Slashdot Mirror
Windows vs Linux On Security
e8johan writes "NewsFactor is running an article asking whether Linux really is more secure that Windows. I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen, but they do make some good points, especially when discussing Open Source and security."
Which is more secure is such a hard question. UN*X is structurally more secure in many people's opinions. Windows also has the disadvantage that it has many clueless admins (even the certified ones). I think that's a big part here, any OS is as secure as the admin, a well managed Windows box can be more secure than a badly run Linux box... A propper comparison will be much more complicatec than this article.
Security problems exists - it may or may not be worse in Linux than windows...keep your systems updated regardless.
C'mon...this was nothing but flamebait - nothing news worthy there at all.
About the only telling thing is the top line about MS turning towards spending $$$ towards security - perhaps that includes buying blurbs like this saying Linux ain't perfect either.
Is this a new Linux distro I haven't heard about? Is it Debian-based like Storm Linux was?
I've got a fever and the only prescription is more COBOL.
My home box has Apache, but no ssl I really dont need secure transactions that much, if I did I would keep it up to date just like everything esle I use. Now lets look at Nimda, what % of people on windows use outlook/outlook express, and of these how many would not keep their system up to date.
Point is one is a server deamon exploit (used by a very small % of linux servers (say 10-20% tops), and one is a mail client exploit used by a mojority of windows users (so there will be many oure out of date versions per capita)
Yet again, we find an article that points to the significant number of Linux bugs going through BugTrack. The turn-around time for the patch in Linux is usually quite fast. Commercial software makers are starting to sue individuals for disclosing security vulnerabilities.
How many bugs for Windows have been swept under the rug? How many software vendors out there have patch security holes, and requested that their customers download the latest 'maintenance' patch?
Just ask some of the truly gifted individuals in security what they think of security through obfuscation.
It seems that Hemmendinger argues that the newer the software, the higher the likelyhood of bugs. While that argument sounds valid, it would only hold up under the following conditions.
1. Both platforms stem from an equal amount of design history.
2. Both platforms use technology of comparable complexity.
3. Both platforms refused to make concessions in software integrity to deliver their products.
4. Both platforms actively avoid known pitfalls in thier chosen architecture.
5. Both platforms remove flaws at approximately the same rate.
None of these conditions (and I'm sure there are more) exist in the comparison of Linux to Windows making the "age" argument a very weak one.
"Linux is not being considered until the development model is safe."
Translated this reads: "I only know Windows so stop threatening me, for job security reasons we can't use Linux." Anyone that claims that the development model is unsafe is showing their fundamental misunderstanding of said development model. That would be the same as saying that the pharmaceutic industrie's development model is unsafe. It's essentially the same model. OSS allows for peer review, which ALWAYS makes more secure software. Look at crypto algorithms for another example.
"Herbivores eat well cause their food never, ever runs."
um, I don't get it. How does newer == "less secure" in this scenario? Sure, the older and os the more time it's had for the kinks to be worked out of it. But doesn't method have something to do with it also? Linux is developed in an open and peer-reviewed environment. It's maturing much faster than windows. There's no reason to compare the two in the way the author's done. Faulty thinking on his part.
What's also got to be factored in is the severity of the bug. A buffer-overflow that lets a cracker rm / is serious. A buffer-overflow that lets code run with the perms of the user owning the service in a chrooted directory is also serious, but much less so.
The author also babbles about the volume of security-related issues on BugTraq... I'm not the first and I won't be the last to point out the rather obvious logical flaw here. If Bugs are getting reported and being quashed then they don't pose a threat any more. If the bugs aren't reported because a certain company based in Redmond Washington won't allow them to be reported... well, it's kinda obvious from there.
That said, it is indeed encouraging to see more and more people concerned about security. I think the message is slowly being driven home.
Just last night, a buddy of mine did a security scan of the Linux box I use at home as a gateway for my other 4 computers. The only security problem found was with the version of wu-ftpd that I'm running.
No problem, I thought, I'll just upgrade it. So, my first step was to download it from wu-ftp's ftp site, only to realize I was going to have to figure out how to build it (that was simple, except I kept getting two or three errors in the compilation. I'm assuming my gcc is out of date) and then how to install and replace all the existing stuff (I have no idea how, and I don't have time to learn it).
