Forgot your password?
typodupeerror
Security Software Microsoft Linux

Study Finds Windows More Secure Than Linux 796

Posted by Zonk
from the an-interesting-definition-of-secure dept.
cfelde writes "A Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, 'Security Showdown: Windows vs. Linux.' One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint."
This discussion has been archived. No new comments can be posted.

Study Finds Windows More Secure Than Linux

Comments Filter:
  • by Rollie Hawk (831376) on Thursday February 17, 2005 @01:06PM (#11701187) Homepage
    ... another pissing match.
  • by suso (153703) on Thursday February 17, 2005 @01:06PM (#11701189) Homepage Journal
    Study finds Slashdot as repetitive as Philip Glass
  • Integrity? (Score:5, Informative)

    by samtihen (798412) * on Thursday February 17, 2005 @01:06PM (#11701190) Homepage

    Well, apparently this is the second time Microsoft has come out on top of a research project by Mr. Richard Ford [fit.edu].

    http://www.virusbtn.com/magazine/articles/letters/ 2004/01_01.xml [virusbtn.com]

    Apparently there was some question to the validity of an earlier project because it was sponsored by Microsoft.

    However, I would like to note that both researchers seem very well educated, especially in computer security. And, additionally, they both note that a lot more could be done to lock down the Linux server.

    • by emil (695) on Thursday February 17, 2005 @01:13PM (#11701313) Homepage

      OpenBSD runs chroot() Apache. Does IIS have similar capability?

      The chroot() patch was never taken up, but it would probably not be that difficult to install on Linux.

      I would be disinclined to run any other way at this point.

      • by n0-0p (325773) on Thursday February 17, 2005 @01:55PM (#11701967)
        It's pretty easy to make Apache chrooted under linux. With Apache2 you still need to allow dynamic libraries though, which often bothers people. Having hardened both Windows and Linux servers on a regular basis, I'd pick Linux every time. It can be locked down much more than Windows. I haven't found anything that compares to a combination of PP buffer protection on binaries, chroot jailed services, iptables, and SELinux policy. I just don't understand why more vendors haven't tried to create default installs that support this level of security.
      • by jc42 (318812) on Thursday February 17, 2005 @01:59PM (#11702043) Homepage Journal
        Why would it take a patch to make a server run in a chroot jail? This can be done with any program. It requires no cooperation from the program itself.

        Of course, running anything chrooted usually requires making a list of subprocesses that the program calls, and linking them into the program's directory tree. You'd want to do this in this case, because web servers typically do invoke some subprocesses. Not always, of course; some web sites are completely static. In any case, this doesn't require any sort of patch; just a list of what files are needed in the chroot area.

        So what's in the OpenBSD chroot patch? What sort of vulnerability existed without it?
      • You should try chrooting an apache process that runs in User-mode linux. I run all of my servers out of UML now, even samba and my wireless access point. It keeps my server busy, but it always pained me to see it idle anyways.
    • Re:Integrity? (Score:5, Insightful)

      by leuk_he (194174) on Thursday February 17, 2005 @01:17PM (#11701376) Homepage Journal
      from the article

      Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.


      I hoped for a deeper analysis, like the security model used or how it behaves in networks. But it just back to counting vulnerabilities.

      --Nothing to see here, move on.

      • Re:Integrity? (Score:5, Insightful)

        by Bastian (66383) on Thursday February 17, 2005 @02:14PM (#11702266)
        I, too, would like to see a more involved, academic analysis of the security of each platform. But even as a quick quantitative analysis, this technique for deciding how secure a system is falls on its face. Instead of counting vulnerabilities, I would be interested in counting number of viruses and script kiddie tools that take advantage of those vulnerabilities. Just counting known vulnerabilities and numer of patches, etc, has a few issues. One is that I honestly believe that a Windows vulnerability is much less likely to be announced once it is discovered than a Linux vulnerability - it's a questionn of culture.

        Another is that just counting vulnerabilities gives you a worst-case scenario. However, my practical experience suggests that if there aren't any script kiddie tools or viruses out there that take advantage of said vulnerability, your chances of getting compromised through it are exceedingly small.

        I'd also like to see some weighting for the likelihood of an attack succeeding through a given vulnerability. I'm going to be a lot more scared of the exploit that works every time than I am the buffer-overflow that lets you run arbitrary code, but only works once in a blue moon.

        Granted, these studies will never have that info; they aren't meant to mean anything, they are just mindcandy for the PHBs put together by industry pundits looking for a quick paycheck or some attention. If I were really looking for a security analysis or comparison that included an open source server that ran on x86 hardware, I would expect OpenBSD to be one of the operating systems tested.
      • Re:Integrity? (Score:5, Insightful)

        by jc42 (318812) on Thursday February 17, 2005 @02:40PM (#11702628) Homepage Journal
        Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.

        Actually, this tells us most of what we need to know. If we want our system to be considered secure, the way to do it is: 1) Don't report vulnerabilities; 2) Don't issue security patches.

        Linux pretty much has to lose a contest that is judged this way.

    • Re:Integrity? (Score:5, Insightful)

      by jedidiah (1196) on Thursday February 17, 2005 @01:21PM (#11701434) Homepage
      This study appears to be a clear example of redifining terms and using statistics to muddle an issue. While the conclusion of the study might be valid given the assumptions, I challenge the assumption.

