in the OS that are unpatchable - like the Windows Messaging system?
No, Windows STILL sucks.
-Frank
"Other bands play, but Manowar KILLS"
Comment removed based on user account deletion
Playing devil's advocate here but....
MS could have documentation that is just as good, and contextual like a squid conf file.
The problem is that people stop clicking the question mark cursor (contextual help) after doing it about 10 times and getting "This is a text box, you enter text into it" or "click the check box to toggle this option on or off".
So, IMO, it's not so much that they can't, it's that they don't.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
I'm not trying to have it both ways. I would no more include past problems with Bind, Apache or WU-FTPD when evaluating Linux security than I would MS-Office when discussing Windows security. Nowhere have I said that I feel windows is particularly more or less secure than Linux -- In fact, using BugTraq reports as a basis for comparison is a fairly clueless means of comparing OSs for relative security. Not to put too fine a a point on it, but comparing "Linux" to "Windows" is itself a meaningless exercise, since the two are not equivalent in any sense.
The bottom line is that (as mentioned elsewhere) the weakest link in any system from a security standpoint is the operator of the system, period. If you want to make any kind of meaningful comparison, compare Windows against a particular distibution of Linux with an emphasis on securability. How easy is it to secure the system? How effective are the means provided? Then you might have a study worth reading.
Roving Web-Teleoperated Robot
I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen
That would be a good point if not for the fact that 1) Microsoft Office is not part of Windows, and 2) a lot more people would switch to Linux on their desktop if Microsoft Office (and not some pale imitation) were available on Linux. But it isn't, is it ?
Because security through obscurity has worked out so well for Microsoft in recent years, hasn't it?
While there may be a significant number of vulnerabilities that have existed in Linux applications (a rare few in "Linux" itself, I might add), they're almost always fixed in a timely manner. More than can be said for our Cathedral competitor.
Moreover, the security model of even a relatively loosely secured Linux system helps prevent overall system damage and widespread deployment of such vulnerabilities. Consider the spread of CodeRed or Nimda compared to that of Slapper or Ramen. I'm no mathematician, but I do believe we're talking an order of magnitude in difference here. Before somebody reminds me for the umpteenth time that Microsoft is more widespread; let's concentrate on web server vulnerabilities. These guys disagree wholeheartedly.
Also to be considered is the sheer number of updates that appear on the WindowsUpdate site with no big uproar, and the potential number that are buried deep inside their service packs (104MB for XP, 106MB Win2k SP2 with a 17MB "security roll-up" and subsequent SP3, etc.). With atleast a quarter GB of updates to Win2k systems - that's a lot of fixes! The open source community is just a lot more ... open about the chinks in our armour, which gives statisticians a field day in coming up with reports and editorials about how bad off we are.
Of course, were I to deploy a mission-critical server installation running Linux, I still have the ability to audit the entire codebase (or hire somebody/a team of somebodies to do it for me). With Windows, that's apparently possible, in a small part, and at a very large price (I understand that enterprises can purchase large chunks of the Windows codebase for a few hundred thousand dollars, but don't quote me on it.) on top of the expense in hiring the programmers. This is not to mention the fleet of tens of thousands of eyes always staring at the code of larger projects day in, day out.
Of course I wouldn't install a GUI on my server - but does Win2k or WinXP give you that option? Of course not.`Microsoft's bread-and-butter is having that GUI shoved in your face at all times with the Internet Explorer icon emblazoned on the desktop and etched forever into the back of your retinas. The Windows Scripting Host and VBS support are all part and parcel with their Master Plan to have integrated desktops with unified interfaces (remember, Microsoft server administration is aimed at monkeys, not trained professionals. (Disclaimer: This isn't to say there aren't talented Microsoft administrators out there, only a comment on the target market of the Windows point-and-shoot interface for servers)).
Interesting to note, BTW, that Windows Professional and Server operating systems ship with RPC, Remote Registry Editing, Background Information Transfer Service (BITS), among other things enabled PER DEFAULT . Microsoft claims to be shifting their focus to security, but quite frankly, the default "Automatic" services list in Windows XP doesn't impress upon me a great feeling of security either.
Remember too that Windows (both the 9x and NT trees) were designed to be single user platforms (the NT tree coming from OS/2 - a single user platform) with multi-user support kludged into place. Only recently is there some form of organization as to where users store their individual documents and settings, but the de facto software installation course sees users installing things throughout the root of the filesystem still, because that's the way it's always been.
