Windows Safer Than Linux

Oh, come on.. I wanted to vent in your inbox :p

In all seriousness though. I'm not really all that surprised that a windows box is relatively secure. Just that a big chunk of users use a microsoft OS, hence more users report trouble. Percentage-wise? I'm sure it's more than close to a linux box.
 
my questions would be to these guys:

are they comparing apples to apples, or oranges to apples?

they state that:

They compared Windows Server 2003 and Red Hat Enterprise Server 3 running databases, scripting engines and Web servers (Microsoft's on one, the open source Apache on the other).

Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when a vulnerability is first reported to when a patch is issued.

On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.

but... they don't state what those risks actually were, or what they pertained to.

Let me ask these questions :

How many of the Red Hat bugs were actually security related bugs and not program fixes?

How many of the Windows patches were actually security related bugs and not program fixes?

I'm just looking over the changelogs posted by Apache and RH... and I'm not seeing any "critical" bugs or vulnerabilities that would open a system up in the timeline that these guys say they ran their study. Especially any that took over 71 days to patch.

I also do not see any declaration of how bugs or patches or vulnerabilities were actually found. As far as I can see, these guys are only going from time of disclosure to time of released patch. That statistic alone already has some severe flaws with it as pointed out above.

So how many patches were actually released when comparing RH and Apache to Windows? Again, looking at the change logs posted by Apache and Red Hat and comparing them to the changelog posted by Microsoft... It seems to me that from a quick glance Microsoft is releasing patches at a near 5-1 ratio over Red Hat and Apache combined.


Overall, I think anyone in the Microsoft or Linux camp who takes this at face value without questioning the obvious flaws found in the study, really needs to rethink what they are doing. I think that this "study" is nothing more than a joke, and I don't see any way in which any realistic comparison about security can be drawn from the way the experiment was conducted.
 
Saist said:
Overall, I think anyone in the Microsoft or Linux camp who takes this at face value without questioning the obvious flaws found in the study, really needs to rethink what they are doing. I think that this "study" is nothing more than a joke, and I don't see any way in which any realistic comparison about security can be drawn from the way the experiment was conducted.

The presentation was a preview of a report they plan to issue in 30 days.

At this time, we don't have enough information to determine if they have their facts straight or not.
 
This isn't the first report I have seen comparing days vulnerable (a much better yardstick than # of vulnerabilities) that has favored windows over linux.

Saist,

"Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when a vulnerability is first reported to when a patch is issued."

Vulnerabilities would seem to imply security, not bugs, but like you I want to see the method behind the data.

While it's interesting, I think we're going to have to wait for the details of the report to have an honest discussion...

 
You know, it's kinda logic... Linux is open-source, and it's so amazingly secure for something like that. That in itself is ridiculously impressive.

Furthermore, the WinXP kernel is based off of a linux kernel. They took a look at that open-source goodness and realized how much better it is. That's the primary reason why DOS no longer exists in WinXP. So you can't give windows much credit.
 
I don't know where you heard WinXP is based off of linux. XP is based off of 2000 which is based off of NT, which MS wrote from the ground up.

With that said, it really isn't surprising that Windows is safer than linux. I always thought so and I'm glad that there is proof too.
 
[nausea]

Having used both products in various versions and service packs over my 15+ years in the server industry I can say that any one OS is not better than the other. Why does this even need to be "put to bed?"

There are reasons and uses for both OSes and I have found both OSes to be equally insecure and equally secure depending mostly on the skill of the installer.

I can say this, if I'm building an application or database I prefer .NET stuff, I can get it done really fast and really slick. If I'm building a web site or public web offering then I prefer Linux/Apache because I don't have to worry about it after I provision it.

Man, they are just tools to a business end.

Does there need to be a winner?

A wise man once said: Don't put all your eggs in one basket.
 
Axiomatic said:
[nausea]

Having used both products in various versions and service packs over my 15+ years in the server industry I can say that any one OS is not better than the other. Why does this even need to be "put to bed?"