      I challenge the assumption that Redhat vulnerabilities are equal to Microsoft vulnerabilities.

      Given the history of malware, they clearly are not.

      This study is nothing more than a more formalized version of a certain form of trolling once popular on COLA.
    • Re:Integrity? (Score:5, Insightful)

      by LurkerXXX (667952) on Thursday February 17, 2005 @01:36PM (#11701679)
      Unfortunately they don't tell you the real server that is more secure.

      The correct answer is the one with the better administrator. You can have a Linux box locked down tight, and a Windows box wide open. You can also have the inverse. Probe around, and you will find boxes of all those flavors out there. It all depends on the competence of the guys running it. The competence of the administrator at running the system he is running has a much larger effect on overall security than which OS is chosen.

      • These researchers mention they are not "wizards" and I think this illustrates an important difference between Open Software and Windows. Linux is great if you know what you're doing. There are lots of resources out there to help you properly configure your system, and if done right you will have minimal issues.

        And you're going to need those resources if you're not a "wizard". Open Source software is not as easy to use as most MS products, and in many cases the documentation isn't very good either.
        • People who don't know what they are doing should definitely not be running a web server. I'm sorry, but it is far easier for someone to pay $4/month for geocities to host their personal web site than it is to configure IIS, run dyndns (or call ISP and set up a static IP address), etc. etc.

          Stupid people running stupid web servers is the reason why we had code red in the first place.

  • by Mustang Matt (133426) on Thursday February 17, 2005 @01:08PM (#11701217)
    I don't get it. I guess I need to read the article.

    A webserver needs port 80 and maybe 443 open. Any webserver can be secured.

    Where's the news?
    • > I don't get it. I guess I need to read the article.
      >
      > A webserver needs port 80 and maybe 443 open. Any webserver can be secured.

      A workstation doesn't even need that.

      Not counting the (numerous) local exploits caused by IE, WMP, Outleak and other applications getting pwn3d by their handling of hostile content, the big (i.e. "remotely exploitable without user intervention") holes in Windows all stem from M$'s unstated design assumption that "all the world's an office LAN", and the open/liste

  • by Staplerh (806722) on Thursday February 17, 2005 @01:09PM (#11701237) Homepage
    Interesting. Some relevant snippets:

    A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

    In an academic study due to be released next month Dr Richard Ford, from the Florida Institute of Technology, and Dr Herbert Thompson, from application security firm Security Innovation, analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.


    Now, I'll concede that Dr. Ford and Dr. Thompson do sound reputable, but one is an admitted Windows enthusiast and while the other one is a Linux fan who changed his minds, this hardly sounds like a study .

    It's an interesting question, and I'm sure there is no clear cut answer, but a more systematic study (with more parties, rather than just two scientists) is going to be needed to answer this sort of question before the 'results' are trumpetted. I'm sure Microsoft will pick this one up and run with it, however.. more of those annoying ads that seem peppered throughout Slashdot.
    • by schon (31600) on Thursday February 17, 2005 @01:14PM (#11701317)
      A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

      Umm, so MS showed him their source code? I find that a little hard to believe.

      If he can't see the source, how can he make any determination at all?
      • I second this. Also, I am sure they tried to crack their own boxen, and tried to crack eachother's boxen. All the linux vulnerabilities are well documented, and I am sure they used each one to see how easy it was. All of microsoft's bugs are not necessarily well documented, if at all, precisely because it is closed source and unviewable.

        While windows can indeed be secure enough for most situations if well administered, the truth is that most is not well administered and even then there is the constant

    • by bonch (38532) on Thursday February 17, 2005 @01:28PM (#11701554)
      No offense. But it sounds like people are searching for things to dismiss this study. Um, yes, a Linux guy changed his mind after seeing the conclusions of the study. That means it's not a valid study?

      I'm getting a little disturbed at the way all pro-Linux studies are being accepted and all other studies are being dismissed here. Critical thinking should always be welcome. And, yes, Linux is NOT perfect, it is NOT flawless, and it IS full of security holes like anything else. Nobody should take their operating systems so personally that they feel attacked when Linux is criticized.

      Note that this doesn't go for everybody. But there are a lot of zealots in the community who need to learn to see outside their own perspective.
      • by Paradox (13555) on Thursday February 17, 2005 @01:40PM (#11701728) Homepage Journal
        I wish I could mod you up, bonch. I've experiened the head-in-the-sand Linux mentality too, and it is scary. It misses the whole point of linux.

        Linux is awesome, this study doesn't change that but we always need to work to make it better and easier to secure. Critics of Linux are our best friends, because they do the work of finding out where we need to improve for free.

        The best thing about linux is that when people have a legitimate complaint, it's well within our power to fix it! If Linux is temporarily less secure, so what? After reading this, everyone will adapt their linux distros to render the complaints moot.

        This is part of why we love open source, right?
        • by Sycraft-fu (314770) on Thursday February 17, 2005 @02:36PM (#11702582)
          Their contention was that for lower skill admins, Windows was more secure. Now, assuming the research was done correctly and the data does indeed support the conclusion, it's a good thing to know. That's something ot try and improve in Linux, espically since less competent admins are the real problem.

