Linux and Windows Security Neck and Neck
Linurati writes "According to vnunet.com, Linux and Windows are neck and neck when it comes to security, but 'misleading figures and surveys are muddying the waters.' The article lays blame on both sides for the misleading information." From the article: "...Microsoft had made real progress on security in the past two years, but that the increasing number of Linux enthusiasts coming into the market would help the open source alternative in the long run."
It's no longer better, it's now just as good.
Funny, last month people told me it was better. The only quote in the article talks about Linux's advantages. Erm. Something's missing.
My little site.
Look out! All the Slashdotters will have a heart attack reading this one, and miss the point, which was (from the article):
"My hunch would be that Linux still has the edge but it's difficult to tell with all this misleading information being pumped out."
FUD is FUD, and it's being given by both sides. It happened in the C64 vs Mac, Mac vs PC, Nintendo vs Sega, XBOX vs PS2 wars, and will continue to happen in everything where nerds are involved.
Those wars are the nerd's answer to the woman-staffed clothes store. (If you don't get that one, go spend 1 hour in there while your girlfriend shops, and listen to the salesladies dispute who got the sale. Sounds like a Linux vs Windoze Slashdot thread.)
1) Non-administrator OS X users have access that's much closer to typical Unix root than to a typical Unix user. It's a moot point because...
2) The obsession with the omnipotence of root comes from the days when all Unix use was multi-user. On a typical Linux desktop, the access a user already has is far more dangerous than anything he could do under root.
3) Please stop saying "boxen".
Didn't I read about Windows and 12 min of safe time before trouble hits? Beyond that, I could have sworn the problem with Windows becoming a secure OS was the fact that it was not open, thus nobody can tell if it is secure or not. Correct me if I'm wrong, but the advantage to open source is the barrage of people out there who can see errors and report and patch... Windows is more of a trial and error process for security... which by definition is just not secure...
Losers whine about their best, Winners go home to fuck the prom queen
WinXP is still a sitting duck out of the box.
I'm not sure what Microsoft is shipping in its Windows XP boxes anymore, not having ever purchased a retail version of it. However, if you're buying a PC preloaded with Windows, you are almost certain to find SP2 already installed. SP2 fixes a raft of security holes, turns on automatic updates, and, as a bonus, turns on the firewall that was (by default) off on XP RTM and XP SP1.
I'd wager that the vast, overwhelming majority of (legal) Windows XP installations came on machines preloaded with Windows. Given that, your fears of "unpatched" boxes being loaded today seem a bit of an exaggeration.
The biggest security threat these days is users opening worm-laden attachments, despite mountains of FAQs, instructions, README.TXT, co-worker horror stories, and other forms of documentation, all warning of the dire implications of opening up that oh-so-inviting attachment claiming to have pictures of Paris Hilton's hoo-ha.
The biggest threat to security these days isn't in the OS anymore, it's mounted between the keyboard and the chair. In this respect, Linux (or any *nix for that matter) can be considered more secure than Windows, but only until a competent administrator restricts local users to non-admin-equivalent accounts. Then things rapidly return to something amazingly close to equality.
The corollary would be to give root-level privileges to common users and see how long the vaunted *nix security model holds up. Hint: it isn't nearly as long as we'd like. You're just one shell-script attachment away from disaster when a user gets an email instructing them to save the attachment off, chmod +x it, and execute it, not knowing it contains the ever-useful "rm -rf" command inside. You don't believe that a user would actually do something so stupid as to execute commands outlined in an email body? What have you been smoking lately...of course they would. If *nix ever became as ubiquitous as Windows is now, it would assuredly happen, I'll set my watch and warrant on it.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
I use Linux on a daily basis for desktop and server use, and since I'm not a security expert, I often wonder how the entire process of awareness of exploits and the patching of packages happens. Could someone explain this to me?
Who is the trusted authority?
I'm not the type of guy to bash Microsoft, but I must say I was quite surprised when spyware of some sort infected IE on a fresh and updated install of WinXP. www.google.com was redirected to another site offering spyware removal (What a joke)
Well, I run into the non-admin option problem on Win boxes...as an Oracle DBA. Our SA's on the Sun boxes can easily create accounts for us with all the privs we need to install software, and admin. things on the box...they can let us sudo control things like Apache webservers (with Oracle iAS products..yup, gotta play with webservers too)...
However, on windows...well, latest restrictions can't allow them to give us local admin on the boxes...and apparently windows cannot be tuned in a granularly sufficient manner to give us what we need to do on the box. We have to now get an SA to log us in, and baby sit us while we do something as simple as a quarterly Oracle security update patch. A waste of money and time. Why can't MS get the security level thing right?
Trust me...as the project managers see what a PITA this is becoming and what a waste of time and $$'s...they are now listening to us, and we will NOT be getting any more Win. boxen to run server applications on. It is a pain to live with now, but at least it has finally given the PHBs a reason to listen to us about staying with Unix, and trying Linux.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
http://science.slashdot.org/article.pl?sid=05/07/13/2255243
Studies show that there is a one in three chance this is BS, and a 100% chance we'll see this article written over and over again in favor of one or the other. The difference is, Microsoft are usually the only ones to write articles in which they look better than Linux. Perhaps things really are changing.
Go ahead and call me unreliable; reliable is just a synonym for predictable.
Mind Booster Noori
I'll start paying attention to the Linux vs. Windows security debate the next time I get a virus on my Linux box. Nuff said.
If I had mod points I wouldn't. BSD has excellent security from what I've seen (I haven't had time to experiment enough with it yet so this is opinion) primarily because they have such high standards for code quality. When I was looking up comparisons before of Linux vs BSD, it seems like BSD takes a lot of proactive measures from the get-go, but not as much as something like SELinux. From what I've read in fact BSD has borrowed from SELinux because face it: Good security is good security. If somebody else has a good idea why not use it? It's like settling for ROT13 when RSA is knocking at your door.
I have been running a mixture of Windows and Linux boxes at home for more than 10 years. I am conscientious about anti-virus and anti-spyware on the Windows boxes. On the Linux (and an occasional BSD) boxen I just take the normal security of the distro install and update packages regularly. I also, of course, do not log in as root. The bottom line is over the years I have had to battle various vermin on the Windows boxes. I have yet to have a virus or anything like it on the Linux/BSD machines. EVER! I use Linux as my normal OS on my laptop. I am surfing everywhere, constantly checking email. I download lots of programs, install things, etc. NEVER a virus, etc. Give me a break!
Some settling may occur during posting.
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
It will continue to be impossible to secure any version of Microsoft Windows until that company changes their design philosophy of mingling various unrelated tasks directly into the operating system.
The latest example is their plan to integrate RSS feeds into Littlebighorn (due out next year, whether it's ready or not). Lookie, boys and girls, a whole new way to infest Windows with viruses and malware. We haven't got the old holes plugged yet, but here we are planning to make new ones! You gotta love innovation at work.
Until they stop this "I'm OK, you're ok, so let's share" design philosophy, and get a little more paranoid, Windows will always be the easier target for the Internet's criminals and malcontents.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
or mostly BS.
1. Comparing the WinXP operating system to a whole distribution is stupid.
2. Where the heck do those viruses spread from?
3. Look at the Secunia lists (www.secunia.com)
WinXP Pro (only OS):
Unpatched 21 of 84 total
Extremely or Highly Critical 30 of 84 total
Remotely exploited 52 of 84 total
Debian Sarge (OS and many, MANY, applications!):
Unpatched 10 of 26 total
Extremely or Highly Critical 4 of 26 total
Remotely exploited 18 of 26 total
When was the last time you saw a home Linux machine 0wn3d?
About a month ago. Buddy of mine who was using Gallery 1.3.3 to serve up some photo albums for friends and family got rooted. Someone used a PHP injection exploit which was present in that particular version to execute remote commands on his box, then used a local root exploit (I forget what they used, sorry) to gain root. Linux is far from invulnerable.
Well that's exactly the point isn't it?
Give a novice admin access and you have no security! (Thus the outrage over Lindows' default admin-only setup by people who know better.)
Linux cloned the Unix environment which early on was a multi user networked environment, used by many universities where students could wreak havoc. Many design decisions were made to improve security early on.
Microsoft? Hey, let's give our browser, email and applications the ability to install any software at any time from anywhere on the net without the user even knowing about it. That would be cool, huh?
Overall it boils down to a corporate culture problem at Microsoft:
What percentage of programmers who "get" linux/unix would ever want to work there?
What percentage of engineering decisions are made by "Pointy Haired Bosses" instead of programmers with real experience?
Sure, now that Linux is giving MS heartburn in the security pocketbook, they are changing, but that's what they do well, and why they succeed. Remember how fast Bill Gates switched from "The Internet is for losers" to "We Invented the Internet"?
At least with competition MS are forced to start cleaning up the massive mess they have made of network computing.
Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
I'd agree that a fully patched and protected Windows server is about as secure as a default install of a Slackware server
The difference is the Slackware machine won't become a security problem when a user sits down and starts surfing the web.
As many point out, novice users with IE/Outlook are the main entry point for windows viruses.
Hey, perhaps someone could set up a public test:
Set up an internet cafe with say 10 XP machines, fully loaded for virus bear and 10 Linux Machines,
Then keep a live scorecard for how long all 20 machines keep clean and functioning. Let Vegas in on this, and place your bets!
Or hey, do it as a docu-tainment independent video similar to "supersize me"...
Hey Cringely, there's an idea for your new downloadable TV show!
Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
Am I missing something? I would not attempt to dispute what he says, but what criteria does he use for that statement? Number of crashes, Technician time to re-boot/reload after an incident. Number of Viruses that get through? How many times the box is hacked?
For an article titled "Linux and Windows Security Neck and Neck", I expect to see more than just "servers....no difference..."
Apparently I am not the only one that thinks security is not just the server level. Nearly all the (on topic) comments talk about Win boxes that start up with admin privileges. The real security problem seems to be at the user level, not the server level. A good admin (or group of admins for 13000 servers) can set up and take either box to maximum security. The home user (not lazy, not ignorant as one post calls them) is not an IT person. If the box comes with a setup that makes it less secure, that is probably the only thing that will ever get set up.
My opinion is that security is not just MS or Linux. It is based on the person that installs and sets up the OS. I would bet that any good admin can set up and make either OS very secure or very insecure. If a secure box is delivered to the home user, it will probably remain secure. Otherwise, it will probably end up helping send spam.
I work in a world where I am responsible for about 100 servers, most of which run Windows 2000/2003, but a handful of which run CentOS 4 (RHEL4).
I have to say that either operating system is secure in the hands of a knowledgeable administrator. The key difference is simply that Linux can be made more secure by someone with ample experience, whereas Windows can be made moderately secure much more easily.
Let me explain. In the Linux world, because everything is open source, a very knowledgeable person can strip away `features` from the operating system, leaving fewer areas which could possibly contain security holes. It doesn't matter whether the NFS server has a security hole, if the NFS server isn't running, or even installed. To be more specific, a very knowledgeable person could even recompile their kernel, etc., such that the only thing that will run on the box is that which is intended. A box configured for single use is easy to secure because then there are only a handful of areas which can be exploited. Because of this limited number, there are then only a handful of lists/newsgroups that need to be monitored for security updates.
Windows on the other hand possesses the advantage that Microsoft stands behind their product, and says apply these patches, and you're secure. Therefore, to make a `relatively` secure machine is very easy. Just run auto-update regularly, and you're secure. On the other hand, taking security to the next level, the level described above, is almost impossible. You can't eliminate features from the Windows kernel by recompiling. Nor is it easy to pick and choose which DLLs get installed with the operating system. The result is a bigger window of opportunity for an exploit to be discovered which can then be used on your system. Now it is still possible to disable services, etc., but that is a more difficult task in Windows because of the interconnectivity. In the Linux world, because most components are developed by different people, they have few dependencies. This isn't true in the Windows world, and that makes it more difficult to lock down.
My point is that if there are three security levels, secure, very secure, and air tight, it is easier to get to the first level with Windows, but easier to get past the first level, to the second and third levels, with Linux. Granted, large corporations can afford to modify Windows to get the other levels of security, but it's more difficult because Windows is such a closed environment.
I've rambled enough. A good article on locking down a Linux box can be found here
http://www.puschitz.com/SecuringLinux.shtml
Huh? You should always use different vendor's products in your security system. If it's Windows inside, it should be something else at the border. Probably a Cisco box rather than any PC/Linux solution.
For a similar example, we use one vendor's Anti-Virus product on the desktops and another for the servers.
It's called defence thru depth.
Which, Microsoft insists, is an integral and inseparable part of the OS.
Microsoft can't say on the one hand that IE is part of Windows, and then on the other hand claim that IE vulnerabilities don't count as Windows vulnerabilities.
Hehe, sad but true ;)
I think the understated thing here is the severity of the typical break in though.
In windows most users install and run as administrator, they can do pretty much anything. Thus even small application security holes result in someone being able to completely obliterate the machine.
In unix most people install as root and run as an individual user. Thus most security holes unix has are relatively minor at worst executing the resultant code as the user who it is currently running as... which typically means it does very little.
You could further go on about how many script kiddies target windows as compared to other os's etc.etc.. but that's just getting into security through obscurity as the first poster here mentioned and "thats just silly"(tm).
Shadus
Yes, theoretically Windows has better security than any Unix-a-like, with its ACLs and finer-grained user permission levels.
In actual practice, any scheme in managing ACLs that is any more complex than Unix' UGO permissions tends to be an administrative nightmare, so many Windows admins don't even try it.
And as for finer-grained user access levels, if I do a ps aux on my Linux box, I see several different UserIDs running system processes. On my XP workstation at work, a decently locked down system, I see only two users: myself and SYSTEM, aka root. Any break in those SYSTEM-owned processes, and my workstation is toast.
And all this is before I discount the MS marketing slogans that you don't need an expensive sysadmin to set up and maintain Windows.
In short, Windows' theoretical superiority is destroyed by its complexity and the fact that the vendor keeps insisting that it is not complex at all. Practice therefore does not seem to bear out theory.
Mart"I know I will be modded down for this": where's the option '-1, Asking for it'?
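
The per-account process view that the comment above refers to (`ps aux` showing several different user IDs running system processes), as an added example that is not part of the thread. The sample `ps aux` output, the account name `alice`, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps aux` output (not captured from a real host).
sample_ps() {
cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   1944   640 ?        Ss   09:00   0:01 init [2]
root       812  0.0  0.2   3560  1204 ?        Ss   09:00   0:00 /usr/sbin/sshd
daemon     790  0.0  0.1   1688   420 ?        Ss   09:00   0:00 /sbin/portmap
www-data   955  0.0  0.9  12040  4800 ?        S    09:01   0:00 /usr/sbin/apache2 -k start
www-data   956  0.0  0.9  12040  4800 ?        S    09:01   0:00 /usr/sbin/apache2 -k start
postfix    901  0.0  0.3   4200  1600 ?        S    09:00   0:00 qmgr -l -t fifo -u
mysql      930  0.1  3.1  98000 16000 ?        Sl   09:01   0:04 /usr/sbin/mysqld
alice     1402  0.0  0.4   5100  2100 pts/0    Ss   09:30   0:00 -bash
EOF
}

# "count user" per line, largest count first; reads `ps aux` text on stdin.
procs_by_user() {
    awk 'NR > 1 { n[$1]++ } END { for (u in n) print n[u], u }' |
        sort -k1,1nr -k2,2
}

# Integer percentage (rounded down) of processes that run as root.
root_share() {
    awk 'NR > 1 { t++; if ($1 == "root") r++ }
         END { if (t) print int(100 * r / t); else print 0 }'
}

# Full command lines of root-owned processes (fields 11..NF of `ps aux`),
# i.e. the processes that hold full privileges on the host.
root_commands() {
    awk 'NR > 1 && $1 == "root" {
             cmd = $11
             for (i = 12; i <= NF; i++) cmd = cmd " " $i
             print cmd
         }'
}

# Report for the constructed sample.
sample_ps | procs_by_user
echo "root share: $(sample_ps | root_share)%"
sample_ps | root_commands
```

On a live host, pipe `ps aux` into the same functions instead of `sample_ps`.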