Linuxlookup.com is reporting Wipro surveyed 90 companies in the U.S. and Western Europe with 2,500 to 113,000 employees where both the Windows and open source operating systems were simultaneously being run. The outcome: Windows beats Linux in Security. “We already know how to secure a Windows-based solution and keep it running smoothly,” says Stephen Shaffer, the airline’s director of software systems. “With Linux, we had to rely on consultants to tell us if our system was secure. With Windows, we can depend on Microsoft to inform us of and provide any necessary updates.”
“With Windows, we can depend on Microsoft to inform us of and provide any necessary updates.”
But of course, we can’t depend on Redhat, Novell, Debian (!) or any other Linux distributors to “inform us of and provide any necessary updates.” This article is such an obvious troll.
So, in reality, the headline should read
“Study Shows Windows Beats Linux on Mindshare”
Some news, huh.
This is like someone saying automatic is better just because they can’t drive manual.
I’d also like to see their cost model..
Here’s the link where this “study” was originally published:
http://www.microsoft.com/presspass/features/2005/jun05/06-23WiPro.m…
“With Windows, we can depend on Microsoft to inform us of and provide any necessary updates”.
Right, and Microsoft is known for telling the truth about the security of their software, just like they are known for using fair business practices…
You get no patch for two months and when it’s finally available it’s critical. That makes sense.
Btw, the reg had a nice article about this and how wipro works for M$.
“With Linux, we had to rely on consultants to tell us if our system was secure. With Windows, we can depend on Microsoft to inform us of and provide any necessary updates.”
What are they doing, rolling their own distro? RedHat, Novell, and other companies are backing their Linux-based OSs the same way Microsoft backs Windows.
I agree with the article that SMS has some advantages over, say, a bunch of Slackware machines that have to be updated manually, but Novell has a YaST-based equivalent, for example.
“• Windows desktops cost 14 percent less to patch than Linux desktops.
• Windows servers cost 13 percent less to patch than Linux servers.
• Windows database servers cost 33 percent less to patch than Linux database servers.
…
Source: MicroSoft Press Pass ”
I bet 82% of their figures are made up.
I better log off my fedora machine all these stack protection and M.A.C. controls built into selinux are making me feel vulnerable compared to windows xp. The fact I have no open ports listening is really scary too. It’s a good thing spyware isn’t targeted for me though and I can still surf the net and check my mail.
“With Windows, we can depend on Microsoft to inform us of and provide any necessary updates.”
I just spewed orange juice all over my monitor!
administrators who are only familiar with windows will have a tough time properly configuring, administrating and even using linux. i wonder how linux admins would fare at properly securing windows systems?
With the specific aim of improving security management, value and reliability, Independence Air, a regional passenger airline based at the Washington-Dulles International Airport, moved its e-commerce Web site from Linux to Microsoft. “We already know how to secure a Windows-based solution and keep it running smoothly,” says Stephen Shaffer, the airline’s director of software systems. “With Linux, we had to rely on consultants to tell us if our system was secure. With Windows, we can depend on Microsoft to inform us of and provide any necessary updates.”
Ummmmm, ever heard of Red Hat and Red Hat Network??? Hell, you can set it up to install the patches while you sleep if you really want. And thanks for telling me what I already knew, that a system is only as secure as the sysadmin makes it.
“Customers have told us that patch management is a significant part of the total cost of ownership equation,” says Martin Taylor, general manager of the Platform Strategy Group at Microsoft. “Wipro’s analysis shows that Microsoft helps address vulnerabilities faster than Linux distributors, enabling organizations to update their Windows environment more quickly than with open source alternatives. Organizations that employ solid management practices and Windows automation technology can significantly reduce the cost of patching and lower their risk exposure.”
ROFLMAO!!!!!!! Take a look at these links to see why.
http://secunia.com/product/2534/
http://secunia.com/product/1174/
Red Hat has zero unpatched vulnerabilities in AS 3. Windows has 11% of all vulnerabilities unpatched in Windows Server 2003.
http://secunia.com/product/48/
An even older product from Red Hat, AS 2.1, been out longer than WinServer 2003, has 0 unpatched vulnerabilities.
http://secunia.com/product/1171/
SLES8 has 99% vulnerabilities patched and 1% partial fix.
http://secunia.com/product/4118/
SLES9 has 98% vulnerabilities patched and 2% partial fix.
