Forgot your password?
typodupeerror
Security Software Microsoft Linux

Study Finds Windows More Secure Than Linux 796

Posted by Zonk
from the an-interesting-definition-of-secure dept.
cfelde writes "A Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, 'Security Showdown: Windows vs. Linux.' One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint."
This discussion has been archived. No new comments can be posted.

Study Finds Windows More Secure Than Linux

Comments Filter:
  • by Rollie Hawk (831376) on Thursday February 17, 2005 @01:06PM (#11701187) Homepage
    ... another pissing match.
  • by Mustang Matt (133426) on Thursday February 17, 2005 @01:08PM (#11701217)
    I don't get it. I guess I need to read the article.

    A webserver needs port 80 and maybe 443 open. Any webserver can be secured.

    Where's the news?
  • by Staplerh (806722) on Thursday February 17, 2005 @01:09PM (#11701237) Homepage
    Interesting. Some relevant snippets:

    A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

    In an academic study due to be released next month Dr Richard Ford, from the Florida Institute of Technology, and Dr Herbert Thompson, from application security firm Security Innovation, analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.


    Now, I'll concede that Dr. Ford and Dr. Thompson do sound reputable, but one is an admitted Windows enthusiast and while the other one is a Linux fan who changed his minds, this hardly sounds like a study .

    It's an interesting question, and I'm sure there is no clear cut answer, but a more systematic study (with more parties, rather than just two scientists) is going to be needed to answer this sort of question before the 'results' are trumpetted. I'm sure Microsoft will pick this one up and run with it, however.. more of those annoying ads that seem peppered throughout Slashdot.
  • Not again... (Score:5, Insightful)

    by PoprocksCk (756380) <poprocks@gmail.org> on Thursday February 17, 2005 @01:09PM (#11701238) Homepage Journal
    "Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued."

    So Windows is more secure than Red Hat because Microsoft chooses to report less vulnerabilities and release less patches? Hmmm...

    (Move along, nothing new to see here.)
  • Non Story (Score:5, Insightful)

    by bfree (113420) on Thursday February 17, 2005 @01:09PM (#11701241)
    Until the report is released this is a non-story, just fuel for the FUD machine. Unfortunately we will have to wait for a month to actually discuss what this means so I don't even no why I am bothering to post to this!
  • by jmcmunn (307798) on Thursday February 17, 2005 @01:09PM (#11701244)
    ...is only as good as the security of the admin setting it up. It doesn't matter how many updates need to be run, whether one or one hundred. If the system admin doesn't keep the server up to date, it's only a matter of time until the server will be vulnerable.

    Now let the flaming begin, so you can all argue about the number of patches/updates required for each system, how long it takes for Linux/Windows to respond to problems, and all that good stuff. We all know that's the only reason this kind of story shows up on Slashdot is to start a good flame/troll war! :-)
  • Self-Evident (Score:5, Insightful)

    by Wvyern (701666) on Thursday February 17, 2005 @01:10PM (#11701246)
    "...Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance." By his own admission the Linux administrator is a "Wizard" compared to the average MS Systems Admin. Well, that just about says it all doesn't it?
  • I'm no zealot (Score:5, Insightful)

    by InfallibleLies (654694) on Thursday February 17, 2005 @01:10PM (#11701259)
    of either Linux or Windows, but really, how is one more secure than the other? If there's an equally exploitable hole in each, is it the one that gets fixed faster more secure? If it is, then the only thing making one more secure than the other is the administrator. He/She's the only one who can patch their systems by actually downloading the patch and applying it.

    No matter how fast a patch is issued, you still have to install it for it to work.

  • by Saint Stephen (19450) on Thursday February 17, 2005 @01:10PM (#11701262) Homepage Journal
    Doesn't Microsoft encourage delaying announcing vulnerabilities until a patch is available?
  • by Rollie Hawk (831376) on Thursday February 17, 2005 @01:11PM (#11701268) Homepage
    And how would you make updates?
  • by Assmasher (456699) on Thursday February 17, 2005 @01:11PM (#11701282) Journal
    Did you notice that this was a study aimed at IT administrators, not home users?
  • Hardly a study (Score:5, Insightful)

    by metatruk (315048) on Thursday February 17, 2005 @01:12PM (#11701289)
    This was a hardly a study. I don't see any data presented here, and certainly no methodology used to gather the data. Sorry, but the scientific method always wins.

    Sorry, but this "study" is not a study.

    Why was this even posted?
  • by Caeda (669118) on Thursday February 17, 2005 @01:12PM (#11701295)
    That they actually admit in the article that they set up the linux server as the absolute default change no security settings leave it just as it comes right out of the box... As they specifically state they left minimum configuration in place and linux users might do more. Basically implying the study is a pile of sh*t since no company in there right mind would opt for a total linux solution and then leave the webservers running without changing any settings...
  • by emil (695) on Thursday February 17, 2005 @01:13PM (#11701313) Homepage

    OpenBSD runs chroot() Apache. Does IIS have similar capability?

    The chroot() patch was never taken up, but it would probably not be that difficult to install on Linux.

    I would be disinclined to run any other way at this point.

  • by schon (31600) on Thursday February 17, 2005 @01:14PM (#11701317)
    A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

    Umm, so MS showed him their source code? I find that a little hard to believe.

    If he can't see the source, how can he make any determination at all?
  • Reproducebility? (Score:4, Insightful)

    by RenHoek (101570) on Thursday February 17, 2005 @01:14PM (#11701319) Homepage
    I wish they'd post some info about the tests themselves. At least what kind of setups they user, where they got the info about vulnerabilities and patches, and so forth..
  • by diamondsw (685967) on Thursday February 17, 2005 @01:14PM (#11701320)
    A "Linux fan" and "Microsoft enthusiast" trying to cut through the near-religious arguments?

    I'll take a nice report by computer scientists and security experts about overall system design over crap papers like this any day.
  • by orion41us (707362) on Thursday February 17, 2005 @01:15PM (#11701336)
    Yea, but I can overrun the buffer by posting a grapload of data to 80 and winsock will crash and execute some code I cooked up.... better yet unless the website designers were deligent in using valid charecter checking I can use sql injection on ms sql server (mysql?) and have the server ftp out to my system and download any software I want....
  • by Daedala (819156) on Thursday February 17, 2005 @01:17PM (#11701361)
    Neither article defined "days of risk" to my satisfaction. Is it "days since the vulnerability was published" or "days since the vendor was informed of the vulnerability"? I suspect that Microsoft is more likely to hear things privately early. ASN.1 library anyone? It was discovered in July 2003, and announced and patched in February 2004. Was that six months of risk or one day?

    Secondly, there's no discussion of how the criticality of a vulnerability was weighed. If every "day of risk" for Windows was "critical," and every "day of risk" for RedHat was "moderate," then I'd differ with their conclusions. Further, there was no mention of whether they considered actual exploits in the wild.
  • Re:Integrity? (Score:5, Insightful)

    by leuk_he (194174) on Thursday February 17, 2005 @01:17PM (#11701376) Homepage Journal
    from the article

    Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.


    I hoped for a deeper analysis, like the security model used or how it behaves in networks. But it just back to counting vulnerabilities.

    --Nothing to see here, move on.

  • by cameroon33 (720410) on Thursday February 17, 2005 @01:18PM (#11701382)
    Exactly. Don't miss the part where they say that both servers were generic builds:

    -----------
    Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.

    Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
    ---------

    Define 'Wizard', and this may be informative. Otherwise, it's bunk.
  • Re:More FUD (Score:3, Insightful)

    by Anonymous Coward on Thursday February 17, 2005 @01:18PM (#11701383)
    Typical.

    A study comes out saying Linux is better than Windows? Praise it to high heavens! We knew it all along!

    A study comes out saying Windows is better than Linux? Question the results, Impugn the source and dig as deep as it takes to find some political or financial affiliation between them and Microsoft, no matter how assinine or inconsequential.

  • by rjune (123157) on Thursday February 17, 2005 @01:19PM (#11701395)
    Directly from the article:

    "The pair examined the number of vulnerabilities reported in both systems and the actual and average time it took to issue patches. In all three cases Windows Server 2003 came out ahead, with an average of 30 "days of risk" between a vulnerability being identified and patched compared to 71 from Red Hat."

    There is nothing said about the severity of the vulnerabilities. This article would never make it in a peer reviewed publication.
  • It showed one configuration of Windows 2003 server to be more secure than one configuration of RedHat Enterprise running Apache.

  • by Tackhead (54550) on Thursday February 17, 2005 @01:20PM (#11701422)
    > I don't get it. I guess I need to read the article.
    >
    > A webserver needs port 80 and maybe 443 open. Any webserver can be secured.

    A workstation doesn't even need that.

    Not counting the (numerous) local exploits caused by IE, WMP, Outleak and other applications getting pwn3d by their handling of hostile content, the big (i.e. "remotely exploitable without user intervention") holes in Windows all stem from M$'s unstated design assumption that "all the world's an office LAN", and the open/listening status of ports 135, 445, 5000 (anyone remember uPnP, the first 2K/XP remote exploit?), UDP-1434 (SQL server) and the like.

    If your business is based on selling an office application suite (and you're trying to extract a few more bucks from your office suite sales by requiring that someone buy your operating system to run it), then assuming that all the world's an office LAN is a pretty natural thing to do. It's wrong, it's flawed by design, and it's the canonical example of valuing ease of use over security, but it's pretty natural.

  • My problem. (Score:3, Insightful)

    by juuri (7678) on Thursday February 17, 2005 @01:21PM (#11701430) Homepage
    With all of these studies is they typically work on the assumption you are just throwing a server, regardless of OS, on the net. That means there is no load balancer in front, no filtering at the border routers, no firewalls and nothing is ever blocked.

    If a company or individual is actually doing this how on Earth can they possibly attest to the security of their server?
  • Re:Integrity? (Score:5, Insightful)

    by jedidiah (1196) on Thursday February 17, 2005 @01:21PM (#11701434) Homepage
    This study appears to be a clear example of redifining terms and using statistics to muddle an issue. While the conclusion of the study might be valid given the assumptions, I challenge the assumption.

    I challenge the assumption that Redhat vulnerabilities are equal to Microsoft vulnerabilities.

    Given the history of malware, they clearly are not.

    This study is nothing more than a more formalized version of a certain form of trolling once popular on COLA.
  • by Anonymous Coward on Thursday February 17, 2005 @01:22PM (#11701454)
    I wonder if Security Innovations provides security consulting and training services for Microsoft?

    This should be disclosed in any report that is critical or praises a particular Microsoft product.

  • by Soukyan (613538) * on Thursday February 17, 2005 @01:23PM (#11701471) Homepage
    How many people run Red Hat Enterprise 3 at home? Did you bother to read the article?
  • by EmagGeek (574360) <gterich @ a o l.com> on Thursday February 17, 2005 @01:24PM (#11701491) Journal
    I would think that a Windows box set up by a MS Certified Professional and a Linux Box set up by some kind of Linux Certified Professional would be a much better comparison than one between a "Linux Fan" and a "Microsoft Enthusiast."