          It's not all that useful to research how tight a competent admin can lock down a box because the answer for almost any OS is "very well". You get a good admin that knows their OS and is on top of things, they can keep anything secure, even Windows. So it's not of much use to say a compentent Linux admin can make a secure system, we already knew that.

          It is useful, however, to know that a less competent admin will have trouble. More useful would be to know what specificly need to be done to fix it, but just knowing that it's a problem is a start. If Linux continues to gain in popularity, more people that are not as competent will be running it. While you can never truly protect someone from themselves, there are things you can do to make things more secure for those that don't know what they are doing, and that's a good thing for Linux developers to be looking in to.
      • by Laur (673497) on Thursday February 17, 2005 @01:51PM (#11701892)
        No offense. But it sounds like people are searching for things to dismiss this study. Um, yes, a Linux guy changed his mind after seeing the conclusions of the study. That means it's not a valid study?

        When a study is contradictory to most peoples direct experience and observations they tend to be heavily skeptical. If a study was released saying the sky is really mauve, not blue, people are also going to be pretty dismissive. When was the last time you read about a Unix/Linux worm or virus on a nontechnical site like CNN? Or heard about it on the evening news? Ever heard these things about Windows? This isn't to say that the study is invalid, just that they better have a damn good case if they expect to convice anyone.

        • If a study was released saying the sky is really mauve, not blue, people are also going to be pretty dismissive.

          As right people should be dismissive. The sky is neither mauve nor blue, it has no colour. Blue light scatters in the atmosphere causing it to look blue.

          Nearly half that article had nothing to do with Linux or Windows security.

      • I'm not sure that Dr. Ford is a Linux guy. He may claim he's a Linux guy, in an attempt to make his 'conversion' story a more compelling argument for the side he 'converted' to.
      • No offense. But it sounds like people are searching for things to dismiss this study. Um, yes, a Linux guy changed his mind after seeing the conclusions of the study. That means it's not a valid study?

        Exactly. Regardless of the validity of the study the Linux community should be taking this the same way they've taken other comparisons in the past: as a spur to make the changes and improvements necessary to make Linux simply that much better than the opposition.

        Right now that means, if you're a developer
    • by EvilTwinSkippy (112490) <.yoda. .at. .etoyoc.com.> on Thursday February 17, 2005 @01:29PM (#11701568) Homepage Journal
      Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.

      Um, no. Your average system administrator earns about $62k has at least 2 years experience, and generally a bachelors degree in a related field. At least according to most industry figures. [salary.com]

      The job title also entails tweaking system configurations for security, evaluating patches, etc. etc.

  • Not again... (Score:5, Insightful)

    by PoprocksCk (756380) <poprocks@gmail.org> on Thursday February 17, 2005 @01:09PM (#11701238) Homepage Journal
    "Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued."

    So Windows is more secure than Red Hat because Microsoft chooses to report less vulnerabilities and release less patches? Hmmm...

    (Move along, nothing new to see here.)
    • Re:Not again... (Score:3, Insightful)

      by bonch (38532)
      When people so routinely dismiss studies that paint Linux in less than flawless light while praising studies that put it at the top, I can't help but shake my head.

      Your post has to be the fourth one I've seen that has said the exact words "Move along. Nothing to see here."

      Why so desperate for people to not see it? Linux is not flawless. In fact, it's not been the best of years for it (Firefox as well). I'm sorry, but as popularity grows, so will the security reports pointing out the inherent flaws in
      • Re:Not again... (Score:3, Insightful)

        by drinkypoo (153816)
        Desperate? I think you need to go reread the above comment. No one is desperate for someone not to see this so-called study. (It's an experiment at best.) The point is that it's not a study, it's just a couple guys poking at some computers over a fairly brief period of time and making some observations. Anyone basing business decisions off this study should have their head examined. Of course, the common conception is that most PHBs will read it and say "hey, this Linux thing has problems. Look, the study s
  • Non Story (Score:5, Insightful)

    by bfree (113420) on Thursday February 17, 2005 @01:09PM (#11701241)
    Until the report is released this is a non-story, just fuel for the FUD machine. Unfortunately we will have to wait for a month to actually discuss what this means so I don't even no why I am bothering to post to this!
    • Re:Non Story (Score:4, Insightful)

      by PoprocksCk (756380) <poprocks@gmail.org> on Thursday February 17, 2005 @01:25PM (#11701503) Homepage Journal
      Heh. Here's what we've come to learn over the past little while, I guess:

      Red Hat = Linux

      Microsoft > Red Hat since it announces less vulnerabilities

      Therefore Microsoft > Linux by the transitive assumption...

      Seriously though, that's the problem with EVERY SINGLE one of these "security studies" -- they don't "study" anything, but they do "research" -- and they always use the same, weak argument as described above.
  • by jmcmunn (307798) on Thursday February 17, 2005 @01:09PM (#11701244)
    ...is only as good as the security of the admin setting it up. It doesn't matter how many updates need to be run, whether one or one hundred. If the system admin doesn't keep the server up to date, it's only a matter of time until the server will be vulnerable.