And this is biased against Red Hat, because these include vulnerabilities for 2 desktop environments, more than one web browser, an office suite, etc. (Yes, believe it or not, OpenOffice comes bundled with Red Hat’s server products).
It may be cheaper to patch the systems, but I’m willing to bet if Microsoft got around to patching all of their vulnerabilities that are KNOWN about, the costs would rise a bit.
Normally I don’t argue about this crap…but honestly….
If one wanted security, one would choose a system designed to be secure — not one coming from the vehemently anti-privacy/anti-security advocate that is RMS. He’s stated many times in interviews, in person and in public that “freedom” requires a sacrifice of privacy (and security) — that your sensitive data should be free of the shackles of passwords and singular ownership.
If one wanted security, one would choose a system designed to be secure — not one coming from the vehemently anti-privacy/anti-security advocate that is RMS. He’s stated many times in interviews, in person and in public that “freedom” requires a sacrifice of privacy (and security) — that your sensitive data should be free of the shackles of passwords and singular ownership.
Link with quote not taken out of context please?
Then why is it so hard to pick up malware on Linux, and so easy on Windows?
As of right now, there’s simply more malicious software out there designed for Windows… So for desktop use, Windows is the less secure operating system by virtue of its popularity… And by virtue of all of XP’s unpatched bugs, although I’ll give MS the benefit of the doubt there, since they probably have a million other things to work on.
(I won’t mention Windows 9x, which was never designed with security in mind. Comparing Win9x to Linux, or to just about anything else, is like comparing a scooter to a Volvo.)
Also, what Chris said…
“Windows is the less secure operating system by virtue of its popularity”
So is apache. Oh, nevermind.
Sites on Apache servers do get hacked a lot, no?
But we’re talking about operating systems, and Apache ain’t one.
Oy Anonymous (—.ev1servers.net), did you screw up copying and pasting or something? Damned if I can make sense of what you’re saying…
But it’s always amusing to see the fanboys get angry when their “advocacy” fails it.
Well I presented facts from an internet security company. Where are yours (and no, calling people fanboys is not a fact). This article was the worst attempt at FUD. I never comment on these articles and it even made me comment.
“We know how to use and secure Windows whereas we don’t know how to use and secure Linux, so we have to pay someone to do it, therefore, Windows is more secure.”
Here’s another one.
“I have been typing on a QWERTY keyboard all my life. I am very involved with computers and always use a QWERTY keyboard. The other day, I sat down at a friend’s computer, and he had a DVORAK keyboard. I couldn’t type without looking at the keyboard, therefore, QWERTY keyboards cost less than DVORAK’s because DVORAKs are harder to use and require more training.”
“I have been administering Red Hat servers for 6 years. Last year, our company decided to move to SUSE. I have no clue what I am doing, am not properly trained on Novell systems and don’t know how to use YaST. Therefore, SUSE has a higher TCO because I had to be retrained.”
Does that make any sense?
I find it funny how they factor in the consulting costs of Open Source servers because the IT staff aren’t properly trained, and yet, they don’t factor in the costs of the initial training the Windows admins had to go through. Not really a fair comparison in my book.
Yes, I’m a Linux user. Why? Because I got sick of my Win98 system getting infected.
But just because it’s not quite as easy to pick up infections on Linux, doesn’t mean that it’s impossible. Look on any Linux board and you’ll probably see several posts by people who have gotten hacked, asking for help. Linux has vulnerabilities, like any OS – and the applications that people run on it have vulnerabilities of their own. As with any other OS, if you don’t watch your back, you’ll get hacked at some point.
But we’re talking about operating systems, and Apache ain’t one.
Sorry my post flew right over your head:
http://www.theinquirer.net/?article=19302
And I could give you thousands of examples that all prime numbers are odd. Doesn’t make it true, though.
It’s like in politics, where they never lie, but they selectively choose their truths (and why we’ve got that clause where you swear to tell the truth, THE WHOLE TRUTH, and nothing but the truth…)
Idiots deserve what they get. People who actually make decisions based on tech. analyst’s writing really deserve what they get. Listen to your tech department guys, that’s why you hired all those smart people…
“Look on any Linux board and you’ll probably see several posts by people who have gotten hacked, asking for help”
Pardon? Do you have any links? I can’t recall a single one.