  • Re:Non Story (Score:4, Insightful)

    by PoprocksCk (756380) <poprocks@gmail.org> on Thursday February 17, 2005 @01:25PM (#11701503) Homepage Journal
    Heh. Here's what we've come to learn over the past little while, I guess:

    Red Hat = Linux

    Microsoft > Red Hat since it announces less vulnerabilities

    Therefore Microsoft > Linux by the transitive assumption...

    Seriously though, that's the problem with EVERY SINGLE one of these "security studies" -- they don't "study" anything, but they do "research" -- and they always use the same, weak argument as described above.
  • Horribly flawed (Score:5, Insightful)

    by StormReaver (59959) on Thursday February 17, 2005 @01:27PM (#11701537)
    "There are some people who are sceptical [of the results]," said Dr Thompson. "We would encourage them to replicate this type of study. If you see flaws please tell us."

    Are they joking? Their metric (reported vulnerabilities) is absurd for a number of reasons.

    1) Microsoft reports only a fraction of its vulnerabilities. Remember when Win2000 had over 65000 known (to Microsoft) flaws? No more than a handful were ever reported. Microsoft reports flaws only after bearing enormous public humiliation. Of course Microsoft's flaw count is going to be low. Microsoft hides them all until forced to disclose.

    2) Linux vendors report every hair out of place. It doesn't matter if the flaw causes a D to look like an O on the third day of the Summer Solstice, but only if that day matches the 4th digit of PI, and only if the computer has calculated the cure for cancer at exactly 15 milliseconds after the user's orgasm.

    3) Seriousness of vulnerabilities. Due to the nature of full disclosure under Linux, it will -always- have higher reported flaw counts than Windows. The vast majority of reported Linux flaws, however, are relatively benign, while the vast majority of reported Windows flaws hand over complete control of your computer to some third party.

    4) Widespread Propagation. Windows, by its intended design, makes propagating exploits to these vulnerabilities trivially easy (automatic, actually), while this has yet to be accomplished on Linux (and likely won't be).

    Sorry, but this "study" is complete nonsense.
  • Quality Research (Score:5, Insightful)

    by deanpole (185240) on Thursday February 17, 2005 @01:28PM (#11701550)
    One datapoint makes a terrible graph.
  • by bonch (38532) on Thursday February 17, 2005 @01:28PM (#11701554)
    No offense. But it sounds like people are searching for things to dismiss this study. Um, yes, a Linux guy changed his mind after seeing the conclusions of the study. That means it's not a valid study?

    I'm getting a little disturbed at the way all pro-Linux studies are being accepted and all other studies are being dismissed here. Critical thinking should always be welcome. And, yes, Linux is NOT perfect, it is NOT flawless, and it IS full of security holes like anything else. Nobody should take their operating systems so personally that they feel attacked when Linux is criticized.

    Note that this doesn't go for everybody. But there are a lot of zealots in the community who need to learn to see outside their own perspective.
  • by cliffiecee (136220) on Thursday February 17, 2005 @01:29PM (#11701573) Homepage Journal
    ... and squint your eyes, you'll see the 'clear' results.

    The researchers used reported vulnerabilites as their guideline, and 'days of risk;' quote: "the period from when a vulnerability is first reported to when a patch is issued."

    Windows Server 2003 had 30 days of risk, Linux (Red Hat Enterprise Server 3) 71 days.

    But which reports of vulns are they considering? Microsoft often provides their own reports, which are released WITH THE PATCH. I wouldn't give those reports the same weight, since the vuln could have been there (and unofficially known) for MONTHS.

    I fully expect Linux to have MORE vulns in any case, since Linux ultimately is a collection of separate programs working together, each of which has their own potential insecurities. But, a vuln in sendmail is NOT going to affect my webserver, because I'm going to turn that OFF (if I'm a smart admin).

    In fact, the researchers only used a "hypothetical" system to show "what an average system administrator may do." I'm sorry, but if an admin is using anything like a default setup he is BELOW average.

    In conclusion, this really sounds like a comparison of how vulnerable the respective systems with a 'default' install. Wake me up when they go head-to-head with OpenBSD.

    P.S. Hey researchers- RED HAT IS NOT LINUX.
  • by G4from128k (686170) on Thursday February 17, 2005 @01:31PM (#11701597)
    The study posts the "days of risk" defined as the time between announcement of a vulnerability and the availability of a patch. But this definition misses two big factors. First, there will be some number of days between the discovery of the vulnerability and the announcement of it. Second, there will be some number of days between the patch being available and the downloading of it. Both factors increase the days of risk and mean that a quickly-patch OS with lots of holes has higher practical risk than an slowly-patched OS with few holes.

    I don't know which OS has more risks, has a greater delay between discovery and announcement, or has a greater delay between patch availability and patch application. Does MS or Linux get more slack from vulnerability finders? Do MS or Linux admins patch faster? DOes MS or Linux get more vulnerabilities? These data points would help evaluate the true risk.
  • Re:Integrity? (Score:5, Insightful)

    by LurkerXXX (667952) on Thursday February 17, 2005 @01:36PM (#11701679)
    Unfortunately they don't tell you the real server that is more secure.

    The correct answer is the one with the better administrator. You can have a Linux box locked down tight, and a Windows box wide open. You can also have the inverse. Probe around, and you will find boxes of all those flavors out there. It all depends on the competence of the guys running it. The competence of the administrator at running the system he is running has a much larger effect on overall security than which OS is chosen.

