Study Finds Windows More Secure Than Linux
cfelde writes "A Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, 'Security Showdown: Windows vs. Linux.' One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint."
... another pissing match.
Before any liberals are tempted to mod up one of my comments, a word of warning: I'm actually making fun of you.
Study finds Slashdot as repetitive as Philip Glass
Well, apparently this is the second time Microsoft has come out on top of a research project by Mr. Richard Ford.
http://www.virusbtn.com/magazine/articles/letters/2004/01_01.xml
Apparently there was some question as to the validity of an earlier project because it was sponsored by Microsoft.
However, I would like to note that both researchers seem very well educated, especially in computer security. And, additionally, they both note that a lot more could be done to lock down the Linux server.
And how many people run Win2003 server at home? People should understand that the plural of anecdote is not data.
I don't get it. I guess I need to read the article.
A webserver needs port 80 and maybe 443 open. Any webserver can be secured.
Where's the news?
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Let the self-righteous defensiveness begin!
YAWN!
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Interesting. Some relevant snippets:
A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.
In an academic study due to be released next month Dr Richard Ford, from the Florida Institute of Technology, and Dr Herbert Thompson, from application security firm Security Innovation, analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.
Now, I'll concede that Dr. Ford and Dr. Thompson do sound reputable, but one is an admitted Windows enthusiast while the other is a Linux fan who changed his mind; this hardly sounds like a study.
It's an interesting question, and I'm sure there is no clear cut answer, but a more systematic study (with more parties, rather than just two scientists) is going to be needed to answer this sort of question before the 'results' are trumpeted. I'm sure Microsoft will pick this one up and run with it, however... more of those annoying ads that seem peppered throughout Slashdot.
"There's no success like failure, and failure's no success at all."
- Bob Dylan
"Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued."
So Windows is more secure than Red Hat because Microsoft chooses to report fewer vulnerabilities and release fewer patches? Hmmm...
(Move along, nothing new to see here.)
Until the report is released this is a non-story, just fuel for the FUD machine. Unfortunately we will have to wait for a month to actually discuss what this means, so I don't even know why I am bothering to post to this!
Never underestimate the dark side of the Source
Now let the flaming begin, so you can all argue about the number of patches/updates required for each system, how long it takes for Linux/Windows to respond to problems, and all that good stuff. We all know that's the only reason this kind of story shows up on Slashdot is to start a good flame/troll war!
"...Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance." By his own admission the Linux administrator is a "Wizard" compared to the average MS Systems Admin. Well, that just about says it all doesn't it?
"Sheep just follow the easiest path and run from scary noises and intimidating creatures." - Me
No matter how fast a patch is issued, you still have to install it for it to work.
Doesn't Microsoft encourage delaying announcing vulnerabilities until a patch is available?
Oh, Washington. The same state as the head of Microsoft and the home of the tyrant himself... with a report about Windows security being better than Linux... and with X thousand MS employees in Washington state... oh... it must be credible
leeeeeeese, move along now.....
"I want to start a flame war on Slashdot!" Solution: post an article saying Windows > Linux in any fashion :-P
Don't blame me -- I voted for Roslin.
How the hell can anyone claim to be a "Microsoft enthusiast"?! It's hardly a hobby.
Smokey, this is not 'Nam, this is bowling. There are rules.
This was hardly a study. I don't see any data presented here, and certainly no methodology used to gather the data. Sorry, but the scientific method always wins.
Sorry, but this "study" is not a study.
Why was this even posted?
You might want to point the FUD author in this direction: http://yro.slashdot.org/article.pl?sid=05/02/16/2333239&tid=123&tid=185
That they actually admit in the article that they set up the Linux server as the absolute default, changed no security settings, left it just as it comes right out of the box... As they specifically state, they left the minimum configuration in place and Linux users might do more. Basically implying the study is a pile of sh*t, since no company in their right mind would opt for a total Linux solution and then leave the webservers running without changing any settings...
~~ Please keep your arms, legs, and outright stupidity inside the ride at all times. Thank You ~~
Read it for yourself. It reads:
"Believe it or not, a Windows Web server is more secure than a *similarly set-up* Linux server, according to a study presented yesterday by two Florida researchers."
So when you load a linux server with software that has known security holes....they are both equally as secure.
It's not groundbreaking news.
. . . 2 Florida researchers were seen speeding away from their work places in new Ferraris wearing Armani suits. . .
Pretty Pictures!
OpenBSD runs chroot() Apache. Does IIS have similar capability?
The chroot() patch was never taken up, but it would probably not be that difficult to install on Linux.
I would be disinclined to run any other way at this point.
A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.
Umm, so MS showed him their source code? I find that a little hard to believe.
If he can't see the source, how can he make any determination at all?
I wish they'd post some info about the tests themselves. At least what kind of setups they used, where they got the info about vulnerabilities and patches, and so forth...
A "Linux fan" and "Microsoft enthusiast" trying to cut through the near-religious arguments?
I'll take a nice report by computer scientists and security experts about overall system design over crap papers like this any day.
I don't know what kind of crack I was on, but I suspect it was decaf.
in Windows is probably not so much Windows itself as the clueless end-users and lazy sysadmins that often run it. The majority of Windows' virus and worm attacks in the past 2 years were preventable with proactive monitoring and definition updates, but it just wasn't done.
We have a few Win32 servers here, but those are administered by outside vendors. That was the box that got hit by slammer 2 years ago.
I'm not justifying an OS with holes, but there is NO justification for sysadmins who let them go unplugged.
Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
"..The IIS webserver running on Windows performed flawlessly, while the exact same IIS webserver would not even run on Linux, obviously due to Linux's failures of security and interoperability..."
Security Innovation is a certified Microsoft partner for security services. We have both the Microsoft SWI and ACE certifications as an authorized professional services provider for Microsoft technologies.
I'll allow you to jump to your own conclusions.
The first article says that the configurations were basically out of the box, to replicate what your average non-wizard administrator would setup. *coughMCSEscough* Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance. This is not the comparison you are looking for. Move along.
No sig for you!!
Neither article defined "days of risk" to my satisfaction. Is it "days since the vulnerability was published" or "days since the vendor was informed of the vulnerability"? I suspect that Microsoft is more likely to hear things privately early. ASN.1 library anyone? It was discovered in July 2003, and announced and patched in February 2004. Was that six months of risk or one day?
Secondly, there's no discussion of how the criticality of a vulnerability was weighed. If every "day of risk" for Windows was "critical," and every "day of risk" for RedHat was "moderate," then I'd differ with their conclusions. Further, there was no mention of whether they considered actual exploits in the wild.
What I say does not represent the views of my employers, my friends, my cats, or myself.
Windows 2003 loads and installs security patches and service packs by itself. Does Linux do the same?
Does anyone have a link to these researchers' paper -- so the methodology can be actually examined (as opposed to the various slanders above)? A couple of brief "executive summaries" written by journos don't really cut it.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Don't worry, Tux!
You still have a chance with the subsequent recounts.
[/obligatory Florida defamation post]
And sand is drier than water.
Directly from the article:
"The pair examined the number of vulnerabilities reported in both systems and the actual and average time it took to issue patches. In all three cases Windows Server 2003 came out ahead, with an average of 30 "days of risk" between a vulnerability being identified and patched compared to 71 from Red Hat."
There is nothing said about the severity of the vulnerabilities. This article would never make it in a peer reviewed publication.
So it's not really *ALL* Linux, it's just that particular version of Redhat.
It seems best to wait and see the paper they publish as well as a track record of funding and test conditions before anyone goes and says something about validity.
Besides, as knowledgeable as the Linux community can be, I'd trust an IT professional over a "Linux fan" with a server in his basement.
Keep the faith, share the code
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
Seriously, how many times does this story or the flip flop of this story have to be posted on /.? I have seen this exact same thing at least 1 to 2 times a month here. Please stop posting this. All this will lead to is flame wars. Give me a break.
(For those who did not RTFA, it compares Redhat Enterprise Server to Windows Server 2003)
Redhat has always seemed to be a flashy, large distribution which favored new features and gadgets over stability and security.
I wonder how say, Debian (my personal favorite) might do in terms of security, or better yet, one of the security-centric distributions.
With all of these studies, they typically work on the assumption you are just throwing a server, regardless of OS, on the net. That means there is no load balancer in front, no filtering at the border routers, no firewalls and nothing is ever blocked.
If a company or individual is actually doing this how on Earth can they possibly attest to the security of their server?
--- I do not moderate.
In a previous job at a datacenter where we ran Red Hat Enterprise Linux, I frequently got the comment that there seemed to be a lot more Linux patches than Windows patches. All of the updates for optional software (I tried to do minimal installs and/or remove optional things, but the dependencies sometimes made this awkward) simply made the systems seem more needy than the Windows systems.
Many of the vulnerabilities were of low risk to us, but it was rare for the system owners to say that even with this low risk that it was acceptable to hold off on applying the patches.
From the clouds Zonk looks across the fertile lands of the Slashdotians.
Zonk: This peace and quiet makes me SICK! Boy, I wonder what could make discussion on Slashdot degenerate into an incoherent flamewar.................
cfelde writes "Satanism is less evil than a christianity, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of philosophers, discussed the findings in an event, 'Religion Showdown: Good vs. Evil.' One of them, a satanist, performs perverse human sacrifice rituals; the other volunteers at the local homeless shelter. They wanted to cut through the near-political arguments about which religion is less evil from a morality standpoint."
If Microsoft patches more vulnerabilities, then they're obviously insecure, because they have more security holes.
If Microsoft releases fewer patches, then obviously they're insecure, because they're hiding the holes.
Thy logic blows my mind.
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Knock Knock.
Who's there?
Philip Glass
My 8 year old daughter, a great aficionado of knock knock jokes, didn't appreciate it.
"As God is my witness, I thought turkeys could fly." A. Carlson
I wonder if Security Innovations provides security consulting and training services for Microsoft?
This should be disclosed in any report that is critical or praises a particular Microsoft product.
Come on, who runs a Windows box on the web without heavy firewalling, software firewalling (blackice with autoblocking for instance) and regular audits?
The same goes for Linux. Security is not something to be taken lightly. People should NOT be putting machines out in the open. The best practice used to be Firewall critical servers. The best practice has become Firewall, IDS, and monitor the crap out of anything touching the internet.
These tests are always like comparing a Factory Model to a Nascar Stock Car.
This "article" doesn't actually provide any information about in what WAY the results were obtained.
From an admin perspective, I want to know what the vulnerabilities were, and what their definition of "vulnerable" is - especially if they say "Windows had 30 days of vulnerability, versus 71 for Linux".
On that topic, when are we going to get past the label "Linux"? There is no such thing. There's RedHat, SuSe, Gentoo, and Debian (among hundreds of others) and they all handle security differently. I'm sure I could find distros LESS secure than Windows, and I'm sure I could find distros unquestionably MORE secure, as well.
Ah, well, I guess I'll wait for the report. I would have preferred a headline:
"OS Zealots Face Off in an Anecdotal RedHat vs. Windows Web Server Security Showdown - IIS Triumphs"
The article is sparse on details. It would definitely be nice to know the exact methodology: what else was considered besides the number of disclosed/patched vulnerabilities, how those were determined, etc. Without it, the study is hardly different from handwaving.
It really bothers me that simple studies such as this grab the headlines. If you really want to determine which server is more vulnerable, study real servers belonging to real companies handling real traffic/data that someone wants to get.
Also, deciding on a configuration that an "average administrator" would have instead of a "wizard" seems questionable unless they determined those settings by examining dozens (or hundreds) of actual system configurations. Determining something is "too advanced" for an average administrator to use without actually examining real systems seems too arbitrary. Can anyone define the skill level of an average administrator?
You can't determine how secure something is if you aren't going to use its security features. If M$ has all of their security features turned on by default and Linux doesn't, that doesn't mean M$ products are more secure than Linux, it just means that they have a better configuration out of the box. (Not that I believe that, but I use it for the sake of argument.) While it is important to have fail-safe defaults, it is far more important for someone to know what they are doing. Unfortunately, too many companies don't understand that and hire people who don't know what they are doing.
Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
I would think that a Windows box set up by a MS Certified Professional and a Linux Box set up by some kind of Linux Certified Professional would be a much better comparison than one between a "Linux Fan" and a "Microsoft Enthusiast."
Because patches to RedHat cover the gamut of applications ( X, OOo, FF, .... ) where the Windows server, just the OS. That's strike one against this "study". They should ONLY count those bugs directly related to the service being studied. Many bugs and patches are against theoretical problems that have no real or even sometimes possible local or remote exploit.
... until they get the results they want. Since they are in a position to squash any negative results it guarantees them the upper hand. Once they find one study that gives them the numbers they want.... then they replicate it "independently" to prove they are right.
The other major problem is that the "days exposed" should start when an exploit is "in the wild" not when an alert is posted to the bug lists.
No study data is available, but I can imagine that this is just like the pharmaceuticals. MS doesn't have to "fake" data, they just run the study again, again, again,
if the power is off
Mid-Eastern Pennsylvania Gaming Convention
i know it sounds kinda lofty that he is a comp sci prof, but look at his credentials - it's all in semiconductor physics. i rather doubt the integrity of fl inst of tech if it places someone in a comp sci professorship with no formal education in comp sci. what is he teaching? his 'opinions'? using a computer for circuit modeling or thesis word processing hardly qualifies...
It's not news when dog bites man but here we have what the news reader has been constantly looking for!
I can make my Linux box less secure than Windows. It would be simple: install OpenSSHd, allow root access, set root password to GOD.
This article doesn't analyse any useful information because yes, Linux can be set up as insecure, but you can also enable anonymous unencrypted remote desktop on a Windows 2003 machine. The good studies on security try to measure security when both machines are as secure as possible and list what services were being run on both.
This is not the first time this type of subject has come up and it will come up again. Why we bother with it on Slashdot I don't know, but then again I bothered to reply.
The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.
translates to:
Companies who employ admins who use default setups because they're doing a job beyond their understanding leave their servers open to attack.
Alternatively, company bosses could employ admins who have a clue rather than leaving it to Joe in accounts who's good with computers i.e. can use macros in office.
Hmmmmmm..... Deep fried and look like Squirrel.
In other news, TNT is more powerful than thermonuclear warheads because more TNT is used to get a nice explosion.
Bear with me, here. They're comparing the amount of time between the announcement of a vulnerability and the release of the fix, right? But many vulnerabilities exist underground before they're publicly announced. A lot of them are discovered by security people because they're seen in use in the wild.
So why is the announcement date for a vuln used to start the clock on the time spent vulnerable? The REAL value you need is "when was this actually discovered by the cracker community". Does their study look at that?
But it's even more complicated than that--if three black hats in the whole world know about a bug, it's less dangerous than if thousands know about it. So the rate at which the underground becomes aware of a vuln is an important part of this, too. And I'm not sure how this study can figure that out, or find an acceptable proxy on which to estimate it.
Just counting days between vuln announcement and patch announcement is crap. Sure, there's a grain of truth in there, somewhere, but the lack of any data on the rest of these factors is potentially a huge difference in the conclusion.
Put differently, you can usefully estimate a quantity if you know enough about the factors to be sure that you're with 5% of the correct answer. Maybe even 10%, or 20%. But your estimate is useless and misleading if you can't get within 90%. And even worse, if you don't know how far off your estimate is going to be (because you don't know enough about your factors to even establish an error range), your estimate is pretty fucking close to a lie.
I can think of a couple more, too. The methodology seems kind of, well, pre-scientific. I don't want to say "barbaric", exactly, but...
"There are some people who are sceptical [of the results]," said Dr Thompson. "We would encourage them to replicate this type of study. If you see flaws please tell us."
Are they joking? Their metric (reported vulnerabilities) is absurd for a number of reasons.
1) Microsoft reports only a fraction of its vulnerabilities. Remember when Win2000 had over 65000 known (to Microsoft) flaws? No more than a handful were ever reported. Microsoft reports flaws only after bearing enormous public humiliation. Of course Microsoft's flaw count is going to be low. Microsoft hides them all until forced to disclose.
2) Linux vendors report every hair out of place. It doesn't matter if the flaw causes a D to look like an O on the third day of the Summer Solstice, but only if that day matches the 4th digit of PI, and only if the computer has calculated the cure for cancer at exactly 15 milliseconds after the user's orgasm.
3) Seriousness of vulnerabilities. Due to the nature of full disclosure under Linux, it will -always- have higher reported flaw counts than Windows. The vast majority of reported Linux flaws, however, are relatively benign, while the vast majority of reported Windows flaws hand over complete control of your computer to some third party.
4) Widespread Propagation. Windows, by its intended design, makes propagating exploits to these vulnerabilities trivially easy (automatic, actually), while this has yet to be accomplished on Linux (and likely won't be).
Sorry, but this "study" is complete nonsense.
"MY box could beat up YOUR box.."
One datapoint makes a terrible graph.
On top of that, my "home" server doesn't get handled the same as my production boxes. And Redhat's patches don't necessarily have a DAMN thing to do with Apache's patches.
I seem to recall a comparison I saw on
There's probably 1000 more software packages in redhat than there are in Windows. Of COURSE there's going to be more patches.
You know, I remember as a kid how people would argue tirelessly about how the USSR was better because they "guaranteed" more economic security for their citizens. While it was true that that form of government guaranteed free room and board to every citizen - it was done so in a way that guaranteed people would also lose freedom, so in effect their promise was never tenable, and effectively worthless.
Well today we have a parallel situation with Microsoft. You have no freedom to modify code, you have no freedom to redistribute MS created code bases, all you have is a "guarantee" that is backed up by nothing other than their ability to sue the crap out of (and possibly imprison) people who redistribute Microsoft created source and software. This is not a good position to be in - in the middle of an information age defined by the unrestricted flow of information. Perhaps MS should stop believing their own propaganda that tries to pretend that copyrights are the same as any free market property right, and start seeing them more as a government microregulation on how people can use and distribute information at a time when such a social burden can no longer be tolerated.
Be it economic security, or application security, you can argue tirelessly about all sorts of crap - but without the "freedom" part, it is an exercise in futility. The bottom line is that no matter what kind of "problem" is pointed out, there is always the freedom to do something about it, where with MS products there isn't.
All that really says is that the foundation is secure. It doesn't say that Windows will be free from successful attacks or that Linux will not.
Try this analogy on: if you buy both a Porsche and a Dodge Neon, park them both on a city street and leave them overnight, unattended, which one is most likely to get stolen? Anyone with common sense says the Porsche. But the Porsche has a much better security system than the Neon has. But gosh, nobody wants the Neon either, so it doesn't need the over zealous security. Now that's a bit of a stretch for a Windows vs Linux comparison, but it does denote the reason why a Windows server is going to quickly 'become' insecure, while the less secure Linux platform is probably going to be fine and left alone.
... and squint your eyes, you'll see the 'clear' results.
The researchers used reported vulnerabilities as their guideline, and 'days of risk;' quote: "the period from when a vulnerability is first reported to when a patch is issued."
Windows Server 2003 had 30 days of risk, Linux (Red Hat Enterprise Server 3) 71 days.
But which reports of vulns are they considering? Microsoft often provides their own reports, which are released WITH THE PATCH. I wouldn't give those reports the same weight, since the vuln could have been there (and unofficially known) for MONTHS.
I fully expect Linux to have MORE vulns in any case, since Linux ultimately is a collection of separate programs working together, each of which has their own potential insecurities. But, a vuln in sendmail is NOT going to affect my webserver, because I'm going to turn that OFF (if I'm a smart admin).
In fact, the researchers only used a "hypothetical" system to show "what an average system administrator may do." I'm sorry, but if an admin is using anything like a default setup he is BELOW average.
In conclusion, this really sounds like a comparison of how vulnerable the respective systems with a 'default' install. Wake me up when they go head-to-head with OpenBSD.
P.S. Hey researchers- RED HAT IS NOT LINUX.
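The post above makes the "two ports" argument: a web server needs 80 and maybe 443, and a sendmail vulnerability is irrelevant once that daemon is off. As an added example (not code from the article or the researchers), here is a small audit that reads `ss -tlnp`-style listener output and separates expected web ports from loopback-only services and from anything else exposed on a public address. The sample output is constructed, and the `{80, 443}` baseline is an assumption for a public web server.

```python
"""Added example: audit a web server's listening sockets against the
"only 80 and 443" baseline the thread describes. The `ss -tlnp`-style
lines below are constructed sample output, not from a real host."""
import re
from ipaddress import ip_address

# Constructed sample in the layout of `ss -tlnp` (Linux iproute2).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:80                *:*               users:(("httpd",pid=1203,fd=4))
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*         users:(("sendmail",pid=990,fd=4))
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=640,fd=4))
LISTEN 0      511    [::]:443            [::]:*            users:(("httpd",pid=1203,fd=6))
LISTEN 0      80     [::1]:3306          [::]:*            users:(("mysqld",pid=1402,fd=10))
"""

# Baseline for a public web server (an assumption for this example).
EXPECTED_PORTS = {80, 443}
PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss(text):
    """Yield (bind_addr, port, process) for each LISTEN line."""
    for line in text.splitlines()[1:]:            # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)      # handles IPv6 "[::]:443" too
        addr = addr.strip("[]")
        m = PROCESS_RE.search(line)
        yield addr, int(port), (m.group(1) if m else "?")


def is_loopback(addr):
    """True for 127.x / ::1 binds; wildcard binds ('*', '', 0.0.0.0, ::) are not."""
    if addr in ("*", ""):
        return False
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(text, expected=EXPECTED_PORTS):
    """Classify every listener as expected, loopback-only, or unexpected."""
    findings = {"expected": [], "loopback": [], "unexpected": []}
    for addr, port, proc in parse_ss(text):
        if port in expected:
            findings["expected"].append((port, proc))
        elif is_loopback(addr):
            findings["loopback"].append((port, proc))
        else:
            findings["unexpected"].append((port, proc))
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_SS_OUTPUT)
    for kind, items in result.items():
        for port, proc in items:
            print(f"{kind:10s} {port:5d} {proc}")
```

On the constructed sample this flags sshd (22) and rpcbind (111) as reachable listeners outside the web baseline, while sendmail on 127.0.0.1 and mysqld on ::1 are reported separately as loopback-only: still patch-relevant, but not exposed to the network. On a real host the input would come from `ss -tlnp`; the parsing does not depend on the constructed process names.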
"I actually was wrong. The results are very surprising, and there are going to be some people who are skeptical," said Richard Ford, a computer-science professor at the Florida Institute of Technology who favors Linux, as he pocketed what appeared to be a check from Microsoft.
Security is a process, not a product.
You'd think two 'researchers' would know this.
They need to explain exactly what they did to come to this determination. As I read it, they compared default setups... which avoids the "security is a process, not a product" debate.
However, it sounds like they compared the number of reported vulnerabilities as if they were apples and apples--which is a big error. Open Source should yield discovery of more vulnerabilities--the more, the better it's working.
On the other hand, if critical vulnerabilities are not being patched as quickly as for Windows then that would be a problem. What are the statistics on that?
Matthew
The study posts the "days of risk" defined as the time between announcement of a vulnerability and the availability of a patch. But this definition misses two big factors. First, there will be some number of days between the discovery of the vulnerability and the announcement of it. Second, there will be some number of days between the patch being available and the downloading of it. Both factors increase the days of risk and mean that a quickly-patched OS with lots of holes has higher practical risk than a slowly-patched OS with few holes.
I don't know which OS has more risks, has a greater delay between discovery and announcement, or has a greater delay between patch availability and patch application. Does MS or Linux get more slack from vulnerability finders? Do MS or Linux admins patch faster? Does MS or Linux get more vulnerabilities? These data points would help evaluate the true risk.
Two wrongs don't make a right, but three lefts do.
Obviously those "security researchers" didn't do their homework. I can cite a number of recent papers that show that Linux is more secure than Windows in almost any aspect, not just due to its services and permissions model. Anyone who ever had to deal with security issues knows that.
The real question is: What did those two "researchers" get for publishing such a false and misleading study? Did Microsoft pay them?
How many people run WEBSERVERS out of their house? That's not the point of the study, XP et al. not the Microsoft Server product, Server 2003 is. Few Desktop Linux users use Redhat Enterprise Server either.
So how did they add all the IIS exploits to Apache? mod_iis_root_me.c?
This post expresses my opinion, not that of my employer. And yes, IAAL.
Yes, but will it matter?
One of the key issues with "near-religious" people is that they will never listen let alone agree with test results that prove them wrong, however fairly conducted.
(as an aside, I have no opinion on the testing methodology and hence am not commenting on that)
o Smoking, Microsoft and Linux are the root causes all the studies.
o 99.99% studies useless.
o 99.87% studies are not unbiased.
A similarly set up server? They purposely broke Linux to make it work just like Windows?
Well, I guess you can't argue the fairness of that.
... what they're paid to do. How much does a license cost to run Windows 2003? How much does Apache cost? Really, it's not that surprising that full-time salaried employees can build a better server. I mean, that's what they're paid to do. I don't get excited when the guy at the donut store gets my order right, why should I care that Microsoft's server works?
I don't know about other people, but I don't run Apache because I think it's more secure. I run it because it's free, opensource, and secure enough for my needs.
One is that as someone pointed out earlier, the 'Linux enthusiast' has accepted research grants from Microsoft before. That's a little suspect.
Two is the data they present as 'proof' that Windows is more secure, the delay between announcement and patch. "the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup". Besides the point that it doesn't prove one more secure than the other, Microsoft has released patches the same day they announced the exploit because they've kept it suppressed.
Three, if your server is behind a firewall (as all web servers should be!), you need to protect two ports and the software associated with them. Did they limit the study to just those details? Or was this a stock install of these machines directly on the internet?
And fourth, there was no demonstration, this was simply an announcement by two guys who ran some numbers against an undisclosed exploit database. Which thing was it that ran 71 days or stretched everything that long? How many total exploits was it? If I had 2 exploits on redhat, one at one day and one at 141 days, but 10 exploits on windows varying from 1 day to how many days for the ASN exploit... which is more secure again?
Stock install, no patches, then yes, I would say the Windows server is more 'secure' than the Linux server, despite vulnerabilities in each. But that's like saying that this screen door is more secure than this paper door.
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
Doesn't this just mimic the same arguments that have been used about browser vulnerabilities? Apache is on more servers, so more vulnerabilities have been found. As for the time to implement and release fixes, the important issue is how quickly people update their own servers. That might make Linux come out worse, since it's a PITA to update Apache and people who believe Linux is more secure may not update often enough.
A more interesting study might be about actual website defacements? How many on each type of server and how many used already known vulnerabilities.
In the article, the following passage appeared:
A serious challenge to Passport was unveiled separately by RSA Security, the Bedford, Mass., company hosting the conference.
The company, which runs America Online's authentication system, announced it's making its SecurID program for consumers available in the third quarter.
A key feature is a device that saves users from having to create or remember secure passwords. The system uses a key fob that plugs into a computer USB port and generates a new password each time a user logs in. To authenticate themselves during an online session, users enter the serial number on the back of the device and the password or code that appears on a small LCD display.
RSA did not provide pricing information. But in demonstrating the system by logging in to a fictional online bank, the company's slides showed an annual fee of $9.95 a year.
The system is being tested now by E-Trade, Yahoo! and Sony Online Entertainment.
Does anybody know what this is referring to? Is there a new SecurID form factor and how is it being marketed?
I wish I could mod you up, bonch. I've experienced the head-in-the-sand Linux mentality too, and it is scary. It misses the whole point of Linux.
Linux is awesome, this study doesn't change that but we always need to work to make it better and easier to secure. Critics of Linux are our best friends, because they do the work of finding out where we need to improve for free.
The best thing about linux is that when people have a legitimate complaint, it's well within our power to fix it! If Linux is temporarily less secure, so what? After reading this, everyone will adapt their linux distros to render the complaints moot.
This is part of why we love open source, right?
Slashdot. It's Not For Common Sense
My whole reason for choosing any *nix variant vs. Windows....THE PRICE. I am sorry, but I am not a rich guy. If I want to have my own webserver from home, or even have a server that I can mess around and practice with, I have to shell out $600 for Windows 2003. Why do that, when I can shell out....$0.00 for a *nix variant? Nah, I'll pass, thank you. IMHO, if MS wants more people to be pro MS Server, maybe offer a community version of it? Or an affordable version of it? ($20 a month or lower?)
Nevertheless, I am interested in looking at the study, when it gets released.
If you read more about Dr. Ford and Dr. Thompson's backgrounds it becomes very clear that both of them are Microsoft evangelists. Having run an open-source server once does not make you an open-source person. I just wonder how much Microsoft pays them to conduct and publish "studies" like that. Over the past two years Windows has certainly demonstrated that it is lacking a number of essential security mechanisms in comparison to Linux. If someone publishes such bullshit he is either getting paid or promoted well or he is a hopeless fanatic who ignores all the facts.
With Open Source, you can see the source code, hence it's easier to speculate about security holes and develop attack theories. Thus it's easier to SEE vulnerabilities. Even if such vulnerabilities aren't in the wild.
With Microsoft generally someone has to make the vulnerability. Then it has to be put into use. Then someone has to discover that it was being used on them. Then be smart enough to determine that it's a vulnerability and not an improper setup or bad hardware. Then notify Microsoft who then has to verify that it's a vulnerability and issue a fix but will NOT publicize the vulnerability until it's fixed. If you're lucky, a researcher will discover the vulnerability first but it's harder to do that with a closed source base than it is with an open source one.
In any event, the test is engineered to give Microsoft the best results, because the test is based on Microsoft's strengths (a paid-for, targeted development team concentrating... right now... on security, over a loose confederation of paid people and hobbyists donating their time).
Doctor dude #1 who screws around with Windows professionally was better able to lock down a box than doctor dude #2 who kinda likes linux but has no clue about its core operation. In an effort to keep him from becoming glum, doctor dude #1 convinces doctor dude #2 that it's really not his fault; it's the system.
Microsoft service provider prints up story, er, study. Bored Slashdot editor clicks "OK".
Apparently the researchers thought that all of the current studies were simply not rigorous enough. The truth is that rigor is not the problem: it's the framing of the questions and the parameters of the experiments that make most studies to date completely useless.
Bringing more rigor to the question of "how many vulnerabilities are there in a stock installation" is a worthless endeavor, because no level of accuracy in the answer can make the question useful.
Also I would agree with the comment somewhere above... it's a web server, for crying out loud. Who can't keep a simple web server secure? All you need is ports 80 and maybe 443.
There is also a complete lack of parameters mentioned. Are the web servers serving static pages? If dynamic, what languages? Basically these are two complete idiots doing a lot of hand-waving.
is that an average windoze SA or an average Linux SA?
poop
poop
...water is wet.
Until the results favor Linux and/or Firefox, I refuse to support this study.
PS. MICROSOFT IS EVIL!
Burn the witches!
....."two researchers in Florida" announce they have found a miricale drug that will solve all your male enhancement, hair replacement and weight loss problems!!!!!! Seriously, who puts out this stuff?
The issue arises when some zealous penguinite starts yapping their mouth off making unsupported claims about how great open source is and how we should ditch everything MS. I often end up having to knock these people off their milk crates with a bucket of cold, hard reality. Again, not anti-open source, just realistic.
This is a serious behavioral problem that the OS community needs to address. Open Source has gone as far as it can as a novelty act, and if it wants to make any REAL headway, the immature zealotry has to be substituted with thoughtful, realistic competitiveness.
Something needs to be done with the names too. They sound like toys.
Just as an example, if you were to rename firefox to something sounding corporate, professional and "boring" you would probably double the rate of acceptance and bring some OEMs on board.
People who think they know everything really piss off those of us that actually do.
I'm highly sceptical of the figures quoted in that report. I recently studied the data for Windows Server 2003 vulnerabilities and patches over the last year, and found that the average time to patch for serious or critical updates was closer to 120 days. For non-critical updates, forget it, the figure was in the 1 year - never range.
Yes, I have the data to back up *my* figures.
These researchers mention they are not "wizards" and I think this illustrates an important difference between Open Software and Windows. Linux is great if you know what you're doing. There are lots of resources out there to help you properly configure your system, and if done right you will have minimal issues.
And you're going to need those resources if you're not a "wizard". Open Source software is not as easy to use as most MS products, and in many cases the documentation isn't very good either.
Hypothetical? This isn't a study, it's hand-waving with added pulling-numbers-out-of-arse goodness. (I don't see a source for the numbers, do you?)
Oh, and they managed to prove that even for hypothetical machines a competent admin is needed. Bravo! Who'da thunk?
StrayByte.Net
Dear Sir/Madam(s),
I came upon this article http://linux.slashdot.org/article.pl?sid=05/02/17/1616232&tid=172&tid=109&tid=106, and it occurred to me that one thing that could be done to counter the FUD that is certain to be drummed up in the wake of this survey is to provide a simple ip(6)tables front end GUI that is readily visible in the "start here" menu. It would also be very useful to increase the testing of non-standard routing policies, and help to solve (for example) packet filtering issues for the average user. An example of the application of such a policy would be the use of bittorrent to distribute files without choking the connection.
From a security angle, such a utility would immediately make articles such as this moot: if it's easy to tighten your security, people will do it. When they search a security issue, they're likely to be greeted with a basic tutorial on how to use the GUI. To provide such a GUI would enhance both security and the functionality of one's internet connection: it would be welcome indeed!
Yours Faithfully,
Wikileaks, no DNS
MSFT will release the bug fix 4 years afterwards, while never admitting it ever had a bug.
-- Tigger warning: This post may contain tiggers! --
...only on their last album. Everything before that was pretty good!
Oh yes but there are those of us in Redmond who work for MS related companies and are getting management to move to Linux and open source apps.
There are a few of us up here and I'm amazed at how none of the schools in this area (minus the U of W) teach anything but MS scripting and coding shit.
And the students wonder why they can't get jobs.
This is my sig. There are many like it but this one is mine.
"Windows Web server is more secure than a similarly set-up Linux server"
So, they had to degrade the security on the Linux server to allow it to be "similarly" set up to the Windows server?
Basically they were saying to companies "If you are employing a HTTP server admin who knows *NOTHING* about administering web servers, as of this version/patchlevel of each of these OS, this is what you can expect." (Relative security varying more or less with each new patch, etc.) ;-)
If they were really trying to scientifically compare, they would have gotten a certified MCSE and RHCE with equal years experience managing servers, and let them set up their servers in what they considered "Common usable yet secure state" and then run another comparison. (The most secure of course, being unconnected to the Net and unplugged
I also noticed that despite the fact that they claimed they compared risk levels, when they listed total days "at risk" they did NOT list how many of those days for each were highly critical, non-critical, etc.
So Redhat is now Linux.
I guess I missed the fucking press release.
toast on the Windows setup.
Questions?
one example does not a statistical study make.
get back to me when we have more than 100 such trials - public ones that are allowed to survive in the wild for a few months.
-- Tigger warning: This post may contain tiggers! --
Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.
Doesn't Microsoft, for the most part, control both the announcements of vulnerabilities and the release of patches???
And even if Microsoft doesn't control ALL announcements of vulnerabilities, it controls enough to make the statistics worthless; for instance, Microsoft can arbitrarily lower the metric "days of risk" by delaying announcement of vulnerabilities until a patch is ready, therefore skewing the true number of "days of risk".
This "study" assumes that both Linux and Microsoft have equal levels of control/non-control over the variables examined.
Just do what you do best
Arnold "Red" Auerbach.
Bill Gates thanks his brother for completing the comprehensive study.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
There is an obvious problem with the numbers and statistics that are coming out of this "study".
RHEL releases updates and such on a quarterly basis, thus the 71 days without patching doesn't seem that odd (when you have a 90 or so day window).
Windows Update puts major stuff up, typically, once a month.
The simple fact that there is a difference in release schedule is pointless and not a good basis for comparison.
Last I looked, Windows IIS ran fewer than 1/3 as many sites as Apache, but had 3 times as many defacements. In perspective, you're 9 times as likely to be hacked if running Windows.
Obviously my research methodology isn't perfect, but intuitively it's obvious that a Windows-based web server is less secure simply based on real-world observation.
I always find it interesting that the pro-Microsoft crowd is forced to talk about "theoreticals" while deftly ignoring reality.
Do you have ESP?
One bit of religious FUD I see here is "If you use MSIE (Internet Explorer), you will get spyware on your computer". The people who spread this FUD neglect to point out that Windows XP Service Pack 2 has a number of security improvements that make it harder for spyware to be installed on a computer.
Yes, there are a number of advantages to open source software, but it does not look good to continually point out security problems that Windows XP SP2 has addressed.
...is too hard to handle for most:
An OS is only as secure as its admin is competent. This will NEVER change, no matter what platform you are dealing with.
If you give some RedHat CDs to a complete goof off and have them install it on a system that is going to be directly exposed to the internet, that box is going to get rooted eventually. It might take longer to get rooted than a Windows box, but it will be cracked.
If you give Windows 2003 Server to a knowledgable admin, he will secure the box and make certain that the likelihood of it getting cracked is fairly low. He will know not to put the box on the internet until he's applied all SPs and critical updates. He will know to use an internal SUS or WUS to make sure that the box is updated without exposure to the internet.
If you give a complete moron who *thinks* he knows all about [insert platform] any installation media, you're going to have an insecure box.
It's been my experience that the best people to set up an internet-exposed box using any OS are people who are most familiar with all OSes and have a good understanding of how to secure each one. It's not that hard to hit the main security points and still keep on top of all OSes. However, since egos are so intrinsically tied to how secure a box is, people point the finger at the OS distributor. Sure, they are to blame in many cases, but the implementor is usually far more guilty of being lax. That's the hard truth and it cannot be refuted.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
I admit that I have neither the time, nor experience to properly execute this, but I would find the most value in a study which involved either a meta analysis of server logs and setups from major ISPs, online vendors and other service providers or a double blind all-out hack-fest in which an equal number of IIS and Apache systems (which is what we're really testing here) were attacked, probed and analyzed.
These 2 setups running in tandem would provide the most useful and hard to fudge data. Getting the server admins and legal departments of eBay, Amazon, AOL, Google and others to actually divulge any information would be a feat within itself but remarkably valuable.
Simply comparing two hypothetical setups and measuring patches (time/number) leaves way too much room for marketing hype and tainted research. Give me some real-world data and some hard core researchers who know server security and we can have a study worth funding.
-KS
The article compares the window of time of vulnerability between reports of security flaws and available fixes to them. Based on that, Linux should come out WAAY ahead, and yet it didn't... And then I noticed the one important detail: they were comparing Red Hat to Windows, and thus the window of vulnerability counts from when the vulnerability is reported to when REDHAT gets the fix packaged up and pushed out through *their* channels, which is significantly after the fix is available if you didn't go through Red Hat to get it.
So, the research is very true - a straight redhat install with no outside packages does have longer windows of vulnerability than a straight Windows install with no outside packages. But the person writing the article told a MAJOR LIE when summarizing it for the article, by attributing the long windows of time to linux in general, when really it's a problem with just redhat.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
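The thread raises four separate objections to the "days of risk" headline number: the hypothetical of two Red Hat flaws at 1 and 141 days against ten Windows flaws spread from 1 day upward, the absence of any breakdown by severity, the vendor's ability to lower the metric by withholding announcement until the patch is ready, and the gap between a fix existing upstream and the distro shipping its package. The script below is an added example, not part of the original posts and not the researchers' data: it scores a constructed vulnerability set under three different clocks so that all four effects are visible in one run. Every record, date, identifier (C-01, D-01, ...) and the "closed"/"distro" product labels are invented for illustration.

```python
"""Days-of-risk accounting over a constructed vulnerability set.

Two hypothetical product lines, "closed" and "distro", modelled on the
thread's own hypotheticals. Every record, date and identifier below is
constructed for illustration and corresponds to no real advisory.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, median


@dataclass(frozen=True)
class Vuln:
    vid: str                # constructed identifier, not a real advisory ID
    severity: str           # "critical", "important", "moderate" or "low"
    vendor_notified: date   # day the vendor first learned of the flaw
    public: date            # day the flaw became publicly known
    upstream_fix: date      # day a fix existed anywhere (e.g. upstream project)
    vendor_patch: date      # day the vendor shipped its own patch


BASE = date(2004, 1, 1)  # arbitrary epoch for the constructed offsets


def mk(vid, severity, notified, public, upstream, patch):
    """Build a Vuln from day offsets relative to BASE (constructed-data helper)."""
    def day(n):
        return BASE + timedelta(days=n)
    return Vuln(vid, severity, day(notified), day(public), day(upstream), day(patch))


# Ten constructed flaws. The first three were reported privately about 90 days
# before the patch, and the patch shipped on the day the flaw was announced,
# so they score zero days of risk on the public clock.
CLOSED = [
    mk("C-01", "critical",   0,  90,  90,  90),
    mk("C-02", "critical",  10, 100, 100, 100),
    mk("C-03", "important", 20, 110, 110, 110),
    mk("C-04", "important", 60, 120, 123, 123),
    mk("C-05", "moderate", 100, 130, 140, 140),
    mk("C-06", "critical", 140, 140, 155, 155),
    mk("C-07", "low",      150, 150, 170, 170),
    mk("C-08", "moderate", 160, 160, 190, 190),
    mk("C-09", "low",      170, 170, 215, 215),
    mk("C-10", "critical", 180, 180, 360, 360),
]

# Two constructed flaws, public the day the project learned of them: a critical
# fixed the next day, and a low-severity fix available upstream after two days
# that waited 141 days for the distro's packaged update.
DISTRO = [
    mk("D-01", "critical", 50, 50, 50,  51),
    mk("D-02", "low",      60, 60, 62, 201),
]

CLOCKS = ("public", "vendor_known", "upstream")


def days_of_risk(v, clock="public"):
    """'public': public disclosure -> vendor patch, the study's definition.
    'vendor_known': first vendor knowledge -> vendor patch (no credit for
    sitting on a privately reported flaw).
    'upstream': public disclosure -> any fix available, ignoring packaging lag."""
    if clock == "public":
        return max(0, (v.vendor_patch - v.public).days)
    if clock == "vendor_known":
        return (v.vendor_patch - v.vendor_notified).days
    if clock == "upstream":
        return max(0, (v.upstream_fix - v.public).days)
    raise ValueError(f"unknown clock {clock!r}")


def summarize(vulns, clock="public"):
    """Aggregate figures of the kind a headline number is built from."""
    d = [days_of_risk(v, clock) for v in vulns]
    return {"count": len(d), "total": sum(d), "mean": mean(d),
            "median": median(d), "max": max(d)}


def by_severity(vulns, clock="public"):
    """(count, total days) per severity: what the single headline number hides."""
    buckets = {}
    for v in vulns:
        buckets.setdefault(v.severity, []).append(days_of_risk(v, clock))
    return {s: (len(x), sum(x)) for s, x in sorted(buckets.items())}


if __name__ == "__main__":
    for name, vulns in (("closed", CLOSED), ("distro", DISTRO)):
        for clock in CLOCKS:
            print(name, clock, summarize(vulns, clock))
        print(name, "by severity (public clock):", by_severity(vulns))
```

On the public clock the constructed "distro" set averages 71 days against roughly 30 for "closed", reproducing the thread's hypothetical; switching to the vendor-known clock more than doubles the closed-source total, counting fixes from upstream availability collapses the distro figure to two days, and the per-severity table shows the distro's only critical was fixed in one day while the long tail came from a low-severity flaw. None of this says which product is safer; it shows that the metric's answer depends on which clock is chosen and on whether severity is reported at all.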
I'm going to dump my Fedora Installation(TCO $0.00)
.....
and run to the store and buy me Server 2003(TCO $599-$3522 + Licencing).
Definitely not going for RHEL (TCO $349-$2499 + Licencing) because no matter how hard I try, I could never get as secure with up2date, SELinux, PaX and Firefox as I could be with Windows Update, third-party antivirus, Windows Firewall and Security Center. NEVER!
And I shouldn't even be comparing Fedora to Server 2003 because Fedora could never be used as a server of any kind. Neither could Slackware (TCO $0.00), SuSE (TCO ~$100.00), Mandrake (TCO ~$100.00), Debian (TCO $0.00) or any other of those insecure Linux distros! They're not SOLD as servers so they absolutely cannot be compared to Server 2003. No way, never, uh-uh.
Wow! This study has really opened my eyes to the lie. Why did I abandon my XP installation (TCO $200.00) after only a few dozen major worm outbreaks? I could have done anything on XP that I can do in Linux. It would only have cost me a few thousand dollars, but I could have!
These researchers have really opened my eyes to the lies. I believe everything they say, even without the data to prove it they.....
Ok here my sarcasm must crack under the sheer enormity of the following statement.
The pair said that they lacked the funding to test other operating systems, such as the Apple OSX kernel(TCO $100.00), although they thought it was "amazingly" stable.
WTF!? Are these guys for real? Is this study just a troll? I mean... WTF!!?
I will however take a wild guess that their next server security study will have OpenBSD mysteriously absent.
May the Maths Be with you!
TFA mentions that this is a default implementation of both, unhardened. To that I would reply, "Well, DUH!!!" If your administrator doesn't know enough to grab one of the multitude of Apache hardening checklists off the web http://www.google.com/search?hl=en&lr=&q=apache+hardening+script then they shouldn't be allowed within 100 meters of your datacenter. Period.
The article states that the configurations were done using the typical, basic options that an administrator may use, and not any kind of security wizard.
I would like to know how many companies are out there that would take their pimply-faced intern and have him do a default installation for an internet server with databases on it. They may have found a valid point, but their premise is fucking retarded.
I have always given MSFT the benefit of the doubt that they would have the option to configure a server with the intention of meeting security requirements, and similarly doing the same with Linux, and then see who's the most secure. While Microsoft has made ground against the *NIXes of the world, I really don't believe that a reasonable attempt at security is any better on Windows than it is on Linux. Considering the damage they've been suffering, I would expect their default installations to be increasingly severe.
I would equate this study to testing the security of a 4 foot high brick wall or a 3 foot high set of four horizontal wires. The wall is obviously more secure, until you turn on the high voltage supply to the electric fence...
Windows has an autoupdate option, for windows update, to download and install the update automatically.
And part of what makes an admin "secure" is his experience in what operating systems to use due to their history and security.
It simply doesn't matter how careful an admin is; it is still possible an unknown OS flaw can bite him in the ass. If he's experienced, however, he knows about certain flaws and security holes, and takes corrective action, thus diminishing the chances of being hacked.
This study may or may not be valid, but it behooves admins everywhere to pay attention to the kinds of security holes that are found in every operating system.
To that point, I'd argue that a competent admin who sets up Windows servers and one who sets up Linux servers will never have the same success rate. The question is, whose is better? I have no idea; it's too difficult to quantify.
-Dan
"The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.
Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
The presentation was a preview of a report they plan to issue in 30 days"
This article doesn't present anything actually news worthy in my opinion but I would be interested in seeing the actual study.
I am skeptical from the standpoint of what I have highlighted in bold, but again, the actual study may flesh out more details about what constitutes "average", etc. and the criteria used to determine these factors. So as it stands, I am in no position to refute or praise anything regarding this study.
Everything aside, computers networked with access to users are insecure, period, regardless of your OS. I have no study, just my own empirical knowledge, to back this claim up. I like to refer to it as common sense. Now if a study comes out that proves my root perception wrong, then I would be surprised at the results.
BSD is designed. Linux is grown. C++ libs
Study should say, "Microsoft theoretically more secure than Linux, if both sustained the same level of malicious attacks and exploit scrutiny"
I'd rather live in a hut than a castle always under siege. Not that I'm conceding the accuracy of their study in any event. I don't have any experience with their server software, but use both Linux and Windows, and don't need a study to tell me which one is more secure. Thank GOD for Firefox.
Letter To Iran
so that proves it is.
What's nice about 'hypothetical setups' is that you can make up your mind without paying attention to confusing facts. I can 'hypothetically configure' my LG cell phone so that it is superior to any OS. Accordingly, the code in my LG cell phone makes a much more secure server than Windows 2003.
Running with Linux for over 20 years!
Quite frankly, it is 'correct', although misleading, to state that the criteria "included" the number of vulnerabilities, even if that is all the study was based upon. If that line was followed up with some other criteria that was also included in the study, then it would be much more difficult to dismiss this study.
Of course, at this moment, I am not aware of any other criteria being included in the study. If they publish the study and it also happens to include additional criteria, then the study can be accepted upon its merits.
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
"Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued. "
Microsoft has a number where people can report a vulnerability, and Microsoft can sit on it. Microsoft favors security vendors who approach them about vulnerabilities first.
Apache is not Linux. Apache vulnerabilities are discussed on bugtraq. There is no controlled release of information.
Microsoft IIS is closed source. Vulnerabilities are discovered only through chance or procedural hacking.
Apache 2 is open source. Vulnerabilities are discovered by people looking through the source code and finding problems.
So "more secure" seems to be defined in terms of what you can hide from people. If you hide the bugs in your source code and make people use trial and error to find the bugs, yes, you find less bugs. If you control the release of information so that you may get reports 5 months earlier of a bug, and then only later release a statement when someone finds it and posts it publically, its very easy to fix quickly because you've known about it for 5 months.
This is apples to oranges and completely glosses over the important facts of how bugs are reported and how they are discovered.
If one believes that having source code enables one to find more bugs than you find by clean-room hacking, you could only conclude that apache is more secure because the source code is open and there must be plenty of bugs that were never found in IIS because it has not been open to scrutiny.
And again, Apache is not Linux. Apache runs on Windows too, does this mean Windows is more vulnerable? Remember, IIS is a product as Windows is a product. Linux is a product as Apache is a product. Lets not confuse the barnacles with the boat.
I'll admit that I didn't RTFA, but Zone-H did a study on windows vs. linux security, and the conclusion was similar.
Security has something to do with knowledge of the admins and only a little with the OS. my e cent
Sure most people will have 1 server handling all tasks running somewhere outside their reach but there are ways around having every damn service in the world open to the entire world.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I did some work at a local University a while back. The faculty I worked in used HP-UX for their core services, Linux on the desktop, a couple of Solaris labs and 1 small (less than a dozen) windows lab. The other faculties used Windows almost exclusively.
/my2cents
The faculty that ran the *nix based services had almost no complaints of intrusion or other security problems from the "global" IS department of the university, while some of the windows using faculties were being threatened with losing their internet access because of too many security breaches.
No, this isn't a study. But it's evidence of how it works in the real world.
The reason I think *nix is more secure is because of how configurable it is. You can configure almost anything. Hell, you could write your own TCP drivers if you felt like it (not that I've ever known anyone to do that). On Windows you're limited to the security options given to you from the vendor. Or you have to pay a 3rd party for their innovation... With *nix the power is in your hands.
'Out of the box' software/systems are usually never ready for production environments right? But sufficiently tweaked most systems can be reasonably secure and centrally manageable. I just think that level of tweakability is higher with *nix.
Instead of setting up both servers in a 'basic configuration', how about locking them down as much as possible? Why not apply all available patches, install the latest version of the software and then run the security tests? I imagine their results might be different if they chose this method instead.
As an aside, the title of this article could be improved: "Study finds Windows more secure than Redhat Linux". They are not testing linux as a whole- Just Red Hat's distro. Again, the result might be different if they tested against [insert random distro here].
Hmm:
:(
Who's there?
Knock Knock.
Who's there?
nock Knock.K
Who's there?
ock Knock.Kn
Who's there?
ck Knock.Kno
Who's there?
kKnock. Knoc
Who's there?
Knock. Knock
Who's there?
Steve Reich
She probably wouldn't like that one any better.
Hell freezes over.
SPAM email messages stop being sent.
The Earth starts revolving around Philip Glass.
Nothing new to see here, folks...oh, wait, it IS new to you, isn't it, Slashdotter?
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
Well, my Windows system is frequently in a BSOD, or rebooting after installing this morning's/afternoon's/evening's patches, so it spends a lot of its life in the POR cycle.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
You had it somewhat out of order.
SELinux -- even if Apache has holes, Linux is _more_ securable. You can run Apache with a fine-grained mode telling what it can or cannot do. So even if someone finds a buffer-overrun vulnerability, the most they can do is whatever Apache is _allowed_ to do.
The point with Linux is: the choice is there to make it MORE secure. Windows doesn't even have any type of MAC security. And last-time I checked, SELinux was supported for Redhat Linux ES.
And those who want to give SELinux a run can try it out on Fedora Core 3, before shelling out for RHES.
Kashif
It's unfortunate Red Hat has acquired Windows' weak security posture in its effort to attract Windows server market share. I've personally had to administer 3 compromised Red Hat boxes, and this after converting that client over from Windows due to a compromise.
But, RH isn't Linux. Linux is many distributions, some good, some not so good, but if you take the pool of Linux administrators against the pool of Windows administrators, you'll find Linux administrators are more knowledgeable about their systems and do smarter things in securing them. This isn't as true as it was a few years ago before the reluctant Windows administrative masses took refuge in RedHat, but you won't see _any_, not even one Linux defector to Windows. Perhaps BSD, but definitely _not_ Windows!
I've never seen one of my Slackware servers (running sendmail, _even_ and FrontPage extensions with PHP on the Apache server) compromised. It's never happened in the 10 years I've been using them.
I've been wasting a lot of time lately poring through logs for a new project and it's ludicrous how much additional coding I've had to put into my Perl scripts to make allowances for compromised Windows boxes that have inundated my web server with traffic during their Code Red and Slammer compromises, not to mention all the other little oddities Windows clients do when downloading mp3s from the server, such as client caching and sending 32k+ search strings in the URL. It creates work to have these obnoxiously configured client machines on the Internet.
I'm not going to complain too loudly since without all these Windows users on the Internet surfing my site, there wouldn't be much of interest to process in these logs, but to assert Windows as more secure than Linux?! Really....
Could someone please post the name of which Micro$oft C?O's budget backed this study, so we can move on to a more interesting and valid discussion?
www.dedserius.com
VB != VisualBasic
then the person doing the considering hasn't really thought about it
/. overlords
this is a great example of what over-paid incompetent people do in order to serve their masters
in a real study, there would be a) a meaningful methodology, b) meaningful data and c) peer review
this is just junk science being used as propaganda
imho, just another useless article, way to go
why, oh why can't they stop being egotistical tyrants and let us the readers decide which articles deserve posting
you guys are just as bad as Bill
Hmmmmm. Microsoft has its Patch Tuesday (although if there were something critical that was already widely known, I suspect they'd consider a quicker release), but it would surprise me if Red Hat did not release updates more frequently. Even if they have a regular release schedule (for more regression testing or whatever), it may still be faster to update the Linux box -if- an admin reads the relevant mailing lists and there's either a workaround (disable something until it's patched, for instance) or a patch for another distribution that can be adapted.
But if there were truly no faster reasonable way to update (which I do doubt for the above reasons), it actually would matter because people looking to exploit won't be waiting for your update to be rolled out.
Only the dead have seen the end of war.
This type of generalizing was all over the Seattle Times article. I'd like to see the actual report the researchers are going to publish to see where this generalizing is coming from.
To make the conclusion that Windows is more secure than Linux by taking a single case of comparing Windows Server 2003 to Red Hat Enterprise Server 3 and title your presentation "Windows vs. Linux" is very misleading and inaccurate. Yes, maybe Windows Server 2003 in its basic configuration is "more secure" than RHES 3 in its basic configuration but to make the sweeping generality that Windows is more secure than Linux from this one case is uncalled for.
Another issue I had with the article is their idea of risk assessment. Typically with many (not all) active open source projects you can get a security patch within a few days of the exploit/vulnerability becoming known. Now if you wait for Red Hat to create a new RPM and do their testing of the package before releasing it through RHN it's obviously going to take longer to get the patch. I may compare this to drivers in Windows. ATI will release a new version of their Catalyst drivers and I can go get the package from them right away but if I wait for the new Catalyst drivers to become available through Windows Update it's going to take noticeably longer.
Erik http://yakko.cs.wmich.edu/~rattles
after you've posted your comment dismissing the report because it contradicts your beliefs.
No, I'm New Here
I'm glad that issue is finally settled.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
So everyone just laughed and spotted the fatal flaw. There is a HUGE difference between a security hole that is wide open on EVERY install of your OS even if the user never installed the webserver part on purpose (IIS) vs most of the apache ones which only applied if you installed some obscure expansion.
What counts is not the number of security problems but how serious they are and how many people are affected.
The real truth is that there are lies, damn lies and statistics. You can always twist the figures to suit your angle. Measure the number of "hacked" sites? But do you count "amateur" sites? How do you classify "amateur" sites? Measure the amount of security holes in a default install? But MS OS used to install IIS by default even if never used, making the chance of an IIS having the default setup far greater than on a linux install. Hell, most "proper" distros only install what you want; it might have changed, but apache used to be an optional extra.
All too often I have read a security alert on apache but on reading the details could conclude that it did not apply to me as my install was too different or my setup already had the suggested fix applied.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
A Windows Web server is more secure than a similarly set-up Linux server
I would have to agree. Windows IIS servers are insecure, if you set up an Apache server similarly (insecure), it will also be insecure.
OSX
Critics of Linux are our best friends, because they do the work of finding out where we need to improve for free.
Now that I would like to hear from someone else:
"Critics of Windows are our best friends, because they do the work of finding out where we need to improve for free."
- Bill Gates
"Consensus" in science is _always_ a political construct.
I think the most damage to the reputation and progress of linux is that this comparison gets the imprimatur of syndication and publication in "respected" newspapers. (Of course, nestled in the byline, one may notice the AP reporter is from Seattle, hmmmmmmm). For those who may not have read the article, it is worth the read.... and if you have thoughts about this (as in, IMO, it's a puff piece for Microsoft), note that the column thoughtfully includes the e-mail address (I'll include here for even MORE convenience: Brier Dudley) for the reader to easily contact the reporter...
Bruce Schneier
Posted on January 06, 2005 at 01:45 PM
------------
Different methodology, different results. My money's on Schneier.
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
I'm gonna give it a try and quote here what I read in the VNUnet article (which is the most informative one IMO since it contains a few details, in contrast to the other one) and try to express some reasoning. Until the real analysis is out we cannot be sure about anything though.
Classic strategy: minimize your enemy by defining it tightly as a dogma, then attack that dogma. I've seen this from Sun Microsystems as well. Basically, they ignore e.g. Novell. At least Novell is also a big player in terms of market share.
That said I remain interested in learning why they chose to compare to Red Hat and Red Hat alone.
Definition of 'vulnerability counts' and which vulnerabilities are counted. For example, let's say Red Hat has a patch for OpenLDAP while I run LAMP or LAPP; then who cares about the fact that there's an OpenLDAP patch? Not me.
71 days is long! How they got to these numbers is also very interesting. For example, does this include e.g. the Mozilla bug which was alleged to be known (but not fixed) in 2001? It reminds me about MSIE for which vulnerabilities took long as well and remember 1 patch != 1 vulnerability either.
Statements like these may just as well be from astroturfers. It's also a classic strategy: basically, you play as if you're convinced by the study you conducted yourself while you expected a different result. In all honesty, why would you believe the judgement about the conclusion ("FUD!") from someone who hasn't read the study over the one from the person who's got convinced by his own study? This is why there's not much we can currently do except arguing over the existing details! This is why we need to stress where the missing details are. This is why we cannot judge yet.
One last note:
With that last statement Dr Ford basically says to take this study with a grain of salt because that's precisely what he hasn't researched!
WE DON'T NEED NO BLOG CONTROL.
I'd agree, except that it says these researchers will release their results in 30 days. So this is a non-open report covered in the Seattle Times that cannot be assessed.
If someone:
a) conducts a scientific study
b) makes claims public
c) doesn't reveal the methodology for a month
then that's FUD and not science.
Jeff Carr
In an academic study due to be released next month Dr Richard Ford, from the Florida Institute of Technology, and Dr Herbert Thompson, from application security firm Security Innovation, analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.
I see.
Here is another related report in which Windows is compared with Linux in terms of security. Interesting read.
[alk]
How time flies..April first already?
Keep in mind that most admins are lazy, and that while we can yell and scream that a default setup is not secure nor is it a good indication of being secure, it still should be somewhat secure out of the box. If it's not, then we have a problem and we're supplying the ammunition to the FUD machine that is MS.
Who is John Galt?
Their contention was that for lower skill admins, Windows was more secure. Now, assuming the research was done correctly and the data does indeed support the conclusion, it's a good thing to know. That's something to try and improve in Linux, especially since less competent admins are the real problem.
It's not all that useful to research how tight a competent admin can lock down a box because the answer for almost any OS is "very well". You get a good admin that knows their OS and is on top of things, they can keep anything secure, even Windows. So it's not of much use to say a competent Linux admin can make a secure system, we already knew that.
It is useful, however, to know that a less competent admin will have trouble. More useful would be to know what specifically needs to be done to fix it, but just knowing that it's a problem is a start. If Linux continues to gain in popularity, more people that are not as competent will be running it. While you can never truly protect someone from themselves, there are things you can do to make things more secure for those that don't know what they are doing, and that's a good thing for Linux developers to be looking into.
I have a Linux server with qmail and publicfile. No other open ports except SSH which is firewalled to a small set of hosts, runs on a different port, works with keys only, and doesn't use PAM. I haven't rebooted or patched anything on it in months. Unless there is a remote root hole in the kernel I won't bother with it.
Maybe Red Hat is less secure than Windows, who cares. They both have greater than zero security holes, which makes them both insecure. All I know is I have a fairly secure server and I know how to set up another one for zero dollars on my lunch break. Plus djb has a $500 reward for security holes in his software, I don't see Microsoft even pretending they have anything like that.
Folks, don't fool yourself. Both Windows and Linux distros are mostly crappy software full of holes. It doesn't need to be that way, and admins shouldn't need to be "wizards". But that's how it is.
At least with Linux you 1) don't have to pay and 2) have access to the source code. I don't see how Windows can ever win this argument, except maybe with inexperienced or ignorant admins, or special windows-only software.
It's about contracting the PC muscle, you dolt.
I think it is likewise valid to say that conclusions drawn from studying the actual source of one OS are not directly comparable to conclusions drawn merely by observing the apparent effects of the other and speculating about the contents of the actual source.
It is somewhat similar to attempting to determine the members of Falconiformes without looking at the DNA
As someone said, "extraordinary claims demand extraordinary evidence". In a lot of peoples' opinion, the claim that Windows is more secure than Linux is just that, an extraordinary claim.
How would the authors of their study reconcile it with something like this one, which showed that a default installation of Windows got infected with a virus within 20 minutes?
From TFA: That sounds good. A real comparison of real services running on real servers.
But wait! They aren't real setups.
And it gets worse. Hmmmm, I wonder if they included the info from www.eeye.com http://www.eeye.com/html/research/advisories/AD20
So, a "study" that doesn't test any real world criteria is somehow valid?
Oh, it's not that the study is not valid, it's that pointing out the flaws in the study shows the groupthink on
And pointing out that perceived groupthink gets you mod'ed up as "insightful".
know what I mean?
Not to start a flame war, but ...
The grass is always greener on the other side of the light cone.
"They wanted to cut through the near-religious arguments about which system is better from a security standpoint."
Which of course will lead to more religious arguments...
It's good to use your head, but not as a battering ram.
I for one would like to see them put NetBSD (or any BSD) into the mix. I would also like to see a different distro used for these kinds of tests or studies. Anything besides Redhat or Suse...
As is common with the focus on features and price, there's no accounting for software freedom. I would not want to deploy a server that was essentially a black box instead of a server I could run, inspect, modify anytime, and share with anyone. I'll never inspect all the software I run, but I rely on a community of inspectors and a huge collection of improvements made by people near and far. I think that when people share source code under a free software license, they don't have the room to get away with the nasty problems that plague proprietary software. I don't see Microsoft's IIS giving me software freedom, but Apache does. I remain uncomfortable handing over the integrity of a client's website to a proprietor.
Digital Citizen
that would be laughable.
i can't believe people still think linux is secure and flawless. get over it.
linux is nothing more than the windows of the *nix world... bloated w/ too much shit added because corporations want it...it's no longer the OS of the 'hobbyist'...and if you think otherwise, you are fooling yourselves.
My Linux Command of the Day site : LCOD
1) There's more than one flava of windows like there is more than one flava of linux. I want results from windows xp, windows 2000 and even windows nt along with Suse Enterprise, Mandrake and whatever other popular distribution is out there.
2) As educated as they may be you clearly have 2 biased guys. One for windows and the other for linux who ODDLY converted over after one study. This may be really tough but I want a study done by people who aren't biased and who don't give a rat's ass one way or the other which side wins out, maybe a mac user would be good for this? ;)
3) THE RESULTS NEED TO BE PUBLISHED. Granted I skimmed the article so I do not know if they did this but I want written in a paper, like any other good scientific study, who broke in at what time, what DOCUMENTED vulnerabilities exist, did it cause any down time to the server and how long and what was done, if any, to correct any known bugs (i.e. sending in a bug report and responsiveness to it).
So until reports with at least these criteria get published, I'm gonna ignore any study done in this nature.
From TFA: It wasn't even comparing one Linux admin vs one Windows admin.
They had agreed to run in the "most basic configuration" for their systems. The "study" was setup to limit the options available to the admins.
The only information that can be gained from this "study" is the identity of two people who are too stupid to be trusted with any actual security study.
A real study would be having both of them setup their systems, any way they wanted to, and having every step documented and the reason for it given.
Then put both servers on the Internet and compare the compromise rates.
Lots of Windows attacks exploit multiple vulnerabilities in combination. I don't think many attackers trying to break into a Red Hat system would stop just because they had to use two exploits instead of just one.
The researchers probably found more than two exploits for Red Hat, otherwise they don't have much of a story.
I'll probably be modded down for this...
Basically, this was a comparison of Apache and IIS. Even then, I'd argue that Apache hardened would be preferred over IIS. But as is, who knows? They may have a point. You can't, however, make a broad statement and say Windows is more secure than Linux. Just today my company sent out another virus alert. Everyone on Earth who's been infected with a Linux-based virus raise your hand. Now all you Windows users, anyone infected with a Windows-based virus raise your hand. Now do a percentage breakdown and you just can't hide from those numbers. Yes, Windows is more ubiquitous and therefore your numbers will be higher. But the basic philosophy of the two systems is a large reason for the disparate numbers too. Microsoft and their fans are running from that. You don't see such comparisons done because they can't win. They take things like Apache and do a breakdown app-wise. Given Windows' basic insecurity underneath IIS, how secure is the app after all?
There are far too many configurations to generalize and say, "Linux is more secure than windows" or vice versa. And there are varying degrees of security that people will talk about. Some people are probably thinking of the permissions side of things for their desktop while others mean network security. As far as patches and how long it takes to release the updates; why do you think a lot of people are still running in the 2.2 series of kernels? On top of that, the version of apache, the plug-ins they have installed and so on and so forth. Linux can have varying degrees of security depending on the configuration. Do we honestly think the newest offering from Red Hat is going to be sound? Just as we might ask the same question about the newest microsoft offering or the newest offering of the AmigaOS. There's no way a brand new piece of software won't have problems.
If I was in charge of this shitty site, parent post would get 5: Insightful
What a load....
How about:
Study Finds Windows More Secure Than Linux (default installation, for web service, based on the threat of vulnerability and date to be patched, waited for patch issued directly from redhat instead of just recompiling the damn thing)
I think that's a *little* more accurate.
If you want to see which car is safer than another, you would do things like controlled crash tests and use crash test dummies.
You would NOT factor in how many crashes they had both been in. One moron who keeps hitting telephone poles would alter the stats too much.
The material in TFA does NOT show them comparing the security models or even the patch severity. One bug in a seldom used perl module that lagged on the fix could result in very bad stats for Red Hat.
Once upon another time I had to run another webserver, Apache, on a different operating system, Linux. Once I set it up I did have to spend some time on the security of it, let's see, I had to upgrade PHP once for a serious vulnerability, in, oh what was it now, 13 months? That did take about 2 hours to upgrade....
So, do you really mean to ask if his time is worthless, or do you mean to ask if he has the requisite skills?
My Linux Command of the Day site : LCOD
If the result of the research was that Linux beats the hell out of Microsoft - would you give it a second glance? This way, hundreds of people are referring to those two chaps. It don't matter what they write about you, as long as they spell your name right.
Apache 39821368 68.43 40681140 68.83 0.40
...
Microsoft 12137446 20.86 12322111 20.85 -0.01
Sun 1830008 3.14 1835718 3.11 -0.03
Zeus 690193 1.19 618599 1.05 -0.14
Given those statistics (source - netcraft) why is it then, that we don't see malware attacking apache on such a grand scale as we do IIS? If it's possible for an operating system with such a small percentage of the (server) market to suffer from such virulent malware attacks - then why do we not see these problems on linux which has a comparatively small share of the desktop market?
I call bullshit!
I've been seeing this coming for a while though as people find new and exciting FUD campaigns. Does anyone know who funded this report ? need I even ask that question?
Nick
Electronic Music Made Using Linux http://soundcloud.com/polyp
I couldn't agree more. :)
Erik http://yakko.cs.wmich.edu/~rattles
...when we read something like They wanted to cut through the near-religious arguments
I do not believe that security evaluation has anything to do with religious beliefs. However, wishing that Windows (including server applications like IIS) is superior in security than Linux counterparts does indeed require a somewhat meditational deep religious vocation.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
. . . we let our opinions be influenced by first-hand experience. And there's certainly no need to put extra scrutiny on people who praise deep pockets.
We can tell these guys are bogus even without extra scrutiny because they've used the obviously flawed method of getting all their information from the people who wrote the code.
-- . . ramblin' . . .
I believe it. If you set up a Linux server that poorly you'd be sure to have problems.
See the Pictures of the Flood of '08
Microsoft may make it easier to get a machine up and running. But it will be in an UN-SECURED mode and will quickly be infected.
Microsoft has had to purchase anti-virus / anti-spyware companies because THEY CANNOT SECURE THEIR OWN SOFTWARE.
A Linux box is EASIER to secure than a Windows box.
WINDOWS IS MORE SECURE THAN LINUX should read like this: (a professionally installed and maintained) WINDOWS (2003 server on a professionally secured network) IS MORE SECURE THAN (a crappy out-of-the-back-of-a-book and out of date amateur install of) LINUX (on a home pc). Can we get on with this now.
Here will be an old abusing of God's patience and the king's English.
These results are only applicable to servers that are never connected to the internet, or similar computer network. Connection of a computer to the internet, a known source of uncontrolled computer viruses, invalidates these results and would be an unfair appraisal.
Second, as many other posters have said, things that directly contradict our technical experience, need real proof. I've run IIS webservers AND Apache/linux servers and have experienced the difference. Also, I have a bit of security experience, including a nifty CISSP certification from the ISC^2. Now, I would trust my experience, my technical knowledge, and my security experience over the guy who "runs an open-source server at home" any day.
My Linux Command of the Day site : LCOD
and independently concluded that it has a lower cost of 0wn3r5h1p.
But would I be stoned should I admit here that I listen to Philip Glass?
I mean, you must disagree with maybe 80% of the music in the stores if you are to disagree with Philip Glass' idea on music --- if you want to be philosophically sound, at least.
"Windows Server 2003 had 30 days of risk, Linux (Red Hat Enterprise Server 3) 71 days.
But which reports of vulns are they considering? Microsoft often provides their own reports, which are released WITH THE PATCH. I wouldn't give those reports the same weight, since the vuln could have been there (and unofficially known) for MONTHS."
If they were using vulnerability reports that were released with the patch wouldn't that make the number of Microsoft days of risk zero?
MS gets plenty of scrutiny about their patches. If you don't like the statistic you should probably look at Red Hat more closely, not Microsoft. When a Linux vulnerability was disclosed did Red Hat fix it as quickly as they could have? As quickly as the other distros?
Slashdot think:
Prior to the explosion of the internet, MS released a desktop OS for consumers that was designed for ease of use rather than security. I therefore conclude that a fully patched, competently installed, and well administered Windows Server 2003 computer is completely insecure and Linus Torvalds walks on water. If you disagree or fail to spell Microsoft without a $ in place of the S then you are a troll.
A subtle point they made that I agree with is they evaluated RedHat's distro and they compared the time that it took redhat to propagate fixes to the time it took microsoft to propagate fixes.
I stopped using redhat's network update for my internet-exposed packages long ago because it took so long for fixes released from projects to make it into RPM. I used auto-updates for all the components down stream from the network daemons and their apps as no users had logins or shell access to my servers and I could afford to wait for those. I maintained my own packages and customized compiles for everything that was exposed.
You could argue that their study was comparing redhat to windows, not linux to windows. You could also argue that their scenario was a little off in common practice. But I think they may have at least exhibited the slow-down that a middle-man (redhat) interjects between maintainers and consumers. There is some value in the idea they touched on (unintentionally or not) and some areas where we could do better.
How many of these reports get published every month? So what if Windows is more secure?
I am an amateur at kernel modification, but when I have a problem with some Linux component or another nix OSS app, I dive into the source and fix it, and THAT is why linux is preferred. Because you don't have to wait for MS to release a patch that might or might not screw up your system.
Windows is a good product. It really is. For all its errors it is capable of handling problems gracefully and that's perfect for my mom. But my mom doesn't run a web server (neither do i, for that matter) and doesn't need to make quick changes to her OS. Even if most sys-admins don't do this, it is still a very convenient aspect of Linux. -- AP
What's a "sig"?
Ok, let's honestly read through this article. They compared Windows 2003 to Red Hat Enterprise 3 "...On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found...."
There isn't enough detail on how this study was actually performed. Days of risk? What is that? I'll be honest that I do use Linux on all my computers but one, but I'm not a Linux Nazi. Windows 2003 isn't that bad, but studies like this are flawed because they don't explain in detail how they actually came up with their results.
has a hanging chad.
This applies to mainly a few Systems Integrators, who are designing servers. They'll typically pick Linux or Windows based on security, but also weighed against performance, or application compatibility or other criteria. A competent Systems Integrator knows how to secure Windows servers. Inherent security isn't really that big of an issue.
The vast majority of people out there aren't concerned really with how secure servers are.
They're concerned with how secure their DESKTOP systems are.
With all the spyware problems I've had to fix on friends' systems lately, I don't think we need a study to know the answer to this one.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
One person's experience (as in TFA) can be dismissed.
But the statistics of what systems were infected last year and how they were infected can not be. Yet each of those systems has an admin whose personal report could be dismissed. Ah, the old "marketshare == security" claim.
No, the reason you don't see reports of Linux worms on CNN is that there aren't any Linux worms that are spreading.
CNN will report on a new vulnerability, if it is a slow news day. But they will definitely report on a new worm spreading.
Linux is more secure. That's why there aren't any major worm outbreaks. And I use Debian and update almost every night.
Most of those "vulnerabilities" are not exploitable remotely. Nor do they give elevated privileges. They are minor "vulnerabilities". Here's an example:
and
There are worse ones there, but just counting them shows the individual's cluelessness. The criteria are:
#1. How widely deployed is the package? A vulnerability in the kernel is far worse than a vulnerability in some app that 10 people run.
#2. Remote or local? Remote is far worse than local.
#3. What is the result? A denial of service is annoying. Executing arbitrary code is critical.
So,
#1. a remote kernel exploit that executes arbitrary code is VERY VERY VERY BAD.
But,
#2. a local exploit in some app that 10 people run that causes that service to crash is not even a threat.
Yet just counting them treats them as if they were the same.
So does averaging the days to release a patch. Who really cares if #2 took 200 days to fix? (Aside from the "researchers" doing these "studies"). No. Some of us have a lot more experience with these things.
There are major fucking flaws with that "study" as it is presented in the article. In fact, it goes beyond "flaws". From their decision to limit the options of the admins, it looks like intentional bias. No one is ignoring any criticism.
The fact is, there are more infected Windows machines than Linux machines. Both in pure numbers and as a percentage of marketshare.
THAT fact shows that Microsoft's approach has not been successful and that Linux APPEARS to be doing better.
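The three criteria above (deployment, remote vs. local, impact) and the point about averaging days-to-patch, as an added example that is not code from anyone in this thread or from the study: a small Python scorer that weights each vulnerability by those criteria and sets the result beside the raw count and mean days of risk the article reports. The packages, deployment fractions, dates and the weights themselves are constructed for illustration.

```python
"""Weighting vulnerabilities instead of counting them (added example).

Everything here is constructed: the two fictional systems, their packages,
dates, deployment fractions and the numeric weights.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Criterion #3 (impact): a constructed weight per impact class.
IMPACT_WEIGHT = {"dos": 1, "info-leak": 2, "privilege": 3, "code-exec": 5}
# Criterion #2 (vector): remote counts for much more than local (constructed).
REMOTE_MULTIPLIER = 3


@dataclass(frozen=True)
class Vuln:
    package: str
    deployed_fraction: float  # criterion #1: share of installs with the package (0..1)
    remote: bool              # criterion #2: reachable over the network?
    impact: str               # criterion #3: key into IMPACT_WEIGHT
    disclosed: date           # first public report
    patched: date             # fix available from the vendor

    def days_of_risk(self) -> int:
        # If a vendor publishes the advisory together with the fix, this is 0
        # even when the bug was privately known for months beforehand.
        return (self.patched - self.disclosed).days


def severity(v: Vuln) -> float:
    """Fold the three criteria into one weight: a local DoS in a rarely
    installed package scores near zero, a remote kernel code-exec scores highest."""
    vector = REMOTE_MULTIPLIER if v.remote else 1
    return IMPACT_WEIGHT[v.impact] * vector * v.deployed_fraction


def naive_summary(vulns):
    """The article's style of number: how many, and mean days until patched."""
    return {"count": len(vulns),
            "avg_days_of_risk": mean(v.days_of_risk() for v in vulns)}


def weighted_summary(vulns):
    """Exposure = sum over vulns of severity * days of risk, plus the subset
    that is remote, code-executing and widely deployed (the ones that matter)."""
    exposure = sum(severity(v) * v.days_of_risk() for v in vulns)
    critical = [v.package for v in vulns
                if v.remote and v.impact == "code-exec" and v.deployed_fraction >= 0.5]
    return {"exposure": round(exposure, 6), "critical": critical}


# Constructed sample data: system A has many minor issues, one of them left
# unpatched for 200 days; system B has a single remote kernel code-exec.
SYSTEM_A = [
    Vuln("obscure-app", 0.01, False, "dos", date(2004, 1, 1), date(2004, 7, 19)),       # 200 days
    Vuln("perl-module", 0.05, False, "info-leak", date(2004, 3, 1), date(2004, 3, 11)),  # 10 days
    Vuln("openldap", 0.10, True, "dos", date(2004, 5, 1), date(2004, 5, 6)),             # 5 days
    Vuln("kernel", 1.00, False, "privilege", date(2004, 6, 1), date(2004, 6, 4)),        # 3 days
]
SYSTEM_B = [
    Vuln("kernel", 1.00, True, "code-exec", date(2004, 2, 1), date(2004, 3, 2)),         # 30 days
]

if __name__ == "__main__":
    # Counting and averaging favour B; weighting by what the bugs can do does not.
    for name, vulns in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        print(name, naive_summary(vulns), weighted_summary(vulns))
```

By count and mean days of risk system A looks worse (4 bugs, 54.5 days vs. 1 bug, 30 days), while the weighted exposure says the opposite (13.5 vs. 450), which is the commenter's point about what raw counts and averages hide.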
Could this be why such notables like Debian, Gentoo, FSF, Gnome and now Jabber have had rootkits installed on them????
I would be interested in a list of major OS X or Windows sites (with similar setups or 3rd party access) that had such problems.
you'd be using Mac OS X.
Check it out. It looks like someone was playing with markov chains and slashdot articles!
Without knowing the study in detail it is extremely difficult to comment, but from what I could read in the news article, there could be a crucial and severe flaw in the study: simply counting vulnerabilities won't tell anything about how critical they are, how easily they can be exploited etc. With opensource apps there is a tendency that many vulnerabilities get reported which are low risk while the number of real vulnerabilities in closed source systems is probably only known to core developers and a few hackers, who won't tell us.
Bottom of barrel, meet scraper.
-- Free software on every PC on every desk
http://www.cert.org/advisories/CA-2003-23.html
Microsoft doesn't change anything unless forced to.
As Long As You Don't Count NSA Backdoor Access.
Taking away from their study, I came to this conclusion:
- They examined win server 2k3 along with its posted fixes
- They examined redhat linux with its posted fixes
- They compared the number of patches along with the time it took to release it
- They concluded microsoft was better
This is like saying the sun is made of hot mozzarella cheese because it's about the same colour.
I have YET TO SEE ANY study that takes the REAL vulnerability of security threats into account. Just because on intel platforms it's possible to have buffer overflows and security compromises, what exactly is a security compromise anyway? I have two analogies.
1) An OS/platform is like a house. You might live in a glass house reinforced with lexan where it's far too easy to get gawked at, and your lawn is infested with peeping toms, but you're relatively safe from being robbed. On the other hand you might live in a crumbling brick house with boards covering broken windows. The latter would be far easier to break into, but gives you the illusion of security.
2) An OS/platform is like a car. You can be at the mercy of the manufacturer to issue recalls due to design flaws, some of which could be fatally dangerous, or have a communal approach to a car design where anyone with the knowledge can spot and eliminate the flaws in the design making the subsequent cars that much more safe.
In their study, did they take into account the security vulnerabilities that are capable of compromising the systems (as opposed to gaining access to the system)? Buffer overflows in DLLs in windows can, and often do, allow for complete access to key vulnerable areas of the OS. This of course causes many problems.
It's easy enough for any semi-competent system administrator to configure apache to run only as a specific user, specifically if it's going to be on the internet. If set up that way, once initialized, it gives up root access by setuid and/or seteuid to that user. Once that happens, it's up to the core OS and any tools that can escalate privileges to prevent that from happening. Can the same be said for windows?
Is it also possible that windows simply has fewer 'bugs' or security vulnerabilities because the bug list is tightly controlled and the source code is protected with microsoft's interests at stake? Additionally, pretty much all linux distributions have so many tools/utilities and apps bundled that the bug/vulnerability to lines of source code ratio may actually be lower than that for windows server 2003 which provides a very small tool and utility set in comparison.
The only secure computer is a non-powered computer with no cables attached. But then security is relative and saying that beige cars get into more accidents and are thus less safe completely sidesteps the root cause that they may simply be harder to see by other motorists.
I don't dismiss linux vulnerabilities, in fact I find linux security to be very important. My belief is that the fundamental design and development of linux/unix is far better and far easier to ultimately provide proper security over that of windows. When reputation and profit are not your driving force, but a better product is, you will ultimately and eventually produce a better product. Can anyone truly say microsoft is not working for reputation and profit?
Thank god you're not in charge then...
From reading the article it appears that they are only hanging their hat on one item. They said typical turnaround for a Windows patch is around 30 days vs. 71 for Linux.
There are two points that need to be brought up. They state that it was a test of web servers. Should this be an IIS vs. Apache thing vs. Windows/Linux? Second, I'd like for them to actually discuss quantities of vulnerabilities of the two servers.
Additionally, it's in the Seattle Times? A possible slant to their Redmond neighbors?
In fact the MS server was running unplugged from the network and no intruder was able to break into that patented defense schema. The same test has not been done on the Linux machine because the online help, that was not compatible with industry standard help format, failed to explain how to unplug the network cable.
Maybe computers will never become as intelligent as humans. For sure they won't ever become so stupid. [VR-89]
"The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features."
Ok, these results clearly were skewed in favor of M$ just by that statement alone. An unpatched apache in its base vanilla form vs IIS in its vanilla form , only because M$ has to set everything that could cause a problem to OFF or N/A by default. Bullshit.
The comment about a "wizard" for an "average" admin is also crap. MCSEs these days are book-read idiots with no real time training. Having an MCSE now is just saying you sat down and read a book for x number of days, and you passed a test.
I really wish that these jokes of IT Researchers wouldn't make such outrageous claims.
"God of Rock, thank you for this chance to kick ass. "
On the other hand, the sky is very often not blue. It's often black or various shades of grey, orange, hell I've seen it look green with bad thunderstorms coming in. Even mauve.
As long as there are people who really believe that this is something that can be settled "once and for all" there is going to be an endless series of tedious willy-waving contests with more or less random outcomes.
This is almost editorial trolling to get more pageviews from the feeble of mind.
Certainly the competence of the admin is a major factor. However that doesn't make every OS equally secure. There is still a huge responsibility on the OS programmers to do their job correctly.
If I am using openbsd, and I am competent, and you are using windows and you are competent, I will have a more secure machine. Why? Because openbsd software is written with security in mind, so there are fewer exploits than windows. Even if we are using the same software (apache for instance), openbsd has significant protections against buffer overflows, as well as protections against running arbitrary code. Windows does not, therefore the openbsd machine has an order of magnitude less chance of getting hacked in the time between when an apache exploit is found and when the admins patch their machines.
Telling half the truth isn't telling the truth.
If we're talking about webservers, zone-h.com is a great resource. A quick examination of their defacement stats shows that linux based webservers are hacked more often than windows web servers.
Granted... these are only webpage defacements that have been reported to zone-h....
I can see further studies like this comparing the weaker points of each linux distribution vs MS, and saying that they are comparing against linux in general.
If I read the article correctly, what's really being tested is how fast RH and MS turned out patches to their httpd stacks. 30 days is not something I'd be particularly proud of. 71 days on the part of RH is laughable.
What I want to know is how fast did the Apache/PHP/MySQL crowd have their problems patched. Just because RH dropped the ball doesn't mean that the entire *AMP community was left holding the bag.
Testing a single (albeit popular) distribution is like condemning the entire US highway system because one stretch of it in downtown Boston is littered with potholes.
I would guess that the exploits are entirely different for the different types of machines. It seems as if Windows machines are cracked in bulk, and used as bots or key capture spyware, whereas Linux machines are more the target of DDoS, database theft, and traffic tracking malware.
Any thoughts?
daniel
The good/bad doctors do say "point out the flaws."
Okay, there are plenty of flaws.
Where do we send them?
Sure it's nice that OpenBSD was developed in that way, but it doesn't apply to the conversation any more than OpenVMS on DEC Alpha does. Buffer overflows are impossible in OpenVMS on Alpha, but that doesn't help a Windows or Linux shop, now does it? The reality is that most sites are heterogeneous. So, maybe there are a handful of *BSD boxes running Apache but I'll guarantee you that there are far more boxes running Windows/IIS, Solaris/SunOne or Linux/Apache for web services. And every one of those boxes can be just as secure as the *BSD boxes as long as the admin is able to configure them properly. Odd features aside (like the no buffer overflow factor), it really is about a 50/50 split: OS distributor/Admin.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Not sure why this is flamebait...the article is NOT a study, nor is it all that scientific, except for the fact that two computer scientists were involved. I think it's time to bring out the red meta-moderation marker pen.
This was A CONTEST--they billed it as a "showdown". It involved one server of one variant of each platform, in basic (non-typical) configurations. It was meant to settle a bet, or prove a point--the point is proven too: Just because a server is Linux-based doesn't make it more secure than a Windows-based server. Configuration and maintenance make a difference too. Too many Linux fanboys overlook the fact that OS quality/design notwithstanding, there ARE production Linux webservers out there that are not as secure as production Windows servers. I still maintain that Linux is a superior alternative in terms of efficiency and security, but admins still have to be vigilant.
Yes, Win2K3 is not used on the desktop (not that it matters--the contest wasn't aimed at the desktop user). However, using a simple/default Win2K3 setup makes for a very incomplete study. MS has admittedly made great strides in locking down the default installation in Win2K3, but there are still a great deal of Win2K-based IIS servers out there. Putting Win2K/IIS on the public internet without external firewalls/protections/etc is reckless. Furthermore, a lot of Win2K3 servers were upgrades to older versions, and IIS has been configured in a "backwards-compatible" mode which could result in potential security issues. To top it all off, you have to look at how well-written IIS/ASP apps are and the overall security model. I'd argue that MS has done good with the default config but there is more potential for serious remote exploits than with Apache (I am not aware of any hardening options in IIS such as running chroot, etc). The number of desktop PCs running 2k or XP pro with an inappropriately-enabled "personal web server" is a major security factor as well.
The Linux situation is not very typical either. Firstly, the article shouldn't be "Microsoft beats Linux" but rather "Win2K3 beats RHEL3". RHEL3 is a linux distro but Linux is NOT just RHEL3. How about trying out Novell/SuSE or Mandrake or Slackware or others? What about Apache 1.3.x vs 2.0.x vs IIS? How about seeing if there is any improvement in RHEL4? After all, that IS the current version.
Also, the config was very simple in both cases. What happens if you put a mod_perl or PHP app up against ASP.NET for example? What about including database backends? I find it an interesting contest that could spark further study but on its own it is of no use in evaluating alternative platforms for security. The whole thing is just too superficial.
I'm sorry but RH / Fedora does not make a linux fan IMHO.
And That's All I Got To Say About That!
I'd Tell you all my secrets but I lie about my past
No, those boxes cannot be just as secure as the openbsd boxes, because they do not implement the same security features as openbsd. You can't say "odd features aside", those features add security. That's like saying all cars are equally safe, if you ignore features like air bags, crumple zones, etc. Sure, the person driving has an impact on how safe any given car is, but so does what model of car it is.
where are the details? why was this conclusion made? did i miss something? do people believe everything they read?
Is slashdot required to try and balance the amount of pro-microsoft articles with the amount of anti-microsoft articles? I would guess yes. Microsoft does advertise here and I think in return wants compensation. Slashdot is just Microsoft's whore. Am I right? /watch this get modded -1 //the truth can not be suppressed!
Meh.
Don't use a kernel that a majority of the world's PCs run on. It's as simple as that.
If you use an obscure OS, chances are you've flown under the radar of most crackers. Windows 2003 Server would be more secure if run on some obscene kernel that nobody else used.
If linux were ever to become a dominant desktop OS, all of a sudden all of the kiddie scripters would be putting all of their attention on the same platform that also runs servers. The security vulnerabilities would be the same. Two for the price of one.
Knock Knock.
Who's there?
Who's there?
Is anyone there?
Who's there?!
- John Cage
Is that too obscure?
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
Red Hat isn't the only source for Linux nor is it the only source for applications that run on Linux. So, were they literally testing how long it took Red Hat to release a fix? Or were they checking when the patch was actually available elsewhere?
For instance let's say they detect vulnerabilities in Apache and Apache releases a patch in 2 days but it takes 5 days for Red Hat to make it available. Which amount of time did they record?
Don't believe in Tantric sex? Try Taoist sex. All the technical points without the useless religion attached.
From my previous post: http://www.cert.org/advisories/CA-2003-23.html
From Microsoft's web site:
http://support.microsoft.com/kb/823980
Look for the string "Windows Server 2003, 32-Bit Edition".
Summary:
Windows 2003 is vulnerable to the Blaster worm and I still see those attacks in my firewall logs.
Sorry but this is Slashdot where showing contempt for anyone who isn't as brilliant as yourself is a way of life.
It can't be...
Colegio Paula Montal Escolapias Astorga
I can't believe no one's said this yet... but I think I'd be scared if my Linux web server was "similarly set up" as a Windows one.
What worries me is the fact that something (silly) like this got to the RSA conference.
No offense, but something like this couldn't even REMOTELY pass on CCC, (older) BlackHat and similar types of conferences.
This is really silly.
Why does this shit keep making headlines? Egad! FUD! FUD! FUD! Windows more secure, WHAT A JOKE.
I didn't know that all of the security features in Linux could be turned off. Where is the config file for that anyway?
The comparison was "which OS is more secure". You claimed that there is no way to make that comparison because the admin matters, not the OS. But clearly you actually know otherwise, since you think it's cheating to use a secure OS.
...to use an OS that has special features. But it sure is limiting compared to using more mainstream OSes. The comparison of the article was Windows vs. Linux. My point is that it doesn't matter which OS you use as long as you know how to secure it. If your OS has special features and you don't mind the restrictions that come with them, then have at it. But the discussion is still Windows vs. Linux. If it was All OSes vs. All OSes, then you would have a point.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
- 1. "ONE" Linux fan concedes yet few others have
- 2. That this appeared in a paper published in the shadow of Redmond's campus.
Looking at the total number of listed vulnerabilities for Linux-based server daemons and comparing it to the number of requisite CORE patches for Windows 2000/03 server is silly. A linux server typically does not run all of those services. Likewise, a Windows server doesn't either. But head-to-head, Apache vs IIS? I'd like to see a bake-off for which can get cracked the fastest. I might know what I'm talkin' about, but then again, this is Slashdot...
"On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found."
From the article it seems like this is the only measure of security. How about other tangible measures:
1) Local vs Remote exploit
2) Escalation of priv.'s
3) How about time to compromise.
Various details seem to have been ignored or glossed over. The report mentions your typical admin. Now what is your typical admin? Is he a windows user that just discovered linux? This seems very un-scientific especially coming from a professor.
How about getting windows and linux security professionals together for a head to head competition and see where that goes. The result: both OS' get locked down. It then falls to patch management, which should be more than 1 dimensional.
Need I say anything about default installs. Actually MS has gotten better w/2003 on the basic default install. Try this with 2000 server.
O'Well....
There are linux distros that have some of the features from openbsd to prevent exploits. So, again the OS does matter. And you look foolish when you start blathering about "it sure is limiting" when you've clearly got no idea what you are talking about. Install openbsd some time. You don't have to do anything special, or know anything special, w^x, propolice, randomized library loading, privsep daemons, audited code, it's all done for you, you don't have to do anything. Which part is limiting, and what exactly is it limiting?
So, that's it then. We're doomed!
"I'm not impatient. I just hate waiting." - My Dad
Googling after "Richard Ford" Florida Institute gives the following information: Richard Ford the "Linux fan" is an author of an online article from 2003, where he argues that OS monocultures do not increase security risks. In a 2004 Conference on computer viruses, he has given a talk together with an employee of Microsoft. I would seriously doubt that he was biased against Microsoft ;)
First: From the article:
"The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.
Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance."
In other words, an MS mouse monkey is considered better than someone who knows what he's doing.
Let's try that again - namely, let's set up the Windows server with it set to max lockdown versus a Linux server set the same way. Then let the hackers at both of them and see which falls first.
Didn't try that, did they? Didn't think so...
Second: this is a WEB SERVER test - a system set up to ALLOW access. NONE of this has ANY bearing on Windows predilection for allowing spyware, viruses, trojans, worms, etc. into the operating system.
Not to mention that IIS 6 is reputedly much more secure than IIS 5. Let's try it with IIS 5 which is probably in more use than 6 worldwide.
In other words, the headline that Windows is more secure than Linux is BULLSHIT AS USUAL.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
The issue from a security point of view in my opinion is not which OS has more periods of security holes during which they can be hacked.
It is in fact a function of one immutable fact.
MS Windows is as secure as Microsoft makes it and linux is as secure as the sys-admin makes it.
Thus, out of the box MS is probably more secure, but given a few hours of tweaking, the linux box can be made very secure. Whereas the MS box doesn't get much better with tweaking. (I'm not talking about detection, I'm talking about prevention)
And one other point (the point from my subject line). These guys compared servers. Servers in general are better than desktop machines because they lack the main security weakness: A human being with a mouse and web browser.
Let's compare desktop linux to Desktop windows and see which is more secure. Let's assume the biggest security ignorant user one can imagine and see which machine gets the most infections.
Right now the MS Windows box will be owned by hackers and spyware.
The why's for that fact are unimportant. The issue is: windows is insecure and thousands of machines are infected with hundreds of viruses and spywares and Microsoft is having a hell of a time fixing it.
The linux / windows pissing contest is pointless and wasting valuable resources. Fix the freaking problems, please!
The article is not even worth reading if it says that Red Hat is Linux (I've read it anyway :P ). If they'd used Gentoo the results would have been VERY different... but anyway, it a very shallow comparison, I mean, just the time it takes to patch vulnerabilities means nothing.
An out of the box study proves nothing.
C'mon. Linux is more securable than Windows. More options, more things to lock down, and more access to the kernel to create hardened installations (ie the NSA kernel).
Windows is easier to secure than Linux. It takes the length of a reboot to install a high security INF from NSA, NIST, SANS or other security site. Lack of access to internals limit the ability of most users to really tweak its security.
Both OS's need to be installed, patched and hardened prior to network connection. Both OS's need competent administrators or all bets are off.
Windows is more susceptible to malware/virus attack, but as Linux installations gain marketshare they will get hit as well. That's a fact of life.
That may be true, I'll check the web server logs to see what the Windows2003 hits are.
Please allow me to quote:
you - "You do realize that you use the SMB client every time a share is accessed."
Me - "No, a server does not use the SMB -client- to -serve- data out through an SMB share. "
you - " That's what I said. "
You, sir, are a nitwit. An SMB -server- does NOT use a -client- whenever one of -its- shares are -accessed- (IE -IT- IS THE SMB SERVER, SERVING DATA OUT ITS SHARE).
In the purely canonical sense, no, a server does not run a client - for the given context, which is SMB. Can a server run a client for SMB? Sure. BUT THAT'S NOT WHAT YOU SAID, NOR WHAT ANYONE IS TALKING ABOUT WHEN THEY SAY 'SERVER'. The word SERVER means - the machine serving, in a client-server relationship. Can a machine be BOTH? Yes, but not in a single given relationship.
Get sites like slashdot to say it enough times... and the geeks will eventually believe you.
Meh.
Could we wait until the study is actually published because I think the highlights in that article were far too sketchy to form an opinion either way.
The irony of the posts I'm reading here make me laugh. I'm reading posts talking about poor analysis and bias written by people who are critiquing a study before it even comes out.
Folks, it's hard to maintain credibility if you heap praise on one study that agrees with you and then critique another sight unseen.
Wait for the study to be published, examine its assumptions, and try to reproduce it. I know it's not as exciting, but that's the only way anyone is going to get to the truth.
sigs are a waste of space
An interesting quote from the article is this : "On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found."
Which to me indicates that these guys are indeed comparing distros (Win vs RH). It seems more convenient from an OSS standpoint to compare the "days of risk" of the application, in which case we would still have 30 DOR for Win (as security patches are only distributed through the OS channel), whereas for example Apache (not the RH package) patches would be available sooner than the 71 days.
Having said this, I consider the point rather moot, as (I quote again) "Both were in the most basic configuration", which I would be amused to find in any professionally set up config. Few (and fewer) are the companies who don't either have the competence to set up a secure-ish configuration or outsource the config to someone who is competent.
This study does show that IS security and IS infrastructure setup in general is not to be handed to newbies. This is where Windows is dangerous, as it lulls you into a false sense of security.
Atheism is a non-prophet organisation
Any idiot can make any OS insecure. Linux is more flexible, so that makes it a lot easier for any idiot to make it insecure. Linux includes source code, so any idiot can even remove the security parts and make it completely insecure. But it is a lot harder for any idiot to make Windows insecure. So that's why it has to be insecure by default. Else, Microsoft would have to supply the source code to any idiot that asked for it so they could make it insecure.
now we need to go OSS in diesel cars
Security is a process, not a product. A hardware firewall is useless if its firmware can't be updated and a vulnerability is found. But software, in the right hands, due to it being more configurable, is generally safer.
-Myke
myke@compassionatecoalition.org
http://www.compassionatecoalition.org
Every time someone does one of these studies they start from the same flawed logic. They calculate exposure time as "time from vulnerability disclosure to patch availability". In Microsoft's world, a vulnerability doesn't exist until they've disclosed it. And guess what? They don't disclose it until there's a patch available. They're also quick to brand any researchers who post vulnerabilities before they get patches as irresponsible.
So it's a self-fulfilling prophecy: Microsoft products will always have lower exposure time for vulnerabilities because most Linux distro maintainers practice full disclosure.
Yes, my only tool is a hammer. And you're starting to look like a nail.
"Similarly" setup :P
No, linux is not easier than openbsd, depending on the distro of linux, openbsd is often much easier and more user-friendly. I can do anything I want on openbsd with minimum of effort. Either give a real example of how hard openbsd is, or stfu.
And the vast majority of software that works on linux, also works on openbsd. Seriously, what apps do you think you are going to be using? If you consider giving up a minuscule amount of closed-source software "limiting" then you would also have to agree that linux is limiting, so your argument is still dumb. Again, try openbsd and see what it's actually like, don't just spread lies because you are ignorant.
The comparison of Windows 2003 server to RH appears a bit tricky. For fair comparison the levels have to be set to the same. The security screws in Windows 2003 server have been tightened. So comparing that with RH cannot be considered a fair comparison, if it were compared with XP it could be considered fair. If they were to compare to a security conscious distribution (best of them, as their choice of distribution seems to be based on security). There is something that goes unnoticed here, large number of attacks in recent years have been caused by malicious code. The resistance to malicious code in GNU/Linux does not seem to appear in the study. This has to be considered with the fact Dr. Ford is on the editorial boards of one of these bulletins. All this makes it look like a stage managed show. That too at a very reputed security conference
If you take a default Redhat Linux install and run apache, php, mysql, and make it a web server, then yeah, it's going to be insecure.
Where Linux + Apache has the advantage is other open source tools:
SE Linux modules
mounting world writable partitions as noexec,nosuid (/tmp, /dev/shm)
Apache mod_security
Tripwire
IP Tables firewall with stateful packet filtering
If I forgot anything good, let me know.
When are people going to realize, your Linux distro is like a ball of clay, you have to mold it. If you just want to do a default install of an OS and serve pages, install Win2003, don't install Linux.
Q. Who decided what is a vulnerability in Microsoft?? A. Microsoft. Q. Who decided what is a vulnerability in RedHat???? Q. Why didn't Brier Dudley mention the dubious impartiality of Ford and Thompson? (relationship between Microsoft and Richard Ford - Thompson and Microsoft TCO studies). Brier must be a "researcher's" wet dream - the report hasn't even been released yet - and Brier claims to be a journalist.
No offense. But it sounds like people are searching for things to dismiss this study.
It is more than right to check the validity of the study. And some googling suggests that Robert Ford dilapidates his scientific reputation for money. Being a self proclaimed Linux enthusiast there is little evidence to be found for that. But he closely works together with Microsoft:
From: http://www.virusbtn.com/conference/vb2004/programme/
Gatekeeper II: new approaches to generic virus prevention Richard Ford, Florida Institute of Technology Matt Wagner, Microsoft Corporation Jason Michalske, Florida Institute of Technology
Doing talks together with Microsoft employees is certainly not a sign for his independence and Linux attachment.
IMHO he should immediately be expelled from the Florida Institute of Technology.
So, we have a researcher who insists that counting the number of Red Hat reported vulnerabilities, versus the number of MS vulns.
BUT, almost -all- MS vulns are exploitable and present in the base OS. I hope these idiots weren't counting every Linux report to bugtraq for every little piffy exploitable CGI that nobody's ever heard of or installed..
With Reich its....
Knock....Knock....Knock....Knock
To Reich's credit, at least his work is somewhat coherent.
Why not default Debian, Mandrake or SuSE? All of them have more secure defaults. Mandrake even has an app with a simple security slider from "normal" to "draconian" (we're talking login timeouts, tab-completion not working 'coz you can't scan /bin as a user, and needing to be in a special group to run X here).
Got time? Spend some of it coding or testing
The complicated (and therefore easy to muck up) Windows security model was made necessary by Microsoft doing bizarre things like run their friggin' webserver in Ring 0. The Linux equivalent would be to make your scripting do-everything hello-code-red webserver a kernel module. Even today, many common apps need to run with Administrator privs which kind of defeats the purpose in having ACLs in the first place.
If you want piles of ACLs, an SE-Linux kernel defecates all over Windows from a great height. The amount of control you can have over not just files but transitions between states and all manner of other stuff is pretty staggering. Mandrake is one distro which ships with an SELinux kernel.
In most situations, you'll never need it. The typical service will leave a small, difficult-to-crack do-nothing listener open which accepts an incoming connection on a privileged port and then immediately drops privileges before doing any heavy lifting. Services like PostgreSQL and Squid don't even need to do that 'coz their ports don't need superuser. SELinux, chroot, UserMode and so on are mostly belt-and-braces stuff, options you simply don't have under Windows. Period.
Funny thing is, 2003/XP is derived from 2000 from NT. NT started life as a spelling-error-compatible clone of a VMS variant called MICA. VMS can be locked down to high military security levels in a matter of seconds. So... Microsoft started with a secure system, it turned to pooh in their hands, and now they're bandaiding and splinting it in the hope of making it halfway secure again. D'oh!
Got time? Spend some of it coding or testing
I can't remember seeing a public disclosure of a Linux (or any Unix) vulnerability that did not contain a description of either patch or workaround, or wasn't followed by such within hours in Bugtraq, so unless those researchers used sources unavailable to the public, the vulnerability window for a system administered by a bugtraq-reading admin would be zero, or hours per vulnerability.
Counting the time that Red Hat takes to issue their official patch for their "Enterprise" product would show the upper limit that applies to "infinitely lazy" admin that only run auto-update. This is reasonable for a home desktop system, however I doubt that anyone runs RHEL on those. I guess, even counting "infinitely lazy" admin's updates in Debian or Gentoo, the disclosure to patch time would be much less than for Red Hat.
Another issue is that disclosure does not mean exploit -- an exploit could exist before, or appear after, the disclosure. Many Linux vulnerabilities end up unexploited because they are published after the patch is issued, and only few are exploited before the first patch or workaround release. The famous Debian servers' compromise was a result of a kernel hole known by that time, and even though the Debian project's sysadmins initially believed that it was an unknown hole, it happened to not be the case, and I guess they have changed their security policy based on that.
On the other hand, Windows exploits commonly happen before the disclosure, there is no workaround published at the time of disclosure, and often patches are issued late, don't cover all vulnerable versions, have dangerous side effects, or are bundled with things that can be only described as "unrelated shit".
Contrary to the popular belief, there indeed is no God.
RPC vulnerability from 2 years ago taken advantage of by several worms since.
Use PostgreSQL or FireBird (yes, there are Win32 versions) which don't run with elevated privileges and you won't risk a Slammer.
Microsoft first makes the software, and then nails it down after the fan sloshes to a halt. Almost everyone else makes it secure from Day One.
1. Red Hat is NOT Linux. This threw me for a bit, but after consulting a friend, we came to the conclusion that it is probably OS/2 then.
2. The whole thing is FUD. Why? Well, there are almost as many arguments as there are posters. What's really interesting about this, though, is how many clairvoyant Linux zealots there are out there. I mean, the research hasn't even been published yet - but they know the truth!
Microsoft are telling (not directly of course) that Windows Server is easy and everyone who knows Windows from the desktop could manage a server, there are Wizards for everything... and anything can be done from the familiar and well-known GUI
...and this is btw. also one of the reasons why MS became big in the server business... "You don't need any expensive employee to manage your new server"
Nobody tells anything like that about any other server OS...
TCO still involves the total cost of OWNERSHIP and not merely installation. You don't give yourself enough credit in how much your time is worth. I deal almost exclusively with Windows technologies and bill out at $200/hour.
I made about $10,000 last year... so I guess my time is worth $1.14 an hour. If it takes me 50 hours to install and configure Linux, I still win, yay!
My point is, TCO can be applied to individual consumers, as well as corporations. As such, TCO can vary *dramatically* depending on the user(s) and application(s).
So one "study" ran by a pair of guys says Microsoft is more secure. Fuck-a-doodle-doo. How many tests and real-life experiences say Linux/BSD/etc. is more secure?
If this were hockey (we'd all be somewhere else, maybe talking about Mac's) the score would be MS-1 : Linux/BSD-1000000000000 (or something to that effect).
Ah, fuck it. I really don't give a shit.
Their analysis was based on number of patches and time it took to get patched from the time it was publicly released. Microsoft stays quiet about most vulnerabilities until a patch is ready and will ship it some time that month, thus the average 30 days. In addition to this, there are still IE holes unpatched from last July. This didn't make the report because it's a server. Also, Linux comes with *much* more software by default and much more functionality. They said that these were default setups. That means that if they were using a distro like Red Hat, every single program gets updated as necessary (over 2000 programs, judging from one of my boxes). Far fewer programs get updated from Windows Update (usually only core programs and utilities... or things that Microsoft deems necessary).
Also, many OSS exploits are theoretical in nature... if a strcpy() passes an unchecked ptr and some coder sees this... whether or not that code could have been exploited... he fixes it and out goes the patch. It's a patch for something that may have never been even able to be taken advantage of. That would never happen in a commercial project. All this study shows is that these researchers define security as the ability to hide security problems as long as possible until a patch is ready and if the patch never gets ready, just never tell anyone about the problem. Following the two above stated rules would easily make any software company "secure" by their standards. As stated previously, their criteria was # of patches and time to release. Time to release is shortened by waiting until the patch is ready (which Microsoft does) and # of patches is shortened by simply not releasing non-major patches and just rolling them out with the next version. The criteria these guys used was meaningless and if anything shows that Linux is doing something right if they are updating several times more programs with only twice the delay (which I really doubt is the true delay time). One other thing worth noting, the Ford guy has been paid by Microsoft several times to do studies and release them in favor of MS, I'd hardly call him a true Linux fan. Maybe this time they just covered it up better... you wouldn't want to bite the hand that feeds you.
It's unfortunate RedHat has acquired Windows' weak security posture in its effort to attract Windows server market share. I've personally had to administer 3 compromised Redhat boxes, and this after converting that client over from Windows due to a compromise.
But, RH isn't Linux. Linux is many distributions, some good, some not so good, but if you take the pool of Linux administrators against the pool of Windows administrators, you'll find Linux administrators are more knowledgeable about their systems and do smarter things in securing them. This isn't as true as it was a few years ago before the reluctant Windows administrative masses took refuge in RedHat, but you won't see any, not even one, Linux defector to Windows. Perhaps BSD, but definitely not Windows!
I've never seen one of my Slackware servers (running sendmail, even and FrontPage extensions with PHP on the Apache server) compromised. It's never happened in the 10 years I've been using them.
I've been wasting a lot of time lately poring through logs for a new project and it's ludicrous how much additional coding I've had to put into my Perl scripts to make allowances for compromised Windows boxes that have inundated my web server with traffic during their Code Red and Slammer compromises, not to mention all the other little oddities Windows clients do when downloading mp3s from the server, such as client caching and sending 32k+ search strings in the URL. It creates work to have these obnoxiously configured client machines on the Internet.
I, too, would like to see a more involved, academic analysis of the security of each platform. But even as a quick quantitative analysis, this technique for deciding how secure a system is falls on its face. Instead of counting vulnerabilities, I would be interested in
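The log-sifting chore described in the post above (picking compromised-Windows-box traffic and oversized search strings out of a web server's access log) is the kind of thing a short filter handles well. The following is an added example, not code from the thread or from any poster's Perl scripts: a Python scanner over Apache-style access-log lines that flags the public Code Red request shape (`/default.ida?` followed by a long run of N or X and %u-encoded shellcode), Nimda-style `root.exe`/`cmd.exe` probes, IIS Unicode traversal sequences, and request URIs longer than Apache's default `LimitRequestLine` of 8190 bytes. The sample log lines are constructed (RFC 5737 documentation addresses), the signature list is mine, and the function names are assumptions. Slammer is a UDP/1434 worm and would not show up in an HTTP log at all, so only the HTTP-borne worms get signatures here.

```python
import re
from collections import Counter

# Apache "combined"/"common" access-log prefix: client, ident, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Apache's default LimitRequestLine; longer requests get a 414 and are noise or abuse.
MAX_URI_LEN = 8190

# Public worm/probe request shapes (assumed signature list, not taken from the thread):
#  - Code Red: /default.ida? + long run of N (Code Red I) or X (Code Red II) + %u-encoded shellcode
#  - Nimda-style IIS probes: root.exe / cmd.exe reached via /scripts, /_vti_bin, etc.
#  - IIS Unicode / double-decode directory traversal sequences
SIGNATURES = [
    ("code_red", re.compile(r'^/default\.ida\?[NX]{50,}')),
    ("iis_cmd_probe", re.compile(r'/(root|cmd)\.exe', re.IGNORECASE)),
    ("unicode_traversal", re.compile(r'\.\.(%c0%af|%c1%1c|%255c|%c1%9c)', re.IGNORECASE)),
]


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Tag one parsed entry with every signature it matches; an empty list means 'looks normal'."""
    uri = entry["uri"]
    tags = [name for name, rx in SIGNATURES if rx.search(uri)]
    if len(uri) > MAX_URI_LEN:
        tags.append("oversized_request")
    return tags


def scan(lines):
    """Map each client IP that tripped at least one tag to a Counter of tag -> hits."""
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip it rather than abort mid-file
        tags = classify(entry)
        if tags:
            hits.setdefault(entry["ip"], Counter()).update(tags)
    return hits


# Constructed sample log (documentation addresses); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:10:00:01 -0400] "GET /default.ida?'
    + "N" * 224 + '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 283 "-" "-"',
    '192.0.2.11 - - [19/Jul/2001:10:00:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"',
    '192.0.2.12 - - [19/Jul/2001:10:00:03 -0400] '
    '"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"',
    '198.51.100.5 - - [19/Jul/2001:10:00:04 -0400] "GET /mp3/search.cgi?q='
    + "A" * 40000 + ' HTTP/1.1" 414 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '203.0.113.7 - - [19/Jul/2001:10:00:05 -0400] "GET /mp3/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'this line is deliberately malformed and must be skipped',
]

if __name__ == "__main__":
    for ip, counts in sorted(scan(SAMPLE_LOG).items()):
        print(ip, dict(counts))
```

Per-IP counts are enough to feed a block list or to drop the noise before the real analysis; the malformed line in the sample shows the parser skipping garbage instead of dying halfway through a multi-gigabyte log.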
I'm from Florida and I would like to say that these "researchers" do not speak for all Floridians.
Thank you.
Where are the ISOs? ISOs are the standard these days. I don't want to have to do an install with FTP or RSYNC and I certainly don't want to pay for a free OS. It looks like the only option I have is to mirror an FTP site and then figure out how to make my own ISO. This is EASIER than Linux? Feh!
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
If not because the OS security model sucks, of course. (-:
You also need to learn a bit more about how earlier versions of IIS worked.
Lots of other people have already attacked the validity of this study, called it FUD, etc, so I won't bother.
My impression, as an administrator, is that security is very much a function of the administrator. While I don't use Windows myself, my impression is that someone who knows a lot about the system -- which does not include me -- would be able to secure it very efficiently. I've known some Windows guys, and they definitely seem to be able to lock their systems down.
Of course, a stupid admin -- which includes your average user -- will have his box rooted immediately. What I'm pointing out (and many people have pointed it out before) is that security is very much a function of administration.
Having said that, though, not all OSs are created equal.
If I'm in charge of UNIX security, and I'm working with a competent Windows admin, I have the utmost faith that he'll be able to keep his systems as secure as mine. But because his vendor doesn't practice full disclosure, he will always have less to work with than I will. Whereas I will know about a vulnerability within days of it being discovered, and will have the option to shut off the relevant service and hopefully (quickly) patch the relevant files, he is essentially at the mercy of the vendor.
Even if the vulnerability is exposed, he is stuck because he must wait for the vendor to get off their butts and supply a patch. This may take quite some time. When he gets the patch, it is (necessarily) a binary patch, and he cannot examine it to make sure it doesn't break his existing setup. This is not a Windows-specific problem; it is a problem of closed source operating systems.
I'll end this with an anecdote. In my professional opinion, the most secure OS that anyone is likely to deploy today is OpenBSD. Ironically, of all the myriad OSs I have had the pleasure of running, the only time I have ever been rooted was on OpenBSD.
I was in university at the time, and I had set up a NAT-type home setup for my housemates and me to share our DSL line. I had obtained a 486 on the cheap and ran OpenBSD on it as a firewall... I believe it was 3.0. I was on IRC and had to go to class, so I left. Around that time, the SSH vulnerability was announced and someone (I presume) fished my IP off of IRC and whacked me. I had the SSH port open because I often logged in from the computer lab at school to check my e-mail.
Now, he didn't do any damage -- he changed my root password and tried his best to attack the other computers on my network. Thankfully, my roommates' WinME boxes were turned off, so all he found was Solaris 8 on SPARC and OpenVMS on Alpha, the latter being my primary machine. He attempted an x86 attack on my Sun, which obviously failed, and I very much doubt he had any idea what to do about the VMS box.
Despite this experience, I still see OpenBSD as a tremendously secure platform. I was just lax, as an administrator, and I hadn't heard about the SSH vuln.
It's always amused me, though. When people ask what they should run if they care about security, I never hesitate to point them to OBSD. But it's the only machine I've ever had broken into.
Just goes to show, no amount of work on the vendor's part can make up for a lazy admin.
W: My OS reports less vulnerabilities!
L: Oh yeah? Well my vulnerabilties get FIXED!!
W: YOUR morons need a degree to fix YOUR OS, our morons only need to click a button!!!
L: OUR morons WROTE our OS in vi!!!! =P
I'll make one teeny tiny observation: how is it, when Linux and Windows are compared, that the Windows vulnerabilities that affect the entire OS far outnumber individual application problems, whereas the Linux vulnerabilities are mainly problems with individual applications, and root-level vulnerabilities are a much smaller percentage of the total pool? And why are we always comparing Windows Server 2003 and Red Hat Server [insert favourite version here]?
insecurity asks the wrong question irritation gives the wrong answer
Is that the Red Hat server was running Wine, an emulated version of IE, and several versions of MyDOOM variants all at the same time. Don't forget the cheese spread stuck in the CPU too.
Help me, help you. - Jerry McGuire
Comparing what the average administrators would do only reveals how little they're trained in security; hence, their test shows little in how secure a particular OS is, but how lazy/inept/ignorant an average administrator is towards security.
Besides, it isn't necessary that they have to wait for RH to patch the software, they could always get the source and recompile if they feel the exploit is important to be patched now.
From the article: On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.
To me it seems that this was a key point in the result.
But what is a risk? Risk as "Joe Hacker, owns this machine through a remote buffer overflow" or risk as "I could become root, if I would have a local account"?
It sounds more like an old argument that is mentioned by Microsoft again and again and again...
With all due respect, you've just found the problem. Their methodology is terrible, and fails to account for so many large issues, that it utterly misses being able to make that statement.
In simple terms, they counted vulnerabilities and bugfixes, the way that Microsoft has been trying to get us to assess security for a year now. It's not a reliable indicator in so many ways...
If you want to explore the effect of less experienced admins, then you install a couple of machines using default settings, connect them to the Internet (with or without a hardware firewall etc., but make it uniform) and see which one gets compromised first. You also do a second test with machines that auto-update themselves every day and see which of those gets broken into.
That's a far better measure of how an OS performs with an unskilled admin than not doing any testing and just counting vulnerabilities.
There was a study a few months ago which did indeed compare the TTL for multiple machines connected to the network (by the HoneyNet folks?), which had real figures, and was quite insightful for it.
Good methodology helps find the truth. Bad methodology only finds *your truth*.
I mean, the number of things people would believe...
Counting the number of patches? WTH? So it's better and more secure to have bugs unannounced, and patches issued once a month?
The Chewbacca defence in action again.
Sad.
Experience tell me, however, that people who buy such "expert results" go out of business quickly, so perhaps there's nothing to worry about after all.
your .sig is brilliant:
> Those who can, do. Those who can't, sue.
>
> All my foes are spelling or grammar Nazis.
now combine these ideas, and you get:
Those who can write, do. Those who can't write, accuse their foes of being grammar nazis.
haha! hoist by your own petard! what a dope! i'm tempted to add you to my own foes list just for this alone! hahaha!
'I am become Shiva, destroyer of worlds'
Lots of people are criticizing comments with the point of view that the study is BS, as they have drawn conclusions before the study is published. I'd like to point out that the article in question does exactly the same thing, draws the conclusion before the study is published.
Aside from that, it's not unreasonable to bash the study before we see it, because we've seen it before. We see one about every six months, and they're all the same. They use some "new math" snake oil test or benchmark that says Windows is faster, safer, more secure, less communist, and/or lowers your cholesterol. I'll bet you dollars to doughnuts this one's the same. We'll see in 30 days.
And finally, never mind that Red Hat isn't linux. Just remember that out of all the distros RH was the least secure. And my favorite, Slackware (shameless plug, deal with it) was the most secure. This was a while ago, but I'm sure not much has changed, as it's a result of the philosophy behind the distros. Slack is cautious, and uses packages that are known to be very stable, RedHat always grabs the latest and greatest, without the same scrutiny. There are merits to both, decide what works for you. Again, this is going on out of the box configuration, so you can tweak any distro to be as secure as you want, but I always like sane defaults.
--Not to be worried, Pitr fix.
I refuse to download a big fat ISO that contains a bunch of stuff I don't need, and then waste a cd burning it. The only linux distros I will use are ones that support an ftp install. And no, you don't have to mirror an ftp site and make your own ISO. The ftp/http install only requires you make a single boot floppy. If you really insist on using a cd for no reason, you just download the i386 (or whatever arch you are using) directory, and burn it to cd. Use the iso image provided as the boot image.
I can't find any specs on that card, so I don't know if it's supported or not. I'm sure it's a big issue when comparing the security of webservers like we are though.
X isn't in ports, it's part of the system. And it is X.org, unless you use an old release for some reason. And even if you weren't wrong on this, it would still have nothing to do with the argument of secure webserver platforms would it?
And of course linux specific drivers don't work on openbsd, there's a surprise. Still nothing to do with the secure webserver thing though.
I don't have an axe to grind, I am just sick of morons like you spreading FUD when you have no idea what you are talking about. You act like openbsd couldn't possibly be a webserver and dismiss it from the discussion, because it's so arcane and difficult and limiting, yet it is in fact perfectly suited to being a webserver. To make it a secure webserver you start apache, wow, that was fucking tough.
Your red herrings about unsupported hardware are laughable, if you dismiss openbsd because some companies are stupid and don't release hardware specs, then you have to throw linux out of the equation too. I want to use my ATI card to play counter-strike source. Oops, linux can't do that and therefore it's too limiting to be a secure webserver. I don't know about you, but I am perfectly willing to give up support for something that won't be in a webserver, in order to get more security for my webserver. You are the one who needs to be more open minded and realize different OSs have their strengths, like for instance openbsd can be good for a webserver without being good at supporting closed, proprietary hardware that would be a security issue to support in the first place. Linux can be good at supporting closed source drivers for odd hardware without being good at being a secure webserver.
Face it, the OS plays just as much a role in security as the admin. If you use hardened debian instead of plain old debian, you are going to be more secure. So quit pretending all OSs are equally secure and it's only the admin that matters. And quit pretending openbsd is too limiting to be a webserver.
I don't think openbsd is the greatest OS. I think given equally capable admins, an openbsd webserver will be more secure than a redhat or windows webserver. There is no greatest OS, they all suck in their own special ways. Maybe you need to remember what the discussion was about, and spend less time throwing red herrings at me.
I'm not always connected to the internet. It's so much nicer to have a CD with everything on it. FTP/HTTP installs suck. I did install one of the BSDs that way in the past. It's not as fast as a CD-ROM install. And it may be opinion but I'm not of the view that there is "one true OS" like you seem to be. I believe that each OS has its pros and cons and I pick and choose what I need when I need it. I'm not going to be selling Linux or *BSD to my in-laws since they've NEVER used computers before. Instead I got them to go with Windows XP Pro even though it does ethically bother me deep down. I just knew it would allow them to do the things they want to do with a minimum of intervention from me. My folks, I moved to a custom Linux build and they've never been happier although they still have trouble grasping the idea that nearly any application they want is either included or free. I think my approach is more honest and fairer than your approach because I don't advocate for a specific OS for every need. If I was going to be that pigheaded I'd probably recommend Mac OS X anyway. This has gotten so far off topic that I will open a JE if you want to discuss this further. Since you're being so pushy, I'm going to try OpenBSD out of spite in order to nit-pick it to death. Congratulate yourself for making me possibly hate what could be a decent OS if it weren't for the idiot advocacy.
If you need a cd, burn one. I already told you how. Just download the i386 directory and the boot image and burn it. Or if you don't want X for instance, only download the tarballs you do want in the i386 dir.
And you are very much ignoring what I am saying, and arguing against some imaginary person. I don't think there is one true OS, nor have I ever said anything to imply that there was. Try to read very hard this time: "THE OS MATTERS TO SECURITY". Are we clear yet? OpenBSD was an example of how the OS matters. You are now trying to dismiss it because it can't do something totally different. That doesn't change the fact that it makes a more secure webserver than windows or redhat. This is the point, stop ignoring it.
And go ahead and hate whatever you want, I don't care. At least if you tried openbsd you might have valid issues when you spread hate about it, instead of just vague FUD like you spread now.
There are many reasons for picking an OS. You seem to be hung up on the idea that OpenBSD is the ONLY secure platform for computing (and webserving) and I'm calling you out on the table for it. It's not. It's a decent platform but it has a steep learning curve and moronic advocates like you. And you wonder why people aren't interested.
Face it, the OS plays just as much a role in security as the admin. If you use hardened debian instead of plain old debian, you are going to be more secure. So quit pretending all OSs are equally secure and its only the admin that matters. And quit pretending openbsd is too limiting to be a webserver.
I never said anything to the contrary. I said that the skills of the admin will determine how secure your set up is. This is true no matter which OS we're talking about. OpenBSD demands that you have a greater skillset than most Linux or Windows admins have. The very fact that there are no ISOs and no Live CDs is one element that proves this. If I want to try out OpenBSD I have to commit myself to it.
There is also no GUI based installer. This doesn't bother me, but it's sure going to bother most Windows admins who want to give it a try as well as newer Linux users who never dealt with character based installs. Without a GUI install an OS is useless for most admins. I can deal with it, but I'm not typical.
The configuration of the network interfaces was a pain the last time I tried a BSD. It took a while to figure out where the configuration file was and again... no GUI to set it up. I can deal with it, but I'm not typical. I think you'd be hard pressed to find a lot of Windows admins who would be willing to deal with this level of complexity. Most of them (even the good ones) gripe when they have to write a CMD script. They're certainly not going to want to hunt down some obscure configuration file just to get a network interface or two working.
Face it. You're all wet. OpenBSD is probably decent but it doesn't provide what is needed in a modern OS to get a foot in the door in most shops. Until it doesn't require that strong of a skillset, it's always going to take a back seat to other OSes.
And BTW... my primary statement was that it's really about 50% admin skill and 50% OS that determines the security of a platform in general. It's nice that you personally find OpenBSD to be the perfect OS, but you can't deny that it takes a lot more skill to actually customize it to a real-world environment. Just flipping the switch to start Apache isn't the whole story if you want WebDAV, SSL or other modules. No matter which platform you are on, you are going to need to configure Apache beyond just turning it on. And since security is such a strong goal for OpenBSD, they are always going to be behind on the featureset. If that doesn't affect what the user wants to do, great! But if it does, then OpenBSD is not the right choice.
Screw what the discussion was about. I specifically said that the OS doesn't matter if you have a capable admin. This is truth. 50% admin skills + 50% OS = security. That's it. You are arguing that this formula would work (which it wouldn't):
OpenBSD + capable admin = security
That's not true. You might have a secure but unusable system with that combo. So what good is your secure system if it doesn't do the job?
I never imagined you would be this dense. I am sorry to have bothered trying to explain this to you, you are clearly too stupid to grasp a simple concept like "the OS matters to security".
The OS does matter if you have a capable admin, and you pretending otherwise does not change the fact. Enjoy your fantasy world where common sense doesn't exist and you can blather on about random irrelevancies and win arguments through attrition. It works well.
What are the credentials of these guys? I mean, FIT is a vocational school, not a real academic facility.
...I never said I was a master debater. :) I know I lost the argument with you a while back. ;P Off to try out OpenBSD once again and see if it suits my needs. It hasn't been ported to Xen yet. :(
They talk about "average days of risk". First we have to define "days of risk". Simply put it would be defined as the time between when the vulnerability is announced to the world and when the software is patched.
In Microsoft's world a vulnerability is found in two ways. 1) A non-M$ employee (hacker, user, admin, etc.), or 2) a Microsoft developer. If you were Microsoft and found a vulnerability when would you announce it? Not until you at least had a patch in the works (and during that unknown length of time hope to God that someone else does not find that vulnerability). Thus the days the vulnerability is known about and the actual days of risk are skewed.
In the Linux world who finds these vulnerabilities? 1) The Linux community. If the community finds a vulnerability, the announcement is made immediately and thus a patch is in the works immediately.
So to put it simply, you can't compare "days of risk" between Linux and Windows because the process of discovery and resolution is different between the two operating systems.
Side note: I have not looked at what kind of vulnerabilities were talked about, but the majority of Linux vulnerabilities rely on local user access. This is not so for Windows. So I'm curious how they measure "levels of risk".
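The "days of risk" arithmetic argued over in the post above, and in the earlier post about counting patches and time-to-release, is easy to make concrete. The following is an added example, not part of the thread and not the researchers' data or method: two hypothetical vendors with constructed dates (names Q-n and O-n are made up), one that publishes the advisory on the day the patch ships and one that announces on the day of discovery. Measuring from public disclosure, as the study is described as doing, the quiet vendor scores zero days no matter how long the fix took; measuring from the day a fixer first knew shows the same window both vendors actually carried. The remote-only filter addresses the side note about local-versus-remote vulnerabilities, and the patch-before-advisory case (O-4) is clamped to zero so an early patch is never counted as negative risk.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    name: str        # hypothetical identifier, not a real advisory
    found: date      # first day someone able to fix it knew about it
    disclosed: date  # first public announcement
    patched: date    # fix publicly available
    remote: bool     # exploitable without a local account


def days_of_risk(v, measure_from="disclosure"):
    """Exposure window in days. 'disclosure' is the study-style metric; 'discovery'
    starts the clock when the fixer first knew. Clamped at 0 for patch-before-advisory."""
    if measure_from == "disclosure":
        start = v.disclosed
    elif measure_from == "discovery":
        start = v.found
    else:
        raise ValueError(measure_from)
    return max((v.patched - start).days, 0)


def average_days_of_risk(vulns, measure_from="disclosure", remote_only=False):
    """Mean window over the selected vulnerabilities; 0.0 for an empty selection."""
    chosen = [v for v in vulns if v.remote or not remote_only]
    if not chosen:
        return 0.0
    return sum(days_of_risk(v, measure_from) for v in chosen) / len(chosen)


# Constructed data. QUIET: advisory and patch ship on the same day (disclose-when-fixed).
QUIET = [
    Vuln("Q-1", date(2004, 1, 5), date(2004, 2, 10), date(2004, 2, 10), remote=True),
    Vuln("Q-2", date(2004, 3, 1), date(2004, 4, 13), date(2004, 4, 13), remote=True),
    Vuln("Q-3", date(2004, 5, 2), date(2004, 5, 30), date(2004, 5, 30), remote=False),
]
# OPEN: announced the day it was found; O-4's patch shipped two days before its advisory.
OPEN = [
    Vuln("O-1", date(2004, 1, 5), date(2004, 1, 5), date(2004, 1, 7), remote=True),
    Vuln("O-2", date(2004, 3, 1), date(2004, 3, 1), date(2004, 3, 4), remote=False),
    Vuln("O-3", date(2004, 5, 2), date(2004, 5, 2), date(2004, 6, 1), remote=True),
    Vuln("O-4", date(2004, 6, 10), date(2004, 6, 16), date(2004, 6, 14), remote=False),
]


def report(label, vulns):
    """All four (measure, remote_only) combinations for one vendor's list."""
    rows = []
    for measure in ("disclosure", "discovery"):
        for remote_only in (False, True):
            rows.append((label, measure, remote_only,
                         average_days_of_risk(vulns, measure, remote_only)))
    return rows


if __name__ == "__main__":
    for row in report("quiet", QUIET) + report("open", OPEN):
        print("%-6s from %-10s remote_only=%-5s avg=%.1f" % row)
```

With these numbers the quiet vendor averages 0.0 days from disclosure but about 35.7 from discovery, while the open vendor averages 8.75 from disclosure and 9.75 from discovery: the metric rewards the disclosure policy, not the speed of the fix, which is the objection the two posts raise.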
Part and parcel of Microsoft's continued desire to improve the overall security of its products, Microsoft Corporation looks to augment their internal security testing and turns to their trusted partner, Security Innovation, for an additional round of security vulnerability testing for Internet Explorer.
I'm not sure why you're so angry, since we seem to be saying the same thing. I barely even mentioned TFA in my post, we were talking about criticism to Linux in general.
Legitimate complaints from critics are like free money for the OSS community, because they tell us what's wrong without having to spend the resources to discover it. It doesn't matter if these two are security researchers or your parents. What matters is that we admit that it's possible they have a point.
If they don't really have a point, then we dismiss them. But we have to keep an open mind and welcome criticism, because occasionally people will hit on real points.
What concerns me is the rabid Linux fans who got the message that Linux is terrific, but never seemed to understand why. Knee-jerk reactions like yours suggest a closed-mind. I mean, here I say, "Criticism is good, we can find legit complaints every now and then!" and you come down like a ton of bricks. That's what we're talking about.
Linux has reached its current state only by fixing many bugs, redesigning many components, and outright admitting that sometimes the other teams had it right. That's what makes Linux such an unstoppable phenomenon.
Slashdot. It's Not For Common Sense
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.