Check out this thread on the Gentoo forums:
http://forums.gentoo.org/viewtopic-t-210585-highlight-hacked.html
(Sorry, couldn’t use html, only italic and bold tags allowed…)
Please, he admits it was his fault because he did something stupid:
“I don’t take nearly as good care of it as I should..”
&
“I’m pretty sure that when I first installed gentoo on this machine 3 years ago, I made an account with the username AND password of “test”, and I guess I forgot to delete it.”
It’s not like he installed it while connected to the net and got trojanned before the install could complete.
“I find it funny how they factor in the consulting costs of Open Source servers because the IT staff aren’t properly trained, and yet, they don’t factor in the costs of the initial training the Windows admins had to go through. Not really a fair comparison in my book.”
Exactly! Take 100 companies using Linux and another 100 using Windows. Make sure you pick companies with experience with their system and that will make more sense.
IIRC, there are more reports of hacking further down the thread.
It is true that the attack on OP was his own fault. AFAIK, stupid mistakes are the most common way that people end up getting hacked.
Netcraft reports *.linuxlookup.com netblock owner is:
POGO LINUX 4030 148th avenue NE Redmond WA US 98052
What are the odds that it would be in Redmond?
Is this the same microsoft that said that they can do nothing to stop spyware from infecting their OS? Doesn’t sound very secure to me….
hacked IIS+windows>>>hacked apache+windows…….
and market share of apache>>>IIS
<Quote> “We already know how to secure a Windows-based solution and keep it running smoothly,” says Stephen Shaffer, the airline’s director of software systems. <End Quote>
Stephen to his MS Windows Administrators : Hey guys !!! make sure you install all of the patches via Internet Explorer. We are making our systems secure.
Administrator : Are you sure that’s all to it ?
Stephen : Yeah!! no sweat !! easy as pie right. Try doing that on Linux. My Microsoft pal said that he’ll be bringing me the latest patch CD during lunch. We’ll install that too.
Administrator : Whatever you say boss.
Dude… I can’t stop laughing… I think I’ll have a belly ache… this is the true Slashdotian spirit. rock on!
Personally, I think this article is garbage. The thing is, the Red Hat sponsored articles are garbage too. As with Novell.
Each OS is best suited for different tasks.
Full Blown Corporate Desktop = Windows + MS Office
Thin Client = Linux
Simple Secretary Computer = Windows or Linux depending on applications.
Supercomputers = Linux, AIX, Solaris, etc.
Web Server = Windows or Linux depending on content. (AIX, Solaris, etc could be used too).
(I know some people will disagree with my choices, but please shut up, cause if u take the time to argue about them, then u r missing the point).
Every OS is suited for different tasks. I’m glad it is like that. That means that there will always be more than one OS, which means competition. Yes, in some regards Windows has a clear advantage over Linux, Linux over Windows in some other situations, Solaris reigns supreme in other areas.
This is the way it should be. Hopefully this will prevent a monopoly from taking over the server space like what has happened to the desktop space.
These companies trying to shove the garbage down your throat that their OS is superior in every regard….well, they are talking out of their ass.
As a sidenote, hopefully you get the point of what I’m trying to say, I’m tired so it probably isn’t worded very well.
I don’t care if Linux is more secure than windows, in my opinion Windows is more usable than Linux. I have knowledge to protect my windows, so it’s ok not using Linux. And for server, I prefer FreeBSD for its simplicity and robustness.
A fundamental difference in design is that Windows is [almost] impossible to use without being Administrator all the time. Besides that, there’s ActiveX as well [if people use the integrated IE].
Viruses and spyware have the freedom to install since they’re executed with admin privileges. ActiveX can launch several Windows components which is a huge risk.
My FreeBSD desktop [or almost any Linux desktop as well] runs as $user and root tasks will prompt for a password if executed. So malicious software has no high privileges and so it can do less damage.
Linux is secure,
now if you want to open it up to the world wide web
it allows you to –
install an SSH daemon, and set a login/password easy to crack
(in his case test + test )
machines are stupid – it just follows instructions.
but i wouldn’t call a machine that did not follow instructions
clever or more secure.
