Windows Developers Agree: Linux More Secure

theblackdeer writes "eWeek has an article up about an Evans Data Corp survey that the majority of Windows developers agree that linux is a more secure OS. "Linux scored high for innate security among respondents, more than two- thirds of whom 'use or target Windows with their code.' Indeed, only 23 percent of the developers were primarily Linux developers.""

But why would you listen to a Windows developer

Seriously, the people have been programming Windows all their career, and now somehow you ask them for authoritative opinion that requires knowledge of a multitude of platforms.

What's next?

Linus Torvalds agrees, VB is pretty cool.

RMS agrees, Microsoft Visual Studio .NET is the best tool available for J#.NET

Re:But why would you listen to a Windows developer

[gazbo]

It's posted by Michael. He is pretty much universally agreed to be a jerk. He posts anything that fits his agenda, without even paying lipservice to journalistic integrity.

In Michael terms, this could be considered a rational and reasonable post.

Re:But why would you listen to a Windows developer

[Monkelectric]

He posts anything that fits his agenda, without even paying lipservice to journalistic integrity.

shhhhh! He's trying to get noticed by fox news.

Re:But why would you listen to a Windows developer

In related news, a survey also indicated that 99.82% of Windows programmers are currently logged in as "Administrator", and disabled all IE security features to make it easier to develop COM components.

They might think that Linux is more secure, but it's doubtful that they care that much about security.

Re:But why would you listen to a Windows developer

[ajole]

W00t!

Excellent post.

Re:But why would you listen to a Windows developer

[c4ffeine]

Don't forget, another recent study showed that 95% of all statistics are made up... and that 115% of all studies are BSed because the authors didn't really know what they were talking about

Baloney

[prostoalex]

Put the following in your web server cgi-bin:

#!/usr/bin/perl

use CGI;

my $cgi = new CGI;
my $input = $cgi->param("userinput");
system($input);

and let me know what the URL of your Linux box is.

Re:Baloney

[vigilology]

Give us the URL of your Microsoft box. You don't need to give us special permissions. We'll make our own.

Re:Baloney

haheheha change ur lunix pasward to hakked an I hak u! proof lunix si insekure!

Re:Baloney

[AT]

Because it is possible to write an insecure program in Linux, Linux is less secure? What a total non-sequitur.

It is trivial to write the above program in any language on any platform; that has absolutely nothing to do with an operating system's security.

What you will notice, though, is that with most Linux/Apache setups, $input will run as user "nobody" or "apache", with very few privileges, so an additional local root exploit would be necessary to do real damage. Unix was designed from the start to allow untrusted users to run programs locally. Its also worth noting that some Windows services can be locked down the same way, but in general, a remote exploit on a Windows box will almost always give you Administrator access.

Re:Baloney

[prostoalex]

This was intended as humor, perhaps misunderstood by moderators. Of course OS-level security (where you depend on underlying OS code) is different from app-level security (where anyone writing the app can introduce serious holes).

Once again, wasn't intended as a flamebait.

Re:Baloney

[pebs]

My root password is "i2n5i3hs]f ds4 a" without the quotes. I'm running OpenSSH on port 22, open to everyone.

Just try and hack me. You may find the root password is not enough.

Re:Baloney

You may find the root password is not enough.

Well, an IP address might help... ;-)

Re:Baloney

[pebs]

Well, an IP address might help... ;-)

Oh sorry, my bad. 192.168.1.69
If that doesn't work, try 127.0.0.1

Re:Baloney

[pla]

Oh sorry, my bad. 192.168.1.69

ha. Hilarious.

And here I thought perhaps you really had a point to your challenge, rather than a badly overused joke.


Personally, I wanted to find out what sort of security you had that would make knowing your root password not useful. I've had to run a number of systems where far too many people had root access (by order of the geniuses in management, not actually a necessity), and would love to know how to technically satisfy that without really giving people god-like access to a given box.

(Same poster as AC, forgot to log in last time).

Re:Baloney

[pebs]

Personally, I wanted to find out what sort of security you had that would make knowing your root password not useful.

By default, SSH does not allow root login. Granted, a determined hacker would find a way to crack one of my user accounts and then I'd be fucked :) But that would probably be the case even if I didn't hand out the root password.

Re:Baloney

http://www.microsoft.com.

Yeah.. didn't think so.

Re:Baloney

[cakoose]

Um...that URL is for a Linux machine.

Re:Baloney

[molnarcs]

FreeBSD jails?

Re:Baloney

[pebs]

nt

Yeah but...

[curtisk]

"Development experience talks, a higher percentage of Windows developers said Linux is more 'innately secure' than did Linux developers."