With a pretty basic set of hardening scripts (filesystem permissions, firewall rules, etc..) Linux can be made infinitely more secure than Windows, and I believe it will always be more secure if the administrator (behind both the Linux and Windows keyboards) are on the ball. Why? Because I believe OSS vulnerabilities will always be patched sooner, tested by a wider range of people, and applied sooner than the alternative closed-source Windows patches. Also, auditing a patch (diff) file is entirely do-able for one or two programmers in an afternoon - something that makes rapid mass-deployment of patches far more plausible, whereas in the Microsoft world the patch/update method is essentially "Test patch on several machines with similar configuration. If nothing breaks, apply it to the front-line servers."
Morality and security wise, I think I'll stick it out with Linux and let the statisticians throw around all the numbers they want. I'm comfortable right where I am, thankyouverymuch.
BD Phone Home!
Shameless plug. Like you weren't expecting it.
And sometimes only once, when the discoverer posts and then nothing from Microsoft. Heck, by this logic, the most secure system is the one where the vendor never ever acknowledges security problems, much less fixes them.
I read the internet for the articles.
Most OSs can be made secure. Even windows. By a good sysadmin.
Unfortunately this doesn't say much for your dad.
http://twitter.com/onion2k
I've used UNIX and Linux for close to ten years, and by now I have a pretty good idea how to do things in a secure and functional way. I've only had to admin an NT box once, and I migrated services off of it as quickly as I could.
Why? Not because I had any direct evidence of insecurity (this was before the real flood of NT vulnerabilities began), but because I knew I could do a better job with the tools I knew best.
But also:
- the NT machine tended to bluescreen every month or so for no apparent reason. The MCSE on staff was not overly troubled ("Oh I see the problem, it just needs a reboot"), but its flakiness did not fill me with confidence.
- the MS tactic of bundling the kitchen sink with the OS is just asking for trouble. Linux's modularity means you don't have to have a graphics layer on the server, for example, or any other unnecessary frills that provide opportunities for crackers.
- I believe the full-disclosure bug reporting model is orders of magnitude more responsive than what you get from proprietary vendors. Afaik, lots of reported linux bugs == lots of bugs get fixed because lots of people have access to the code.
- really excellent security tools are freely available: iptables, xinetd, snort, tripwire, nessus, nmap, chroot, etc. An interested beginner could make a linux server very hard to break into. I know {NT,W2K,XP} has more wizards and stuff, but is it easier (or even possible) to really see and control what's happening with the OS?
1) The author cited as fact that the age of the operating system is directly related to its security, without any kind of proof. This makes sense at first glance, but it ultimatly glosses over the fact that both OSes are in constant development. New features are added every day. This might make sense if, after developing the system, all the time after that was spent patching and debugging, but this isn't the case.
2) The author has no concept of service vs. system. Most vulnerabilites are in sevices, not at the kernel level. All Linux is just a kernel. Packages are added to make a usable Linux distro.
3) The author cites number of bugtraq entries as a way of gauging relative security, without considering the severity. Also, bugs, like those reported to Security Focus aren't the only vectors of compromise
4) Open source software, by virtue of being free, allows an administrator to install much more security software for his dollar. Firewalls, IDSes, advanced cryptographic file systems, HIDS, and virus scanners can all be downloaded for free.
I'm subscribed to just about every Security Focus mailing list that has anything to do with security, viruses, bugs, incidents, events, etc. and I really haven't even seen many (any?) "Visit this URL for details" posts from Microsoft. I'd have to say that they've gone quite mum in recent months.
Of course, when you stop announcing your vulnerabilities in an open forum, then threaten legal action against anybody else who tries to do it for you, that open forum will slowly start to tilt towards the other guys. Sure, Linux/UNIX application vulnerabilities (don't forget that Apache, Sendmail, and BIND still run on FreeBSD et al!) are more popular on the list - but that's because people aren't ALLOWED to publicize Microsoft vulnerabilities!
I know that recent MS EULAs forbid people from disclosing benchmarks relating to the ".NET" suite of applications without Microsoft's prior consent - is it feasible that they've buried something in there about vulnerability disclosure as well?
BD Phone Home!
Shameless plug. Like you weren't expecting it.
(Ok, so that subject isn't that great, sue me) ;)
I submitted this same story on the 11th and was amazed that it wasn't posted as it's an important debate, not to mention one that is extrememly volitile (which might be why it wasn't until now--get the Monday crowd, so to speak)..
At any rate, there have been tests done that disprove the OSS-is-more-secure model, basically stating that either style (OSS or Closed-Source) can be equally secure. We all know that. What I think is interesting is exactly how both camps go about the same thing (ie: security).
