Believe it or not, a Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers. The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, “Security Showdown: Windows vs. Linux.” One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint.
“a Windows Web server is more secure than a similarly set-up Linux server”
Is that to say: not configured at all, left running out of the box with all the flaws it can have?
‘hypothetical’ study. Nuf said.
This was one of the worst “studies” I’ve seen in recent history and the study itself has holes in it big enough to drive a truck through. Comparing the number of publicly released vulnerabilities is about the worst way to go about it that I can think of. The claim that one of them was a “Linux fan” adds ZERO credit to this guesstimate of a study. I’ve been running Linux and Windows servers at home for like 8 years, am I now a security expert?
Everywhere this has been posted on the Net it’s been debunked as garbage, so I have to say it’s somewhat surprising you bothered to link to it here.
Finally, as any admin will tell you, security ends up being a process, not some single measure. How secure a server is largely ends up depending on who the admin is.
The name of the journal, “Seattle Times”, already says everything. Seattle is near the Microsoft campus and almost all Microsoft employees live in this city.
Instead of: “Study finds Windows more secure than Linux”
the headline should be: “Study finds Windows more secure than Red Hat Linux, an operating system built around the linux kernel”
I know that sensationalism like that pays off, but it is inaccurate and misleading. Furthermore, I wonder how these numbers translate to real-world security risks – that is not clear from the study. Otherwise, for a distribution that costs that much, RH should get its act together and pay more attention to timely updates and security patches.
Another piece of FUD, reminding me of a certain study by a certain research company that ‘showed’ Linus could never have programmed the Linux kernel himself, and thus ‘must have’ stolen code. And the criteria are what exactly?
I bet those 2 researchers are either giggling with joy over their new ‘grants’ from Redmond. Sad..
The article says that a default web server install using Red Hat ES3 is less secure than IIS. Not a tuned Apache configuration.
But that’s still a perfectly valid observation to make … many corporate sysadmins — especially those who manage things like intranets — aren’t going to know the first thing about Apache. Especially if they’re coming from Windows.
The problem doesn’t lie with Apache, it lies with Red Hat. And all the other OS vendors who ship versions of Apache that by default turn on .cgi, PHP, mod_perl and a host of other nonessential Apache modules. That’s convenience for your amateur webmaster, but it’s not necessarily good security practice.
People fault Windows (and rightly so) for being insecure because it ships in single-user mode, with file sharing and other security holes open by default. Linux deserves the same scrutiny.
You know, when I saw this on Slashdot this morning I actually decided it would be a bit of a litmus test for OSNews. This is just the kind of junk that ought to mark the difference between the two sites. But it gets posted here with exactly the same summary? Come on! I understand that it might have become “news” by popular idiocy and therefore unavoidable, but could we at least get a reality check in the summary?
One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast.
Ok, so we have two clueless people trying to “cut through near-religious arguments” but unable to discuss the topic with any serious methodology or any data available to back their claims?
Whatever the conclusions are, this study is without interest.
Btw, what was the purpose of relaying this news?
The article says that a default web server install using Red Hat ES3 is less secure than IIS. Not a tuned Apache configuration.
Yes…actually, though, the headline should read “Common Windows Configuration has fewer Vulnerabilities published and these are Rectified in less time than a common configuration of RedHat ES3 including hundreds of supporting software packages”.
Or am I mistaken?
Richard Ford, Ph.D.
Chief Technology Officer
Cenetec Ventures’s Chief Technology Officer Dr. Richard Ford is one of the nation’s top Internet architecture experts and an internationally acknowledged computer security expert. Ford has lectured worldwide on the subject of computer security, and holds editorial positions for several virus and security related journals. He holds one patent and is widely published in the areas of both computer security and physics. Dr. Ford has served as Director of Research for the National Computer Security Association. He also spent a year at IBM Research’s prestigious T.J. Watson Research Center, working in the Massively Distributed Systems group.
Before being appointed Chief Technology Officer for Cenetec Ventures, Dr. Ford was the Director of Technology at Verio in Boca Raton. There he served as senior architect for the world’s largest web hosting platform and was also responsible for the security of more than 200,000 web sites.
Dr. Ford was educated at Oxford in his native England and holds a Bachelors Degree and a Masters in Physics from that university. He went on to complete his doctorate at Oxford in Low Temperature Semiconductor Physics. He began work immediately after as an executive editor of Virus Bulletin, the world’s foremost technical publication on computer viruses and malware.
He currently resides in Boca Raton with his wife Sarah. When not working, he enjoys playing the saxophone and is also a highly-rated chess player.
Not so long ago folk like the Gartner Group were very underwhelming about IIS and security. And now we have academics experiencing a road to Damascus enlightenment….
Am not sure quite how they assess “days of risk”. In every example that I am aware of, the Linux/open source world is quicker out of the blocks.
Perhaps MS does own up to a security risk (and start the clock) at the first point they hear of it ….. but I suspect they keep shtum until it suits them.
Heck that way fewer blackhats go prospecting AND there are fewer apparent “days of risk”.
Am unclear as to whether they picked on the 2.6 kernel in its relatively immature phases which would be opportunist if you wanted to decide a conclusion before starting a report.
The last time we saw something like this, it was a 4 year-old Red Hat distribution with absolutely nothing done to it, against Windows Server 2003 tuned and tweaked to the max. Some ‘fair’ contest. Give it a week or two, the truth about how the deck was stacked in favor of Windows will be revealed for all to see (again).
The security patches say very little about the security of a system. SQL injection, spoofing, sniffing and a lot of other stuff is still possible even if your system has all the security patches you can think of.
Let Microsoft build a server and the guys from Red Hat. After that offer $100.000 for the first one who gets root access on one of those 2 servers through an exploit. This will generate a lot of publicity and a big victory for the winner. It’s most likely a lot cheaper than doing advertisements or bribing reviewers.
So, if anyone from Microsoft or Red Hat is reading this, just make the challenge and make the other one look stupid if they don’t accept it.
And they most likely don’t know what they’re talking about; OS X is totally not secure, user-friendly yes, but not secure.
An article in the Seattle Times and VNUNet. Well, it’s obviously 100% above board isn’t it? Nothing going on there.
One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast.
So he doesn’t actually run Linux professionally at all, and the other guy is someone who thinks the sun shines out of Windows 2003’s a**e?
*cynic mode*
The Linux enthusiast with a server at home is actually someone pretending to like Linux for the purposes of this study.
*/cynic mode*
OK, so it’s crap then. I’m tempted to stop reading right there.
“I actually was wrong. The results are very surprising, and there are going to be some people who are skeptical,” said Richard Ford, a computer-science professor at the Florida Institute of Technology who favors Linux.
Oh my God! I was so shocked!(tm).
Microsoft people can never get this right, can they?
“Vulnerability counts are much higher with Red Hat than with Microsoft,” said Dr Ford. “I am a huge Linux fan, and I have a Linux server in my basement. The first time I saw the statistics I thought someone had mucked about with my database.”
Oh yer, a very reputable thing to say and I’m sure he stored all of the results of his study in a really reliable, fault-tolerant and secure database and with everything normalised correctly.
As is always the case with these studies, I hope they installed comparable software, functionally speaking, on Windows 2003 with what is in a Red Hat server. By that I mean including SQL Server, Exchange and everything else functionally speaking you’d get with a Linux distribution. If not then it’s crap, isn’t it? Oh bugger – I haven’t screwed the study, have I?
The 71 day figure is also crap, but even if it wasn’t you have to ask how dangerous a security exploit really is before saying that a customer is at risk. With Windows unfortunately, you’re always at risk.
With Windows 2003 obviously doing so well and having such a huge chunk of the server market (by revenue) I’m really shocked(tm) that Microsoft and/or Microsoft’s enthusiasts would need to continue to come up with stuff like this.
It’s not a study, it’s a set of statistics. You don’t need a degree to watch Secunia, folks. This isn’t surprising at all, it’s just another:
“RH is insecure because there are 6 billion xpdf exploits!”
Wait until RHEL4 comes … with SELinux. They’ve set up 290,000 rules to keep any rootings to minimum damage.
Another point to make is that Red Hat ES3 is an Apache 2 server, ES2 was Apache 1. And let’s face it, it’s not like exploits in Apache 2 are exactly rare … I mean, 2.0.53 just came out, and look at the changelog:
http://www.reverse.net/pub/apache/httpd/CHANGES_2.0
I can certainly see where the “71 days” came from, although really it’s just way too simplistic to lump any sort of bug or exploit, no matter how minor or difficult to exploit in reality, and call it a “day of risk.”
Now IIS vs. Apache 1, that I’d like to see!
Personally I have used Apache 2 in production for a couple of years now and would have to be dragged kicking and screaming to use IIS. But I recently had to set up a small cluster on Red Hat ES3 and the Apache/PHP packages were nonfunctional. I had to compile both to get them to work with the application.
Not to mention Red Hat uses a generic httpd.conf, with all the config dumped into one huge file. Mandrake’s ADVX build of Apache takes a much better approach, modularizing everything and putting each module’s config in a separate file so it’s a lot easier to configure only what you need and turn everything else off.
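A small audit script for the point made about vendors shipping Apache with nonessential modules (CGI, PHP, mod_perl) enabled by default, and for the per-module configuration layout mentioned for Mandrake. This is an added example, not code from the thread, from Red Hat, from Mandrake or from the Apache project; the sample httpd.conf is constructed, and the set of required modules is an assumption for a plain static-content server. It lists the LoadModule directives that are enabled but not needed and writes out a hardened copy with those lines commented out.

```python
"""Audit an Apache httpd.conf for modules the server role does not need.

Added example (not from the thread or any vendor): given the text of an
httpd.conf and the modules a plain static-content server actually needs,
report which LoadModule directives are enabled but unneeded, and produce
a hardened copy with those directives commented out.
"""
import re

# Constructed sample resembling a vendor-style httpd.conf that turns on
# scripting modules by default. Names and paths are illustrative only.
SAMPLE_CONF = """\
ServerRoot "/etc/httpd"
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule php4_module modules/libphp4.so
LoadModule perl_module modules/mod_perl.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule status_module modules/mod_status.so
DocumentRoot "/var/www/html"
"""

# Modules a minimal static web server needs: an assumption for this example.
REQUIRED_MODULES = {"dir_module", "mime_module", "log_config_module"}

# Group 1 captures an optional leading '#', so commented-out directives
# are recognised but treated as disabled.
LOADMODULE_RE = re.compile(r"^\s*(#?)\s*LoadModule\s+(\S+)\s+(\S+)")


def enabled_modules(conf_text):
    """Module names from uncommented LoadModule lines, in file order."""
    found = []
    for line in conf_text.splitlines():
        m = LOADMODULE_RE.match(line)
        if m and m.group(1) == "":
            found.append(m.group(2))
    return found


def unneeded_modules(conf_text, required=REQUIRED_MODULES):
    """Enabled modules that are not on the required list."""
    return [name for name in enabled_modules(conf_text) if name not in required]


def harden(conf_text, required=REQUIRED_MODULES):
    """Copy of the config with every unneeded LoadModule line commented out.

    Apache treats a line starting with '#' as a comment, so the explanatory
    text appended to the disabled line is never parsed as a directive.
    """
    out = []
    for line in conf_text.splitlines():
        m = LOADMODULE_RE.match(line)
        if m and m.group(1) == "" and m.group(2) not in required:
            out.append("#" + line + "  # disabled: not required for this server role")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("Enabled but unneeded:", unneeded_modules(SAMPLE_CONF))
    print(harden(SAMPLE_CONF))
```

On Apache 2.2 and later, `httpd -M` (or `apachectl -M`) prints the modules the running configuration actually loads, which is the check to run after editing; whichever file layout the vendor uses, the goal is that only the modules the server role needs are loaded.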
This is the type of study that PC-Mag readers would go ape for. It fits the journalistic style:
“Joe is a fan of X and even he agrees Y is better!”
“Joe will be setting up a website to help you out!”
“Wow Joe, that’s a cool website, I wish any idiot could do that; I sure wish there were other sites that already did this like the ones you used to get your data!”
*sigh* Maybe you should just post the days vulnerabilities everyday, that’d be more interesting and educational for us all Eugenia (this is a serious suggestion btw).
every one of these comments says “pending review.” folks need to grow up and quit whining like little babies. most of the comments are simply constructive criticism of a very flawed “study.”
at this point Windows doesn’t have a decent stack guard, rsbac, jails, etc, without adding expensive 3rd party software. so a company is looking at a several thousand dollar solution vs a potentially free one. better to look to Trusted Solaris or something.
Wow, there are a lot of comments currently pending review here. Seems Mr Bill Gates is busy clicking away at that damn review button 😉 Notice the ones left untouched are pro Windows 😉 Surely you can tell who’s doing the review pressing and ban their IP (if it’s the same person).
My 2c on this is the report is a load of baloney and most probably these 2 guys have received VERY hefty bribery, oops I mean grant funds from Microsoft. Are any of them related to Laura DiDio or Darl “man I can spread FUD” McBride?
Dave
And to me, this seems pretty far-fetched. Windows does have its strengths – security is not one of them.
As David Pastern has noted, there are a lot of comments pending review or censorship.
There are several issues with the study and if someone points out these flaws, then they are subject to being censored. Well, here is another point that may be worthy of censorship.
1) Test only measures patch release dates.
a) Local vs Remote exploit
b) Privilege escalation
2) Were these default installs?
3) Red Hat != Linux
Click “Report abuse” Mr. Gates
I would guess that the Windows machine was using IIS6 to serve web sites.
Now listen up, people. IIS6 isn’t all that bad on the security front. IIS5 and previous have had a (well-earned) reputation for having more holes than a wedge of Swiss cheese. But IIS6 stacks up pretty well vs Apache in the security stakes.
The report was on overall system security, and Microsoft still has to clean up its act in a hell of a lot of places. But IIS6 isn’t the weak point that many believe it to be.
a) Local vs Remote exploit
b) Privilege escalation
in fairness to Windows, linux local roots are still damning. an intruder can sniff a lowly user password via trojan or sniffing, then root a linux box. in fairness to linux, there are tools e.g. kernel patches which can neutralize most local roots.
Install a plain basic Win2K SP4 with no new patches applied (basic and not tweaked or configured). Plug it to the internet with a public IP address, browse web sites (yahoo, google, msn or your ISP) for 5 minutes. Guess what? The machine is infected with a backdoor. Terrible, isn’t it?
By the way, if you’re wondering who reported most of the comments on this thread as abuse, it was:
198.160.96.7 (maxim.acxiom.com)
You’ve got one itchy trigger finger, dude.
People fault Windows (and rightly so) for being insecure because it ships in single-user mode, with file sharing and other security holes open by default. Linux deserves the same scrutiny.
I completely agree with your post. I’m a Linux enthusiast, often called a zealot by the most excitable of the anti-Linux crowd, but I have to agree that a more secure default install is always a good idea when it comes to online security.
I agree the title is misleading, because it focuses on a) a single aspect of cybersecurity and b) a particular distro which, even if it is the better-known brand, is far from being the only one.
No doubt anti-Linux posters will have a field day with this, however the important thing is that Red Hat and other distro makers take the hint and improve the security of a basic Apache installation.
And just ignore the trolls.
of course not!
Linux is better than MS! period! It has to! so says the myth…
if the OPEN source community stays as CLOSed minded as they are now i think they’d never be in a position to challenge MS in the long run!
their failure to acknowledge their main competitors’ (MS or Sun) partial superiority is their biggest weakness and is getting worse by day.
our hopes for a well engineered OS are slowly going down the drain.
too bad…
An operating system is only as secure as the idiot in front of the monitor. This is as true for a Redmond user as it is for a Linux user.
The article looked fine to me. Hey, they did do the research. The researchers also look pretty credible don’t they.
Titles in newspapers and the like are often like that (weird and even inappropriate sometimes). If the article from which this piece was derived from was originally formatted for print, then the space it was left with probably influenced how it was worded. Leave it to the editors to muck things up sometimes (I know cause I have to deal with one daily).
From TFA:
They compared Windows Server 2003 and Red Hat Enterprise Server 3 running databases, scripting engines and Web servers (Microsoft’s on one, the open source Apache on the other).
That sounds good. A real comparison of real services running on real servers.
But wait!
The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.
Ford said the idea was to represent what an average system administrator may do, as opposed to a “wizard” who could take extra steps to provide plenty of security on a Linux setup, for instance.
They aren’t real setups.
And it gets worse.
Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when a vulnerability is first reported to when a patch is issued.
Hmmmm, I wonder if they included the info from http://www.eeye.com/html/research/advisories/AD20050208.html. 190 days is a long time.
On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.
That’s amazing. Particularly with that single 190 day vulnerability I referenced. And those kinds of “studies” have been completely discredited.
So, a “study” that doesn’t test any real world criteria is somehow valid?
Oh, it’s not that the study is not valid, it’s that pointing out the flaws in the study shows the groupthink on /.
Thinking of Red Hat, security is hardly what pops into my mind. I thought that was why Debian and SE Linux existed.
2k3 is a really good product which too few have bothered to look at closer. Every time there is a flaw affecting Windows systems, it’s always 2k3 shining with its non-existence in getting mentioned in the security note.
Besides, Linux is hardly focused at security in general, that’s when you use Solaris or OpenBSD.
Incredible, the first two pages are full of comments reported for abuse, which leads me to think either the article is flamebait (most probably), or some pro-MS FUD people reported all the posts.
Back to the topic:
“One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast.”
This really makes me doubt the study, but anyway, “hypothetically” talking, this study can as well be “sponsored” by MS.
come on, the real security dudes out there understand the only secure system is the one you know how to secure!
well. windows > linux > mac blablabla.
Why is it so hard to believe? Windows is always the target for hackers so the probability to crack its security is greater. Of course it would seem Windows is less secure when all the code out there is designed to attack Windows and not Linux, because it is written to run on Windows. These are all anti-MS people. Here is an example, until recently there were no vulnerabilities aimed at GIANT spyware remover. When GIANT got purchased by MS, we IMMEDIATELY saw a worm attacking it. The code base is the same isn’t it? How come when it was owned by GIANT there were no threats and as soon as it got purchased by MS, it got attacked.
I am not pro-MS. I am using Linux as a secondary system and I love it. I have nothing against either OS, I don’t hate MS and I don’t hate Linux.
saying UNIX is the perfect OS is like saying the Lamborghini Miura is the ultimate car!!
they’re both revolutionary and influential but far from perfect!
how the hell can an OS designed some 30 years ago be the ultimate answer.
i think it’s time for all the computer engineers to actually engineer something and stop relying on some 30 year old technology.
for some reason i believe if everybody starts using INIX instead of Windows then UNIX would become the least secure OS!!
INIX=UNIX;)
“Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.”
In its most basic configuration, Linux is free and comes with many more features than Windows. Now how many CDs is Debian?
🙂
Hypothetical configurations that would never be used in real life are uninteresting.
According to Finjan, hackers could also bypass XP SP2’s notification mechanism on the download and execution of .exe files, and therefore download files without any warning or notification.
More reason to use a limited account as often as possible. What harm can be done when something is being downloaded under limited user credentials? And even if a trojan got installed with admin credentials, what harm can it do other than sending “I’m ready” packages to some rogue network? Especially when it still can’t alter hardware firewall rules that can only be managed on the serial console. Lol, the only thing such a malicious piece of software could do is count the amount of porn pics and send back the result, I’m not impressed.
What harm can be done when something is being downloaded under limited user credentials?
Heaps. It can install into the user’s area, set to start on login, scan through the address book, send mail, make outgoing network connects, start listening on a network port, etc.
There’s very little that malware usually wants to do, that it can’t from a regular user account.
I’m not impressed by the research. I read nowhere the severity of the vulnerabilities. And if they did take into account the severity of potential vulnerabilities I’d like to know how they judged the severity of a vulnerability. If they just looked at what the bug discoverer rank the severity as then this won’t work. They need to clearly state what they consider severe and what they consider low-risk.
The severity must also be related to patch times. Whether a severe bug has a fix after 30 days or a low-risk one has a fix after 30 days makes a huge difference.
Furthermore, did they look at *all* vulnerabilities in the operating system, or only those packages needed to run a webserver? Cause I get the feeling they just looked at *all* Red Hat packages. Well, as you know, the Red Hat Linux distribution contains almost all software one could want, whether it be a server or a workstation. So if you set up a server then no way are you going to install, for example, OpenOffice. While Microsoft and their Windows Server 2003 has very limited software, Red Hat comes with all the software you could ever need in a box. So obviously there are many more fixes coming out on Red Hat.
If this 71-day count for Red Hat is true, shame on Red Hat! But I wonder if this 71 days is about security fixes or normal fixes.
BBuGG: Unix may be 30 years old. But it has changed so significantly in the form of modern Linux and BSD. Unix concepts still apply to Linux or BSD but these systems are still modern. You can do all things you would expect from a modern operating system using Linux or BSD. Why wouldn’t Unix be right?
Yes Unix security is not enough for this day, but there are many projects working to increase the underlying security of modern Unix operating system. Look for example at Role-Based Access Control to maybe replace the traditional Unix access control system.
And now take a look at Mac OS X. Its desktop is gorgeous and it has the best “plug and play” capabilities ever seen. Mac OS X and Linux are NOT built on 30-year old code, they contain much innovation. The only thing that remains is the Unix concepts of 30 or 40 years ago. But these concepts don’t hold us back.
Fine. You can start from scratch and build an operating system built on a new foundation, but why? I don’t see a reason for that, so far Unix principles have worked out fine and we can build on it and continue to innovate on it.
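To make concrete what the article’s “days of risk” metric measures (the period from first public report to patch) and why the comment above wants severity tied to patch time, here is an added example, not from the study, the article or anyone in this thread, that computes plain and severity-weighted days of risk over a set of constructed vulnerability records, plus the set of flaws that were public and unpatched on a given day. The record fields, identifiers, dates, cut-off date and severity weights are all assumptions made for this example.

```python
"""Days-of-risk computation with severity weighting.

Added example, not from the study or the article. Each record carries the
date a vulnerability was publicly reported, the date a patch shipped (None
if still open) and a severity label. Plain days of risk averages the gap;
the weighted variant counts a 30-day gap on a critical flaw more heavily
than the same gap on a low-risk one.
"""
from datetime import date

# Severity weights are an assumption for this example, not the study's.
SEVERITY_WEIGHT = {"low": 1, "moderate": 2, "high": 4, "critical": 8}

# Cut-off date for flaws that are still unpatched (assumed).
AS_OF = date(2004, 12, 31)
# A day on which to ask "what was exposed?" (assumed).
CHECK_DAY = date(2004, 10, 1)

# Constructed sample records: identifiers and dates are invented.
SAMPLE = [
    {"id": "VULN-A", "reported": date(2004, 3, 1), "patched": date(2004, 3, 31), "severity": "critical"},
    {"id": "VULN-B", "reported": date(2004, 5, 10), "patched": date(2004, 5, 12), "severity": "low"},
    {"id": "VULN-C", "reported": date(2004, 6, 1), "patched": date(2004, 12, 1), "severity": "high"},
    {"id": "VULN-D", "reported": date(2004, 9, 15), "patched": None, "severity": "moderate"},
]


def days_of_risk(record, as_of=AS_OF):
    """Days from public report to patch; an unpatched flaw is counted up to `as_of`."""
    end = record["patched"] or as_of
    return (end - record["reported"]).days


def mean_days_of_risk(records, as_of=AS_OF):
    """Unweighted average, the figure the article reports per system."""
    return sum(days_of_risk(r, as_of) for r in records) / len(records)


def weighted_days_of_risk(records, as_of=AS_OF, weights=SEVERITY_WEIGHT):
    """Average in which each flaw's gap is scaled by its severity weight."""
    total_weight = sum(weights[r["severity"]] for r in records)
    weighted_sum = sum(weights[r["severity"]] * days_of_risk(r, as_of) for r in records)
    return weighted_sum / total_weight


def exposure_on(records, day=CHECK_DAY):
    """Identifiers of flaws that were public and still unpatched on `day`."""
    return [
        r["id"]
        for r in records
        if r["reported"] <= day and (r["patched"] is None or day < r["patched"])
    ]


if __name__ == "__main__":
    for r in SAMPLE:
        print(r["id"], r["severity"], days_of_risk(r), "days")
    print("mean days of risk:", mean_days_of_risk(SAMPLE))
    print("severity-weighted days of risk:", round(weighted_days_of_risk(SAMPLE), 1))
    print("exposed on", CHECK_DAY, ":", exposure_on(SAMPLE))
```

Two things the plain average hides show up immediately: a single long-open flaw dominates the mean regardless of how many quick fixes surround it, and an unpatched flaw only enters the figure at all if the cut-off date is chosen and stated. Any comparison between two systems needs the same record set definition (which packages, which severities, which cut-off) on both sides before the numbers mean anything.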
1) Ads
2) Post troll article
3) ???
4) Profit!
I knew this would get posted here by Loli-Queru and I already debunked this one on Slashdot although there’s not much available to debunk. Both of these articles do not show the grounds they’re based on and do not include details. They were plain marketing talk at the RSA conference. Therefore, the discussion here is rather based on the conclusion, with various people from whom we already know what their standpoint is. Luckily, I’m able to say: some actually reply to the scarce details available.
A few points:
* They minimize ‘Linux’ by saying ‘Linux is RedHat’. While ‘RedHat is Linux’, it’s merely an OS which includes Linux. What about Novell, for example?
* How are vulnerabilities counted? Microsoft often releases an advisory with their patch which fixes various vulnerabilities. They often refuse to admit a flaw exists.
* Does it include vulnerabilities in, say, MySQL, whereas MySQL is only accessible by an internal IP by default?
* Who runs a default setup? What about the competent admin aspect?
* It’s purely theoretical.
They wanted to cut through the near-religious arguments about which system is better from a security standpoint.
And they think their study somehow develops a pragmatic study? Well, from what I’ve read now it doesn’t. 1) Wrong or off comparisons. 2) The study isn’t available yet! Why release a controversial conclusion without the study?
Nevertheless I’m looking forward to the study and I hope it’s posted here as well. Then we’ll argue again.
It’s too early for an April Fool’s joke. Someone screwed up their calendar. There wasn’t even any factual evidence in there. It was all hypotheses.
I believe most of you guys don’t really like MS.
I can perfectly understand that.
However, the experiment has been carried out IMHO fairly.
Indeed, you gotta have a good knowledge in security to be a good admin and effectively (and safely) operate any server.
But the experiment is to compare the OSes. Not the admin.
Therefore, comparing with default parameters does make sense to me.
Just to test if you stupidly set up a server, how well and how long it can survive.
Another fair experiment is to push those systems to its limit.
And see if they still have flaws or holes to be exploited.
But then, in this case, the admins have to know their system and it depends also on how good they are.
In that case, it wouldn’t be a fair competition.
Of course, you might argue that it would be then Red Hat’s fault because it gets you stupid default security values.
Well then, let’s face it, Red Hat is one of the most popular distros around.
I still have doubts about which would be more secure in the long run.
But heck, they are talking about out-of-the-box safety.
For one, XP is not 2003, which is what the article was about. For those with their head up their butts and don’t know what google is, read:
http://www.cenetec.com/NV_about_MT4.htm
I consider most Linux users to be “backyard car mechanics” in that they don’t know wtf is really going on. Just think of how many intrusions there would be on redhat if it held the majority of the business market like IIS does.
How many Linux distributions do you know of where you have to use anti virus software like Symantec, McAfee? For God’s sake, Microsoft is dabbling in this arena themselves because viruses are a pain on Windows. Most users use their PCs primarily for internet related stuff like email/browsing, so it’s a no brainer to believe Microsoft’s security is without peer. In other words a joke.
And yet again we are not TALKING about browsing the internet Mike, we are talking about web servers & what has a better default configuration. Did you even read the article, don’t think so.
Think before you speak dude!
…I’ve been saying this for years. It’s just plain obvious that Windows is more secure than Linux. Just google around for exploits and vulnerabilities on Linux and there are some whoppers out there and many haven’t been fully patched. I think the problem is that the open-source community a) doesn’t really care because they don’t want to take responsibility for it and b) moves far too slowly on upgrades and patches.
The commercial software vendors have a monetary interest in making their software secure. Open-source software is just a hobby-hack, hence they don’t care about security.
I agree with you somewhat. I think linux users are aware of security and probably do care about it, it’s just that who wants to find an exploit or write a virus for an OS that has something like less than 40% of the market.
And yea, Microsoft coming out with patches goes to show ya that they have people working on things to correct problems or whatever.
“The commercial software vendors have a monetary interest in making their software secure.”
That’s really strange because MS has done such an inadequate job with it that they’ve admitted the security needs work. I think what you want to say is the commercial vendors’ products SHOULD be more secure. But considering how new strains of worms can knock down thousands of servers at a time (worms sometimes written by teenagers, mind you), you can’t really make that claim. Unless of course you’re some sort of closed source zealot.
“Open-source software is just a hobby-hack, hence they don’t care about security.”
Yeah, go ahead and tell the NSA that their efforts on SELinux are wasted, that they are just hobbyists.
A server (doesn’t matter what server) is only as secure as the guy who’s administering it …
No reason to be P$$ed at me dude, I was just stating the facts. Must be hard for you to swallow those, lol.
It just plain obvious that Windows is more secure than Linux. Just google around for exploits and vulnerabilities
Just google around for Code Red, Nimda or MyDoom. Or, better yet, just google “costs of malware attacks in 2004.”
The article did NOT prove that Windows is more secure than Linux. What it did show is that the IIS 6 default install on Win2K3 is more secure than the default Apache install on RedHat. Nothing less, nothing more.
Open-source software is just a hobby-hack, hence they don’t care about security.
Yes, because everyone knows IBM, Novell and Sun are just hobby shops.
2k3 is a really good product which too few have bothered to look at closer. Every time there is a flaw affecting Windows systems, it’s always 2k3 shining with its non-existence in getting mentioned in the security note.
well Server 2003 has stack protection. it is possible to circumvent it (see Google for examples), but most released exploit code is made for NT 4.0, XP, and 2000. I’ve been using a 3rd party app (Stackdefender) with 2003.
I’m fairly impressed with some of the stuff in 2003 and XP SP2. hopefully Longhorn will have decent security.
You may have heard about Linux – a hobbyist operating system based on the open source principle, which has been making waves in the hacker underground and in the periphery of large corporations for around five years now. Linux is a competent operating system which can even be said to compete with professionally designed OS’s such as Microsoft Windows XP. Nothing remarkable there, after all the market place for other goods has many examples of competing products which are all but identical to the casual observer.
What many people do not realise is that to some of its advocates, Linux is more than a simple tool to get a job done. To these extremists, Linux represents a philosophical almost religious belief system – a way of life based around “open source” and “free software”.
You may have encountered one of these Linux evangelists at work. They make themselves known by constantly berating Microsoft products, and blindly praising Linux. Ask a Linux apologist why Linux is better than the alternatives and the explanation you are most likely to hear is “Linux Rocks – Micro$oft Sucks”
The Linux Zealot typically displays an irrational hatred of Microsoft, a complete conviction that his choice of operating system is the only valid one, and a scathing patronising contempt of anyone “stupid” enough to use “windoze”*.
What causes this mindless OS bigotry, you may be wondering? Well, the father of modern psychoanalysis, Professor Sigmund Freud, proposed an idea which he called the “narcissism of minor differences”. Put simply, it means that people hate other people who are very similar to them. This similarity threatens their sense of individuality, their sense of self, causing them to react in a hostile manner, which seems to become more hostile the closer the similarity. Windows and Linux have very much in common and yet their supporters fight tooth-and-nail over which one is “best”.
No doubt a qualified psychologist or doctor could come up with all kinds of elaborate theories as to why the Linux Zealot behaves the way he does. One theory I have is that the Linux Zealots have small penises and belittling others for their choice of operating system is their way of ‘getting back’ at society and the world for their unfortunate genetic inheritance.
Another possibility is that due to the aforementioned hygiene problems the typical Linux Zealot cannot get laid, and sublimates his frustrated sexual energy into blaming Microsoft for all the evils of the world.
But I expect you have heard enough of my amateur psychology; I am interested in what you, the readers, think. Why do these Linux advocates get so riled up about something so utterly insignificant as choice of OS? Surely they cannot all be mentally ill? (however intuitively obvious that answer might be)
*Windoze, Micro$oft, Microshaft, Winblows, etc. are all terms used by Linux Zealots. If you receive an e-mail containing any of these terms, you can be sure you have a Zealot on your hands.
I consider most Linux users to be “backyard car mechanics” in that they don’t know wtf is really going on.
Pray tell, what are your credentials in the world of comp security? Have you ever coded an exploit? Been published? Written a decent security tool using something other than Visual Basic? Since you are making appeals to authority, I will question your credentials.
Neither of the “study” authors has any street cred in the security community. And I could care less that one is a college professor. FIT is hardly a tier 1 (or even 2) engineering school.
Not to mention one of his prior studies has been called into question due to direct funding by MS. Just amateurs playing armchair security guru.
>“What it did show is that the IIS 6 default install on Win2K3 is more secure than the default Apache install on RedHat. Nothing less, nothing more.”
There was much more. In case you missed it, I’ll quote the article for you:
The pair examined the number of vulnerabilities reported in both systems and the actual and average time it took to issue patches. In all three cases Windows Server 2003 came out ahead.
Of course, this is just statistics. For example, Red Hat released RHEL 4.0 on February 15, and posted 27 security patches for it on February 15.
It is what, 0 days it took to issue 27 low to moderate security patches? Surely if these 27 security patches were counted, Red Hat would beat Windows 2003 easily in average time to release patch.
Oh, and by the way: a kernel security patch on February 18. Boy, Red Hat is fast!
>Or, better yet, just google “costs of malware attacks in 2004.”
I took your challenge and googled, but did you?
Here: Your search – “costs of malware attacks in 2004” – did not match any documents.
How about search by these words, not exact phrase? The first URL found dated November 2004 would tell us this:
According to the study, computers running Linux accounted for about 65 percent of all recorded breaches, while Microsoft Windows-based systems accounted for about 25 percent of such attacks.
No wonder IT professionals from US Fortune 1000 companies prefer Windows/IIS to any other OS/Apache, 2 to 1.
This was one of the worst “studies” I’ve seen in recent history and the study itself has holes in it big enough to drive a truck through. Comparing the number of publicly released vulnerabilities is about the worst way to go about it that I can think of. The claim that one of the users was a “Linux fan” adds ZERO credit to this guesstimate of a study. I’ve been running Linux and Windows servers at home for like 8 years; am I now a security expert?
Actually, the claim that one of the users was a Linux “fan” has *MICROSOFT ASTROTURFER* written all over it.
Who the hell are these idiots trying to kid?
I took your challenge and googled, but did you?
Yes I did – though I didn’t put the quotes in my search. The quotes were to isolate the search terms from the rest of my message, not to put in the google search box. I realize I should have made it clearer as some people take a bit longer to catch on.
The first URL found dated November 2004 would tell us this
Nice, but irrelevant. The notice about Linux breaches isn’t about malware, but about intrusions. You see, with Linux you don’t use such crude tools as viruses, trojans or worms. You actually have to work to compromise a system – which is why most attacks on Linux systems are not automated malware infections, but rather live hacking attempts. With Windows, you don’t actually need hacking skills: malware will do the job for you.
Meanwhile, if you go further down in the article, you find this gem:
“According to the company, 459 successful malware attacks occurred during the past year, most of which targeted Windows-based systems. Malware rarely targeted BSD-based and Linux systems. These electronic attacks are taking an economic toll. The firm says that electronic attacks such as Distributed Denial of Service (DDoS) attacks caused as much as $123 billion in damages during the past year. Malware attacks were responsible for $202 billion in damages during the same time period.”
So. $202 billion dollars in malware costs, almost entirely involving Windows machines. You must have a pretty big rug to so casually sweep that figure under it…
No wonder IT professionals from US Fortune 1000 companies prefer Windows/IIS to any other OS/Apache, 2 to 1.
You mean, using the biased numbers of a pro-Microsoft company? Sure. Keep drinking the kool-aid (or, in this case, read Paul Thurrott’s articles).
Meanwhile, Apache still has a 3-to-1 lead over IIS.
Lastly, allow me to reuse the “popularity” argument (which anti-Linux posters use to justify the fact that there is 2,500 times more malware for Windows than for Linux): I’ll say that the reason why Win2K3/IIS 6 has been the target of so few attacks is that its market share is simply too small to attract hackers and virus makers. Once Win2K3 gains a larger market share, then you’ll start seeing more exploits.
“No doubt a qualified psychologist or doctor could come up with all kinds of elaborate theories as to why the Linux Zealot behaves the way he does. One theory I have is that the Linux Zealots have small penises and belittling others for their choice of operating system is their way of ‘getting back’ at society and the world for their unfortunate genetic inheritance. Another possibility is that due to the aforementioned hygiene problems the typical Linux Zealot cannot get laid, and sublimates his frustrated sexual energy into blaming Microsoft for all the evils of the world.”
I’m by no means a Linux zealot, and in fact many of my friends consider me a Microsoft fanboy. But I can’t believe Ictavian’s post wasn’t moderated down. This is clear flamebait.
set to start on login,
Nah, set the key to read-only.
heaps
That’s a good one, all that fuss solely about guarding the stack, while the heap is mostly a free target.
TIP:
You can do pretty much anything while being a limited user in your own home folder, that is, if the developer hasn’t messed up one thing or another. Furthermore you can encrypt that newly created folder, let’s say C:\Documents and Settings\Opera, and all files within and still have a fully functional browser.
Have at least one limited user account ready. Set the following registry keys to read-only (deny write) for this particular limited user. (Needless to say, you ought to make a backup of your registry state first.)
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows NT\CurrentVersion\Windows
C:\Documents and Settings\<user>\Start Menu\Programs\Startup
C:\Documents and Settings\<All Users>\Start Menu\Programs\Startup
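The tip above, as an added PowerShell example that is not the poster’s own (the post gives only the key list): it puts a deny-write ACE on those per-user auto-start keys for the account it runs as. It assumes Windows PowerShell, that you are logged on as the limited user so that HKCU is that user’s hive, and that you have already exported the keys with reg.exe as a backup; the two Startup folders in the tip need the equivalent NTFS ACE, which this script does not cover.

```powershell
# Added example, not part of the original tip: deny SetValue/CreateSubKey/Delete on the
# per-user auto-start keys for the limited account running this script.
# Assumptions: Windows PowerShell, run as the limited user (HKCU = that user's hive),
# keys already backed up with "reg export". Administrators, and the account itself as
# owner, can still undo the ACE; the point is to stop code running as this user from
# silently adding autostart entries or redirecting the Startup folder.

$keys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    'Software\Microsoft\Windows NT\CurrentVersion\Windows'
)

# The account being hardened: the current (limited) user, as a SID and as a display name.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$whoSid   = $identity.User
$whoName  = $identity.Name

# Rights that let something persist in these keys; everything else (reads) stays allowed.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$inherit     = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate   = [System.Security.AccessControl.PropagationFlags]::None

$deny = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
                   -ArgumentList @($whoSid, $writeRights, $inherit, $propagate, 'Deny')

foreach ($k in $keys) {
    # Open with ReadKey + ChangePermissions (WRITE_DAC). In a default profile the user
    # holds Full Control over its own hive, so a limited user may edit these DACLs.
    $openRights = [System.Security.AccessControl.RegistryRights]'ReadKey, ChangePermissions'
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(
        $k, [Microsoft.Win32.RegistryKeyPermissionCheck]::Default, $openRights)

    if ($null -eq $key) {
        Write-Warning "HKCU\$k does not exist, skipping"
        continue
    }

    $acl = $key.GetAccessControl()
    $acl.AddAccessRule($deny)      # an explicit Deny is evaluated before the inherited Allow
    $key.SetAccessControl($acl)
    $key.Close()
    Write-Host "Denied write on HKCU\$k for $whoName"
}
```

To verify, `reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v test /d calc.exe` run as that user should now fail with "Access is denied", while `reg query` on the same key still works.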
The study is over-generalized. This clearly sounds like a study completed by professors, or in other words, an important paper including nothing important. Back in college were my professors the smart, edge-of-technology type? Um.. no. Most Computer Science professors aren’t sharp.
The study lacks:
(1) Any direct examples. An overall count of holes doesn’t provide any substance. Can they specify an exact flaw?
(2) Only running a Linux box at home as a hobby doesn’t qualify the Linux side as fair. Get a Linux professional vs a Windows professional.
(3) Linux isn’t always Redhat.
Oh well… I’m on FreeBSD so I don’t even know why I care! 😉
The notice about Linux breaches isn’t about malware, but about intrusions.
The article discussed, or you forget, is about servers, i.e., intrusions. Your irrelevant suggestion to take a look at desktop malware gave the spectacular result of proving the point of how not inherently secure a Linux based server is.
Thank you, and I enjoyed the irony of that. It was your suggested google search, after all.
So. $202 billion dollars in malware costs, almost entirely involving Windows machines
Windows desktop machines, mind you. What has it to do with Windows 2003 server vs. Red Hat server? Nothing, of course!
Just a pathetic attempt of a zealot to change the subject.
You must have a pretty big rug to so casually sweep that figure under it…
Desktops are not servers, remember? But, you know, pathetic LAMP record as a server platform makes me wonder how bad Linux would be as a common business and home desktop. If a Linux server can run rootkited for a year unnoticed, imagine Linux desktops managed by office employees.
Thanks, but no thanks.
No wonder IT professionals from US Fortune 1000 companies prefer Windows/IIS to any other OS/Apache, 2 to 1.
You mean, using the biased numbers of a pro-Microsoft company?
I mean, using the Fortune 1000 companies list prepared by the financial industry which has no pro- or anti-Microsoft bias.
I mean, you can check these numbers yourself. You know that, but you don’t want to, because like any avid zealot you don’t accept facts when they conflict with your beliefs.
Please also take notice: I never dismissed your numbers as a lie or falsification. That’s the difference between a zealot and a non-zealot.
Once Win2K3 gains a larger market share, then you’ll start seeing more exploits.
It is quite possible. Also, does it mean that now you do accept popularity argument, or like any zealot you only use something that benefits your way of reasoning?
I mean, you must agree that with Linux taking over the desktop there will be much, much more malware for it. As a result, there will be hundreds of billions of dollars lost in damages from malware targeting Linux.
Do you agree?
1) Try a different Linux distribution.
2) Linux supports 256-bit AES encryption. Windows supports 128-bit AES encryption.
3) Linux is meant to be a desktop OS, but is also very good as a server. Try OpenBSD.
4) Turn on a damn firewall.
So, the first post titled “Sigmund Freud, Linux and The Narcissism of Minor Difference” is (rightly) modded down, then “Octavian Belafonte” reposts the exact same message from a different IP, and it is suddenly deemed acceptable? (Even though it is still an inflammatory piece of garbage?)
So basically the message you’re sending to trolls is “just repost your inflammatory messages from a different IP address and you’ll be all right.”
The article discussed, or you forget, is about servers- i.e., intrusions.
Uh, no. Servers are also victims of malware, i.e. worms. They can also be compromised by other types of malware from the inside of a network, since that side is often less defended than the outside.
The rest of your post is pretty much invalidated by this fundamental mistake on your part.
Windows desktop machines, mind you.
Nope. Windows machines. Desktop and servers. Code Red, Nimda, MyDoom…these worms mostly affected servers, and they were among the costliest. Get your facts straight.
Desktops are not servers, remember?
Irrelevant. In the case of Windows, both desktop and servers are affected by malware.
I mean, using Fortune 1000 companies list prepared by the financial industry which has no pro- or anti- Microsoft bias.
I’ve only seen Port80’s study mentioned for this. If you can give me another study than Port80’s, then I’ll reconsider. FYI: Port80 is definitely a pro-Microsoft company, since they develop Windows software exclusively.
Meanwhile, Netcraft’s numbers stand: for total market share (not just a geographical and economical subsample), Apache is still the leader 3-to-1.
It is quite possible. Also, does it mean that now you do accept popularity argument, or like any zealot you only use something that benefits your way of reasoning?
Is that what zealots do? I mean, you should know, being one of the biggest Microsoft zealots here…
As a result, there will be hundreds of billions of dollars lost in damages from malware targeting Linux.
I don’t necessarily agree with the popularity argument, but that’s beside the point. All I’m saying is that, if you agree that the reason why Linux has so few viruses is because of its scarcity, then you must hold Win2K3 to the same standard.
I myself have not made up my mind on the popularity argument. I do believe that the fact that you can’t have an executable simply by putting the right extension at the end of a file, or that the default browser and e-mail client are not tied up to the actual OS, do make Linux more secure.
Also, consider that the billions in malware damages are not caused by desktops only, but by servers. More desktops may be targeted, but servers are much more expensive to clean up – especially if they’re mission-critical servers or large databases. That’s where the high costs lie, and that’s already where Linux has its biggest market share (around 25%, I believe).
So, regardless of whether I believe in the popularity argument or not, I don’t think that Linux will be that much more vulnerable if it becomes a bigger player. Of course, I’m all for finding out – and if you want to find out too, you should promote Linux instead of attacking it every chance you get. Only when Linux has a similar market share as Windows will we know if it will be the same security nightmare that Windows is.
(After all, the original’s repost wasn’t modded down, so a little adaptation shouldn’t either…)
You may have heard about Windows – a commercial operating system originally based on DOS, which has been making waves in legal circles over monopoly issues and is used by Microsoft to dominate the computer industry. Windows is a competent operating system which can even be said to compete with more stable OSes such as the BSDs, Solaris and Linux. Nothing remarkable there; after all, the marketplace for other goods has many examples of competing products which are all but identical to the casual observer.
What many people do not realise is that to some of its advocates, Windows is more than a simple tool to get a job done. To these extremists, Windows represents a philosophical, almost religious belief system – a way of life based around “proprietary software” and “closed source and file formats”.
You may have encountered one of these Windows evangelists at work. They make themselves known by constantly berating any alternatives, and blindly praising Microsoft. Ask a Microsoft apologist why Windows is better than the alternatives and the explanation you are most likely to hear is “Linsux” and “BSD is dying.”
The Microsoft Zealot typically displays an irrational hatred of Linux and other alternatives, a complete conviction that his choice of operating system is the only valid one, and a scathing patronising contempt of any “communist” using “Linsux”*.
What causes this mindless OS bigotry, you may be wondering? Well, the father of modern psychoanalysis, Professor Sigmund Freud, proposed an idea which he called the “narcissism of minor differences”. Put simply, it means that people hate other people who are very similar to them. This similarity threatens their sense of individuality, their sense of self, causing them to react in a hostile manner, which seems to become more hostile the closer the similarity. Windows and Linux have very much in common and yet their supporters fight tooth-and-nail over which one is “best”.
No doubt a qualified psychologist or doctor could come up with all kinds of elaborate theories as to why the Windows Zealot behaves the way he does. One theory I have is that the Windows Zealots have small penises, which explains why they will side with the comforting father-figure of a monopoly, and belittling others for their choice of operating system is their way of ‘getting back’ at society and the world for their unfortunate genetic inheritance.
Another possibility is that due to the aforementioned hygiene problems the typical Windows Zealot cannot get laid, and sublimates his frustrated sexual energy into blaming alternative OSes and monopoly lawsuits for all the evils of the world.
But I expect you have heard enough of my amateur psychology; I am interested in what you, the readers, think. Why do these Windows advocates get so riled up about something so utterly insignificant as choice of OS? Surely they cannot all be mentally ill? (however intuitively obvious that answer might be)
*“Linsux”, “communists”, “viral license”, etc. are all terms used by Windows Zealots. If you receive an e-mail containing any of these terms, you can be sure you have a Zealot on your hands.
LOL! That was great. Describes a lot of them perfectly... Of course, the same can be said for some users of Windows and Mac.
*obligatory disclaimer*
I use Linux as well as a dozen other OSes, so I’m in no way a Linux hater. Please don’t flame me.
I think that security depends on your configuration, not only on the operating system. It is an old battle that follows Windows and Linux.
This is a rather heated discussion, but nonetheless:
For all of you complaining about the validity of the article – check out the bio on the “Linux Enthusiast” (Dr. Ford) on the first page, something like the 7th comment.
Off that – I use Windows. My server computer runs IIS, and I like it the way it is. I’ll be damned if I’m going to get hacked, because I can download all the updates in something like 30 seconds. The web server that my hosting company uses runs Redhat 9 and Apache 2. And I like the way it’s set up – simply because writing something like the CP I use would be a lot harder for IIS, and hence I don’t think a Windows CP exists. If I’m wrong, tell me.
Also, I’ll be damned if I ever switch to Linux for development. A friend of mine who uses Linux was like “BS, there are awesome development tools for Linux”. Turns out all the IDEs sucked ass (and didn’t work too well) and I’ll be damned if I’m going to edit everything through a text editor or vi.
If you can find a decent linux IDE that can beat visual c++ .net 2003 (or even 2005 express edition *beta*), I’ll give it a shot. Email me at kawahee AT gmail DOT com and I’ll get back to you on how I find it.
There are plenty of things that from an elevated viewpoint don’t seem worth arguing about…
Mac vs Windows, Linux vs Windows, Chevy vs Ford, IE vs Firefox, Pepsi vs Coke, Stella Artois vs Heineken, White Bread vs. Brown Bread etc etc.
They’re all so similar that they’re interchangeable in almost all situations, so the devil is in the details.
It may not seem worth arguing about whether applications contain all their resources in a neat little bundle or scatter their files around and then use a tool to clean them up to most people, but for me it’s a reason to choose one OS over another, even though my choice might limit me in other ways.
When the differences between OSes are so small, of course people are going to argue about small things. It’s not a case of feeling threatened because your product of choice is almost interchangeable, but of people arguing about the areas where OSes aren’t interchangeable. One prime example is licensing.
The level of vitriol used is dependent on the maturity of the person arguing. When I was younger I would argue fervently about ideology and small differences between features of different OSes, but now my philosophy has changed…
By deliberate choice or through ignorance, when we are free to choose, we all end up using the OS we deserve on the computer we deserve.
Your point being? Anyway, the whole study sounds very fishy. However, I’ll hold further comments until after this “academic study” is published.
Luke, I AM your operating system. — Darth Linux
On the whole I agree with the article because it points out the most important point:
Windows is only as secure as Microsoft makes it.
Linux is only as secure as the person who sets it up.
What does this mean? Linux is for people who know what they are doing… always a rare commodity.
And that’s just not news.
Best laugh I’ve had for weeks!
Security on Linux and Windows comes in two (well, more, but two I care to discuss now) main forms:
#1 ‘Security Features’ (firewall, anti-virus, filtering, etc…)
#2 Bug patches.
The first is actually there to try to protect against the second, and the second to protect against what fails in the first.
Okay, watch this: theoretical numbers (for simplicity’s sake):
Windows vulnerabilities: 500,000
Linux Vulnerabilities: 1,000,000
Okay, so at first look, Linux looks like crap, but take into account severity:
Vulnerabilities that allow total control to be taken of the affected machine:
Windows: 300,000
Linux: 400,000
A little closer, these are the biggies.
Vulnerabilities (other than above) that can lead to data loss:
Windows: 9,000
Linux: 3,000
Okay, Linux is looking better, as for integrity.
Now, think carefully.. how many bugs will be fixed within a 6-month period?
Windows: 500-1,000
Linux 5,000 – 10,000
Okay, so Linux gets repaired faster, but is that the primary thing? No, it is how long a certain exploit exists:
Half-life of fatal flaws:
Windows: 2-4 years
Linux: 2-4 months
Okay, so an exploit for Linux may only work for a couple months, but for Windows, years (again, just potentially).
Now, let us assume that there is one major bug in both systems, and the exploits are identical in every manner, including the complexity of the repair (kernel must be completely recompiled, and not just patched). This exploit is causing major security problems for many people on both sides.
How long till the (proper) updates are available for each?
Windows: Next service pack, if ever, until then, we will just plug one of our other holes to prevent this from being seen.
Linux: NOW, oh.. and I see how it got in, “Hey guys! Anyone here feel like plugging this hole up real quick? This took my system down an hour ago, and I found out how it got in, anyone want to take a stab at it?”
Okay, but something more important:
How long before the repair is public:
Windows: a couple months, maybe less on simple jobs, more if waiting for a service pack.
Linux: Hours, maybe a day or two.
Okay, so Linux gets patched up much faster, but let us assume that we do not want to apply ANY patches, but want to completely disable the feature that is letting the attack occur.
Windows: Disable service, another exploit allows the service to be re-enabled so the work-around works for only a day or two, until the other exploit hits you. And, in disabling that service, you also lost the ability to use your network for anything you paid all your money for.
Linux: Disable, and remove, component. There is no getting around a deleted component / service. In order to be affected, you would need to install the same one again. Problem: Component was integral to your network! Solution: install another compatible component, to get you by until the full system upgrade that you will be doing next week.
Okay, by now someone has undoubtedly noticed I did mention one thing that would protect both systems equally: A hardware firewall.
Yup, think about it realistically: if you have a hardware firewall filtering packets of data for you, what do you need all of this security junk for?
So, in conclusion.. with the exception of external protection, I would choose Linux over Windows any day.
Of course, as far as obscurity, I did not even take that into account:
Number of exploits abused by software (viruses, spyware, whatnot) for each:
Windows: Somewhere between 5,000,000,000 and infinity
Linux: Last count, about a few hundred. Most by those trying to test security.
But if you want a real thought:
MacOS: I heard of a few for this, I would guess there are maybe ten or fifteen.
BeOS: ONE, supposedly, but unlikely.
OS/2: My old beloved system, probably still zero today, possibly one by now.
Of course, MacOS.. I would not mind using as a server, however BeOS would be a tough sell until Haiku is ready. Because if there is an exploit, there is no stopping it.
Oh well, I guess Windows is more secure then… hmm.. wait… maybe not?? My BeOS system has never crashed, rebooted mysteriously, needed a format / reinstall, or even had to check the disk for errors. In fact, I did not even restart when I updated my graphics driver (not standard BeOS feature, though.. just a script to close and re-start the app_server).
–The loon
A nun, he moos: I do believe that the fact that you can’t have an executable simply by putting the right extension at the end of a file <clip> do make Linux more secure.
I’ve said this before (on another thread once upon a time) and I’ll say it again… Windows works that way by default to make it easy. You can change the default so that it does not work that way.