What do they base this perception or opinion on? Actual roll-up-your-sleeves analysis or the "features list" on their distro's box? Its kinda vague.

Re:Yeah but...

[PainKilleR-CE]

What do they base this perception or opinion on? Actual roll-up-your-sleeves analysis or the "features list" on their distro's box? Its kinda vague.

The survey was simply asking about perception, not why that perception existed. More than likely a great deal of that has to do with the number of security patches that have come out for Windows XP over the last year, and the more general press about Linux and security.

I think the idea that any OS is 'innately secure' is somewhat rediculous, though, as almost anything you put on a network is going to have to be locked down to make it secure. Linux may be more secure by default than Windows, but either one takes good administration to be really secure.

Re:Yeah but...

[Feztaa]

The grass is always greener on the other side of the fence, of course.

I think most windows developers are just fed up with all of windows' flaws, and when they responded to the poll, they were thinking "whatever 'linux' is, it has to be better than this" :)

go ahead

quote.com

Please report on your progress.

Re:go ahead

wtf?

Proportion of programmers

[tickticker]

Isn't it something, how Linux developers made up almost 25% of respondents, but Linux supposedly only owns about 5-10% market share?

Couple thoughts on this:

-Poor sampling of programmers
-The world of developers is aiming at Linux as it's install base will grow.
-Linux is a better platform to program for.

I'm sure there's more idiosyncracies to find in this report, but these are just my $.02

--My sig is having emotional problems today so it won't be in.

Re:Proportion of programmers

[bluGill]

Which market share are you counting? Market share of desktop computers is my guess. Overall though, comptuers cover a lot more territory. Embedded systems make up more computers than desktop systems. (Appearently some cars have 70 computers!) Even that isn't the right market to count though, becuase programers work on future releases. What a programer works on today is a reflection of what the future market will look like.

However all the above is wrong, because it is based on market share. Professional programers work on what they are paid to work on. If a product that will only have 2 sales needs 25,000 linux programmers, while 75 different products each with 1000 windows programers and sales of one million, your market share for linux is tiny, but the share of programers is 25%!

Re:Proportion of programmers

[tickticker]

You bring up some valid points, especially the embedded systems issue. I don't think that I was wrong, I was simply pointing out how wildly innacurate this (could be/is) as well as what could be interpreted from the given dataset. My assertions are no wilder than the ones that the surveyers made, just different.

What do Windows administrators say?

[cfadam]

I don't see how a VB programmer can speak with any authority about the security of servers since that is most likely not their primary job function. I'd rather hear what Windows admins think (preferrably ones who also admin Unix systems).

I administer a large network of both Windows and Unix server. Yes, I patch my Windows systems more often, but that is because patches are brought to my attention more often (via email as well as released more often _and_ they are easier to apply. Get SMS into the works and patching servers/desktops is even easier.

I see no reason to apply every security patch Microsoft (or Sun or Red Hat) releases, a large number of them are for apps/services I don't utilize. Not patching them immediately (or ever) doesn't necessarily compromize my security model, nor have I had any issues in the past re: this scheme. Good luck exploiting a hole in WMP on my servers.

As for which is more secure, its hard to say. That is really up to the administrator. I can make a Windows server more secure than most Linux installs out there.. but nothing is inherently secure.

Re:What do Windows administrators say?

[josepha48]

Windows 2k's firewall is severly lacking. Linux 2.2 kernel firewall is much better and Linux 2.4 is even better. Yes you can get forewall software for Windows (eg zonealarm) but it really should, in this day and age come with a good stateful firewall.

Also it seems by default windows has ALOT of ports open for services eg 135-139, 445, countless 1xxx ports. Not sure what it does with all these servies. Linux with X just listens on 6000 / 7000 (I think those are the ports) probably one or two more. Point is, why does windows listen so much? and Why don't they include a real firewall? I mean Linux has had firewalling since 2.0 and Windows just gets it in 2k?

With Linux security has been built as part of the product, with windows it is now an afterthought. That is the real problem. Yes you can make windows more secure, but Linux seems to make that job easier, but that is just IMHO.

Re:What do Windows administrators say?

[prostoalex]

it really should, in this day and age come with a good stateful firewall

By not having the firewall in their server product and user product until Windows XP, Microsoft has allowed a cottage industry of independent software vendors to appear that sell such software.

Bundling something complex and of high quality with the product will basically kill off those guys, and give them good reasons for antitrust investigation.

From a different perspective, Microsoft did buy that Romanian security vendor, although an antivirus company, not network security company, but who knows what projects are currently being set up for the team.

