MS Security Chief Says Windows is Safer Than Linux
Kip Winger writes "Mike Nash, Microsoft's Chief Security Executive, has made claims that Windows is more secure than Linux. In a recent online chat, he staunchly defended Microsoft's record on security, basing part of his argument on how Windows Server 2003's 15 patches in the past year are far fewer than what RedHat or SuSE have had to endure." He also mentioned the recent purchase of Sybari and their Antivirus product.
Windows 2003: Currently, 5 out of 44 Secunia advisories are marked as "Unpatched" in the Secunia database. Red Hat: Currently, 0 out of 133 Secunia advisories are marked as "Unpatched" in the Secunia database. I think I would rather take a system that is all patched than one that is Unpatchable.
Hopefully the Linux community can move forward with SELinux, or some other system that has mandatory access controls. Once that is properly in place Linux will have a significant tangible security advantage over Windows.
Yes, Fedora currently has SELinux in the default install. Unfortunately they have had to use a fairly permissive policy because too many applications and libraries don't properly respect the sort of security bounds that ought to be in place. Right now SELinux on Fedora is like user account permissions on Windows. While it is technically there, the majority of applications simply aren't written with it in mind (e.g. all those Windows apps that need to run as Administrator), so in practice it doesn't do much.
SELinux is done though, and Fedora has integrated it in nicely (including into the rpm system). What is needed now is for all those open source developers out there to realise that there is a new level of security, other than just file permissions, that they need to consider and respect. If they can just restrict where they write files to, and what files they want to access, to the minimum required, that would be great. If they can compartmentalize operations so that each can run as a separate process with least privilege, all the better. This is work that needs to be done though.
Once such things are seriously in place all this harping by Microsoft about "Windows being more secure" will be so obviously the hot air that it is that we won't even have to worry about it anymore.
Jedidiah.
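The point about restricting where an application writes is something the application can enforce on its own, before any SELinux policy gets involved. The following is an added example, not code from the thread or from Fedora: it confines every write to one allowed directory by canonicalizing the requested path (so `..` components, absolute paths and symlinks cannot escape the tree) and opening the file with O_NOFOLLOW so a symlink swapped in after the check is refused. The directory names and file names are constructed for the demo.

```python
"""Application-side write confinement (added example, not from the thread).

Assumes a single allowed directory; everything outside it is refused.
"""
import os
import tempfile
from typing import Dict, Optional


def resolve_within(base_dir: str, target: str) -> Optional[str]:
    """Return the canonical path of `target` if it lies inside `base_dir`,
    otherwise None.  Both sides are passed through realpath so that `..`
    components and symlinks are resolved before the comparison."""
    base = os.path.realpath(base_dir)
    # Relative targets are taken relative to the allowed directory; an
    # absolute target makes os.path.join discard `base`, which the prefix
    # check below then rejects.
    full = os.path.realpath(os.path.join(base, target))
    if full == base or full.startswith(base + os.sep):
        return full
    return None


def confined_write(base_dir: str, target: str, data: bytes) -> bool:
    """Write `data` to `target` only when it resolves inside `base_dir`.
    Returns True on success, False when the write was refused."""
    full = resolve_within(base_dir, target)
    if full is None:
        return False
    # O_NOFOLLOW closes the window between the realpath check and the open:
    # if the final component has been replaced by a symlink, open() fails.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(full, flags, 0o600)
    except OSError:
        return False
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return True


def demo() -> Dict[str, bool]:
    """Exercise the check against constructed paths: one legitimate write and
    three escape attempts (parent directory, absolute path, symlink)."""
    with tempfile.TemporaryDirectory() as sandbox, tempfile.TemporaryDirectory() as outside:
        # Constructed symlink inside the sandbox pointing outside it.
        os.symlink(outside, os.path.join(sandbox, "link"))
        return {
            "inside": confined_write(sandbox, "app.log", b"ok"),
            "dotdot": confined_write(sandbox, "../escape.txt", b"no"),
            "absolute": confined_write(sandbox, "/etc/passwd", b"no"),
            "symlink": confined_write(sandbox, "link/escape.txt", b"no"),
        }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:>9}: {'written' if allowed else 'refused'}")
```

The realpath comparison alone is not enough on its own, which is why the open also uses O_NOFOLLOW; on a system with SELinux enforcing, the policy would additionally stop the write at the kernel even if the application check were bypassed.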
Here's another example of making stats say what you want.
Sure, WINDOWS only had 15 patches in the last year; however, IE6 had how many (at least another 18-24), Remote Desktop Connection on 2k3 Server had 2 security fixes, IIS had about 6 patches....
Need I continue?
Fact is, yes, Windows had 12 updates in a year, but its components had many more.
And also looking at the time from exploit discovery to fix, not looking good for them there either.
DarkMantle I've been bored, so I started a blog.
Put identity in the browser.
Switch to grub.
It's got the great advantage of being able to boot any kernel you have, as long as it can access the partition. Screwed up configuration, kernel with a bad filename, etc, all don't matter when you can load any kernel you want from grub's command line.
It's a bit strange in some things, like that it counts disks starting at 0 and not 1, but overall it's quite nice when you get used to it, and it's definitely a lot better than LILO when something unexpected happens.
Screwed up configuration, kernel with a bad filename, etc, all don't matter
:)
It can also boot Windows on an IDE drive that isn't primary master, something that Windows can't seem to manage by itself.
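The two GRUB properties mentioned above (disks counted from 0, and booting Windows from a disk that is not the primary master) fit in a short GRUB legacy menu.lst. This is an added example, not configuration from the thread; the kernel and initrd file names, the root device and the partition numbers are placeholders for whatever the machine actually has. The `map`, `rootnoverify`, `chainloader`, `password`, `root`, `kernel` and `initrd` directives are GRUB legacy's own.

```text
# Added example menu.lst for GRUB legacy (not from the thread).
# Disk and partition numbers start at 0: (hd0,0) is the first partition
# of the first BIOS disk.
default 0
timeout 10

# Optional: anyone at the console can press `c` and type root/kernel/boot
# to load any kernel they like, so on a shared box protect the menu.
# password --md5 <placeholder-md5crypt-hash>

title Linux (known-good kernel)
    root (hd0,0)
    kernel /vmlinuz-known-good root=/dev/hda2 ro
    initrd /initrd-known-good.img

# Windows on the second BIOS disk: swap the BIOS drive numbers so Windows
# believes it is booting from the first disk, then hand off to its boot sector.
title Windows
    map (hd0) (hd1)
    map (hd1) (hd0)
    rootnoverify (hd1,0)
    makeactive
    chainloader +1
```

When the configured kernel file name is wrong, the same three lines of the Linux entry (`root`, `kernel`, then `boot`) can be typed at the GRUB command line with a corrected path, which is the recovery path the comment above describes.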
Usually the make install of a new kernel reruns LILO anyway. I use LILO on some servers and GRUB on others.
Usually a bigger issue is that you installed some critical service but forgot to enable it either by dropping symlinks into /etc/rc.d/ or using chkconfig.
When one of my servers needs any new services installed or kernels patched, I actually schedule reboot testing. In fact essentially all of my reboots are due to this testing. It does cut into uptime but it means that when I need it, it will be up.
LedgerSMB: Open source Accounting/ERP