Slashdot Mirror
Windows vs Linux On Security
e8johan writes "NewsFactor is running an article asking whether Linux really is more secure that Windows. I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen, but they do make some good points, especially when discussing Open Source and security."
From the article:
Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.
This is probably true, but only because for Linux, every security vulnerability gets posted multiple times, once for each vendor that has released updated packages, plus once by the vulnerability discoverer (so you get one by the discoverer, and one by redhat, debian, mandrake, suse, turbolinux, grandmasfavouritedistro, etc).
In contrast, with Windows, you only see a posting related to a single vulnerability twice - once by the discoverer and once by Microsoft.
It appears to me if you count each vulnerability only once, there have been more Windows-related than Linux-related.
These aren't exactly a part of the operating system, though, are they? Any poorly set up system will be vulnerable. I'm no huge fan of MS's bloated products and crappy license arrangements, but I mean, really...
Roving Web-Teleoperated Robot
It seems that Hemmendinger argues that the newer the software, the higher the likelyhood of bugs. While that argument sounds valid, it would only hold up under the following conditions.
1. Both platforms stem from an equal amount of design history.
2. Both platforms use technology of comparable complexity.
3. Both platforms refused to make concessions in software integrity to deliver their products.
4. Both platforms actively avoid known pitfalls in thier chosen architecture.
5. Both platforms remove flaws at approximately the same rate.
None of these conditions (and I'm sure there are more) exist in the comparison of Linux to Windows making the "age" argument a very weak one.
um, I don't get it. How does newer == "less secure" in this scenario? Sure, the older and os the more time it's had for the kinks to be worked out of it. But doesn't method have something to do with it also? Linux is developed in an open and peer-reviewed environment. It's maturing much faster than windows. There's no reason to compare the two in the way the author's done. Faulty thinking on his part.
What's also got to be factored in is the severity of the bug. A buffer-overflow that lets a cracker rm / is serious. A buffer-overflow that lets code run with the perms of the user owning the service in a chrooted directory is also serious, but much less so.
The author also babbles about the volume of security-related issues on BugTraq... I'm not the first and I won't be the last to point out the rather obvious logical flaw here. If Bugs are getting reported and being quashed then they don't pose a threat any more. If the bugs aren't reported because a certain company based in Redmond Washington won't allow them to be reported... well, it's kinda obvious from there.
That said, it is indeed encouraging to see more and more people concerned about security. I think the message is slowly being driven home.
This sentence from the article really drew my attention:
Mainframe operating systems, which have been perfected over decades, have very few security flaws. Security problems on mainframes tend to be caused by administrators' errors.
Obviously, this guy does not know what he is talking about.
My father used to be a mainframe security officer at a Fortune 500 company. He knew mainframes inside and out and was always pretty much on top of things -- and he started his career on old IBM with punch cards, if you see what I mean.
Anyway, his company would hire (once every three years) an external consultant to test the security of the systems my father took care of. This consultant could gain the mainframe equivalent of "root" access in 30 minutes or less.
A mainframe operating system is not secure -- it's very stable (uptime=99.9999%), though, but that's a different thing.
My advice? If you want security, get OpenBSD. If you want the latest gizmo, get Linux (a real Linux) and invest some time in securing your installation...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Many people thought prior to Slapper coming out that Linux was somehow impenetrable to malware ... VB has a good article (written before Slapper came out, as it happens) on why this is largely untrue:
l inux_malware.xml
http://www.virusbtn.com/magazine/archives/200209/
Score:-1, Funny
I wonder if Windows' security problems aren't as much the fault of the everything-but-the-sink integration and legacy support, and abysmal documentation as they are inexperienced and unknowledgable administrators.
A lot of the IIS exploits are built around "integration features" turned on by default and not well (at all?) documented. How do you disable what you don't know exists? And that's just IIS -- there's more hidden surprises buried in the OS known by hard-core developers and MS only.
Third party resources? You can't say "take a class" -- I've *taken* MS curricula before and its not a whole lot better than the online documentation. A typical 30 hour (4 day) class has about 2 hours of stuff you'd be unlikely to sort out through the UI and docs. Books? Usually no better than the online docs and often *worse*, and that's if you can manage to wade through a sea of 'em to find one that's not just screenshots of the online docs!
My experience with Linux and (predominately) FreeBSD is that while the UI of these OS's is often less untuitive, the documentation, even man pages, while dense is far closer to complete than Windows and there's a lot less hidden "gotchas". One of the great things about textual config files is that most sample configs, especially with stuff like Apache, Squid, etc is that the configuration docs are integrated with the config. You just can't do that well with Windows, which is moot anyway, since MS *doesn't* do it with their default configs.
My point is that while its fun (and often fair) to blame clueless admins, they're also admining a system that seems to try very hard to defy people who want to learn -- Just Click Here And It'll All Be OK. If they could learn and understand the operation of the system(s) and their archtecture they'd get a lot smarter. MS makes it hard to do this so people don't.
Once again we have an article that forgets the history of bug tracking and CERT. There was a time where everyone thought it would be best to alert the company first and let them fix a patch. Then we saw time and time again a company sitting on a problem and not wanting to issue a fix until the next big release they could sell.
/. and everyone in the university using it to crash computers campus wide. However, these idiots, the idiot sys admins and the idiots that made smbdie possible all had equal amount of time to do what they needed to do.
Then, the idea was to make a bug known publically so that the company couldnt hide. Unfortunatly, the company then denied that such an attack was possible. This lead to the requirement of posting source or an example program the exploited the program - which before was just sent to the company - into the wild.
This brings us to where we are now: Everyone (sysadmins, crackers, hackers, the media, and the company) knows about the problem and how it works at the same time. This means the company HAS to patch their software. This also gives your sys admin a better chance since he can know about an exploit and immediately begin watching it or take the effected program away until a patch is issued.
The down side of course is smbdie being posted on
The ultimate network admin tool needs HELP!
Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system."
This makes no sense for several reasons:
1 -- "a lot" more; how much is "a lot"?
2 -- Linux the kernal or does he mean Red Hat?
3 -- Didn't MS make a big deal about NOT posting to BugTraq for (snicker) "Security Reasons"?
Hemmdinger sounds like a shill to me, and I don't even use Linux (Red Hat, et al) anymore.
This
Those awfully expensive Micro$oft courses do a la-la job of telling you what the software can do, but leave out entirely *how the software works*, which is exactly what serious admins need to know.
I've always wondered why people don't offer more in-depth courses that cover more than just remedial networking-101 and basic dialog box entry, since the "official" curricula is so empty. The answer is probably twofold:
Most people are taking the classes for bad reasons: to pass the MS cert tests, to get out of work for a few days or because of work requirement. They're not actually interested in how it works.
-or-
Even scarier, it's because nobody (outside of 500 or so developers, MS employees and other who aren't telling) REALLY knows how it works! 15 years of weird coding, new features, parallel development paths, diverse coding groups, ad nauseum have rendered an OS and system that simply is too byzantine to be understandable by anyone. It's like a fractal design -- the closer you get, the more detail is revealed, which brings you closer, to more detail...