There are reasons and uses for both OSes and I have found both OSes to be equally insecure and equally secure depending mostly on the skill of the installer.

While I agree that security depends on the user, I like the approach they are taking in the article of "removing the user" from the equation.

"The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features. Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance."

Sure it's important to know the extra steps to harden a system and layer security, but that's not what they are trying to show. They are trying to show how an "average system" would fare.

 
jon_k said:
I don't know where you heard WinXP is based off of linux. XP is based off of 2000 which is based off of NT, which MS wrote from the ground up.

With a huge amount of influence from the creator of VMS. A lot of the basic security ideas and kernel concepts actually came from there.
 
"— the period from when a vulnerability is first reported to when a patch is issued."

If I remember correctly:

Microsoft vulnerabilities have been suppressed for a length of time and reported right before or after a patch had been issued... Linux vulnerabilities are reported/noted almost immediately by the developer community.

If this is the case the study would be an apples to oranges thing... and thus, as far as proving their point, meaningless.

A better study would be from the vulnerabilities date of discovery.
 
jon_k said:
I don't know where you heard WinXP is based off of linux. XP is based off of 2000 which is based off of NT, which MS wrote from the ground up.

With that said, it really isn't surprising that Windows is safer than linux. I always thought so and I'm glad that there is proof too.


Actually, it's a far, far stretch to go from this study to that conclusion. :D
(For every study you'll be able to find two that disagree.)
Just for the counterweight, I like this one.
 
They did not do everything that can be done to lock down the linux server. They said that they wanted to represent what the 'average' system administrator would do. It has been my firsthand experience that Linux is far tighter than Windows when both systems are thoroughly locked down by someone who knows their stuff. I'm not sure how they decided what a 'typical' web server setup was.


This was discussed ad nauseam on slashdot earlier today.
 
As mentioned previously, the actual report that will be released later must be read first before anyone has the knowledge to make statements about the integrity of how this study was conducted.

Just wait for the report, read it carefully, then make your statements. ;)
 
grzbear said:
Microsoft vulnerabilities have been suppressed for a length of time and reported right before or after a patch had been issued... Linux vulnerabilities are reported/noted almost immediately by the developer community.

Got any proof? Sounds like FUD to me.

ThomasE66 said:
They did not do everything that can be done to lock down the linux server. They said that they wanted to represent what the 'average' system administrator would do. It has been my firsthand experience that Linux is far tighter than Windows when both systems are thoroughly locked down by someone who knows their stuff. I'm not sure how they decided what a 'typical' web server setup was.

This was discussed ad nauseam on slashdot earlier today.
They also didn't lock down the windows box... If you start to lock things down, you're adding the user's knowledge into the mix. While this may be more representative of what you see in the real world, it isn't a comparison of the OSes alone. It's a comparison of the OS+user. Since we don't know the same things the user that configed the box does we can't compare that vs. how we would configure the same machine.

Who cares what was discussed or how much on /.? This isn't /.

Until we have the report we can't make educated decisions on how the conclusions were reached.

 
I mentioned the /. discussion in case anyone was interested. Of course we need to see the complete study before full conclusions can be drawn, but there is nothing wrong with discussing the preliminary conclusions. That's what this thread is for isn't it?
 
Saist said:
my questions would be to these guys:

are they comparing apples to apples, or oranges to apples?

dunno but apples are just about the safest things around :rolleyes: (and are based on linux :D )

decently configured/optimized linux is just about unhackable...
 
ThomasE66 said:
I mentioned the /. discussion in case anyone was interested. Of course we need to see the complete study before full conclusions can be drawn, but there is nothing wrong with discussing the preliminary conclusions. That's what this thread is for isn't it?
Sure it is, I just wasn't sure where you were going with that comment. Gah, this thread is frustrating w/o the report. Why release the conclusions w/o it? :(

 
I wonder how they hypothetically set up these servers...?

Linux: Download these images and use this tool to copy them to floppy. Reboot from floppy, insert CD. Define mount points, swap file, etc. etc.

Windows: Insert CD. Click Next... Next... Next...
 