  • Re:Hardly a study (Score:3, Insightful)

    by thenextpresident (559469) on Thursday February 17, 2005 @01:36PM (#11701690) Homepage Journal
    Yeah, and they make note that this was a preview of a study they will be releasing in a month's time.
  • Re:Not again... (Score:3, Insightful)

    by bonch (38532) on Thursday February 17, 2005 @01:40PM (#11701727)
    When people so routinely dismiss studies that paint Linux in less than flawless light while praising studies that put it at the top, I can't help but shake my head.

    Your post has to be the fourth one I've seen that has said the exact words "Move along. Nothing to see here."

    Why so desperate for people to not see it? Linux is not flawless. In fact, it's not been the best of years for it (Firefox as well). I'm sorry, but as popularity grows, so will the security reports pointing out the inherent flaws in any complex system constructed by human beings.

    The need to be better than Microsoft has to go. Just concentrate on fixing what is wrong with Linux when it's pointed out. This isn't a popularity contest, right?
  • by Paradox (13555) on Thursday February 17, 2005 @01:40PM (#11701728) Homepage Journal
    I wish I could mod you up, bonch. I've experiened the head-in-the-sand Linux mentality too, and it is scary. It misses the whole point of linux.

    Linux is awesome, this study doesn't change that but we always need to work to make it better and easier to secure. Critics of Linux are our best friends, because they do the work of finding out where we need to improve for free.

    The best thing about linux is that when people have a legitimate complaint, it's well within our power to fix it! If Linux is temporarily less secure, so what? After reading this, everyone will adapt their linux distros to render the complaints moot.

    This is part of why we love open source, right?
  • by mrtom852 (754157) on Thursday February 17, 2005 @01:44PM (#11701784)
    Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard"

    is that an average windoze SA or an average Linux SA?

  • by GunFodder (208805) on Thursday February 17, 2005 @01:49PM (#11701854)
    These researchers mention they are not "wizards" and I think this illustrates an important difference between Open Software and Windows. Linux is great if you know what you're doing. There are lots of resources out there to help you properly configure your system, and if done right you will have minimal issues.

    And you're going to need those resources if you're not a "wizard". Open Source software is not as easy to use as most MS products, and in many cases the documentation isn't very good either.
  • by chrism238 (657741) on Thursday February 17, 2005 @01:50PM (#11701875)
    If he can't see the source, how can he make any determination at all?

    Easily; you don't have to have access to source code to make a determination - you can make many external determinations by treating things as a black-box. It's a myth that only open-source code can be secure.

    We don't understand the "source-code" of DNA, and yet we make millions of determinations about other people, every day.

  • by Laur (673497) on Thursday February 17, 2005 @01:51PM (#11701892)
    No offense. But it sounds like people are searching for things to dismiss this study. Um, yes, a Linux guy changed his mind after seeing the conclusions of the study. That means it's not a valid study?

    When a study is contradictory to most peoples direct experience and observations they tend to be heavily skeptical. If a study was released saying the sky is really mauve, not blue, people are also going to be pretty dismissive. When was the last time you read about a Unix/Linux worm or virus on a nontechnical site like CNN? Or heard about it on the evening news? Ever heard these things about Windows? This isn't to say that the study is invalid, just that they better have a damn good case if they expect to convice anyone.

  • by phyruxus (72649) <jumpandlink@yaho o . com> on Thursday February 17, 2005 @01:51PM (#11701902) Homepage Journal
    "Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance."

    Sure doesn't sound like it's aimed at IT admins. If your IT department doesn't have anyone who's competent to secure and maintain the system(s) you use, it's the fault of management, not the software (nor the admin).

    Hey, my plywood outhouse is more secure than Fort Knox.. as long as the outhouse has a padlock and Fort Knox is unlocked and unoccupied. Putting one competent gaurd in front of the entrance to each highlights the real defendability of both.

    A crayon is ready to use right out of the box - a pencil has to be sharpened. Strangely, we use more pencils than crayons in the workplace. Why? Because it's better. Someday, a PHB will touch the obelisk, and stand upright. Until then, we're stuck with cray^H^H^H^H windows.

  • The Real Truth... (Score:5, Insightful)

    by eno2001 (527078) on Thursday February 17, 2005 @01:56PM (#11701985) Homepage Journal
    ...is too hard to handle for most:

    An OS is only as secure as it's admin is competent. This will NEVER change no matter what platform you are dealing with.

    If you give some RedHat CDs to a complete goof off and have them install it on a system that is going to be directly exposed to the internet, that box is going to get rooted eventually. It might take longer to get rooted than a Windows box, but it will be cracked.

    If you give Windows 2003 Server to a knowledgable admin, he will secure the box and make certain that the likelihood of it getting cracked is fairly low. He will know not to put the box on the internet until he's applied all SPs and critical updates. He will know to use an internal SUS or WUS to make sure that the box is updated without exposure to the internet.

    If you give a complete moron who *thinks* he knows all about [insert platform] any installation media, you're going to have an insecure box.

    It's been my experience that the best people to set up an internet exposed box using any OS are people who are most familiar with all OSes and have a good understanding of how to secure each one. It's not that hard to hit the main security points and still keep on top of all OSes. However, since egos aer so intrinsically tied to how secure a box is, people point the finger at the OS distributor. Sure, they are to blame in many cases, but the implementor is usually far more guilty of being lax. That's the hard truth and it cannot be refuted.
  • Re:Self-Evident (Score:1, Insightful)

    by Anonymous Coward on Thursday February 17, 2005 @02:04PM (#11702108)
    "By his own admission the Linux administrator is a "Wizard" compared to the average MS Systems Admin. Well, that just about says it all doesn't it?"

