"Linux geek" sez: Windows more secure than Linux!

yellow

While laughing my ass off after finding http://www.unixsucks.com/, one of the articles linked there made me laugh even harder.

After spending the last couple days wrastling with Panther, Win2k, WinXP and Active Directory, this made me feel good. Apparently these guys were quoted after the open bar closed down...

http://www.vnunet.com/news/1161323

Linux fan concedes Microsoft is more secure

Vulnerability research claims shocking results

Iain Thomson at the RSA Conference in San Francisco, vnunet.com 17 Feb 2005

A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

In an academic study due to be released next month Dr Richard Ford, from the Florida Institute of Technology, and Dr Herbert Thompson, from application security firm Security Innovation, analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.

"Vulnerability counts are much higher with Red Hat than with Microsoft," said Dr Ford. "I am a huge Linux fan, and I have a Linux server in my basement. The first time I saw the statistics I thought someone had mucked about with my database."

The pair examined the number of vulnerabilities reported in both systems and the actual and average time it took to issue patches. In all three cases Windows Server 2003 came out ahead, with an average of 30 "days of risk" between a vulnerability being identified and patched compared to 71 from Red Hat.

But the academics acknowledged that some intangibles, including the relative attractiveness of Windows as a target for hackers, could skew the results. Nevertheless, many attacks these days are aimed at Linux servers rather than Windows systems.

"There are some people who are sceptical [of the results]," said Dr Thompson. "We would encourage them to replicate this type of study. If you see flaws please tell us."

The pair said that they lacked the funding to test other operating systems, such as the Apple OSX kernel, although they thought it was "amazingly" stable.

The long term aim is to set up a website so that system administrators could assess security vulnerabilities before investing in computer platforms.

"You would be a fool to make platform decisions without thinking about security," said Dr Ford. "When you choose a platform you have to factor in the costs of intrusion. It is not just the costs of a break in; it is the time spent running around making sure no one gets in."
Of course, the writer might have left out the part where they said something to the effect of:

of course, with the proliferation of Windows boxes across the world, and a good % of them not getting patched, ultimately everything we've noted here about Linux being less secure than Windows is a complete crock of fecal matter.
Or something..



Or perhaps I'm deluded?
 

rasp

Any system will have a weakness. And improperly maintained systems will have even more... Where was I going with this??? The long and short of the idea is that given proper motivation, the bad guys will find a way in. And we just try to make their job harder is all.
 

superbovine

rasp said:
Any system will have a weakness. And improperly maintained systems will have even more... Where was I going with this??? The long and short of the idea is that given proper motivation, the bad guys will find a way in. And we just try to make their job harder is all.
Exactly because computer perception for most ppl, but it's really a process. The only people that care to say that their OS is the most secure is specifically for marketing purposes. Anybody who knows anything about computer security knows that it's a never-ending process.
 

panphage

I think this was probably a paid advertisement from Microsoft. But if I had to guess, I'd say that Microsoft's vulnerabilities are catastrophic due to random programs being able to make any changes they like to the OS w/o user intervention. I'd say that's less secure in my opinion.
 

yellow

panphage said:
I'd say that's less secure in my opinion.
Yes, and mind-bogglingly stupid. One major reason that I refuse to support Windows in my environment more than I have to.
 

Westside guy

The pair examined the number of vulnerabilities reported in both systems and the actual and average time it took to issue patches. In all three cases Windows Server 2003 came out ahead, with an average of 30 "days of risk" between a vulnerability being identified and patched compared to 71 from Red Hat.
We have both Red Hat (Enterprise Linux 3) and Windows (2000 Server) machines in our server room, so I keep an eye on the time between announcement and "fix" for both systems using subscriptions to things like SANS newsletters. There is NO WAY these numbers could be accurate without some sort of really odd skewing going on. I can't think of a significant Red Hat hole that's taken even two weeks to patch, let alone 30 or 71 days - so I'd really like to see what sort of stuff is being included in this rather than this vague (and sweeping) statement.

On the Windows side, I would bet their number is skewed significantly downward (not that 30 days is a good turnaround time) because Microsoft does not generally acknowledge many vulnerabilities until they've got a patch for them. So you can have an MS vulnerability get announced in, say, Summer 2003, but MS doesn't acknowledge it until Summer 2004 at the same time they release the fix.
 