You are completely incorrect about windows.

krizzle said:
You know, it's kinda logic... Linux is open-source, and it's so amazingly secure for something like that. That in itself is ridiculously impressive.

Furthermore, the WinXP kernel is based off of a linux kernel. They took a look at that open-source goodness and realized how much better it is. That's the primary reason why DOS no longer exists in WinXP. So you can't give windows much credit.
 
Windows really is not as insecure as people make it out to be. Every major worm and exploit that has gone on a rampage has taken advantage of a flaw that was already addressed and had a patch. Systems were only susceptible (sp) because their owners did not maintain them. If a linux system is never updated, it will sooner or later become vulnerable. The only difference there is that there aren't a huge number of people on a personal crusade against linux like there are against windows.
 
eggrock said:
I wonder how they hypothetically set up these servers...?

Linux: Download these images and use this tool to copy them to floppy. Reboot from floppy, insert CD. Define mount points, swap file, etc. etc.

Windows: Insert CD. Click Next... Next... Next...


I think they said typical linux installation, not "old-fashioned". :p
 
Give me the servers and I could make them so secure no-one can get in and mess around - just pull out the network cables on both.

Without the actual report all we can do is bounce hypothetical ideas about what went on. Hold this thread for the next 30 days...
 
Mournblade said:
Give me the servers and I could make them so secure no-one can get in and mess around - just pull out the network cables on both.

Without the actual report all we can do is bounce hypothetical ideas about what went on. Hold this thread for the next 30 days...

Don't forget to disconnect the USB and Floppy connections as well if you want to make it really secure ;)
 
ThomasE66 said:
Don't forget to disconnect the USB and Floppy connections as well if you want to make it really secure ;)

Nah. Embedding them in a block of concrete would be better. (It's harder to get to the hard drives that way)
 
Bwahahaha... every time I see one of these "reports", when someone does a bit of digging behind said "report" they find out that it was funded by Micro$oft thru some back-alley deal. And this smells like the same old rotten fish.

This has been debated ad infinitum, ad nauseam; and the conclusion of most true experts is that Windows is horribly insecure, and that any flavor of Linux is reasonably secure.

What does it say when Microsoft threatens to sue the people who discover and post the flaws, to prevent them from revealing the flaws in the first place?? To me, it says that the M$ folks know beyond a shadow of a doubt that their products are buggy and insecure. When SP2 is being patched at almost a daily rate, and when virii spawn almost daily attacking newly-found vulnerabilities in Microsoft products, it's a pretty reasonable conclusion that the software has more holes than Swiss cheese.

I think we're gonna find that these two guys are nothing more than Microsoft pawns, paid to do a "study" to help sell more Windows.
 
Whatsisname said:
Windows really is not as insecure as people make it out to be. Every major worm and exploit that has gone on a rampage has taken advantage of a flaw that was already addressed and had a patch. Systems were only susceptible (sp -1) because their owners did not maintain them. If a linux system is never updated, it will sooner or later become vulnerable. The only difference there is that there aren't a huge number of people on a personal crusade against linux like there are against windows.

Do you happen to work for M$?? Or have you been sleeping lately?? SP2 already has patches out to fix flaws in SP2, when SP2 was supposed to be the be-all, end-all of service packs!

The fact is, every major exploit and hole is typically discovered and exploited months before M$ deigns to release a patch, that sometimes doesn't work. If a vulnerability is reported in Linux (irrespective of flavor), it's typically reported the very moment it's found, and typically patched within a week or two of the report.

Windows, as are most M$ products, is horribly broken. The code is bloated, buggy, and riddled with holes. And M$ has absolutely no reason to fix any of it, because they have 90% of the market sold on the efficacy of the operating system, and they would rather have a nice obsolescence path to help sell the next new OS, and a whole slew of ineffective anti-virus and anti-spyware products--which are broken as well, because it allows them to sell "upgrades" and to give the virus and spyware creators another path to help sell software.
 
Anyways, so what if there are patches? Most patches are bug fixes, and if you're going to bitch about those then you better bitch about the billions of bug fixes and updates linux users have to go through.