So, I figure I'll go to RedHat, download the RPM and just install that. Which I do. Ran RPM to install it, no messages, try to FTP in, still running the old version. Shut-down and re-start, same thing.
Folks, I know most of you are Linux fanatics, but if a programmer with 23 years of programming experience can't manage to upgrade a simple application in under 30 minutes, Linux will never make it to the masses.
There's nothing I'd like more than to see Linux replace Windows on every desktop. When Linux is ready. Frankly, I don't think it is, and I think it's still got a long way to go. Sorry.
The user makes all the difference. What software you choose to run, and how you choose to configure and audit things. How much care you give to security issues and how much knowledge of basic security you have.
However, if you are competent and security-minded, it is quite easy to make a Linux box extremely secure against all but the most directed and knowledgeable attackers, which are quite rare. If you run Windows, no matter how hard you try you're still gonna be fairly hosed. Some things just can't be fixed reasonably on that platform.
11*43+456^2
Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows. Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.
Very few of these messages are related to the Linux kernel itself. I find most of these to be about packages included with most major distributions.
So many programs get lumped into 'linux' and this is forgotten.
Imagine if EVERY time there was a patch for a Windows app, it was checked off in the 'windows' category.
Then again, there are more Windows apps than Linux...
This sentence from the article really drew my attention:
Mainframe operating systems, which have been perfected over decades, have very few security flaws. Security problems on mainframes tend to be caused by administrators' errors.
Obviously, this guy does not know what he is talking about.
My father used to be a mainframe security officer at a Fortune 500 company. He knew mainframes inside and out and was always pretty much on top of things -- and he started his career on old IBM with punch cards, if you see what I mean.
Anyway, his company would hire (once every three years) an external consultant to test the security of the systems my father took care of. This consultant could gain the mainframe equivalent of "root" access in 30 minutes or less.
A mainframe operating system is not secure -- it's very stable (uptime=99.9999%), though, but that's a different thing.
My advice? If you want security, get OpenBSD. If you want the latest gizmo, get Linux (a real Linux) and invest some time in securing your installation...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Microsoft has worked very hard to make ActiveX an integral 'part of the operating system' - it's a pain to get rid of it even on older systems, and I don't believe anyone has even worked out a way to properly disinfect it from XP to date (if I'm wrong give me a link, litepc.com is still working on it, it's a tough problem.) ActiveX is also the very exemplar of security hole from the ground up. Despite all the lip-service given recently to the concept of security by Microsoft, this particular policy, by far the biggest cause of security flaws, has been intensified over time, not backed off from. This makes Microsoft systems and security antonymical.
Now there are some smart folks at Microsoft, I can't credit the theory that no one there understands what they are doing. The alternative, of course, leads to what may be denigrated as 'conspiracy theory' but in this case it seems reasonable, for the reasons stated above. What does Microsoft gain by making their systems inherently insecure? A rationale for the 'necessity' of so-called security schemes (that really don't have anything to do with security, but rather with centralised control) such as DRM. Flood the net with insecure boxes and then cash in later by 'solving' the problem in a way that makes you the effective gatekeepers of the internet. Now there's a business model with some profit potential.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
> I think that's a big part here, any OS is as secure as the admin...
I would have said "the admin sets an upper bound on system security". The OS could still undershoot that bound.
Sheesh, evil *and* a jerk. -- Jade
Many people thought prior to Slapper coming out that Linux was somehow impenetrable to malware ... VB has a good article (written before Slapper came out, as it happens) on why this is largely untrue:
l inux_malware.xml
http://www.virusbtn.com/magazine/archives/200209/
Score:-1, Funny
I wonder if Windows' security problems aren't as much the fault of the everything-but-the-sink integration and legacy support, and abysmal documentation as they are inexperienced and unknowledgable administrators.
A lot of the IIS exploits are built around "integration features" turned on by default and not well (at all?) documented. How do you disable what you don't know exists? And that's just IIS -- there's more hidden surprises buried in the OS known by hard-core developers and MS only.
Third party resources? You can't say "take a class" -- I've *taken* MS curricula before and its not a whole lot better than the online documentation. A typical 30 hour (4 day) class has about 2 hours of stuff you'd be unlikely to sort out through the UI and docs. Books? Usually no better than the online docs and often *worse*, and that's if you can manage to wade through a sea of 'em to find one that's not just screenshots of the online docs!
