Linux and Windows Security Neck and Neck
Linurati writes "According to vnunet.com, Linux and Windows are neck and neck when it comes to security, but 'misleading figures and surveys are muddying the waters.' The article lays blame on both sides for the misleading information." From the article: "...Microsoft had made real progress on security in the past two years, but that the increasing number of Linux enthusiasts coming into the market would help the open source alternative in the long run."
I think there are two main factions here, and the answer for what constitutes better security has slightly different context with significantly different results.
For all of these people their machines are ticking time bombs, and I'm usually the one who gets the call when their world of computer technology explodes. This by itself is reason enough to consider other technologies where by default they are secure. For example, Apple does a good job (not perfect) of making their machines secure... I won't go into great depth -- I'm not a heavy Mac user.
Also, Linux by default comes out of the box with decent security. Even if users do try to just use, e.g., KDE as root only, they (as I recall) have to fight off the big red screen background, kind of like the annunciator lights and bells in cars when you don't fasten your seat belts.
So, in the lay community, though Windows carries the popular vote, I think linux out of the box is by far the more secure and safe way to go.
May or may not be true, but it would be nice if I could run as LUA under Windows without having to jump through a bunch of hoops. I'm not talking about 3rd party apps, I'm talking about explorer.exe. There are a lot of little quirks and workarounds you have to deal with, although it's not impossible. It's clear that even XP was not designed with this in mind. Longhorn should do a better job of it. How good remains to be seen. That said, as a semi-experienced Linux user, I still have no idea if I am really safe under Linux. Maybe that's because I have not put much effort into it.
yawn...
Generally, bash is superior to python in those environments where python is not installed.
Right. Whatever you say. Windows is JUST as secure as Linux.
I don't think it's that far from the truth, really. It's like painting... it's the artist, not the brush. A competent system administrator can secure Windows and keep it secure, just as with Linux. An incompetent sysadmin will fail with both.
Of course, it could be said Windows makes it easier to be incompetent.
Not using IE for browsing has solved my spyware problem pretty much and since that's the major headache for most Windows users I'd always advise people to use Firefox instead of IE.
Does a Christian soccer team even need a goalkeeper?
I'm not sure what Microsoft is shipping in its Windows XP boxes anymore, not having ever purchased a retail version of it.
Having just purchased an OEM copy for a custom built machine, I can answer this question. XP Professional tends to ship with SP2 preinstalled. XP Home, however, only comes with SP1 installed to provide for better compatibility for "home" programs. (read: Programs that didn't behave themselves in the first place.)
You must really not be in the trenches much. You are way off base. I would say more than 90% of the stuff that I see is from IE problems.
1. Documents with embedded Macro viruses.
Haven't seen one of these in *years*. All office versions since 2000 have made major steps to reduce malicious code in documents, and they were few and far between in the first place.
2. False email attachments
There's been a huge upsurge lately in server side virus scanning for email, and you just don't see a lot of spyware in email.
3. RPC Vulnerabilities
Not really since windows 2000.
4. Buffer overflows on network services (e.g. IIS)
How many XP machines do you see with IIS?
Honestly, though there may be a higher percentage of vulnerabilities in other products, the VAST majority of actual infections happen b/c of IE. No IE, no spyware.
The number 2 cause of infections on end user machines I would say is the "Click here to download and install the RAD SCREENSAVER OF THE MONTH" bug, or the "Click here to get (spyware supported) WEATHER REPORTS, FREE FREE FREE ON YOUR TASKBAR" bug.
sig?
It lasted about four seconds.
Haven't seen one of these in *years*. All office versions since 2000 have made major steps to reduce malicious code in documents, and they were few and far between in the first place.
They were anything *but* few and far between. Back when I worked at a help desk, we had an Excel virus that had been prevalent in the company for YEARS. Every so often someone would give us a call and say that all the info had been wiped from their Excel spreadsheet. And that's despite the fact that Norton Anti-Virus was blocking most of these viruses before the attachment could be downloaded from the mail server. And I've never seen a user pay much heed to the "This Document is Potentially Unsafe. Open? (Y/N)" prompt.
They are certainly less common, but they are far from gone.
There's been a huge upsurge lately in server side virus scanning for email, and you just don't see a lot of spyware in email.
The problem with these worms is less the corporate email system, and more the matter of users running them from personal email. GMail does an excellent job of sorting the little buggers out, yet it still manages to let a few slip through every once in a while.
[RPC Vulnerabilities] Not really since windows 2000.
Sasser doesn't seem like it cared for your interpretation much.
How many XP machines do you see with IIS?
XP Professional and up. Thankfully most admins are replacing their servers with Win2003, which is somewhat less vulnerable to these exploits. Of course, SQL Server is still a problem with occasional flaws being found. (Why the blasted things were ever publicly accessible, I'll never know.)
It's not that I'm disagreeing that IE is the biggest problem. I'm just saying that Windows has seen (and continues to see) a LOT more vulnerabilities than that. It just so happens that exploiting IE is en vogue right now, so that's what crackers do.
So yes I would readily say that 80% of new out of box PCs are infected.... If I did all this and I knew what I was doing and still got infected in 30 minutes, could you imagine someone who didn't?
"Slashdot, where telling the truth is overrated but lying is insightful."
I've never seen a user pay much heed to the "This Document is Potentially Unsafe. Open? (Y/N)" prompt.
That's because instead of actually analysing the macros to see whether they could do anything malicious, Office just warns you about every single document that contains any sort of macro whatsoever. So if you use macros at all yourself, you either stop taking any notice of the prompt, or you turn the prompt off. It is the crappest security measure ever.
It's like an antivirus program that does nothing but pop up a window every time a new process starts that says "A new process has started that could potentially be a virus. Terminate it? (Yes/No)" - and nothing else.
A better approach would have been... oh, not including a macro language that could delete any file on the computer with a single command, for example?
Hubbard didn't *do* scientology. He had joked for years that he always wanted to invent a religion....so he did. My father read the entire Battlefield Earth series when I was a kid -- we still have the shelf of books in our basement. (The series is ungodly long.) I remember the first time I saw "DIANETICS" advertised -- I thought "how quaint! more L Ron Hubbard Fiction!!!!" -- how true, how true.
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
Look at what's actually happening, from http://www.us-cert.gov/cas/bulletins/SB05-194.html#trends:
Top Ten Virus Threats
All Win32 Worms. Pick any security site, and look at the top 10 threats. Then tell me which OS is the most secure. We can argue all day about the reasons, the facts speak for themselves.
but windows 2003 is pretty rock solid.
Riight. Like this?
Go on, pull the other one. Windows is just as leaky as it's ever been.
Riight. Like this?
Go on, pull the other one. Windows is just as leaky as it's ever been.
no, like this
oh, and btw, Microsoft has had a fix for those issues for at least a week now.
How do you conclude Windows has more serious flaws than Linux? I've seen no evidence to support that claim. In fact a major security flaw in Kerberos was just announced (that isn't in the MS version). Your post is just anti-MS FUD.
And just how many people are going to be infected tomorrow by this shocking Kerberos flaw on a Unix or Linux platform (Microsoft uses Kerberos you know ;))? The point is that the flaws within Windows and Microsoft software have simply affected too many people and businesses, and there are simply too many easy ways into Windows.
Microsoft's reaction with Windows 2003 has been to panic create several hundred permissions and group policy applications, most now off by default, to cover all the holes like sealing wax. Result? Nothing works and people simply don't have the time to deal with everything they might need, so they have to turn it all back on again. What's worse is that it simply isn't structured. People can have no real idea what is or isn't turning something off. If I start a service (and am stupid enough not to think about it) on a Unix or Linux system I know what I'm getting. If I start something on Windows 2003 it might sort of run, but it probably won't work for certain users except administrators and there'll be some setting somewhere (not in a universal place) stopping it. It makes testing an absolute nightmare. Quite how they think this makes them more secure, I don't know.
Microsoft have simply taken this 'off by default' thing they've heard about Linux and Unix and completely misunderstood it, or they've had to kludge things because their existing technology and software isn't up to it. That, I'm afraid, is simply not anti-MS FUD. It's just plain and simple reality.
Extrapolate this:
..."
The respective (2003..2005) results for the Debian Woody, which has been out for nearly three years:
Unpatched 1 of 488 total (read this line twice)
Extremely or Highly Critical 30 of 84 total
Remotely exploited 52 of 84 total
You didn't know that the Woody is one of the most secure distros available.
The actual reason to worry is NOT the amount of vulnerabilities but their severity and how long it takes them to be fixed. Microsoft often names vulnerabilities as "several bugs in
One other (serious) problem with Windows is that the owners of the pirated copies cannot get the security fixes and their systems pollute the internet.
By the way, I couldn't help noticing: the ad just beside the article was by, you guessed it, Microsoft! But I don't think it could have any influence on the article... No, not possibly...
There is something I don't get in those graphs. Take a look at them - Windows XP's last hole is dated 2005-07-14, Red Hat's last hole is dated 2004-05-03 - there *were* a lot of holes in software that Red Hat was shipping after that date... I don't want to bother to check, but isn't the last security advisory for Red Hat overlapping with end of line for RHL9? I mean those graphs are irrelevant since they measure different time periods (Windows XP is longer than RHL9). I am all about Linux but this comparison is not worth too much.
One very important point is that Microsoft patches bundle several fixes into one "issue" quite often. Also, Windows vulnerabilities are kept hush hush in many cases until a fix is already made. By the time a patch comes out for Windows, the damage is usually done and rectified by 3rd party removal tools.
The ~25% unpatched monthly stat is horrific.
Yes you can run as a restricted user. I've run that way on my home machine for months now. There are a few programs that I've had trouble with but overall it works.
My day job is with a software company and I can guarantee you that there are a lot of people running as restricted users, because our customers demanded that it work.
So yeah, restricted users work fine.
Here is a list of things that won't run under a Limited Account:
Outlook Express (managed to get Thunderbird working though, and it now runs in its own account)
Word Clipart comes up with a read-only database error (tried OpenOffice; the other users don't like it)
Quite a few games also don't run as a limited user.
So I had to bite the bullet and make the other users Administrators.
If I start a service (and am stupid enough not to think about it) on a Unix or Linux system I know what I'm getting.
Just to be fair, you have to remember that by default, a lot of distros launch a hell of a lot of unneeded services (Fedora does this), so you don't need to "start" a service, it's already mischievously running. You have to positively act to stop those useless services.
I believe OpenBSD is the best in this area since I think it has a "not running by default" policy. Even though I'm an Ubuntu/Debian person myself.