    Now let the flaming begin, so you can all argue about the number of patches/updates required for each system, how long it takes for Linux/Windows to respond to problems, and all that good stuff. We all know that's the only reason this kind of story shows up on Slashdot is to start a good flame/troll war! :-)
    • Exactly. Don't miss the part where they say that both servers were generic builds:

      -----------
      Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.

      Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
      ---------

      Define 'Wizard', and this may be informative. Ot
      • They not only said generic builds, but HYPOTHETICAL builds. As in they didn't actually setup machines, rather it is all a thought experiment.

        As to whether it was a poor experiment or not, show me the data.
  • Self-Evident (Score:5, Insightful)

    by Wvyern (701666) on Thursday February 17, 2005 @01:10PM (#11701246)
    "...Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance." By his own admission the Linux administrator is a "Wizard" compared to the average MS Systems Admin. Well, that just about says it all doesn't it?
  • I'm no zealot (Score:5, Insightful)

    by InfallibleLies (654694) on Thursday February 17, 2005 @01:10PM (#11701259)
    of either Linux or Windows, but really, how is one more secure than the other? If there's an equally exploitable hole in each, is it the one that gets fixed faster more secure? If it is, then the only thing making one more secure than the other is the administrator. He/She's the only one who can patch their systems by actually downloading the patch and applying it.

    No matter how fast a patch is issued, you still have to install it for it to work.

  • by Saint Stephen (19450) on Thursday February 17, 2005 @01:10PM (#11701262) Homepage Journal
    Doesn't Microsoft encourage delaying announcing vulnerabilities until a patch is available?
  • by Vollernurd (232458) on Thursday February 17, 2005 @01:11PM (#11701281)
    How the hell can anyone claim to be a "Microsoft enthusiast"?! It's hardly a hobby.
  • Hardly a study (Score:5, Insightful)

    by metatruk (315048) on Thursday February 17, 2005 @01:12PM (#11701289)
    This was a hardly a study. I don't see any data presented here, and certainly no methodology used to gather the data. Sorry, but the scientific method always wins.

    Sorry, but this "study" is not a study.

    Why was this even posted?
  • by Caeda (669118) on Thursday February 17, 2005 @01:12PM (#11701295)
    That they actually admit in the article that they set up the linux server as the absolute default change no security settings leave it just as it comes right out of the box... As they specifically state they left minimum configuration in place and linux users might do more. Basically implying the study is a pile of sh*t since no company in there right mind would opt for a total linux solution and then leave the webservers running without changing any settings...
  • by digitalgimpus (468277) on Thursday February 17, 2005 @01:13PM (#11701306) Homepage
    Read it for yourself. It reads:

    "Believe it or not, a Windows Web server is more secure than a [i]similarly set-up[/i] Linux server, according to a study presented yesterday by two Florida researchers."

    So when you load a linux server with software that has known security holes....they are both equally as secure.

    It's not groundbreaking news.
  • by Leroy_Brown242 (683141) on Thursday February 17, 2005 @01:13PM (#11701312) Homepage Journal
    . . . 2 florida researchers were seen speeding away from thier work places in new ferarri's wearing armani suits. . .
  • Reproducebility? (Score:4, Insightful)

    by RenHoek (101570) on Thursday February 17, 2005 @01:14PM (#11701319) Homepage
    I wish they'd post some info about the tests themselves. At least what kind of setups they user, where they got the info about vulnerabilities and patches, and so forth..
  • by diamondsw (685967) on Thursday February 17, 2005 @01:14PM (#11701320)
    A "Linux fan" and "Microsoft enthusiast" trying to cut through the near-religious arguments?

    I'll take a nice report by computer scientists and security experts about overall system design over crap papers like this any day.
  • by Daedala (819156) on Thursday February 17, 2005 @01:17PM (#11701361)
    Neither article defined "days of risk" to my satisfaction. Is it "days since the vulnerability was published" or "days since the vendor was informed of the vulnerability"? I suspect that Microsoft is more likely to hear things privately early. ASN.1 library anyone? It was discovered in July 2003, and announced and patched in February 2004. Was that six months of risk or one day?

    Secondly, there's no discussion of how the criticality of a vulnerability was weighed. If every "day of risk" for Windows was "critical," and every "day of risk" for RedHat was "moderate," then I'd differ with their conclusions. Further, there was no mention of whether they considered actual exploits in the wild.
  • by rjune (123157) on Thursday February 17, 2005 @01:19PM (#11701395)
    Directly from the article:

    "The pair examined the number of vulnerabilities reported in both systems and the actual and average time it took to issue patches. In all three cases Windows Server 2003 came out ahead, with an average of 30 "days of risk" between a vulnerability being identified and patched compared to 71 from Red Hat."

    There is nothing said about the severity of the vulnerabilities. This article would never make it in a peer reviewed publication.
  • It showed one configuration of Windows 2003 server to be more secure than one configuration of RedHat Enterprise running Apache.

  • My problem. (Score:3, Insightful)

    by juuri (7678) on Thursday February 17, 2005 @01:21PM (#11701430) Homepage
    With all of these studies is they typically work on the assumption you are just throwing a server, regardless of OS, on the net. That means there is no load balancer in front, no filtering at the border routers, no firewalls and nothing is ever blocked.

    If a company or individual is actually doing this how on Earth can they possibly attest to the security of their server?
  • by Spudnuts (21990) on Thursday February 17, 2005 @01:21PM (#11701437)
    In a previous job at a datacenter where we ran Red Hat Enterprise Linux, I frequently got the comment that there seemed to be a lot more Linux patches than Windows patches. All of the updates for optional software (I tried to do minimal installs and/or remove optional things, but the dependencies sometimes made this awkward) simply made the systems seem more needy than the Windows systems.

    Many of the vulnerabilities were of low risk to us, but it was rare for the system owners to say that even with this low risk that it was acceptable to hold off on applying the patches.
  • by NoMoreNicksLeft (516230) <<ten.tsacmoc> <ta> <relyo.nhoj>> on Thursday February 17, 2005 @01:21PM (#11701444) Journal
    cfelde writes "Satanism is less evil than a christianity, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of philosophers, discussed the findings in an event, 'Religion Showdown: Good vs. Evil.' One of them, a satanist, performs perverse human sacrifice rituals; the other volunteers at the local homeless shelter. They wanted to cut through the near-political arguments about which religion is less evil from a morality standpoint."
  • by Oriumpor (446718) on Thursday February 17, 2005 @01:22PM (#11701463) Homepage Journal
    The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.


    Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.


    Come on, who runs a Windows box on the web without heavy firewalling, software firewalling (blackice with autoblocking for instance) and regular audits?

    The same goes for Linux. Security is not something to be taken lightly. People should NOT be putting machines out in the open. The best practice used to be Firewall critical servers. The best practice has become Firewall, IDS, and monitor the crap out of anything touching the internet.

    These tests are always like comparing a Factory Model to a Nascar Stock Car.
  • by rpdillon (715137) on Thursday February 17, 2005 @01:23PM (#11701476) Homepage
    This "article" doesn't actually provide with any information in what WAY the results were obtained.

    From an admin perspective, I want to know what the vulnerbilities were, and what their definition of "vulnerable" is - especially if they say "Windows had 30 days of vulnerbaility, versus 71 for Linux".

    On that topic, when are we going to get past the label "Linux"? There is no such thing. There's RedHat, SuSe, Gentoo, and Debian (among hundreds of others) and they all handle security differently. I'm sure I could find distros LESS secure than Windows, and I'm sure I could find distros unquestionably MORE secure, as well.

    Ah, well, I guess I'll wait for the report. I would have preferred a headline:
    "OS Zealots Face Off in an Anecdotal RedHat vs. Windows Web Server Security Showdown - IIS Triumphs"
  • by EmagGeek (574360) <gterich@@@aol...com> on Thursday February 17, 2005 @01:24PM (#11701491) Journal
    I would think that a Windows box set up by a MS Certified Professional and a Linux Box set up by some kind of Linux Certified Professional would be a much better comparison than one between a "Linux Fan" and a "Microsoft Enthusiast."

  • Horribly flawed (Score:5, Insightful)

    by StormReaver (59959) on Thursday February 17, 2005 @01:27PM (#11701537)
    "There are some people who are sceptical [of the results]," said Dr Thompson. "We would encourage them to replicate this type of study. If you see flaws please tell us."

    Are they joking? Their metric (reported vulnerabilities) is absurd for a number of reasons.

    1) Microsoft reports only a fraction of its vulnerabilities. Remember when Win2000 had over 65000 known (to Microsoft) flaws? No more than a handful were ever reported. Microsoft reports flaws only after bearing enormous public humiliation. Of course Microsoft's flaw count is going to be low. Microsoft hides them all until forced to disclose.

    2) Linux vendors report every hair out of place. It doesn't matter if the flaw causes a D to look like an O on the third day of the Summer Solstice, but only if that day matches the 4th digit of PI, and only if the computer has calculated the cure for cancer at exactly 15 milliseconds after the user's orgasm.

    3) Seriousness of vulnerabilities. Due to the nature of full disclosure under Linux, it will -always- have higher reported flaw counts than Windows. The vast majority of reported Linux flaws, however, are relatively benign, while the vast majority of reported Windows flaws hand over complete control of your computer to some third party.

    4) Widespread Propagation. Windows, by its intended design, makes propagating exploits to these vulnerabilities trivially easy (automatic, actually), while this has yet to be accomplished on Linux (and likely won't be).

    Sorry, but this "study" is complete nonsense.
    • Re:Horribly flawed (Score:3, Insightful)

      by ad0gg (594412)
      You know there is difference between a flaw and a vunerability? Showing the wrong icon on a messagebox. Showing the wrong dialog text. Windowing issues which i see a lot of. Race conditions.
  • Quality Research (Score:5, Insightful)

    by deanpole (185240) on Thursday February 17, 2005 @01:28PM (#11701550)
    One datapoint makes a terrible graph.
  • by cliffiecee (136220) on Thursday February 17, 2005 @01:29PM (#11701573) Homepage Journal
    ... and squint your eyes, you'll see the 'clear' results.

    The researchers used reported vulnerabilites as their guideline, and 'days of risk;' quote: "the period from when a vulnerability is first reported to when a patch is issued."

    Windows Server 2003 had 30 days of risk, Linux (Red Hat Enterprise Server 3) 71 days.

    But which reports of vulns are they considering? Microsoft often provides their own reports, which are released WITH THE PATCH. I wouldn't give those reports the same weight, since the vuln could have been there (and unofficially known) for MONTHS.

    I fully expect Linux to have MORE vulns in any case, since Linux ultimately is a collection of separate programs working together, each of which has their own potential insecurities. But, a vuln in sendmail is NOT going to affect my webserver, because I'm going to turn that OFF (if I'm a smart admin).

    In fact, the researchers only used a "hypothetical" system to show "what an average system administrator may do." I'm sorry, but if an admin is using anything like a default setup he is BELOW average.

    In conclusion, this really sounds like a comparison of how vulnerable the respective systems with a 'default' install. Wake me up when they go head-to-head with OpenBSD.

    P.S. Hey researchers- RED HAT IS NOT LINUX.
  • by G4from128k (686170) on Thursday February 17, 2005 @01:31PM (#11701597)
    The study posts the "days of risk" defined as the time between announcement of a vulnerability and the availability of a patch. But this definition misses two big factors. First, there will be some number of days between the discovery of the vulnerability and the announcement of it. Second, there will be some number of days between the patch being available and the downloading of it. Both factors increase the days of risk and mean that a quickly-patch OS with lots of holes has higher practical risk than an slowly-patched OS with few holes.

    I don't know which OS has more risks, has a greater delay between discovery and announcement, or has a greater delay between patch availability and patch application. Does MS or Linux get more slack from vulnerability finders? Do MS or Linux admins patch faster? DOes MS or Linux get more vulnerabilities? These data points would help evaluate the true risk.
  • by GoNINzo (32266) <GoNINzo&yahoo,com> on Thursday February 17, 2005 @01:34PM (#11701651) Homepage Journal
    Yeah, I know we're used to this FUD but let's take a bit closer look.

    One is that as someone pointed out earlier [slashdot.org], the 'linux enthusist' has accepted research grants from Microsoft before. That's a little suspect.

    Two is the data they present as 'proof' that windows is more secure, the delay between announcement and patch. "the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup". Besides the point that it doesn't prove one more secure than the other, Microsoft has released patches the same day they announced the exploit because they've kept it supressed.

    Three, if your server is behind a firewall (as all web servers should be!), you need to protect two ports and the software associated with them. Did they limit the study to just those details? Or was this a stock install of these machines directly on the internet?

    And fourth, there was no demonstration, this was simply an announcement by two guys who ran some numbers against an undisclosed exploit database. Which thing was it that ran 71 days or stretched everything that long? How many total exploits was it? If I had 2 exploits on redhat, one at one day and one at 141 days, but 10 exploits on windows varying from 1 day to how many days for the ASN exploit... which is more secure again?

    Stock install, no patches, then yes, I would say the windows server is more 'secure' than the linux server, dispite vulnerabilities in each. But that's like saying that this screen door is more secure than this paper door.

  • by DunbarTheInept (764) on Thursday February 17, 2005 @01:58PM (#11702023) Homepage
    The article compares the window of times of vulnerability between reports of security flaws and available fixes to them. Based on that, Linux should come out WAAY ahead, and yet it didn't... And then I noticed the one importat detail - they were comparing Redhat to Windows, and thus the window of vulnerabilty counts from when the vulnerability is reported to when REDHAT gets the fix packaged up and pushed out through *their* channels, which is signifigantly after the fix is available if you didn't go through redhat to get it.

    So, the research is very true - a straight redhat install with no outside packages does have longer windows of vulnerability than a straight Windows install with no outside packages. But the person writing the article told a MAJOR LIE when summarizing it for the article, by attributing the long windows of time to linux in general, when really it's a problem with just redhat.

  • I'm going to dump my Fedora Installation(TCO $0.00)
    and run to the store and buy me Server 2003(TCO $599-$3522 + Licencing).

    Definitly not going for RHEL(TCO $349-$2499 + Licencing) because no matter how hard I try, I could never get as secure with up2date, SELinux, Pax and Firefox as I could be with Windows Update, Third party antivirus, Windows Firewall and Security Center. NEVER!

    And I shouldn't even be comparing Fedora to Server 2003 because Fedora could never be used as a server of any kind. Neither could Slackware(TCO $0.00), Suse(TCO ~$100.00), Mandrake(TCO ~$100.00), Debian(TC0 $0.00) or any other of those insecure Linux distros! They're not SOLD as servers so they absolutely cannot be compared to server 2003. No way, never, uh-uh.

    Wow! This study has really opened my eyes to the lie. Why did I abandon my XP installation(TCO $200.00) after only a few dozen major worm outbreaks? I could have done anything on XP that I can do in Linux. It would only have cost be a few thousand dollars, but I could have!

    These researchers have really opened my eyes to the lies. I believe everything they say, even without the data to prove it they..... .....

    Ok here my sarcasm must crack under the sheer enormity of the following statement.
    The pair said that they lacked the funding to test other operating systems, such as the Apple OSX kernel(TCO $100.00), although they thought it was "amazingly" stable.
    WTF!? Are these guys for real? Is this study just a troll? I mean... WTF!!?

    I will however take a wild guess that their next server security study will have OpenBSD mysteriously absent.
  • by tacocat (527354) <tallison1NO@SPAMtwmi.rr.com> on Thursday February 17, 2005 @02:00PM (#11702054)

    The article states that the configurations where done using the typical, basic options that an adminisrator may do and not any kind of security wizard.

    I would like to know how many companies are out there that would take their pimply faced intern and have him to a default installation for an internet server with databases on it. They may have found a valid point, but their premise is fucking retarded.

    I have always given MSFT the benefit of the doubt that they would have the option to configure a server with the intention of meeting security requirements and similarly doing the same with Linux and then see who's the most secure. While Microsoft has made ground against the *NIXes of the world, I really don't believe that a reasonable attempt at security is any better on Windows than it is on Linux. Considering the damage they've been suffering, I would expect their default installations to be increasinbly severe.

    I would equate this study to testing the security of a 4 foot high brick wall or a 3 foot high set of four horizontal wires. The wall is obviously more secure, until you turn on the high voltage supply to the electric fence...

  • by Eskimore_ (842733) on Thursday February 17, 2005 @02:13PM (#11702243)
    I did some work at a local University a while back. The faculty I worked in used HP-UX for their core services, Linux on the desktop, a couple of Solaris labs and 1 small (less than a dozen) windows lab. The other faculties used Windows almost exclusively.

    The faculty that ran the *nix based services had almost no complaints of intrusion or other security problems from the "global" IS department of the university, while some of the windows using faculties were being threatened with losing their internet access because of too many security breaches.

    No, this isn't a study. But it's evidence of how it works in the real world.

    The reason I think *nix is more secure is because of how configurable it is. You can configure almost anything. Hell, you could write your own TCP drivers if you felt like it (not that I've ever known anyone to do that). On Windows you're limited to the security options given to you from the vendor. Or you have to pay a 3rd party for their innovation... With *nix the power is in your hands.

    'Out of the box' software/systems are usually never ready for production environments right? But sufficiently tweaked most systems can be reasonably secure and centrally manageable. I just think that level of tweakability is higher with *nix. /my2cents
  • by VB (82433) on Thursday February 17, 2005 @02:23PM (#11702396) Homepage
    It's unfortunate RedHat has acquired Windows' weak security posture in it's effort to attract Windows server market share. I've personally had to administer 3 compromised Redhat boxes, and this after converting that client over from Windows due to a compromise.

    But, RH isn't Linux. Linux is many distributions, some good, some not so good, but if you take the pool of Linux administrators against the pool of Windows administrators, you'll find Linux administrators are more knowledgeable about their systems and do smarter things in securing them. This isn't as true as it was a few years ago before the reluctant Windows administrative masses took refuge in RedHat, but you won't see _any_, not even one Linux defector to Windows. Perhaps BSD, but definitely _not_ Windows!

    I've never seen one of my Slackware servers (running sendmail, _even_ and FrontPage extensions with PHP on the Apache server) compromised. It's never happened in the 10 years I've been using them.

    I've been wasting a lot of time lately poring through logs for a new project and it's ludicrous how much additional coding I've had to put into my Perl scripts to make allowances for compromised Windows boxes that have inundated my web server with traffic during their Code Red and Slammer compromises, not to mention all the other little oddities Windows clients do when downloading mp3s from the server, such as client caching and sending 32k+ search strings in the URL. It creates work to have these obnoxiously configured client machines on the Internet.

    I'm not going to complain too loudly since without all these Windows users on the Internet surfing my site, there wouldn't be much of interest to process in these logs, but to assert Windows as more secure than Linux?! Really....

    Could someone please post the name of which Micro$oft C?O's budget backed this study, so we can move on to a more interesting and valid discussion?
  • Hmm... true (Score:3, Insightful)

    by doyle.jack (836744) on Thursday February 17, 2005 @02:27PM (#11702462) Homepage
    A Windows Web server is more secure than a similarly set-up Linux server

    I would have to agree. Windows IIS servers are insecure, if you set up an Apache server similarly (insecure), it will also be insecure.
  • by frozenray (308282) on Thursday February 17, 2005 @02:30PM (#11702494)
    Which is more secure, Windows or Linux? It depends on whom you ask. Here's what Bruce Schneier, a reputable security researcher and author of "Applied Cryptography" and other computer-security related books has to say on the matter:

    Linux Security

    I'm a big fan of the Honeynet Project (and a member of their board of directors). They don't have a security product; they do security research. Basically, they wire computers up with sensors, put them on the Internet, and watch hackers attack them.

    They just released a report about the security of Linux:

    Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that a unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) have an online mean life expectancy of 3 months before being successfully compromised.

    This is much greater than that of Windows systems, which have average life expectancies on the order of a few minutes.

    It's also important to remember that this paper focuses on vulnerable systems. The Honeynet researchers deployed almost 20 vulnerable systems to monitor hacker tactics, and found that no one was hacking the systems. That's the real story: the hackers aren't bothering with Linux. Two years ago, a vulnerable Linux system would be hacked in less than three days; now it takes three months.

