Slashdot Mirror


Windows vs. Linux Security, Once More

TAGmclaren writes "The Register is running a very interesting article about Microsoft and Linux security. From the article: 'until now there has been no systematic and detailed effort to address Microsoft's major security bullet points in report form. In a new analysis published here, however, Nicholas Petreley sets out to correct this deficit, considering the claims one at a time in detail, and providing assessments backed by hard data. Petreley concludes that Microsoft's efforts to dispel Linux "myths" are based largely on faulty reasoning and overly narrow statistical analysis.' The full report is available here in HTML form, and here in PDF. Although the article does make mention of OS X, it would have been nice if the 'other' OS had been included in the detailed analysis for comparison."

18 of 489 comments

  1. Misleading article by Anonymous Coward · · Score: 5, Insightful

    Nicholas Petreley is a Linux advocate... there is a basic problem with a partisan person presenting a "fair and balanced" argument. Kinda like doing research with fixed goals.

  2. I'd rather see by bucketoftruth · · Score: 5, Insightful

    I'd rather see OSX security compared to Windows. I only have one user adventurous enough to use Linux on their desktop. The rest are about 70/30 Win/Mac.

    1. Re:I'd rather see by caluml · · Score: 4, Insightful

      Come on, stop spreading the FUD. Of course it is possible to keep a Windows machine naked on the net without it getting cracked.

      It's the amount of work needed to keep it updated that means I'd never want to do it.

  3. Yet another Pro-Linux, Anti-Windows 'report' by MMaestro · · Score: 4, Insightful
    Nicholas Petreley's former lives include editorial director of LinuxWorld, executive editorial of InfoWorld Test Center, and columns on InfoWorld and ComputerWorld. He is the author of the Official Fedora Companion and is co-writing Linux Desktop Hacks for O'Reilly. He is also a part-time Evans Data Analyst and a freelance writer.

    Sorry, but as long as something like 90% of all the 'reports' about Linux being more secure and 'mythbusting' reports are written by Linux supporters or have some business in seeing Linux succeed, I'm going to take this with a grain of salt. I'm not trying to say Windows is safe, but you can't expect me to believe this when a 'report' like this comes out every other week. If this guy was an ex-Windows programmer I'd be more understanding, but "former lives include editorial director of LinuxWorld"? Somehow I doubt they ran Windows on their machines.

  4. meh... by The_reformant · · Score: 5, Insightful

    meh..any system is only as secure as its users anyway..which i suspect is why linux has practically no problems.

    Basically anyone who knows what a terminal window is isn't likely to run suspect attachments or not configure a firewall

    --
    I have discovered a truly remarkable sig which this post is too small to contain.
  5. Window vs OS X by linuxpyro · · Score: 5, Insightful

    Though this was interesting, it would be nice to see something comparing OS X security to Windows security. When you think about it, they're both relatively proprietary OSes. Sure, Microsoft has their "Shared Source" stuff, and OS X is based on Open Darwin, but really the two would be a better match because of their commercial status.

    Sure, there are enterprise Linux distros from companies like Red Hat, but you can still get a lot of use out of a non-commercial distro. There are so many ways that you can change Linux to make it more secure that comparing it to a rigid commercial OS is a bit inappropriate. I'm not saying that I think the article was pointless, just that we should give equal attention to systems like OS X or even some of the other commercial UNIX distros for that matter.

    --
    Saying "I'll probably get modded down for this" in a post is the best way to get it modded up.
  6. No by Anonymous Coward · · Score: 5, Insightful

    The article is not misleading because the author is a linux advocate.

    Now you are right if you want to remind readers to keep that in mind, but dismissing an article not on the base of its merits, but because the author is supposedly biased (mind, you didn't show or prove in any way that he was actually biased, you just wanted us to take it for granted) is a logical fallacy.

    If you don't like the findings of the article, please tell us why, simply accusing the author of bias won't change the facts, sorry.

    Argumentum ad Hominem
    "Circumstantial: A Circumstantial Ad Hominem is one in which some irrelevant personal circumstance surrounding the opponent is offered as evidence against the opponent's position. This fallacy is often introduced by phrases such as: "Of course, that's what you'd expect him to say." The fallacy claims that the only reason why he argues as he does is because of personal circumstances, such as standing to gain from the argument's acceptance."
    http://www.fallacyfiles.org/adhomine.html

    1. Re:No by slipstick · · Score: 4, Insightful

      His point is irrespective of the version of Apache.

      His point is that Apache is the "most popular" (which it is), and is less likely to be attacked. This argument was in response to the idea that Windows is not more vulnerable simply the most prevalent. His counter example of Apache was used to point out that popularity does not directly lead to more attacks.

      Thus it does not follow that as Linux grows in popularity that the number of successful attacks will increase disproportionally.

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
  7. Microsoft - Standard Oil by jxs2151 · · Score: 4, Insightful
    Read a book or two about coal, railroads, oil, computers and you'll find the verbiage and scare tactics used by the leaders of these industries are pretty similar to what Microsoft is saying now.

    "Open Source Software is inherently dangerous"

    Weasel words like "inherent" are convincing to dumbed-down folks. ./ ain't buying it though. God bless individualism.

    "Statistics 'prove'..."

    Ahhhh, the old "who can argue with scientific fact" line.

    Provide us with "science" to back up this claim. Properly vetted, peer-reviewed science from an unbiased source, unfunded by those with a vested interest in the outcome please.

    The psychological use of fear and "scientific" studies to convince the average American is not new. Read carefully the language of Microsoft and you'll hear JD Rockefeller, Andrew Carnegie, JP Morgan, etc. What you have to read carefully to find is their own fear that they are losing monopoly control. Big Oil was able to buy corrupt officials and maintain their decidedly un-capitalist ways. Will Microsoft?

  8. Re:enterprise 03 by hehman · · Score: 4, Insightful

    "After I started maintaining an externally-accessible 2003 server, I configured autopatching on it from Windows Update, and it reboots itself about once a month.

    According to my calculations, this still meets the 99.9999% reliability that MS claims the server to be able to provide"

    Better revisit those calculations. Six 9s of reliability means that you're down for no more than 30 seconds a year. Unless your reboots take less than 3 seconds, you're already not meeting that metric.

    Besides which, five 9s (5 minutes a year) is considered carrier-grade. There isn't as firm a standard for enterprise-grade, but it usually permits occasional scheduled downtime outside business hours, and is usually in the two to four 9s range.

    BTW, I couldn't find anywhere that MS claims six nines of reliability; do you have a source?
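The availability arithmetic in hehman's reply, as an added example (not code from the thread or from Petreley's report): it turns a "nines" target into a yearly downtime budget, checks a monthly patch-reboot schedule against that budget, and converts an availability figure back into downtime. All function names are mine; the 365.25-day year is an assumption.

```python
import math

# Julian year, 365.25 days, assumed here as the basis for the downtime budget.
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60  # 31,557,600 s


def downtime_budget_seconds(nines: int) -> float:
    """Most downtime allowed per year at 'N nines' (5 -> 99.999%, 6 -> 99.9999%)."""
    return SECONDS_PER_YEAR * 10.0 ** (-nines)


def yearly_downtime_seconds(availability: float) -> float:
    """Downtime per year implied by an availability figure such as 0.999952."""
    return (1.0 - availability) * SECONDS_PER_YEAR


def availability_from_downtime(downtime_seconds: float) -> float:
    """Availability achieved with a given total yearly downtime."""
    return 1.0 - downtime_seconds / SECONDS_PER_YEAR


def nines_achieved(availability: float) -> int:
    """Whole number of nines an availability figure clears (0.999952 -> 4)."""
    unavailability = 1.0 - availability
    if unavailability <= 0.0:
        return 9  # treated as "perfect" for this toy calculation
    return int(math.floor(-math.log10(unavailability)))


def max_reboot_seconds(reboots_per_year: int, nines: int) -> float:
    """Longest a single scheduled reboot may take before the budget is used up."""
    return downtime_budget_seconds(nines) / reboots_per_year


def reboot_schedule_meets(reboots_per_year: int, seconds_per_reboot: float, nines: int) -> bool:
    """True if the scheduled reboots alone (no other outages) fit inside the budget."""
    return reboots_per_year * seconds_per_reboot <= downtime_budget_seconds(nines)


if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        print(f"{n} nines: {downtime_budget_seconds(n):.1f} s/year")
    # The thread's case: one patch reboot a month measured against a six-nines claim.
    print("monthly 3 s reboots meet six nines:", reboot_schedule_meets(12, 3, 6))
    print("longest reboot allowed at six nines:", round(max_reboot_seconds(12, 6), 2), "s")
    print("nines at 99.9952%:", nines_achieved(0.999952))
```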

  9. Argumentum ad Hominem by Anonymous Coward · · Score: 5, Insightful

    "Circumstantial: A Circumstantial Ad Hominem is one in which some irrelevant personal circumstance surrounding the opponent is offered as evidence against the opponent's position. This fallacy is often introduced by phrases such as: "Of course, that's what you'd expect him to say." The fallacy claims that the only reason why he argues as he does is because of personal circumstances, such as standing to gain from the argument's acceptance."
    http://www.fallacyfiles.org/adhomine.html

  10. Re:So... by Anonymous Coward · · Score: 5, Insightful

    "Our Linux boxes get owned just the same as our Windows boxes do."

    Then your Linux admins don't know what they're doing.

  11. A few clarifications... by man_ls · · Score: 4, Insightful

    I read through the article, and was honestly shocked at some of the claims the author made when describing Windows in relation to Linux.

    Note that the purpose of this post is not to say "omg windows >>>> linux all you penguin lovers rot in hell" like a lot of this story will be. I am merely trying to clarify some of the author's points.

    "Myth: Safety in Small Numbers"

    "Furthermore, we should see more successful attacks against Apache than against IIS, since the implication of the myth is that the problem is one of numbers, not vulnerabilities.

    Yet this is precisely the opposite of what we find, historically."

    Running through 3GB of archived log files, from Apache running on 2003 Enterprise Server, I have concluded the following:

    54% of attacks against IIS (Unicode traversal, buffer overflow, cgi, alternate data streams, etc.)

    46% of attacks against Apache (htpasswd.exe, httpd.conf, .htaccess, some odd batchfile script attacks with args to copy httpd.conf into htdocs, etc.)

    "Precisely the opposite" is hardly the right phrase to use in this situation. Sampling error among different web sites (due to different audiences, traffic rates, etc.) could easily account for the fact that IIS out-edged Apache here.

    As for the *successful* part of the author's claim, there was a 0% success rate across all queries directed at servers I either have access to logs on, or directly control. I have also experienced Apache servers being compromised (more often due to user-induced security holes than design flaws), but in the end, the user leaving a filedrop which allows php scripts to execute, and such, is as dangerous as a buffer overflow. They are each different but functionally equivalent ways to circumvent the security of the system it is running on.

    "But it does not explain why Windows is nowhere to be found in the top 50 list. Windows does not reset its uptime counter. Obviously, no Windows-based web site has been able to run long enough without rebooting to rank among the top 50 for uptime."

    Part of the Windows operating system's underlying design involves its file locking semantics. Files in-use by the operating system, providing needed functionality, can't be easily replaced while the system is running. Windows' solution? The in-use-file replacement tool is able to change the bits on disk, but not the memory addresses they map to. So, the copy in memory doesn't match the copy on disk -- and the copy in memory is the old (flawed) copy. This is rectified by...you guessed it...refreshing the copy in memory. And what's the easiest way to do this? Reboot the server and reload it from the disk, if the module you're talking about happens to be, say, the Local Security Authority or the Windows Kernel.

    I mentioned (with some flawed math) (http://slashdot.org/comments.pl?sid=126724&cid=10600161) in more detail the reasons Windows servers are often down there on the patches. I did miscalculate availability. My servers average in the 99.9952% range. Which means they're down for a few hours a year. Sure, not carrier grade, but not too shabby either. Well within the reasonable expectations of most businesses. (Source: http://slashdot.org/comments.pl?sid=126724&cid=10600658 by hehman) Note that the situations where Windows is likely to be used probably aren't nuclear power plants, airplane control software, etc. Thus, the additional powers of 9 aren't really a factor.

    "Myth: Open Source is Inherently Dangerous"

    I agree with the author here. Having the source code doesn't really have an impact as to whether or not a hacker can find an exploit -- there are enough tools to automate exploit finding in streamed data, especially web connections.

    "Myth: Conclusions Based on Single Metrics"

    Another valid point. One can spin statistics any way you want to, and have the math be perfectly valid, to reach a meaningless conclusion. Anyone who's taken statis

    1. Re:A few clarifications... by mihalis · · Score: 4, Insightful
      "Furthermore, we should see more successful attacks against Apache than against IIS, since the implication of the myth is that the problem is one of numbers, not vulnerabilities.

      Yet this is precisely the opposite of what we find, historically."

      Running through 3GB of archived log files, from Apache running on 2003 Enterprise Server, I have concluded the following:

      54% of attacks against IIS (Unicode traversal, buffer overflow, cgi, alternate data streams, etc.)

      46% of attacks against Apache (htpasswd.exe, httpd.conf, .htaccess, some odd batchfile script attacks with args to copy httpd.conf into htdocs, etc.)

      "Precisely the opposite" is hardly the right phrase to use in this situation. Sampling error among different web sites (due to different audiences, traffic rates, etc.) could easily account for the fact that IIS out-edged Apache here.

      As for the *successful* part of the author's claim, there was a 0% success rate across all queries directed at servers I either have access to logs on, or directly control.

      Sorry, your statistical sample is not comparable. You quote Petreley discussing successful attacks, then you provide some figures about attacks on your machines, and then point out that none of them were successful. So, you aren't actually telling us anything about successful attacks, since you haven't seen any.
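The log tally man_ls describes, and mihalis's objection that a logged attempt is not a successful attack, as an added example (not code from the thread or from Petreley's report): it parses common-log lines, buckets requests by the probe categories the post names, reports the share per targeted platform, and separately lists the attempts the server did not refuse, which is the only subset worth investigating as possible successes. The sample log lines, the signature list and the function names are constructed here; the buckets follow man_ls's own grouping.

```python
import re
from collections import Counter
# Constructed sample in Apache common log format; not lines from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2004:13:55:36 -0700] "GET /scripts/..%c0%af../winnt/ HTTP/1.0" 404 291
10.0.0.5 - - [10/Oct/2004:13:55:37 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 291
10.0.0.9 - - [10/Oct/2004:14:01:02 -0700] "GET /index.asp::$DATA HTTP/1.0" 404 291
10.0.0.9 - - [10/Oct/2004:14:01:03 -0700] "GET /cgi-bin/test-cgi HTTP/1.0" 404 291
10.0.0.7 - - [10/Oct/2004:14:10:11 -0700] "GET /conf/httpd.conf HTTP/1.1" 404 291
10.0.0.7 - - [10/Oct/2004:14:10:12 -0700] "GET /.htaccess HTTP/1.1" 403 217
10.0.0.7 - - [10/Oct/2004:14:10:13 -0700] "GET /bin/htpasswd.exe HTTP/1.1" 200 1024
10.0.0.2 - - [10/Oct/2004:14:20:00 -0700] "GET /index.html HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
# (targeted platform, category from the post, URI signature); buckets follow man_ls's grouping.
SIGNATURES = [
    ("IIS", "unicode traversal", r"%c0%af|%c1%9c|\.\.%255c"),
    ("IIS", "buffer overflow", r"\.id[aq]\?"),          # ISAPI .ida/.idq requests
    ("IIS", "alternate data stream", r"::\$DATA"),
    ("IIS", "cgi", r"/cgi-bin/"),
    ("Apache", "httpd.conf", r"httpd\.conf"),
    ("Apache", ".htaccess", r"/\.htaccess"),
    ("Apache", "htpasswd", r"htpasswd"),
]
SIGNATURES = [(p, c, re.compile(rx, re.I)) for p, c, rx in SIGNATURES]

def parse_line(line: str):
    """ip, uri and integer status from one common-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return {"ip": m["ip"], "uri": m["uri"], "status": int(m["status"])} if m else None

def classify(uri: str):
    """First matching (platform, category) for a request URI; None for ordinary traffic."""
    for platform, category, pattern in SIGNATURES:
        if pattern.search(uri):
            return platform, category
    return None

def summarize(log_text: str) -> dict:
    """Share of attempts per targeted platform, plus the attempts the server did not refuse."""
    per_platform, not_refused = Counter(), []
    for line in log_text.splitlines():
        entry = parse_line(line)
        hit = classify(entry["uri"]) if entry else None
        if hit is None:
            continue
        per_platform[hit[0]] += 1
        if entry["status"] < 400:  # answered 2xx/3xx: worth a look, still not proof of compromise
            not_refused.append((entry["ip"], entry["uri"], entry["status"]))
    total = sum(per_platform.values())
    share = {p: round(100.0 * n / total, 1) for p, n in per_platform.items()} if total else {}
    return {"attempts": total, "per_platform": dict(per_platform),
            "share_percent": share, "not_refused": not_refused}
```

Counting attempts by platform gives the kind of split the post reports; only the `not_refused` list says anything about possible success, and even that needs checking against what the server actually holds at that path.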

  12. Don't expect your tools to do you job... by Spoing · · Score: 5, Insightful
    Windows or Linux won't make you secure. As a friend pointed out, he's got the most secure computer around; it's in a box, unplugged. I told him I'd be glad to make it super secure for the cost of some consulting time and a full cement mixer. (I'd, of course, keep the system in the box and unplugged.)

    What this report does is focus on the default potential for abuse by looking at recent publicly known issues.

    That's handy, though if you only go with that and expect that your systems are secure you'd be better off doing what my friend did.

    General rules:

    If it's visible over a network, it's potentially abusable. (http://www.nessus.org, http://www.insecure.org/nmap)

    If it's running locally, it's also abusable. If you don't absolutely positively require it, remove it -- even if it runs by some proxy process (inetd/xinetd or a similar daemon under Windows).

    Wrappers, permissions, isolation at the router level...all should be configured.

    Monitor log files and check systems. Automate what you can.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  13. Re:Make Sure That You Only Present... by agallagh42 · · Score: 5, Insightful

    "And how do you download the latest service packs?"

    Certainly not by downloading them directly to the server via IE, that's for sure.

    In small shops, you would download the patches with your workstation, and then copy them to the server over the network or using a CD-R, and install them manually.

    In larger shops, you would set up a Software Update Services (SUS) server or SMS server to deploy the patches to the servers exactly when you're ready to do so (after testing in your lab first, of course).

    You should never be using IE on a critical production server. End of story.

    --
    Carpe Cerevisi - Seize the Beer
  14. Re:Make Sure That You Only Present... by flossie · · Score: 4, Insightful
    "Internet Explorer has never been, isn't now and never will be integrated into the kernel. It does not run in kernel mode. The only thing that IE is integrated in is the shell environment"

    Fair enough - I'll modify my question then. If IE should never be used on production servers, why is IE so heavily integrated into the shell environment in which the server runs?

    BTW, to say that the integration of IE in Windows is somehow equivalent to the integration of Konqueror in KDE is rather ridiculous. It is trivial to entirely replace one browser with another on a GNU/Linux system. Eradicating all traces of IE on MS Windows machines is nowhere near as simple.

  15. Re:Make Sure That You Only Present... by flossie · · Score: 4, Insightful
    "You can remove all traces of Konqueror, not just the launcher but all the HTML rendering and stuff, without breaking KDE? Can you have KDE without any web browser components?"

    I don't use KDE so I can't answer that for certain, but I would be very surprised if you couldn't. It is certainly possible to remove all traces of a web browser from the alternative desktop environment: GNOME.

    Then again, why would you even want to run KDE or GNOME on a server? You can have a fully functional, graphical GNU/Linux machine without running those extra desktop applications.

    Of course, for a server, there is probably no need to run any graphical stuff at all. It is perfectly possible (and common) to have a GNU/Linux server without installing X11 - all configuration can be performed via the command line, or remotely if you prefer a graphical configuration interface.