Study Finds Windows more secure than Linux
Linc
Owner, Detroit, Icrontian
Researchers at an RSA Security conference set out to settle a debate between an avid Linux user and one who swears by Microsoft products. The results were not as expected and some may be skeptical.
Source:
Submitted by: Camman
Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when a vulnerability is first reported to when a patch is issued.
On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.
Comments
http://seattletimes.nwsource.com/html/businesstechnology/2002182315_security17.html
Also, you have to put this in perspective: These were "out of the box" installations. I'm sorry, but you ask any real person in the real world with real hosting experience and they will laugh at this "study".... Out of the box, installed by a n00b - yes, of course Windows will be the more secure web server. But a properly configured Apache server is the platform of choice for serious web hosting, unless you are tied to ColdFusion or .NET.
Dude, I'm not a Windows hater, like you think I am. But since half of my living is hosting, I have a very personal stake in the matter, and I would not stake my livelihood on Windows hosting out of the box any more than I would on Linux out of the box, and given the choice, I've chosen Linux because it's cheaper, faster, and more secure once configured properly.
Got to go with prime here. The test is garbage at best.
In my experience, yes. My father's friends, several who are doctors and lawyers, cannot do basic things with a PC. Intelligence != computer savvy.
I'm hardly dismissing the study. I'm just making sure that you remember perspective on this. Nobody in their right mind would host a production server OOB with no patches. So, I'd like to see the study done again with fully patched servers - RHEL4 vs Win2K3
I can promise you that the Linux setup would be more secure. That's all I'm saying. This is just spin doctoring, that's all.
I don't give a ****.
You're right, cause I decided to submit an article that happens to say something negative about a Linux platform, I am in fact a "Windows fanboy" give me a ****ing break.
I guess the rest of you, by sputnik definition, are "Linux fanboys" since you must come to the aid to protect the name of Linux if somebody tries to say something detrimental about it.
And this doesn't even make sense. The people who did the study are obvious specialists in their field. I wouldn't expect a medical doctor or a lawyer to be savvy in areas of computer security.
But then again, it seems whenever you post something on here about somebody with qualifications everyone comes rushing in saying "well that doesn't mean ****, because I have experience and that's 10x more important than an education"
Fine, it may very well be, but every time I hear that on here it sounds more like a personal justification for not having an education or something.
My point was that somebody doing a study on computer security who has a Doctorate or is a Professor in their particular field obviously has some knowledge of what they are doing, despite the objections of everyone who will dismiss this study as "garbage"
Anyone can write trash about anything, put a big bold headline on it and people automatically agree with it. It's like this for almost ALL news media anymore.
"Hi folks, product A, which no one will ever use, is far better than product B, which no one will ever use. So make sure if you ever use the products for something, which you won't, that product A is the one you choose! Not that you would.... or anything..."
Cam, you say you're not hostile, but you were very quick to post the study and the article that you linked, just to be sure we read it correctly, as if to back up the claims. Now, you know me well enough to know that I don't feel the need to justify "i don't have no edukashun" but I'm just speaking from honest experience.
Let me put it another way: I got a phone call today, from a real live customer. This customer said he was about to install IIS by poking "pinholes" in his "router" and he wanted to host a web page on his company's file server. He was "doing a lot of research and reading" and felt that he was ready to become a web server admin based on his "research". Once I gave him a 10 minute overview of security, and the fact that installing a production web server on a standard, unpatched Win2K server running IIS5 would seriously compromise his company's data, he was very thankful that I gave him a quick education before he got his ass fired from his job by doing that.
Now if that same dude came and read this garbage study (and yes, now at this point I AM dismissing this study), he would say "oh windows is teh bettar" and install a production web server on his company's primary fileserver and then get it turned into an 0wn3d b0x for LEETPIGBLOOD3F33X~OMG~ GROUP serving up german poo poo videos, and get fired.
Actually, you obviously missed the fact that the article is not at all linked in the original news post.
It says
Source:
and there's nothing there. So I posted the article, not to 'back up my claims' but so that there is a reason for the news post and not just a random snip out of the article.
You people, you especially, are so closed-minded to openly say "oh well this is garbage, I won't even pay attention to it" it's ridiculous. To be honest with you, I was surprised to find that this news post even made it through and got on Short-Media, so, I guess I should be satisfied with that.
Your same scenario about somebody compromising your client's box to turn it into some personal porn file sharing thing is just as applicable on a *nix box. You say it like "well because it's Windows it WILL be compromised, unlike the Fort Knox that is any Linux distro". You contradict yourself because you yourself said above that "any unpatched box" can be easily compromised. So, his file server, running Linux or Windows 2000, could be compromised if security is lax on either system.
Obviously the guy is a noob anyway if he's trying to run a webserver off a production fileserver, so, the point you're trying to make is pretty much moot.
Think of it this way, everyone is taking this with a grain of salt, everyone will. If someone doesn't look at this article and think "hmmmm, I wonder about this" then they probably aren't intelligent enough to be hosting anyway.
Take it with a grain of salt, get some french fries, and let's all hug and be friends, or hand shake, either way.
Interesting article either way.
Snoball, I wish people did take this stuff with a grain of salt, but someone out there is going to read this news article and go and make a bad decision because of it, and that just contributes to the overall suckiness of the web.
Cam:
If the dude was going to say "I guess I'll go with Linux because it's safer", it would be much more difficult for him to go "OOB" than it is with Windows. There's no wizards.
So, he would have to read, research, and become educated on the platform at least a little bit before he could even get it to work. By the time he did all that, he would at least realize the importance of having the latest patches.
You seem really riled up about this, so I'm just gonna let it go. Windows is more secure than Linux. You're right, I'm wrong, I'll move all of my servers over to Windows tomorrow.
So was I, there's NO LINK IN THE NEWS POST. That's what I'm getting at. I figured people would actually want to read the article that I submitted and wasn't even linked, instead of checking out one snip and saying "wtf, where is that from, what does this have to do with anything?"
And yeah, it's pretty easy for you to make me look like the dick by "letting it go" (letting what go, it's just a discussion) and saying "oh you're right I'm wrong" that's not at all what I was trying to say. And I don't care what you do with your servers, as long as they stay up and I can log into my site. And oh yeah, I'm sorry, I forgot that I don't know anything because I don't run and operate production environment web servers, which seems to be what you're getting at by continually responding to my posts with tales of "actual clients"
Windows may be more secure or Linux may be more secure or hell OSX may be more secure! Just because one article says something doesn't mean it's 100% true. I can find articles that say AMD is better and I can find some articles that say Intel is better. Everyone has their opinion and everyone is entitled to it. Now let's kick this to the curb and move on!
Shake hands and be done with it!
I really don't think that article gave any amount of decent information to go either way on this issue. They even mentioned that they didn't have the funds to do proper testing (not a quote), and after looking up more articles on this "study" none gave much more information.
PEACE!
It wasn't about who can find more holes, it was more "well this problem was reported, let's sit back and see how long it takes Microsoft or Red Hat to fix it."
I still wouldn't think that is very fair on either side. While Open Source has anyone and everyone fixing and submitting fixes; Microsoft, for good reason, may hold back any announcement of known problems to prevent people from taking advantage of that issue, then when it is found out they may release the fix. Two very different worlds if you ask me.
Damn dude.... you're not a dick, I'm just giving you my honest arguments... You are so defensive, you make it sound like I'm out to get you or something.
That said, it's not exactly a flawed study. I see the "it's an OOB configuration, of course Linux isn't all buttoned up" argument getting tossed around. Using OOB is the most accurate way to measure the security level. Otherwise depending on who patched yesterday, their OS will look more secure if you start somewhere else. By starting with a basic setup, it's easier to tell who has the most security holes from the get go, and how long between their discovery and patch turns out to be.
Yeah, there are plenty of other factors to consider. Type of code vulnerability, is it kernel level or not, etc. The way they set this up isn't all that poor though. By measuring the number of reported vulnerabilities and the time between when it's discovered and patched, you give a pretty good account of how quickly security problems are buttoned up on both platforms.
As long as we're tossing out spurious factors, consider this... Windows is drastically more popular than Linux. If you want to write a virus or dig up a security flaw, you want it to be effective, so you pick the biggest target. I would argue Windows is inherently much more secure than any study would show simply due to the level of scrutiny it receives from the code cracking community. I would also argue that it is more secure because in the absence of intelligence, it will automatically patch itself without any input from the home user.
Can some elite server administrator make a Linux server more secure than an equally competent Windows admin? Probably, but only because a Linux server is a smaller target. In the end, either would probably be plenty secure in the hands of an administrator that knows what the hell they're doing.
My opinion on it. It wouldn't surprise me that Windows would be more secure than Linux.
1) It faces more attacks and is in greater use by the normal community, thus more problems are found, thus more problems are fixed.
2) Linux is used less, faces fewer attacks, and is not used by the normal community but by mostly more computer savvy people, so most guys who care about viruses and hacking don't bother. You don't get any notoriety if no one knows what you did, and more computer savvy people are harder to get at anyways.
Just because Windows gets more attacks and widespread problems does not mean it's any less secure than Linux. It's like comparing apples to oranges as far as I'm concerned. Obviously I have no data, but statistically speaking, I'd want to see an equal comparison before I knew which was which. I'm sure virus writers would destroy Linux if it was in the same position as Windows.
Anyways, it just seems to me that since Windows gets the crap beat out of it more, and thus improved more, that it is possibly the more secure system, it's just that it seems less secure because the goal of many people out there is to beat on Windows based systems rather than Linux based ones. No data to back this up, and there really isn't any way to gather that data, but that's the way it seems to me.
edit// Well, now that I think about it, I guess you could say Linux is the more secure system because it simply faces fewer attacks. Least technical way to go about it I guess.