|Is Linux Really More Secure Than Windows?|
This answer might surprise you
|Here's the URL to the story:|
I don't think the story will surprise anyone that is close to the security industry. Windows proponents will use the information to feel better about their choice of operating systems and the Linux users will continue to wonder when this "news" will affect them. :)
Linux has enjoyed the benefit of security through obscurity in much the same way Netscape has enjoyed their perceived security. The same way Pegasus and Eudora are perceived to be more "secure" than Outlook.
There is no doubt that obscurity helps security.
The article looks to me like MS propaganda. The first worm mentioned, Ramen (two years old), became a problem in October 2000 and was patched for Redhat in September 2000. Slapper and Mighty are related, and I think September 20th 2002 was when it hit the press; my Redhat boxes were patched on August the 5th.
I really didn't read the whole article, they lost me with the first sentence.
Anyone who doesn't use the update tools available to them for either Linux or Windows is vulnerable. Period. That said, I sure get a lot more hits from Code Red relatives in a day than I've gotten hits from Slapper relatives total. The CERT advisory for that weakness came out on 9/14. I was updated by 9/15, and it was only a day or two after that when the fix was bundled into a Debian update on security.debian.org. Compare that to M$ response times once a bug is publicly known!
The best of Linux is that if the original developer doesn't think an update is worth it, you can mostly do it yourself... And this isn't just security. Bugfixes, add-ons, modifications can be done.
The question is just a bit misleading. Security is not a product, it's a state. Linux's design is more secure than that of Windows, or at least it was a few years ago. I haven't used any more current Windows.
But a sufficiently skilled person (notice the irony) can make anything insecure. Take for example the distributions that set Linux to run as root by default; that downgrades the design to the quality of Windows, which runs as administrator by default. I hope the idea is clear enough.
>Take for example the distributions that set Linux to run as root by default; that downgrades the design to the quality of Windows, which runs as administrator by default. I hope the idea is clear enough.
On Windows versions I've used the system is as vulnerable as a Unix system when you run as root.
Just more FUD from M$. I still remember wehavethewayout.com, isn't that nice: a site that says Unix is bad runs Apache on FreeBSD.
/edit I just don't think before I hit submit
More noise with little substance.
I'm sure cyril [webmasterworld.com] remembers the Zlib [zzdnet.com.com] incident where the MS advocate(s) had egg on their face.
Actually, the zlib incident was a great example of open vs. closed source response to a potential security problem. The open source community had patches out right away. I think apache had a safe patch in 24 hours.
On the MS side, they were reluctant to even admit that they used Zlib because it is an open source library. IMO they didn't want to bring attention to the fact that they use open source code in their products. MS dragged their feet hard on that one.
Oh, for those of you who enjoy reading negative stories about Linux, cyril has done a good job of combing the corners of the web to find articles where Linux/Unix are painted in a bad light:
I'm sure he'll keep posting them as they become available, stay tuned.
As the forum administrator I feel it unfair to attack my credibility with your recent post. If you don't want me to post, just sticky mail me and request that I stop posting and I will stop.
Discussion lists are for discussions. It is not meant to be a love-in. Balance requires a presentation of ideas you may not agree with. Each of my prior posts allowed others to comment on what I wrote and the URLs that I posted. None of the URLs can be said to be hostile to Linux.
My post points to a story URL: "WebSideStory, Inc. the world's leading provider of outsourced e-business intelligence services, today reported that despite much hype and expectation in recent years, Linux has failed to gain market share from Microsoft (NASDAQ: MSFT) and Apple (NASDAQ: AAPL) operating systems."
My second post is an opinion post by me but is balanced with the url of a contrary opinion.
My third post points to an article about security in NewsForge, "The Online Newspaper of Record for Linux and Open Source".
My fourth post points to an important security work-around for Linux.
My fifth post points to an article that notes that Linux had shrunk in the marketplace. Read it and note that I balanced it by noting that this was generally true of the entire technology sector and that "I don't think this says much about the overall health of the Linux market"
Oh, for goodness sake. No, it doesn't have to be a "love-in", but there's no reason why linking to a few of your posts is unfair. Personally, I'd rather see the forum administrator linking to a few of your posts and pointing out a theme than privately trying to shut you up. The first is discussion, and the second would, in my view, be both rude to you and, because Littleman is an administrator, possibly abuse of his position.