Perhaps a lot of you are underestimating the number of incompetent sysadmins out there. Now, I do not believe for one instant that Linux as an operating system is less secure than Windows as an operating system. However, I would trust an installation of Windows run by an incompetent system admin to be more secure than an installation of Linux by an incompetent system admin. Simply because even most incompetent windows admins know how to patch Windows. The same can not be said for Linux.
Overall however, it accomplishes little to argue which is more insecure. The important part is they are both not as secure as they could be and that should change. Maybe Theo’s rant a while ago wasn’t just about him venting, or even if it was, he was still right as usual, and Linux developers should take a more proactive approach to security.
should’ve been “Study Says Windows Beats Linux on Security”.
Microsoft and their independent FUD studies…
😐
please…how can you have an article like this here??? it is useless.
Although personally I prefer unix, wipro does not work only for microsoft. they also work for sun, hp, ibm, redhat, ti, adi, … on almost all OSes. it is a services company
after all, 99 out of 100 dumb americans will believe…
That sentence has an identical meaning if you remove the word ‘dumb’.
“With Windows, we can depend on Microsoft to inform us of and provide any necessary updates.” – This is one of the big reasons why sysadmins of nowadays can be so clueless sometimes. Give them something besides Windows NT (a specific version, even) and they are just totally lost. Linux (or *whatever* non-windows) is not a problem here. You got to learn something to do your job after all, people.
This “study” does not prove that Windows is more secure than windows, but another interesting issue comes up. People want to listen to lies. Microsoft says “Windows is absolutely secure” and they want to believe, Linux distributors say “Well, there are few bugs, which should be fixed” and they still believe. What is the conclusion? “Windows is more secure” Based of course only on what they say, and not on what they actually do.
This study is more about psychology and marketing than about security.
Muaaaaaaaaaaaaaaaaaahahahahahahhahah
Nice entertaining article, i am still laughing
Headline really should read “Smear campaign shows Windows more secure than Linux”.
But really, who cares about these studies anyway? Linux is for smart people, everybody knows that. And intelligent people don’t fall for these kinds of disinformation, only an idiot would believe that Windows is more secure than a locked-down Linux box.
We don’t need the idiots of the world using our operating system anyway, Linux is getting along swimmingly. But what really pisses me off is that they’re dissing my OS with these smear campaigns!
Wipro is one of these so-called IT services companies here in Bangalore. What matters to them is only the money you pay them to conduct studies. Don’t take them seriously…
Hey, given a nice contract they will ‘prove’ by their ‘studies’ that Windoze is better suited to High performance computing than Linux. How about that?
Don’t trust any studies published by any of these Indian service companies. I have worked in one and published a few internal ‘papers’ which had no more value than the paper on which it was printed. These companies are a big sham.
This statement proves the “study” to be a lie, and a bad one at that.
Patching in all major Linux distributions can be automated. Additionally, a patch of a linux distro usually does not break an application running on the platform, whereas Windows often breaks things when it is patched.
So it’s mainly in the patching that this article refers to, is there a linux/*bsd alternative to wsus (obviously for patching linux/*bsd systems, not a wsus clone).
I’m a windows administrator so I was curious how it’s done. Come to think of it, I know CentOS has a windows update like feature (Suse as well), so would you set up a mirror on your local network and then configure the clients to use that server for updates?
windows beats linux in security … i am sure that is why the majority of supercomputers run linux. According to Forbes out of the top 500 supercomputers run 301 linux, whereas only one(!) runs Windows with the rest running Unix and BSD variants.
enough said …
http://www.forbes.com/home/enterprisetech/2005/03/15/cz_dl_0315linu…
I like the “so they’re basically saying that automatic is better because they don’t know manual.” comparison.
Just because your personnel aren’t trained in Linux, and just because you need “outside consultants” to tell you if your setup is secure- that doesn’t mean that the operating system isn’t secure. It means that you obviously hired the wrong personnel, or that your personnel chose the wrong operating system. If you want to use Linux, then hire people who can administer Linux. If you’re IT staff, and you want to use Linux, then learn it first.
It’s funny, because what they’re saying sounds exactly like what I used to do when I first started using Linux. I’d install it, wouldn’t understand what was happening, and after a day or two of that, I’d get frustrated and re-install Windows and say “Damnit, Linux SUCKS!!1” Does this mean that Linux “sucks?” No, it means that I didn’t know what I was doing, and thus I had a bad time with it.