And no, most exploits are not made before patches. Like I mentioned, the blaster worm went on its rampage months after microsoft patched the exploit it fed off of. The same with the MSSql worm that virtually DoS'ed the entire internet. I don't think I need to go on with this. There have only been a few instances where an exploit is discovered and there is no patch, such as the GDI exploit, but strangely, there weren't any viruses that took advantage of them.

99% of security problems with windows boil down to laziness or incompetence on behalf of their users.

If you hate microsoft so much, then write a superior operating system that can do the job better, and that means run on computers owned by 80 year old people and 10 year old girls just as well as businesses and software developers, and learn to write like a normal human being so you can be taken seriously. Otherwise, just shut the hell up and let the people that know what the hell is going on take care of things.

Tex Arcana said:
Do you happen to work for M$?? Or have you been sleeping lately?? SP2 already has patches out to fix flaws in SP2, when SP2 was supposed to be the be-all, end-all of service packs!

The fact is, every major exploit and hole is typically discovered and exploited months before M$ deigns to release a patch, that sometimes doesn't work. If a vulnerability is reported in Linux (irrespective of flavor), it's typically reported the very moment it's found, and typically patched within a week or two of the report.

Windows, as are most M$ products, is horribly broken. The code is bloated, buggy, and riddled with holes. And M$ has absolutely no reason to fix any of it, because they have 90% of the market sold on the efficacy of the operating system, and they would rather have a nice obsolescence path to help sell the next new OS, and a whole slew of ineffective anti-virus and anti-spyware products--which are broken as well, because it allows them to sell "upgrades" and to give the virus and spyware creators another path to help sell software.
 
Whatsisname said:
99% of security problems with windows boil down to laziness or incompetence on behalf of their users.


I applaud you. This is one of the truest statements ever made.

I love Linux and use it frequently. It's four of the 10 production machines I have at home. Another one has Solaris, the rest have Windows. They all are good for various things.

Linux can be made very secure. Fact is, so can almost any NT variant of Windows (4.0, 2000, XP, Server 2003, etc.).

One reason there are so many insecure Windows boxen out there is that it's so accessible. A clueless luser is more likely to buy a PC preloaded with Windows or IF they install their own OS it is also 90% likely to be Windows based. Those who run Linux do tend to be more knowledgeable, but that's mostly because until very recently you basically HAD to be knowledgeable to run Linux. From a user friendliness and ease of install standpoint Windows has had a huge head start.

My personal preference is Linux because I like to mess with the system internals. However, I'm totally agnostic about computers. I also prefer running code that I can audit if I wish. However, I use what works for the task at hand.

I get amusement to no end at the endless religious battles over computers. Mac vs Wintel. *nix vs Windows. NVidia vs ATI. I've received so much joy from the hilarious antics of rabid fans that I really should find some way to thank them all! It's hilarious. A computer is a tool. A piece of software is a tool. Use them for the tasks they are good at. Use the one that works best for you. Don't flame others for choosing another tool if that's the one that works for them :)
 
I wonder why they didn't compare OpenBSD ("Only one remote hole in the default install, in more than 8 years!") vs windows

www.openbsd.org :)

(I've been using it since 1996 or so)

Rob
 
Robstar said:
I wonder why they didn't compare OpenBSD ("Only one remote hole in the default install, in more than 8 years!") vs windows

www.openbsd.org :)

(I've been using it since 1996 or so)

Rob

OpenBSD blows Linux and Windows away from a security standpoint, that's why. But you knew that ;)
 
The trick with this report is that it doesn't necessarily represent either OS in their "properly secured" modes. When it comes to getting the most from the operating system's capabilities while simultaneously keeping it secure, the problem lies in how much time one wishes to spend on it and a cost/benefit analysis of getting the OS to be able to do what is desired (web serving, mail forwarding, application serving, terminal serving, etc.). There is no single "aha!" answer out there that will cover everyone's situation in a blanket scheme. Each attempt by each "study" seems to miss this little fact, and each time a new one comes out the myth that one OS is going to be the best option over proper training and analysis of needs (versus wants) is propagated further.

It's nice to see the study was done by proponents of both platforms being compared, but it still isn't going to yield any more information than an "in this situation, which is different than many situations" set of results. I mean, don't get me wrong, I love my Windows machines and use XP as my main client OS, but there are applications where a Linux server or a Linux client are a more worthwhile choice in the long run, just as there are applications where a Windows server or Windows client are the more worthwhile choice. It totally depends on the needs of the environment.

Just as with any other comparison of the two, the real answer is simple: it's the administrator.
 
Whatsisname said:
Anyways, so what if there are patches? Most patches are bug fixes, and if you're going to bitch about those then you better bitch about the billions of bug fixes and updates linux users have to go through.

And no, most exploits are not made before patches. Like I mentioned, the blaster worm went on its rampage months after microsoft patched the exploit it fed off of. The same with the MSSql worm that virtually DoS'ed the entire internet. I don't think I need to go on with this. There have only been a few instances where an exploit is discovered and there is no patch, such as the GDI exploit, but strangely, there weren't any viruses that took advantage of them.

99% of security problems with windows boil down to laziness or incompetence on behalf of their users.

If you hate microsoft so much, then write a superior operating system that can do the job better, and that means run on computers owned by 80 year old people and 10 year old girls just as well as businesses and software developers, and learn to write like a normal human being so you can be taken seriously. Otherwise, just shut the hell up and let the people that know what the hell is going on take care of things.

IIRC, BeOS was superior, but it died a rather whimpering death for some reason. (shrug)

I hate corporations that put out an inferior product, and expect people to keep buying it. I hate corporations that will do ANYTHING for a buck, sacrificing doing the RIGHT THING for a few more cents.

You mention the only two exploits that were allegedly "patched" before the exploits came out. However, you failed to mention the rest of the exploits that were out before MS (yeah, the "M$" is a habit I'm trying to break) deigned to even acknowledge them; and the ones I mentioned that they sued the discoverers prior to the publication--to PREVENT publication--you deigned to ignore as well. But what should I expect of an apologist?? Like I said--you must work for MS.

If you consider yourself one of "...the people that know what the hell is going on [to] take care of things...", then I'd rather use an abacus and a stone tablet, because it's people exactly like you that perpetrate the whole "Windows is superior and secure" myth. Yes, many of the insecurities are caused by poorly-educated users, but most of them are flaws in the OS itself. And until Microsoft stops taking shortcuts to make things work, and stops leaving holes untouched 'til someone brings them to attention, this whole debate will not stop.
 
ThomasE66 said:
I applaud you. This is one of the truest statements ever made.

I love Linux and use it frequently. It's four of the 10 production machines I have at home. Another one has Solaris, the rest have Windows. They all are good for various things.

Linux can be made very secure. Fact is, so can almost any NT variant of Windows (4.0, 2000, XP, Server 2003, etc.).

One reason there are so many insecure Windows boxen out there is that it's so accessible. A clueless luser is more likely to buy a PC preloaded with Windows or IF they install their own OS it is also 90% likely to be Windows based. Those who run Linux do tend to be more knowledgeable, but that's mostly because until very recently you basically HAD to be knowledgeable to run Linux. From a user friendliness and ease of install standpoint Windows has had a huge head start.

My personal preference is Linux because I like to mess with the system internals. However, I'm totally agnostic about computers. I also prefer running code that I can audit if I wish. However, I use what works for the task at hand.

I get amusement to no end at the endless religious battles over computers. Mac vs Wintel. *nix vs Windows. NVidia vs ATI. I've received so much joy from the hilarious antics of rabid fans that I really should find some way to thank them all! It's hilarious. A computer is a tool. A piece of software is a tool. Use them for the tasks they are good at. Use the one that works best for you. Don't flame others for choosing another tool if that's the one that works for them :)


I use Windows because I have trouble getting myself to use Linux regularly, and mostly because Linux (in the past, almost 2 years ago now) was harder to use in GUI mode than Windows, and I'm not interested in learning new command-line commands. I've got Mandrake 10.2 ready to install and evaluate, so I can once again try to wean myself off Windows.