    No, what he is saying is that the assumption was that a wizard wasn't available to fix all the problems with the Linux setup.
  • Re:Horribly flawed (Score:3, Insightful)

    by ad0gg (594412) on Thursday February 17, 2005 @02:10PM (#11702192)
    You know there is difference between a flaw and a vunerability? Showing the wrong icon on a messagebox. Showing the wrong dialog text. Windowing issues which i see a lot of. Race conditions.
  • Re:More FUD (Score:5, Insightful)

    by jc42 (318812) on Thursday February 17, 2005 @02:12PM (#11702227) Homepage Journal
    Funny thing that seems to be missing in the discussion so far: I don't see anyone pointing out that this is a "sample of one" study. So any generalization at all about which system (or admin ;-) is more secure is laughable at best.

    It is useful as an anecdotal example. Especially in the area of security, where real security tends to mean knowing a lot of very specific examples of how things can go wrong. Documenting how these guys could have inadvertently left holes open would be useful. Then we need several hundred more such paired tests, with a more extensive report listing all the ways that admins of both systems can get it wrong.

    But concluding that, because two guys didn't get it right in a single test, therefore one of the systems is more or less secure than the other, shows little other than a total lack of understanding what security is all about.

    That, or intentional FUD on the part of either or both.

    I'd go with the lack of understanding. People are really good at generalizing from a single case with no statistical significance.

  • Re:Integrity? (Score:5, Insightful)

    by Bastian (66383) on Thursday February 17, 2005 @02:14PM (#11702266)
    I, too, would like to see a more involved, academic analysis of the security of each platform. But even as a quick quantitative analysis, this technique for deciding how secure a system is falls on its face. Instead of counting vulnerabilities, I would be interested in counting number of viruses and script kiddie tools that take advantage of those vulnerabilities. Just counting known vulnerabilities and numer of patches, etc, has a few issues. One is that I honestly believe that a Windows vulnerability is much less likely to be announced once it is discovered than a Linux vulnerability - it's a questionn of culture.

    Another is that just counting vulnerabilities gives you a worst-case scenario. However, my practical experience suggests that if there aren't any script kiddie tools or viruses out there that take advantage of said vulnerability, your chances of getting compromised through it are exceedingly small.

    I'd also like to see some weighting for the likelihood of an attack succeeding through a given vulnerability. I'm going to be a lot more scared of the exploit that works every time than I am the buffer-overflow that lets you run arbitrary code, but only works once in a blue moon.

    Granted, these studies will never have that info; they aren't meant to mean anything, they are just mindcandy for the PHBs put together by industry pundits looking for a quick paycheck or some attention. If I were really looking for a security analysis or comparison that included an open source server that ran on x86 hardware, I would expect OpenBSD to be one of the operating systems tested.
  • by Anonymous Coward on Thursday February 17, 2005 @02:19PM (#11702332)
    Truth be known: security is an ease of use issue; the easer it is to do, the more people will bother to do it. And ease of use falls squarely on the shoulders of the OS, not its user.
  • Re:Not again... (Score:3, Insightful)

    by drinkypoo (153816) <martin.espinoza@gmail.com> on Thursday February 17, 2005 @02:22PM (#11702374) Homepage Journal
    Desperate? I think you need to go reread the above comment. No one is desperate for someone not to see this so-called study. (It's an experiment at best.) The point is that it's not a study, it's just a couple guys poking at some computers over a fairly brief period of time and making some observations. Anyone basing business decisions off this study should have their head examined. Of course, the common conception is that most PHBs will read it and say "hey, this Linux thing has problems. Look, the study says so! We'd better use Windows" and thus this whole thing is a bunch of FUD bullshit.
  • by VB (82433) on Thursday February 17, 2005 @02:23PM (#11702396) Homepage
    It's unfortunate RedHat has acquired Windows' weak security posture in it's effort to attract Windows server market share. I've personally had to administer 3 compromised Redhat boxes, and this after converting that client over from Windows due to a compromise.

    But, RH isn't Linux. Linux is many distributions, some good, some not so good, but if you take the pool of Linux administrators against the pool of Windows administrators, you'll find Linux administrators are more knowledgeable about their systems and do smarter things in securing them. This isn't as true as it was a few years ago before the reluctant Windows administrative masses took refuge in RedHat, but you won't see _any_, not even one Linux defector to Windows. Perhaps BSD, but definitely _not_ Windows!

    I've never seen one of my Slackware servers (running sendmail, _even_ and FrontPage extensions with PHP on the Apache server) compromised. It's never happened in the 10 years I've been using them.

    I've been wasting a lot of time lately poring through logs for a new project and it's ludicrous how much additional coding I've had to put into my Perl scripts to make allowances for compromised Windows boxes that have inundated my web server with traffic during their Code Red and Slammer compromises, not to mention all the other little oddities Windows clients do when downloading mp3s from the server, such as client caching and sending 32k+ search strings in the URL. It creates work to have these obnoxiously configured client machines on the Internet.

    I'm not going to complain too loudly since without all these Windows users on the Internet surfing my site, there wouldn't be much of interest to process in these logs, but to assert Windows as more secure than Linux?! Really....