Re:What do Windows administrators say?

MS doesn't include a free stateful firewall because they are able to sell one called "ISA Server" for a lot of money.

Re:What do Windows administrators say?

sure, so do I, but securing a linux system to the same degree of security will take my 1/8th of the time to do so in a Windows Server. :-D sometimes life is easier from the command line.
Basic security can be done using a homegrown scripts, and the other 99% pf the 1/8th is spend on the details that matters the most!

Re:What do Windows administrators say?

I won't provide any evidence, so just consider this an unfounded rumor.

MS was blackmailed into buying that Romanian company!

Re:What do Windows administrators say?

> Linux with X just listens on 6000 / 7000 (I think those are the ports) probably one or two more.

X listens on a *local socket* (aka, PF_LOCAL), by default. Ie, you can't just remotely connect up to X. Now, you can make it use PF_INET (aka, the internet) with tcp, if you do want to do remote connections. I don't know why you'd be running X at all on a server, anyways. Even if you were, it'd be better to use ssh to have a compressed and encrypted connection, anyways.

Now, Windows 2003 from what I've heard has done a much better job of not leaving ports open everywhere. The problem is, XP is still wide open. You'd think MS would have learned to block the ports by default back when Windows 95 machines were being nuked..

Re:What do Windows administrators say?

[I8TheWorm]

I don't see how a VB programmer can speak with any authority about the security of servers since that is most likely not their primary job function

This is pretty late in the game, but here goes.

I write code for both Windows and Linux (very little Linux so far admittedly). On the Windows platform I write C, C++, Perl, and yes, VB. I'm not sure if you were saying that Windows developers are VB developers, but that's not what I have issue with. There are good VB developers out there. Granted, since VB made it easy for any yahoo to write what they would call an application, there are many more bad VB developers out there. VB uses security context like any other development platform. When I write an ASP app that uses a VB dll, I place many security checks along the way to make sure I'm running in the right context against the web server. And if something screwy has gone on, I give a 403.

The problem doesn't lie with VB itself, it lies with the implementation of VB programs. The same applies to Windows security. If you don't disallow extremely large strings/integers to pass through your code, you'll wind up allowing one of MS's numerous buffer overruns. That can be stopped at the UI. While it's true that developers shouldn't have to worry all the time about MS's failure to debug their own code, it's also true that security in applications starts with the developer, whatever platform they happen to be coding on.

OSX's Place?

Where do people think OSX comes in on the security spectrum?

Is the lack of mainstream press about OSX exploits because of the smaller userbase, or are there just not exploits?

And if there are no exploits, is this because of, again, the smaller userbase or is OSX truly a hardened OS?

The Linux cover

Dissertation on the uselessness of Linux zealots

A spectre is haunting the world -- the spectre of the Linux zealot.

What the Linux zealot is will appear evident to whoever has experienced or came in contact with the discussions which daily rage the Web disguised as news, e-mails, reference material, etc. The Linux zealot, is nothing but an animal wandering unceasingly in virtual and true reality (which moreover he treats in the same way) claiming to be an authority on the Linux operating system, an out-and-out guarantor for everyone's freedom, opposed to any safeguard of intellectual works (for a Linux zealot, the expression "copyright" is tantamount to sin against the Holy Spirit: there is no kind of expiation); in fact, he champions software freedom as a fundamental point for world evolution.

But first and foremost, the Linux zealot is a deeply dangerous being as he claims to be the guardian of truth, and looks with suspicion (when it goes off well) or scorn (for the rest of cases, i.e. most of them) those people who simply think differently from him.

