Study finds Windows more secure than Linux

The Seattle Time ^ | 2/17/05 | Brier Dudley

[rit]

SAN FRANCISCO — Believe it or not, a Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers.

The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, "Security Showdown: Windows vs. Linux." One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint.

"I actually was wrong. The results are very surprising, and there are going to be some people who are skeptical," said Richard Ford, a computer-science professor at the Florida Institute of Technology who favors Linux.

[FastCoyote]

m"ySQL is the fact I couldn't use views or sprocs."

I think views are in 5.0 I'm using Mysql extensively. Not perfect, but rock solid and the price is right

[usgator]

I think views are in 5.0

Is it? Someone told me a while back that the 5.0 would have sprocs ... haven't used it yet. As I said in an earlier post if they included sprocs and views it would give SQL Server a pretty good battle. Guess I'll have to get the latest version and try it out. Thanks.

Here's a slightly off-topic request, but, I use a product called Window Washer on my Windows machines, does anyone know of a comparable application for Mandrake?

Also one that will detect spyware?

[Ex-Dem]

Lol, and my point is still that you need to put money into developing better products. Are you willing to say that OpenOffice has improved upon Microsoft Office the same way MS Office has compared to those other examples you gave? Does it have more features? A better interface? Is it more user friendly? They're put a lot of effort into making a product that works almost as well as MS Office and has almost as many features and even added a new thing or two like the PDF distiller, but even so it's hardly an improvement.

You'd have a more convincing argument there if you'd used Firefox as an example instead. Granted, they already had Netscape to work from, but it's still better in many ways than IE. Course, MS is coming out with IE7 at some point, so it'd be interesting to see how they'll respond.

[Ex-Dem]

You really shouldn't have a problem with spyware if you're using Mandrake...

As for those other things, a lot of web browsers give you easy ways of clearing cache, deleting/blocking cookies, and deleting history.

[dalight]

""dalight: "The only University professor that I know who wrote a major operating system that enjoys any market share today is Linus Torvalds""

Lets see, you posted this remark twice after I corrected that in post 285. As these were replies to posts after 285, this would seem to mean that you can't take yes for an answer. That just makes you a bore and a horse's patute..

[dalight]

My argument is and has been that the study sited in this article is flawed. It is flawed because it measures differences between the way Microsoft and Linux handles security problems rather than any real difference in Security because. Anyone who runs both of these OS's, Like MYSELF and several other professionals that have posted in this thread who definitely have fought these battles on a day to day basis and I have had one Linux box compromised in my whole career, but you almost can't keep the crud out of any Windows box without constant care, attention, 3 security scanners, update weekly or even daily, it just goes on.. and on.. why waste my time trying to give you a hint of a clue.

If you had a clue about the Mach kernel, that would be different too..

I don't know where the crack about manners came from. I guess just something to say.

I guess I need to support my assertion that Dr. Rashid wasn't the only person who worked on the Mach kernel. Still, I owe the bunch of them my thanks for their efforts and the foundation of the OS I like so much.

Current Mach Project Team Members

David Golub

Mach project staff

Currently working on real-time enhancements to the micro-kernel and the Unix server

