Study Finds Windows more secure than Linux

In case anybody wanted it, the link to the article i here

http://seattletimes.nwsource.com/htm...ecurity17.html

Both Ford and Thompson are listed on this page as being part of Florida Tech's Center for Information insurance, of which Microsoft is apparently a sponsor.

Also, you have to put this in perspective: These were "out of the box" installations. I'm sorry, but you ask any real person in the real world with real hosting experience and they will laugh at this "study".... Out of the box, installed by a n00b - yes, of course windows will be the more secure web server. but a properly configured apache server is the platform of choice for serious web hosting, unless you are tied to Coldfusion or .net

Camman

21 Feb '05, 2:29 pm

yeah omg sorry /linux rules and people with Doctorates and who are Professors probably are noobs and don't know what they are doing

primesuspect

21 Feb '05, 2:34 pm

so hostile....

primesuspect

21 Feb '05, 2:37 pm

Of course they know what they're doing - i'm not casting any doubt on that. I am simply saying they are testing out of the box solutions, which suck under ANY circumstances. Nothing will be configured properly out of the box, including windows.

Dude, I'm not a windows hater, like you think I am. But since half of my living is hosting, I have a very personal stake in the matter, and I would not stake my livelihood on windows' hosting out of the box any more than I would on linux out of the box, and given the choice, I've chosen linux because it's cheaper, faster, and more secure once configured properly.

Camman

21 Feb '05, 2:37 pm

not hostile, I should have counted on the instantaneous response to refute the article. I just find it funny that you can dismiss a study by people who obviously have quite a bit of knowledge in their fields as "n00bs setting up an out of the box system" . But then for all those people someone else will say "oh well Microsoft systems aren't secure out of the box and that will be a point against a Windows system. The evil in Redmond can do no right.

Enverex

21 Feb '05, 2:38 pm

Who the hell uses servers with "Out of the Box" OS Setups? Thats just silly, and Red Hat of all things...

Sputnik

21 Feb '05, 3:58 pm

where's thrax when you need him? wonna see what the other windows fanboy has to say....

got to go with prime here. the test is garbage at best.

Kwitko

21 Feb '05, 4:38 pm

Quoting Camman

people with Doctorates and who are Professors probably are noobs and don't know what they are doing

In my experience, yes. My father's friends, several who are doctors and lawyers, cannot do basic things with a PC. Intelligence != computer savvy.

primesuspect

21 Feb '05, 4:57 pm

Quoting Camman

not hostile, I should have counted on the instantaneous response to refute the article. I just find it funny that you can dismiss a study by people who obviously have quite a bit of knowledge in their fields as "n00bs setting up an out of the box system" . But then for all those people someone else will say "oh well Microsoft systems aren't secure out of the box and that will be a point against a Windows system. The evil in Redmond can do no right.

I'm hardly dismissing the study. I'm just making sure that you remember perspective on this. Nobody in their right mind would host a production server OOB with no patches. So, I'd like to see the study done again with fully patched servers - RHEL4 vs Win2K3

I can promise you that the linux setup would be more secure. That's all I'm saying. This is just spin doctoring, that's all.

Thrax

21 Feb '05, 4:57 pm

Quoting Sputnik

where's thrax when you need him? wonna see what the other windows fanboy has to say....

got to go with prime here. the test is garbage at best.

I don't give a ****.

lightnin

21 Feb '05, 5:18 pm

i dont see where this means a thing. period between patch updates?? give me a break. at least retitle the 'study' to something more meaningful, like 'redhat's security response rate vs microsoft's'. if they want to REALLY compare security, they should look at the severity of the code flaws that necessitated the patches to begin with. was this kernel-level security flaws or some stupid buffer overflow on an obscure and rarely-used text editor that will never be installed on a server anyway? these security 'tests' are rarely ever accurate on either side.

Camman

21 Feb '05, 5:27 pm

Quoting Sputnik

where's thrax when you need him? wonna see what the other windows fanboy has to say....

got to go with prime here. the test is garbage at best.

You're right, cause I decided to submit an article that happens to say something negative about a Linux platform, I am in fact a "Windows fanboy" give me a ****ing break.