    Could someone please post the name of which Micro$oft C?O's budget backed this study, so we can move on to a more interesting and valid discussion?
  • Hmm... true (Score:3, Insightful)

    by doyle.jack (836744) on Thursday February 17, 2005 @02:27PM (#11702462) Homepage
    A Windows Web server is more secure than a similarly set-up Linux server

    I would have to agree. Windows IIS servers are insecure, if you set up an Apache server similarly (insecure), it will also be insecure.
  • by Queer Boy (451309) * <`moc.cam' `ta' `67.nogard'> on Thursday February 17, 2005 @02:28PM (#11702469)
    If a study was released saying the sky is really mauve, not blue, people are also going to be pretty dismissive.

    As right people should be dismissive. The sky is neither mauve nor blue, it has no colour. Blue light scatters in the atmosphere causing it to look blue.

    Nearly half that article had nothing to do with Linux or Windows security.

  • by mark-t (151149) <markt@PARISlynx.bc.ca minus city> on Thursday February 17, 2005 @02:31PM (#11702510) Journal
    Your point is valid, however...

    Windows isn't "just another OS"... it has the rather unique position of being on a substantial number of desktops in people's homes. In and of itself this is not a problem and requires no greater security, however, a significant percentage of _THOSE_ systems are also on the Internet. And of course, the problem is that most people are simply not qualified to do a respectable job of administering and securing their home computer. Which brings us to the point you mention. The security problem with Windows are primarily caused by the inescapable fact that most of its users *ARE* ignorant when it comes to security and the fact that MS chooses to continue to market its products at this demographic while at the same time ignoring security issues or sweeping them under the rug is why people may be inclined to blame the operating system or Microsoft for the problems.

    Although, interesting enough, if Darwinism really works, Windows users may ultimately adapt to having to always struggle to keep their boxes secure, and perhaps even end up being better than most Unix gurus at home computer security. Time will tell.

  • by delirium28 (641609) on Thursday February 17, 2005 @02:32PM (#11702532) Journal
    ...I must admit that there is a point lying in there somewhere. Perhaps Red Hat (or Apache) should re-evaluate the "default" setup for Apache. If it was "more secure" in a default setup, then we wouldn't have people like these making these types of claims.

    Keep in mind that most admins are lazy, and that while we can yell and scream that a default setup is not secure nor is it a good indication of being secure, it still should be somewhat secure out of the box. If it's not, then we have a problem and we're supplying the ammunition to the FUD machine that is MS.

  • Re:Integrity? (Score:1, Insightful)

    by Anonymous Coward on Thursday February 17, 2005 @02:35PM (#11702558)
    "Days of risk" reminds me of the logic one of my friends used to use while driving: "The faster we go, the less time we spend exposed to danger!"
  • by Sycraft-fu (314770) on Thursday February 17, 2005 @02:36PM (#11702582)
    Their contention was that for lower skill admins, Windows was more secure. Now, assuming the research was done correctly and the data does indeed support the conclusion, it's a good thing to know. That's something ot try and improve in Linux, espically since less competent admins are the real problem.

    It's not all that useful to research how tight a competent admin can lock down a box because the answer for almost any OS is "very well". You get a good admin that knows their OS and is on top of things, they can keep anything secure, even Windows. So it's not of much use to say a compentent Linux admin can make a secure system, we already knew that.

    It is useful, however, to know that a less competent admin will have trouble. More useful would be to know what specificly need to be done to fix it, but just knowing that it's a problem is a start. If Linux continues to gain in popularity, more people that are not as competent will be running it. While you can never truly protect someone from themselves, there are things you can do to make things more secure for those that don't know what they are doing, and that's a good thing for Linux developers to be looking in to.
  • Re:Integrity? (Score:5, Insightful)

    by jc42 (318812) on Thursday February 17, 2005 @02:40PM (#11702628) Homepage Journal
    Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.

    Actually, this tells us most of what we need to know. If we want our system to be considered secure, the way to do it is: 1) Don't report vulnerabilities; 2) Don't issue security patches.

    Linux pretty much has to lose a contest that is judged this way.

  • Biased? (Score:5, Insightful)

    by Quixote (154172) * on Thursday February 17, 2005 @02:42PM (#11702652) Homepage Journal
    As someone else also mentioned earlier, the reason people are so skeptical of such "studies" is that these go counter to their own experiences.

    As someone said, "extraordinary claims demand extraordinary evidence". In a lot of peoples' opinion, the claim that Windows is more secure than Linux is just that, an extraordinary claim.

    How would the authors of their study reconcile it with something like this one [theregister.co.uk], which showed that a default installation of Windows got infected with a virus within 20 minutes?

  • Once again, RTFA! (Score:5, Insightful)

    by khasim (1285) <brandioch.conner@gmail.com> on Thursday February 17, 2005 @02:43PM (#11702677)
    A study comes out saying Windows is better than Linux? Question the results, Impugn the source and dig as deep as it takes to find some political or financial affiliation between them and Microsoft, no matter how assinine or inconsequential.
    You left off the part where comments such as your's are mod'ed up even though they contain zero content.

    From TFA:
    They compared Windows Server 2003 and Red Hat Enterprise Server 3 running databases, scripting engines and Web servers (Microsoft's on one, the open source Apache on the other).
    That sounds good. A real comparision of real services running on real servers.

    But wait!
    The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.

    Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
    They aren't real setups.

    And it gets worse.
    Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk -- the period from when a vulnerability is first reported to when a patch is issued.
    Hmmmm, I wonder if they included the info from www.eeye.com http://www.eeye.com/html/research/advisories/AD200 50208.html [eeye.com] 190 days is a long time.
    On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.
    That's amazing. Particularly with that single 190 day vulnerability I referenced. And those kinds of "studies" have been completely discredited.