The OSS people find a bug, the author of the affected application is notified (probably by hundreds of affected people, or by bugtraq, or something like that, and he/she fixes the bug, releases a patch or new version and the world is more or less happy. (Some apps might not work, but then that's not the problem of the author.) Time from bug to "fix": about 2 weeks (at most).
Closed-Source people get a bug report, then they have to see where it is in the code, fix it (and here the similarities end) because there is (at least in the commercial business) a desire for backward compatibility and what MS likes to call "regression testing." Once that arduous process is done a patch is released. Time from bug to "fix": at least 2 weeks (unless your'e lucky.)
Really, the only thing I see different is the time involved, both bugs get fixed, but OSS doesn't have to test it with previous releases--the author only has to make sure it works on a "vanilla" install; whereas someone like MS has to make sure that it doesn't break anything going as far back as, say, Windows 98. (Which is pretty far back in computer time.)
I think the real way to describe it is that OSS is made secure faster than Closed-Source. Speed being the essence, that's the rub. If I want security I'd like it now, not later.
Almost nothing is routinely secure "out of the box". And even OpenBSD has had its share of black eyes.
It's not a question of "How secure is it"...it's a question of how securABLE it is. IIS is securable, so is Apache. The problem with IIS is that it's usable by the low end of the technical spectrum who don't know or don't take the time to secure it. People who use *nix/*nux and Apache are almost techies by definition. They generally have the attitude to secure their boxes.
The irony is that with a flurry of points and clicks, IIS is easier to secure than Apache. However, nobody does it.
He knows well enough to be aware of what has actually been exploited. The article is infact a "Fear mongering" piece. It presents only the information that the author wishes you to see. It is clear the author has an axe to grind against Linux in particular.
The author ignores the common pedigree that Linux shares with Unix. The author ignores the underlying design issues that distinguish Unix versus Windows in theory and practice. The author plays a naieve numbers game with the bugtrack figures while conveniently ignoring the fact that Linux is more transparent.
He also makes the absurd assertion that more vendors == less secure.
If anything, competition and diversity should allow for vendors of varying quality and priorities.
A Pirate and a Puritan look the same on a balance sheet.
What everyone seems to be missing is the difference in scale between a windows exploit, and a linux exploit.
Linux, if you hack a mail client you can send spam to people on YOUR mailing lists.
Windows, if you hack a mail client you can send mail to people on THEIR mailing lists.
Most times linux exploits get you the very lowest level of security access. Yea, you got in, but you hardly got root priviledges out of it.
Windows on the other hand, has several known and documented exploits that not only get you in, but get you admin priviledges to go along with it.
Linux is very protective of it's hardware access (As anyone who's ever tried to run games will tell you. =P). Windows, on the other hand, goes out of its way to make hardware access easy and painless, both to the user and the abuser.
Exploits exist for both systems. But which ones would you rather have to deal with?
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Of course I wouldn't install a GUI on my server - but does Win2k or WinXP give you that option?
Simply put windows just doesn't have much functionality without a GUI, and many MS tools absolutely depend on it. Aside from that, strategically MS must to focus on their GUI. Why? Look at the functionality of cmd.exe vs bash . When you take things to a CLI level, UNIX is far superior. And lets face it, many in the MS world are just afraid of the command prompt.
he has access to.
My experience is that it is really hard to find *good* documentation for advanced topics in the Microsoft world. (especially when you need it). I guess that there are good books out there, but when I needed information I was not at the bookstore.
On the other hand, Linux/Unix is very well documented. And when you hit the wall, you can always look around in the source code.
Panayotis.
In fact, pushing all the responsibility down on the user is a very bad way of securing anything. Most poeple care more about functionality than security. We as developers need to pay more attention to finding ways of implementing non-intrusive security. It may include more lines of code, but it will certainly pay off in how many of your users end up screwed by an exploit in YOUR app.
I'm just waiting and hoping for automated code audit for security. That would possibly be the greatest contribution to computer security since encryption!
Stop the brainwash
...because they are both insecure enough to be a hazard in a real world situation. If I want to run a secure box, I'll run a BSD (probably OpenBSD). One remote exploit in six years is a bit better than a new one every month (a trend both Linux and Windows seem to share). The only way to keep a Linux or Windows box secure is to patch it almost constantly. To be honest, that is a task that sysadmins don't want to be doing all the time. There are much more important things to be doing.
This is why we should not allow programmers to moonlight as system administrators. As a programmer, of course I expect you to never, ever, code up a buffer overflow exploit. But please leave system administration to professionals who know how to do the job. A system administrator of 2 years experience or less (usually way less) could do this with ease and correctly.
now we need to go OSS in diesel cars
BD Phone Home!
Shameless plug. Like you weren't expecting it.