I guess the rest of you, by sputnik definition, are "Linux fanboys" since you must come to the aid to protect the name of Linux if somebody tries to say something detrimental about it.

Quoting Kwitko

In my experience, yes. My father's friends, several who are doctors and lawyers, cannot do basic things with a PC. Intelligence != computer savvy.

And this doesn't even make sense. The people who did the study are obvious specialists in their field. I wouldn't expect a medical doctor or a lawyer to be savvy in areas of computer security.

But then again, it seems whenever you post something on here about somebody with qualifications everyone comes rushing in saying "well that doesn't mean ****, because I have experience and thats 10x more important than an education"
Fine, it may very well be, but every time I hear that on here it sounds more like a personal justification for not having an education or something.

My point was that somebody doing a study on computer security with a Doctorate or is a Professor in their particularly field, obviously has some knowledge of what they are doing, despite the objections of everyone who will dismiss this study as "garbage"

lightnin

21 Feb '05, 5:31 pm

well, i personally get tired of reading so-called news like this. it's not good info for anyone.
anyone can write trash about anything, put a big bold headline on it and people automatically agree with it. it's like this for almost ALL news media anymore.

primesuspect

21 Feb '05, 5:56 pm

Yeah, that's the other thing I'm trying to get at, lightnin.... like, what's the point of this "study" except for spin and/or headlines? Since the fact that no serious administrator would ever run a production server OOB, and this "study" compares two products OOB, what is the data that is to be drawn from the conclusion?

"Hi folks, product A, which no one will ever use, is far better than product B, which no one will ever use. So make sure if you ever use the products for something, which you won't, that product A is the one you choose! Not that you would.... or anything..."

Cam, you say you're not hostile, but you were very quick to post the study and the article that you linked, just to be sure we read it correctly, as if to back up the claims. Now, you know me well enough to know that I don't feel the need to justify "i don't have no edukashun" but I'm just speaking from honest experience.

Let me put it another way: I got a phone call today, from a real live customer. This customer said he was about to install IIS by poking "pinholes" in his "router" and he wanted to host a web page on his company's file server. He was "doing a lot of research and reading" and felt that he was ready to become a web server admin based on his "research". Once I gave him a 10 minute overview of security, and the fact that installing a production web server on a standard, unpatched Win2K server running IIS5 would seriously compromise his company's data, he was very thankful that I gave him a quick education before he got his ass fired from his job by doing that.

Now if that same dude came and read this garbage study (and yes, now at this point I AM dismissing this study), he would say "oh windows is teh bettar" and install a production web server on his company's primary fileserver and then get it turned into an 0wn3d b0x for LEETPIGBLOOD3F33X~OMG~ GROUP serving up german poo poo videos, and get fired.

Camman

21 Feb '05, 6:00 pm

Quoting primesuspect

Cam, you say you're not hostile, but you were very quick to post the study and the article that you linked, just to be sure we read it correctly, as if to back up the claims.

Actually, you obviously missed the fact that the article is not at all linked in the original news post.

It says

Source:

and there's nothing there. So I posted the article, not to 'back up my claims' but so that there is a reason for the news post and not just a random snip out of the article.

You people, you especially, are so closed minded to openly say "oh well this is garbage, I wont even pay attention to it" it's ridiculous. To be honest with you, I was surprised to find that this news post even made it through and got on Short-Media, so, I guess I should be satisfied with that.

Your same scenario about somebody compromising your clients box to turn it into some personal porn file sharing thing is just as applicable on a *nix box. You say it like "well because it's windows it WILL be compromised, unlike the Fort Knox that is any Linux distro" You contradict yourself because you yourself said above that "any unpatched box" can be easily compromised. So, his file server, running Linux or Windows 2000, could be compromised if security is lax on either system.

Obviously the guy is a noob anyway if he's trying to run a webserver off a production fileserver, so, the point you're trying to make is pretty much moot.

Private_Snoball

21 Feb '05, 6:04 pm

Why is it that when ever Open source, Microsoft, and OS X are brought up in the same article WWIII happens.

Think of it this way, everyone is taking this with a grain of salt, everyone will. If someone doesn't look at this article and think "hmmmm I wonder about this than they probably aren't intelligent enough to be hosting anyway.

Take it with a grain of salt, get some french fries, and lets all hug and be friends, or hand shake, either way.

Interesting article either way.

primesuspect

21 Feb '05, 6:10 pm

Cam, I was referring to your first post in this thread - "in case anybody wanted it, here's the link".

Snoball, i wish people did take this stuff with a grain of salt, but someone out there is going to read this news article and go and make a bad decision because of it, and that just contributes to the overall suckiness of the web.

Cam:

If the dude was going to say "i guess I'll go with linux because it's safer", it would be much more difficult for him to go "OOB" than it is with windows. There's no wizards.

So, he would have to read, research, and become educated on the platform at least a little bit before he could even get it to work. By the time he did all that, he would at least realize the importance of having the latest patches.

You seem really riled up about this, so I'm just gonna let it go. Windows is more secure than linux. you're right, i'm wrong, i'll move all of my servers over to windows tomorrow

Camman

21 Feb '05, 6:14 pm

Quoting primesuspect

Cam, I was referring to your first post in this thread - "in case anybody wanted it, here's the link".

You seem really riled up about this, so I'm just gonna let it go. Windows is more secure than linux. you're right, i'm wrong, i'll move all of my servers over to windows tomorrow

So was I, there's NO LINK IN THE NEWS POST. That's what I'm getting at. I figured people would actually want to read the article that I submitted and wasn't even linked, instead of checking out one snip and saying "wtf, where is that from, what does this have to do with anything?"

And yeah, it's pretty easy for you to make me look like the dick by "letting it go" (letting what go, it's just a discussion) and saying "oh you're right I'm wrong" that's not at all what I was trying to say. And I don't care what you do with your servers, as long as they stay up and I can log into my site. And oh yeah, I'm sorry, I forgot that I don't know anything because I don't run an operate production environment web servers, which seems to be what you're getting at by continually responding to my posts with tales of "actual clients"

GnomeWizardd

21 Feb '05, 6:28 pm

CHILDREN CHILDREN !!!!! Simmer down!

Windows may be more secure or Linux maybe more secure or hell OSX maybe more secure! Just because one article says something doesnt mean its 100% true. I can find articles that say AMD is betterand I can find some artcles that say Intel is better. Everyone has thier opinion and everyone is entitled to it. Now lets kick this to the curb and move on!

Shake hands and be done with it!

Thrax

21 Feb '05, 6:37 pm

"Love... Love will keep us together..."

RWB

21 Feb '05, 6:41 pm

I think your both going a bit overboard... don't even understand how this got started, but I feel neither of you want to let it go becuase the bullets have already been fired. Swallow your pride, shake hands, kiss and make up.

I really don't think that article gave any amount of decent information to go either way on this issue. They even mentioned that they didn't have the funds to do proper testing(not a quote), and after looking up more artiles on this "study" none gave much more information.

PEACE!

^Ben

21 Feb '05, 7:08 pm

Wasn't this study more based on how fast each respective vendor patches serious security holes?

It wasnt about who can find more holes, it was more "well this problem was reported lets sit back and see how long it takes microsoft or red hat to fix it."

RWB

21 Feb '05, 8:04 pm

Quoting ^Ben

Wasn't this study more based on how fast each respective vendor patches serious security holes?

It wasnt about who can find more holes, it was more "well this problem was reported lets sit back and see how long it takes microsoft or red hat to fix it."

I still wouldn't think that is very fair on either side. While Open Source has anyone and everyone fixing and submitting fixes; Microsoft, for good reason, may hold back any annoucement of known problems to prevent people from taking advantage of that issue, then when it is found out they may release the fix. Two very different worlds if you ask me.

primesuspect

21 Feb '05, 8:12 pm

Quoting Camman

So was I, there's NO LINK IN THE NEWS POST. That's what I'm getting at. I figured people would actually want to read the article that I submitted and wasn't even linked, instead of checking out one snip and saying "wtf, where is that from, what does this have to do with anything?"

And yeah, it's pretty easy for you to make me look like the dick by "letting it go" (letting what go, it's just a discussion) and saying "oh you're right I'm wrong" that's not at all what I was trying to say. And I don't care what you do with your servers, as long as they stay up and I can log into my site. And oh yeah, I'm sorry, I forgot that I don't know anything because I don't run an operate production environment web servers, which seems to be what you're getting at by continually responding to my posts with tales of "actual clients"

damn dude.... you're not a dick, i'm just giving you my honest arguments... You are so defensive, you make it sound like I'm out to get you or something

LawnMM

21 Feb '05, 8:39 pm

A few things I'll point out here. First off, apparently the guy who did this research is a computer science professor. So he probably has some knowledge of the field, bonus: he's a linux fan. So its not like we have a MS fanboy conducting the research. Unfortunately, I'd rather see the study run by a research scientist, or at least somebody well versed in research methodology. Its good to know the field, but its best to use that knowledge to guide a research scientist in designing the study.

That said, its not exactly a flawed study. I see the "its an OOB configuration, of course linux isn't all buttoned up" argument getting tossed around. Using OOB is the most accurate way to measure the security level. Otherwise depending on who patched yesterday, their OS will look more secure if you start somewhere else. By starting with a basic setup, its easier to tell who has the most security holes from the get go, and how long between their discovery and patch turns out to be.

Yeah, there are plenty of other factors to consider. Type of code vulnerability, is it kernel level or not, etc. The way they set this up isn't all that poor though. By measuring the number of reported vulnerabilities and the time between when its discovered and patched, you give a pretty good account of how quickly security problems are buttoned up on both platforms.

As long as we're tossing out spurious factors, consider this...windows is drastically more popular than linux. If you want to write a virus or dig up a security flaw, you want it to be effective, so you pick the biggest target. I would argue windows is inherently much more secure than any study would show simply due to the level of scrutiny it receives from the code cracking community. I would also argue than it is more secure because in the absence of intelligence, it will automatically patch itself without any input from the home user.

Can some elite server administrator make a linux server more secure than an equally competant windows admin, probably, but only because a linux server is a smaller target. In the end, either would probably be plenty secure in the hands of an administrator that knows what the hell they're doing.

primesuspect

21 Feb '05, 8:53 pm

I don't see this so much as windows vs. linux argument, i'd see it more as "IIS on Win2K3" vs "apache on RHEL3"

NiGHTS

21 Feb '05, 9:58 pm

Jengo

21 Feb '05, 10:10 pm

i agree with Prime, But it doesnt matter, arguing about it is just childish.

pseudonym

21 Feb '05, 11:40 pm

Dear god, I didn't read everything, although I probably should have cause I'm probably just going to repeat everything.

My opinion on it. It wouldn't surprise me that Windows would be more secure than Linux.

1) It faces more attacks and is in greater use by the normal community, thus more problems are found, thus more problems are fixed.

2) Linux is used less, faces less attacks, and is not used by the normal community but by mostly more computer savvy people, so most guys who care about viruses and hacking don't bother. You don't get any noteriety if no one knows what you did, and more computer savvy people are harder to get at anyways.

Just because Windows gets more attacks and widespread problems does not mean its any less secure than linux. Its like comparing apples to oranges as far as I'm concerned. Obviously I have no data, but statistically speaking, I'd want to see an equal comparision before I knew which was which. I'm sure virus writers would destroy linux if it was in the same position as Windows.

Anyways, it just seems to me that since Windows gets the crap beat out of it more, and thus improved more, that it is possibly the more secure system, its just that it seems less secure because the goal of many people out there is to beat on Windows based systems rather than linux based ones. No data to back this up, and there really isn't any way to gather that data, but thats the way it seems to me.

edit// Well, now that I think about it, I guess you could say linux is the more secure system because it simply faces less attacks. Least technical way to go about it I guess.

lightnin

22 Feb '05, 8:11 pm

define 'secure'

then show me 10 worms that affect a linux machine simply by exposing it to the internet

tcith

22 Feb '05, 9:01 pm

Quoting lightnin

then show me 10 worms that affect a linux machine simply by exposing it to the internet

If Linux servers where as popular as Windows servers then there would be more worms - the object of the virus is to compromise the system then launch it'self out looking for another system to compromise...

If I have a virii that only attacks the minority of thre it will be very sloiw to spread and do minimal damage, if not halt itself due to not being able to replicate

That said
Worms for Linux servers: not 10 but hey there is more than one:
Slapper worm
Ramen Worm - this brought NASA to it's knees
Lion Worm

There are virus and worms written for almost any OS out there, if not all.

lightnin

22 Feb '05, 9:06 pm

i used to agree with the whole 'windows is more popular' argument however... if I were a worm coder, and i really wanted to screw someone's world up, i'd be trying to write as many worms as i could for as many http servers i could find for 'nix systems. if the argument holds true, that means there are EVEN MORE holes in OSS/'nix services that could be exploited. it'd be a worm coder's playground. why hasnt this scenario played out yet? with as popular as linux/unix is in the server room, it seems these guys would want to make themselves famous and go for the the gold, like that ramen worm.

primesuspect

22 Feb '05, 9:07 pm

You know, I don't know where you guys get your info, but to say "windows is more popular than linux" when we are talking about webservers is just plain wrong. We are not talking about desktops or desktop security here. In the world of web serving, *nix + apache reign supreme - by a big majority. So that whole "oh if linux were more popular it would be more attacked" argument doesn't make any sense in this context. It IS the bigger target.

//edit: hahha i think we were posting (and thinking) the same thing at the same time, lightnin

Jengo

22 Feb '05, 9:11 pm

yes prime, your are right. Linux servers are cheaper therefore making them more appealing to corporations.

primesuspect

22 Feb '05, 9:18 pm

I really don't think the cost is the deciding factor. Major purchasers like a big company don't necessarily look at the cost of the product - they look at the TCO (total cost of ownership) which takes into account things like supportability, reliability, performance, cost of hiring qualified operators, etc.

Generally Windows and Linux are on the same footing as far as TCO goes. You pay more for Windows licensing, but it costs less to hire an MCSE than a certified or qualified *nix guru, and MCSEs are a dime a dozen. Windows is cheaper to "run", for lack of a better term. This goes back and forth, with various competing "studies" always showing Windows has a lower TCO and then another one showing Unix has the lower TCO, so on and so forth ad nauseum.

Linux is more widely deployed in the web serving market for a variety of reasons. Being first to the game was a big part of it. The fact that up until IIS 5, IIS was a hulking piece of crap didn't help the windows case either. IIS5 was alright, IIS6 is pretty tight, on par with apache for features and performance. But the big thing is open source. open source is, VERY much to Microsoft's chagrin and detriment, a viable model for building excellent applications. Because LAMP (linux apache mysql php) provides such an amazing feature set at such a low cost and is terribly reliable and fast, it is a very very viable competitor to Microsoft's offerings. Microsoft's spin machine is always out to paint the open source stuff as a joke, but really, there's not a whole lot you can't do with that combo, even up to the major enterprise level.

lightnin

22 Feb '05, 9:32 pm

we do some pretty amazing things with LAMP here at work. although i have to admit i HATE php as a language, it is pretty powerful and very easy to learn and use in my opinion. i've gone from thinking the only dbs out there was Oracle and DB2 to thinking the only ones are Postgre and Mysql

only thing about that article, it only took into account apache, how many of those numbers are MS+Apache?

Camman

22 Feb '05, 10:09 pm

Quoting primesuspect

Microsoft's spin machine is always out to paint the open source stuff as a joke, but really, there's not a whole lot you can't do with that combo, even up to the major enterprise level.

Yeah, but any company does this with a competing project. There just is so many distros of Linux and different companies and none are really "huge" so to say, so you only see the 'spin' coming from Microsoft and not vice versa. It's just advertising and marketing.

Thrax

22 Feb '05, 10:17 pm

"Marchitecture."

Study Finds Windows more secure than Linux

39 Comments:

Advertisement

Welcome home

New in tech

Meet the Staff

New in gaming

New in life

Advertisement

The 10¢ Tour

What We’re Doin’

RSS Feeds