    So, a "study" that doesn't test any real world criteria is somehow valid?

    Oh, it's not that the study is not valid, it's that pointing out the flaws in the study shows the groupthink on /.

    And pointing out that perceived groupthink gets you mod'ed up as "insightful".
  • Re:More FUD (Score:1, Insightful)

    by Anonymous Coward on Thursday February 17, 2005 @02:47PM (#11702728)
    A study comes out saying Linux is better than Windows? Praise it to high heavens! We knew it all along!

    A study comes out saying Windows is better than Linux? Question the results, Impugn the source and dig as deep as it takes to find some political or financial affiliation between them and Microsoft, no matter how assinine or inconsequential.


    Hear hear. This absolute black and white "conviction" and group rage is ruining more for the credibility of "the community" than most people imagine. We just look like crazy fundamentalists.
  • by einhverfr (238914) <chris.traversNO@SPAMgmail.com> on Thursday February 17, 2005 @02:56PM (#11702860) Homepage Journal
    You have a valid point. Furthermore I never talk about a "secure" OS. Personally I don't think Linux is a "secure OS" anymore than Windows is.

    The primary questions include:

    1) How *securable* is the OS?

    2) How gracefully do services respond to failures?

    Secondary questions (addressed in this study) include:

    1) How secure is the OS *by default.*

    2) What constitutes a typical setup?

    Now, personally I don't care much about these secondary questions from a secure server perspective. Linux security is easier than Windows security, and Linux is more securable than Windows. A lot of this is because Windows depends on things like RPC which does not fail gracefully.

    On the other hand, you can mitigate a lot of this risk by proper security practices. A skilled admin is going to be trying to balance usability and security and will do it well if given the approrpiate tools.

    Again the quesition should be "how securable" rather than "how secure" for exactly the reason you mention.
  • by unixbugs (654234) on Thursday February 17, 2005 @02:56PM (#11702872)
    If you are implying that Windows is more secure because you can click on an anti-virus icon you have yet to understand the nature of the problem.

    Think of the gold in Fort Knox as your personal information, and think of the fort itself as the server or PC.

    Fort Knox is not secure because it was easy to do, nor is it secure because they spent ungodly amounts of money securing it. Fort Knox is secure because it was well thought out, well implemented, and has been modeled after the sum of innumerable years of open ideas about how to build a stronghold. The idea of hiding all that gold under a rug and hoping nobody will notice is utterly absurd. All it would take is for someone to accidentally kick the rug or tell just one person where the gold is and its all over. Conversely all it would take is just one person to talk about a hole in Fort Knox to have the entire Army in Kentucky in a matter of hours.

  • Oh yes it is. (Score:3, Insightful)

    by khasim (1285) <brandioch.conner@gmail.com> on Thursday February 17, 2005 @02:59PM (#11702906)
    It said the criteria "included" the number of vulnerabilities. It didn't say that was the whole basis of the study; it was just one factor. Hardly a reason to dismiss the study.
    It is the best reason to dismiss the "study".

    If you want to see which car is safer than another, you would do things like controlled crash tests and use crash test dummies.

    You would NOT factor in how many crashes they had both been in. One moron who keeps hitting telephone poles would alter the stats too much.

    The material in TFA does NOT show them comparing the security models or even the patch severity. One bug in a seldom used perl module that lagged on the fix could result in very bad stats for Red Hat.
  • Re:More FUD (Score:5, Insightful)

    by dgatwood (11270) on Thursday February 17, 2005 @03:02PM (#11702946) Journal
    The funny thing about this is that it says nothing about actual security. The -real- risk interval is the time between when a problem is first exploited and when it is fixed, not the difference between when it is reported and when it is fixed.

    That's a critical difference. So many people pour over the Apache source code that most vulnerabilities are discovered prior to when they actually become "in the wild" exploits. The same cannot be said about MS IIS. Worse, the odds are very good that many the IIS exploits were in the wild prior to when they were first publicly reported, while most of the Apache exploits were, in all likelihood, patched prior to the first exploit.

    When viewed from that perspective, the Windows/IIS server was likely vulnerable to exploit for many, many more weeks than the Linux/Apache server. And that assumes that half the vulnerabilities are ever even reported. With a closed source product, there could be tons of security holes being subtly exploited by clever crackers every day and there would be no way to find out about it.

    No, this article is pure and unadulterated FUD.

    There are three kinds of lies: lies, damned lies, and statistics.
    ---Benjamin Disraeli

  • Why is it that ... (Score:3, Insightful)

    by polyp2000 (444682) on Thursday February 17, 2005 @03:04PM (#11702981) Homepage Journal
    Apache 39821368 68.43 40681140 68.83 0.40
    Microsoft 12137446 20.86 12322111 20.85 -0.01
    Sun 1830008 3.14 1835718 3.11 -0.03
    Zeus 690193 1.19 618599 1.05 -0.14

    Given those statistics (source - netcraft) why is it then, that we dont see malware attacking apache on such a grand scale as we do IIS? If its possible for an operating system with such a small percentage of the (server)market to suffer from such virulent malware attacks - then why do we not see these problems on linux which has a comparatively small share of the desktop market?

    I call bullshit!

    I've been seeing this coming for a while though as people find new and exciting FUD campaigns. Does anyone know who funded this report ? need I even ask that question?

