Slashdot Mirror
Linux and Windows Security Neck and Neck
Linurati writes "According to vnunet.com, Linux and Windows are neck and neck when it comes to security, but 'misleading figures and surveys are muddying the waters.' The article lays blame on both sides for the misleading information." From the article: "...Microsoft had made real progress on security in the past two years, but that the increasing number of Linux enthusiasts coming into the market would help the open source alternative in the long run."
"Nothing to see here ... move along"
Now THATS security for you!
The Pinto dealer down the block said that they have added a couple of air bags on the passenger side doors to get it at par with a Volvo. Coincidence?
Free XBox, PS2
I think there are two main factions here, and the answer for what constitutes better security has slightly different context with significantly different results.
For all of these people their machines are ticking time bombs, and I'm usually the one who gets the call when their world of computer technology explodes. This by itself is reason enough to consider other technologies where by default they are secure. For example, Apple does a good job (not perfect) of making their machines secure... I won't go into great depth -- I'm not a heavy Mac user.
Also, linux by default comes out of the box with decent security. Even if users do try to just use, e.g., KDE an root only, they (as I recall) have to fight off the big red screen background, kind of like the enunciator lights and bells in cars when you don't fasten your seat belts.
So, in the lay community, though Windows carries the popular vote, I think linux out of the box is by far the more secure and safe way to go.
Security in Windows itself had definately improved over the last few years. But almost all of the current and recent vulnerabilities have somehow been related to IE.
Not using IE and using Firefox instead almost completely secures an up-to-date Windows box. Get rid of IE, get rid of 90% of Windows' security problems.
Natlie Portman and Kathy Bates neck and neck when it comes to hotness.
But I agree with the parent -- advanced psychology-based FUD is a growing science.
They are taking security vuln's for redhat EL 3, or suse 9.1, and comparing them to MS Windows. That is not fair. Now if they compared them to Windows, Office, sharepoint, IIS, Office, Project, all Microsoft games, SQL server, etc.. then it would probably be a little more fair. Linux DISTRIBUTIONS are a little more than an OPERATING SYSTEM.
What are we going to do tonight Brain?
yawn...
Generally, bash is superior to python in those environments where python is not installed.
They have a herd of poorly paid but diligent slaves (a.k.a. graduate students studying for a Ph.D.). They do excellent work in voluminous quantities and would surely produce an accurate analysis of Linux versus Windows.
Where are the proactive security systems for Windows? Sure, Windows by default has a fairly rigorous ACL system by default (at least in comparison to classical Linux ACL's), but trying to measure the security of a system solely on how many exploitable bugs it has is just a poor measurement method. With projects like SELinux, GRSecurity, Pax, different implementations of active bounds checkers as well as stack smashers, and good implementations like Hardened Gentoo (Debian has a hardened project but I havn't tried it) I don't particularly see how Windows has a chance in hell.
I don't know of any person with a Windows box who will hand out an admin account, but there are Gentoo Hardened devs who hand out root on their SELinux test rigs. Why? Because the system is secure enough to hand out root.
I hate these studies. Saying Linux isn't secure is like saying that fruit isn't red... it depends on what you're looking at. Are we talking about kernels? GNU tools? Common server software?
More importantly, which distribution? Windows comes with f*cking notepad and Solitaire. Linux distributions typically come with an order of magnitude more applications.
I'm on the Gentoo Security Mailing List. I get a few messages each day about vulnerabilities in software. Is each of these a ding on Linux? No, certainly not... it's a piece of software that happens to be available via portage.
If they want to be fair, then every ding on every Windows application counts against Windows.
More importantly, why the hell does every one of these boneheaded articles make it on the front page of Slashdot? Just helps spread the FUD.
The figures mentioneed by the hosting company seem to indicate that the discussion is focused on Windows security on the server side, where it is fairly true that Windows can be about as secure as Linux when both are competently managed. In both cases, there will be someone who knows about the systems taking care of them and ensuring that they're properly patched, firewalled, etc. I personally find managing Linux boxes easier, but Windows can be kept secure as a server.
Where Windows still falls down security-wise is on the desktop, where the combination of a vulnerable browser/Office Suite along with the fact that the de facto standard way for desktop users to set up their accounts is with administrator priviledges. That turns what would be a non-existant threat on the server (you shouldn't be doing general surfing or office work on a server) into a major issue. Microsoft has made feeble attempts to encourage users and developers to use limited accounts, but the fact remains that reconfiguring poorly written software to work in a limited account is a major headache that the average desktop user is not willing to put up with.
Microsoft also falls behind [most] Linux systems in that the majority of the software on a Linux box can typically be updated from a single tool (apt-get, yast, urpmi et al) while Windows Update only covers the core OS. Microsoft does have a better system in the works, but that will still only cover MS software.
WinXP is still a sitting duck out of the box.
I'm not sure what Microsoft is shipping in its Windows XP boxes anymore, not having ever purchased a retail version of it. However, if you're buying a PC preloaded with Windows, you are almost certain to find SP2 already installed. SP2 fixes a raft of security holes, turns on automatic updates, and, as a bonus, turns on the firewall that was (by default) off on XP RTM and XP SP1.