My experience with Linux and (predominately) FreeBSD is that while the UI of these OS's is often less untuitive, the documentation, even man pages, while dense is far closer to complete than Windows and there's a lot less hidden "gotchas". One of the great things about textual config files is that most sample configs, especially with stuff like Apache, Squid, etc is that the configuration docs are integrated with the config. You just can't do that well with Windows, which is moot anyway, since MS *doesn't* do it with their default configs.
My point is that while its fun (and often fair) to blame clueless admins, they're also admining a system that seems to try very hard to defy people who want to learn -- Just Click Here And It'll All Be OK. If they could learn and understand the operation of the system(s) and their archtecture they'd get a lot smarter. MS makes it hard to do this so people don't.
In many respects, Linux isn't so much a "newer operating environment" - its pedigree is Unix, and it owes much of its core to long-established developments for much older systems. To say that it is "even newer than Windows" and to cite this as evidence that Linux is therefore less secure than Windows is rather irresponsible, to say the least.
Similarly, the quoting of a few minor-but-exaggerated viruses etc., and to imply that these stack up to anything remotely comparable to the plethora of such issues that plague the Windows OS, is quite ridiculous.
Let's face it - this is FUD. "Microsoft has organized a huge security program" and (Linux is) "less disciplined but more timely" -- such soundbites have been carefully calculated.
Of *course* security comes to more than the Operating System alone; still, one can only gape at such inane comments as "the existence of security flaws -- and of hackers willing to exploit them -- does not necessarily add up to more risk for users".
This is FUD that is based on the vaguest understanding of security, upon one man's comments, upon old, tired misunderstandings about the merits of "single commercial entities" -- in short, it is the usual chest-pumping pro-Microsoft FUD from someone who knows very little about which he speaks.
I think your IT director is right, rely on an American Operating System, coded 100% by Americans, yes, we're talking Microsoft Windows 2000. Deep in their heart of hearts, Bill Gates, Staver Ballmore and Jim Allchin know that America is the best country for them to live in (if they lived in England, half their personally generated wealth would be taken away to buy heroin for junkies), and they will work hard to make a safe OS that willl ensure the American hegemony.
Linux is fine for a hobby, but I wouldn't trust my country with it.
Playing devil's advocate here but....
MS could have documentation that is just as good, and contextual like a squid conf file.
The problem is that people stop clicking the question mark cursor (contextual help) after doing it about 10 times and getting "This is a text box, you enter text into it" or "click the check box to toggle this option on or off".
So, IMO, it's not so much that they can't, it's that they don't.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Because security through obscurity has worked out so well for Microsoft in recent years, hasn't it?
While there may be a significant number of vulnerabilities that have existed in Linux applications (a rare few in "Linux" itself, I might add), they're almost always fixed in a timely manner. More than can be said for our Cathedral competitor.
Moreover, the security model of even a relatively loosely secured Linux system helps prevent overall system damage and widespread deployment of such vulnerabilities. Consider the spread of CodeRed or Nimda compared to that of Slapper or Ramen. I'm no mathematician, but I do believe we're talking an order of magnitude in difference here. Before somebody reminds me for the umpteenth time that Microsoft is more widespread; let's concentrate on web server vulnerabilities. These guys disagree wholeheartedly.
Also to be considered is the sheer number of updates that appear on the WindowsUpdate site with no big uproar, and the potential number that are buried deep inside their service packs (104MB for XP, 106MB Win2k SP2 with a 17MB "security roll-up" and subsequent SP3, etc.). With atleast a quarter GB of updates to Win2k systems - that's a lot of fixes! The open source community is just a lot more ... open about the chinks in our armour, which gives statisticians a field day in coming up with reports and editorials about how bad off we are.
Of course, were I to deploy a mission-critical server installation running Linux, I still have the ability to audit the entire codebase (or hire somebody/a team of somebodies to do it for me). With Windows, that's apparently possible, in a small part, and at a very large price (I understand that enterprises can purchase large chunks of the Windows codebase for a few hundred thousand dollars, but don't quote me on it.) on top of the expense in hiring the programmers. This is not to mention the fleet of tens of thousands of eyes always staring at the code of larger projects day in, day out.