dbg@cs.cmu.edu

J. Mark Stevenson

Mach project staff

Currently working on Multi-Server

jms@cs.cmu.edu

Dan Stodolsky

CMU CS graduate student

Now working on Parallel Data Lab project support for disk arrays

danner@cs.cmu.edu

Past Mach Project Team Members

Robert Baron

Mach project staff

Now working for Computer Security Project at CMU

rvb@cs.cmu.edu

Joseph Barrera

CMU CS graduate student

Researcher, Microsoft Corporation

joebar@microsoft.com

David Black

CMU CS graduate student

Open Software Foundation Research Institute - Senior Research Fellow

dlb@osf.org

Brian Bershad

CMU CS Faculty Member, Mach PI

University of Washington Faculty Member

bershad@cs.washington.edu

Dave Bohman

ITC Mach staff

NeXT

dbohman@next.com

Bill Bolosky

Mach project staff

Researcher, Microsoft Corporation

bolosky@microsoft.com

Jose Brustoloni

CMU CS graduate student

Now working for HIPPI Nectar and VC Nectar

jcb@cs.cmu.edu

Jonathan Chew

Mach project staff

Stanford University

jjc@mojave.stanford.edu

Randall Dean

Mach project staff

Open Software Foundation Research Institute - Senior Research Engineer

rwd@osf.org

Rich Draves

CMU CS graduate student

Researcher, Microsoft Corporation

rpd@cs.cmu.edu

Alessandro Forin

CMU CS Research faculty

Researcher, Microsoft Corporation

sandrof@microsoft.com

Jeffrey Friedl

Visiting Researcher from Omron

Omron Corporation

jfriedl@nff.ncl.omron.co.jp

Michael Ginsburg

CMU Math Undergraduate

Microsoft Corportation

Lori Iannamico

Mach project staff

Distribution co-ordinator

lli@cs.cmu.edu

Michael Jones

CMU CS graduate student

Researcher, Microsoft Corporation

mbj@microsoft.com

Daniel Julin

CMU CS graduate student

Researcher, Isis Distributed Systems

dpj@cs.cmu.edu or dpj@isis.com

Chris Maeda

CMU CS graduate student

Currently in residence at University of Washington

cmaeda@cs.washington.edu

Rob Malan

Mach project staff

Graduate Student at University of Michigan

grm@cs.cmu.edu

Manish Modh

CMU Undergraduate in Math

IBM Boca.

mmal+@andrew.cmu.edu

Doug Orr

Mach project staff

Graduate Student University of Utah

dbo@cs.utah.edu

Rick Rashid

CMU CS Faculty Member, Mach PI

Director of Research at Microsoft Corporation

rashid@microsoft.com

Richard Sanzi

Mach project staff

Transarc Corporation

sanzi+@transarc.com

Indira Subramanian

CMU CS/ECE graduate student

indira@cs.cmu.edu

Avie Tevanian

CMU CS graduate student

NeXT

Avadis_Tevanian@Next.Com

Mary Thompson

Mach project staff

Lawrence Berkeley Laboratory

mrt@cs.cmu.edu E-mail: MRThompson@lbl.gov

Bob Wheeler

CMU CS graduate student

D. E. Shaw & Co.

bobw@cs.cmu.edu E-mail: bobw@deshaw.com

Zon Williams

ITC Mach staff

zon@andrew.cmu.edu

Michael Young

CMU CS graduate student

Transarc Corporation

mwyoung@cs.cmu.edu

[usgator]

You really shouldn't have a problem with spyware if you're using Mandrake...

Kinda figured that but wanted to be sure.

web browsers give you easy ways of clearing

I'm using Firefox and it will remove web caching and things like that. I was also looking for a easy way to remove temp files etc, but this is a minor point. Thanks.

[usgator]

wow. Now, that's a post! Anyway, thanks to everyone who helped make this a very informative thread. It's midnight here and 5:00 comes early ... 'night all!

[FastCoyote]

"has (Open Office) improved upon Microsoft Office the same way MS Office has compared to those other examples you gave?"

Certainly not. Cewrtainly doesn't matter. Types a business document just fine (unless you need Word Art). I'm sorry, but Excel doesn't do sqat more than it did five years ago. I use other tools to replace Access.

In short, I'm pretty close to the point where I don't give a lick what anyone pro-Microsoft says, because I have open source alternatives that are converging RAPIDLY!

[Frumious Bandersnatch]

Uh Oh, now I have to watch out for the Borgs! Time to invest in tin foil head gear...