I will tell you this, though. I can install Linux on my desktop, connected directly to the cable modem, and at the very worst, I’ll have more than enough time to, whenever I feel like it, connect my computer to the router instead. I won’t have any mysterious viruses installed or anything.
Try doing that with Windows XP.
You can make Windows secure. Doing so requires work and specialized tools. Updating patches or running a firewall doesn’t do it.
This is the same as any operating system.
Unlike other operating systems, though, Microsoft seems to go well out of the way to make mundane security checks difficult as hell. Hiding the locations of files and not providing tools to look at all file attributes — including NTFS hidden data — makes it a real PITA to be certain everything is OK.
(Yes, security isn’t easy on any common OS…though it is possible. The system isn’t as arbitrary or obfuscated as it is with Windows.)
windows beats linux in security … i am sure that is why the majority of supercomputers run linux. According to Forbes out of the top 500 supercomputers run 301 linux, whereas only one(!) runs Windows with the rest running Unix and BSD variants.
Supercomputers don’t have to be secure in the same way that LANs do because they typically are not exposed to the rest of the world the same way. Many aren’t even on internal networks and instead have single-focused private networks with only 1 or 2 ways in.
That said, there are a boat load of reasons why Windows isn’t represented in HPC very well. Some are cost issues (licence and excessive hardware) and others are technical (just not very customizeable). I’m sure you could think of a half dozen other reasons as well.
I have about a dozen Linux systems directly attached to the Internet sans firewalls for 13 years now. I started out with version 0.9 and a Cyclades card offering Internet service (then several years of Solaris systems while Linux matured a little).
I have yet to have a single break-in. I’ve had some web pages hacked, but that’s it. It’s all in the administration… leave a machine unpatched for six months or more and it’ll be vulnerable… duh!
If only Redhat had paid more money to do a study..
http://www.thehindubusinessline.com/bline/2005/03/08/stories/200503…
So it’s mainly in the patching that this article refers to, is there a linux/*bsd alternative to wsus (obviously for patching linux/*bsd systems, not a wsus clone).
I’m a windows administrator so I was curious how it’s done. Come to think of it, I know CentOS has a windows update like feature (Suse as well), so would you set up a mirror on your local network and then configure the clients to use that server for updates?
There are a variety of available automated update tools for Linux. CentOS — a RHEL work-alike — can use Yum, Apt, or for an interactive GUI Synaptic.
If I had a rack of Linux servers, I’d point them at a local repository (think WUS) and have them update on a regular basis. That way, I’d control what gets updated and when.
You can push out updates and force them if you want. A simple and sloppy way is to use Konsole in KDE and open a shell with multiple servers in each tab. Now, right click on one of the tabs and select “Send Input to All Sessions”. Your keystrokes will be sent to all open shell prompts allowing you to perform the same command on 2 or more servers at the same time. Very powerful…and possibly dangerous if you aren’t careful!
Unlike Windows, Linux is unix-like. Unix has in-place updates and can be updated without causing file access problems. For example, if I update Firefox while I’m using it I can. The version that I’m using will be the old one until I exit Firefox and start it again. You can even replace X, KDE, or Gnome as you are using it and get the same basic results.
In the case of system services or network services, the service tends to shut down and restart. The rest of the system runs as-is and is oblivious to any down time.
(Yes, some Windows updates are similar to this. It’s not in the design of either NTFS or Windows though to allow this transparently. It takes extra effort thus the reason why many Windows updates require a restart.)
Good thing the army doesn’t use this philosophy.
Since you recruits already know how to use a sling shot we are going to forgo M-16 training….
Since we already know how to walk we will not learn how to drive the Hum-V with the .50 cal… instead we will walk with our sling shots into battle.
The base will call you with instructions on how to proceed when they feel that you are threatened enough to alter your path or after the ranks are thinned by casualties that continuing is not possible…
Haiz. Another one. When will it ever end? All these Microsoft-commissioned surveys. They can make the survey tell you Iraq is the safest place on the planet if they want to.
* yawn *
This is getting very old. Find a new way to attract trolls and flame wars, please.