Of course I wouldn't install a GUI on my server - but does Win2k or WinXP give you that option? Of course not.`Microsoft's bread-and-butter is having that GUI shoved in your face at all times with the Internet Explorer icon emblazoned on the desktop and etched forever into the back of your retinas. The Windows Scripting Host and VBS support are all part and parcel with their Master Plan to have integrated desktops with unified interfaces (remember, Microsoft server administration is aimed at monkeys, not trained professionals. (Disclaimer: This isn't to say there aren't talented Microsoft administrators out there, only a comment on the target market of the Windows point-and-shoot interface for servers)).
Interesting to note, BTW, that Windows Professional and Server operating systems ship with RPC, Remote Registry Editing, Background Information Transfer Service (BITS), among other things enabled PER DEFAULT . Microsoft claims to be shifting their focus to security, but quite frankly, the default "Automatic" services list in Windows XP doesn't impress upon me a great feeling of security either.
Remember too that Windows (both the 9x and NT trees) were designed to be single user platforms (the NT tree coming from OS/2 - a single user platform) with multi-user support kludged into place. Only recently is there some form of organization as to where users store their individual documents and settings, but the de facto software installation course sees users installing things throughout the root of the filesystem still, because that's the way it's always been.
With a pretty basic set of hardening scripts (filesystem permissions, firewall rules, etc..) Linux can be made infinitely more secure than Windows, and I believe it will always be more secure if the administrator (behind both the Linux and Windows keyboards) are on the ball. Why? Because I believe OSS vulnerabilities will always be patched sooner, tested by a wider range of people, and applied sooner than the alternative closed-source Windows patches. Also, auditing a patch (diff) file is entirely do-able for one or two programmers in an afternoon - something that makes rapid mass-deployment of patches far more plausible, whereas in the Microsoft world the patch/update method is essentially "Test patch on several machines with similar configuration. If nothing breaks, apply it to the front-line servers."
Morality and security wise, I think I'll stick it out with Linux and let the statisticians throw around all the numbers they want. I'm comfortable right where I am, thankyouverymuch.
BD Phone Home!
Shameless plug. Like you weren't expecting it.
And sometimes only once, when the discoverer posts and then nothing from Microsoft. Heck, by this logic, the most secure system is the one where the vendor never ever acknowledges security problems, much less fixes them.
I read the internet for the articles.
I've used UNIX and Linux for close to ten years, and by now I have a pretty good idea how to do things in a secure and functional way. I've only had to admin an NT box once, and I migrated services off of it as quickly as I could.
Why? Not because I had any direct evidence of insecurity (this was before the real flood of NT vulnerabilities began), but because I knew I could do a better job with the tools I knew best.
But also:
- the NT machine tended to bluescreen every month or so for no apparent reason. The MCSE on staff was not overly troubled ("Oh I see the problem, it just needs a reboot"), but its flakiness did not fill me with confidence.
- the MS tactic of bundling the kitchen sink with the OS is just asking for trouble. Linux's modularity means you don't have to have a graphics layer on the server, for example, or any other unnecessary frills that provide opportunities for crackers.
- I believe the full-disclosure bug reporting model is orders of magnitude more responsive than what you get from proprietary vendors. Afaik, lots of reported linux bugs == lots of bugs get fixed because lots of people have access to the code.
- really excellent security tools are freely available: iptables, xinetd, snort, tripwire, nessus, nmap, chroot, etc. An interested beginner could make a linux server very hard to break into. I know {NT,W2K,XP} has more wizards and stuff, but is it easier (or even possible) to really see and control what's happening with the OS?
1) The author cited as fact that the age of the operating system is directly related to its security, without any kind of proof. This makes sense at first glance, but it ultimatly glosses over the fact that both OSes are in constant development. New features are added every day. This might make sense if, after developing the system, all the time after that was spent patching and debugging, but this isn't the case.
2) The author has no concept of service vs. system. Most vulnerabilites are in sevices, not at the kernel level. All Linux is just a kernel. Packages are added to make a usable Linux distro.
3) The author cites number of bugtraq entries as a way of gauging relative security, without considering the severity. Also, bugs, like those reported to Security Focus aren't the only vectors of compromise
4) Open source software, by virtue of being free, allows an administrator to install much more security software for his dollar. Firewalls, IDSes, advanced cryptographic file systems, HIDS, and virus scanners can all be downloaded for free.