[ImaGraftedBranch]

70 before .NET. 72 with it. (www.systar.com)

[krinklyfig]

"A Windows Web server is more secure than a similarly set-up Linux server"

Well, since I have a clue what I'm doing, I don't set up my boxen like the ones in the study are set up. Therefore, to me this is irrelevant. My *nix machines have never been compromised, nor have my Windows machines, but I don't have to worry about the *nix machines or run anti-stuff (virii, spyware) on them. In contrast, I run anti-virus scanners on a *nix box to scan the a Windows machine and incoming mail, as it's easier to delete infected files that way, and the *nix machine doesn't get infected anyway. My firewall is pf running on OpenBSD, my servers are FreeBSD as is my workstation, though I run Linux sometimes as a workstation and server, and I keep Windows around for games and because my clients use it (otherwise, I could go without it). Changing to Windows servers, workstation and security tools would be a serious downgrade. Why would I want to do that?

[StJacques]

"70 before .NET. 72 with it. (www.systar.com)"

You're the one everyone should be listening to Branch, because your situation is the best "real world test" of cross-platform interoperability -- forget the hype, who else around here even comes close to the number of platforms and data source types you're dealing with every day. In spite of all claims to the contrary; Linux, Unix, OS2, and OS/400 all operate best in an incestuous environment in which machine choice is controlled. If you want to interbreed in the wider IT gene pool you have to have .NET. Your situation is the living proof.

[KwasiOwusu]

"Anyone who runs both of these OS's, Like MYSELF and several other professionals that have posted in this thread who definitely have fought these battles on a day to day basis and I have had one Linux box compromised in my whole career, but you almost can't keep the crud out of any Windows box without constant care, attention, 3 security scanners, update weekly or even daily, it just goes on."

Your claims are in direct conflict with the findings of this test.
Trouble is, I see boasts like yours about how "rock solid" the security of Linux is everyday at slashdot, without an iota of proof to back it up.
One thing everyone knows, the open source crazies lie through their teeth every single day with their boasts about so-called "rock solid" Firefox or Linux security, and how they never had a single security breach , or in your case just one security breach (yeah right) in their entire lives,, something that is not supported by the facts in real life.
I have posted a few threads on the huge security holes found in both Linux and Firefox on this board, only to have the same open source crazies who used to scream about "rock solid" security in Firefox and Linux, baxckpedal at great speed and claim they never said open source was super secure in the first place.
You just keep getting funnier by the minute.

[KwasiOwusu]

"I guess I need to support my assertion that Dr. Rashid wasn't the only person who worked on the Mach kernel"

Rick Rashid is still the one who is credited with developing the Mach multiprocessor operating system, which has been influential in the design of many modern operating systems and remains at the core of a number of commercial systems.
Of course most professors get some of the legwork done by their students in any research project.
That doesn't mean those students are credited with having invented or developed what was invented or developed.

Still doesn't explain your weird claim that:

"dalight: "The only University professor that I know who wrote a major operating system that enjoys any market share today is Linus Torvalds"

Does it?
You just keep lying and hope no one catches you out, don't you? Normal open source fanatic practice..

Ummm about Linus Torvalds being a professor like you claimed.. what university was that at again?

You don't have a clue what you are talking about do you?
You just keep making things up.

[ThePythonicCow]

As no doubt some others have noticed above, the title on this article is B.S.

This study shows that a certain Microsoft server gets fewer security patches, with shorter warning times, than a certain Linux server.

It is a flaming crock to say that makes the Microsoft server more or less secure. How secure a server is depends on how well it protects its contents from attacks, not the frequency and timing of the patches. Perhaps the Microsoft server has fewer patches because it is less buggy, perhaps because Microsoft combines multiple fixes into one patch, perhaps because Microsoft doesn't fix some of the bugs, perhaps perhaps. And perhaps the fixes come with less warning notice because Microsoft fixes things quicker, or perhaps because they hide things longer.

What's measured, the timing and frequence of fixes, simply does not tell you which is more secure.

It would be like a comparison of recall rates of cars, in the American and Chinese car markets, being headlined as a demonstration that American cars were more or less safe than Chinese cars. Recall rates don't determine safety, and the recall procedures in those two markets are likely quite different.

---

And the other thing wrong with this title -- the majority of readers will think Microsoft and Linux desktop software, as used on a typical home PC, or work desktop PC. They will think this because that's where the majority of people use Microsoft or Linux software.

