Slashdot Mirror


Study Finds Windows More Secure Than Linux

cfelde writes "A Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, 'Security Showdown: Windows vs. Linux.' One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint."

142 of 796 comments

  1. Just what we need... by Rollie+Hawk · · Score: 4, Insightful

    ... another pissing match.

    --
    Before any liberals are tempted to mod up one of my comments, a word of warning: I'm actually making fun of you.
  2. Another study by suso · · Score: 5, Funny

    Study finds Slashdot as repetitive as Philip Glass

    1. Re:Another study by andreMA · · Score: 2
      This really is news...

      ..similarly set-up...
      And I didn't even know anyone was working on mod_vuln for Apache!
  3. Integrity? by samtihen · · Score: 5, Informative

    Well, apparently this is the second time Microsoft has come out on top of a research project by Mr. Richard Ford.

    http://www.virusbtn.com/magazine/articles/letters/2004/01_01.xml

    Apparently there was some question to the validity of an earlier project because it was sponsored by Microsoft.

    However, I would like to note that both researchers seem very well educated, especially in computer security. And, additionally, they both note that a lot more could be done to lock down the Linux server.

    1. Re:Integrity? by Anonymous Coward · · Score: 2, Informative

      ummm.... both the article linked in the original story and the article linked by your post are about the same study.

    2. Re:Integrity? by leuk_he · · Score: 5, Insightful

      from the article

      Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.


      I hoped for a deeper analysis, like the security model used or how it behaves in networks. But it just goes back to counting vulnerabilities.

      --Nothing to see here, move on.

    3. Re:Integrity? by jedidiah · · Score: 5, Insightful

      This study appears to be a clear example of redefining terms and using statistics to muddle an issue. While the conclusion of the study might be valid given the assumptions, I challenge the assumption.

      I challenge the assumption that Redhat vulnerabilities are equal to Microsoft vulnerabilities.

      Given the history of malware, they clearly are not.

      This study is nothing more than a more formalized version of a certain form of trolling once popular on COLA.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    4. Re:Integrity? by LurkerXXX · · Score: 5, Insightful
      Unfortunately they don't tell you the real server that is more secure.

      The correct answer is the one with the better administrator. You can have a Linux box locked down tight, and a Windows box wide open. You can also have the inverse. Probe around, and you will find boxes of all those flavors out there. It all depends on the competence of the guys running it. The competence of the administrator at running the system he is running has a much larger effect on overall security than which OS is chosen.

    5. Re:Integrity? by SpongeBobLinuxPants · · Score: 2, Informative

      I would be surprised if there were fewer vulnerabilities reported in Apache than IIS. Linux and Apache are open source, anyone can look at the code and find a hole (if they know what they're doing). But I would bet that those same people would then sit down and write a patch for the hole after they find it. The issue shouldn't be who has the most holes, but who fixes the holes faster. I would think Linux would win.

    6. Re:Integrity? by Bastian · · Score: 5, Insightful

      I, too, would like to see a more involved, academic analysis of the security of each platform. But even as a quick quantitative analysis, this technique for deciding how secure a system is falls on its face. Instead of counting vulnerabilities, I would be interested in counting the number of viruses and script kiddie tools that take advantage of those vulnerabilities. Just counting known vulnerabilities and number of patches, etc, has a few issues. One is that I honestly believe that a Windows vulnerability is much less likely to be announced once it is discovered than a Linux vulnerability - it's a question of culture.

      Another is that just counting vulnerabilities gives you a worst-case scenario. However, my practical experience suggests that if there aren't any script kiddie tools or viruses out there that take advantage of said vulnerability, your chances of getting compromised through it are exceedingly small.

      I'd also like to see some weighting for the likelihood of an attack succeeding through a given vulnerability. I'm going to be a lot more scared of the exploit that works every time than I am the buffer-overflow that lets you run arbitrary code, but only works once in a blue moon.

      Granted, these studies will never have that info; they aren't meant to mean anything, they are just mindcandy for the PHBs put together by industry pundits looking for a quick paycheck or some attention. If I were really looking for a security analysis or comparison that included an open source server that ran on x86 hardware, I would expect OpenBSD to be one of the operating systems tested.

    7. Re:Integrity? by Phisbut · · Score: 2, Interesting
      It said the criteria "included" the number of vulnerabilities. It didn't say that was the whole basis of the study; it was just one factor. Hardly a reason to dismiss the study.

      From TFA :
      On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.

      Even if they "included" the number of vulnerabilities and did not base their report on that, they drew their conclusions from the number of "days of risk"... ain't much better if you ask me... it's what? 71 days of risk of seeing a misconfigured page defaced for Red Hat versus 30 days of risk of having all your credit card information stolen on Windows?

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
    8. Re:Integrity? by jc42 · · Score: 4, Insightful

      Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.

      Actually, this tells us most of what we need to know. If we want our system to be considered secure, the way to do it is: 1) Don't report vulnerabilities; 2) Don't issue security patches.

      Linux pretty much has to lose a contest that is judged this way.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  4. These studies are pointless. Both can be secure by Mustang+Matt · · Score: 5, Insightful

    I don't get it. I guess I need to read the article.

    A webserver needs port 80 and maybe 443 open. Any webserver can be secured.

    Where's the news?

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
    1. Re:These studies are pointless. Both can be secure by Rollie+Hawk · · Score: 2, Insightful

      And how would you make updates?

      --
      Before any liberals are tempted to mod up one of my comments, a word of warning: I'm actually making fun of you.
    2. Re:These studies are pointless. Both can be secure by orion41us · · Score: 2, Insightful

      Yea, but I can overrun the buffer by posting a crapload of data to 80 and winsock will crash and execute some code I cooked up.... better yet unless the website designers were diligent in using valid character checking I can use sql injection on ms sql server (mysql?) and have the server ftp out to my system and download any software I want....

    3. Re:These studies are pointless. Both can be secure by Tackhead · · Score: 2, Insightful
      > I don't get it. I guess I need to read the article.
      >
      > A webserver needs port 80 and maybe 443 open. Any webserver can be secured.

      A workstation doesn't even need that.

      Not counting the (numerous) local exploits caused by IE, WMP, Outleak and other applications getting pwn3d by their handling of hostile content, the big (i.e. "remotely exploitable without user intervention") holes in Windows all stem from M$'s unstated design assumption that "all the world's an office LAN", and the open/listening status of ports 135, 445, 5000 (anyone remember uPnP, the first 2K/XP remote exploit?), UDP-1434 (SQL server) and the like.

      If your business is based on selling an office application suite (and you're trying to extract a few more bucks from your office suite sales by requiring that someone buy your operating system to run it), then assuming that all the world's an office LAN is a pretty natural thing to do. It's wrong, it's flawed by design, and it's the canonical example of valuing ease of use over security, but it's pretty natural.

    4. Re:These studies are pointless. Both can be secure by Black+Parrot · · Score: 2, Funny


      > unless the website designers were diligent in using valid character checking I can use sql injection on ms sql server (mysql?) and have the server ftp out to my system and download any software I want....

      Even Duke Nukem Forever?

      --
      Sheesh, evil *and* a jerk. -- Jade
    5. Re:These studies are pointless. Both can be secure by dioscaido · · Score: 4, Informative

      What on earth are you talking about? Are you trying to imply that sql injection is a windows only problem? And about 'winsock' crashing... do you know of a vulnerability we don't? Or are you harking back to windows 95 vulnerabilities? The fact is, the parent post is the one that is Insightful. Both Linux and Windows servers can be secured very easily. The XP desktop might still have issues, but Win2k3 server is solid and secure.

  5. Newsflash... ONE Linux Fan.. by Staplerh · · Score: 4, Insightful

    Interesting. Some relevant snippets:

    A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

    In an academic study due to be released next month Dr Richard Ford, from the Florida Institute of Technology, and Dr Herbert Thompson, from application security firm Security Innovation, analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.


    Now, I'll concede that Dr. Ford and Dr. Thompson do sound reputable, but one is an admitted Windows enthusiast and while the other one is a Linux fan who changed his mind, this hardly sounds like a study.

    It's an interesting question, and I'm sure there is no clear cut answer, but a more systematic study (with more parties, rather than just two scientists) is going to be needed to answer this sort of question before the 'results' are trumpeted. I'm sure Microsoft will pick this one up and run with it, however.. more of those annoying ads that seem peppered throughout Slashdot.

    --
    "There's no success like failure, and failure's no success at all."
    - Bob Dylan
    1. Re:Newsflash... ONE Linux Fan.. by bonch · · Score: 5, Insightful

      No offense. But it sounds like people are searching for things to dismiss this study. Um, yes, a Linux guy changed his mind after seeing the conclusions of the study. That means it's not a valid study?

      I'm getting a little disturbed at the way all pro-Linux studies are being accepted and all other studies are being dismissed here. Critical thinking should always be welcome. And, yes, Linux is NOT perfect, it is NOT flawless, and it IS full of security holes like anything else. Nobody should take their operating systems so personally that they feel attacked when Linux is criticized.

      Note that this doesn't go for everybody. But there are a lot of zealots in the community who need to learn to see outside their own perspective.

    2. Re:Newsflash... ONE Linux Fan.. by EvilTwinSkippy · · Score: 4, Informative
      Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.

      Um, no. Your average system administrator earns about $62k, has at least 2 years experience, and generally a bachelor's degree in a related field. At least according to most industry figures.

      The job title also entails tweaking system configurations for security, evaluating patches, etc. etc.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    3. Re:Newsflash... ONE Linux Fan.. by Laur · · Score: 3, Insightful
      No offense. But it sounds like people are searching for things to dismiss this study. Um, yes, a Linux guy changed his mind after seeing the conclusions of the study. That means it's not a valid study?

      When a study is contradictory to most people's direct experience and observations they tend to be heavily skeptical. If a study was released saying the sky is really mauve, not blue, people are also going to be pretty dismissive. When was the last time you read about a Unix/Linux worm or virus on a nontechnical site like CNN? Or heard about it on the evening news? Ever heard these things about Windows? This isn't to say that the study is invalid, just that they better have a damn good case if they expect to convince anyone.

      --
      When you lose something irreplaceable, you don't mourn for the thing you lost, you mourn for yourself. - Harpo Marx
    4. Re:Newsflash... ONE Linux Fan.. by OwnedByTwoCats · · Score: 2, Interesting

      I'm not sure that Dr. Ford is a Linux guy. He may claim he's a Linux guy, in an attempt to make his 'conversion' story a more compelling argument for the side he 'converted' to.

    5. Re:Newsflash... ONE Linux Fan.. by Coryoth · · Score: 2, Informative

      No offense. But it sounds like people are searching for things to dismiss this study. Um, yes, a Linux guy changed his mind after seeing the conclusions of the study. That means it's not a valid study?

      Exactly. Regardless of the validity of the study the Linux community should be taking this the same way they've taken other comparisons in the past: as a spur to make the changes and improvements necessary to make Linux simply that much better than the opposition.

      Right now that means, if you're a developer, you ought to be spending a little time learning about SELinux and how it works. SELinux provides a framework for security, but it is only as secure as the applications running in that framework. If the applications respect and take advantage of it, it is a huge gain, if they don't then it provides little real improvement.

      One of the big security claims for Linux over Windows is user accounts. The fact is that both Windows and Linux have differing user accounts with differing permissions. On Windows, however, there are many applications that don't care about user accounts - they expect Administrator level access. On Linux non root accounts are fundamental and almost all the (user) applications understand that they can't expect to be root. That means that on Windows the user accounts and permissions, despite being implemented and available, don't provide as much security as they do on Linux.

      Right now SELinux is the same way - there's a new security framework (roles, mandatory access controls), but the applications ignore it: they fail to respect the new boundaries, or they fail to take advantage of the compartmentalization of lowest privilege systems that SELinux allows. The community needs to take the step toward embracing this new, better, security framework.

      Claims like this study should be the spur to get the community to do that! Help spread awareness of the task...

      Jedidiah.

    6. Re:Newsflash... ONE Linux Fan.. by Queer+Boy · · Score: 2, Insightful
      If a study was released saying the sky is really mauve, not blue, people are also going to be pretty dismissive.

      As right people should be dismissive. The sky is neither mauve nor blue, it has no colour. Blue light scatters in the atmosphere causing it to look blue.

      Nearly half that article had nothing to do with Linux or Windows security.

      --
      Not since Marie-Antoinette played milkmaid has looking simple and honest been so fake and complicated.
  6. Not again... by PoprocksCk · · Score: 5, Insightful

    "Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued."

    So Windows is more secure than Red Hat because Microsoft chooses to report fewer vulnerabilities and release fewer patches? Hmmm...

    (Move along, nothing new to see here.)

    1. Re:Not again... by bonch · · Score: 3, Insightful

      When people so routinely dismiss studies that paint Linux in less than flawless light while praising studies that put it at the top, I can't help but shake my head.

      Your post has to be the fourth one I've seen that has said the exact words "Move along. Nothing to see here."

      Why so desperate for people to not see it? Linux is not flawless. In fact, it's not been the best of years for it (Firefox as well). I'm sorry, but as popularity grows, so will the security reports pointing out the inherent flaws in any complex system constructed by human beings.

      The need to be better than Microsoft has to go. Just concentrate on fixing what is wrong with Linux when it's pointed out. This isn't a popularity contest, right?

    2. Re:Not again... by drinkypoo · · Score: 2, Insightful

      Desperate? I think you need to go reread the above comment. No one is desperate for someone not to see this so-called study. (It's an experiment at best.) The point is that it's not a study, it's just a couple guys poking at some computers over a fairly brief period of time and making some observations. Anyone basing business decisions off this study should have their head examined. Of course, the common conception is that most PHBs will read it and say "hey, this Linux thing has problems. Look, the study says so! We'd better use Windows" and thus this whole thing is a bunch of FUD bullshit.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Non Story by bfree · · Score: 4, Insightful

    Until the report is released this is a non-story, just fuel for the FUD machine. Unfortunately we will have to wait for a month to actually discuss what this means so I don't even know why I am bothering to post to this!

    --

    Never underestimate the dark side of the Source

    1. Re:Non Story by PoprocksCk · · Score: 3, Insightful

      Heh. Here's what we've come to learn over the past little while, I guess:

      Red Hat = Linux

      Microsoft > Red Hat since it announces fewer vulnerabilities

      Therefore Microsoft > Linux by the transitive assumption...

      Seriously though, that's the problem with EVERY SINGLE one of these "security studies" -- they don't "study" anything, but they do "research" -- and they always use the same, weak argument as described above.

  8. The security of a server... by jmcmunn · · Score: 5, Insightful

    ...is only as good as the security of the admin setting it up. It doesn't matter how many updates need to be run, whether one or one hundred. If the system admin doesn't keep the server up to date, it's only a matter of time until the server will be vulnerable.

    Now let the flaming begin, so you can all argue about the number of patches/updates required for each system, how long it takes for Linux/Windows to respond to problems, and all that good stuff. We all know that's the only reason this kind of story shows up on Slashdot is to start a good flame/troll war! :-)

    1. Re:The security of a server... by cameroon33 · · Score: 3, Insightful

      Exactly. Don't miss the part where they say that both servers were generic builds:

      -----------
      Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.

      Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
      ---------

      Define 'Wizard', and this may be informative. Otherwise, it's bunk.

    2. Re:The security of a server... by RedHat+Rocky · · Score: 2, Interesting

      They not only said generic builds, but HYPOTHETICAL builds. As in they didn't actually set up machines, rather it is all a thought experiment.

      As to whether it was a poor experiment or not, show me the data.

      --
      Anything is possible given time and money.
  9. Self-Evident by Wvyern · · Score: 5, Insightful

    "...Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance." By his own admission the Linux administrator is a "Wizard" compared to the average MS Systems Admin. Well, that just about says it all doesn't it?

    --
    "Sheep just follow the easiest path and run from scary noises and intimidating creatures." - Me
  10. I'm no zealot by InfallibleLies · · Score: 5, Insightful
    of either Linux or Windows, but really, how is one more secure than the other? If there's an equally exploitable hole in each, is the one that gets fixed faster more secure? If it is, then the only thing making one more secure than the other is the administrator. He/She's the only one who can patch their systems by actually downloading the patch and applying it.

    No matter how fast a patch is issued, you still have to install it for it to work.

  11. Delay in announcing MS vulnerabilities? by Saint+Stephen · · Score: 4, Insightful

    Doesn't Microsoft encourage delaying announcing vulnerabilities until a patch is available?

  12. Enthusiast?! by Vollernurd · · Score: 4, Funny

    How the hell can anyone claim to be a "Microsoft enthusiast"?! It's hardly a hobby.

    --
    Smokey, this is not 'Nam, this is bowling. There are rules.
    1. Re:Enthusiast?! by shaitand · · Score: 2, Informative

      Heroin at least has a high, MS gives your company the addiction/lockin without the fuzzy feelings.

  13. Re:Hardly scientific isn't it? by Assmasher · · Score: 3, Insightful

    Did you notice that this was a study aimed at IT administrators, not home users?

  14. Hardly a study by metatruk · · Score: 4, Insightful

    This was hardly a study. I don't see any data presented here, and certainly no methodology used to gather the data. Sorry, but the scientific method always wins.

    Sorry, but this "study" is not a study.

    Why was this even posted?

    1. Re:Hardly a study by thenextpresident · · Score: 2, Insightful

      Yeah, and they make note that this was a preview of a study they will be releasing in a month's time.

      --
      Jason Lotito
  15. Well at least it's nice... by Caeda · · Score: 3, Insightful

    That they actually admit in the article that they set up the linux server as the absolute default, changed no security settings, left it just as it comes right out of the box... As they specifically state they left minimum configuration in place and linux users might do more. Basically implying the study is a pile of sh*t since no company in their right mind would opt for a total linux solution and then leave the webservers running without changing any settings...

    --
    ~~ Please keep your arms, legs, and outright stupidity inside the ride at all times. Thank You ~~
  16. RTFA then talk by digitalgimpus · · Score: 4, Funny

    Read it for yourself. It reads:

    "Believe it or not, a Windows Web server is more secure than a [i]similarly set-up[/i] Linux server, according to a study presented yesterday by two Florida researchers."

    So when you load a linux server with software that has known security holes....they are both equally as secure.

    It's not groundbreaking news.

  17. In other news . . . by Leroy_Brown242 · · Score: 2, Funny

    . . . 2 Florida researchers were seen speeding away from their work places in new Ferraris wearing Armani suits. . .

  18. A lot more could certainly be done... by emil · · Score: 5, Insightful

    OpenBSD runs chroot() Apache. Does IIS have similar capability?

    The chroot() patch was never taken up, but it would probably not be that difficult to install on Linux.

    I would be disinclined to run any other way at this point.

    1. Re:A lot more could certainly be done... by n0-0p · · Score: 5, Interesting

      It's pretty easy to make Apache chrooted under linux. With Apache2 you still need to allow dynamic libraries though, which often bothers people. Having hardened both Windows and Linux servers on a regular basis, I'd pick Linux every time. It can be locked down much more than Windows. I haven't found anything that compares to a combination of PP buffer protection on binaries, chroot jailed services, iptables, and SELinux policy. I just don't understand why more vendors haven't tried to create default installs that support this level of security.

    2. Re:A lot more could certainly be done... by jc42 · · Score: 4, Informative

      Why would it take a patch to make a server run in a chroot jail? This can be done with any program. It requires no cooperation from the program itself.

      Of course, running anything chrooted usually requires making a list of subprocesses that the program calls, and linking them into the program's directory tree. You'd want to do this in this case, because web servers typically do invoke some subprocesses. Not always, of course; some web sites are completely static. In any case, this doesn't require any sort of patch; just a list of what files are needed in the chroot area.

      So what's in the OpenBSD chroot patch? What sort of vulnerability existed without it?

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    3. Re:A lot more could certainly be done... by Hardwyred · · Score: 2, Interesting

      You should try chrooting an apache process that runs in User-mode linux. I run all of my servers out of UML now, even samba and my wireless access point. It keeps my server busy, but it always pained me to see it idle anyways.

      --
      www.linux-skunkworks.com
    4. Re:A lot more could certainly be done... by Ogerman · · Score: 2, Insightful

      I haven't found anything that compares to a combination of PP buffer protection on binaries, chroot jailed services, iptables, and SELinux policy. I just don't understand why more vendors haven't tried to create default installs that support this level of security.

      The article has a point when it states that "linux wizards" could do a lot more to enhance the Linux machine's security compared to the default RHEL installation they were using. Indeed, why are vendors not using the complete assortment of Linux security best practices? Administrators almost always go for the path of least resistance -- whether Windows or Linux. As a result, Linux distros need to make absolutely sure that this path is also the most secure by default. And tools need to be written to make proper administration easier.

    5. Re:A lot more could certainly be done... by X.25 · · Score: 2, Insightful

      I also wonder if IIS has mod_chroot ...

      The whole "study" is silly. There is no such thing as "more secure", unless you take into account WHO managed those machines. What's the point of having a super-secure Linux server if the admin leaves '1234' as the password? Security is not only technology (actually, technology is only a small part of it) - it is much more. It is sociology (or whatever you call it in English).

      I've been doing pentests for the past 13 years, and in many (and I mean it) cases I didn't need latest exploit (or any exploit at all) in order to gain access to resources.

      You know, when you do proper information gathering and try to "think like an admin", miracles happen...

    6. Re:A lot more could certainly be done... by drsmithy · · Score: 2, Interesting
      OpenBSD runs chroot() Apache. Does IIS have similar capability?

      It doesn't really need to. chroot is a unix-ism to circumvent the inherent insecurity that comes from the necessity under unix to be root to do "useful" things (like bind to low network ports). Since the Windows security model is completely different (ie: it's more complicated than unix's "if UID != 0 then apply_security()"), the concept of chroot doesn't really need to exist.

    7. Re:A lot more could certainly be done... by joto · · Score: 2, Informative
      It doesn't really need to. chroot is a unix-ism to circumvent the inherent insecurity that comes from the necessity under unix to be root to do "useful" things (like bind to low network ports).

      Ehh no. If you want to bind to low network ports, you can do that as root and then setuid(3) to another low-privilege user, or by getting a file-descriptor from another (more privileged) process, or you could get that capability granted to you by a startup-script, or another process. For web-servers, almost everybody would use the simplest solution: setuid(3).

      Since the Windows security model is completely different (ie: it's more complicated than unix's "if UID != 0 then apply_security()"), the concept of chroot doesn't really need to exist.

      No. The problem you mentioned isn't why chroot is useful. chroot isn't needed on unix either (in theory). Since most web-servers on unix run as some non-privileged user anyway (as opposed to IIS which has system privileges), you are way off the target.

      chroot is there simply because all software has bugs. Even if there is a critical security hole in e.g. the operating system, that results in a remote vulnerability, and someone takes advantage of this, they still can't escape from the chroot'ed environment. Unless there are holes in the chroot functionality too (which could be true).

      Good security practice is to do a total overkill, i.e. you build your security in layers. You have one (or more) firewall(s), preferably both at the packet filtering level and the application level. You run every service with as few privileges as possible. You put them in a chrooted environment. You lock down everything you don't need. You run it on a dedicated machine (and/or use something like UML). And then you can start worrying about keeping up-to-date on patches.

      By the way, the unix security model you described might have been correct in the 70's. It isn't anymore. Different unixes might do different things, but most certainly everyone will at least have various ways of escaping the need to be root to do useful stuff, e.g. capabilities, passing of file-descriptors, etc...

    8. Re:A lot more could certainly be done... by Alex+Belits · · Score: 2, Informative

      chroot doesn't affect a process's namespace, it just affects path name resolution so one can easily escape the chroot with "/..".

      This can only work if you are root user in a chroot environment -- what any sane secure design avoids or limits to a small, secure part of code. And no one places setuid binaries into chroot environment, so privilege elevation can be only a result of a kernel bug -- which is not unheard of (recently patched in Linux), but is very uncommon compared to other vulnerabilities.

      --
      Contrary to the popular belief, there indeed is no God.
  19. Not only that, but I find this quote odd.. by schon · · Score: 5, Insightful

    A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

    Umm, so MS showed him their source code? I find that a little hard to believe.

    If he can't see the source, how can he make any determination at all?

    1. Re:Not only that, but I find this quote odd.. by Anonymous Coward · · Score: 2, Informative

      You can be allowed to look at Microsoft's source. Governments can do this and some other people too. If you apply at the below URL you might just be that someone :)

      http://www.microsoft.com/resources/sharedsource/licensing/getsource.mspx

      Joke aside, it is possible. But you must have a good reason I guess. And "I want to see if IE can be removed from the kernel" probably isn't one of them.

    2. Re:Not only that, but I find this quote odd.. by chrism238 · · Score: 2, Insightful
      If he can't see the source, how can he make any determination at all?

      Easily; you don't have to have access to source code to make a determination - you can make many external determinations by treating things as a black-box. It's a myth that only open-source code can be secure.

      We don't understand the "source-code" of DNA, and yet we make millions of determinations about other people, every day.

    3. Re:Not only that, but I find this quote odd.. by skogs · · Score: 2, Interesting
      I second this. Also, I am sure they tried to crack their own boxen, and tried to crack each other's boxen. All the linux vulnerabilities are well documented, and I am sure they used each one to see how easy it was. All of microsoft's bugs are not necessarily well documented, if at all, precisely because it is closed source and unviewable.

      While windows can indeed be secure enough for most situations if well administered, the truth is that most is not well administered and even then there is the constant possibility that somebody will take a whack at it and actually find a new code break. Nobody really takes a whack at a linux boxen and finds a new flaw. All the flaws are relatively easy to find on your own.

      Check those stacks everybody.

      --
      Who is this that even the wind and the waves obey Him? Surely this computer must submit also!
  20. Reproducibility? by RenHoek · · Score: 3, Insightful

    I wish they'd post some info about the tests themselves. At least what kind of setups they used, where they got the info about vulnerabilities and patches, and so forth..

  21. Such professional sources by diamondsw · · Score: 2, Insightful

    A "Linux fan" and "Microsoft enthusiast" trying to cut through the near-religious arguments?

    I'll take a nice report by computer scientists and security experts about overall system design over crap papers like this any day.

    --
    I don't know what kind of crack I was on, but I suspect it was decaf.
  22. Re:More FUD by Otter · · Score: 4, Funny
    Ummm, Florida isn't in Washington. Or if it is, we have bigger problems going on than Linux or Windows vulnerabilities.

    And, to the grandparent -- if you read your own link, the previous study was not sponsored by Microsoft.

  23. From the website of the sponsor by Hockney+Twang · · Score: 2, Informative

    Security Innovation is a certified Microsoft partner for security services. We have both the Microsoft SWI and ACE certifications as an authorized professional services provider for Microsoft technologies.

    I'll allow you to jump to your own conclusions.

    1. Re:From the website of the sponsor by _Sprocket_ · · Score: 4, Funny
      I'll allow you to jump to your own conclusions.

      Whew. For a second there, I was worried I'd have to get out the mat.
  24. Re:Hardly scientific isn't it? by EvilTwinSkippy · · Score: 2, Funny
    No, on the Internet the plural of anecdote is fact.

    /sarcasm

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  25. "Days of Risk" vs. Full Disclosure by Daedala · · Score: 5, Insightful

    Neither article defined "days of risk" to my satisfaction. Is it "days since the vulnerability was published" or "days since the vendor was informed of the vulnerability"? I suspect that Microsoft is more likely to hear things privately early. ASN.1 library anyone? It was discovered in July 2003, and announced and patched in February 2004. Was that six months of risk or one day?

    Secondly, there's no discussion of how the criticality of a vulnerability was weighed. If every "day of risk" for Windows was "critical," and every "day of risk" for RedHat was "moderate," then I'd differ with their conclusions. Further, there was no mention of whether they considered actual exploits in the wild.

    --
    What I say does not represent the views of my employers, my friends, my cats, or myself.
  26. Re:More FUD by Anonymous Coward · · Score: 3, Insightful

    Typical.

    A study comes out saying Linux is better than Windows? Praise it to high heavens! We knew it all along!

    A study comes out saying Windows is better than Linux? Question the results, impugn the source and dig as deep as it takes to find some political or financial affiliation between them and Microsoft, no matter how asinine or inconsequential.

  27. Severity of Vulnerabilities? by rjune · · Score: 3, Insightful

    Directly from the article:

    "The pair examined the number of vulnerabilities reported in both systems and the actual and average time it took to issue patches. In all three cases Windows Server 2003 came out ahead, with an average of 30 "days of risk" between a vulnerability being identified and patched compared to 71 from Red Hat."

    There is nothing said about the severity of the vulnerabilities. This article would never make it in a peer reviewed publication.

  28. Study did not prove Windows more secure than linux by EvilTwinSkippy · · Score: 2, Insightful
    It showed one configuration of Windows 2003 server to be more secure than one configuration of RedHat Enterprise running Apache.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  29. My problem. by juuri · · Score: 2, Insightful

    With all of these studies is they typically work on the assumption you are just throwing a server, regardless of OS, on the net. That means there is no load balancer in front, no filtering at the border routers, no firewalls and nothing is ever blocked.

    If a company or individual is actually doing this how on Earth can they possibly attest to the security of their server?

    --
    --- I do not moderate.
  30. Hope This Study Didn't Cost Much by Spudnuts · · Score: 3, Interesting

    In a previous job at a datacenter where we ran Red Hat Enterprise Linux, I frequently got the comment that there seemed to be a lot more Linux patches than Windows patches. All of the updates for optional software (I tried to do minimal installs and/or remove optional things, but the dependencies sometimes made this awkward) simply made the systems seem more needy than the Windows systems.

    Many of the vulnerabilities were of low risk to us, but it was rare for the system owners to say that even with this low risk that it was acceptable to hold off on applying the patches.

  31. Also in the news... by NoMoreNicksLeft · · Score: 4, Funny

    cfelde writes "Satanism is less evil than a christianity, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of philosophers, discussed the findings in an event, 'Religion Showdown: Good vs. Evil.' One of them, a satanist, performs perverse human sacrifice rituals; the other volunteers at the local homeless shelter. They wanted to cut through the near-political arguments about which religion is less evil from a morality standpoint."

    1. Re:Also in the news... by elli2358 · · Score: 2, Insightful

      I'd have to disagree with the position that religions caused "practically every war that we know of". Hitler/Stalin/Pol Pot et al were all secular leaders and they've taken an unimaginable number of lives.

      As far as the European Imperial era, Christianity was often abused by the governments as a front to support the looting and plundering of the rest of the world, rather than a primary cause.

      Broad generalizations make us no better than these reports we keep complaining about.

  32. Knock Knock Joke by R2.0 · · Score: 5, Funny

    Knock Knock.
    Who's there?
    Knock Knock.
    Who's there?
    Knock Knock.
    Who's there?
    Knock Knock.
    Who's there?
    Knock Knock.
    Who's there?
    Knock Knock.
    Who's there?
    Knock Knock.
    Who's there?

    Phillip Glass

    My 8 year old daughter, a great aficionado of knock knock jokes, didn't appreciate it.

    --
    "As God is my witness, I thought turkeys could fly." A. Carlson
    1. Re:Knock Knock Joke by shis-ka-bob · · Score: 2, Informative

      I don't believe that touchez means 'touch it', that would be touchez-la. (Or touchez-le, if one prefers to touch masculine things) By itself, touchez is the second person, plural form of toucher, or 'to touch' in English. I was correctly caught mistaking whose for who's. This was mildly embarrassing, so I was joking about being stung by the comment. A judge in fencing would announce touche, but an opponent that was struck might say 'touchez' or even 'touchez-moi' to the opponent that landed a blow.

      --
      Think global, act loco
  33. Basic is not just stupid, it's asking for it by Oriumpor · · Score: 2, Interesting
    The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.

    Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
    Come on, who runs a Windows box on the web without heavy firewalling, software firewalling (blackice with autoblocking for instance) and regular audits?

    The same goes for Linux. Security is not something to be taken lightly. People should NOT be putting machines out in the open. The best practice used to be Firewall critical servers. The best practice has become Firewall, IDS, and monitor the crap out of anything touching the internet.

    These tests are always like comparing a Factory Model to a Nascar Stock Car.
  34. Re:Hardly scientific isn't it? by Soukyan · · Score: 2, Insightful

    How many people run Red Hat Enterprise 3 at home? Did you bother to read the article?

  35. The article doesn't actually tell you anything by rpdillon · · Score: 2, Interesting

    This "article" doesn't actually provide any information about the WAY in which the results were obtained.

    From an admin perspective, I want to know what the vulnerabilities were, and what their definition of "vulnerable" is - especially if they say "Windows had 30 days of vulnerability, versus 71 for Linux".

    On that topic, when are we going to get past the label "Linux"? There is no such thing. There's RedHat, SuSe, Gentoo, and Debian (among hundreds of others) and they all handle security differently. I'm sure I could find distros LESS secure than Windows, and I'm sure I could find distros unquestionably MORE secure, as well.

    Ah, well, I guess I'll wait for the report. I would have preferred a headline:
    "OS Zealots Face Off in an Anecdotal RedHat vs. Windows Web Server Security Showdown - IIS Triumphs"

  36. Simplistic study by Bender0x7D1 · · Score: 2, Interesting

    It really bothers me that simple studies such as this grab the headlines. If you really want to determine which server is more vulnerable, study real servers belonging to real companies handling real traffic/data that someone wants to get.

    Also, deciding on a configuration that an "average administrator" would have instead of a "wizard" seems questionable unless they determined those settings by examining dozens (or hundreds) of actual system configurations. Determining something is "too advanced" for an average administrator to use without actually examining real systems seems too arbitrary. Can anyone define the skill level of an average administrator?

    You can't determine how secure something is if you aren't going to use its security features. If M$ has all of their security features turned on by default and Linux doesn't, that doesn't mean M$ products are more secure than Linux, it just means that they have a better configuration out of the box. (Not that I believe that, but I use it for the sake of argument.) While it is important to have fail-safe defaults, it is far more important for someone to know what they are doing. Unfortunately, too many companies don't understand that and hire people who don't know what they are doing.

    --
    Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
  37. A valid comparison? by EmagGeek · · Score: 3, Insightful

    I would think that a Windows box set up by a MS Certified Professional and a Linux Box set up by some kind of Linux Certified Professional would be a much better comparison than one between a "Linux Fan" and a "Microsoft Enthusiast."

  38. Horribly flawed by StormReaver · · Score: 4, Insightful

    "There are some people who are sceptical [of the results]," said Dr Thompson. "We would encourage them to replicate this type of study. If you see flaws please tell us."

    Are they joking? Their metric (reported vulnerabilities) is absurd for a number of reasons.

    1) Microsoft reports only a fraction of its vulnerabilities. Remember when Win2000 had over 65000 known (to Microsoft) flaws? No more than a handful were ever reported. Microsoft reports flaws only after bearing enormous public humiliation. Of course Microsoft's flaw count is going to be low. Microsoft hides them all until forced to disclose.

    2) Linux vendors report every hair out of place. It doesn't matter if the flaw causes a D to look like an O on the third day of the Summer Solstice, but only if that day matches the 4th digit of PI, and only if the computer has calculated the cure for cancer at exactly 15 milliseconds after the user's orgasm.

    3) Seriousness of vulnerabilities. Due to the nature of full disclosure under Linux, it will -always- have higher reported flaw counts than Windows. The vast majority of reported Linux flaws, however, are relatively benign, while the vast majority of reported Windows flaws hand over complete control of your computer to some third party.

    4) Widespread Propagation. Windows, by its intended design, makes propagating exploits to these vulnerabilities trivially easy (automatic, actually), while this has yet to be accomplished on Linux (and likely won't be).

    Sorry, but this "study" is complete nonsense.

    1. Re:Horribly flawed by ad0gg · · Score: 2, Insightful

      You know there is a difference between a flaw and a vulnerability? Showing the wrong icon on a messagebox. Showing the wrong dialog text. Windowing issues which I see a lot of. Race conditions.

      --

      Have you ever been to a turkish prison?

  39. Quality Research by deanpole · · Score: 4, Insightful

    One datapoint makes a terrible graph.

    1. Re:Quality Research by QMO · · Score: 2, Funny

      Ah, but very flexible.

      Any curve shape you like can be made to pass through all the point(s), if you only have one.

      --
      Exam 4/C again. Maybe I'll do better this time.
  40. All that really says is... by Blitzenn · · Score: 2, Interesting

    All that really says is that the foundation is secure. It doesn't say that Windows will be free from successful attacks or that Linux will not.

    Try this analogy on: if you buy both a Porsche and a Dodge Neon, park them both on a city street and leave them overnight, unattended. Which one is most likely to get stolen? Anyone with common sense says the Porsche. But the Porsche has a much better security system than the Neon has. But gosh, nobody wants the Neon either, so it doesn't need the overzealous security. Now that's a bit of a stretch for a Windows vs Linux comparison, but it does denote the reason why a Windows server is going to quickly 'become' insecure, while the less secure Linux platform is probably going to be fine and left alone.

  41. If you lean WAAAY over to the left... by cliffiecee · · Score: 4, Insightful

    ... and squint your eyes, you'll see the 'clear' results.

    The researchers used reported vulnerabilities as their guideline, and 'days of risk'; quote: "the period from when a vulnerability is first reported to when a patch is issued."

    Windows Server 2003 had 30 days of risk, Linux (Red Hat Enterprise Server 3) 71 days.

    But which reports of vulns are they considering? Microsoft often provides their own reports, which are released WITH THE PATCH. I wouldn't give those reports the same weight, since the vuln could have been there (and unofficially known) for MONTHS.

    I fully expect Linux to have MORE vulns in any case, since Linux ultimately is a collection of separate programs working together, each of which has their own potential insecurities. But, a vuln in sendmail is NOT going to affect my webserver, because I'm going to turn that OFF (if I'm a smart admin).

    In fact, the researchers only used a "hypothetical" system to show "what an average system administrator may do." I'm sorry, but if an admin is using anything like a default setup he is BELOW average.

    In conclusion, this really sounds like a comparison of how vulnerable the respective systems are with a 'default' install. Wake me up when they go head-to-head with OpenBSD.

    P.S. Hey researchers- RED HAT IS NOT LINUX.

  42. Need Details--cause this shows common Errors by Slicker · · Score: 2, Informative
    They need to explain exactly what they did to come to this determination. As I read it, they compared default setups... which avoids the "security is a process, not a product" debate.

    However, it sounds like they compared the number of reported vulnerabilities as if they were apples and apples--which is a big error. Open Source should yield discovery of more vulnerabilities--the more, the better it's working.

    On the other hand, if critical vulnerabilities are not being patched as quickly as for Windows then that would be a problem. What are the statistics on that?

    Matthew

  43. How these statistics could mislead... by G4from128k · · Score: 3, Insightful

    The study posts the "days of risk" defined as the time between announcement of a vulnerability and the availability of a patch. But this definition misses two big factors. First, there will be some number of days between the discovery of the vulnerability and the announcement of it. Second, there will be some number of days between the patch being available and the downloading of it. Both factors increase the days of risk and mean that a quickly-patched OS with lots of holes has higher practical risk than a slowly-patched OS with few holes.

    I don't know which OS has more risks, has a greater delay between discovery and announcement, or has a greater delay between patch availability and patch application. Does MS or Linux get more slack from vulnerability finders? Do MS or Linux admins patch faster? Does MS or Linux get more vulnerabilities? These data points would help evaluate the true risk.

    --
    Two wrongs don't make a right, but three lefts do.
  44. They're only doing... by nothingx · · Score: 2, Interesting

    ... what they're paid to do. How much does a license cost to run Windows 2003? How much does Apache cost? Really, it's not that surprising that full-time salaried employees can build a better server. I mean, that's what they're paid to do. I don't get excited when the guy at the donut store gets my order right, why should I care that Microsoft's server works?

    I don't know about other people, but I don't run Apache because I think it's more secure. I run it because it's free, opensource, and secure enough for my needs.

  45. Yet another joke study... by GoNINzo · · Score: 2, Interesting
    Yeah, I know we're used to this FUD but let's take a bit closer look.

    One is that as someone pointed out earlier, the 'linux enthusiast' has accepted research grants from Microsoft before. That's a little suspect.

    Two is the data they present as 'proof' that windows is more secure, the delay between announcement and patch. "the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup". Besides the point that it doesn't prove one more secure than the other, Microsoft has released patches the same day they announced the exploit because they've kept it suppressed.

    Three, if your server is behind a firewall (as all web servers should be!), you need to protect two ports and the software associated with them. Did they limit the study to just those details? Or was this a stock install of these machines directly on the internet?

    And fourth, there was no demonstration, this was simply an announcement by two guys who ran some numbers against an undisclosed exploit database. Which thing was it that ran 71 days or stretched everything that long? How many total exploits was it? If I had 2 exploits on redhat, one at one day and one at 141 days, but 10 exploits on windows varying from 1 day to how many days for the ASN exploit... which is more secure again?

    Stock install, no patches, then yes, I would say the windows server is more 'secure' than the linux server, despite vulnerabilities in each. But that's like saying that this screen door is more secure than this paper door.

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  46. Linux thrives on criticism by Paradox · · Score: 5, Insightful

    I wish I could mod you up, bonch. I've experienced the head-in-the-sand Linux mentality too, and it is scary. It misses the whole point of linux.

    Linux is awesome, this study doesn't change that but we always need to work to make it better and easier to secure. Critics of Linux are our best friends, because they do the work of finding out where we need to improve for free.

    The best thing about linux is that when people have a legitimate complaint, it's well within our power to fix it! If Linux is temporarily less secure, so what? After reading this, everyone will adapt their linux distros to render the complaints moot.

    This is part of why we love open source, right?

    --
    Slashdot. It's Not For Common Sense
    1. Re:Linux thrives on criticism by Stonehand · · Score: 2

      ...and it's talking about one specific distro, from Red Hat.

      Now, I don't run Red Hat Server, and haven't used RH since the 3.0-ish days, but it wouldn't shock me too much if even RH Server's current editions came with significantly more services enabled than strictly necessary (rather than something more like an OpenBSD-style approach where it's shipped locked-down but you can open it up).

      --
      Only the dead have seen the end of war.
  47. Two random guys say... by mrtom852 · · Score: 2, Insightful
    Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard"

    is that an average windoze SA or an average Linux SA?

  48. Re:Hardly scientific isn't it? by ackthpt · · Score: 2, Funny
    Did you notice that this was a study aimed at IT administrators, not home users?

    I dunno if that qualifies it as scientific or not, but I've found trying to run servers and scripts on Windows to be a great joy after installing their anti-spyware, which interferes with my scripts. It's so secure even *I* can't get very far.

    --

    A feeling of having made the same mistake before: Deja Foobar
  49. Re:More FUD by Otter · · Score: 2, Informative
    The way I took it was that the program was sponsored by Microsoft, the specific study was not funded by them.

    My guess is that someone else in the program has Microsoft funding for his project, but you could be right. In any case, the OP's assertion is incorrect.

  50. They do mention they are not "wizards" by GunFodder · · Score: 3, Insightful

    These researchers mention they are not "wizards" and I think this illustrates an important difference between Open Software and Windows. Linux is great if you know what you're doing. There are lots of resources out there to help you properly configure your system, and if done right you will have minimal issues.

    And you're going to need those resources if you're not a "wizard". Open Source software is not as easy to use as most MS products, and in many cases the documentation isn't very good either.

    1. Re:They do mention they are not "wizards" by Slime-dogg · · Score: 2, Interesting

      People who don't know what they are doing should definitely not be running a web server. I'm sorry, but it is far easier for someone to pay $4/month for geocities to host their personal web site than it is to configure IIS, run dyndns (or call ISP and set up a static IP address), etc. etc.

      Stupid people running stupid web servers is the reason why we had code red in the first place.

      --
      You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
  51. Re:Hardly scientific isn't it? by phyruxus · · Score: 3, Insightful
    "Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance."

    Sure doesn't sound like it's aimed at IT admins. If your IT department doesn't have anyone who's competent to secure and maintain the system(s) you use, it's the fault of management, not the software (nor the admin).

    Hey, my plywood outhouse is more secure than Fort Knox.. as long as the outhouse has a padlock and Fort Knox is unlocked and unoccupied. Putting one competent guard in front of the entrance to each highlights the real defendability of both.

    A crayon is ready to use right out of the box - a pencil has to be sharpened. Strangely, we use more pencils than crayons in the workplace. Why? Because it's better. Someday, a PHB will touch the obelisk, and stand upright. Until then, we're stuck with cray^H^H^H^H windows.

    --
    "A witty saying proves nothing." ~Voltaire
    "d'Oh!" ~Homer
  52. The Real Truth... by eno2001 · · Score: 5, Insightful

    ...is too hard to handle for most:

    An OS is only as secure as its admin is competent. This will NEVER change no matter what platform you are dealing with.

    If you give some RedHat CDs to a complete goof off and have them install it on a system that is going to be directly exposed to the internet, that box is going to get rooted eventually. It might take longer to get rooted than a Windows box, but it will be cracked.

    If you give Windows 2003 Server to a knowledgeable admin, he will secure the box and make certain that the likelihood of it getting cracked is fairly low. He will know not to put the box on the internet until he's applied all SPs and critical updates. He will know to use an internal SUS or WUS to make sure that the box is updated without exposure to the internet.

    If you give a complete moron who *thinks* he knows all about [insert platform] any installation media, you're going to have an insecure box.

    It's been my experience that the best people to set up an internet exposed box using any OS are people who are most familiar with all OSes and have a good understanding of how to secure each one. It's not that hard to hit the main security points and still keep on top of all OSes. However, since egos are so intrinsically tied to how secure a box is, people point the finger at the OS distributor. Sure, they are to blame in many cases, but the implementor is usually far more guilty of being lax. That's the hard truth and it cannot be refuted.

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
    1. Re:The Real Truth... by Anonymous Coward · · Score: 2, Insightful

      Truth be known: security is an ease of use issue; the easier it is to do, the more people will bother to do it. And ease of use falls squarely on the shoulders of the OS, not its user.

    2. Re:The Real Truth... by mark-t · · Score: 5, Insightful
      Your point is valid, however...

      Windows isn't "just another OS"... it has the rather unique position of being on a substantial number of desktops in people's homes. In and of itself this is not a problem and requires no greater security, however, a significant percentage of _THOSE_ systems are also on the Internet. And of course, the problem is that most people are simply not qualified to do a respectable job of administering and securing their home computer. Which brings us to the point you mention. The security problems with Windows are primarily caused by the inescapable fact that most of its users *ARE* ignorant when it comes to security, and the fact that MS chooses to continue to market its products at this demographic while at the same time ignoring security issues or sweeping them under the rug is why people may be inclined to blame the operating system or Microsoft for the problems.

      Although, interestingly enough, if Darwinism really works, Windows users may ultimately adapt to having to always struggle to keep their boxes secure, and perhaps even end up being better than most Unix gurus at home computer security. Time will tell.

    3. Re:The Real Truth... by Emperor+Igor · · Score: 4, Funny

      That's not really how evolution works. Not unless these Windows users die or become sterile due to lack of security...

      If anything, it works the opposite way, with people who don't care to get too deeply into computers and technical stuff having far more sex.

    4. Re:The Real Truth... by einhverfr · · Score: 5, Insightful

      You have a valid point. Furthermore I never talk about a "secure" OS. Personally I don't think Linux is a "secure OS" anymore than Windows is.

      The primary questions include:

      1) How *securable* is the OS?

      2) How gracefully do services respond to failures?

      Secondary questions (addressed in this study) include:

      1) How secure is the OS *by default.*

      2) What constitutes a typical setup?

      Now, personally I don't care much about these secondary questions from a secure server perspective. Linux security is easier than Windows security, and Linux is more securable than Windows. A lot of this is because Windows depends on things like RPC which does not fail gracefully.

      On the other hand, you can mitigate a lot of this risk by proper security practices. A skilled admin is going to be trying to balance usability and security and will do it well if given the appropriate tools.

      Again the question should be "how securable" rather than "how secure" for exactly the reason you mention.

      --

      LedgerSMB: Open source Accounting/ERP
    5. Re:The Real Truth... by unixbugs · · Score: 4, Insightful

      If you are implying that Windows is more secure because you can click on an anti-virus icon you have yet to understand the nature of the problem.

      Think of the gold in Fort Knox as your personal information, and think of the fort itself as the server or PC.

      Fort Knox is not secure because it was easy to do, nor is it secure because they spent ungodly amounts of money securing it. Fort Knox is secure because it was well thought out, well implemented, and has been modeled after the sum of innumerable years of open ideas about how to build a stronghold. The idea of hiding all that gold under a rug and hoping nobody will notice is utterly absurd. All it would take is for someone to accidentally kick the rug or tell just one person where the gold is and it's all over. Conversely all it would take is just one person to talk about a hole in Fort Knox to have the entire Army in Kentucky in a matter of hours.

      --
      You are about to give someone a piece of your mind, something which you can ill afford...
    6. Re:The Real Truth... by colmore · · Score: 2, Interesting

      "Although, interesting enough, if Darwinism really works, Windows users may ultimately adapt to having to always struggle to keep their boxes secure, and perhaps even end up being better than most Unix gurus at home computer security. Time will tell."

      Sigh... because I feel like being an asshole today:

      Unless you're thinking about a future in which Windows users have a greater chance of surviving and producing offspring, and the genes for being a security-minded windows user are passed off to the next generation, you aren't talking about Darwinism at all. What you're talking about is the school of hard knocks.

      And because I *really* feel like being an asshole:

      Interesting should have been an adverb.

      --
      In Capitalist America, bank robs you!
  53. True article, false title. Redhat != Linux by DunbarTheInept · · Score: 2, Informative

    The article compares the windows of time of vulnerability between reports of security flaws and available fixes to them. Based on that, Linux should come out WAAY ahead, and yet it didn't... And then I noticed the one important detail - they were comparing Redhat to Windows, and thus the window of vulnerability counts from when the vulnerability is reported to when REDHAT gets the fix packaged up and pushed out through *their* channels, which is significantly after the fix is available if you didn't go through redhat to get it.

    So, the research is very true - a straight redhat install with no outside packages does have longer windows of vulnerability than a straight Windows install with no outside packages. But the person writing the article told a MAJOR LIE when summarizing it for the article, by attributing the long windows of time to linux in general, when really it's a problem with just redhat.

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  54. My God They're Right!!!! by ObsessiveMathsFreak · · Score: 4, Funny

    I'm going to dump my Fedora Installation(TCO $0.00)
    and run to the store and buy me Server 2003(TCO $599-$3522 + Licencing).

    Definitely not going for RHEL(TCO $349-$2499 + Licencing) because no matter how hard I try, I could never get as secure with up2date, SELinux, Pax and Firefox as I could be with Windows Update, Third party antivirus, Windows Firewall and Security Center. NEVER!

    And I shouldn't even be comparing Fedora to Server 2003 because Fedora could never be used as a server of any kind. Neither could Slackware(TCO $0.00), Suse(TCO ~$100.00), Mandrake(TCO ~$100.00), Debian(TCO $0.00) or any other of those insecure Linux distros! They're not SOLD as servers so they absolutely cannot be compared to server 2003. No way, never, uh-uh.

    Wow! This study has really opened my eyes to the lie. Why did I abandon my XP installation(TCO $200.00) after only a few dozen major worm outbreaks? I could have done anything on XP that I can do in Linux. It would only have cost me a few thousand dollars, but I could have!

    These researchers have really opened my eyes to the lies. I believe everything they say, even without the data to prove it they..... .....

    Ok here my sarcasm must crack under the sheer enormity of the following statement.
    The pair said that they lacked the funding to test other operating systems, such as the Apple OSX kernel(TCO $100.00), although they thought it was "amazingly" stable.
    WTF!? Are these guys for real? Is this study just a troll? I mean... WTF!!?

    I will however take a wild guess that their next server security study will have OpenBSD mysteriously absent.

    --
    May the Maths Be with you!
  55. Most Basic and typical installation by tacocat · · Score: 2, Interesting

    The article states that the configurations were done using the typical, basic options that an administrator may do and not any kind of security wizard.

    I would like to know how many companies are out there that would take their pimply faced intern and have him do a default installation for an internet server with databases on it. They may have found a valid point, but their premise is fucking retarded.

    I have always given MSFT the benefit of the doubt that they would have the option to configure a server with the intention of meeting security requirements and similarly doing the same with Linux and then see who's the most secure. While Microsoft has made ground against the *NIXes of the world, I really don't believe that a reasonable attempt at security is any better on Windows than it is on Linux. Considering the damage they've been suffering, I would expect their default installations to be increasingly severe.

    I would equate this study to testing the security of a 4 foot high brick wall or a 3 foot high set of four horizontal wires. The wall is obviously more secure, until you turn on the high voltage supply to the electric fence...

  56. Re:Hardly scientific isn't it? by Assmasher · · Score: 2, Interesting

    LOL, tell me about it. Ever written a SOAP web service that you wanted to do things besides call other COM objects/CORBA objects? Fo' gedd aboud it... ;)

    --
    Loading...
  57. Re:More FUD by jc42 · · Score: 4, Insightful

    Funny thing that seems to be missing in the discussion so far: I don't see anyone pointing out that this is a "sample of one" study. So any generalization at all about which system (or admin ;-) is more secure is laughable at best.

    It is useful as an anecdotal example. Especially in the area of security, where real security tends to mean knowing a lot of very specific examples of how things can go wrong. Documenting how these guys could have inadvertently left holes open would be useful. Then we need several hundred more such paired tests, with a more extensive report listing all the ways that admins of both systems can get it wrong.

    But concluding that, because two guys didn't get it right in a single test, therefore one of the systems is more or less secure than the other, shows little other than a total lack of understanding what security is all about.

    That, or intentional FUD on the part of either or both.

    I'd go with the lack of understanding. People are really good at generalizing from a single case with no statistical significance.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  58. Insightful? Not really. by SmallFurryCreature · · Score: 2, Informative
    There are many many ways to run a webserver yet have only port 80 and/or 443 open and yet update.
    • Update the machine locally. Sure you need access to the machine but this is not impossible if you really want it.
    • Use a modem set to only accept calls from your telephone number to give remote access to the terminal.
    • Use firewall rules to only accept other ports from certain addresses.
    • Use multiple IPs, perhaps even using a dedicated machine to handle your ssh which in turn connects to the servers. Hard to attack a machine which is unknown.

    Sure most people will have 1 server handling all tasks running somewhere outside their reach but there are ways around having every damn service in the world open to the entire world.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  59. I've seen it in action by Eskimore_ · · Score: 3, Informative

    I did some work at a local University a while back. The faculty I worked in used HP-UX for their core services, Linux on the desktop, a couple of Solaris labs and 1 small (less than a dozen) windows lab. The other faculties used Windows almost exclusively.

    The faculty that ran the *nix based services had almost no complaints of intrusion or other security problems from the "global" IS department of the university, while some of the windows using faculties were being threatened with losing their internet access because of too many security breaches.

    No, this isn't a study. But it's evidence of how it works in the real world.

    The reason I think *nix is more secure is because of how configurable it is. You can configure almost anything. Hell, you could write your own TCP drivers if you felt like it (not that I've ever known anyone to do that). On Windows you're limited to the security options given to you from the vendor. Or you have to pay a 3rd party for their innovation... With *nix the power is in your hands.

    'Out of the box' software/systems are usually never ready for production environments right? But sufficiently tweaked most systems can be reasonably secure and centrally manageable. I just think that level of tweakability is higher with *nix. /my2cents

  60. Knocking music by starwed · · Score: 5, Funny

    Hmm:
    Who's there?
    Knock Knock.
    Who's there?
    nock Knock.K
    Who's there?
    ock Knock.Kn
    Who's there?
    ck Knock.Kno
    Who's there?
    kKnock. Knoc
    Who's there?
    Knock. Knock
    Who's there?
    Steve Reich

    She probably wouldn't like that one any better. :(

  61. FUD and a Never-Will-Be-True Assertion by VB · · Score: 4, Insightful

    It's unfortunate RedHat has acquired Windows' weak security posture in its effort to attract Windows server market share. I've personally had to administer 3 compromised Redhat boxes, and this after converting that client over from Windows due to a compromise.

    But, RH isn't Linux. Linux is many distributions, some good, some not so good, but if you take the pool of Linux administrators against the pool of Windows administrators, you'll find Linux administrators are more knowledgeable about their systems and do smarter things in securing them. This isn't as true as it was a few years ago before the reluctant Windows administrative masses took refuge in RedHat, but you won't see _any_, not even one Linux defector to Windows. Perhaps BSD, but definitely _not_ Windows!

    I've never seen one of my Slackware servers (running sendmail, _even_ and FrontPage extensions with PHP on the Apache server) compromised. It's never happened in the 10 years I've been using them.

    I've been wasting a lot of time lately poring through logs for a new project and it's ludicrous how much additional coding I've had to put into my Perl scripts to make allowances for compromised Windows boxes that have inundated my web server with traffic during their Code Red and Slammer compromises, not to mention all the other little oddities Windows clients do when downloading mp3s from the server, such as client caching and sending 32k+ search strings in the URL. It creates work to have these obnoxiously configured client machines on the Internet.

    I'm not going to complain too loudly since without all these Windows users on the Internet surfing my site, there wouldn't be much of interest to process in these logs, but to assert Windows as more secure than Linux?! Really....

    Could someone please post the name of which Micro$oft C?O's budget backed this study, so we can move on to a more interesting and valid discussion?

    --
    www.dedserius.com
    VB != VisualBasic
  62. Re:It's a defensive posture by Monkelectric · · Score: 2, Interesting
    Open Source has gone as far as it can as a novelty act,

    As far as it can go as a novelty act? Apache runs 50% of the internet, Firefox alone has 25 million downloads, Bind runs a large portion of the DNS infrastructure. YOU are the novelty act with your shiny graphics that consume 50% of your CPU, worthless office applications that "enable business" by locking up constantly, and not being able to boot XP without a 150mb footprint.

    We were here before you and we'll be here after you're gone.

    --

    Religion is a gateway psychosis. -- Dave Foley

  63. Hmm... true by doyle.jack · · Score: 3, Insightful

    A Windows Web server is more secure than a similarly set-up Linux server

    I would have to agree. Windows IIS servers are insecure, if you set up an Apache server similarly (insecure), it will also be insecure.

  64. Bruce Schneier on Linux security by frozenray · · Score: 5, Informative
    Which is more secure, Windows or Linux? It depends on whom you ask. Here's what Bruce Schneier, a reputable security researcher and author of "Applied Cryptography" and other computer-security related books has to say on the matter:

    Linux Security

    I'm a big fan of the Honeynet Project (and a member of their board of directors). They don't have a security product; they do security research. Basically, they wire computers up with sensors, put them on the Internet, and watch hackers attack them.

    They just released a report about the security of Linux:

    Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that an unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) has an online mean life expectancy of 3 months before being successfully compromised.

    This is much greater than that of Windows systems, which have average life expectancies on the order of a few minutes.

    It's also important to remember that this paper focuses on vulnerable systems. The Honeynet researchers deployed almost 20 vulnerable systems to monitor hacker tactics, and found that no one was hacking the systems. That's the real story: the hackers aren't bothering with Linux. Two years ago, a vulnerable Linux system would be hacked in less than three days; now it takes three months.

    Why? My guess is a combination of two reasons. One, Linux is that much more secure than Windows. Two, the bad guys are focusing on Windows -- more bang for the buck.

    Bruce Schneier
    Posted on January 06, 2005 at 01:45 PM
    ------------
    Different methodology, different results. My money's on Schneier.
    --
    "There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
  65. Quoting the relevant bits. by LuSiDe · · Score: 4, Interesting
    This is probably FUD but we need solid arguments to debunk it. Slashdot, Groklaw et al can contribute to this but saying it's 'crap' right away because of the conclusion which you may dislike is not entering the discussion from a pragmatic or rational point of view (quite the contrary).

    I'm gonna give it a try and quote here what I read in the VNUnet article (which is the most informative one IMO since it contains a few details, in contrast to the other one) and try to express some reasoning. Until the real analysis is out we cannot be sure about anything though.

    analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.

    Classic strategy: minimize your enemy by defining it tightly as a dogma, then attack that dogma. I've seen this from Sun Microsystems as well. Basically, they ignore e.g. Novell. At least Novell is also a big player in terms of market share.

    That said I remain interested in learning why they chose to compare to Red Hat and Red Hat alone.

    "Vulnerability counts are much higher with Red Hat than with Microsoft," said Dr Ford.

    Definition of 'vulnerability counts' and which vulnerabilities are counted. For example, let's say Red Hat has a patch for OpenLDAP while I run LAMP or LAPP; then who cares about the fact that there's an OpenLDAP patch? Not me.

    In all three cases Windows Server 2003 came out ahead, with an average of 30 "days of risk" between a vulnerability being identified and patched compared to 71 from Red Hat.

    71 days is long! How they got to these numbers is also very interesting. For example, does this include e.g. the Mozilla bug which was alleged to be known (but not fixed) in 2001? It reminds me about MSIE for which vulnerabilities took long as well and remember 1 patch != 1 vulnerability either.

    "I am a huge Linux fan, and I have a Linux server in my basement. The first time I saw the statistics I thought someone had mucked about with my database."

    "There are some people who are sceptical [of the results]," said Dr Thompson. "We would encourage them to replicate this type of study. If you see flaws please tell us."

    Statements like these may just as well be from astroturfers. It's also a classic strategy: basically, you play as if you're convinced by the study you conducted yourself while you expected a different result. In all honesty, why would you believe the judgement about the conclusion ("FUD!") from someone who hasn't read the study over the one from the person who got convinced by his own study? This is why there's not much we can currently do except arguing over the existing details! This is why we need to stress where the missing details are. This is why we cannot judge yet.

    One last note:
    "You would be a fool to make platform decisions without thinking about security," said Dr Ford. "When you choose a platform you have to factor in the costs of intrusion. It is not just the costs of a break in; it is the time spent running around making sure no one gets in."

    With that last statement Dr Ford basically says to take this study with a grain of salt because that's precisely what he hasn't researched!
    --
    WE DON'T NEED NO BLOG CONTROL.
  66. Were forced to conclude... by noidentity · · Score: 2, Funny

    In an academic study due to be released next month Dr Richard Ford, from the Florida Institute of Technology, and Dr Herbert Thompson, from application security firm Security Innovation, analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.

    I see.

  67. Related article by loconet · · Score: 2, Informative

    Here is another related report in which Windows is compared with Linux in terms of security. Interesting read.

    --
    [alk]
  68. While I don't like this article one bit... by delirium28 · · Score: 2, Insightful
    ...I must admit that there is a point lying in there somewhere. Perhaps Red Hat (or Apache) should re-evaluate the "default" setup for Apache. If it was "more secure" in a default setup, then we wouldn't have people like these making these types of claims.

    Keep in mind that most admins are lazy, and that while we can yell and scream that a default setup is not secure nor is it a good indication of being secure, it still should be somewhat secure out of the box. If it's not, then we have a problem and we're supplying the ammunition to the FUD machine that is MS.

    --
    Who is John Galt?
  69. Also I think the point here was particularly good by Sycraft-fu · · Score: 4, Insightful

    Their contention was that for lower skill admins, Windows was more secure. Now, assuming the research was done correctly and the data does indeed support the conclusion, it's a good thing to know. That's something to try and improve in Linux, especially since less competent admins are the real problem.

    It's not all that useful to research how tight a competent admin can lock down a box because the answer for almost any OS is "very well". You get a good admin that knows their OS and is on top of things, they can keep anything secure, even Windows. So it's not of much use to say a competent Linux admin can make a secure system, we already knew that.

    It is useful, however, to know that a less competent admin will have trouble. More useful would be to know what specifically needs to be done to fix it, but just knowing that it's a problem is a start. If Linux continues to gain in popularity, more people that are not as competent will be running it. While you can never truly protect someone from themselves, there are things you can do to make things more secure for those that don't know what they are doing, and that's a good thing for Linux developers to be looking into.

  70. do I care? by Anonymous Coward · · Score: 3, Interesting

    I have a Linux server with qmail and publicfile. No other open ports except SSH which is firewalled to a small set of hosts, runs on a different port, works with keys only, and doesn't use PAM. I haven't rebooted or patched anything on it in months. Unless there is a remote root hole in the kernel I won't bother with it.

    Maybe Red Hat is less secure than Windows, who cares. They both have greater than zero security holes, which makes them both insecure. All I know is I have a fairly secure server and I know how to set up another one for zero dollars on my lunch break. Plus djb has a $500 reward for security holes in his software, I don't see Microsoft even pretending they have anything like that.

    Folks, don't fool yourself. Both Windows and Linux distros are mostly crappy software full of holes. It doesn't need to be that way, and admins shouldn't need to be "wizards". But that's how it is.

    At least with Linux you 1) don't have to pay and 2) have access to the source code. I don't see how Windows can ever win this argument, except maybe with inexperienced or ignorant admins, or special windows-only software.
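    As an added illustration of the kind of setup described in this post and in the earlier list of ways to keep only 80/443 open to the world (example configuration added here, not from the original posts): an sshd_config drop-in and an nftables ruleset that expose only the web ports publicly, move SSH to a non-default port, allow it only from named admin hosts, require keys, and turn PAM off. The port 2222, the 192.0.2.x addresses (the documentation range), the "admin" account and the file paths are assumptions for the example; replace them with your own values.

```conf
# /etc/ssh/sshd_config.d/50-lockdown.conf   (assumed path; requires an
# "Include /etc/ssh/sshd_config.d/*.conf" line in sshd_config, OpenSSH 8.2+;
# on older releases put these directives straight into sshd_config)

# instead of the default "Port 22"
Port 2222
# instead of "PermitRootLogin yes" / "prohibit-password"
PermitRootLogin no
# instead of the default "PasswordAuthentication yes"
PasswordAuthentication no
# older releases spell this "ChallengeResponseAuthentication no"
KbdInteractiveAuthentication no
# keys only, no fallback to any other method
AuthenticationMethods publickey
# as in the post; caveat: on some distributions this also disables PAM
# account/session handling (resource limits, login records), so check
# what else your distro routes through PAM before switching it off
UsePAM no
# "admin" is a placeholder account name
AllowUsers admin
LoginGraceTime 20
MaxAuthTries 3

# /etc/nftables.conf   (assumed path): 80 and 443 are open to everyone;
# 2222 is reachable only from the admin hosts in the set; everything else
# is dropped by the chain policy, including 2222 from any other address.
table inet filter {
    set ssh_admins {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport { 80, 443 } accept
        ip saddr @ssh_admins tcp dport 2222 accept
    }
}
```

    Before restarting sshd, keep an existing session open so a mistake cannot lock you out; `sshd -t` checks the configuration for syntax errors and `sshd -T | grep -iE '^(port|passwordauthentication|usepam|authenticationmethods) '` shows the values that actually took effect after all includes. `nft -c -f /etc/nftables.conf` parses the ruleset without applying it. Note that the ruleset above covers only IPv4 for the SSH exception; if the host has a public IPv6 address, add an `ip6 saddr` rule and set for it as well, otherwise port 2222 is unreachable over v6 rather than open, which is the safe failure but may surprise you.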

  71. Re:More FUD by 1u3hr · · Score: 4, Informative
    A study comes out saying Windows is better than Linux? Question the results

    Having read TFA, the "study" consisted of counting security flaws for RH and Windows, and comparing how long it took to issue patches -- from the date of the vulnerability being announced. This is really shallow; we've seen lots of such studies and laughed at them. I note the spin put on this is "One of them, a Linux fan, runs an open-source server at home..." which makes it look like a Linux zealot has been hacked in his own home, while the happy Windows guy is unscathed. In fact, it was all hypothetical, there were no trials of real servers (none mentioned anyway), just "potential" vulnerabilities in default setups.

  72. Biased? by Quixote · · Score: 4, Insightful
    As someone else also mentioned earlier, the reason people are so skeptical of such "studies" is that these go counter to their own experiences.

    As someone said, "extraordinary claims demand extraordinary evidence". In a lot of peoples' opinion, the claim that Windows is more secure than Linux is just that, an extraordinary claim.

    How would the authors of this study reconcile it with something like this one, which showed that a default installation of Windows got infected with a virus within 20 minutes?

  73. Once again, RTFA! by khasim · · Score: 5, Insightful
    A study comes out saying Windows is better than Linux? Question the results, Impugn the source and dig as deep as it takes to find some political or financial affiliation between them and Microsoft, no matter how asinine or inconsequential.
    You left off the part where comments such as yours are mod'ed up even though they contain zero content.

    From TFA:
    They compared Windows Server 2003 and Red Hat Enterprise Server 3 running databases, scripting engines and Web servers (Microsoft's on one, the open source Apache on the other).
    That sounds good. A real comparison of real services running on real servers.

    But wait!
    The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.

    Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
    They aren't real setups.

    And it gets worse.
    Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.
    Hmmmm, I wonder if they included the info from www.eeye.com (http://www.eeye.com/html/research/advisories/AD20050208.html). 190 days is a long time.
    On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.
    That's amazing. Particularly with that single 190 day vulnerability I referenced. And those kinds of "studies" have been completely discredited.

    So, a "study" that doesn't test any real world criteria is somehow valid?

    Oh, it's not that the study is not valid, it's that pointing out the flaws in the study shows the groupthink on /.

    And pointing out that perceived groupthink gets you mod'ed up as "insightful".
  74. Re:Hardly scientific isn't it? by gelfling · · Score: 2, Funny

    Oh sure I did. Do you even bother to think about what you say? Lemme ask you a question oh keeper of the 20-sided die.

    How easy do you think it is to unpack a windows machine 2003 or other, plug it in and have it be relatively secure w/o doing much of anything at all? Compare that to whatever the normal effort is in getting a Linux box up and running with the barest amount of bit twiddling that the install proc makes you do. For the most part - at 400+ distros there are always a few that really suck at this.

    At any rate Transformicon Master+200, Given the reality of say .....the fact that your average Win server deployed in a commercial environment has >12 accounts in the admin group just to get the basic work done and that the restrictions imposed by those accounts.......

    Now I know... oh wizard of the volcano of half assed wisdom.. this is going to shock you right out ya jammies.......

    How does that fact, that essentially busted windows security model protect the system from one another of the admins. You see in the real, non-basement dwelling R0xx0R world, the largest number of threats are from the INSIDE.

    So unless you have an environment that isolates and manages the system at least as well as Unix or RACF then you will have a system, no matter how hardened from the tools @ Un-Root, that is still profoundly broken.

    There, was that thought out enough for you or do I need a new magic sword and 2 bags of fairy dust?

  75. makes sense to me by dougnaka · · Score: 2, Funny
    This is why I have lots of secure Windows servers that are chock full of logs of hax0red Linux servers attacking them.

    --
    My Linux Command of the Day site : LCOD
  76. It doesn't even come up to that level. by khasim · · Score: 2, Interesting
    Funny thing that seems to be missing in the discussion so far: I don't see anyone pointing out that this is a "sample of one" study. So any generalization at all about which system (or admin ;-) is more secure is laughable at best.
    This "study" can't even hit that lofty goal.

    From TFA:
    The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.
    It wasn't even comparing one Linux admin vs one Windows admin.

    They had agreed to run in the "most basic configuration" for their systems.
    Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
    The "study" was setup to limit the options available to the admins.

    The only information that can be gained from this "study" is the identity of two people who are too stupid to be trusted with any actual security study.

    A real study would be having both of them setup their systems, any way they wanted to, and having every step documented and the reason for it given.

    Then put both servers on the Internet and compare the compromise rates.
  77. Oh yes it is. by khasim · · Score: 2, Insightful
    It said the criteria "included" the number of vulnerabilities. It didn't say that was the whole basis of the study; it was just one factor. Hardly a reason to dismiss the study.
    It is the best reason to dismiss the "study".

    If you want to see which car is safer than another, you would do things like controlled crash tests and use crash test dummies.

    You would NOT factor in how many crashes they had both been in. One moron who keeps hitting telephone poles would alter the stats too much.

    The material in TFA does NOT show them comparing the security models or even the patch severity. One bug in a seldom used perl module that lagged on the fix could result in very bad stats for Red Hat.
  78. Re:More FUD by dgatwood · · Score: 4, Insightful
    The funny thing about this is that it says nothing about actual security. The -real- risk interval is the time between when a problem is first exploited and when it is fixed, not the difference between when it is reported and when it is fixed.

    That's a critical difference. So many people pore over the Apache source code that most vulnerabilities are discovered prior to when they actually become "in the wild" exploits. The same cannot be said about MS IIS. Worse, the odds are very good that many of the IIS exploits were in the wild prior to when they were first publicly reported, while most of the Apache exploits were, in all likelihood, patched prior to the first exploit.

    When viewed from that perspective, the Windows/IIS server was likely vulnerable to exploit for many, many more weeks than the Linux/Apache server. And that assumes that half the vulnerabilities are ever even reported. With a closed source product, there could be tons of security holes being subtly exploited by clever crackers every day and there would be no way to find out about it.

    No, this article is pure and unadulterated FUD.

    There are three kinds of lies: lies, damned lies, and statistics.
    ---Benjamin Disraeli

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  79. Why is it that ... by polyp2000 · · Score: 2, Insightful

    Apache 39821368 68.43 40681140 68.83 0.40
    Microsoft 12137446 20.86 12322111 20.85 -0.01
    Sun 1830008 3.14 1835718 3.11 -0.03
    Zeus 690193 1.19 618599 1.05 -0.14

    Given those statistics (source - netcraft) why is it then, that we don't see malware attacking apache on such a grand scale as we do IIS? If it's possible for an operating system with such a small percentage of the (server)market to suffer from such virulent malware attacks - then why do we not see these problems on linux which has a comparatively small share of the desktop market?

    I call bullshit!

    I've been seeing this coming for a while though as people find new and exciting FUD campaigns. Does anyone know who funded this report ? need I even ask that question?

    Nick ...

    --
    Electronic Music Made Using Linux http://soundcloud.com/polyp
  80. the biggest FUD is when... by l3v1 · · Score: 2, Funny

    ...when we read something like "They wanted to cut through the near-religious arguments"

    I do not believe that security evaluation has anything to do with religious beliefs. However, wishing that Windows (including server applications like IIS) is superior in security to its Linux counterparts does indeed require a somewhat meditational deep religious vocation.

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  81. Re:More FUD by LnxAddct · · Score: 5, Insightful

    Their analysis was based on number of patches and time it took to get patched from the time it was publicly released. Microsoft stays quiet about most vulnerabilities until a patch is ready and will ship it some time that month, thus the average 30 days. In addition to this, there are still IE holes unpatched from last July. This didn't make the report because it's a server. Also, Linux comes with *much* more software by default and much more functionality. They said that these were default setups. That means that if they were using a distro like Red Hat, every single program gets updated as necessary (over 2000 programs, judging from one of my boxes). Far fewer programs get updated from Windows Update (usually only core programs and utilities... or things that Microsoft deems necessary).

    Also, many OSS exploits are theoretical in nature... if a strcpy() passes an unchecked ptr and some coder sees this... whether or not that code could have been exploited... he fixes it and out goes the patch. It's a patch for something that may have never been even able to be taken advantage of. That would never happen in a commercial project. All this study shows is that these researchers define security as the ability to hide security problems as long as possible until a patch is ready and if the patch never gets ready, just never tell anyone about the problem. Following the two above stated rules would easily make any software company "secure" by their standards. As stated previously, their criteria was # of patches and time to release. Time to release is shortened by waiting until the patch is ready (which Microsoft does) and # of patches is shortened by simply not releasing non-major patches and just rolling them out with the next version. The criteria these guys used was meaningless and if anything shows that Linux is doing something right if they are updating several times more programs with only twice the delay (which I really doubt is the true delay time). One other thing worth noting, the Ford guy has been paid by Microsoft several times to do studies and release them in favor of MS, I'd hardly call him a true Linux fan. Maybe this time they just covered it up better... you wouldn't want to bite the hand that feeds you.
    Regards,
    Steve

  82. One person is an anecdote, all systems are fact. by khasim · · Score: 2
    But heresay and anecdotes aren't supposed to matter in a study. It doesn't matter what the niche audience of Slashdot's experiences are (yes, compared to the rest of the industry, this is but one of many niches with skewed viewpoints).
    You have the terms wrong.

    One person's experience (as in TFA) can be dismissed.

    But the statistics of what systems were infected last year and how they were infected can not be. Yet each of those systems has an admin whose personal report could be dismissed.
    I haven't read about Unix/Linux worms on CNN, but there are plenty of vulnerabilities just the same, and besides, a lot more people use Windows than Linux so of course CNN will report Windows holes and not Linux. If Firefox had the marketshare IE has, you'd see its holes being reported on CNN.
    Ah, the old "marketshare == security" claim.

    No, the reason you don't see reports of Linux worms on CNN is that there aren't any Linux worms that are spreading.

    CNN will report on a new vulnerability, if it is a slow news day. But they will definitely report on a new worm spreading.

    Linux is more secure. That's why there aren't any major worm outbreaks.
    Visit LinuxSecurity some time. Linux distros are as full of holes as anything else. Gentoo in particular has almost weekly lists of security announcements for its packages. And let's not forget the recent Linux kernel and Firefox vulnerabilities that have been reported here on Slashdot.
    And I use Debian and update almost every night.

    Most of those "vulnerabilities" are not exploitable remotely. Nor do they give elevated privileges. They are minor "vulnerabilities". Here's an example:
    Date: Wednesday, 16 February 2005
    A vulnerability in rwhod was discovered by "Vlad902" that can be abused to crash the listening process (the broadcasting process is not affected). This vulnerability only affects little endian architectures. The updated packages have been patched to correct the problem.

    and
    Date: Wednesday, 16 February 2005
    wpa_supplicant contains a buffer overflow that could lead to a Denial of Service.

    There are worse ones there, but just counting them shows the individual's cluelessness. The criteria are:

    #1. How widely deployed is the package? A vulnerability in the kernel is far worse than a vulnerability in some app that 10 people run.

    #2. Remote or local? Remote is far worse than local.

    #3. What is the result? A denial of service is annoying. Executing arbitrary code is critical.

    So,

    #1. a remote kernel exploit that executes arbitrary code is VERY VERY VERY BAD.

    But,
    #2. a local exploit in some app that 10 people run that causes that service to crash is not even a threat.

    Yet just counting them treats them as if they were the same.

    So does averaging the days to release a patch. Who really cares if #2 took 200 days to fix? (Aside from the "researchers" doing these "studies").
    All I'm saying is, I'm detecting some prejudgmental bias that stems from a hatred for Microsoft and a need to best them in all ways. That is not the sign of a mature technical community and will only serve to make things even more insecure.
    No. Some of us have a lot more experience with these things.

    There are major fucking flaws with that "study" as it is presented in the article. In fact, it goes beyond "flaws". From their decision to limit the options of the admins, it looks like intentional bias.
    The worst thing to do in a security situation is to ignore criticism. Let's have Linux stand up to all criticism, and any that arise can be addressed quickly. THAT should be the advantage of Linux, because perfect flawlessness will never be it. It's impossible.
    No one is ignoring any criticism.

    The fact is, there are more infected Windows machines than Linux machines. Both in pure numbers and as a percentage of marketshare.

    THAT fact shows that Microsoft's approach has not been successful and that Linux APPEARS to be doing better.
  83. Could be severely flawed ... by jopet · · Score: 2, Insightful

    Without knowing the study in detail it is extremely difficult to comment, but from what I could read in the news article, there could be a crucial and severe flaw in the study: simply counting vulnerabilities won't tell anything about how critical they are, how easily they can be exploited etc. With open-source apps there is a tendency that many vulnerabilities get reported which are low risk while the number of real vulnerabilities in closed source systems is probably only known to core developers and a few hackers, who won't tell us.

  84. Knock Knock Joke Revisited by Hoi+Polloi · · Score: 4, Funny

    Knock Knock.
    Who's there?
    Who's there?
    Is anyone there?
    Who's there?!

    - John Cage

    Is that too obscure?

    --
    It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  85. Re:More FUD by Zebra_X · · Score: 3, Informative

    The same cannot be said about MS IIS. Worse, the odds are very good that many of the IIS exploits were in the wild prior to when they were first publicly reported, while most of the Apache exploits were, in all likelihood, patched prior to the first exploit.

    Did you read the article? The server tested is Windows 2003. The web server is IIS 6.0. These "many exploits" that you refer to, which ones are they? Last time I checked there were no reported remote exploits for IIS 6.0. There ARE exploits for 2003 as a platform, but not for 6.0 as a product.

  86. Re:More FUD by Anonymous Coward · · Score: 2, Interesting

    I think the flaw in this post is that you assume that open source software is more secure because people "COULD" look at the source code. I think it's been proven several times that you can't quantify security by its OSSness or lack thereof. COULD and SHOULD are two different things.

    Personally, I do feel that apache is more secure than many OSS projects but with apache we have many third party modules being used which are not secure. In general web servers have extensions enabled on them that open the flood gates for more attacks.

    For example, a webserver may have mod_php, mod_perl or any number of third party add-ons. apache httpd may be safe, but how many "problems" have we seen with PHP in the past few years? People don't like to talk about it because PHP is the big OSS competitor to ASP/ASP.NET.

    Likewise, an IIS server most likely has ASP or ASP.NET enabled and possibly another language like PHP, PERL, or (insert here). I think it's more common for IIS servers to just run Microsoft languages though and so Microsoft has an opportunity to lock that down further. (if they do or not is another story)

    I'm subscribed to bugtraq and I see an equal number of Linux security vulnerabilities to Windows. Why? Because with Linux, you have a kernel written by one group and a ton of third party software. Each programmer or group may have different knowledge of secure programming. At Microsoft, they have the same people making the same mistakes.. and bad as that is it's a subset of the total mistakes they could make. You can't just look at kernel holes, but rather all common software that most distros have. Look at Gentoo or Fedora.. if it were paper we'd have no trees left. Likewise with Microsoft's :)

    In case you haven't guessed, I'm not a fan of either system. :)

  87. This is news? by katorga · · Score: 2, Interesting

    C'mon. Linux is more securable than Windows. More options, more things to lock down, and more access to the kernel to create hardened installations (i.e. the NSA kernel).

    Windows is easier to secure than Linux. It takes the length of a reboot to install a high security INF from NSA, NIST, SANS or other security site. Lack of access to internals limits the ability of most users to really tweak its security.

    Both OS's need to be installed, patched and hardened prior to network connection. Both OS's need competent administrators or all bets are off.

    Windows is more susceptible to malware/virus attack, but as Linux installations gain marketshare they will get hit as well. That's a fact of life.

  88. Glad the thoughtful analysis is going on here by X · · Score: 2, Insightful

    The irony of the posts I'm reading here makes me laugh. I'm reading posts talking about poor analysis and bias written by people who are critiquing a study before it even comes out.

    Folks, it's hard to maintain credibility if you heap praise on one study that agrees with you and then critique another sight unseen.

    Wait for the study to be published, examine its assumptions, and try to reproduce it. I know it's not as exciting, but that's the only way anyone is going to get to the truth.

    --
    sigs are a waste of space
  89. Security is a Process.. by myke113 · · Score: 3, Insightful

    Security is a process, not a product. A hardware firewall is useless if its firmware can't be updated and a vulnerability is found. But software, in the right hands, due to it being more configurable, is generally safer.

    --

    -Myke
    myke@compassionatecoalition.org
    http://www.compassionatecoalition.org
  90. Doublethink in action by Glamdrlng · · Score: 2, Interesting

    Every time someone does one of these studies they start from the same flawed logic. They calculate exposure time as "time from vulnerability disclosure to patch availability". In Microsoft's world, a vulnerability doesn't exist until they've disclosed it. And guess what? They don't disclose it until there's a patch available. They're also quick to brand any researchers who post vulnerabilities before they get patches as irresponsible.

    So it's a self-fulfilling prophecy: Microsoft products will always have lower exposure time for vulnerabilities because most Linux distro maintainers practice full disclosure.

    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.
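    As an added example (not from any poster in this thread), a small Python model of the argument made in comments 82 and 90 above and in the top comment: counting advisories and averaging disclosure-to-patch days favours whoever discloses late, while weighting each bug by deployment, reachability and impact (criteria #1 to #3) and measuring from first in-the-wild exploit to patch tells the opposite story. All vulnerability records are constructed and the severity weights are an assumption, not figures from the study.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Vuln:
    name: str
    deployed: float            # fraction of installs running the package (criterion #1)
    remote: bool               # reachable over the network? (criterion #2)
    impact: str                # "dos", "info" or "code" (criterion #3)
    disclosed: date            # public disclosure
    patched: date              # fix available
    exploited: Optional[date]  # first known in-the-wild exploit, None if never seen

IMPACT = {"dos": 1, "info": 3, "code": 10}   # assumed weights, DoS < info leak < code exec

def severity(v: Vuln) -> float:
    """Weight a bug by deployment, reachability and impact instead of counting it as 1."""
    return v.deployed * (4 if v.remote else 1) * IMPACT[v.impact]

def study_days(v: Vuln) -> int:
    """The study's metric: days from public disclosure to patch."""
    return (v.patched - v.disclosed).days

def exposure_days(v: Vuln) -> int:
    """Days the bug was actually exploitable in the wild before the fix: 0 if never
    exploited (or only after patching), otherwise first exploit to patch."""
    if v.exploited is None or v.exploited >= v.patched:
        return 0
    return (v.patched - v.exploited).days

def compare(vulns):
    """Naive count and average next to the severity-weighted real exposure."""
    return {
        "count": len(vulns),
        "avg_study_days": mean(study_days(v) for v in vulns),
        "weighted_exposure": sum(severity(v) * exposure_days(v) for v in vulns),
    }

# Constructed sample sets (not real advisories). FULL_DISCLOSURE: many minor bugs
# fixed in public. QUIET_VENDOR: few advisories, each published only when the patch ships.
FULL_DISCLOSURE = [
    Vuln("listener crash (DoS)",        0.01,  True,  "dos",  date(2005, 1, 1),  date(2005, 1, 21), None),
    Vuln("local overflow (DoS)",        0.05,  False, "dos",  date(2005, 1, 2),  date(2005, 2, 1),  None),
    Vuln("obscure app crash",           0.001, False, "dos",  date(2005, 1, 3),  date(2005, 7, 22), None),
    Vuln("kernel remote code exec",     1.0,   True,  "code", date(2005, 1, 10), date(2005, 1, 12), date(2005, 1, 11)),
]
QUIET_VENDOR = [
    Vuln("web server remote code exec", 1.0,   True,  "code", date(2005, 2, 10), date(2005, 2, 10), date(2005, 1, 1)),
    Vuln("browser info leak",           0.9,   True,  "info", date(2005, 3, 1),  date(2005, 3, 31), None),
]
```

    By count and average days (4 and 63 versus 2 and 15) the quiet set "wins"; by severity-weighted exposure (40 versus 1600) it is the far riskier one.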
  91. Re:More FUD by LnxAddct · · Score: 2, Informative

    Don't give Microsoft too much credit. Here. It's actually a really good track record, but not flawless.
    regards,
    Steve