Slashdot Mirror


Windows Developers Agree: Linux More Secure

theblackdeer writes "eWeek has an article up about an Evans Data Corp survey that the majority of Windows developers agree that Linux is a more secure OS. "Linux scored high for innate security among respondents, more than two-thirds of whom 'use or target Windows with their code.' Indeed, only 23 percent of the developers were primarily Linux developers.""

43 of 62 comments

  1. But why would you listen to a Windows developer by Anonymous Coward · · Score: 4, Funny
    Seriously, the people have been programming Windows all their career, and now somehow you ask them for authoritative opinion that requires knowledge of a multitude of platforms.

    What's next?

    Linus Torvalds agrees, VB is pretty cool.

    RMS agrees, Microsoft Visual Studio .NET is the best tool available for J#.NET

    1. Re:But why would you listen to a Windows developer by gazbo · · Score: 1, Flamebait
      It's posted by Michael. He is pretty much universally agreed to be a jerk. He posts anything that fits his agenda, without even paying lip service to journalistic integrity.

      In Michael terms, this could be considered a rational and reasonable post.

    2. Re:But why would you listen to a Windows developer by Monkelectric · · Score: 4, Insightful
      He posts anything that fits his agenda, without even paying lip service to journalistic integrity.

      shhhhh! He's trying to get noticed by fox news.

      --

      Religion is a gateway psychosis. -- Dave Foley

    3. Re:But why would you listen to a Windows developer by Anonymous Coward · · Score: 1, Funny

      In related news, a survey also indicated that 99.82% of Windows programmers are currently logged in as "Administrator", and disabled all IE security features to make it easier to develop COM components.

      They might think that Linux is more secure, but it's doubtful that they care that much about security.

    4. Re:But why would you listen to a Windows developer by ajole · · Score: 1

      W00t!

      Excellent post.

      --
      -P ...and the boy pulled open his bleary eyes and discovered the python he always knew he was.
    5. Re:But why would you listen to a Windows developer by c4ffeine · · Score: 2

      Don't forget, another recent study showed that 95% of all statistics are made up... and that 115% of all studies are BSed because the authors didn't really know what they were talking about

      --
      "73% of quotes on the Internet are made up" -Ben Franklin
  2. Baloney by prostoalex · · Score: 3, Funny
    Put the following in your web server cgi-bin:
    #!/usr/bin/perl

    use CGI;

    my $cgi = new CGI;
    my $input = $cgi->param("userinput");
    system($input);
    and let me know what the URL of your Linux box is.
    1. Re:Baloney by vigilology · · Score: 5, Funny

      Give us the URL of your Microsoft box. You don't need to give us special permissions. We'll make our own.

    2. Re:Baloney by Anonymous Coward · · Score: 2, Funny

      haheheha change ur lunix pasward to hakked an I hak u! proof lunix si insekure!

    3. Re:Baloney by AT · · Score: 2, Informative

      Because it is possible to write an insecure program in Linux, Linux is less secure? What a total non-sequitur.

      It is trivial to write the above program in any language on any platform; that has absolutely nothing to do with an operating system's security.

      What you will notice, though, is that with most Linux/Apache setups, $input will run as user "nobody" or "apache", with very few privileges, so an additional local root exploit would be necessary to do real damage. Unix was designed from the start to allow untrusted users to run programs locally. It's also worth noting that some Windows services can be locked down the same way, but in general, a remote exploit on a Windows box will almost always give you Administrator access.
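
An added illustration, not part of the thread or any poster's code, of the CGI script above in hardened form: the request parameter only selects an entry from a fixed allowlist and never reaches a shell, and the `whoami` action reports the low-privilege account the web server runs the script as. The action names and the `/usr/bin` paths are assumptions for a typical Linux/Apache host.

```perl
#!/usr/bin/perl -T
# Added example: hardened counterpart of the system($input) CGI script.
# -T enables taint mode, so data from the request cannot reach exec/system
# unless it has been explicitly validated.
use strict;
use warnings;
use CGI;

# Taint mode refuses to run external programs until the environment is clean.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allowlist (hypothetical actions; paths assumed for a typical Linux host).
# The request value picks a fixed argv; it never becomes part of a command line.
my %ACTIONS = (
    uptime => ['/usr/bin/uptime'],
    whoami => ['/usr/bin/id', '-un'],
);

# Returns the argv array ref for an allowlisted action name, or undef.
sub resolve_action {
    my ($name) = @_;
    return unless defined $name && $name =~ /\A([a-z]{1,16})\z/;
    return $ACTIONS{$1};
}

my $cgi  = CGI->new;
my $argv = resolve_action(scalar $cgi->param('userinput'));

unless ($argv) {
    # Anything not on the allowlist is rejected, including shell metacharacters.
    print $cgi->header(-status => '400 Bad Request', -type => 'text/plain');
    print "unknown action\n";
    exit 0;
}

$| = 1;    # flush the HTTP header before the child process writes its output
print $cgi->header(-type => 'text/plain');

# List-form system() with an explicit program path execs the binary directly,
# so no shell ever parses the arguments.
system { $argv->[0] } @$argv;
```

Requesting `?userinput=whoami` on a default Apache setup would typically print an unprivileged account such as "nobody" or "apache", which is the containment the comment above describes.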

    4. Re:Baloney by prostoalex · · Score: 2, Informative

      This was intended as humor, perhaps misunderstood by moderators. Of course OS-level security (where you depend on underlying OS code) is different from app-level security (where anyone writing the app can introduce serious holes).

      Once again, wasn't intended as a flamebait.

    5. Re:Baloney by pebs · · Score: 1

      My root password is "i2n5i3hs]f ds4 a" without the quotes. I'm running OpenSSH on port 22, open to everyone.

      Just try and hack me. You may find the root password is not enough.

      --
      #!/
    6. Re:Baloney by pebs · · Score: 1

      Well, an IP address might help... ;-)

      Oh sorry, my bad. 192.168.1.69
      If that doesn't work, try 127.0.0.1

      --
      #!/
    7. Re:Baloney by pla · · Score: 1

      Oh sorry, my bad. 192.168.1.69

      ha. Hilarious.

      And here I thought perhaps you really had a point to your challenge, rather than a badly overused joke.


      Personally, I wanted to find out what sort of security you had that would make knowing your root password not useful. I've had to run a number of systems where far too many people had root access (by order of the geniuses in management, not actually a necessity), and would love to know how to technically satisfy that without really giving people god-like access to a given box.

      (Same poster as AC, forgot to log in last time).

    8. Re:Baloney by pebs · · Score: 1

      Personally, I wanted to find out what sort of security you had that would make knowing your root password not useful.

      By default, SSH does not allow root login. Granted, a determined hacker would find a way to crack one of my user accounts and then I'd be fucked :) But that would probably be the case even if I didn't hand out the root password.

      --
      #!/
    9. Re:Baloney by cakoose · · Score: 1

      Um...that URL is for a Linux machine.

    10. Re:Baloney by molnarcs · · Score: 1
    11. Re:Baloney by pebs · · Score: 1

      nt

      --
      #!/
  3. Yeah but... by curtisk · · Score: 2, Insightful
    "Development experience talks, a higher percentage of Windows developers said Linux is more 'innately secure' than did Linux developers."


    What do they base this perception or opinion on? Actual roll-up-your-sleeves analysis or the "features list" on their distro's box? It's kinda vague.

    --

    Sehr geehrter Toilettenbenutzer!

    1. Re:Yeah but... by PainKilleR-CE · · Score: 2, Insightful

      What do they base this perception or opinion on? Actual roll-up-your-sleeves analysis or the "features list" on their distro's box? It's kinda vague.

      The survey was simply asking about perception, not why that perception existed. More than likely a great deal of that has to do with the number of security patches that have come out for Windows XP over the last year, and the more general press about Linux and security.

      I think the idea that any OS is 'innately secure' is somewhat ridiculous, though, as almost anything you put on a network is going to have to be locked down to make it secure. Linux may be more secure by default than Windows, but either one takes good administration to be really secure.

      --
      -PainKilleR-[CE]
    2. Re:Yeah but... by Feztaa · · Score: 3, Funny

      The grass is always greener on the other side of the fence, of course.

      I think most windows developers are just fed up with all of windows' flaws, and when they responded to the poll, they were thinking "whatever 'linux' is, it has to be better than this" :)

  4. What do Windows administrators say? by cfadam · · Score: 3, Interesting

    I don't see how a VB programmer can speak with any authority about the security of servers since that is most likely not their primary job function. I'd rather hear what Windows admins think (preferably ones who also admin Unix systems).

    I administer a large network of both Windows and Unix servers. Yes, I patch my Windows systems more often, but that is because patches are brought to my attention more often (via email) as well as released more often _and_ they are easier to apply. Get SMS into the works and patching servers/desktops is even easier.

    I see no reason to apply every security patch Microsoft (or Sun or Red Hat) releases, a large number of them are for apps/services I don't utilize. Not patching them immediately (or ever) doesn't necessarily compromise my security model, nor have I had any issues in the past re: this scheme. Good luck exploiting a hole in WMP on my servers.

    As for which is more secure, it's hard to say. That is really up to the administrator. I can make a Windows server more secure than most Linux installs out there.. but nothing is inherently secure.

    1. Re:What do Windows administrators say? by josepha48 · · Score: 1
      Windows 2k's firewall is severely lacking. Linux 2.2 kernel firewall is much better and Linux 2.4 is even better. Yes you can get firewall software for Windows (eg zonealarm) but it really should, in this day and age come with a good stateful firewall.

      Also it seems by default windows has A LOT of ports open for services eg 135-139, 445, countless 1xxx ports. Not sure what it does with all these services. Linux with X just listens on 6000 / 7000 (I think those are the ports) probably one or two more. Point is, why does windows listen so much? And why don't they include a real firewall? I mean Linux has had firewalling since 2.0 and Windows just gets it in 2k?

      With Linux security has been built as part of the product, with windows it is now an afterthought. That is the real problem. Yes you can make windows more secure, but Linux seems to make that job easier, but that is just IMHO.

      --

      Only 'flamers' flame!
      Does slashdot hate my posts?

    2. Re:What do Windows administrators say? by prostoalex · · Score: 1

      it really should, in this day and age come with a good stateful firewall

      By not having the firewall in their server product and user product until Windows XP, Microsoft has allowed a cottage industry of independent software vendors to appear that sell such software.

      Bundling something complex and of high quality with the product will basically kill off those guys, and give them good reasons for antitrust investigation.

      From a different perspective, Microsoft did buy that Romanian security vendor, although an antivirus company, not network security company, but who knows what projects are currently being set up for the team.

    3. Re:What do Windows administrators say? by I8TheWorm · · Score: 1

      I don't see how a VB programmer can speak with any authority about the security of servers since that is most likely not their primary job function

      This is pretty late in the game, but here goes.

      I write code for both Windows and Linux (very little Linux so far admittedly). On the Windows platform I write C, C++, Perl, and yes, VB. I'm not sure if you were saying that Windows developers are VB developers, but that's not what I have issue with. There are good VB developers out there. Granted, since VB made it easy for any yahoo to write what they would call an application, there are many more bad VB developers out there. VB uses security context like any other development platform. When I write an ASP app that uses a VB dll, I place many security checks along the way to make sure I'm running in the right context against the web server. And if something screwy has gone on, I give a 403.

      The problem doesn't lie with VB itself, it lies with the implementation of VB programs. The same applies to Windows security. If you don't disallow extremely large strings/integers to pass through your code, you'll wind up allowing one of MS's numerous buffer overruns. That can be stopped at the UI. While it's true that developers shouldn't have to worry all the time about MS's failure to debug their own code, it's also true that security in applications starts with the developer, whatever platform they happen to be coding on.

      --
      Saying Android is a family of phones is akin to saying Linux is a family of PCs.
  5. In other news... by ERJ · · Score: 3, Funny

    In other news, 3/4 of all carpenters polled agree that plastic tubing is better than metal tubing for plumbing.

  6. Re:Proportion of programmers by bluGill · · Score: 1

    Which market share are you counting? Market share of desktop computers is my guess. Overall though, computers cover a lot more territory. Embedded systems make up more computers than desktop systems. (Apparently some cars have 70 computers!) Even that isn't the right market to count though, because programmers work on future releases. What a programmer works on today is a reflection of what the future market will look like.

    However all the above is wrong, because it is based on market share. Professional programmers work on what they are paid to work on. If a product that will only have 2 sales needs 25,000 linux programmers, while 75 different products each with 1000 windows programmers and sales of one million, your market share for linux is tiny, but the share of programmers is 25%!

  7. More secure for what? by foooo · · Score: 2, Interesting

    I have often wondered why windows is less secure. Could it be that a larger installed base means more exposure to security issues?? (ie. popularity = more exploits?)

    If that is the case one would assume that if linux grows in popularity it will begin to get exponentially more volume as its *unskilled* user base grows.

    Is the difference between security merely a product of linux admins being more excellent or more fanatical than windows admins?

    Until someone answers these questions I won't start *blaming* MSFT for bad security. It could simply be inevitable that a popular system has more exploits.

    ~fooo

    1. Re:More secure for what? by Dan+Ost · · Score: 3, Insightful

      I have often wondered why windows is less secure. Could it be that a larger installed base means more exposure to security issues?? (ie. popularity = more exploits?)

      No, the problem with Windows is that just about any exploit allows for the running
      of arbitrary code with full privileges (equivalent to rooting a Linux box).

      With a real OS (Linux, BSD, etc), to get similar privileges, you need both
      an exploit to gain access to a machine and some way of escalating your privilege.
      There has historically been a fraction of exploits that granted root from the
      start, but that fraction has become vanishingly small.

      --

      *sigh* back to work...
    2. Re:More secure for what? by Anonymous Coward · · Score: 1, Insightful

      > With a real OS (Linux, BSD, etc)...

      Damn, how foolish of me to assume that Windows was a real OS! I mean, it's only controlling my hardware, managing my files, and running my programs. I will delete it at once and install a real OS. This said "real OS" won't work with my hardware, won't be able to access my files, and won't run any of my programs, but at least the likelihood of someone breaking into my computer will be reduced from one in a billion to one in a gazillion!

    3. Re:More secure for what? by iantri · · Score: 1
      Until someone answers these questions I won't start *blaming* MSFT for bad security. It could simply be inevitable that a popular system has more exploits.

      Netcraft says that Apache web server has 64.61% marketshare, while IIS has 23.46%.

      We all know which one has more security flaws..

      There goes the theory that more popular == more exploits.

  8. Security is not a product. by DjReagan · · Score: 2, Insightful

    When will people realise that security is not about products and operating systems. Security is a process that is ongoing and evolving.

    --
    "When I grow up, I want to be a weirdo"
    1. Re:Security is not a product. by Ohreally_factor · · Score: 1

      It's a process that involves using tools. Now, do you want a workbench with Makita, Dewalt, Milwaukee, and Porter Cable tools, or do you want the Playskool workbench?

      --
      It's not offtopic, dumbass. It's orthogonal.
  9. I'd have to word this differently... by pr0c · · Score: 1

    I would not agree that Linux is more secure. I would however say that linux is less vulnerable as a desktop. I saw some numbers on slashdot somewhere (I'm not gonna look) that said that more linux servers are hacked than windows servers EVEN if windows is less secure due to the fact that there are more linux SERVERS than windows servers out there. Now the same is true for desktops... more windows desktops are hacked than linux desktops because of the numbers. Bigger target = more attacks.

    In short... more people looking for holes = more holes. A hole is not a hole until it is discovered. If nobody looked for windows holes it would be the most secure OS in the world! But this is not the case it is the opposite of course.

    Vulnerability != Security, there is much more to it. Comparing windows security to linux is similar to comparing Walmart's shoplifting security to a local store's. Many people will say stealing from Walmart is easy but when it comes to the local store fewer people will know.

  10. What's a URL? by Anonymous Coward · · Score: 1, Funny

    /home/www/cgi-bin doesn't exist, where do I put it? And how do I tell what the URL of my linux box is? I don't think Dell put a URL in when I bought the machine, can I get one at Best Buy?

  11. Full Page virus warnings in last weekend's papers by koogydelbbog · · Score: 1

    I'm surprised nobody has mentioned that in the previous weekend Microsoft took out a full page in a lot of the English papers (Guardian on Saturday, Observer on Sunday at least) telling people how to update their computers to guard against viruses etc. It wasn't an advert (no pictures, just text) but a warning, like some kind of product recall notice.

    andy

  12. Ya indeed! (Re:Yeah but...) by aphor · · Score: 1

    Your question is actually more critical of Windows security than the results of the survey: you doubt that the Windows developers surveyed can (or will) actually assess and report software security..

    The end result is that either Windows developers know their software is insecure on an insecure platform, or that they are not qualified to make that distinction, and by default their software is untrusted and insecure.

    --
    --- Nothing clever here: move along now...
  13. "Windows developers" by skookum · · Score: 3, Insightful

    This summary, and the article it links to, both seem to paint the picture that there are two distinct sets of developers in the world, those that target Windows and those that target Linux (or other open source platforms). This is just simply misleading, as I don't think it's the case at all.

    First of all, most people who write code for a living have little control over what target OS they are developing for. These things tend to be dictated by the business that the company is in, or their clients, or the decisions of upper management, or historical reasons, etc. Most developers write code for Windows at work because that's where most software development happens, not because that's really their choice.

    And just because you code for Windows at work doesn't mean you don't use Linux or participate in open source development at home or in your free time.

    I guess what I'm getting at here is that I'm not surprised at all that Windows developers thought Linux was more secure, as a lot of them probably have used Linux or use it at home in some form (such as for a firewall.) In other words, you can't just break software people up into "Windows people" and "Linux people" and expect the members of each set to view their target OS as more secure, more stable, etc. People develop software for Windows for lots of reasons -- "it's a day job", "that's what the client demanded", "it's just corporate policy", etc. I guess what I'm saying is that this article doesn't really prove much, other than the fact that a lot of people think Linux is secure, but we knew that much already. Or simply: "Sure I write code for Windows for $DAYJOB, but that doesn't mean I think Windows is secure, and I use FreeBSD for my firewall at home."

  14. how about root pwd? by Xtifr · · Score: 2, Informative

    I'll do better than that. How about the address and root password of a public Linux box. As seen in Linux Journal. Please feel free to log in and play around -- that's what it's there for. (I'm hoping that the fact that this is a second level comment in a not-posted-just-this-second article will help keep the poor box from getting slashdotted.) Sure, it's SELinux, not quite the same as an off-the-shelf RH boxed set, but what does Windows offer that's anywhere near this level of security?

  15. UML? by Slashamatic · · Score: 1

    Um it ain't going to do a lot if the perl instance runs under User-Mode Linux and in a chroot jail - effectively a poor man's VM with features enough for secure hosting. I looked for it on Windows, but unless I buy VMware, no such feature.

  16. Re:Proportion of programmers by tickticker · · Score: 1

    You bring up some valid points, especially the embedded systems issue. I don't think that I was wrong, I was simply pointing out how wildly inaccurate this (could be/is) as well as what could be interpreted from the given dataset. My assertions are no wilder than the ones that the surveyors made, just different.

  17. Closed source is the problem. by SHEENmaster · · Score: 1

    Commies can review the Windows source code, while I cannot. M$ refuses to let me on the grounds that I will find security problems.

    Products and operating systems are unique by nature, each with their own benefits and drawbacks. Any good security arrangement will avoid Windows like the plague.

    Security as a process is important, but a strong foundation will make static security possible.

    --
    You can't judge a book by the way it wears its hair.
  18. Re:JEWS CONTROL THE MEDIA by MoxFulder · · Score: 1

    Too bad that Oskar Schindler wasn't Jewish, dumbass.