How many Linux Security Threats have made me work over 24 hours straight?...
How many Windows Security Threats have made me work over 24 hours straight?
If you're like the sysadmin in our lab, Windows makes you spend more hours on it for two reasons: (1) more machines are running it, and (2) the ones running Windows tend to have more non-savvy users.
Point #1 says that if there's an equal number of exploits, and each exploit takes a constant amount of time per machine to fix, then since around 90% of machines are Windows boxes, your total time spent fixing them is obviously going to be a lot higher.
Point #2 says that the less mainstream nature of Linux tends to self-select a userbase that knows what they're doing, security-wise. On the other hand, many Windows users just have it so they can write up their reports and check their email, and have no idea what a security update is or how to install it. The recent infamous RPC exploit, for example, had a patch out for a couple of months before exploits for it appeared in the wild, but was ignored by most Windows users. A hypothetical similar Linux root exploit would have been quickly adopted by most computer geeks, while our sysadmin was complaining that even a month after Blaster made the rounds, there were still people bringing laptops into lab that were unpatched and quickly hacked. Add to this that many of the same people were unhappy about anyone else having access to their machine, but didn't care enough to secure it, and patching security exploits was one big headache.
I've heard many good reasons why the Microsoft article about Linux security is pretty slanted in their favor, but hours of work to fix isn't a fair one. A better metric might be hours of work per Windows box versus Linux box.