    Why? My guess is a combination of two reasons. One, Linux is that much more secure than Windows. Two, the bad guys are focusing on Windows -- more bang for the buck.

    Bruce Schneier [schneier.com]
    Posted on January 06, 2005 at 01:45 PM
    ------------
    Different methodology, different results. My money's on Schneier.
  • by LuSiDe (755770) on Thursday February 17, 2005 @02:30PM (#11702496)
    This is probably FUD but we need solid arguments to debunk it. Slashdot, Groklaw et al can contribute to this but saying its 'crap' right away because of the conclusion which you may dislike is not entering the discussion from a pragmatic or rational point of view (quite the contrary).

    I'm gonna give it a try and quote here what I read in the VNUnet article (which is the most informative one IMO since it contains a few details, in contrast to the other one) and try to express some reasoning. Until the real analysis is out we cannot be sure about anything though.

    analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.

    Classic strategy: minimize your enemy by defining it tightly as a dogma, then attack that dogma. I've seen this from Sun Microsystems as well. Basically, they ignore e.g. Novell. At least Novell is also a big player in terms of market share.

    That said I remain interested in learning why they chose to compare to Red Hat and Red Hat alone.

    "Vulnerability counts are much higher with Red Hat than with Microsoft," said Dr Ford.

    Definition of 'vulnerability counts' and which vulnerabilities are counted. For example, lets say Red Hat has a patch for OpenLDAP while i run LAMP or LAPP then who cares about the fact that there's an OpenLDAP patch? Not me.

    In all three cases Windows Server 2003 came out ahead, with an average of 30 "days of risk" between a vulnerability being identified and patched compared to 71 from Red Hat.

    71 days is long! How they got to these numbers is also very interesting. For example, does this include e.g. the Mozilla bug which was alleged to be known (but not fixed) in 2001? It reminds me about MSIE for which vulnerabilities took long as well and remember 1 patch != 1 vulnerability either.

    "I am a huge Linux fan, and I have a Linux server in my basement. The first time I saw the statistics I thought someone had mucked about with my database."

    "There are some people who are sceptical [of the results]," said Dr Thompson. "We would encourage them to replicate this type of study. If you see flaws please tell us."

    Statements like these may just as well be from astroturfers. Its also a classic strategy: basically, you play as if you're convinced by the study you conducted yourself while you expected a different result. In all honesty, why would you believe the judgement about the conclusion ("FUD!") from someone who hasn't read the study over the one from the person who's got convinced by his own study? This is why there's not much we can currently do except arguing over the existing details! This is why we need to stress about where the missing details are. This is why we cannot judge yet.

    One last note:
    "You would be a fool to make platform decisions without thinking about security," said Dr Ford. "When you choose a platform you have to factor in the costs of intrusion. It is not just the costs of a break in; it is the time spent running around making sure no one gets in."

    With that last statement he Dr Ford basically says to take this study with a grain of salt because thats precisely what he hasn't researched!
  • by noidentity (188756) on Thursday February 17, 2005 @02:32PM (#11702521)
    In an academic study due to be released next month Dr Richard Ford, from the Florida Institute of Technology, and Dr Herbert Thompson, from application security firm Security Innovation, analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.

    I see.
  • Related article (Score:3, Informative)

    by loconet (415875) on Thursday February 17, 2005 @02:32PM (#11702525) Homepage
    Here is another related report [theregister.co.uk] in which Windows is compared with Linux in terms of security. Interesting read.
  • do I care? (Score:3, Interesting)

    by Anonymous Coward on Thursday February 17, 2005 @02:39PM (#11702608)
    I have a Linux server with qmail and publicfile. No other open ports except SSH which is firewalled to a small set of hosts, runs on a different port, works with keys only, and doesn't use PAM. I haven't rebooted or patched anything on it in months. Unless there is a remote root hole the kernel I won't bother with it.

    Maybe Red Hat is less secure than Windows, who cares. They both have greater than zero security holes, which makes them both insecure. All I know is I have a fairly secure server and I know how to set up another one for zero dollars on my lunch break. Plus djb has a $500 reward for security holes in his software, I don't see Microsoft even pretending they have anything like that.

    Folks, don't fool yourself. Both Windows and Linux distros are mostly crappy software full of holes. It doesn't need to be that way, and admins shouldn't need to be "wizards". But that's how it is.

    At least with Linux you 1) don't have to pay and 2) have access to the source code. I don't see how Windows can ever win this argument, except maybe with inexperienced or ignorant admins, or special windows-only software.
  • Biased? (Score:5, Insightful)

    by Quixote (154172) * on Thursday February 17, 2005 @02:42PM (#11702652) Homepage Journal
    As someone else also mentioned earlier, the reason people are so skeptical of such "studies" is that these go counter to their own experiences.

    As someone said, "extraordinary claims demand extraordinary evidence". In a lot of peoples' opinion, the claim that Windows is more secure than Linux is just that, an extraordinary claim.

    How would the authors of their study reconcile it with something like this one [theregister.co.uk], which showed that a default installation of Windows got infected with a virus within 20 minutes?

Heuristics are bug ridden by definition. If they didn't have bugs, then they'd be algorithms.

Working...