But what's Linux? A Linux zealot will never give an authentic answer to this kind of question. He won't, not because he doesn't want to (even if this is the case), but because this question has been answered already, somewhere else by someone else. Linux is nothing but an operating system. The Linux zealot will claim that it is a different operating system from all other ones. But this is not the case. Because an OS is an OS, its main function is to manage the resource of a machine we will call "computer" from now on, for comfort of description. By the term "computer" we mean what is commonly meant by this expression, i. e. the system of hardware resources which are fixed to a certain purpose, be it home use, business use, or server management. Linux is an operating system. Like Windows, MS-DOS, OS/2, etc. There is no difference, in this sense, between Linux and other operating systems. Linux manages a computer, no more, no less. So do MS-DOS, Windows and OS/2. What the Linux zealot self-importantly and arrogantly highlights, is the fact that Linux is a free operating system, i.e., it is made available free of charge to the end user. This of course isn't true at all, but the Linux zealot believes it. Linux is freely distributable, not free of charge. This means that the kernel and everything included in the operating system's minimal requirements can be freely distributed, not that they must be distributed free of charge. This is the first great misapprehension of the Linux zealots, who find their claim challenged by facts: if the essential parts which make the operating system, and some additional software, are freely distributable, they should explain the reason of the costs -- not prohibitive but certainly notable -- of the most popular Linux distributions, Red Hat and SuSE foremost. And most of all, they should explain the fact that companies like Red Hat are regularly listed on the stock exchange, and Mr. Linux Torvald enjoys a rather high standard of living. These benefactors of mankind, these software alternatives, these computer non-conformists (so much non-conformist as to be terribly conformist in their non-conformism) naturally justify the distributing companies' profits with excuses like "but there's a printed manual", "but the bundled software is qualitatively and numerically superior compared to the most popular distribution". "but it is easier to install" and other unspeakable nonsense. "On the other hand" they say "if someone wants Linux, they can just as easily download it from the Internet". Sure. Download it from the Internet. But how long must you stay connected, if you regularly pay an Internet bill, to complete the download of an updated version of a decent distribution of an operating system? So what? Is Linux free? No. Linux is not free, same as nothing downloaded from the Internet is free, unless you have access to an University server or can in whatever way scrounge a connection. If you ask a Linux zealot

In other news...

[ERJ]

In other news, 3/4 of all carpenters polled agree that plastic tubing is better then metal tubing for plumming.

Re:In other news...

and its lesser-known cousin, plumbing.

And now to sports...

The Cincinnati Bengals defeat the Arizona Cardinals 3 - 0 with a field goal with 0:03 left in overtime.

Really people. Comparing Linux security to Windows security is like comparing the Bengals to the Cardinals.

Re:And now to sports...

[nate+nice]

I still can't believe the Packers lost to the Cards. Gonna be a long season.

More secure for what?

[foooo]

I have often wondered why windows is less secure. Could it be that a larger installed base means more exposure to security issues?? (ie. popularity = more exploits?)

If that is the case one would assume that if linux grows in popularity it will begin to get exponentially more volume as it's *unskilled* user base grows.

Is the difference between security merely a product of linux admins being more excellent or more fanatical than windows admins?

Until someone answers these questions I won't start *blaming* MSFT for bad security. It could simply be inevitable that a popular system has more exploits.

~fooo

Re:More secure for what?

[Dan+Ost]

I have often wondered why windows is less secure. Could it be that a larger installed base means more exposure to security issues?? (ie. popularity = more exploits?)

No, the problem with Windows is that just about any exploit allows for the running
of arbitrary code with full privileges (equivelent to rooting a Linux box).

With a real OS (Linux, BSD, etc), to get similar privileges, you need both
a exploit to gain access to a machine and some way of escalating your privilege.
There has historically been a fraction of exploits that granted root from the
start, but that fraction has become vanishingly small.

Re:More secure for what?

> With a real OS (Linux, BSD, etc)...

Damn, how foolish of me to assume that Windows was a real OS! I mean, it's only controlling my hardware, managing my files, and running my programs. I will delete it at once and install a real OS. This said "real OS" won't work with my hardware, won't be able to access my files, and won't run any of my programs, but at least the likelihood of someone breaking into my computer will be reduced from one in a billion to one in a gazillion!

Re:More secure for what?

OK, so he used some biased wording, but the fact remains that too many things run as root on a windows box. Only a moron would run Apache as root on a *nix box, but running the swiss-cheese IIS as root is the only option.

As for being inherently less secure, I agree with that based on one simple fact. *nix has de-coupled the GUI from the core OS. GUI=complexity, complexity is a security no-no. Why in the nine hells does anyone need a GUI on a file server anyway?

Re:More secure for what?

[iantri]

Until someone answers these questions I won't start *blaming* MSFT for bad security. It could simply be inevitable that a popular system has more exploits.

Netcraft says that Apache web server has 64.61% marketshare, while IIS has 23.46%.

We all know which one has more security flaws..

There goes the theory that more popular == more exploits.

Re:More secure for what?

If you don't understand the difference, the chances are excellent that your system is already compromised.

Re:More secure for what?

I don't know what "real OS" you're thinking of but Linux and BSD will almost certainly work with your hardware, let you access your files, and maybe even run most of your programs under WINE in the event you don't want to use a native equivalent.

Security is not a product.

[DjReagan]

When will people realise that security is not about products and operating systems. Security is a process that is ongoing and evolving.

Re:Security is not a product.

[Ohreally_factor]

It's a process that involves using tools. Now, do you want a workbench with Makita, Dewalt, Milwaulke, and Porter Cable tools, or do you want the Playskool workbench?

Re:Security is not a product.

