Slashdot Mirror


Windows vs Linux On Security

e8johan writes "NewsFactor is running an article asking whether Linux really is more secure than Windows. I'd say that they miss to point out that Microsoft's Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen, but they do make some good points, especially when discussing Open Source and security."

31 of 447 comments

  1. Seeing Bugtraq postings about Linux... by Anonymous Coward · · Score: 4, Interesting

    From the article:

    Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.

    This is probably true, but only because for Linux, every security vulnerability gets posted multiple times, once for each vendor that has released updated packages, plus once by the vulnerability discoverer (so you get one by the discoverer, and one by redhat, debian, mandrake, suse, turbolinux, grandmasfavouritedistro, etc).

    In contrast, with Windows, you only see a posting related to a single vulnerability twice - once by the discoverer and once by Microsoft.

    It appears to me if you count each vulnerability only once, there have been more Windows-related than Linux-related.

  2. Geez by Hayzeus · · Score: 4, Interesting
    I'd say that they miss to point out that Microsoft's Office suite combined with VBA scripting

    These aren't exactly a part of the operating system, though, are they? Any poorly set up system will be vulnerable. I'm no huge fan of MS's bloated products and crappy license arrangements, but I mean, really...

  3. Flaw in argument? by ebuck · · Score: 5, Interesting

    It seems that Hemmendinger argues that the newer the software, the higher the likelihood of bugs. While that argument sounds valid, it would only hold up under the following conditions.

    1. Both platforms stem from an equal amount of design history.

    2. Both platforms use technology of comparable complexity.

    3. Both platforms refused to make concessions in software integrity to deliver their products.

    4. Both platforms actively avoid known pitfalls in their chosen architecture.

    5. Both platforms remove flaws at approximately the same rate.

    None of these conditions (and I'm sure there are more) exist in the comparison of Linux to Windows, making the "age" argument a very weak one.

  4. how does newer == less secure? by kubla2000 · · Score: 5, Interesting
    from the article:
    Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.

    Um, I don't get it. How does newer == "less secure" in this scenario? Sure, the older an OS, the more time it's had for the kinks to be worked out of it. But doesn't method have something to do with it also? Linux is developed in an open and peer-reviewed environment. It's maturing much faster than Windows. There's no reason to compare the two in the way the author's done. Faulty thinking on his part.

    What's also got to be factored in is the severity of the bug. A buffer-overflow that lets a cracker rm / is serious. A buffer-overflow that lets code run with the perms of the user owning the service in a chrooted directory is also serious, but much less so.

    The author also babbles about the volume of security-related issues on BugTraq... I'm not the first and I won't be the last to point out the rather obvious logical flaw here. If Bugs are getting reported and being quashed then they don't pose a threat any more. If the bugs aren't reported because a certain company based in Redmond Washington won't allow them to be reported... well, it's kinda obvious from there.

    That said, it is indeed encouraging to see more and more people concerned about security. I think the message is slowly being driven home.

  5. It's not the OS by m00nun1t · · Score: 3, Interesting

    Just about every major worm, linux or windows, has used an exploit that's been patched for a few months or more. The admin is a far weaker link than the OS.

    Stating the obvious, I know, but whoever posted this flamebait article didn't think so.

    On another topic, the moves MS are making with their auto-update tools should put an interesting light on the security landscape. The previews of .NET server look pretty good in this area.

  6. You're comparing apples and .... by mustangdavis · · Score: 3, Interesting
    "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system."

    * Gets out a kleenex, wipes off author's glasses*

    IIS - enough said.

    The actual number of posts may be greater, but how many people install X on their Linux servers? How many people have xmms on their Linux server?

    Also, considering that Linux is open source, and thus, hackers can actually look at the code for the OS, it is AMAZING that it is more secure than Windows! Can you imagine how many exploits there would be for IIS if a good hacker could see the source code for it?

    Nothing more to be said here ... move on!
  7. If you don't report the bugs, they don't exist by Anonymous Coward · · Score: 2, Interesting
    Sorry, but M$ sells security-through-obscurity.

    Thus, any bug-counting stats are meaningless.

    And for all you folks who think M$'s ways are best: Do you really think Gates and Ballmer have your best interest in mind when they spout off about keeping bugs secret?

  8. Security? by Noryungi · · Score: 5, Interesting

    This sentence from the article really drew my attention:

    Mainframe operating systems, which have been perfected over decades, have very few security flaws. Security problems on mainframes tend to be caused by administrators' errors.

    Obviously, this guy does not know what he is talking about.

    My father used to be a mainframe security officer at a Fortune 500 company. He knew mainframes inside and out and was always pretty much on top of things -- and he started his career on old IBM with punch cards, if you see what I mean.

    Anyway, his company would hire (once every three years) an external consultant to test the security of the systems my father took care of. This consultant could gain the mainframe equivalent of "root" access in 30 minutes or less.

    A mainframe operating system is not secure -- it's very stable (uptime=99.9999%), though, but that's a different thing.

    My advice? If you want security, get OpenBSD. If you want the latest gizmo, get Linux (a real Linux) and invest some time in securing your installation...

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  9. Myths of Linux Malware... by sheriff_p · · Score: 5, Interesting

    Many people thought prior to Slapper coming out that Linux was somehow impenetrable to malware ... VB has a good article (written before Slapper came out, as it happens) on why this is largely untrue:

    http://www.virusbtn.com/magazine/archives/200209/linux_malware.xml

    --
    Score:-1, Funny
  10. Clueless admins vs. byzantine systems and bad docs by swb · · Score: 5, Interesting

    I wonder if Windows' security problems aren't as much the fault of the everything-but-the-sink integration and legacy support, and abysmal documentation as they are inexperienced and unknowledgeable administrators.

    A lot of the IIS exploits are built around "integration features" turned on by default and not well (at all?) documented. How do you disable what you don't know exists? And that's just IIS -- there's more hidden surprises buried in the OS known by hard-core developers and MS only.

    Third party resources? You can't say "take a class" -- I've *taken* MS curricula before and it's not a whole lot better than the online documentation. A typical 30 hour (4 day) class has about 2 hours of stuff you'd be unlikely to sort out through the UI and docs. Books? Usually no better than the online docs and often *worse*, and that's if you can manage to wade through a sea of 'em to find one that's not just screenshots of the online docs!

    My experience with Linux and (predominately) FreeBSD is that while the UI of these OS's is often less intuitive, the documentation, even man pages, while dense is far closer to complete than Windows and there's a lot less hidden "gotchas". One of the great things about textual config files is that most sample configs, especially with stuff like Apache, Squid, etc is that the configuration docs are integrated with the config. You just can't do that well with Windows, which is moot anyway, since MS *doesn't* do it with their default configs.

    My point is that while it's fun (and often fair) to blame clueless admins, they're also admining a system that seems to try very hard to defy people who want to learn -- Just Click Here And It'll All Be OK. If they could learn and understand the operation of the system(s) and their architecture they'd get a lot smarter. MS makes it hard to do this so people don't.

  11. Re:Depends on administrator by Anonymous Coward · · Score: 1, Interesting

    Have you done a recent redhat install? The majority of services don't give clear descriptions of their functionality. How should I (let alone an "Average" user) know what I do actually need?

  12. Re:There's three kinds of lies... by dabadab · · Score: 3, Interesting

    Nice troll, modded highly.
    I highly doubt your statements and even more so that extreme programming would do any good to an open source project.
    And don't even get me started on how complex projects were realized in the "early 90s" (and even earlier) that managed to be successful without extreme programming.
    Sure, XP does have its place and it may work under certain conditions - but for a project where the developers are far away, do not know each other personally and don't have the spare time to work on the project at the exactly same time - it would do much more harm than good.
    (And finally I could cite Joel on extreme programming, but I don't because I suspect that you fully know that XP is not the holy grail of programming methodologies)

    --
    Real life is overrated.
  13. Re:I trust Linux's security implicitly by blibbleblobble · · Score: 3, Interesting

    "I doubt the veracity of your story. The NSA has worked on a secure Linux distribution"

    And the government told them not to do it again. It was 'harming American business by encouraging competition to Microsoft'

  14. BugTraq... by Squidgee · · Score: 3, Interesting
    Now that I've thoroughly chastised the author about his spelling..

    The fact that there are fewer bugs on BugTraq pertaining to Windows than there are to Linux is beside the point: Most Windows users don't give a damn about posting on BugTraq. Most Linux users want to improve their OS, so they do post on BugTraq. And if Windows users did care...oh boy would BugTraq see some bugs...

  15. GNU is Not Linux! by RAMMS+EIN · · Score: 3, Interesting

    ``Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.''
    What they're forgetting here, though, is that Linux is actually GNU/Linux. The Linux kernel is a relative newcomer, but the GNU utilities that it uses have been in existence for quite a while, and have a history of testing on various Unices, etc. etc. These days, what matters is mostly the security of programs that connect to the 'Net. Vulnerabilities exist on both sides, but tend to be more braindead with Windows programs. M$ Outlook Express executes .exe attachments disguised as audio/x-midi inserted in HTML mail...WTF? Linux users are more likely to patch or upgrade to more secure software. The programs used matter, but the human factor can't be ruled out, either.

    ---
    Running as root is bad. I don't want to run as root. But now I can't modify my config files... Hmm, chmod -R o+w /etc/*
    Good, now I feel a lot safer...

    --
    Please correct me if I got my facts wrong.
  16. Re:Security depends on many things. by Ed+Avis · · Score: 2, Interesting

    'Structurally more secure'? What, with a single root account and no ACLs or capabilities?

    NT by *design* is much more secure than Unix, it's just the implementation and the apps (IIS, IE, Outlook, Office) which are royally screwed up.

    --
    -- Ed Avis ed@membled.com
  17. The history of bugs... by rosewood · · Score: 5, Interesting

    Once again we have an article that forgets the history of bug tracking and CERT. There was a time where everyone thought it would be best to alert the company first and let them fix a patch. Then we saw time and time again a company sitting on a problem and not wanting to issue a fix until the next big release they could sell.

    Then, the idea was to make a bug known publicly so that the company couldn't hide. Unfortunately, the company then denied that such an attack was possible. This led to the requirement of posting source or an example program that exploited the program - which before was just sent to the company - into the wild.

    This brings us to where we are now: Everyone (sysadmins, crackers, hackers, the media, and the company) knows about the problem and how it works at the same time. This means the company HAS to patch their software. This also gives your sys admin a better chance since he can know about an exploit and immediately begin watching it or take the affected program away until a patch is issued.

    The down side of course is smbdie being posted on /. and everyone in the university using it to crash computers campus wide. However, these idiots, the idiot sys admins and the idiots that made smbdie possible all had equal amount of time to do what they needed to do.

  18. What is this guy talking about? by ellem · · Score: 5, Interesting

    Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system."

    This makes no sense for several reasons:

    1 -- "a lot" more; how much is "a lot"?
    2 -- Linux the kernel or does he mean Red Hat?
    3 -- Didn't MS make a big deal about NOT posting to BugTraq for (snicker) "Security Reasons"?

    Hemmendinger sounds like a shill to me, and I don't even use Linux (Red Hat, et al) anymore.

    --
    This .sig is fake but accurate.
  19. Re:There's three kinds of lies... by MuValas · · Score: 2, Interesting

    Jack Wagner writes:
    It's generally known that studies have shown that teams of four can develop code one order of magnitude faster than 4 coders working separately and my experience backs that up.

    Really? Have any links to real studies to point this out? Did you get the information from a friend of a friend, too?

    Sorry, my experience does not agree with you. A great team of four can *maybe* be faster than four on their own, but certainly not 10x the speed.

    Extreme Programming has some interesting points, some of which I have taken to heart, but in general it's just a way to sell books and consulting services. I was consulting for Chrysler while Kent Beck (the "father" of extreme programming) was working on the C3 project (the foundational project for extreme programming), and the project was not exactly the success story it's made to be.

    Like I said, some good ideas, but it isn't worth the religious status people have given it.

  20. Linux security... by Junta · · Score: 3, Interesting

    First of all, it is hard to nail down what exactly that means. When most people utter those words, they refer to Apache/Linux/Linux Apps vs. IIS/Windows/Office.

    Very few security issues in the recent past have really had much to do with Windows itself, mostly IIS and some Office/IE vulnerabilities. Even with those, frequently the problem is that the administrators of targeted systems are not sufficiently security minded. Also, MS products draw a lot of attacks, simply because the systems are such a large target.

    The enhanced security of Linux, at least in part, is a self-fulfilling prophecy. When administrators are highly security conscious, they will often go to Linux to drastically reduce the sheer number of attacks they receive and are influenced by reputation. Sure Linux boxes with Apache have had a number of problems and worms, but those administrators are far more likely to update Apache than IIS administrators.

    One thing that really does make me think it would be difficult to update Windows as easily as Linux systems is the model for updating busy files. Under linux, the in-use inodes are kept open for the processes that need them, but the filesystem is updated for future processes. Under windows, the file updates are scheduled for reboot. Since so many of the updates for Windows touch so many files, updating IIS will likely require a reboot, huge no-no for mission critical apps..... Aside from that, I'm not so sure that Windows is that much less secure. However, I prefer linux because it *is* more flexible..

    --
    XML is like violence. If it doesn't solve the problem, use more.
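
The busy-file update model described in the comment above, shown as an added example that is not part of the original thread: replacing a file by rename leaves a running process on the old inode, so patched code is only picked up after a restart, and stale code mappings can be spotted in `/proc/<pid>/maps`. The file names, library path and sample maps lines are constructed for illustration, and the maps filter is a simplification.

```python
import os
import tempfile

# Constructed sample of /proc/<pid>/maps content (addresses and paths are made up).
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a20000 r-xp 00000000 08:01 393301 /usr/sbin/exampled
7f3a10000000-7f3a101c0000 r-xp 00000000 08:01 131090 /usr/lib/libexample.so.1 (deleted)
7f3a101c0000-7f3a101c4000 rw-p 001c0000 08:01 131090 /usr/lib/libexample.so.1 (deleted)
7f3a20000000-7f3a20001000 rw-s 00000000 00:05 1234 /dev/zero (deleted)
7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0 [stack]
"""

DELETED = " (deleted)"


def replace_while_open(old: bytes, new: bytes) -> dict:
    """Replace a file by rename while a handle to the old version is open."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "libdemo.so")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(old)

        # Stands in for a long-running process that loaded the old version.
        running = open(path, "rb")
        try:
            old_inode = os.fstat(running.fileno()).st_ino

            # Write the new version beside the old one, then rename over
            # the path. The old inode stays alive while it is held open.
            staged = path + ".new"
            with open(staged, "wb") as f:
                f.write(new)
            os.replace(staged, path)

            with open(path, "rb") as fresh:  # a process started after the update
                new_process_sees = fresh.read()
            return {
                "running_sees": running.read(),
                "new_process_sees": new_process_sees,
                "inode_changed": os.stat(path).st_ino != old_inode,
            }
        finally:
            running.close()


def stale_code_mappings(maps_text: str) -> list:
    """Return executable file mappings whose backing file was replaced or removed."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode pathname
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        perms, path = fields[1], fields[5]
        if "x" in perms and path.startswith("/") and path.endswith(DELETED):
            stale.add(path[: -len(DELETED)])
    return sorted(stale)


if __name__ == "__main__":
    print(replace_while_open(b"v1 unpatched", b"v2 patched"))
    print(stale_code_mappings(SAMPLE_MAPS))
```

A process listed by `stale_code_mappings` is still executing the pre-update code and needs a restart for the update to take effect.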
  21. Re:ActiveX is... by sqlrob · · Score: 3, Interesting
    Not at all. I have a fully functional system at home running win98 with no trace of mshtml, totally invulnerable to exploits that rely on ActiveX (which is the vast majority of exploits that affect 98.)

    You removed ActiveX *CONTROLS* and ActiveX scripting of IE, which is completely different from removing ActiveX.

    Look under your registry HKEY_CLASSES_ROOT/CLSID. If you have *ANY* entries under there, you are using ActiveX

    Not quite, that's COM,

    Yes, it is. The official definition of an ActiveX object is "implements IUnknown". Sound familiar? ActiveX is just the marketing name for COM.

  22. Re:ActiveX is... by Fizzlewhiff · · Score: 3, Interesting

    Windows applications will always be less secure than OSS because it's much more complex and used by millions more users. This is the fact that tends to get missed by people who blindly quote stats that they don't comprehend.

    Your reasoning for windows applications being less secure than OSS makes no sense.

    Closed source software is no more complex than its open source counterpart. The fact that millions use software package A over software package B does not make A less secure than B.

    I've never worked on an open source project because the closed source world keeps me too busy. But I would imagine it's very similar to working on a closed source project, the main difference being teams are not working at the same location. Still, everyone works on their assigned piece of the project and checks it in and hopefully the project leader and others on the team review the code and perform walkthroughs. In either world security holes (buffer overflows, etc.) should be spotted. So it's not the open or closed source model that leads to more secure code, it is the project management methodology and the people on the projects who lead to more secure code.

    The code most prone to errors in my opinion would be the code written by teams of one where virtually no review would be done. I believe you would find this type of development more often in an open source project but it could happen in either environment.

    The thought that security problems in commercial software being a conspiracy to make way for DRM and DRM based operating systems is laughable. I remember back in the early 90's a similar theory that IBM was writing the more common DOS viruses as a method to promote the usage of OS/2 because at the time no one had ever heard of any OS/2 virii. The fact that there was little OS/2 file swapping because there was little OS/2 native software never came into people's minds.

    --

    'Same speed C but faster'
  23. Re:Security depends on many things. by Anonymous Coward · · Score: 3, Interesting

    If the old UNIX permissions bits are so much better than ACLs, why did Solaris and all the other commercial UNIXes switch to ACLs years ago?

    The suggestion that the old UNIX method gives more finely-grained control than ACLs is perplexing. The ACLs on NT and Solaris, for example, can perfectly simulate old UNIX permissions bits for software that uses them (both are certified as UNIX by The Open Group), but old UNIX permissions bits couldn't possibly simulate the typical permutations of ACLs used on, for example, NT systems.

    The big drawback of ACLs is they're so much more powerful and complex that they're often confusing and often overkill for simple systems (e.g. cases where Linux is commonly used).

  24. Difference by AftanGustur · · Score: 3, Interesting


    I've *taken* MS curricula before and it's not a whole lot better than the online documentation. A typical 30 hour (4 day) class has about 2 hours of stuff you'd be unlikely to sort out through the UI and docs.


    My thoughts exactly when I took the NT server/admin/whatever course. I really felt like I had been had (or that the company I worked for had been had).

    Those awfully expensive Micro$oft courses do a la-la job of telling you what the software can do, but leave out entirely *how the software works*, which is exactly what serious admins need to know.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    1. Re:Difference by swb · · Score: 4, Interesting

      Those awfully expensive Micro$oft courses do a la-la job of telling you what the software can do, but leave out entirely *how the software works*, which is exactly what serious admins need to know.

      I've always wondered why people don't offer more in-depth courses that cover more than just remedial networking-101 and basic dialog box entry, since the "official" curricula is so empty. The answer is probably twofold:

      Most people are taking the classes for bad reasons: to pass the MS cert tests, to get out of work for a few days or because of work requirement. They're not actually interested in how it works.

      -or-

      Even scarier, it's because nobody (outside of 500 or so developers, MS employees and others who aren't telling) REALLY knows how it works! 15 years of weird coding, new features, parallel development paths, diverse coding groups, ad nauseam have rendered an OS and system that simply is too byzantine to be understandable by anyone. It's like a fractal design -- the closer you get, the more detail is revealed, which brings you closer, to more detail...

  25. Re:Flamebait indeed (Linux is older than Windows) by gosand · · Score: 3, Interesting
    In many respects, Linux isn't so much a "newer operating environment" - its pedigree is Unix, and it owes much of its core to long-established developments for much older systems. To say that it is "even newer than Windows" and to cite this as evidence that Linux is therefore less secure than Windows is rather irresponsible, to say the least.

    To get even more picky, Windows is used as a generic term. Most GNU/Linux distros are older than Windows XP or 2000. Some Linux and BSD distros are older than Windows NT. The core security model of all *nix systems is much older than any Windows security model.

    I didn't think much of this article, basically because it didn't really say anything.

    --

    My beliefs do not require that you agree with them.

  26. You can't compare Linux and windows by Junks+Jerzey · · Score: 3, Interesting

    In these type of discussions, Linux is equated with the Linux kernel, some device drivers, and maybe a handful of utilities like sendmail and so on. After that you get into debates about scripting languages and window managers and desktop environments and all that--none of which could be considered part of "standard" Linux.

    Standard Windows, however, includes graphics libraries and scripting systems and a GUI, and even tools like file browsers and Internet Explorer are considered part of Windows. Not surprisingly, most of the security problems are in those high-level tools, not the kernel itself. Now it could be argued that the kernel shouldn't allow tools to cause problems, but that's wishful thinking. Microsoft introduced a scripting language into Word, and that's been the cause of so-called "document viruses," for example.

    To do a fair comparison, you need to put together a Linux machine running KDE, Star Office, a graphical email client, and so on. And then you have to consider all security exploits in KDE and all applications that come with it. But of course that's never how comparisons like this are done. If a KDE application is at fault, then we're quick to dismiss it as a KDE problem, not a Linux problem. And so we run in circles with this kind of meaningless argument.

  27. Re:What timing! by ibennetch · · Score: 2, Interesting

    Show me an out of the box windows OS with an ftp server in it

    windows 2000 advanced server. I've got it running because I'm doing some development work on the side and they want me to have the same OS as the servers have. I'm not a windows admin by nature but know my way around a server pretty well. the windows FTP service starts by default; as well as http, nntp, smtp, and probably many others I don't know about - the point being that yes, windows does start BY DEFAULT with all these services running. Granted, it is a server OS but still; not the most secure way of doing things...

  28. Lets define operating system... by PetiePooo · · Score: 2, Interesting
    GNU/Linux O/S:

    Linux kernel

    GNU binutils

    glibc

    Microsoft Windows 2000:

    Windows 2000 kernel and DLLS

    Internet Explorer

    Outlook Express

    NetMeeting

    Pinball

    The Kitchen Sink

    etc.

    The choices of what you don't want to install in Windows are very limited. I do custom installs whenever I install any operating system. Windows comes with all the bells and whistles, free of charge (yeah, right!) and installed whether you want them or not.

    Ever try removing the pinball executable in Windows 2000? "System Protection Services" pops it right back in place! Since when can a pinball game be considered part of the operating system?!?

    At least Linux allows you to install just the pieces and parts you want. Especially on servers, a minimal system is inherently more secure. It's simple guys and gals: if it ain't installed, you can't exploit it!

    Note for the purists: Yes, I've left out some packages that are required for a functional Linux install. Stop nit picking and get my point.

  29. Re:Quick Comments... by Anonymous Coward · · Score: 1, Interesting

    * The article lacks credibility. Security is a complex issue. There are very few organizations qualified to present it authoritatively. Who is NewsFactor? Who is Masha Zager? What is the "Informations Systems Security Association"?

    Masha is an author for hire. http://www.bridgewriter.com/examples.html

    This time the client is m$. Hope they paid well.

  30. Re:Nice spin on the article by Black+Copter+Control · · Score: 3, Interesting
    Well, what I'm asking is what's inherently wrong with a GUI? *Should* server administration necessarily be difficult?

    GUI administration is not necessarily more or less difficult than CLI administration.

    Knowing which menus you have to wind your way through to bring up the ipconfig utility is not any easier than just remembering the ipconfig command name. I, for one, have sometimes spent half an hour or more trying to remember what magical sequence of menus and options are required to get to the 'friendly' GUI display that I know is there, but I forgot to click on some obscure option 4 menus back. Navigating those menu options is like running a rat's maze. Anybody ever run into a user who never knew that you had to click on a folder to get the 'find file' menu in Win/95? Is this really easier than typing ' find -name "purple*" -size +50 '?

    Besides having to remember where to find the GUI commands, one also has to take into account that GUI interfaces inherently take way more resources than a CLI interface. If I'm in Atlanta for a conference and I find out that there's something wrong with my Linux server in Seattle, I can call in using my laptop's modem and fix the system from anywhere (even in flight). Trying to do the same with a Windows box pretty much requires me to have an ADSL connection. One also has to take into account the resources demanded on the Server end of things. If my server is already within an inch of crashing, the last thing you want to do is load it down further with a 50MB GUI that eats 15% of the machine's CPU. -- and if I want a 'user friendly' interface without the load of X, CLI interfaces can include menu-driven utilities that are about as easy to use as GUI interfaces, but cause 1% of the CPU load.

    There's also the question of scripting. If I have something that I'm going to be doing more than a few dozen times, I'll often write a shell script that does most of the work for me. Preferably, the script can just run entirely automated, then I can just run it as needed with cron or triggered by some other program. That's something that's a lot harder to do with a GUI -- and a lot less portable.

    Unix doesn't require one to use CLI solutions -- They're available as an optional tool. The availability of those tools is, I think, part of the reason why your average Unix admin can handle way more machines than your average Windows admin. GUI tools are also available to a UNIX admin, but I only use them when they're appropriate to what I'm doing.

    --
    OS Software is like love: The best way to make it grow is to give it away.