Windows vs. Linux Security, Once More
TAGmclaren writes "The Register is running a very interesting article about Microsoft and Linux security. From the article: 'until now there has been no systematic and detailed effort to address Microsoft's major security bullet points in report form. In a new analysis published here, however, Nicholas Petreley sets out to correct this deficit, considering the claims one at a time in detail, and providing assessments backed by hard data. Petreley concludes that Microsoft's efforts to dispel Linux "myths" are based largely on faulty reasoning and overly narrow statistical analysis.' The full report is available here in HTML form, and here in PDF. Although the article does make mention of OS X, it would have been nice if the 'other' OS had been included in the detailed analysis for comparison."
What, no macro virus-infected Word file?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
...Linux is more secure than Windows. Amazing that it took a report to tell us what we already know.
You misspelled "The caress of another man".
Is this a critique of Slashdot's failure to cooperate with third party sites and/or provide basic mirroring, of the editors failure to properly check story submissions, or of both?
I think the "mysterious future" feature available to subscribers allowing them to see upcoming stories ahead of the rest of us is meant to be an ironic joke: you've got to read the stories whilst they are still there, because whether or not the links will be accessible in the future is a mystery...
...the Executive summary to your PHB. There's a reason that they're written! While the Reg likely won't be ./'ed, it's below:
Much ado has been made about whether or not Linux is truly more secure than Windows. We compared Windows vs. Linux by examining the following metrics in the 40 most recent patches/vulnerabilities listed for Microsoft Windows Server 2003 vs. Red Hat Enterprise Linux AS v.3:
1. The severity of security vulnerabilities, derived from the following metrics:
   1. damage potential (how much damage is possible?)
   2. exploitation potential (how easy is it to exploit?)
   3. exposure potential (what kind of access is necessary to exploit the vulnerability?)
2. The number of critically severe vulnerabilities
The results were not unexpected. Even by Microsoft's subjective and flawed standards, fully 38% of the most recent patches address flaws that Microsoft ranks as Critical. Only 10% of Red Hat's patches and alerts address flaws of Critical severity. These results are easily demonstrated to be generous to Microsoft and arguably harsh with Red Hat, since the above results are based on Microsoft's ratings rather than our more stringent application of the security metrics. If we were to apply our own metrics, it would increase the number of Critical flaws in Windows Server 2003 to 50%.
We queried the United States Computer Emergency Readiness Team (CERT) database, and the CERT data confirms our conclusions by a more dramatic margin. When we queried the database to present results in order of severity from most critical to least critical, 39 of the first 40 entries in the CERT database for Windows are rated above the CERT threshold for a severe alert. Only three of the first 40 entries were above the threshold when we queried the database about Red Hat. When we queried the CERT database about Linux, only 6 of the first 40 entries were above the threshold.
Consider also that both the Red Hat and Linux lists include flaws in software that runs on Windows, which means these flaws apply to both Linux and Windows. None of the alerts associated with Windows affect software that runs on Linux.
So why have there been so many credible-sounding claims to the contrary, that Linux is actually less secure than Windows? There are glaring logical holes in the reasoning behind the conclusion that Linux is less secure. It takes only a little scrutiny to debunk the myths and logical errors behind the following oft-repeated axioms:
1. Windows only suffers so many attacks because there are more Windows installations than Linux, therefore Linux would be just as vulnerable if it had as many installations
2. Open source is inherently less secure because malicious hackers can find flaws more easily
3. There are more security alerts for Linux than for Windows, therefore Linux is less secure than Windows
4. There is a longer time between the discovery of a flaw and a patch for the flaw with Linux than with Windows
The error behind axioms 3 and 4 is that they ignore the most important metrics for measuring the relative security of one operating system vs. another. As you will see in our section on Realistic Security and Severity Metrics, measuring security by a single metric (such as how long it takes between the discovery of a flaw and a patch release) produces meaningless results.
Finally, we also include a brief overview of relevant conceptual differences between Windows and Linux, to offer an insight into why Windows tends to be more vulnerable to attacks at both server and desktop, and why Linux is inherently more secure.
Nicholas Petreley is a Linux advocate... there is a basic problem with a partisan person presenting a "fair and balanced" argument. Kinda like doing research with fixed goals.
No, Macs have the usability of a Mac, the security of Unix. No one cares about Microsoft. Their products are a usability nightmare (Have you ever used WMP > 7?)
Don't even get me started on microsoft office.
Duh!
Is this really news?
The days of the digital watch are numbered.
Works fine here.
Windows v Linux security: the real facts
By John Lettice
Published Friday 22nd October 2004 15:30 GMT
Report Considering the publicity that has surrounded - and, despite super new security-focused Service Packs, continues to surround - Windows security issues, Microsoft's determination to demonstrate that Linux is less secure than Windows shows a certain chutzpah. The company has however had some support here; Forrester, for example, provides some numbers that can be used to support the contention that Microsoft flaws are less severe, less numerous and fixed faster. And although there's a general readiness among users to believe that Windows is a security disaster area, there's also a reasonable amount of support for the view that Linux would get just as many security issues if it had anything like Windows' user base.
But what's the truth? For every claim there is, somewhere, a counterclaim. But until now there has been no systematic and detailed effort to address Microsoft's major security bullet points in report form. In a new analysis published here, however, Nicholas Petreley* sets out to correct this deficit, considering the claims one at a time in detail, and providing assessments backed by hard data. Petreley concludes that Microsoft's efforts to dispel Linux 'myths' are based largely on faulty reasoning and overly narrow statistical analysis. Even if you think you know this already (as we fear may be the case for numerous Register readers), we think you'll find it useful to be able to say why you know it, what the facts and the numbers really are, and where you can get the document to back up what you're saying. Appropriately enough, we're offering the report for free. You can browse through it here, and you can download it in PDF format here.
We encourage you all to grab a copy and give it a good read, but as a service for the fast fact junkies, we've produced a few bullet points of our own. All of these are clearly supported (unlike some similar efforts you might find elsewhere) by Nicholas' report, but don't just take our word for that, check it against the full report.
Myths and Facts
Myth Windows only gets attacked most because it's such a big target, and if Linux use (or indeed OS X use) grew then so would the number of attacks.
Fact When it comes to web servers, the biggest target is Apache, the Internet's server of choice. Attacks on Apache are nevertheless far fewer in number, and cause less damage. And in some cases Apache-related attacks have the most serious effect on Windows machines. Attacks are of course aimed at Windows because of the numbers of users, but its design makes it a much easier target, and much easier for an attack to wreak havoc. Windows' widespread (and often unnecessary) use of features such as RPC meanwhile adds vulnerabilities that really need not be there. Linux's design is not vulnerable in the same ways, and no matter how successful it eventually becomes it simply cannot experience attacks to similar levels, inflicting similar levels of damage, to Windows.
Myth Open Source Software is inherently dangerous because its source code is widely available, whereas Windows 'blueprints' are carefully guarded by Microsoft.
Fact This 'inherent danger' clearly has not manifested itself in terms of actual attacks. Windows-specific viruses, Trojans, worms and malicious programs exist in huge numbers, so if one gives any credence at all to this claim, one would do better to phrase it 'Open Source Software ought to be more dangerous'. But the claim itself hinges on the view - rejected by reputable security professionals - that obscurity aids security. Obscurity/secrecy can also make it more difficult for the vendors themselves to identify vulnerabilities in their own products, and can lead to security issues being neglected because they are not widely-known. The Open Source model, on the other hand, facilitates widespread review and makes it easier to identify and correct flaws. Modular design principles support this, while the overall appr
Although the article does make mention of OS X, it would have been nice if the 'other' OS had been included in the detailed analysis for comparison."
I am sure it would have been nice. But, you see, the article was comparing Linux Security to Windows Security. Mentioning OSX would have been, oh I don't know... OFFTOPIC!
The latter two links appear to be broken, but match the links provided in TFA. Perhaps the Register forgot to upload the actual reports?
"You're older than you've ever been, and now you're even older."
I'd rather see OSX security compared to Windows. I only have one user adventurous enough to use Linux on their desktop. The rest are about 70/30 Win/Mac.
For the love of Linus and RMS, please use the "Plain Old Text" option when you post an article's text!!
There's a Mercedes gap too. I want one and can't afford one, but it's not government's job to do anything about it.
Microsoft products are more vulnerable, despite that Microsoft uses statistics that says otherwise to make you believe otherwise.
And all the games my Amiga has... Wait, no, it doesn't have that many.
What I would like to see is some security comparison of Microsoft software and FOSS, corrected for target size.
FOSS advocates often whine about MS insecurity, whereas MS advocates often claim MS only gets more break-ins because it's used more. The MS folks are probably not right in the Apache vs IIS case, but what about other cases? Is FOSS really more secure?
Unfortunately, I cannot think of any good way to measure this. Perhaps a little brainstorm on /. can come up with a good test, and some people can carry it out?
Please correct me if I got my facts wrong.
If you're the idiot who modded this off-topic then you clearly haven't got a fucking clue about:
1. What this story is about; and
2. Irony.
From TFA: Attacks are of course aimed at Windows because of the numbers of users, but its design makes it a much easier target, and much easier for an attack to wreak havoc. Windows' widespread (and often unnecessary) use of features such as RPC meanwhile adds vulnerabilities that really need not be there. Linux's design is not vulnerable in the same ways, and no matter how successful it eventually becomes it simply cannot experience attacks to similar levels, inflicting similar levels of damage, to Windows.
Windows Design
Windows has only recently evolved from a single-user design to a multi-user model
Windows is Monolithic by Design, not Modular
Windows Depends Too Heavily on the RPC model
Windows focuses on its familiar graphical desktop interface
Linux Design
Linux is based on a long history of well fleshed-out multi-user design
Linux is Modular by Design, not Monolithic
Linux is Not Constrained by an RPC Model
Linux servers are ideal for headless non-local administration
Oh yeah, that's unbiased.
Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
Sorry, but as long as something like 90% of all the 'reports' about Linux being more secure and 'mythbusting' reports are written by Linux supporters or have some business in seeing Linux succeed, I'm going to take this with a grain of salt. I'm not trying to say Windows is safe, but you can't expect me to believe this when a 'report' like this comes out every other week. If this guy was an ex-Windows programmer I'd be more understanding, but "former lives include editorial director of LinuxWorld"? Somehow I doubt they ran Windows on their machines.
Well when one side has research that is correct, and the other side is making shit up, who are you going to believe?
The article was written by a person who has a vested interest in Linux. I'm not saying that Windows is more secure or not, but you need to take in the bias in the article objectively. It's like politics, one side always thinks their side is the right side.
And besides, last night while I was watching $stupid_cable_news_show I saw an ad for Microsoft. It said they were secure. Then I saw that same ad in $idiot_management_magazine. They can't advertise it if it's not true, so we should go with Windows Server 2003 for our new application.
And, besides, I just got Microsoft to sell Windows Server 2003 for $50 per copy by saying we'd switch to Linux. Here's the box, now go install it.
You have two hands and one brain, so always code twice as much as you think!
I look forward to the Fedora SELinux project getting a good workable set of policies so that SELinux can default to being on for Fedora installs. Once that happens the "Linux is more Secure" claim will actually have some serious hard evidence behind it. SELinux and other Mandatory Access Control systems (anything hooking into the Linux Security Module in the kernel really) really are a serious step up in security, and there really is nothing comparable in the windows world.
A good way to think of MAC or SELinux is as a firewall between processes on your machine and the files and devices etc. on your machine. At the kernel level there is a set of rules, at pretty much as fine a grained level as you care to write, as to what can access what. It's well worth reading the FAQ to get a fuller idea of what we're talking about here.
Jedidiah.
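The "firewall between processes and files" idea in the post above, as an added example that is not part of the thread and not code from the SELinux project: a small Python checker that parses a constructed set of SELinux-style type-enforcement `allow` rules and answers access requests with default deny, the same decision model a kernel MAC hook applies. The type names (httpd_t, httpd_content_t, shadow_t and so on), the sample policy and the request list are all constructed for illustration; the output lines are only formatted to look like AVC audit messages and are not real audit records.

```python
"""Toy type-enforcement checker in the spirit of SELinux allow rules.

Added illustration (not SELinux code): parse a handful of constructed
`allow source target:class { perms };` rules and decide whether a process
of one type may perform a permission on an object of another type.
Anything not explicitly allowed is denied.
"""
import re
from collections import defaultdict

# Constructed sample policy (not a real distribution policy). The syntax
# mirrors SELinux type-enforcement `allow` statements; type names are assumed.
SAMPLE_POLICY = """
# web server may read its own config and content, and append to its logs
allow httpd_t httpd_config_t:file { read getattr open };
allow httpd_t httpd_content_t:file { read getattr open };
allow httpd_t httpd_content_t:dir { read search getattr };
allow httpd_t httpd_log_t:file { append create getattr open };
# no rule mentions shadow_t or user_home_t for httpd_t, so those stay denied
"""

# allow <source> <target>:<class> { perm perm ... };   or a single bare perm
RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;$")


def parse_policy(text):
    """Return {(source, target, class): set(perms)} for every allow rule."""
    rules = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {raw!r}")
        src, tgt, cls, perms = m.groups()
        rules[(src, tgt, cls)] |= set(perms.strip("{}").split())
    return rules


def access_allowed(rules, source, target, cls, perm):
    """Default deny: only an explicit allow rule grants the permission."""
    return perm in rules.get((source, target, cls), set())


def audit(rules, requests):
    """Evaluate (source, target, class, perm) requests and return AVC-style
    lines (constructed format) so denials read like an audit log."""
    out = []
    for src, tgt, cls, perm in requests:
        verdict = "granted" if access_allowed(rules, src, tgt, cls, perm) else "denied"
        out.append(f"avc: {verdict} {{ {perm} }} scontext={src} tcontext={tgt} tclass={cls}")
    return out


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for line in audit(policy, [
        ("httpd_t", "httpd_content_t", "file", "read"),    # explicitly allowed
        ("httpd_t", "httpd_log_t", "file", "append"),      # explicitly allowed
        ("httpd_t", "httpd_content_t", "file", "write"),   # class matches, perm never granted
        ("httpd_t", "shadow_t", "file", "read"),           # no rule at all: denied
    ]):
        print(line)
```

The point the checker makes is that the web server type gains nothing it was not named for: a write to content or a read of shadow_t is refused even though the same process is allowed to read content and append logs, which is exactly the per-process, per-file granularity the post describes.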
for every time someone wrote yet another comparison between the two OS' to reinstate what's already known... well I don't know what I'd do with the money, probably buy some computer parts, but I'd have a lot of it!
...are usually dismissed as "astroturfing" when Microsoft comes out on top.
Linux's design is not vulnerable in the same ways, and no matter how successful it eventually becomes it simply cannot experience attacks to similar levels, inflicting similar levels of damage, to Windows.
So because someone says something it should be taken as truth? Crackers are an ingenious lot, and security holes are security holes are security holes. They WILL be exploited in linux sooner or later.
Yeah. right. And there is a world market for perhaps 5 computers. Famous last words, that.
Obviously not. Look, this is not an issue where you're going to get unbiased reporting. No one's going to do your critical thinking for you! You have to look at both sides, consider what they present, and use your brain (Yes, I believe many humans do have this strange device in their skulls).
I know it may be painful because you don't use it too much, but, do give it a try. It really helps.
meh..any system is only as secure as its users anyway..which i suspect is why linux has practically no problems.
Basically anyone who knows what a terminal window is isn't likely to run suspect attachments or not configure a firewall
I have discovered a truly remarkable sig which this post is too small to contain.
The author bashes Enterprise Server 2003 as being unstable, quoting MS's average uptime of around 59 days as evidence of this.
What people forget to mention is that MS security patches seem to like reboots, due to the way file locking works on Windows. Thus, whenever a "critical" flaw is released, they have to either patch it with a workaround (firewall rules, etc.) or they need to reboot the server.
When I was running an internal-only Enterprise 2003 server (behind several firewalls, no public IP) the only reboots I ever experienced were those related to environmental factors: the power went out for longer than the UPS could keep the server online for; etc.
After I started maintaining an externally-accessible 2003 server, I configured autopatching on it from Windows Update, and it reboots itself about once a month.
According to my calculations, this still meets the 99.9999% reliability that MS claims the server to be able to provide, on enterprise-grade hardware (and what I am running on is decidedly not enterprise-grade, unless eMachines has recently broken into the enterprise market and I forgot to read the press release.) Reboots take about 4 minutes to shut down, restart, wait for the services to resolve themselves, and try again. If I was so inclined, I could tweak this to be lower (1 whole minute is because the web server loads before the network module does, can't find an IP to bind to because IP isn't enabled yet, and fails to load, then waits to retry.)
It's a different design philosophy. My systems don't get "crufty" and crash, but they do have to be rebooted to apply security fixes. However, 4 minutes a month isn't a hardship, and anyone who says it is needs to either look into something transparently redundant, fault-tolerant, or reevaluate why they are so dependent on that one system in the first place.
Windows security versus Linux security. What's better?
I bet the next article will be "the Miami Dolphins versus the Arizona Cardinals. Who's better?" For non-football fans, we can discuss the LA Clippers vs the Washington Wizards.
Fascinating!
Petreley concludes that Microsoft's efforts to dispel Linux "myths" are based largely on faulty reasoning and overly narrow statistical analysis.
Microsoft, official platform of the 2004 presidential campaign.
... turning to the 3-D map, we see an unmistakable con
I'm not taking that statement as true simply because someone said it. If I did that, I'd believe all of Microsoft's claims in the other direction, too. I believe it's true because it's a logical argument and can be backed up with evidence, whereas the claim that if Linux were more popular it would be just as vulnerable is pure conjecture.
Holes are holes, no doubt about that. Linux just has fewer of them because of good design principles.
..at the head of the article
Someone tried to get it in there quickly for extra mod points or something, please mod it back down--yuck
Though this was interesting, it would be nice to see something comparing OS X security to Windows security. When you think about it, they're both relatively proprietary OSes. Sure, Microsoft has their "Shared Source" stuff, and OS X is based on Open Darwin, but really the two would be a better match because of their commercial status.
Sure, there are enterprise Linux distros from companies like Red Hat, but you can still get a lot of use out of a non-commercial distro. There are so many ways that you can change Linux to make it more secure that comparing it to a rigid commercial OS is a bit inappropriate. I'm not saying that I think the article was pointless, just that we should give equal attention to systems like OS X or even some of the other commercial UNIX distros for that matter.
Saying "I'll probably get modded down for this" in a post is the best way to get it modded up.
http://www.infoworld.com/articles/hn/xml/02/09/05/020905hnmssecure.html
The failure of windows and success of linux has nothing to do with linux's unique design. It is a mimic of unix to some degree, which does things in layers and all that goodness. The same can be said about OpenBSD, HP-UX, OSX and a few others.
-
ping -f 255.255.255.255 # if only
a proof-of-concept, but a good enough incentive to keep your machines patched!
http://freaky.staticusers.net/ugboard/viewtopic.php?t=10712
http://www.macintouch.com/opener.html
...no, I'm not kidding and I'm not talking about slashdotting. So special thanks are due to the poster of the "In case of slashdotting" article.
I haven't been able to connect to The Register for three days now, BTW. I'm glad that others have been able to.
Haven't we all heard this stuff before?
Will be exploited? Download the metasploit framework sometime; there are more exploits for Linux than for Solaris or Windows. But this is where the guy's point becomes important: because of how Windows deals with security tokens (here is a good place to start if you're curious), any exploit that gains access can probably execute code in the SYSTEM context.
So, of the Linux exploits that are trivially available to exploit, none can reliably execute arbitrary system code, while all of the Windows exploits can. That's not this one guy's opinion, that's just how the operating systems work.
All's true that is mistrusted
Hahahahahahahaaahahahahahaahahahahahahahaha*cough* hahaahaaahahahaaaaa...
What a load of tripe.
Just when you thought MS Marketing were the best at this kind of thing, along comes an article like this from the Linux camp. Of course it's immediately hailed as the gospel from /.ers without any discussion on the merits of its actual content. But if you look closely, isn't this just reverse FUD?
I peck shit out in OpenOffice.org these days. You still stuck with Word, huh?
RSBAC should perhaps be considered. It is far more modular, has been in production use a lot longer, and has none of the disadvantages of selinux (eg works with any filesystem, needs no patches to filesystems, doesn't break other kernels on the same machine). It has a list of protections, has official PaX and virus (malware) scanner support, and the developer is always willing to take ideas from people and quickly fix issues. I would be interested in a detailed comparison of the two between slashdotters, thoughts and experiences etc.. But from everything I can see, RSBAC seems far superior. RSBAC.org
OK, shocker subject line. But, in a sense, it's true!
I've read about the fact that while XP/SP2 contains numerous changes that present real improvements, it is largely a recompile of XP with a new compiler that enforces buffer size.
While that doesn't fix buffer overrun bugs, it certainly limits their potential negative security implications. When will this buffer enforcement be available for gcc!?!? I know, there are 3rd party apps, but as long as it's a 3rd party app, I won't get these benefits with a torrent-obtained Debian CD...
I would be perfectly happy to live with a few percentage points of performance hit to get this benefit!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
The article is not misleading because the author is a linux advocate.
Now you are right if you want to remind readers to keep that in mind, but dismissing an article not on the base of its merits, but because the author is supposedly biased (mind, you didn't show or prove in any way that he was actually biased, you just wanted us to take it for granted) is a logical fallacy.
If you don't like the findings of the article, please tell us why, simply accusing the author of bias won't change the facts, sorry.
Argumentum ad Hominem
"Circumstantial: A Circumstantial Ad Hominem is one in which some irrelevant personal circumstance surrounding the opponent is offered as evidence against the opponent's position. This fallacy is often introduced by phrases such as: "Of course, that's what you'd expect him to say." The fallacy claims that the only reason why he argues as he does is because of personal circumstances, such as standing to gain from the argument's acceptance."
http://www.fallacyfiles.org/adhomine.html
When I open some page on IE6, it asks me "do you want to allow software such as activeX controls and plugins to run"... What am I supposed to think ?? and how should I respond ? Yes ? No ? (s/me/my parents/). Why on earth does it not tell me that this page contains something that requires "macromedia flash" to render ? At least, I could somewhat distinguish between spyware and things that I need to see. And if they were even a little smarter, I could memorize this choice for later instead of being bugged every time.
This type of implementation of security related features is precisely why nobody uses them and they get their machines bloated with spyware, malware, viruses and such.
The inability to update a machine via a 56k modem is probably another reason why I know so many friends running unpatched OSes (any offline installable M$ update anyone ?). Grrrrrrr....
I used to wonder at the blinders-on group think of the hidden source folks. The elaborate unreality of their arguments was a puzzle, until I figured it out. Now I understand; it's all about the dream.
While some might dismiss the article because he is a Linux advocate, that's missing the point. His piece is geared toward Linux advocacy, but avoids the usual rhetoric. I kept looking for the usual Gates bashing, but didn't find any.
What I found instead were hard facts, distilled from public data. He didn't say, "I performed some tests which prove Linux is better." He took the publicly available information, analyzed it, and reported the results.
The response by the Microsoft marketing droids and vassal fudmeisters will be instructive to anyone who really thinks about it. Don't take away their dreams of a gold mine, at least not until they've got a Ferrari just like the guy in the next cube.
sigs, as if you care.
"Open Source Software is inherently dangerous"
Weasel words like "inherent" are convincing to dumbed-down folks. ./ ain't buying it though. God bless individualism.
"Statistics 'prove'..."
Ahhhh, the old "who can argue with scientific fact" line.
Provide us with "science" to back up this claim. Properly vetted, peer-reviewed science from an unbiased source, unfunded by those with a vested interest in the outcome please.
The psychological use of fear and "scientific" studies to convince the average American is not new. Read carefully the language of Microsoft and you'll hear JD Rockefeller, Andrew Carnegie, JP Morgan, etc. What you have to read carefully to find is their own fear that they are losing monopoly control. Big Oil was able to buy corrupt officials and maintain their decidedly un-capitalist ways. Will Microsoft?
Very well - here's why. This article neatly sidesteps the results of the Forrester survey which showed that MS patches faster than people like Redhat. And the whole paper is highly unprofessional. I mean - at one point, they complain that they can't get enough information because the CERT search engine isn't good enough. What should have been a rant on a fringe newsgroup is being given overdue importance
I mean, RTFA, it's mostly about servers.
And btw., your anecdotal evidence about the market share of linux on the desktop disagrees with some not so anecdotal studies that claimed Apple and Linux have about the same market share on the desktop.
I hate to say it, but at first glance the article looks dead wrong. The linux kernel is monolithic by design, however it also incorporates modular (dynamic loading) drivers.
Granted, the general population reading this article won't know the difference, but it still seems misleading. At least they do expose the truth, just hidden well: "The Linux kernel supports modular drivers, but it is essentially a monolithic kernel where services in the kernel are interdependent."
# fuser -v
#
All I see there is a scared monkey...
I don't know what this guy is talking about. Windows uses spheres for permissions to run stuff. On the inside, you have all Microsoft Programs and on the outside you have all Non-Microsoft programs. See? They use spheres just like Linux.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
Oh wait, there's none, you just claim the article is biased.
Interesting indeed.
And I'm shocked your mother didn't swallow you. What's your point?
I think the author of the report is correct in many ways, but he is far too biased. Besides being clearly in the Linux camp for a long time, he is very deceptive in his explanation of the operating systems. For example, he claims Windows is monolithic by design while Linux is modular by design, citing that you can't untangle pieces like IE.
However, it is clear that Windows is monolithic in practice and modular by design, as all those pieces actually can be swapped, it just can't be reasonably done because of third-party programs and a lack of replacements.
Linux, by contrast, is designed with a mix of monolithic and modular, with some monolithic components which just don't budge (the Kernel, X) and many which can be swapped to high hell (browsers, desktops, mail readers).
First, Petreley is biased. Those with a memory will remember him from the OS/2 wars. He is a long-term Microsoft critic with a long-established track record. This is a comment on the author, not on the work.
Second, comparing patches is inane. This is by no means a comprehensive security audit, just an enumeration of the fixes released by two vendors. It does nothing to compare the number of vulnerabilities in the respective products, it simply compares patches. Since Windows is used by far more people than Linux, it's reasonable to expect more bugs to be discovered in the Windows product. Assuming all other things are equal, which we know they're not.
Linux vs. Windows cannot be allowed to devolve into a repeat of OS/2 vs. Windows. I have nothing against Nick -- I often enjoy his writing -- but you have to recognize an established perspective.
http://drteknikal.blogspot.com/
I think you got your 9 key stuck down.
There are 60 x 24 x 30 = 43200 minutes in a month
If you are down for 4 minutes a month, you have
((43200 - 4) / 43200) x 100 = 99.9907% reliability,
That's 4 nines, not the 6 nines claimed. Each additional nine is way harder to achieve, e.g. 5 nines is about 5 minutes per year so you only get to reboot once a year at that speed!
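The arithmetic in the post above, as an added Python example that is not part of the thread: given minutes of downtime and a period it reports the availability percentage and how many nines that is, and, going one step beyond the post, it lists the downtime budget each nines level allows per month and per year. The 30-day month is the post's own assumption; the 365.25-day year is mine.

```python
"""Availability arithmetic for the reboot-per-month discussion.

Added example: availability from downtime, the count of leading nines, and
the downtime budget per period for each nines level. Constants and the
sample inputs below are constructed for illustration.
"""
import math

MINUTES_PER_MONTH = 60 * 24 * 30       # the 30-day month used in the post
MINUTES_PER_YEAR = 60 * 24 * 365.25    # calendar year including leap days (assumption)


def availability(downtime_minutes, period_minutes):
    """Percentage of the period the system was up."""
    return (period_minutes - downtime_minutes) / period_minutes * 100.0


def count_nines(availability_pct):
    """Number of leading nines in an availability figure, e.g. 99.9907 -> 4.
    The small epsilon keeps exact boundaries such as 99.999 from rounding down."""
    unavailable = (100.0 - availability_pct) / 100.0
    if unavailable <= 0:
        return math.inf
    return math.floor(-math.log10(unavailable) + 1e-9)


def downtime_budget(nines, period_minutes):
    """Minutes of downtime per period that 'nines' nines of availability allow."""
    return period_minutes * 10 ** (-nines)


if __name__ == "__main__":
    a = availability(4, MINUTES_PER_MONTH)          # the post's 4 minutes/month
    print(f"4 min/month -> {a:.4f}% ({count_nines(a)} nines)")
    for n in range(3, 7):
        print(f"{n} nines: {downtime_budget(n, MINUTES_PER_MONTH):8.3f} min/month,"
              f" {downtime_budget(n, MINUTES_PER_YEAR):8.3f} min/year")
```

Each extra nine divides the budget by ten, which is why a monthly patch reboot of a few minutes sits at four nines and why six nines leaves well under a minute per year for everything, patches included.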
PDF mirrored at:
Security Report: Windows vs Linux
I read the article and it seems more like a linux strengths, windows weakness type of article. I suspect he went through securityfocus advisories, located the major culprits in windows security vulnerabilities and then came up with his os analysis. I was hoping someone more educated in the operating system development/design field had come up with this analysis.
did you forget to take your meds?
just so you know, the graphic rendering process DOES ... ... a REAL belong into the innermost core sphere. it's the future!
i know (reading the article) that in linux the, say, JPEG rendering function runs with the same rights as the program needing it. but looking ahead the regular "shell" will be a functional antique, like a typewriter. you can make analogies with many ancient office entities like typewriter, folders, desk etc. but since an average joe in a modern office will have no knowledge of this whatsoever it is time for a new paradigm. the computer is not an ancient office but modern and this and next year it will pull itself out from this "old look" into something truly binary, truly computerized and not a stale image/copy of an ancient (non computer) office
so during this time we will see many (difficult) exploits and flaws but this is because the computer is stepping into a new era, a computer based era.
folder, desktop, etc. are terms from the ancient office paradigm
I read the article but it really doesn't address much.
It is clearly a Linux slanted piece. There are plenty of myths on both sides and he only examines a few, all in a specific effort to make Linux look better, but even then some of the reasoning is not that solid.
He brings up attacks on Apache as being proof that Linux is attacked as much as Windows, but virtually all security breaches these days are done on the desktop and Windows does get attacked here more ferociously than Linux because of its ubiquitousness (sp?).
If you really do pay attention to SecurityFocus and to the security bulletins of your favorite distro, you'd be hard pressed to say that Windows or Linux had any demonstrative lead in security patches. I get just as many security bulletins from Red Hat as I do from Microsoft. I mean it's nearly 1:1
A small sampling (These are kind of old now, RH kicked me off their service for some unexplained reason and I've gotten no alerts for months now)
* RHN Errata Alert: Updated OpenOffice packages fix security vulnerability in neon
* RHN Errata Alert: Updated libpng packages fix crash
* RHN Errata Alert: Updated mc packages resolve several vulnerabilities
* RHN Errata Alert: Updated utempter package fixes vulnerability
* RHN Errata Alert: An updated LHA package fixes security vulnerabilities
* RHN Errata Alert: An updated X-Chat package fixes vulnerability in Socks-5 proxy
* RHN Errata Alert: Updated httpd packages fix mod_ssl security issue
* RHN Errata Alert: Updated kernel packages resolve security vulnerabilities
* RHN Errata Alert: Updated Subversion packages fix security vulnerability in neon
* RHN Errata Alert: Updated cadaver package fixes security vulnerability in neon
* RHN Errata Alert: Updated CVS packages fix security issue.
And so on...
I really hate to see these kinds of articles that try to play into the "Relax: Linux is secure by [Design|default]" mindset because it actually hurts Linux' overall security. The mass mind set will not even think they have to pay attention to keeping their systems up to date and actually secure because the mantra is dangerously overriding real information.
Yes, it goes both ways, but is FUD vs FUD better than FUD vs Honest reality?
Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
Come on people, any OS can be secured or left insecure. If the admin takes the time to secure the box it will be secure. If a hacker takes the time to hack the box it will be hacked.
I understand that certain parts of each operating system are more or less secure than the other due to the way they were written, but the bottom line is both can be secured "sufficiently" if the user / admin takes the time to do the work.
No sig for you. YOU GET NO SIG!
According to my calculations, this still meets the 99.9999% reliability that MS claims the server to be able to provide, on enterprise-grade hardware (and what I am running on is decidedly not enterprise-grade, unless eMachines has recently broken into the enterprise market and I forgot to read the press release.)
Nope.
Reboots take about 4 minutes to shut down, restart, wait for the services to resolve themselves, and try again.
4 minutes/month == 48 minutes/year.
99.999 availability means 5.26 minutes of downtime per year.
At best, you've got around 99.99% availability.
However, 4 minutes a month isn't a hardship, and anyone who says it is needs to either look into something transparently redundant, fault-tolerant, or reevaluate why they are so dependent on that one system in the first place.
It isn't about "hardship". It's about reliability. Getting that last .009% is very difficult and really doesn't give you much in terms of real world reliability for MOST business needs.
But for those that require it, it is available. And because it is available to those, it is available to everyone. Even those who do not need it.
Sure, my print server probably doesn't need 99.999% reliability. But because it has it, I don't have to worry about it.
In my experience, it's the reboot that causes the hardware failures. The fewer reboots, the fewer chances for hardware failure.
I warn all you Windows users, get your computers ready for a huge increase in malware during 2005.
Congress just passed a law against SpyWare, which will not come into effect until October of 2005. It will have no effect in stopping SpyWare. It will only encourage more spyware from foreign countries. When some states started passing laws against spam email, the amount of spam just increased. Good luck with your Windows boxes.
I am getting sick and tired of fixing people's computers that have Worms, Viruses, SpyWare, etc. All my friends and family come to me for fixes, because they keep getting malware. I hear that a lot of people just buy new computers because the cost is low for a new computer, and their current Windows box has 95% of the CPU dedicated to malware, which they are powerless to remove.
Sure, a few of you Windows users know how to set up your XP with security software, and run with an account that is not Administrator. But that is not the default configuration for Windows. And, most Windows users would not know how to set up the computer in any way other than the default insecure installation.
There are 10 types of people in the world... those that understand binary and those that don't.
From the article:
Fact: Quite a broad collection of 'facts' exist in this category, but what they have in common is the (actual) fact that they are usually based on single metrics, on a single aspect of measuring security. Claims that all Windows flaws get fixed are baffling when we consider that there are Microsoft Security Bulletins saying some flaws will never be fixed, and the existence of these also makes it tricky to understand how the fix rate could ever get to be 100 per cent. In the case of Forrester, which produces the 100 per cent as the Windows result for one of several metrics, it is arrived at through tallying flaws and fixes within a specific period. In the same metric Red Hat 'comes second', on the basis that one flaw was not fixed within the period. This is a rickety base for Microsoft (not, note, Forrester) to build a security campaign on.
Of course you can find even more on the subject in the actual study. Try actually reading it, it's worth it.
It was a joke dammit. Meh..
Just as the authors of this report claim "it takes only a little scrutiny to debunk the myths and logical errors behind the oft-repeated axioms (that suggest Windows is more secure)" their myth busting arguments also do not stand up to scrutiny.
For one, they speak at length about the uptime of web servers. While some downtime is related to security flaws, there is not a direct correspondence between security flaws and uptime. I find this metric completely unreliable as a method of assessing web server security.
This is essentially their only argument for the first two myths.
For the third, they mention flaws that Microsoft will NEVER fix. They don't bother to mention that these flaws only occur in older, "obsolete" operating systems. Does Red Hat issue patches for version 1.0 anymore? The rest of their argument makes much more sense, however.
(Haven't read the rest yet.. but this thus far makes me skeptical that this is an unbiased report.. )
I am the maverick of Slashdot
Given the default restrictions in the modular nature of Linux; it is nearly impossible to send an email to a Linux user that will infect the entire machine with a virus. It doesn't matter how poorly the email client is designed or how badly it may behave - it only has the privileges to infect or damage the user's own files.
Apparently this guy forgot about the (repeated) Sendmail vulnerability of the pipe '|'. Or was that Unix only?
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
And it simply ignores that normal users would not be able to just run an attachment by clicking on it on a linux box and that with linux it is even possible and convenient to work as a normal user and not as an "administrator".
Thanks to the mods for modding parent insightful, btw.
I read through the article, and was honestly shocked at some of the claims the author made when describing Windows in relation to Linux.
Note that the purpose of this post is not to say "omg windows >>>> linux all you penguin lovers rot in hell" like a lot of this story will be. I am merely trying to clarify some of the author's points.
"Myth: Safety in Small Numbers"
"Furthermore, we should see more successful attacks against Apache than against IIS, since the implication of the myth is that the problem is one of numbers, not vulnerabilities.
Yet this is precisely the opposite of what we find, historically."
Running through 3GB of archived log files, from Apache running on 2003 Enterprise Server, I have concluded the following:
54% of attacks against IIS (Unicode traversal, buffer overflow, cgi, alternate data streams, etc.)
46% of attacks against Apache (htpasswd.exe, httpd.conf, .htaccess, some odd batchfile script attacks with args to copy httpd.conf into htdocs, etc.)
"Precisely the opposite" is hardly the right phrase to use in this situation. Sampling error among different web sites (due to different audiences, traffic rates, etc.) could easily account for the fact that IIS out-edged Apache here.
As for the *successful* part of the author's claim, there was a 0% success rate across all queries directed at servers I either have access to logs on, or directly control. I have also experienced Apache servers being compromised (more often due to user-induced security holes than design flaws) but in the end, the user leaving a filedrop which allows php scripts to execute, and such, is as dangerous as a buffer overflow. They are each different but functionally equivalent ways to circumvent the security of the system it is running on.
"But it does not explain why Windows is nowhere to be found in the top 50 list. Windows does not reset its uptime counter. Obviously, no Windows-based web site has been able to run long enough without rebooting to rank among the top 50 for uptime."
Part of the Windows operating system's underlying design involves its file locking semantics. Files in-use by the operating system, providing needed functionality, can't be easily replaced while the system is running. Windows solution? The in-use-file replacement tool is able to change the bits on disk, but not the memory addresses they map to. So, the copy in memory doesn't match the copy on disk -- and the copy in memory is the old (flawed) copy. This is rectified by...you guessed it...refreshing the copy in memory. And what's the easiest way to do this? Reboot the server and reload it from the disk, if the module you're talking about happens to be, say, the Local Security Authority or the Windows Kernel.
I mentioned (with some flawed math) (http://slashdot.org/comments.pl?sid=126724&cid=10600161) in more detail the reasons Windows servers are often down there on the patches. I did miscalculate availability. My servers average in the 99.9952% range. Which means they're down for a few hours a year. Sure, not carrier grade, but not too shabby either. Well within the reasonable expectations of most businesses. (Source: http://slashdot.org/comments.pl?sid=126724&cid=10600658 by hehman) Note that the situations where Windows is likely to be used probably aren't nuclear power plants, airplane control software, etc. Thus, the additional powers of 9 aren't really a factor.
"Myth: Open Source is Inherently Dangerous"
I agree with the author here. Having the source code doesn't really have an impact as to whether or not a hacker can find an exploit -- there are enough tools to automate exploit finding in streamed data, especially web connections.
"Myth: Conclusions Based on Single Metrics"
Another valid point. One can spin statistics any way you want to, and have the math be perfectly valid, to reach a meaningless conclusion. Anyone who's taken statis
yeah but wasn't the main problem with buffer overflows something to do with system memory? aren't AMD and Intel set to release chips with this kind of security capability by christmas? then all we need is kernel modules for it, right?
Mirror of the full report
Why didn't you start with discussing the merits of the study instead of simply claiming it was FUD?
What this report does is focus on the default potential for abuse by looking at recent publicly known issues.
That's handy, though if you only go with that and expect that your systems are secure you'd be better off doing what my friend did.
General rules:
If it's visible over a network, it's potentially abusable. (http://www.nessus.org, http://www.insecure.org/nmap)
If it's running locally, it's also abusable. If you don't absolutely positively require it, remove it -- even if it runs by some proxy process (inetd/xinetd or a similar daemon under Windows).
Wrappers, permissions, isolation at the router level...all should be configured.
Monitor log files and check systems. Automate what you can.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
He brings up attacks on Apache as being proof that Linux is attacked as much as Windows, but virtually all security breaches these days are done on the desktop and Windows does get attacked here more ferociously than Linux because of its ubiquitousness (sp?).
Then do not count the desktop issues.
Compare Windows/IIS to Linux/Apache and check the following:
#1. Which is exploited more frequently.
#2. What level of access is gained.
(root is different than defacing a webpage)
#3. How was that access gained.
(Local escalation of rights vs remote crack)
You'll still find that Linux/Apache is more secure if only because Linux/Apache is modular and you can easily identify and remove services and access you do not need (killing services you don't need is the second step in security, right after physical security).
If you really do pay attention to SecurityFocus and to the security bulletins of your favorite distro, you'd be hard pressed to say that Windows or Linux had any demonstrative lead in security patches.
Determining security by the number of patches released is beyond stupid. Yet lots of people do so. By that standard, MS-DOS is one of the most secure OS's available. Also, that leads into the Forrester "report" when holes are not counted unless (and until) they are formally recognized/patched by the vendor.
The best approach (IMO) is simple, Real World statistical analysis. Count the machines compromised and weight them by their marketshare (estimated in Linux's case).
100 million Windows machines, with 1% cracked == 1 million cracked Windows boxes.
5 million Linux boxes, with 1% cracked == 50,000 cracked Linux boxes.
Yet if we see 10 million cracked Windows boxes and 1,000 cracked Linux boxes, it is not because of marketshare.
Marketshare != security.
Circles within circles. Look within the numbers to find the facts. A remote root exploit on Linux, in a module that isn't used by anyone is not the same as a remote system exploit on Windows which most people don't even know they're running (or why).
While I agree with some of what he said, his writing style ended up creating just about the most biased article I have ever read.
being a rather strange person, I hangout on slashdot... err, I mean I think of totally weird stuff and wonder "what if"? I wonder "what if" there is a way to take a fax full of code and parse it into something useable and automagically? That might be -if it exists or if it can be done- a way between slow snail mail CDs or Floppies and "normal" but potentially insecure and coming too late internet-based traditional update methods....
for an article comparing the strengths and weaknesses of MS and Linux, there are very few MS bashes modded up.
Anyways, to the posts that the guy is biased, well he is.
But then again so is everyone.
I consider other people's bias (and mine) based on the rationale behind it, and the lucidity.
The article, whilst I have some contention, is quite good overall.
The number of Linux desktops does contribute to the number of insecure systems. Given a (hypothetical) probability of a Linux desktop being insecure of 1/1000, a million Linux desktops will have more insecure systems than 100,000 desktops.
My view:
Security is a combination of the inherent strengths/weaknesses of a system, its users' (admins') capabilities and the numbers deployed.
Toss it up high,
the machete is already sharpened;
since you are bathing anyway,
you may as well get soaked.
Not that Linux is any better. The RPC systems for Linux/UNIX are clunky afterthoughts built on top of sockets.
Ummm.... Ummm... if all doctors are fobs, and all fobs are blue, are all doctors blue?
I understand what he is trying to say (i hope), but the logic... won't somebody think of the child nodes?
From the article:
According to the Summer 2004 Evans Data Linux Developers Survey, 93% of Linux developers have experienced two or fewer incidents where a Linux machine was compromised. Eighty-seven percent had experienced only one such incident, and 78% have never had a cracker break into a Linux machine. In the few cases where intruders succeeded, the primary cause was inadequately configured security settings.
So does that mean:
7% experienced more than 3 incidents?
And how can 87% have experienced 1 incident while 78% had none?
I found the discussion of server uptime interesting. I know that for just about every Windows Security Patch the server must be rebooted. Given the release of critical security patches about once a month, the servers with 56 day uptimes haven't had the required patches applied and are vulnerable. The expense of redundant equipment necessary to keep windows applications running with no down time is far greater than other OS's.
I Bill Gates can prove that Windows is more secure than Linux. Watch as I write it down on this piece of paper. SEE? See what it says? It says 'Windows is more safe'. Don't believe me? Watch me pay someone else to say it. Believe it yet? Well how about if I buy an expensive report and tell them to say Windows is safer. Now do you believe it? NO!!
Damn, who do I have to buy off to make you people believe that Windows is safer?
This is my sig. There are many like it but this one is mine.
A system can have 99.999% reliability and be offline more than 5.26 minutes per year.
The point of a reliability metric is that there is less than 5.26 minutes of unplanned downtime per year.
Applying a system patch and rebooting a system, as part of a normally scheduled maintenance routine, is perfectly legitimate.
That 4 minutes a month is planned downtime though and therefore exempt from the uptime accounting.
Anyone else tired of this stuff?
I'm sorry, I love linux (I use slack at home) but this "report" seems to be nothing more than another "yea linux!" cheerleader piece. I couldn't help but notice the authors' obliviousness to the other side of the argument (I'm not saying Windows is better, far from it, BUT there are points that need to be addressed.) I was hoping that this would be a calm, well thought out piece on something that I believe in: Linux is more secure and stable than Windows. How I was wrong. What the linux community needs is a comprehensive BELIEVABLE and intelligent paper on this subject. I need something that I can take to my boss and say, "Look! See, linux is better." If I gave him this paper, he'd laugh and say, "This is why we don't use linux, you people are nuts."
"When I want your opinion, I'll give it to you." --leonstryker
I know it's going to be modded -1 Redundant, but you asked for it.
So then what is every "research article" on the MS site, then? Pretty words with shaky backing...
Further, at the risk of you reading the entire thing - they also describe how the overall architecture of the Windows vs. Linux system affects security as well as address many other misconceptions and issues with the "official" Forrester report. You're picking on, and mis-representing, a small number of the issues in the paper - a very large amount of which is completely valid. Through that, you want to discount the entire document?
Whatever, it doesn't sound like you'd pay attention regardless of what it said.
I think it's YOUR post that should be a rant on a fringe ---
Oh wait...
Computer Science is Applied Philosophy
Now, take a recent Linux box (the distro doesn't matter) and apply all official patches and upgrades, as released by the distro and the various package maintainers.
Each machine must have directly comparable software installed. Where possible, this should actually be the same software. You don't want to have too many variables in this. You're going to have some, but by keeping things uniform, you should be able to keep things sane. The other thing is that you want SOME closed-source software on Linux and SOME open-source software on Windows.
Before we do the tests, we need some diagnostics software on the machines. Memory bounds checkers, system load monitors, host intrusion detection software, etc. This will tell us what impacts we are having, beyond simply seeing if the servers and/or OS fall over or not.
At this point, we get to the tests themselves. Throw absolutely everything you can at the computers. Use every vulnerability scanner on the planet, every worm or trojan you can locate, use stress-testers, etc. Find DoS and DDoS packages, if any have been openly released.
Now we have some actual data, based on comparable usage and comparable attacks. The data will show that the different OS' respond differently to different attacks. (Surprise there, Sherlock!) We now need to determine which of the remaining variables are important.
The remaining variables are "underlying flaws within the OS", "inherent flaws, due to errors in the design methodology itself" and "unequal reporting of equal errors".
What you want to do then is a four-way analysis of variance. The first of the four components is the different vulnerabilities found within the different applications. The second way is looking at the variation between the different vulnerabilities within the OS' themselves. The third way is the variation of bugs reported for any given application, OS or combination, vs. what actually gets reported by groups such as CERT. The fourth way would be the difference in licensing policy.
The NULL Hypothesis for the applications is that all applications will have roughly the same number of vulnerabilities, regardless of what they do, what they're written for, the philosophy of the programmer, and the company producing the software.
It's doubtful you'd find enough applications, and enough vulnerabilities in each, to split the study in sufficient ways to cover all these points. However, it should be possible to collect enough to do a statistically meaningful study on a few of them.
The problem with AOVs is that you've got to have a lot of data, and that the amount of data you need increases very rapidly. You do get plenty of idiots out there who ignore the confidence level and even the methods of the study, looking for any slight comment that proves whatever they're wanting to say. Other times, even nominally sane people will do this, because they want/need the results too fast or too cheaply to do the work properly.
Let's say, for example, that the number of vulnerabilities found within the applications, when studying the variance between them, is pretty random. There's no discernible pattern. Let's also say that there's no significant variance found between FOSS and Closed Source. Then, let's say that we're in the 1% confidence level for both of these, which means that this will likely hold true 99% of the time.
We could then conclude that Closed Source vs. Open Source is purely a matter of personal choice. The net difference simply isn't significant to warrant going for one and ignoring the other.
Continuing with this fictional scenario, let's say that Linux and Windows show a VERY significant level of variance. We know, at this point, that it's not the Closed vs. Open nature,
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
MS is so messed up on uptime. I recently changed IP blocks on my web/mail servers. No reboot, 1 minute downtime once scripts triggered to reset everything. Blamo, new IP addresses all around, uptime almost 500 days.
Why waste the time or even bother, I think we all know what the results will be (with the exception of lindows) ohh im sorry linspire
Clear Winner here is Linux. You could throw RH 9 onto the net with no firewall or anything and there it would sit until someone hacked it.
Do the same with XP or W2k and within 20 minutes or less it would become infected and begin zombie operations.
Let's go to a patched server: in both cases they're still vulnerable. However there is a clear difference in vulnerabilities with the majority of Linux ones being in the realm of local hacks where in Windows you're still dealing with remote hacks and buffer overflows.
Yes in many cases both problems can be blamed on 3rd party apps but even in kernel to kernel comparisons Windows still is high on the list of being vulnerable.
Check back here for the answer at 3am...
You should respond, "No." Always.
With extremely limited exceptions, there are no sites out there that need to be fscking around with ActiveX. Any sites that require it are the result of unprofessional design and should be considered highly suspect.
ActiveX does have one or two limited uses, confined almost entirely to a corporate intra-net environment. As such, the extremely limited exceptions to the above rule are sites or systems you trust implicitly (basically, systems inside your own or your company's firewall); and windowsupdate.microsoft.com. There are no other exceptions.
As a garden variety Web surfer, ActiveX offers you nothing except an intrusion/exploit vector. It's worse than useless; it's dangerous. Turn it off.
Schwab
Editor, A1-AAA AmeriCaptions
You can (and maybe should) order an XP SP2 CD from Microsoft - it's free, all expenses paid by M$. Not patching your machine will only make the hackers and spammers happy. .... at least I'm secured against known vulnerabilities.
I'm on ISDN, so downloading XP SP2 isn't an option. I ordered the patch CD, and now my XP machines are patched & secure - so I hope
Does security really matter? I mean neither Windows nor Linux is secure, we see new ways to exploit them every few weeks or even days, be it some obscure attacks via manipulated PDF files or some remote root exploits via ssh or whatever. If people don't patch their system regularly they are lost no matter which one they use. So I see little point in comparing them on a "my system has more remote holes than yours" basis, especially when the break-ins are more the result of the popularity of the OS/app than anything else.
The real question should not be which system is more secure, since neither is; the question should focus more on which system is easier to maintain and makes upgrades and patches easy to install. If a system fails at that, no matter how few exploits it has, one unpatched is enough to get you into a hell of a lot of trouble.
Another question would be, what are the real alternatives and what will the future bring? I mean just patching C buffer overflows into all eternity is really not something on which I would build 'security', neither is the OpenBSD way of 'no features, no bugs' a real solution, since people will end up using 'features' and thus get bugs.
Let me see: the last 40 vulnerabilities for Windows 2003 means all vulnerabilities from September 10 2003 to date. The last 40 vulnerabilities from RHAT AS 3.0 means all vulnerabilities from April 14 2004 to date.
So it means for a start that it takes 1 year to find 40 vulnerabilities in Windows 2003, and just 5 months in RHAT AS 3.0. Not good for Red Hat.
A fair comparison would be including 1 year of security bulletins from Red Hat and from Microsoft. That way we could compare how many critical vulnerabilities they've had during the same time length. As it is right now, this report is BS (e.g. exactly what I expected from a biased/clueless guy like Petreley).
From everything I've read, NT has a good security model, under the covers - even better than most Unix variants. (like Linux) It's just that they don't use it effectively. Even further, the Windows culture is pretty much contrary to their making effective use of their own security.
Perhaps Unices haven't had as much security capability, but we've had the culture to at least understand separation between root and users. We've also had the open exchange that gets bugs reported and fixed, another cultural aspect.
But then again, now we have run-as-root Lindows / Linspire. This distribution REALLY SCARES ME, especially when they sell it into the novice market - the ones least likely to do proper maintenance and most likely to click on silly attachments. (as root, no less)
I understand Lindows / Linspire is trying to make something simple for the novice. But IMHO, they've done it in entirely the wrong way. Far better than running the user as root would be to have a standard setup of "user" and make the new user that. Then make a comprehensive set of sudo scripts, with extensive error checking, to administer the system.
BTW, the Linux security model isn't standing still, either.
The living have better things to do than to continue hating the dead.
Well, my Win2k box is fully patched and behind a FreeBSD firewall, etc etc. I've not seen any virus, from the beginning.
But, how about those numerous friends/relatives who still run win98 and can't update to something else without changing their hardware? I find it rather embarrassing that none of those update packs can be downloaded and installed *later* on other machines, it's pure nonsense to me.
Zone Alarm is like this. It is an application based firewall that works well, but can be confusing to configure because it asks to let each program access the net. Not all programs that want to access the net are named after their respective applications. I have had several people just turn it off out of frustration.
So windowsupdate.microsoft.com is an example of unprofessional design - update functionality doesn't require ActiveX in a web browser, as dozens of automatic update packages prove. I use automatic updates for many software products, and only windowsupdate.microsoft.com does 'require' ActiveX in a web browser.
The reason MS uses ActiveX at windowsupdate.microsoft.com is simple - you have to update Windows, and if you want to update Windows in a convenient way, then you have to use ActiveX and therefore Internet Explorer. It's just a part of the browser war, there is no technological necessity to use ActiveX for this purpose.
The point of a reliability metric is that there is less than 5.26 minutes of unplanned downtime per year.
No, it is downtime. Any downtime.
Otherwise, a machine that's only powered up 1 hour a year would still have 99.9999999999999999999%+ uptime for that year.
It's total downtime, planned and unplanned. Deal with it.
I agree. And there's more to it. One of Windows' biggest pains is the inability to back up the patches that have been downloaded by auto-update - I asked an MCSE and he didn't know how, so it must be impossible. ... GGGRRRRR.
So if you reinstall Windows (and you have to reinstall Windows every now and then - it's a feature), then you have to download all those patches again. Which is a problem, because the mean time for an unpatched machine to get infected is much smaller than the time needed to download all the patches.
Thank you for that post. Posts of that quality are a rarity on Slashdot...
I still have some concerns, though.
``At this point, we get to the tests themselves. Throw absolutely everything you can at the computers. Use every vulnerability scanner on the planet, every worm or trojan you can locate, use stress-testers, etc. Find DoS and DDoS packages, if any have been openly released.''
See, that, right there, leads to the problem I cannot see how to circumvent. You throw everything _you_ can find at the machines - but what if you can more easily find exploits for certain software than for others? Conversely, if you don't use available tools, but have a bunch of people try to break systems from scratch, there might be a bias in their skills that favors certain software.
``The third way is the variation of bugs reported for any given application, OS or combination, vs. what actually gets reported by groups such as CERT.''
I assume this corrects the problem mentioned above somewhat. You could try to exploit your test systems by hand, then compare your stats with CERT's, and conclude that either there is no apparent bias in either set of figures, or one of them is biased - but you wouldn't know which one. Or is there a thinko on my part?
I am an OS enthusiast, and I have a decent number of OSes here to test with. If I can really get convinced that such a test can be conducted in a meaningful way, I would like to actually do it.
Please correct me if I got my facts wrong.
SOoooooo, linux doesn't need reboots?
Sooooooo, compiling a new kernel doesn't require a reboot??
Alllllll those errata pages for linux are there for giggles, since it has no flaws???????
Point is, Linux does have flaws, and does need rebooting for MAJOR fixes, such as a kernel flaw, as Windows does. Change the core, you have to reboot to let the new core take over.
as far as security, wellllllllllll, no OS is secure if the user has no clue how to cfg it. Linux users are not NEWBS. While a huge portion of MS users are...and they wonder why they get attacked more...
Think of linux users as a gym full of pro boxers.
Think of MS user as a gym full of weight watchers (bloatware jab at MS intended).
Now, which gym will the mugger walk into and hold up the attendees???? think about it!
As the bloatware blimps learn more, and trim down, they move into the pro MS gym, and those folks are mugged about as often as a Linux gym attendee.
So if the users don't want to be 'mugged', they need to RTFM and stop blaming the OS for THEIR mistakes.
No, it doesn't work well - when you download newsgroup postings, then ZA will trash the attachments. It's a known problem, and it isn't fixed yet.
This fight is worse than the damn US Presidential Election. "My OS is better than your OS". BLAH, BLAH.
Do you know what matters? Cash, sales and total installations and lastly PERCEPTION.
The truth of the matter is that it doesn't matter which is better, it only matters which LOOKS BETTER, or is PERCEIVED AS BETTER or MORE SECURE for that matter.
Microsoft has pumped BILLIONS into making people BELIEVE that their products are the best, the most secure and the easiest to use and maintain. How much money has gone into the marketing of Linux vs. the amount that has gone into the marketing of Windows?
When was the last time you went to a "kick off" of a new version of the Linux Kernel?
Some people just never learn, you can spit the facts out until you are blue in the face, but the winner will have a bigger marketing budget!
People are warming up to Linux and are realizing the benefits of Linux; in addition, they are taking hard looks at how secure their current OS is. It will take time for the Linux based distributions to take a foothold in the enterprise.
The problem is that Linux is so widely dispersed, there is no way that you can compete with the Marketing power of Microsoft.
I am pgnas and I support this message
Maybe Darrell Huff's "How to lie with statistics" should become a mandatory read at all high schools - read a review here.
A very good read if you want to know how statistics can be (and are) abused to 'prove' all kinds of things.
Correct. Since ActiveX is completely unnecessary to the task of keeping software up to date, I would normally keep ActiveX turned off even for Microsoft. However, keeping Windows patched and up to date trumps that. And since Microsoft can (mostly) be trusted to not 0wnz0r our machines, I make an exception for windowsupdate.microsoft.com.
Schwab
Editor, A1-AAA AmeriCaptions
While I agree that it would be a good book to read I am not sure why anything, including high school should be mandatory.
I think better would be allowing children to grow up with free minds and then they would not need a book to tell them someone was lying to them...using statistics. Americans used to be able to smell bullshit twenty miles away.
This essay describes Windows as having evolved from a "single user" system. It also describes Windows as "monolithic in nature."
Both of those claims are unfounded. He says that Windows XP is a "big step" in multi-user support. However, he apparently (without saying so) is comparing Windows XP to the Windows 9x and DOS line of products.
The real comparison should be to the Windows NT line, as that is where XP evolved from.
Windows NT was designed from the ground up to be a multi-user system. It was also designed to be the single most modular OS around. Furthermore, it was designed with a network environment in mind and includes security features based upon those found in older Unix architectures (as well as VMS, where NT finds a good deal of its heritage).
This kind of thinking is also clear when comparing NT's scalability features. NT was designed for multi-threading - Linux was not. Only recently have Linux's threading and scheduler functions come close in capability to those of more modern OSes like NT and the defunct BeOS. BSD systems, while based on older technology than even Linux, advanced in this area much faster as well.
The misrepresentation of Windows' history is indicative of the author's bias. If you set out wanting to find a certain result, you'll probably give a one-sided treatment to attain your goal.
Yeah oh yeah - DRM and 'Trusted' Computing are just the first two examples that come to mind. And a couple of minutes searching my memory will turn up more examples of MS 0wnz0r our machines. I trust MS to 0wnz0r my machine on every occasion that makes them some money.
LRC, the best-read libertarian site on the web
Your post was so stupid that I fell down and hit my head when I was reading it.
I'll argue that rebooting on a scheduled time frame (with admins present) is very important. I cannot tell you how many times we've had a power outage only to find that critical systems have not come back online and a major panic ensues.
Why? Because these machines are so reliable they have uptimes for 200+ days. People install "beta" systems that become mission critical and never think about setting up the code to autostart in the rc files. Then we learn the lesson during panic time that starting up the system has never been truly scripted. I.e., you need to set environment variables, start from a specific directory, etc...
When I am put in charge of any system, I immediately create a reboot schedule to make sure I am learning these issues on my terms. Not during panic time.
-Nuke the moon
I think it would be interesting to create a 3D plot of the threat space using the metrics from the article as axes. Comparing the shape and size might be enlightening.
PS Note I said "it would be interesting", not "I would be willing" - it would be a daunting task.
It's interesting that they identify the entry-point for a majority of windows mal-ware as MSIE or any app that utilizes MSIE components.
This is just a "what-if" that I never expect any developer to take seriously but it would be quite interesting if someone did:
What if someone were to write some patches that link all connections to MSIE to the Mozilla rendering code? So that applications would either open up Mozilla/Firefox or call on their functions instead of MSIE components? I'm guessing it would eradicate a great deal of the vulnerabilities currently suffered. But I doubt anyone would seriously go through that much effort and work to attempt it given the complexity of the unseverable ties between the browser, the OS and various apps out there... but still... makes me wonder how Windows with an MSIE replacement would fare.
What's so special about the way Windows handles "security tokens"? If the exploit is in a component that runs as a limited user, you'll need an additional local root exploit to get System rights - same as in any other OS.
So, of the Linux exploits that are trivially available to exploit, none can reliably execute arbitrary system code, while all of the Windows exploits can.
Really? How?
The Vole has learnt a lot about security: Ballmer's quiet arguments
Some interesting quotes:
- Microsoft has admitted that it can't beat hackers all the time, but will do its best.
- Steve modestly said that Microsoft knew more about security than anyone else in the world, but hackers were getting much brighter to [Me: That is modest??]
-He also added that the biggest security problem Microsoft had were customers who did not upgrade their systems.
I use KDE and KMail and Kopete, both of which crash daily -- the 3.3.0 release of KDE sucked, but there is no FreeBSD port of 3.3.1 yet.
Neither is a big problem, because they only talk to the trusted servers and KMail uses SSL to check them. But both can be taken over by a properly crafted e-mail or instant message. I just hope that nobody will figure out how exactly to do it (rather than just cause it to crash). I compile stuff myself (from port) with my own compiler options, which should make any attack a lot more difficult...
Once in a while Mozilla crashes too, BTW, but Konqueror has been pretty good lately.
In Soviet Washington the swamp drains you.
... especially nowadays.
:)
:)
The administrator determines how secure an OS is, not the OS itself. OpenBSD is the definitive "secure OS", but one of its biggest warnings during the install is that it's secure until you play with it; what you do after that can compromise the security.
As an administrator and a software developer, this just seems like a bunch of bullshit made-up statistics by a bunch of people who don't know the slightest about security or programming in general. After all, they address Apache like it's a part of Linux, but gloss over the fact that Apache runs on Windows, too... People just don't use it (en masse) because it's not the best choice on windows for many reasons.
Bugs happen. A security hole is a grave bug indeed, but it's just another bug. If the hole were intentional, it would be a different thing.
Quality Assurance and robust design practices prevent bugs, not marketing or architecture or anything else (though design practices do include architecture). It's easy to write a shell script which is bug free:
-- cut --
#!/bin/sh
-- end cut --
One could say this is a "robust design practice". It doesn't need to do anything, so it doesn't. Get it?
MS has gone far in improving themselves, as it seems they're at a point where relying on their marketing over their integrity as software developers (one could say that marketing in the context of integrity is an oxymoron) is not working for them anymore.
To aid understanding of the conclusion, Linus's "World Domination" has already been achieved, just making sure we're still in power is the important thing.
After all, are you interested in better software or the complex equivalent of "mine's better than yours"? For those of you who want to keep singing the praises of Amazon and Google, keep in mind that eBay and Hotmail both make liberal use of IIS for its features, but they don't put it on the front line, either.
But the problem is (if you read the article...) that there are far more processes in Windows that run with privilege than those that are restricted.
To quote TFA:
THAT is what makes Windows different from any other OS and thus more vulnerable.
How come Slashdot never gets Slashdotted?
Just learned a new expression "burning a straw man". Knew about straw man arguments; the burn part is new to me. Yesterday discovered "arguing the toss". I could find no definition, but the couple dozen examples google found made a definition unnecessary.
This is comparing apples and oranges and is a complete waste of time. It's also incredibly stupid to compare just one flavor of the hundreds of available flavors of Linux, each with its own set of flaws. It's also stupid to compare 3rd party applications. So what if MySQL turns off network access by default.. it's the idiotic company (like Microsoft with SQL) that turns it on, not Windows's fault. If I developed my own program on Linux that opened up a security risk should all Linux distros be blamed for that? No! Same goes for dumb-programmer-001 on any OS, Mac, Windows, Linux, Unix, whatever...
/rant off
This whole OS war just pisses me off. If you need ActiveX and the industry standard Windows platform, by all means, use Windows and be smart about it. If you don't need Windows-only stuff and enjoy a challenge, jump to Linux (please do, more people on Linux means the sooner Linux will have "real" software.. by that I mean software that actually is usable by corporations with more than 5 employees and no business-to-business relationships).
I wasn't replying to the article. I replied to the person who said "all of the Windows exploits can reliably execute arbitrary system code" which is false.
RPCs are potential security risks...
RPC is not the problem, the problem is that too many network services are enabled by default.
But if each service implemented its own authentication mechanism instead of relying on RPC, things would have been even worse.
Well, then just disable that pesky RPC service on your workstation and then write back and let us know how that works.
Far too many services in Windows depend on that RPC service. So many so that you can't even use the system effectively without it.
How come Slashdot never gets Slashdotted?
I guess you didn't RTFA. Your reasoning is well disputed in comparing the monolithic, RPC and "old" single-user design of Windblows with the "old" modular, multi-user design of *nix.
n/t
Well, then just disable that pesky RPC service on your workstation and then write back and let us know how that works.
How is that related to what I've said? Let me repeat it again: RPC simply provides functionality that other services need. If there was no RPC then those other services would have to implement this functionality themselves, instead of relying on a single well tested implementation.
The problem therefore is not with RPC, it's with those other services like DCOM, WMI etc. that are enabled by default and rely on RPC. If you are sure that you don't need any of these services, you can block RPC traffic using the built-in firewall or IPsec.
But if you want to be able to use some of these services (let's say WMI) then stop bitching about having to open RPC ports because if WMI implemented its own authentication layer it would have been less secure, not more.
Which is precisely why I never download updates to Windows Media Player (and no one else should, either). I use vlc and Media Player Classic.
Schwab
Editor, A1-AAA AmeriCaptions
Slashdot has been, and does get, Slashdotted quite frequently. At least 3 times a week for a period of 5-8 hours I get error 500 or nothing at all. Just because you don't see it, doesn't mean it doesn't happen.
-]Phreak Out[-
This is another example of an article where the writer is on the right track, but still doesn't know what the hell he's talking about. I guess he's just another journalist who got his notes all mixed up. The person he pumped all this information out of should have been the author.
Perhaps there should just be a "Lin vs. Win" section, so I can look at the icons and save myself the 1/2 a second of reading and go directly to rolling my eyes like a teenager. Hey, it could use the ol' 'Rocky IV' logo (with a penguin and squares on the gloves). I guess I'm saying, if even the submitter finds this topic so ridiculously trite they must mock it in the headline itself, why did he/she post it, and why did it get approved? Is there really no other news for Nerds? Is there nothing else that Matters?
Seriously, I'd rather hear about vi vs. emacs; at least that debate is nebulous (to me and many), and some new insight might be gleaned from opinions. Bye, bye, karma?
Looks good for your age..
Just because you don't see it, doesn't mean it doesn't happen.
That's the exact same reasoning that I use to try to convince people that it's the Invisible Pink Unicorn that steals their socks!
Linux has the huge advantage that it was built on the lessons of unix, while NT went on a wild tangent from VMS, probably avoiding the good ideas so that no-one could ever accuse it of being anything other than its own thing. Linux also was devised in the days of the boot sector virus, so basic security ideas were obvious to almost anyone using a PC at the time.
.... I meant for security. 14.4 is fast enough for security purposes for most patches. I was replying to the conundrum of having an insecure machine that needs an update, but it needs to go onto the internet to *get* the update. It's a catch 22 then. Snail mail and getting it mailed to you is too slow, going online in insecure mode is too lame, so I was thinking what is an alternative, and I thought of fax. You would need some way to read the fax and get it parsed into your binary or whatever so it could be transferred.
Granted, a fax could be middlemaned or hijacked, but it's *much* less likely to be compromised than a PPP connection.
Just another potential method. I am aware that you can use another (maybe secure) machine, then sneakernet, but what happens if ALL your machines need the same patch then? Then it becomes a problem. I am just wondering if it is even possible to do this, fax to a -> workable transferrable patch, and throwing it out for brainiac review. I know they have worked on reading JPEGs some, I guess that would come the closest.
lmfao
Mod Parent UP!!
Looking at securityfocus.com and secunia.com it seems that IIS 6.0 has had at least 3 vulnerabilities discovered, one of which is still unpatched.
Apache 2.0.x, on the other hand, has at least 20 vulnerabilities listed so your point about IIS vs Apache is valid, but I just don't want you to fool yourself into thinking IIS 6.0 is somehow the savior of the web.
It's also interesting to note that Windows Server 2003 Enterprise Edition has 31 advisories while Red Hat Enterprise Linux AS 3 has 89 advisories.
Now what is really interesting is to see the number of vulnerabilities that are unpatched when comparing Microsoft's solutions to the FOSS solutions. It seems that even though Microsoft has fewer advisories they also have more of them that seem to be unpatched. So that seems to be good news for FOSS and perhaps is proof in what has been said all along on the FOSS side, the bugs get fixed faster than on the closed source side.
It's interesting to look at the numbers anyhow, but I still see no reason to dump my linux installs for any expensive Microsoft offerings anytime soon.
burnin
http://shit.slashdot.org/article.pl?sid=04/10/22/1647239
Actually you are right. NT's kernel is very competitive with unix, and can provide what is available in the unix kernels.
The problem is everything else added on top of the kernel, and the fact that graphics drivers have been integrated with the kernel instead of separated out. Though XP has made progress by moving sound drivers out of the kernel -- in contrast to Linux which has sound drivers in the kernel, and graphics drivers in userland (with two notable exceptions -- Nvidia and Ati's 3d drivers).
Even with the RPCs, if they were each separated into separate user accounts with access rights to only allow what is needed for each service, security would be vastly improved.
And while NT may have a more feature rich access rights model, it hasn't been exercised very well.
Also you would be more convincing if "Don't run as Administrator" was as popular a phrase in the windows world as "Don't run as root" is in the Unix world.
There: Something at a specific location.
Their: Owned by someone.
Please make sure your English compiles.
Neither Gator nor WhenU nor DoubleClick are "from foreign countries". You have a case with CoolWebSearch and Xupiter - but they aren't the most common malware applications that infect people.
It's just like with spam - mortgage spam for american mortgage companies and drug spam for american mail-order drugs aren't foreign-source no matter where the email pretends to originate.
Just believe in the faith of the LORD and don't mind bout security.
The only solution is: Build a quantum reactor bomb and make some Cookies out of it!
I've only skimmed through the full report a little bit, and there's already a problem with some of its logic and data. It mentions that Microsoft's web site restarts on an average of only 59 days; yet, this does not necessarily represent the true uptime of their servers, as they are actually proxied and protected by linux servers on the front end [http://news.zdnet.co.uk/software/linuxunix/0,39020390,39115920,00.htm]
It's really great to get away from all the negative, smelly engineers and to not have to care about the latest defective software issues.
How does a post like this get a +5?
Does MS pay for people to create points so that they can moderate up their point of view?
After reading the article, I agreed with everything until I saw the ratings given to the various vulnerabilities. First of all, browser holes should not be counted (or at least counted equally) on the various platforms. Just because Microsoft emphasizes their interface doesn't mean they tell you to fire up your browser and download the patches from the server.
Second, I agree with Microsoft(gasp!) when they lower the severity of the vulnerability on win2003 because it has more secure defaults. He argues that IE and Outlook are useless with the defaults on win2003. He's right, they are useless because you don't(tm) use IE or Outlook on a server! If you are using the server as a desktop at the same time and you aren't very careful (only use the Admin account when required and etc) then you are screwed anyway and all assumptions about security go out the window.
Third, several DoS (RHSA-2004:413-07, RHSA-2004:255-10), samba (RHSA-2004:064-11) and especially the complete control (RHSA-2004:259-23) had their severity lowered (in some cases to "low"!) because they required a valid login account. There are valid business scenarios that require creation of accounts for non-employees. The first two that come to mind are vendor relationships with b2b software and remote shell/web/ftp accounts. Also many protocols are used that transmit passwords in the clear over the internet and this is a stupidly easy (and unfortunately common) way to give a password out like that.
Yes those two scenarios can be argued about, but with the trend to have single signon systems that refer to one password, any single system that sends the password hash in the clear is the weak link. And you know the ones in control who don't know crap about computers will push you to get something working "now!" and you will have to open a weak link -- security in the face of something taking longer to get working is not an option in the minds of the typical business person -- for the most part (I'm sure there are exceptions -- I'd love to hear about them). Not to mention that most successful break-ins are said to be from people on the inside.
Don't forget "real" application servers that provide the power for thin clients. Be that Linux and VNC/NX or Windows and Citrix/TS it is another scenario where all of the assumptions about servers are stood up on their head -- finally a valid reason to run IE and Outlook on the server! Or not -- Go Firefox, Thunderbird, Open Office, Evolution, Kontact (and soon Sunbird!), Gimp, Sodipodi, Inkscape and Scribus!
There: Something at a specific location.
Their: Owned by someone.
Please make sure your English compiles.
But look very closely. IIS 6 integrates part of itself in *kernel* mode (and I mean kernel mode).
So God help us if it has such privileged system access that ACLs et al. go out the window.
Yucky system. Not subject to peer review. Inherently flaky. A+ for effort, E- for implementation. Nuff said. The initial NT vision seemed good, but over time it seems to have grown a heck of a lot of cruft...
UNIX in all its variants is *well understood*, just like the latin alphabet, printing presses and other ancient obsolete technologies.
We move on people, and don't re-invent the letter "A" so Joe BimboHead (IQ: less than 3) can write it. Better to teach Joe, or just look after him somewhere...
Violating abstraction boundaries just for the hell of it implies no central point of architecture or vision which persists at MS. This is BAD. Hint: if you really are an architect, you have to stand by your (one chance) vision for 20-30 years. (See also posts re "Alvin" here on slashdot).
1. You can't connect an unpatched MS-Windows machine to the 'Net. Even Redmond admits that in their blame-the-admin campaign. See also articles like, "Unpatched {Windows} PC "Survival Time" Just 16 Minutes".
2. Even if you download the patch and install it before exposing the MS-Windows machine to the 'Net, the patch may not work. MS Patches are infamous for being incomplete, breaking 3rd party applications, failing to patch what they claim to patch, or even resurrecting old security problems. e.g. Attack pierces fully patched Windows XP
3. Even if the patch does work, there are many widely known problems left unaddressed by the patch, such as this problem that MS still hasn't acknowledged.
4. Even if the points above are magically resolved, you still have reality bite you: You can't patch fast enough.
A lot of folks are heavily in denial about just how bad shape MS really is in. It's been a great ride, but it's time to get off. If you weren't early in and at the top of the pyramid scheme, then don't even think about it. Either way it's time to look away from Redmond and back to software that works and is actually designed to work.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Just one point: Like the author of a book on Windows programming wrote, the only reason threads are so damn popular on Windows is that it's so slow doing anything like a fork().
Threads are shit from a programming point of view. It makes it so damn easy to have one part of the program overwrite a different part's data, that it is almost impossible to avoid (to avoid it, you would have to go through every possible ordering of instructions, which increases exponentially, and gets to insane numbers after a few lines of code). Separate processes are a much better solution, as they make sure that only the memory explicitly marked for communication between processes (shared memory) can be written to by others. There is a reason that threaded programs like Outlook (no, I didn't say Express) are full of race conditions.
Come again once Windows is able to fork() fast enough that people don't need to use threads as a workaround, and only use them when they really want different parts of the program to trample all over each other's data.
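The isolation argument in the post above, shown as an added example (my own code, not from the post or the report): a forked child writes to an ordinary global and to a region the parent explicitly created with mmap(MAP_SHARED | MAP_ANONYMOUS). Only the second write reaches the parent, because fork() gives the child a private copy-on-write address space and shared memory is opt-in, whereas threads in one process can scribble on any of it. The function name run_fork_demo and the constant 42 are assumptions of this example, and it assumes a Linux or BSD system with POSIX fork/mmap.

```c
#define _GNU_SOURCE          /* for MAP_ANONYMOUS on glibc */
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Ordinary process-private data: after fork() the child gets its own
   copy-on-write copy, so the child's writes never reach the parent. */
static int private_counter = 0;

struct demo_result {
    int parent_private; /* private_counter as the parent sees it after the child exits */
    int shared_value;   /* contents of the explicitly shared page after the child exits */
    int child_status;   /* child's exit code, -1 on fork/wait failure */
};

/* Fork a child that writes both a private global and a shared mapping,
   then report what the parent can observe of each write. */
struct demo_result run_fork_demo(void)
{
    struct demo_result r = { -1, -1, -1 };

    /* The only memory both processes will be able to write: explicitly shared. */
    int *shared = mmap(NULL, sizeof *shared, PROT_READ | PROT_WRITE,
                       MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (shared == MAP_FAILED)
        return r;
    *shared = 0;
    private_counter = 0;

    pid_t pid = fork();
    if (pid < 0) {
        munmap(shared, sizeof *shared);
        return r;
    }
    if (pid == 0) {
        /* Child: both stores succeed locally, but only the shared one is
           visible to the parent; the private page is copied on write. */
        private_counter = 42;
        *shared = 42;
        _exit((private_counter == 42 && *shared == 42) ? 0 : 1);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        munmap(shared, sizeof *shared);
        return r;
    }
    r.parent_private = private_counter;  /* still 0: child's copy was private */
    r.shared_value = *shared;            /* 42: written through the shared mapping */
    r.child_status = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    munmap(shared, sizeof *shared);
    return r;
}

int main(void)
{
    struct demo_result r = run_fork_demo();
    printf("parent's private_counter after child ran: %d\n", r.parent_private);
    printf("value in shared mapping after child ran:  %d\n", r.shared_value);
    printf("child exit status: %d\n", r.child_status);
    return (r.parent_private == 0 && r.shared_value == 42) ? 0 : 1;
}
```

The design point the example makes: with processes, the attack surface between components is exactly the memory you chose to share, and everything else is protected by the MMU; with threads, every byte of the address space is writable by every thread, so a memory-safety bug or a race in one component can corrupt any other.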
Every single thing that argues *against* OSS or *for* Windows includes the comment "that statistic is meaningless". Typical bias. Not fair and balanced.