It is misleading for the title not to state Microsoft server software and Linux server software.

It would be like a headline proclaiming that Toyotas are safer than Fords, only to read the article to find that they are talking about big rigs, not cars.

---

And a third thing - it's one particular example, this particular server versus that one, over a short period of time.

The bleeping headline gives no sense of how limited in scope the study is.

---

What we have here is yellow journalism, intended to sell papers (or in this case I guess web hits) by the headline. It has nothing useful to do with anything that I'm doing this month.

[dalight]

You know.. when you brought up the CMU (Carnegie-Mellon University) connection.. it got me to remembering a University Professor that I would trust to make a statement on Windows vs. Unix security. A CMU alum from before Dr. Rashid's time, who is credited as the Father of the Computer virus. At least he was the first to define the term "Computer Virus".

From Kosmoi.com

The term "virus" was first used in this sense in print by Fred Cohen in his 1984 paper Experiments with Computer Viruses, where he credits Len Adleman with coining it. However, a mid-1970s science fiction novel by David Gerrold, When H.A.R.L.I.E. was One, includes a description of a fictional computer program called "VIRUS" that worked just like a virus (and was countered by a program called "ANTIBODY"); and John Brunner's 1975 novel The Shockwave Rider describes programs known as "tapeworms" which spread through a network for the purpose of deleting data.

Now if Dr. Cohen would come out with a study saying Windows was more secure, then I would stand up and take notice. But, alas he probably wouldn't as he wrote an article comparing security for closed vs. open source software already (now a couple of years old still is pretty accurate)

And just by the way, Linus Torvalds did teach Computer Science at the University of Helsinki, he just never got his Piled Higher and Deeper before he decided to come to America to work for Transmeta.

[ThePythonicCow]

Still doesn't explain your weird claim that:

He's already corrected himself on this, and complained that you didn't notice his correction.

Either you can or won't read what is written by those responding to you.

I don't guess I care which.

[KwasiOwusu]

"but I don't have to worry about the *nix machines or run anti-stuff (virii, spyware) on them"

Yada yada yada.

We have had tons of security holes in Linux in the past 12 months alone, but we still keep seeing these boasts about "never had any security problems on my Linux box" from open source fanatics on this board all the time, something which is not backed up by the facts, as in this from your own open source loving slashdot:

"Security Holes Draw Linux Developers' Ire

Posted by timothy on Mon Jan 10, '05 07:01 AM from the quick-draw-me-an-ire dept. jd writes "In what looks to be a split that could potentially undermine efforts to assure people that Linux is secure and stable, the developers of the GRSecurity kit and RSBAC are getting increasingly angry over security holes in Linux and the design of the Linux Security Modules. LWN has published a short article by Brad Spengler, the guy behind GRSecurity and it has stoked up a fierce storm, with claims of critical patches being ignored, good security practices being ignored for political reasons, etc. Regardless of the merits of the case by either side, this needs to be aired and examined before it becomes more of a problem. Especially in light of the recent kernel vulnerability debated on Slashdot."

Time for (even) better security? (Score:5, Insightful) by moz25 (262020) on Monday January 10, @07:05AM (#11308973)
(http://www.backgroundsarchive.com/)
Given that I'm getting lousy uptimes on my Linux servers because of the mandatory kernel upgrades, I certainly welcome a (constructive) critical look at Linux kernel security. "

http://it.slashdot.org/article.pl?sid=05/01/10/035225&from=rss

More Linux security holes:
http://www.eweek.com/article2/0,1759,1612368,00.asp

http://www.eweek.com/article2/0,1759,1530811,00.asp

Doesn't exactly gel with your claims of rock solid Linux with just one security problem with Linux does it?

[ThePythonicCow]

Linus Torvalds did teach Computer Science at the University of Helsinki

But I suspect he started Linux well before he taught, and he has certainly continued to lead Linux development long after this teaching.

So it's not that a professor wrote Linux, but that a student started Linux (many of us have written it), and would later go on, for a little while, to teach at a University, while continuing to lead Linux development.