I'd wager that the vast, overwhelming majority of (legal) Windows XP installations came on machines preloaded with Windows. Given that, your fears of "unpatched" boxes being loaded today seems a bit of an exaggeration.
The biggest security threat these days is users opening worm-laden attachments, despite mountains of FAQ's, instructions, README.TXT, co-worker horror stories, and other forms of documentation, all warning of the dire implications of opening up that oh-so-inviting attachment claiming to have pictures of Paris Hilton's hoo-ha.
The biggest threat to security these days isn't in the OS anymore, it's mounted between the keyboard and the chair. In this respect, Linux (or any *nix for that matter) can be considered more secure than Windows, but only until a competent administrator restricts local users to non-admin-equivalent accounts. Then things rapidly return to something amazingly close to equality.
The corollary would be to give root-level privileges to common users and see how long the vaunted *nix security model holds up. Hint: it isn't nearly as long as we'd like. You're just one shell-script attachment away from disaster when a user gets an email instructing them to save the attachment off, chmod +x it, and execute it, not knowing it contains the ever-useful "rm -rf" command inside. You don't believe that a user would actually do something so stupid as to execute commands outlined in an email body? What have you been smoking lately...of course they would. If *nix ever became as ubiquitous as Windows is now, it would assuredly happen, I'll set my watch and warrant on it.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
windows is not secure by default for a typical end user that doesn't know much about security there is no argument
t his-thing home theater setup.
/. Linux heads consistently rail against, right after they finish their rant about how the only reason Linux isn't succeeding on the desktop is because Microsoft is somehow holding them down.
And these same clueless end users are supposed to love the easy-to-use, totally intuitive, absolutely-not-cryptic Unix way of doing things so much that, if everyone would just adopt Linux, security would take care of itself.
Is it just me or does anyone else see the silliness of the above argument? Windows is not the problem with security any more than Linux. What's lacking here is something that's easy to use and flexible/powerful and secure. What we want is something with the simple user interface of a television (on/off, channel, volume, and that's about it) but we want the functionality of an I-need-eight-remotes-and-an-AV-consultant-to-run-
Personally, I think this form of contradictory nirvana simply cannot exist. If you make Linux easier to use and more accessible to the general public, it must lose either some of its security lustre, some of its flexibility, or some of both. Yet this very thing that would allow Linux to reach the mass market is what the uber-Geek
Folks, the weak link here is the human, not the software.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
When was the last time you saw a home linux machine?
The bazaar model fails to take into account the talents of the bazaarers. In practice what happens is that the numer of developers does increase, but the overall talent of those developers decreases. So while more code is output, it is not necessarily quality code. And secure code is often high quality code.
Better security comes from better coding practices, the use of languages that are not as vulnerable to exploits, and the use of technology to avoid such exploits.
Now, the fact still remains that such a model fairs far better than that used by Microsoft, for various reasons. But your model of the bazaar is too simplified. It fails to take into account some very important factors, like code and coder quality.
Cyric Zndovzny at your service.
Am I missing something? I would not attempt to dispute what he says, but what criteria does he use for that statement? Number of crashes, Technician time to re-boot/reload after an incident. Number of Viruses that get through? How many times the box is hacked?
For an article titled "Linux and Windows Security Neck and Neck", I expect to see more than just "servers....no difference..."
Apparently I am not the only one that thinks security is not just the server level. Nearly all the (on topic) comments talk about win boxes that startup with admin priviledges. The real security problem seems to be at the user level, not the server level. A good admin (or group of admins for 13000 servers) can setup and take either box to maximum security. The home user, (not lazy, not ignorant as one post call them) is not an IT person. If the box comes with a setup that makes it less secure, that is probably the only thing that will ever get setup.
My opinion is that security is not just MS or LINUX. It is based on the person that installs and sets up the OS. I would bet that any good admin can set-up and make either OS very secure or very in-secure. If a secure box is delivered to the home user, it will probably remain secure. Otherwise, it will probably end up helping send SPAM.
Riight. Like this?
Go on, pull the other one. Windows is just as leaky as it's ever been.
no, like this
oh, and btw, microsoft offered has had a fix for those issues for at least a week now.
Linux may not have as many worms/viruses, but that's only because it is not a target (not because it's more secure). Which ever operating system is the most popular will have the most people trying to attack it.
I'm getting tired hearing this false argument over and over. To run something in Linux that can potentially damage the system you need to log in as root. To run a virus you need to submit root password which is pretty different from what happens in Windows (by the way can you run Windows as restricted user? Many programs just refuse to work, I think that restricted user account is useless, most of the people I know run Windows as Administrator, only that and makes a big difference.)
Remember also that Linux has a big share on servers, and still there are not as many worms like Red Code and alike that bug Windows.
I still have to see ONE virus that successfully replicates in Linux environment. ALL the viruses that exist are lab viruses and they exploit holes that were patched long time ago. Or the type of viruses/worms that come in e-mail and say "please install me" but that doesn't count.
"It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore