Slashdot Mirror
Linux and Windows Security Neck and Neck
Linurati writes "According to vnunet.com, Linux and Windows are neck and neck when it comes to security, but 'misleading figures and surveys are muddying the waters.' The article lays blame on both sides for the misleading information." From the article: "...Microsoft had made real progress on security in the past two years, but that the increasing number of Linux enthusiasts coming into the market would help the open source alternative in the long run."
Security in Windows itself had definately improved over the last few years. But almost all of the current and recent vulnerabilities have somehow been related to IE.
Not using IE and using Firefox instead almost completely secures an up-to-date Windows box. Get rid of IE, get rid of 90% of Windows' security problems.
Maybe for servers, but not home users. When was the last time you saw a home Linux machine 0wn3d?
(Granted, most people who use Linux at home are knowledgeable enough to keep even a Windows machine safe.)
"the increasing number of Linux enthusiasts coming into the market would help the open source alternative in the long run."
I'd say this is precisely the other way around. More users equals bigger target and more potential fuck-ups.
But I agree with the parent -- advanced psychology-based FUD is a growing science.
They are taking security vuln's for redhat EL 3, or suse 9.1, and comparing them to MS Windows. That is not fair. Now if they compared them to Windows, Office, sharepoint, IIS, Office, Project, all Microsoft games, SQL server, etc.. then it would probably be a little more fair. Linux DISTRIBUTIONS are a little more than an OPERATING SYSTEM.
What are we going to do tonight Brain?
Where are the proactive security systems for Windows? Sure, Windows by default has a fairly rigorous ACL system by default (at least in comparison to classical Linux ACL's), but trying to measure the security of a system solely on how many exploitable bugs it has is just a poor measurement method. With projects like SELinux, GRSecurity, Pax, different implementations of active bounds checkers as well as stack smashers, and good implementations like Hardened Gentoo (Debian has a hardened project but I havn't tried it) I don't particularly see how Windows has a chance in hell.
I don't know of any person with a Windows box who will hand out an admin account, but there are Gentoo Hardened devs who hand out root on their SELinux test rigs. Why? Because the system is secure enough to hand out root.
I hate these studies. Saying Linux isn't secure is like saying that fruit isn't red... it depends on what you're looking at. Are we talking about kernels? GNU tools? Common server software?
More importantly, which distribution? Windows comes with f*cking notepad and Solitaire. Linux distributions typically come with an order of magnitude more applications.
I'm on the Gentoo Security Mailing List. I get a few messages each day about vulnerabilities in software. Is each of these a ding on Linux? No, certainly not... it's a piece of software that happens to be available via portage.
If they want to be fair, then every ding on every Windows application counts against Windows.
More importantly, why the hell does every one of these boneheaded articles make it on the front page of Slashdot? Just helps spread the FUD.
The figures mentioneed by the hosting company seem to indicate that the discussion is focused on Windows security on the server side, where it is fairly true that Windows can be about as secure as Linux when both are competently managed. In both cases, there will be someone who knows about the systems taking care of them and ensuring that they're properly patched, firewalled, etc. I personally find managing Linux boxes easier, but Windows can be kept secure as a server.
Where Windows still falls down security-wise is on the desktop, where the combination of a vulnerable browser/Office Suite along with the fact that the de facto standard way for desktop users to set up their accounts is with administrator priviledges. That turns what would be a non-existant threat on the server (you shouldn't be doing general surfing or office work on a server) into a major issue. Microsoft has made feeble attempts to encourage users and developers to use limited accounts, but the fact remains that reconfiguring poorly written software to work in a limited account is a major headache that the average desktop user is not willing to put up with.
Microsoft also falls behind [most] Linux systems in that the majority of the software on a Linux box can typically be updated from a single tool (apt-get, yast, urpmi et al) while Windows Update only covers the core OS. Microsoft does have a better system in the works, but that will still only cover MS software.
Windows continues to be a world where, out of the box, people set up their boxen with everyone at administrator privelege levels.
And this points at where the problem lies - the users. They're generally lazy and uninformed. Even if they CAN set up more secure ways of doing things, they're not likely to actually do it if A) they aren't sure what they're doing and B) it will cause their computer-using experience to be more complex.
Even that isn't the main issue, though. Major problems come with the fact that users don't know what they're supposed to and what they're not supposed to run. Trojans are able to affect any system so long as the users aren't informed. Actual informed users can run administrator accounts on Windows with no problems whatsoever (I have for years without worms/viruses/adware/spyware/etc), however dumb users can still mess ANYTHING up if they're given permission to install/run programs.