Just because someone has a different opinion that yours does not mean he is wrong and you are right.
Sometimes I find slashdot highly biased. I think the karma of your comment of +4 is a little to overated since its biased.
Most highly secure military labs like the dod use VMS because they have a license to see and audit the source code? I remember reading a comment earlier this year mentioning this but I do not know if its true. I would not be supprised if the military uses their own operating sytems for critical systems that handle nukes and keep tract of military operations worldwide. You need alot of certification to run an approved os with approved hardware. I believe c3 certification is required.
1.) c2 certication is required.
Yes, Windows2k and NT are c2 certified while Linux is not. What we need to do is fund a lab to make it certified. People who do government purchasing will not buy a system that is not c2 certified. I believe this was probably one of the reasons linux was turned down. I am aware of the fact that Microsoft's c3 tests were not connected to a network but that is really part of the certifaction process. Any server that is connected or has a floppy drive is automatically disqualified so please don't rant on this.
2.) The second issue has to deal with the development model. The labs security department does has a valid concern that you may or may not agree with. I too would rather trust a proprietary OS with a special license to look at and audit the source code or a homebrew OS for such a situation.
They do not know who Linus is and yes it is possible that the government of China for example can add some worms or backdoors into it. Remember that China is standardizing on linux and maybe funding part of it and donating code!
Yes their is no security in the linux development environment and no having Linus decide which code gets patched in the kernel is not good enough for military use! The bsd crowd has been complaining about this for awhile. They would like cvs to prevent someone from adding something to the kernel. I do not agree with this analogy but if their was a cvs tree with at least minimal security on who gets to commit and write, then it would not bother the security freaks as much. From what I heard, Linus still does not use cvs and just patches code he receives from email. I remember several commits by him in which he says he will never use CVS.
The preference for Windows2000 however does not make any sense. Its all closed source and a few spies could actually work for Microsoft. You never know. If they can look at the code, then they can do an extensive audit. However like I mentioned above, win2k is c2 certifed so thats why they use it.
http://saveie6.com/
Once again we have an article that forgets the history of bug tracking and CERT. There was a time where everyone thought it would be best to alert the company first and let them fix a patch. Then we saw time and time again a company sitting on a problem and not wanting to issue a fix until the next big release they could sell.
/. and everyone in the university using it to crash computers campus wide. However, these idiots, the idiot sys admins and the idiots that made smbdie possible all had equal amount of time to do what they needed to do.
Then, the idea was to make a bug known publically so that the company couldnt hide. Unfortunatly, the company then denied that such an attack was possible. This lead to the requirement of posting source or an example program the exploited the program - which before was just sent to the company - into the wild.
This brings us to where we are now: Everyone (sysadmins, crackers, hackers, the media, and the company) knows about the problem and how it works at the same time. This means the company HAS to patch their software. This also gives your sys admin a better chance since he can know about an exploit and immediately begin watching it or take the effected program away until a patch is issued.
The down side of course is smbdie being posted on
The ultimate network admin tool needs HELP!
Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system."
This makes no sense for several reasons:
1 -- "a lot" more; how much is "a lot"?
2 -- Linux the kernal or does he mean Red Hat?
3 -- Didn't MS make a big deal about NOT posting to BugTraq for (snicker) "Security Reasons"?
Hemmdinger sounds like a shill to me, and I don't even use Linux (Red Hat, et al) anymore.
This
Almost nothing is routinely secure "out of the box". And even OpenBSD has had its share of black eyes.
It's not a question of "How secure is it"...it's a question of how securABLE it is. IIS is securable, so is Apache. The problem with IIS is that it's usable by the low end of the technical spectrum who don't know or don't take the time to secure it. People who use *nix/*nux and Apache are almost techies by definition. They generally have the attitude to secure their boxes.
The irony is that with a flurry of points and clicks, IIS is easier to secure than Apache. However, nobody does it.
he has access to.
My experience is that it is really hard to find *good* documentation for advanced topics in the Microsoft world. (especially when you need it). I guess that there are good books out there, but when I needed information I was not at the bookstore.
On the other hand, Linux/Unix is very well documented. And when you hit the wall, you can always look around in the source code.
Panayotis.