“Microsoft recently commissioned Wipro Technologies Ltd., an independent consulting firm, to study the cost of updating Microsoft and open source software in a real-world environment for desktops, servers and database servers.”
It is amazing what you can do and how well you can lie when you got lots of money
Is Microsoft the only one to do studies? Does anybody have any links to studies by non biased companies to back up or refute these crappy articles?
The domain linuxlookup.com belongs to Exologic Inc.
On the website of exologic we find “Microsoft Partner”.
http://g0thm0g.livejournal.com/123638.html
– In bold text on the first page: Sponsored by Microsoft Corporation
– META Group validated the approach and the comparison methodology utilized by Wipro to create this white paper. META Group did not validate or certify in any way the results derived by Wipro or the content/data collected by Wipro in support of this study.”
– META Group, Inc’s webserver spews the following Server string in the reply: Apache/2.0.53 (Unix) mod_jk/1.2.5
– META Group, Inc. was just acquired by Gartner, another broad-based US tech firm, whose webserver spews this string: Sun-ONE-Web-Server/6.1
Anyway, their broad point is that on a per-system basis, patching OSS is more expensive than Windows. On a network average, however, OSS is typically near 150% less expensive to patch. So what happened here? Everyone knows that OSS, given half-decent admins and time for a deployment to mature, tends to be much less expensive than a Windows system. As the survey was sponsored by MS, however, Wipro obviously had to slant the summary of the data to focus on the individual system patch cost, as opposed to the real net cost of a system-wide upgrade. Again, it doesn’t take much to scare most executives away from change, and Microsoft knows that all it takes is one misleading bullet point like this. Now you know why META Group wasn’t allowed to validate the conclusions of the white paper…
You can commission a study to say anything, and people will believe you.
http://www.theregister.co.uk/2005/06/24/ms_wipro_study/
There’s the story from The Register someone mentioned awhile back which talks about Wipro’s ties to Microsoft.
I have to wonder at this point why there aren’t more publicized *independent* studies on this. My own inclination on any issue is to not believe the emotional ravings of either side. It would be interesting to see a series of studies and polling by someone who really stood nothing to gain by siding with either OS. Of course, no one really wants to know the results unless they support their own prejudices anyway.
And speaking of “either OS,” the other thing is, when it comes to patches, this is really distro-specific, in terms of how easy they are to apply. Debian for example is much like Windows and frankly I have to say, I *like* Windows’s patching and notification system. It’s too bad Windows has all of its security problems but I’ve always liked the notifications, and the descriptions of patches, and the ease with which any user can easily apply them. I suppose people have had patches go wrong, and definitely have had some problems with Service Packs in Windows but I’ve never had a problem related to a patch.
That being said I’m a Linux user and small-time Linux admin. I just don’t think everything about Windows sucks. What’s too bad about these surveys is that they may contain some kernels of truth but you can’t ever be sure due to the money on the other end. Pity.
My own experience is I had one really nasty, needed-a-reformat experience on a Linux server I inherited from someone at work (multiple rootkits), and zero problems after that.
I’ve never had a disastrous problem in Windows but lots of piddling little issues like spyware. I haven’t had a windows virus in 6 years or so from daily use, so really this is a matter of user education more than anything else. My firewall logs on the other hand STILL show Code Red hits, and at Code Red’s peak was clearly out of hand.
Question:
How many security compromises, worms, takeovers, and so on are a result of systems going unpatched when a patch DOES exist from the vendor, and how many are a result of brand new exploits for which no patch exists and/or vendors are dragging their feet?
This seems to be the most important question. I would make a wild stab in the dark and guess the former.
I’ve not had a problem keeping Windows from the desktop point of view secure, nor Linux from the server or desktop POV secure. And I’m not some super-genius.
apt-get update && apt-get upgrade (Stable branch)
Windows Update, yes install these. Clickety click click.
Don’t see a big difference in difficulty between the two. Windows is prettier, Debian doesn’t require a reboot.
The discussion of securing the OS in terms of CONFIGURATION rather than patches and vulnerabilities is a whole other discussion of course.
The Konsole hint sounds impressive.
Sigh, what I wouldn’t do for a windows patch that doesn’t require a restart.
By Anonymous (IP: —.jetstream.xtra.co.nz) – Posted on 2005-06-28 10:31:09