> security is not about products and operating systems.

Security is not *just* about products and operating systems. If IIS has a major security flaw when serving web pages and there's no fix, you have to either firewall off http or just firewall off any malformed request. No, using a particular operating system or product will not guarantee security. But using a particular operating system or product revision can very well guarantee insecurity. And using particular operating systems or products can make it a lot more difficult to secure a setup. Why not use the software that makes it easier to secure your setup if you can?

I'd have to word this differently...

[pr0c]

I would not agree that Linux is more secure. I would however say that linux is less vulnerable as a desktop. I saw some numbers on slashdot somewhere (I'm not gonna look) that said that more linux servers are hacked than windows servers EVEN if windows is less secure due to the fact that there are more linux SERVERS than windows servers out therre. Now the same is true for desktops... more windows desktops are hacked than linux desktops because of the numbers. Bigger target = more attacks.

In short... more people looking for holes = more holes. A hole is not a hole until it is discovered. If nobody looked for windows holes it would be the most secure OS in the world! But this is not the case it is the opposite of course.

Vulnerability != Security, there is much more to it. Comparing windows security to linux is similar to comparing Walmarts shoplifting security to a local stores. Many people will say stealing from walmart is easy but when it comes to the local store fewer people will know.

What's a URL?

/home/www/cgi-bin doesn't exist, where to I put it? And how do I tell what the URL of my linux box is? I don't think Dell put a URL in when I bought the machine, can I get one a Best Buy?

Full Page virus warnings in last weekend's papers

[koogydelbbog]

i'm surprised nobody has mentioned that in the previous weekend Microsoft took out a full page in a lot of the English papers (Guardian on saturday, Observer on sunday at least) telling people how to update their computers to guard against viruses etc. wasn't an advert (no pictures, just text) but a warning, like some kind of product recall notice.

andy

Ya indeed! (Re:Yeah but...)

[aphor]

Your question is actually more critical of Windows security than the results of the survey: you doubt that the Windows developers surveyed can (or will) actually assess and report software security..

The end result is that either Windows developers know their software is insecure on an insecure platform, or that they are not qualified to make that distinction, and by default their software is untrusted and insecure.

"Windows developers"

[skookum]

This summary, and the article it links to, both seem to paint the picture that there are two distinct sets of developers in the world, those that target Windows and those that target Linux (or other open source platforms). This is just simply misleading, as I don't think it's the case at all.

First of all, most people who write code for a living have little control over what target OS they are developing for. These things tend to be dictated by the business that the company is in, or their clients, or the decisions of upper management, or historical reasons, etc. Most developers write code for Windows at work because that's where most software development happens, not because that's really their choice.

And just because you code for Windows at work doesn't mean you don't use Linux or participate in open source development at home or in your free time.

I guess what I'm getting at here is that I'm not surprised at all that Windows developers thought Linux was more secure, as a lot of them probably have used Linux or use it at home in some form (such as for a firewall.) In other words, you can't just break software people up into "Windows people" and "Linux people" and expect the members of each set to view their target OS as more secure, more stable, etc. People develop software for Windows for lots of reasons -- "it's a day job", "that's what the client demanded", "it's just corporate policy", etc. I guess what I'm saying is that this article doesn't really prove much, other than the fact that a lot of people think Linux is secure, but we knew that much already. Or simply: "Sure I write code for Windows for $DAYJOB, but that doesn't mean I think Windows is secure, and I use FreeBSD for my firewall at home."

how about root pwd?

[Xtifr]

I'll do better than that. How about the address and root password of a public Linux box. As seen in Linux Journal. Please feel free to log in and play around -- that's what it's there for. (I'm hoping that the fact that this is a second level comment in a not-posted-just-this-second article will help keep the poor box from getting slashdotted.) Sure, it's SELinux, not quite the same as an off-the-shelf RH boxed set, but what does Windows offer that's anywhere near this level of security?

UML?

[Slashamatic]

Um it aint going to do a lot if the perl instance runs under User-Mode Linux and in a chroot jail - effectively a poor man's VM with features enough for secure hosting. I looked for it on Windows, but unless I buy VMware, not such feature.

Closed source is the problem.

[SHEENmaster]

Commies can review the Windows source code, while I cannot. M$ refuses to let me on the grounds that I will find security problems.

Products and operating systems are unique by nature, each with their own benefits and drawbacks. Any good security arrangement will avoid Windows like the plague.

Security as a process is important, but a strong foundation will make static security possible.

Re:JEWS CONTROL THE MEDIA

[MoxFulder]

Too bad that Oskar Schindler wasn't Jewish, dumbass.