Linux and Windows Security Neck and Neck
Linurati writes "According to vnunet.com, Linux and Windows are neck and neck when it comes to security, but 'misleading figures and surveys are muddying the waters.' The article lays blame on both sides for the misleading information." From the article: "...Microsoft had made real progress on security in the past two years, but that the increasing number of Linux enthusiasts coming into the market would help the open source alternative in the long run."
Security in Windows itself has definitely improved over the last few years. But almost all of the current and recent vulnerabilities have somehow been related to IE.
Not using IE and using Firefox instead almost completely secures an up-to-date Windows box. Get rid of IE, get rid of 90% of Windows' security problems.
But I agree with the parent -- advanced psychology-based FUD is a growing science.
They are taking security vuln's for redhat EL 3, or suse 9.1, and comparing them to MS Windows. That is not fair. Now if they compared them to Windows, Office, sharepoint, IIS, Office, Project, all Microsoft games, SQL server, etc.. then it would probably be a little more fair. Linux DISTRIBUTIONS are a little more than an OPERATING SYSTEM.
What are we going to do tonight Brain?
Where are the proactive security systems for Windows? Sure, Windows by default has a fairly rigorous ACL system (at least in comparison to classical Linux ACLs), but trying to measure the security of a system solely on how many exploitable bugs it has is just a poor measurement method. With projects like SELinux, GRSecurity, PaX, different implementations of active bounds checkers as well as stack smashers, and good implementations like Hardened Gentoo (Debian has a hardened project but I haven't tried it) I don't particularly see how Windows has a chance in hell.
I don't know of any person with a Windows box who will hand out an admin account, but there are Gentoo Hardened devs who hand out root on their SELinux test rigs. Why? Because the system is secure enough to hand out root.
I hate these studies. Saying Linux isn't secure is like saying that fruit isn't red... it depends on what you're looking at. Are we talking about kernels? GNU tools? Common server software?
More importantly, which distribution? Windows comes with f*cking notepad and Solitaire. Linux distributions typically come with an order of magnitude more applications.
I'm on the Gentoo Security Mailing List. I get a few messages each day about vulnerabilities in software. Is each of these a ding on Linux? No, certainly not... it's a piece of software that happens to be available via portage.
If they want to be fair, then every ding on every Windows application counts against Windows.
More importantly, why the hell does every one of these boneheaded articles make it on the front page of Slashdot? Just helps spread the FUD.
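The comments above argue that the headline numbers depend on what gets counted against which platform (a whole distribution's package set versus only the core OS). The script below is an added example, not from any poster in this thread, that runs the same constructed set of advisory records through three attribution rules and shows how the ranking moves. Every advisory record is made up for illustration; the platform and package names are placeholders, not real advisories.

```python
"""Added example: how vulnerability attribution rules change a Windows-vs-Linux
comparison. All advisory records are constructed sample data, not real ones."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    platform: str   # vendor or distribution that published the advisory
    package: str    # affected component (names are placeholders)
    base_os: bool   # True if the component ships as part of the core OS


# Constructed sample advisories (hypothetical). The distribution publishes
# advisories for everything in its package repository; the proprietary vendor
# bundles its browser with the OS and sells the office suite separately.
SAMPLE_ADVISORIES = [
    Advisory("distro", "kernel", True),
    Advisory("distro", "openssh", True),
    Advisory("distro", "game", False),
    Advisory("distro", "office-suite", False),
    Advisory("distro", "browser", False),
    Advisory("windows", "kernel", True),
    Advisory("windows", "browser", True),
    Advisory("windows", "office-suite", False),
]


def count_everything(advisories):
    """Rule A: every advisory a vendor publishes counts against that vendor.
    This is the rule that penalises a distribution for shipping more software."""
    return Counter(a.platform for a in advisories)


def count_base_os(advisories):
    """Rule B: only advisories in components marked as core OS count."""
    return Counter(a.platform for a in advisories if a.base_os)


def count_common_scope(advisories):
    """Rule C: count only packages that have advisories on *every* platform,
    so both sides are measured over the same set of components."""
    per_platform = {}
    for a in advisories:
        per_platform.setdefault(a.platform, set()).add(a.package)
    common = set.intersection(*per_platform.values()) if per_platform else set()
    return Counter(a.platform for a in advisories if a.package in common)


def ranking(counts):
    """Platforms ordered from most to fewest counted advisories (ties keep
    alphabetical order so the result is deterministic)."""
    return [p for p, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def compare_rules(advisories):
    """Return {rule name: (counts, ranking)} for all three attribution rules."""
    rules = {
        "A: everything the vendor publishes": count_everything,
        "B: core OS components only": count_base_os,
        "C: components present on both sides": count_common_scope,
    }
    return {name: (dict(fn(advisories)), ranking(fn(advisories)))
            for name, fn in rules.items()}


if __name__ == "__main__":
    for name, (counts, order) in compare_rules(SAMPLE_ADVISORIES).items():
        print(f"{name}: {counts} -> ranked {order}")
```

On the constructed data, rule A makes the distribution look worse (five advisories to three), while rules B and C put the two platforms level. Nothing in the records changed between runs; only the attribution rule did, which is exactly the objection the posters raise about the surveys.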
The figures mentioned by the hosting company seem to indicate that the discussion is focused on Windows security on the server side, where it is fairly true that Windows can be about as secure as Linux when both are competently managed. In both cases, there will be someone who knows about the systems taking care of them and ensuring that they're properly patched, firewalled, etc. I personally find managing Linux boxes easier, but Windows can be kept secure as a server.
Where Windows still falls down security-wise is on the desktop, where the combination of a vulnerable browser/Office Suite along with the fact that the de facto standard way for desktop users to set up their accounts is with administrator privileges. That turns what would be a non-existent threat on the server (you shouldn't be doing general surfing or office work on a server) into a major issue. Microsoft has made feeble attempts to encourage users and developers to use limited accounts, but the fact remains that reconfiguring poorly written software to work in a limited account is a major headache that the average desktop user is not willing to put up with.
Microsoft also falls behind [most] Linux systems in that the majority of the software on a Linux box can typically be updated from a single tool (apt-get, yast, urpmi et al) while Windows Update only covers the core OS. Microsoft does have a better system in the works, but that will still only cover MS software.
Windows is not secure by default for a typical end user that doesn't know much about security; there is no argument.
And these same clueless end users are supposed to love the easy-to-use, totally intuitive, absolutely-not-cryptic Unix way of doing things so much that, if everyone would just adopt Linux, security would take care of itself.
Is it just me or does anyone else see the silliness of the above argument? Windows is not the problem with security any more than Linux. What's lacking here is something that's easy to use and flexible/powerful and secure. What we want is something with the simple user interface of a television (on/off, channel, volume, and that's about it) but we want the functionality of an I-need-eight-remotes-and-an-AV-consultant-to-run-this-thing home theater setup.
Personally, I think this form of contradictory nirvana simply cannot exist. If you make Linux easier to use and more accessible to the general public, it must lose either some of its security lustre, some of its flexibility, or some of both. Yet this very thing that would allow Linux to reach the mass market is what the uber-Geek /. Linux heads consistently rail against, right after they finish their rant about how the only reason Linux isn't succeeding on the desktop is because Microsoft is somehow holding them down.
Folks, the weak link here is the human, not the software.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
The bazaar model fails to take into account the talents of the bazaarers. In practice what happens is that the number of developers does increase, but the overall talent of those developers decreases. So while more code is output, it is not necessarily quality code. And secure code is often high quality code.
Better security comes from better coding practices, the use of languages that are not as vulnerable to exploits, and the use of technology to avoid such exploits.
Now, the fact still remains that such a model fares far better than that used by Microsoft, for various reasons. But your model of the bazaar is too simplified. It fails to take into account some very important factors, like code and coder quality.
Cyric Zndovzny at your service.
I'm sure he did, but the point is, here's Ballmer saying security is important to Microsoft, but if you want to put that in action, don't you dare put our products on the internet naked... put something running Linux, Cisco's IOS, one of the BSDs, or anything we don't sell in between our products and the internet. And really, they do so, any administrator worth their salary does so... and yet look at how many Linux machines sit naked on the internet, or act as security appliances to protect those vulnerable Microsoft products... and then someone can say they have comparable security with a straight face?!?
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams