Study finds Windows more secure than Linux

http://seattletimes.nwsource.com/html/businesstechnology/2002182315_security17.html
Thursday, February 17, 2005 - Page updated at 12:00 a.m.

By Brier Dudley

Seattle Times technology reporter

SAN FRANCISCO — Believe it or not, a Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers.

The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, "Security Showdown: Windows vs. Linux." One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint.

"I actually was wrong. The results are very surprising, and there are going to be some people who are skeptical," said Richard Ford, a computer-science professor at the Florida Institute of Technology who favors Linux.

Their research could contribute to the debate about which system costs more for companies to operate. Linux costs less to acquire, but Microsoft is trying to convince buyers that its software is less expensive to run and manage.

The researchers said security management is a key factor in the cost of running any system. "We need a real factual comparison here," said Herbert Thompson, the other researcher. He is director of security research and training at Security Innovation, a company that provides security services and technology. "There's so much speculation on the Web, newsgroups, from certain presenters on an RSA stage, we need real solid facts."

They compared Windows Server 2003 and Red Hat Enterprise Server 3 running databases, scripting engines and Web servers (Microsoft's on one, the open source Apache on the other).

Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when a vulnerability is first reported to when a patch is issued.

On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.

"That's a very surprising statistic, and I must say the first time I saw this statistic I thought you messed with my database," Ford said to Thompson. Their presentation started jokingly, with Ford reeling off Windows jabs and praising the virtues of freely shared software that's developed collaboratively over the Internet.

But they concluded with statistics showing that the Windows setup had a clear advantage over the Linux alternative.

The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.

Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.

The presentation was a preview of a report they plan to issue in 30 days.
 

binary visions

The voice of reason
Jun 13, 2002
22,145
1,237
NC
Meh.

Not sure why this is surprising - when you consider what they did. Windows (and Microsoft products in general) is designed around the "average person" who doesn't know how to set up security, thus the basic configuration being more secure.

Linux can be locked up far tighter than Windows, but it requires more knowledge and experience in order to do so - right in line with the way Linux has always been.

The patch release dates are interesting, though. To be expected, of course - who has more resources to devote to fixing problems than Microsoft? But the difference between the two numbers is very significant.
 

BigMike

BrokenbikeMike
Jul 29, 2003
8,931
0
Montgomery county MD
binary visions said:
Meh.

Not sure why this is surprising - when you consider what they did. Windows (and Microsoft products in general) is designed around the "average person" who doesn't know how to set up security, thus the basic configuration being more secure.

Linux can be locked up far tighter than Windows, but it requires more knowledge and experience in order to do so - right in line with the way Linux has always been.

The patch release dates are interesting, though. To be expected, of course - who has more resources to devote to fixing problems than Microsoft? But the difference between the two numbers is very significant.
agreed
 

binary visions

The voice of reason
Jun 13, 2002
22,145
1,237
NC
Barbaton said:
And as usual, OS X has the best of both worlds. :love:
:rolleyes:

More like, as usual, the Mac people butt their nose into a discussion that doesn't involve them with irrelevant claims & no data or facts to back it up...

;) :p
 

Barbaton

Turbo Monkey
May 11, 2002
1,477
0
suburban hell
binary visions said:
:rolleyes:

More like, as usual, the Mac people butt their nose into a discussion that doesn't involve them with irrelevant claims & no data or facts to back it up...

;) :p
um, no. I'm a sysadmin for all three platforms and have a very intimate idea what it takes to secure all three. Linux does take some work to make secure, but it's doable. Windows doesn't even have the security possibilities, and OS X makes it push-button easy.

If you must know, on my mac at work I run firmware passwords, my mac locks itself when my cell phone (bound via encrypted bluetooth :) ) moves out of range. I keep an encrypted home directory, which contains the keys for my encrypted email. And of course, it's firewalled but I can actually manage it unlike the windows one that just likes to break everything. :) Coworkers think I spent a lot of time setting it all up but it's just pushing a couple buttons in the preferences. :eviltongu 'course, if i ever tell anyone the passwords it won't be any good...

so poo on you. :blah: :p :cool:
 

bpatterson6

Turbo Monkey
Jul 1, 2004
1,049
0
Colorado
As an MCSE, CCNA and an everyday IT Engineer working for a very large financial services company and working on many different platforms including Linux, I have 2 words for Microsoft...

BETA TESTING!! :mumble:

I'm so sick of patches being released in mass...
It has now become a very painful full time job just to keep up with the amount of servers that I babysit + the amount of patches they release on a regular basis... I guess I should just be happy and Consider it Job Security. :D
 

SkaredShtles

Michael Bolton
Sep 21, 2003
67,300
13,866
In a van.... down by the river
Barbaton said:
um, no. I'm a sysadmin for all three platforms and have a very intimate idea what it takes to secure all three. Linux does take some work to make secure, but it's doable. Windows doesn't even have the security possibilities, and OS X makes it push-button easy.<snip>
OS X is based on BSD. So in all probability you are talking about securing a *nix box with a GUI, correct? NTTAWWT.

-S.S.-
 

Barbaton

Turbo Monkey
May 11, 2002
1,477
0
suburban hell
SkaredShtles said:
OS X is based on BSD. So in all probability you are talking about securing a *nix box with a GUI, correct? NTTAWWT.

-S.S.-
ayup. it's mostly the same stuff you can do in linux, but apple pays people a lot of money to write graphical front ends for all that command line stuff. :rolleyes:
 

Barbaton

Turbo Monkey
May 11, 2002
1,477
0
suburban hell
SkaredShtles said:
I hate GUIs........ :p

-S.S.-
you can edit all the config files by hand then. :) We've got folks who run OS X (well, darwin) without any graphical stuff turned on at all, on servers.

One of my colleagues (linux guy) also hates guis. But he loooves emacs (the *nix text editor, not the crap apple product). Reads his mail in emacs, chats on IM in emacs, surfs the web in emacs. All text. Has one of his mouse buttons set to log him out if he should accidentally touch it. :rolleyes:
 

Ciaran

Fear my banana
Apr 5, 2004
9,841
19
So Cal
It doesn't matter what you do to make your system secure. It does not matter what OS you use. Why? Because the end user is gonna screw it up anyway!

PEBKAC!!!!!!!! :D
 

Toshi

butthole powerwashing evangelist
Oct 23, 2001
39,387
8,478
Barbaton said:
One of my colleagues (linux guy) also hates guis. But he loooves emacs (the *nix text editor, not the crap apple product). Reads his mail in emacs, chats on IM in emacs, surfs the web in emacs. All text. Has one of his mouse buttons set to log him out if he should accidentally touch it. :rolleyes:
you hang out with nerds

(vim for life!)
 

SkaredShtles

Michael Bolton
Sep 21, 2003
67,300
13,866
In a van.... down by the river
Barbaton said:
<snip> But he loooves emacs (the *nix text editor, not the crap apple product). Reads his mail in emacs, chats on IM in emacs, surfs the web in emacs. All text. Has one of his mouse buttons set to log him out if he should accidentally touch it. :rolleyes:
That dude is a *major* freak. Emacs is horrid. :p

-S.S.-