Slashdot Mirror

← Back to Stories (view on slashdot.org)

Study Finds Windows More Secure Than Linux

Posted by Zonk on from the an-interesting-definition-of-secure dept.

cfelde writes "A Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, 'Security Showdown: Windows vs. Linux.' One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint."

6 of 796 comments (clear)

  1. Integrity? by samtihen · · Score: 5, Informative

    Well, apparently this is the second time Microsoft has come out on top of a research project by Mr. Richard Ford.

    http://www.virusbtn.com/magazine/articles/letters/ 2004/01_01.xml

    Apparently there was some question to the validity of an earlier project because it was sponsored by Microsoft.

    However, I would like to note that both researchers seem very well educated, especially in computer security. And, additionally, they both note that a lot more could be done to lock down the Linux server.

  2. Re:Newsflash... ONE Linux Fan.. by EvilTwinSkippy · · Score: 4, Informative
    Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.

    Um, no. Your average system administrator earns about $62k has at least 2 years experience, and generally a bachelors degree in a related field. At least according to most industry figures.

    The job title also entails tweaking system configurations for security, evaluating patches, etc. etc.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  3. Re:A lot more could certainly be done... by jc42 · · Score: 4, Informative

    Why would it take a patch to make a server run in a chroot jail? This can be done with any program. It requires no cooperation from the program itself.

    Of course, running anything chrooted usually requires making a list of subprocesses that the program calls, and linking them into the program's directory tree. You'd want to do this in this case, because web servers typically do invoke some subprocesses. Not always, of course; some web sites are completely static. In any case, this doesn't require any sort of patch; just a list of what files are needed in the chroot area.

    So what's in the OpenBSD chroot patch? What sort of vulnerability existed without it?

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  4. Re:These studies are pointless. Both can be secure by dioscaido · · Score: 4, Informative

    What on earth are you talking about? Are you trying to imply that sql injection is a windows only problem? And about 'winsock' crashing... do you know of a vulnerability we don't? Or are you harking back to windows 95 vulnerabilities? The fact is, the parent post is the one that is Insightful. Both Linux and Windows servers can be secured very easily. The XP desktop might still have issues, but Win2k3 server is solid and secure.

  5. Bruce Schneier on Linux security by frozenray · · Score: 5, Informative
    Which is more secure, Windows or Linux? It depends on whom you ask. Here's what Bruce Schneier, a reputable security researcher and author of "Applied Cryptography" and other computer-security related books has to say on the matter:

    Linux Security

    I'm a big fan of the Honeynet Project (and a member of their board of directors). They don't have a security product; they do security research. Basically, they wire computers up with sensors, put them on the Internet, and watch hackers attack them.

    They just released a report about the security of Linux:

    Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that a unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) have an online mean life expectancy of 3 months before being successfully compromised.

    This is much greater than that of Windows systems, which have average life expectancies on the order of a few minutes.

    It's also important to remember that this paper focuses on vulnerable systems. The Honeynet researchers deployed almost 20 vulnerable systems to monitor hacker tactics, and found that no one was hacking the systems. That's the real story: the hackers aren't bothering with Linux. Two years ago, a vulnerable Linux system would be hacked in less than three days; now it takes three months.

    Why? My guess is a combination of two reasons. One, Linux is that much more secure than Windows. Two, the bad guys are focusing on Windows -- more bang for the buck.

    Bruce Schneier
    Posted on January 06, 2005 at 01:45 PM
    ------------
    Different methodology, different results. My money's on Schneier.
    --
    "There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
  6. Re:More FUD by 1u3hr · · Score: 4, Informative
    A study comes out saying Windows is better than Linux? Question the results

    Having read TFA, the "study" consisted of counting security flaws for RH and Windows, and comparing how long it took to issue patches -- from the date of the vulnerability being announced. This is really shallow; we've seen lots of such studies and laughed at them. I note the spin put on this is "One of them, a Linux fan, runs an open-source server at home..." which makes it look like a Linux zealot has been hacked in his own home, while the happy Windows guy is unscathed. In fact, it was all hypothetical, there were no trials of real servers (none mentioned anyway), just "potential" vulnerabilities in default setups.