Windows is easy to use, especially for an experienced user like me, but I find it a pain in the butt when it comes to virii and spyware and hijackers, it drives me nuts because those things alone kill the machine. They cause me no ends of work for those machines I get asked to work on. I can get them to work well, but the tools I use to shield them aren't the easiest to use (hence more effective), and the users invariably slip on the updates or scans, and the machines get infected and turn into dogs.

So, from a "set and forget" standpoint, Linux is way more reliable. And, maybe, it's more usable too. I shall see. ;)
 
You, sir, are a troll. Furthermore, you seem to have very little actual knowledge of security and OS internals to back up your frothing-mouthed bullshit.

Accusing people who do not share your disdain for Microsoft as being Microsoft employees further discredits any validity you may have had. If you can't make a strong case without relying heavily on your weak-kneed rhetoric and ad hom accusations, then perhaps you should just shut the fuck up and let some people who have actually formed their own opinions on the matter instead of parroting some paranoid drivel actually discuss the subject.

And I find it extremely ironic that you were posting your venom from a Windows box to begin with. Can talk the talk but can't walk the walk.
 
I would like to mention that OSX is the most user friendly OS ever, and based on linux. The only reason why linux isn't as user friendly as windows is because no one was ever bothered to make it user friendly.

As far a security, it applies to both.

If win 2K/XP or just about any distribution of linux is configured/optimized properly, with a decent amount of common sense (and without internet exploder), you're really secure.

Now as far as server based applications (which is really the point of the study), linux is really a better choice. not for the default security...... but for the customisation potential...

you can customize linux from ground up (thank you open source)... which is not the case of windows...
 
LyCoS said:
I would like to mention that OSX is the most user friendly OS ever, and based on linux.
That is false. OS X is based on the Mach kernel, which is a derivative of BSD. OS X shares some family ties to Linux, but is nowhere near being "based on" Linux.
 
GrenME said:
You, sir, are a troll. Furthermore, you seem to have very little actual knowledge of security and OS internals to back up your frothing-mouthed bullshit.
(etc.)

Ah, GrenME, but so are you, right now. Just one with a higher post count and better English. (And a history of usually useful posts.)
Shall we dissect what he said:

I hate corporations that put out an inferior product, and expect people to keep buying it. I hate corporations that will do ANYTHING for a buck, sacrificing doing the RIGHT THING for a few more cents.

Implying "Microsoft" for "corporations", of course.
They've been convicted for monopolistic behaviour. They declare they will never fix security flaws in products they want people to upgrade from. They (this is my favourite) deliberately make IIS and IE break TCP standards for terminating connections, so apache suddenly fares much worse in tests with IE clients (and give non-IE browsers problems with IIS websites.)
Yes, they claim they've improved. Yes, they might even have. (Though the recent extortion attempt on Denmark regarding software patents didn't shock me.)

All in all, it's a fair enough rant.


You mention the only two exploits that were allegedly "patched" before the exploits came out. However, you failed to mention the rest of the exploits that were out before MS (yeah, the "M$" is a habit I'm trying to break) deigned to even acknowledge them; and the ones I mentioned that they sued the discoverers prior to the publication--to PREVENT publication--you deigned to ignore as well.


Is he wrong? If he isn't, is he wrong to be angry about whoever he's responding to not mentioning this?

But what should I expect of an apologist?? Like I said--you must work for MS.
If you consider yourself one of "...the people that know what the hell is going on [to] take care of things...", then I'd rather use an abacus and a stone tablet, because it's people exactly like you that perpetrate the whole "Windows is superior and secure" myth. Yes, many of the insecurities are caused by poorly-educated users, but most of them are flaws in the OS itself. And until Microsoft stops taking shortcuts to make things work, and stops leaving holes untouched 'til someone brings them to attention, this whole debate will not stop.


Not without truth, nor without unnecessary attacks. Much like your last observation. ;)
 