    Nick ...
  • Re:More FUD (Score:5, Insightful)

    by LnxAddct (679316) <sgk25@drexel.edu> on Thursday February 17, 2005 @03:20PM (#11703154)
    Their analysis was based on number of patches and time it took to get patched from the time it was publically released. Microsoft stays quiet about most vulnerabilities until a patch is ready and will ship it some time that month, thus the average 30 days. In addition to this, there are still IE holes unpatched from last july. This didn't make the report because its a server. Also, Linux comes with *much* more software by default and much more functionality. They said that these were default setups. That means that if they were using a distro like Red Hat, every single program gets updated as necessary over 2000 programs judging from one of my boxes). Far fewer programs get updated from Windows Update (usually only core programs and utilities... or things that Microsoft deems necessary).

    Also, many OSS exploits are theoretical in nature... if a strcpy() passes an unchecked ptr and some coder sees this... whether or not that code could have been exploited... he fixes it and out goes the patch. Its a patch for something that may have never been even able to be taken advantage of. That would never happen in a commercial project. All this study shows is that these researchers define security as the ability to hide security problems as long as possible until a patch is ready and if the patch never gets ready, just never tell anyone about the problem. Following the two above stated rules would easily make any software company "secure" by their standards. As stated previously, their criteria was # of patches and time to release. Time to release is shortened by waiting until the patch is ready (which Microsoft does) and # of patches is shortened by simply not releasing non-major patches and just rolling them out with the next version. The criteria these guys used was meaningless and if anything shows that linux is doing something right if they are updating several times more programs with only twice the delay (which i really doubt is the true delay time). One other thing worth noting, the Ford guy has been paid by Microsoft several times to do studies and release them in favor of MS, I'd hardly call him a true linux fan. Maybe this time they just covered it up better... you wouldn't want to bite the hand that feeds you.
    Regards,
    Steve
  • by jopet (538074) on Thursday February 17, 2005 @03:40PM (#11703404) Journal
    Without knowing the study in detail it is exremely difficult to comment, but from what I could read in the news article, there could be a crucial and severe flaw in the study: simply counting vulnerabilites won't tell anything about how critical they are, how easy they can be exploited etc. With opensource apps there is a tendency that many vulnerabilities get reported which are low risk while the number of real vulnerabilites in closed source systems is probably only known to core developers and a few hackers, who won't tell us.
  • by Anonymous Coward on Thursday February 17, 2005 @03:42PM (#11703427)
    Hmmmm, I wonder if they included the info from www.eeye.com http://www.eeye.com/html/research/advisories/AD200 50208.html 190 days is a long time.

    You mean this one?

    "eEye Digital Security has discovered a vulnerability in Windows SMB client's handling of SMB responses."

    Perhaps they didn't include it because this is a study of servers. Once again, RTFA. Dumb shit.

    Further testament to slashdot's retardedness is that that exact same "insightful" comment is posted largely verbatim in each article where Windows is found to be more secure than Linux. and each time I post it, it gets modded to +5.
  • by Ogerman (136333) on Thursday February 17, 2005 @03:42PM (#11703429)
    I haven't found anything that compares to a combination of PP buffer protection on binaries, chroot jailed services, iptables, and SELinux policy. I just don't understand why more vendors haven't tried to create default installs that support this level of security.

    The article as has a point when it states that "linux wizards" could do a lot more to enhance the Linux machine's security compared to the default RHEL installation they were using. Indeed, why are vendors not using the complete assortment of Linux security best practices? Administrators almost always go for the path of least resistance -- whether Windows or Linux. As a result, Linux distros need to make absolutely sure that this path is also the most secure by default. And tools need to be written to make proper administration easier.
  • by X.25 (255792) on Thursday February 17, 2005 @04:36PM (#11704131)
    I also wonder if IIS has mod_chroot ...

    The whole "study" is silly. There is no such things as "more secure", unless you take into account WHO managed those machines. What's the point of having super-secure Linux server if admin leave '1234' as password? Security is not only technology (actually, technology is only small part of it) - it is much more. It is sociology (or whatever you call it in English).

    I've been doing pentests for the past 13 years, and in many (and I mean it) cases I didn't need latest exploit (or any exploit at all) in order to gain access to resources.

    You know, when you do proper information gathering and try to "think like an admin", miracles happen...
  • by X (1235) <x@xman.org> on Thursday February 17, 2005 @06:18PM (#11705375) Homepage Journal
    The irony of the posts I'm reading here make me laugh. I'm reading posts talking about poor analysis and bias written by people who are critiquing a study before it even comes out.

    Folks, it's hard to maintain credibility if you heap praise on one study that agrees with you [theregister.co.uk] and then critique another sight unseen.

    Wait for the study to be published, examine its assumptions, and try to reproduce it. I know it's not as exciting, but that's the only way anyone is going to get to the truth.
  • by myke113 (629375) on Thursday February 17, 2005 @06:43PM (#11705660) Homepage
    Security is a process, not a product. A hardware firewall is useless if it's firmware can't be updated and a vulnerability is found. But software, in the right hands, due to it being more configurable, is generally safer.
  • by elli2358 (848342) on Friday February 18, 2005 @12:05AM (#11707912)
    I'd have to disagree with the position that religions caused "practically every war that we know of". Hitler/Stalin/Pol Pot et al were all secular leaders and they've taken an unimaginable number of lives.

    As far as the European Imperial era, Christianity was often abused by the governments a front to support the looting and plundering of the rest of the world, rather than a primary cause.

    Broad generalizations make us no better than these reports we keep complaining about.

Stupidity, like virtue, is its own reward.

Working...