If you spend any time at Secunia, you will find all of the leading Operating Systems listed.
One of the things you will notice, is that not all Operating Systems are created equally.
Windows XP is here
http://secunia.com/product/22/
and Redhat 9 is here
http://secunia.com/product/1343/
With the biggest difference being in HOW CRITICAL THE SECURITY DEFECTS ARE and HOW MANY ARE STILL UNPATCHED
Funny, that...
Windows and Linux neck and neck? Not according to these numbers.
--E--
A friend's machine is full of spyware. Common users have no knowledge of ad-aware, so what's the point of having your windows "updated" automatically, when you haven't cleaned up the spyware in the first place?
OH, and with the new SP2, you _HAVE_ to connect to the internet to activate your product, so that makes windows CD's either crippled (you can't connect w/o activating, and you can't activate w/o connecting first) or insecure by default. And I bet most of the people haven't gone to the stores to replace their WinXP SP1 CD with SP2.
The *current* build of XP might be more secure, but in general, the whole policies stuff is making that security COMPLETELY USELESS.
A good measure of windows security I'd suggest:
* Percentage of Linux machines in the world infected with spyware? 0.
* Percentage of Windows machines in the world infected with spyware? 80, maybe more.
So which OS is more secure, huh?
windows is not secure by default for a typical end user that doesn't know much about security there is no argument
t his-thing home theater setup.
/. Linux heads consistently rail against, right after they finish their rant about how the only reason Linux isn't succeeding on the desktop is because Microsoft is somehow holding them down.
And these same clueless end users are supposed to love the easy-to-use, totally intuitive, absolutely-not-cryptic Unix way of doing things so much that, if everyone would just adopt Linux, security would take care of itself.
Is it just me or does anyone else see the silliness of the above argument? Windows is not the problem with security any more than Linux. What's lacking here is something that's easy to use and flexible/powerful and secure. What we want is something with the simple user interface of a television (on/off, channel, volume, and that's about it) but we want the functionality of an I-need-eight-remotes-and-an-AV-consultant-to-run-
Personally, I think this form of contradictory nirvana simply cannot exist. If you make Linux easier to use and more accessible to the general public, it must lose either some of its security lustre, some of its flexibility, or some of both. Yet this very thing that would allow Linux to reach the mass market is what the uber-Geek
Folks, the weak link here is the human, not the software.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Uh, the parent poster never concluded Windows has more serious flaws.
I can understand *YOU* could jump to the conclusion that people think Windows is less secure than Linux (because a lot of people have that personal experience)
But for all we can tell the parent posting that you flamed may have been suggesting that Linux had more serious flaws than Windows (as laughable as that sounds; considering most online brokerages are linux/apache according to netcraft; and most all the Department of Homeland Security sites are either Linux/Apache or Unix/Apache).
More likely he was just making an observation that often journalists falsely jump to conclusionsn that when two things have some risk, that they have equal risk.
I'm sure he did, but the point is, here's Ballmer saying security is important to Microsoft, but if you want to put that in action, don't you dare put our products on the internet naked... put something running Linux, Cisco's IOS, one of the BSDs, or anthing we don't sell in between our products and the internet. And really, they do so, any administrator worth their salary does so... and yet look at how many Linux machines sit naked on the internet, or act as security appliances to protect those vulnerable Microsoft products... and then someone can say they have comparible security with a straight face?!?
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
"Linux has a slight advantage in that computer science students are learning it, but Microsoft has made life easier for non-techies, particularly with its improved patches."
This paragraph says it all.
First off, a system is only going to be as secure as the person who's using the system knows how to secure it. I've seen tons of Linux and BSD boxes with services running for no reason. Just check out Redhat's default installation and you'll see ports open all over the place that are not being used. At least that the way Redhat did things.
Secondly, Linux has 3 advantages over Windows.
1. The obvious. Linux should be more secure because it's a much simpler system than Windows! I don't think anyone can deny that. Wouldn't make sence if Linux was less secure than Windows, especially since lots of it's functionality was taken from more time proven Unix systems.
2. The people who use Linux are more likely to be experienced computers users than their Windows counterparts. Linux doesn't have to appeal to a bunch of mouse clickers who expect things to work all the time. Us geeks are willing to bend over backwards to make things work.
3. Windows operates over 90% of the world's computers, so hackers and virus writers have a much bigger target. Besides, it wouldn't make much sense for anyone to write viagra adware for Linux when most of it's users aren't even getting laid!