If I post elsewhere, and someone points out that I'm a bit of a Linux bigot and that affects my comments, it's relevant. Heck, I seem to recall adding such an addendum to my own post at least once. (Actually, I'm a Free Software bigot who happens to know Linux better than the other Freenixes.)
I don't see a credibility issue at all. I do see a need for evaluating the integrity of information presented in articles brought up for discussion. Determining that may or may not involve considering the source, depending on whether it's an issue that's subject to bias or controversy, but knowing the source of information certainly doesn't detract from determining accuracy or being able to objectively analyze what we're reading.
I'm no techie or security person, but I certainly can read English. The best way to establish credibility of an article is to do a little semantic analysis to discern whether it's propagandized, slanted or unbiased, objectively written reporting.
The title of the article reads "Is Linux Really More Secure than Windows?" which is also the title of this thread. That title intimates that Linux is less secure than Windows. So either it's unbiased and that's true, or it's untrue and the article is clearly slanted, pro-MS propaganda. It can't be both.
How does the article itself read contextually?
Is the article talking about office or home based PCs, or web servers?
>>Mainframe operating systems, which have been perfected over decades, have very few security flaws.
How many commercial virtually hosted websites out there are hosted on IBM 390s?
>A large number of Windows problems are surfacing, in part because of the program's age and in part because of the number of people using Windows
What is the proportion of commercial websites hosted on MS compared to the number hosted on *nix? I believe there are some figures available.
Is there any possibility that there are any vested financial interests behind or related to the article or the source of the information (BugTraq) that could bias it? Being a salesperson, that would make a very effective presentation for a pitch for selling something such as managed security solutions.
|BugTraq is a popular forum for discussion of computer security vulnerabilities. It is moderated by SecurityFocus, now a division of security firm Symantec. |
Do these people derive any income from security related sources that would see increases in revenue from selling fear? The rep from the Auto Club once told me, when I was signing up for membership, "We sell fear." ;)
Just a couple of passing thoughts.
"The title of the article reads "Is Linux Really More Secure than Windows?" which is also the title of this thread. That title intimates that Linux is less secure than Windows. So either it's unbiased and that's true, or it's untrue and the article is clearly slanted, pro-MS propaganda. It can't be both."
The article is posted on Yahoo and the author works for a news service, NewsFactor. The title is the author's.
Your point is that it is either true or not true. Why not comment on that? What do you agree with or disagree with in the article?
The article writer is reporting what "Eric Hemmendinger, research director at Aberdeen Group" said. He points out that the existence of security flaws does not necessarily add up to more risk for users.
"Michael Rasmussen, director of research and information security at Giga Information Group and vice president on the international board of directors of the Information Systems Security Association, agreed"
Are Yahoo, NewsFactor, Aberdeen Group and Giga Information Group (and me) part of the pro-MS propaganda machine?
C'mon, lighten up. If you have a differing opinion, let's hear it.
<giggle>Now why did I KNOW the starter of this thread even before clicking through from the Active posts?</giggle>
I LOVE Cyril's determined efforts to present the other side. I hope he never stops. I hardly ever agree, but sometimes do. He always forces us to reexamine popularly held assumptions. In this case, as an old journalist, this article has "beat up" written all over it. To a casual non-professional reader like me, the body of the article does very little to justify such a provocative title, and indeed if you read it through, you can see good arguments for the contrary. The comparison of the different ways open source and proprietary systems deal with security problems is the most interesting part and all in all tends to suggest that open source, overall, has the edge.
I'm not an expert in this field, so I have to leave it to others for knowledgeable comments, but I enjoy reading good posts that can counter with objective good arguments. As a market researcher now, I offered some professional commentary on Cyril's other posts, and the poor research design of projects used to justify an argument in a pro-website. Now it's up to all you programming guys to help demolish this argument if you can!
OK, I'll bite again.
|Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." |
I'm not on BugTraq specifically, but I am on a few other lists. I see very little that affects me, and even of that I almost never see vulnerabilities that are actually specific to Linux. They're always application-specific. Apache, which has been affected by most of the ones I've seen lately, is not part of Linux, nor is it Linux-specific. (Heck, you can run it on Windows.) OpenSSL, which was actually the source of the problem in some of those vulnerabilities, is also not Linux-specific. Likewise a PHP4 problem. Before that, I think the last one I had to patch for was OpenSSH. Not only is OpenSSH not Linux-specific, OpenSSH is primarily developed on OpenBSD, a different Free 'nix, with heritage going all the way back to the original BSD.
Linux vs Windows 2000 Security Alert Comparison [cyber.com.au]