Security

WinInformant Says Windows More Secure Than Linux

Posted by timothy
from the ho-hum dept.
nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T : Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T : Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.
  • by Anonymous Coward on Monday February 04, 2002 @12:38PM (#2950563)
    The Slashdot crowd will never stand for this. I expect to see hypocrisy in full swing in about 30 seconds, with the zealots proclaiming bias. Never mind that they've consistently relied on SF for past predictions of MS's ineptitudes.
  • by mblase (200735) on Monday February 04, 2002 @12:39PM (#2950571)
    Does Windows have fewer security holes than Linux? Apparently so.

    Are they smaller holes -- that is, exposing less control of the system and less potential for damage? Probably not.

    The question becomes, then: would you rather be shot by a dozen BB pellets or a single shotgun blast?
  • by peripatetic_bum (211859) on Monday February 04, 2002 @12:40PM (#2950575) Homepage Journal
    Look, the obvious point about this should be that the reason Linux has more known vulnerabilities is that linux has always been very open about what is wrong with linux.

    As for MS, I only have to point to the major bug, that they knew about for weeks, but didn't let anybody know about!

    Now I'm not saying that Linux is more secure (as much as I would like to), but the data and the report based on it just make no sense if you think about how vulnerabilities are and are not reported.

    Thanks for reading!
  • by llamalicious (448215) on Monday February 04, 2002 @12:40PM (#2950579) Journal
    Well, that may be all well and good from a purely technical (or counting reported bugs) standpoint.

    But when you consider Microsoft's installed user base, there's just no comparison to how widespread MS is.
    It's a damn good thing there were fewer bugs reported for Windows, as with each one, the repercussions are far far greater.

    ~sigh~
  • Simply put, (Score:3, Insightful)

    by Andorion (526481) on Monday February 04, 2002 @12:40PM (#2950585)
    Simply put, the reason Windows systems seem more vulnerable is because SO MANY MORE people use them, and don't keep them patched. As a rule of thumb, someone running Linux at home knows what the term "security vulnerability" means and keeps his system up to date, where someone running Windows whatever doesn't.

    Of course, that's not the case in the server market. If you want to talk about worms, remember one thing - the ONLY reason Code Red and other such worms exist is because of the popularity of the Windows platform, on desktops and servers. Don't kid yourself for a second into thinking that the reason there aren't any widespread worms for *nix systems is because it's more secure.
    -Berj
  • How severe though? (Score:2, Insightful)

    by oregon (554165) on Monday February 04, 2002 @12:41PM (#2950589) Homepage

    Linux may have had more, but were they as bad?

    The IIS holes in 2K that allowed CodeRed to spread and the UPnP holes in XP which, luckily so far, have been pretty much unexploited were both buffer overrun holes which caused, or had the potential to cause, very serious worm outbreaks.

    Did Linux have anything on this scale?
  • by BRO_HAM (543601) <brah777@@@yahoo...com> on Monday February 04, 2002 @12:41PM (#2950590) Homepage
    Oh man, I can hear the keyboards typing right now. One thing you don't do to the Slashdot community on a Monday morning is call their OS less secure than Windows.

    On a side note, it's all about how you configure your OS. At this point, you can pretty much do the same thing with each OS from a security standpoint. It's all of the other software that usually does it - web server, DB server, application server, etc. But we all know this right?

  • by Victor Danilchenko (18251) on Monday February 04, 2002 @12:42PM (#2950606)
    What matters is not how many bugs there have been, but the total window of vulnerability per bug -- the time elapsed from the bug's discovery to the bug's closing. One really bad bug that remained open for a year is much worse than 10 bugs each remaining open for a week, you see.
  • by Prowl (554277) on Monday February 04, 2002 @12:43PM (#2950614)
    Exactly.

    Linux probably had a multitude of minor, rarely exploited vulnerabilities, whereas Win2K/NT had relatively few major holes.

    Holes that are still now being exploited.

    I'd be interested to see the amount of revenue lost due to Linux exploitation versus Win2K (taking market share into account of course).

    Sounds like poor data analysis...
  • flawed logic (Score:2, Insightful)

    by esme (17526) on Monday February 04, 2002 @12:43PM (#2950618) Homepage
    When you break the numbers down by Linux distribution, Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2.

    And this is exactly the kind of flawed logic that always creeps into these kinds of discussions: there is no "Linux" to compare with "Windows", there are only a bunch of distros. Totalling up all the holes in all the distros makes no sense at all.

    And when you compare Windows to a given Linux distro (much closer to a good comparison), Linux wins every time.

    -Esme

  • by dnoyeb (547705) on Monday February 04, 2002 @12:44PM (#2950625) Homepage Journal
    Today security is measured in how long it takes you to break into a box, and not if you can break into the box. So on the one hand, you can say Windows is much more bombarded and patched than Linux because so many "testers" are willing to "test" the security of Windows. But on the other hand, since security is measured in how long it takes to crack something, even though Windows may end up with fewer holes, the fact is there are more "hole seekers", which effectively reduces the security.
  • Re:Oh well (Score:0, Insightful)

    by IAgreeWithThisPost (550896) on Monday February 04, 2002 @12:44PM (#2950631) Homepage Journal
    Maybe then we shouldn't count the IIS and Outlook type bugs either then, eh? After all, they aren't really part of Windows (although, remember, IE is of course integral to the survival of the OS, so its bugs count).
  • by WIAKywbfatw (307557) on Monday February 04, 2002 @12:45PM (#2950646) Journal
    Surely it's not the number of vulnerabilities that either OS displays that's important but rather their severity?

    I mean, an exploit that requires the malicious party to have physical access to a machine and then only gives him access to one specific folder on a system is hardly as big a deal as one that gives a script kiddie sitting in his bedroom complete remote control of your corporate servers, allowing him to copy, overwrite and delete files, folders and hard drives at the click of a button?

    Let's try to compare apples and oranges here. Just because McDonalds has more restaurants than Michelin-starred ones it doesn't make the Big Mac a better meal.
  • by chancycat (104884) on Monday February 04, 2002 @12:46PM (#2950650) Journal
    One camp (Linux) is pretty open and honest about those holes.

    The other camp ain't. We do hear about some vulnerabilities out of Microsoft, but more often it's independent disclosure that opens our eyes. So, how many problems are left unaddressed, and unknown by all but the secret holders? Simple: we don't know.

    At least with open source I can look at the code.

  • by mblase (200735) on Monday February 04, 2002 @12:46PM (#2950651)
    The SecurityFocus charts [securityfocus.com] seem to say that in the last several years, WinNT/2K has had 2/3 to 3/4 the vulnerabilities of Linux -- all Linuxes combined, that is.

    When you break it down, however, Windows has been about equal to Red Hat and well above all the other Linuxes and Unixes in the chart.

    As a willing participant in the capitalist scheme, I don't care how secure everyone else's servers are -- just the one securing my stuff. The only thing this chart tells me is that if I want a secure server OS out of the box, I should start with Mandrake or Debian instead of Red Hat or Windows.
  • by blakestah (91866) <blakestah@gmail.com> on Monday February 04, 2002 @12:48PM (#2950671) Homepage
    You apparently didn't check out NTBugTraq. They simply added up vulnerabilities from different linux distros to come up with a high aggregate number. This is plain wrong because

    1) If a package has a security issue, usually all distros announce the security bug. Thus, the bug gets counted multiple times.

    2) Windows security bugs are all remote compromises, either email attachments, or remote roots. Over 90% of the linux security problems are local security issues.

    As another poster noted, this is a very poorly researched article.
  • bias (Score:3, Insightful)

    by Lord Omlette (124579) on Monday February 04, 2002 @12:51PM (#2950693) Homepage
    Bias isn't necessarily what annoys me. I would like to see more stories which foster discussion as opposed to sensational bullshit. Isn't there an interesting or nerdy or thought provoking or geeky news item that we can discuss? For fuck's sake, we know Microsoft sucks, we know 80% of Slashdot's traffic is from IE, we know we don't like .NET, we know Ballmer is a monkey, come on, let's talk about something (ANYTHING) else.
  • by KeyserDK (301544) on Monday February 04, 2002 @12:51PM (#2950697) Homepage
    So true =).

    Open source hasn't proven more secure than closed, as the theory about "given enough eyes all bugs are shallow" says.

    The one thing it gives though, is choice. For instance, I don't run rsync (see the recent security exploit) and I probably never will. Neither do mdk/rh by default (although a lot is certainly run by default). Even though rsync comes with mdk/rh.

    Frej Rasmussen.
  • by trandles (135223) on Monday February 04, 2002 @12:52PM (#2950702) Journal
    What about a breakdown of remote root exploits vs. local escalation of privileges exploits for Linux? It seems to me that most Linux vulnerabilities are of the latter kind and wouldn't give a remote cracker total control of your system, while most if not all of the Windows exploits leave your entire system open to remote takeover.
  • by John Harrison (223649) <[johnharrison] [at] [gmail.com]> on Monday February 04, 2002 @12:52PM (#2950704) Homepage Journal
    Is it a surprise that there were more vulnerabilities DISCOVERED for Linux than for Win 2K? How many people are looking over the source code of Win 2K for bugs? Now how many have access to the source code for Linux? It seems pretty obvious where you will find more bugs in the short term. Also, do you think that Microsoft "announces" any and all bugs that it finds internally or are these just bugs that were found outside of Microsoft? How easy is it to find these bugs in Windows without the source? How many more would be found if source code was available?

    In the long term Linux will have progressively fewer bugs/vulnerabilities due to its open source nature. Look at the numbers on the same chart for NetBSD. There were 9 vulnerabilities found in 2001, and 42 found in Win 2K. 54 for RedHat and only 2 for TurboLinux.

    Obviously everyone should switch to Turbo Linux.

  • Re:What?!? (Score:3, Insightful)

    by rhanneken (130840) on Monday February 04, 2002 @12:54PM (#2950733)
    Do the names "Nimda", "Code Red" and "I Love You" ring a bell?

    The fact that you can cite flaws in Windows security proves that Windows security is imperfect, not that Windows is less secure than Linux.

  • This is crazy (Score:1, Insightful)

    by forgeeks (470786) on Monday February 04, 2002 @12:55PM (#2950747) Homepage
    Okay, let's break it down:

    Linux by default includes:
    A mail server
    an FTP server
    a telnet server
    a web server
    a database server
    etc....

    Windows by default includes:
    A store receipt
    IIS maybe..
    ummm

    Okay, so what are they basing their study on? The same system setups? Are they comparing Postfix with Exchange Server or Sendmail with Exchange Server? MySQL with MSSQL or MySQL with Oracle? I don't understand this study, nor do I believe it. I think this study is biased and fixed. It is funny that this study is released as M$ releases the W2K rollup package to fix the broken/hackable files.

  • Re:Lousy research (Score:2, Insightful)

    by cyclist1200 (513080) on Monday February 04, 2002 @12:56PM (#2950752) Homepage
    "Also, the Windows announcements are for the OS itself only, while the Linux announcements cover programs that do not count as OS stuff under Windows."

    The funny thing is the journalists get all indignant when you point this out to them and ask them to throw in the security holes for IIS, IE, OE, Office, SQL Server, etc.
  • by PurpleFloyd (149812) <zeno20.attbi@com> on Monday February 04, 2002 @12:56PM (#2950755) Homepage
    If Linux had the marketshare of Windows, you can bet there would be lots and lots of scriptkiddies writing Code-Red style worms. Linux has had some pretty major security flaws in the past. Although they were fixed quickly, that doesn't mean that lazy or incompetent sysadmins will patch it right up. This leads to an opportunity for a Code-Red style worm, and if Linux had high marketshare, you can bet that it would have spread rather quickly as well.
  • by larsu (473425) on Monday February 04, 2002 @12:56PM (#2950757)
    Anyone remember Code Red? Nimda? I sure do. I still get 300+ scans a day from infected Windows boxen.

    Also, most linux vendor security announcements posted to Bugtraq are for add-on software not enabled by default. They are also announced by each vendor individually, and the author of the package. Most Windows announcements are about vulnerabilities in the OS (IE) or widely deployed packages (IIS, Outlook) from the author of the exploit (after secure@microsoft.com has ignored them).

    The entire article needs to be modded -1 flamebait.
  • by LightlyToasted (95756) on Monday February 04, 2002 @12:57PM (#2950762) Homepage
    I'm not convinced that "Windows has fewer security holes than Linux" just because there was a higher number of vulnerabilities reported. For the reported number to have any weight, there would need to be some consistency in how vulnerabilities are discovered and reported between Linux and Windows. On the discovery side, more eyes on open source code would tend to yield more discoveries, skewing the reported number. On the reporting side, Microsoft has a deserved bad reputation of denying and covering up security vulnerabilities in their products, which would lead me to speculate that they underreport their vulnerabilities, making a comparison useless. Moreover, the open source community has the opposite reputation - that of publishing vulnerabilities as they arise. Again, the results are skewed. I'm disappointed that a security site would perpetuate this flawed logic.
  • by victim (30647) on Monday February 04, 2002 @12:59PM (#2950777)
    Which OS has more security problems is an interesting question, but I would not use NTBugTraq's data to answer it for the following reasons...
    • Having one of the OSes embedded in their name immediately makes me wonder about bias.
    • They have an aggregate data column for `all linux distributions' where they overcount the same bugs. Despite breaking Windows OSes into two columns, they don't aggregate these together.
    • They do not attempt to quantify either theoretical severity of a problem or actual real world impact of the problem. The Linux community tends to have more bug reports for theoretical problems that are fixed before they are exploited.
    • The statistics from NTBugTraq have been stale since August. This is an abandoned site. I suspect anyone doing a serious analysis would start with current data.
    • It is possible that MS bugs are under reported. All Debian security bugs are fully reported by policy. Microsoft has a policy (recently at least) of suppressing minor bug reports and quietly fixing them.
    • Your typical Linux distribution is OS, plus OS utilities, plus all of the applications. Application level bugs will show up in the Linux distributions, but not in the Windows columns. Consider the recent rsync bug. That should be a bug for all of the major Linux distributions, but will not appear in the Windows column even though rsync can be installed and run on Windows. (This is an example, I have not verified that the bug affects Windows. I believe it does from the description. Don't flame me over this one.)

    So, how about we do a serious analysis? I'll put up a system that lets people rate the various bugs by severity along a couple of continuums. (Like theoretical impact and actual impact.) Then people can use this data to draw more accurate conclusions. If at least 10 people respond to this post, and two thirds of them think it is a good idea, I'll put one up and link it here.
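The counting objections raised in the posts above (Victor Danilchenko's point that the window of vulnerability per bug matters more than the raw count, blakestah's point that one flaw announced by several distributions is counted several times and that most Linux issues are local rather than remote, and victim's list) can be made concrete with a small script. The following is an added example, not code from this thread, from SecurityFocus or from WinInformant; the advisories, dates, bug ids and the remote/local weights in it are constructed sample values, not real NTBugTraq data.

```python
"""Added example (not code from the Slashdot thread, SecurityFocus or WinInformant).

Scores vulnerability advisories three ways so the difference between a raw
per-distribution sum, a count of distinct bugs, and an exposure-weighted
measure is visible on concrete data. Every advisory below is constructed
sample data; the bug ids, dates and weights are assumptions, not real records.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    product: str   # who published the advisory (a distro or a Windows version)
    family: str    # "linux" or "windows": the bucket an aggregate column would use
    bug_id: str    # shared by every advisory that covers the same underlying flaw
    vector: str    # "remote" (reachable over the network) or "local" (needs an account)
    disclosed: date
    fixed: date


# Constructed sample advisories. SAMPLE-0001 is one flaw in a package shipped by
# three distributions, so it produces three advisories; the Windows entries are
# single advisories each. All dates are invented.
SAMPLE = [
    Advisory("redhat",   "linux",   "SAMPLE-0001", "remote", date(2001, 1, 10), date(2001, 1, 12)),
    Advisory("debian",   "linux",   "SAMPLE-0001", "remote", date(2001, 1, 10), date(2001, 1, 11)),
    Advisory("mandrake", "linux",   "SAMPLE-0001", "remote", date(2001, 1, 10), date(2001, 1, 14)),
    Advisory("redhat",   "linux",   "SAMPLE-0002", "local",  date(2001, 2, 1),  date(2001, 2, 3)),
    Advisory("redhat",   "linux",   "SAMPLE-0003", "local",  date(2001, 4, 5),  date(2001, 4, 12)),
    Advisory("debian",   "linux",   "SAMPLE-0003", "local",  date(2001, 4, 5),  date(2001, 4, 8)),
    Advisory("win2k",    "windows", "SAMPLE-0004", "remote", date(2001, 3, 1),  date(2001, 5, 1)),
    Advisory("win2k",    "windows", "SAMPLE-0005", "remote", date(2001, 6, 15), date(2001, 6, 30)),
]

# Assumed severity weights: a remotely reachable flaw counts in full, a local
# one at a quarter. The numbers are illustrative, not a published scale.
VECTOR_WEIGHT = {"remote": 1.0, "local": 0.25}


def naive_count(advisories, family):
    """The 'all Linux distributions' style aggregate: every advisory counts once,
    so a flaw announced by three distros is counted three times."""
    return sum(1 for a in advisories if a.family == family)


def unique_count(advisories, family):
    """Distinct flaws in the family, regardless of how many vendors announced them."""
    return len({a.bug_id for a in advisories if a.family == family})


def per_product_unique(advisories):
    """Distinct flaws per product, the comparison the thread argues is fairer
    than family aggregates (one distro against one Windows version)."""
    seen = defaultdict(set)
    for a in advisories:
        seen[a.product].add(a.bug_id)
    return Counter({product: len(bugs) for product, bugs in seen.items()})


def weighted_exposure_days(advisories, family):
    """Sum over distinct flaws of (longest disclosure-to-fix window among the
    vendors that shipped it) x (vector weight). This is the 'window of
    vulnerability per bug' idea with a crude severity factor attached."""
    worst_window = {}
    weight = {}
    for a in advisories:
        if a.family != family:
            continue
        days = (a.fixed - a.disclosed).days
        worst_window[a.bug_id] = max(days, worst_window.get(a.bug_id, 0))
        weight[a.bug_id] = VECTOR_WEIGHT[a.vector]
    return sum(worst_window[b] * weight[b] for b in worst_window)


def summary(advisories):
    """All three measures for both families, as one dict."""
    return {
        family: {
            "naive": naive_count(advisories, family),
            "unique": unique_count(advisories, family),
            "weighted_exposure_days": weighted_exposure_days(advisories, family),
        }
        for family in ("linux", "windows")
    }


if __name__ == "__main__":
    for family, measures in summary(SAMPLE).items():
        print(family, measures)
    print(dict(per_product_unique(SAMPLE)))
```

On this sample the naive and unique counts differ only on the Linux side (6 advisories but 3 flaws), because the same flaw is re-announced by each distribution, while the per-product view gives Red Hat 3, Debian 2, Mandrake 1 and Windows 2000 2. The exposure measure inverts the ranking entirely, since the two Windows flaws are remote and stay open for weeks while the local Linux flaws are down-weighted and closed within days. None of this says which real OS was safer in 2001; it shows that the answer depends on the counting rule, which is the point the thread is arguing about.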
  • by oregon (554165) on Monday February 04, 2002 @12:59PM (#2950778) Homepage
    They exploited add-ons that IIS happened to use

    But are installed by default.

    No-one had to take any extra steps to install the indexing DLL to make themselves vulnerable to code red.

    It may not be part of the core webserver, but the indexing DLL is, to all intents and purposes, part of IIS.
  • by TobyWong (168498) on Monday February 04, 2002 @12:59PM (#2950780)
    The security of any OS lies in the skill of its admin. An idiot with a 2k box is no more secure than an idiot with a linux box and vice versa.
    Again, WinInformant, in a desperate attempt to seem like they aren't a bunch of toadies, has struck an "independent" blow against Linux's "security myth," by proving that more holes were found in Linux than in Windows.

    Well, duh. Linux is full of holes. But that's not WinInformant's problem. You see, each of those holes was cleared up in a matter of days and a patch was freely available. There were no egos and press releases claiming there are no holes. There were no programmers waiting around while Marketing decided the best colour for the patch's installation wizard. There was no downtime as millions of machines had to get the file from a single MS server because the patch's license didn't allow redistribution. There were no hours of wringing hands as sysadmins watched hackers pick off their boxes one by one because there's no workaround while the patch was built. There was no possibility for diving into the code and fixing it yourself; and if there was there'd be no way to release the patched DLL. Oh, and if a Linux machine was compromised, there was little chance of it polluting the entire network...because the bug affected less than 1% of the install base of that particular OS, and not 100%.

    Not to mention the reason that so many Linux patches were "found" rather than "discovered" is that bored sysadmins can sit around with sheets of source code, hoping to find a hole and make a name for themselves on BugTraq. With Windows...well, you'd better be good with BlackICE and ASM, because it's the only way you're finding the hole.
  • by Spencerian (465343) on Monday February 04, 2002 @01:01PM (#2950804) Homepage Journal
    What someone said--a primary security hole (something you drive side-by-side trucks through) is Windows applications. Visual Basic and, by extension, Outlook, are big culprits.

    But many of the things that make Windows insecure do extend to the OS level. Here on my Macintosh, my firewall is set to lock out IPs that try a NetBIOS check, as well as various port scans. It's also aware of the Code Red variants.

    My Mac OS (9 or X) ignores them. As with Linux, my OS doesn't know or care about NetBIOS.

    And OS X, as a better example for all the huff, is a *nix family OS--and still in its infancy compared to the older Linux distros and UNIX itself. A UNIX class OS is only insecure in the magnitude of Windows when we open up all the elements of the OS that are normally closed by default--permissions, certain root access, and so on. Therefore, you have to be a Raving Buffoon(tm) to set Linux or any *nix up for a fall.

    Windows' faults are inherent to perpetuate its market share as well as stupid coding. And now MS wants to "fix" it? Give us a break.
    /.
  • by prisoner-of-enigma (535770) on Monday February 04, 2002 @01:01PM (#2950808) Homepage
    Granted, you can look at the code, but do you? I run both Linux and Windows environments at our dev company, and I must say that the "hardening" list of things you must do to secure Linux and Windows is pretty much near the same length. In some cases, Linux is harder to secure because so many things lack documentation or have not been tested properly (if at all).

    While I have many bones to pick with MS, disclosure of bugs is a tentative one. On one hand, if they find a bug, don't tell anyone, fix it, then tell everyone, all in a short period of time, I'm all for it. If nobody (or very few people) knows about the exploit, the chances of me being hit by it are very small. The closed source prevents hackers from climbing all through the code and pre-emptively looking for bugs to exploit. This can be a Good Thing(tm), but it can also be a Bad Thing(tm) if MS finds an exploit, does nothing about it, and then a wily hacker exploits it.

    The ability to see the Linux source does me and my dev team little or no good. We are software developers and don't have the time to run through hundreds of thousands of lines of code looking for vulnerabilities. We don't have the time to try and understand poor documentation, conflicting requirements, and other pitfalls that can strike open source. I would go out on a limb and say that the vast majority of Linux users don't climb around in the code. Who has the time?
  • by Tom7 (102298) on Monday February 04, 2002 @01:02PM (#2950812) Homepage Journal

    Again, I find it disturbing how easily everyone shrugs this off as propaganda or something.

    Listen, everyone: Times are changing. Linux has gotten big and complicated, and is no longer automatically secure. Long gone are the Slackware days where you'd download a minimal kernel/utilities package and then compile only the apps you need, by yourself, and understand everything. Complex software has security problems, and the Linux community has done little but use the "lots of eyeballs" method to counter that. Microsoft software is also quite complex, and they have fewer eyeballs (I hope, though I am not sure), but they have publicly recognized the problem and are at least pretending to try to fix it. Microsoft also has a bunch of research into technologies for producing machine-checked code so that they don't even need lots of eyeballs. (I really wish that Linux had this too; see a related rant http://slashdot.org/comments.pl?sid=26315&cid=2851880 [slashdot.org] ).

    My Linux box has been rooted twice. I keep up to date on patches, I read bugtraq. My Windows box, also connected to the internet all the time (and getting a lot more use), has never been compromised through 95, 98, 2000, and XP. (I have been Winnuked, that's the worst thing that's happened.)

    I guess my point is: this is not something to laugh at. Some day soon, people will not think of Microsoft operating systems as crashy (already happening to an extent) and insecure (...), and then linux will have a much tougher sell to the average guy who doesn't care about Free Software. Instead of laughing smugly about an article like this, maybe we should be worrying?

  • by jazman_777 (44742) on Monday February 04, 2002 @01:05PM (#2950837) Homepage
    "Open source hasn't proven more secure than closed, as the theory about "given enough eyes all bugs are shallow" says."

    It's a great-sounding theory. It _could_ be true in reality, if everyone were perusing source code, but who really does? Now, some folks _have_ looked at the code for OpenBSD, so it's what I run at home.

    OTOH, open source is amenable to extremely quick fixes for exploits. Once a weakness is known, the eyeballs look at the code, and it gets fixed quickly. I hope. In other words, I don't really know, but it sounds like it's true, so why not promulgate another fine-sounding theory, heh heh.

  • by morcego (260031) on Monday February 04, 2002 @01:05PM (#2950839)
    Not only that.
    This kind of study doesn't see what is Linux and what is aggregated software. They say Linux and Windows, but I'm sure they don't include IIS.
    In any case, impact and severity must also be taken into account. Most Windows bugs are remotely exploitable, and give full control of the machine. Most Linux bugs are only locally exploitable, or only leak information.
    It's very easy to say that car accidents happen more often than plane crashes. Anyone care to count the casualties? Well, I'm not sure this is a good example, since car accident casualty numbers are, AFAIK, higher, but I think you get what I mean.
  • by alta (1263) on Monday February 04, 2002 @01:07PM (#2950848) Homepage Journal
    Ok, here's what I noticed. The SUM of all Linuxes put together had a higher bug count than Windows 2000.

    Now, how many people do you know that install Red Hat, then add to it all the security bugs in Caldera, Conectiva, Mandrake, Slackware, SuSE, and Turbo Linux?? None, that would be extremely difficult. This is akin to saying the Ford Taurus has fewer bugs than all of the Nissans put together, therefore it is a better product.

    Also, we are assuming that all bugs are created equal. Guess what, not so. Windows bugs have superpowers, faster than a speeding packet, stronger than a firewall, able to leap entire networks in a single bound! Linux security bugs take down processes, sometimes servers. Windows bugs take down Networks, or internets!!!

    But I'm sure they'll never get called on it, because their readership is windows users. They are preaching to the choir, and they will ignore us and our quest for accuracy.
  • by johnthorensen (539527) on Monday February 04, 2002 @01:09PM (#2950859)
    I was thinking to myself yesterday about how the nature of open-source lends itself to a lack of "talent auditing". Meaning, there **MAY** be a greater chance of bugs being introduced into an open-source project because the programmers are often not hired professionals.

    I would like to see a comparison in bug counts (say, per line of source code) between open-source projects supported by professionals (i.e. people trying to make money off of it, i.e. MySQL) and projects supported by weekend programmers.

    I just had an ironic thought. Since most open-source business plans revolve around providing support, would that make those companies want to introduce MORE bugs? :-P
  • by jcasey (264935) on Monday February 04, 2002 @01:09PM (#2950861)
    Take another look at the data [securityfocus.com] referenced by the article! It actually shows that Windows 2000 was one of the worst as far as security goes. The Linux aggregate score does not resemble any of the individual Linux distros mentioned. What I would like to know is, how did the author ever draw the conclusion that Windows 2k was more secure? And what was the point of comparing the score of an OS with an aggregate score? That makes no sense either!
  • Not True (Score:5, Insightful)

    by j7953 (457666) on Monday February 04, 2002 @01:13PM (#2950878)
    [...] To get the security problems for Linux, he adds all security announcements from each of the major distributions - completely ignoring that most of those announcements are for the same bug. [...]

    I can't connect to WinInformant, but if you look at the numbers available at SecurityFocus, you'll see that they did not simply add up the numbers. Linux is listed with 96 aggregated vulnerabilities for 2001, while e.g. Red Hat has 54, Debian got 28, and Mandrake got 36. There are more Linux distributions listed, but these numbers alone show that your claim is wrong (unless WinInformant has different numbers).

    You'll also see that Red Hat had 54 vulnerabilities while Windows 2000 had only 42.

    However, I'd still agree that the WinInformant article is badly researched (but please note that, as stated above, I've not read it, I only know the part that Slashdot quoted). The article claims that Windows is more secure "according to the reputable NTBugTraq," however, SecurityFocus does not make any claim concerning the security of either Windows or Linux, they just make the numbers available as a statistic. In other words, WinInformant doesn't have any source for their claims, they just found some more or less interesting numbers and made up a story.

  • by archen (447353) on Monday February 04, 2002 @01:15PM (#2950893)
    "Take this example: you have a highly competent NT/2K administrator (they do exist) and a pitiful *nix administrator."

    Every time someone brings this up I keep thinking it's sort of redundant. I guess, being a rather pitiful administrator in both respects, I find it easier to at least start locking down a Unix box (FreeBSD in my case). With Unix you can tighten a box up instantly just by looking through hosts.allow (and hosts.deny in Linux's case) - it certainly doesn't take a genius to figure out what's going on. By contrast Windows has a lot more to do with disabling services which (in my opinion) you're never sure what they do or if you need them. And sooner or later you'll end up fishing in the registry...

    To me Unix systems are easier to secure because security is a part of the system, and not an afterthought / "oh so we're getting bad press so we'll start an initiative" sort of deal.
  • Re:Simply put, (Score:5, Insightful)

    by Rupert (28001) on Monday February 04, 2002 @01:16PM (#2950894) Homepage Journal
    Lion and Ramen were two recent worms that attacked a bug in some versions of BIND on almost all unices. This would appear to be evidence against your theory that "no-one writes worms for *nix because of lack of market share".

    Find another excuse.
  • by Archanagor (303653) on Monday February 04, 2002 @01:16PM (#2950901) Homepage Journal
    Well, no offense, but: "Duh!" Of coruse alot more Windows-based machines were exploted. You've got 2 very good reasons for this:

    1) Wide distribution. Yep. Contrary to your belief, Windows is distributed more widely than Linux. So, of course more boxes will be hit.

    2) Idiot users. I mean, lets face it, There's a reason why most windows users aren't on Linux. They're morons! Anyone and I mean anyone that runs an attachment from someone they hardly know that's written in worse english than a retarded 7 year old would write deserves what they get. Unfortunantly, they're the reason the network was clogged with NIMDA. Code Red was more a result of wide spread use of IIS.

    Gawd, I'm sick and tired of the Linux bigotry around here. Linux is great and all, but I sure wouldn't want to join a group of the most closed minded bigots in the world, just to have the privilege of using a free OS that's actually pretty decent. I think I'll stick with Windows. Monopoly and all. You people are doing Linux a great disservice. Don't get me wrong, I like Linux, but it doesn't serve my needs as a desktop OS. Maybe instead of bashing MS someone could make it more useful for the masses?
  • by Srin Tuar (147269) <zeroday26@yahoo.com> on Monday February 04, 2002 @01:16PM (#2950902)
    Of course, that's not the case in the server market. If you want to talk about worms, remember one thing - the ONLY reason Code Red and other such worms exist is because of the popularity of the Windows platform, on desktops and servers. Don't kid yourself for a second into thinking that the reason there aren't any widespread worms for *nix systems is because it's more secure.

    Don't kid yourself. The various free o/s's are simply a harder target. They are more diverse, both across O/S's and distributions, and even within a distribution there are different configurations. On top of all that any individual box can be a totally custom system built from the source pool.

    There are countless email readers, multiple web browsers, all types of competing server daemons. When you take the Windows monoculture you simply don't find such diversity. The competing software is simply wiped out.

    It's a well-known and intuitive fact that monocultures are far more vulnerable to disease and parasites than a healthy diverse population.

  • Re:Simply put, (Score:4, Insightful)

    by mvdwege (243851) <mvdwege@mail.com> on Monday February 04, 2002 @01:20PM (#2950934) Homepage Journal

    It's funny how people back Security Focus when it talks about MS vulnerabilities, but once it mentions Linux, they are "Uninformed" or a variety of other things

    In a word: Bullsh*t.

    Securityfocus presented the numbers without bias, without commentary even. It is the MS shills that try to draw conclusions from these numbers, and one by one they take the aggregate Linux number, because it suits their agenda.

    However, that aggregate number is worthless to draw conclusions from. At most one could use the distro numbers to draw the conclusion that the average Linux distro ships with more (potential) vulnerabilities than Windows 2000. Of course, since the average Linux distro

    1. ships with more server software than Windows (multiple mail servers for example),
    2. has a habit of reporting all vulnerabilities, from local DoS to remote root,
    of course it will show more vulnerabilities.

    So, the numbers tell us nothing new, except that the MS apologists will grasp at any straw to discredit what little competition they have.

    Mart
  • Re:What?!? (Score:1, Insightful)

    by Aqua OS X (458522) on Monday February 04, 2002 @01:21PM (#2950938)
    Let's just put it this way. More people use windows, more people want to exploit windows... and at the very least, from a social perspective, windows is bound to be less secure.

    This last year the Windows community has really taken quite the widespread beating with viri (as usual). The Linux community has not. Less people use Linux, less people know what to do with Linux, less people hate Linux, less people wish to exploit it, and therefore less people are going to screw with it.

    No operating system is perfect and or totally secure, however the more you scrutinize something the more apparent its flaws become. The Windows operating system has a hell of a lot more people looking at it under the microscope...and that's an understatement. This, along with geek loathing and common software variables, is the reason why Windows is less secure. The widespread common viri are just the result of all of this BS, and in my mind they totally prove that Windows is less secure. This is the same argument that us Mac diehards have been spitting out for years.

  • Worse still (Score:5, Insightful)

    by Srin Tuar (147269) <zeroday26@yahoo.com> on Monday February 04, 2002 @01:22PM (#2950946)

    Windows security holes typically have exploits in the field, whereas Linux vulnerabilities are commonly released from code review - hence having no preexisting exploits (that are known and demonstrated). Some are in fact purely theoretical, and may have no use to a malicious user.

    So even if you keep on top of your Windows updates religiously, keep in mind that they are generally reactive. So there is always that window of vulnerability...

  • by Anonymous Coward on Monday February 04, 2002 @01:30PM (#2951010)
    The only reason Linux appears less secure is that holes were found and patched. That is what open source does - allows security holes to be found and fixed. Closed source means you know you have a hole after you've been assraped and you can't do anything about it. You just wait for the next hole to be found. Maybe eventually the closed source keeper will get around to patching it. Maybe not. It depends on how public the vulnerability becomes. A hole few people know about will never be patched.

    So yes the story is probably very true. Linux appears less secure but in the end who is more secure? You know I don't recall hearing very many blurbs about IIS holes recently... Maybe it's because anyone in their right mind isn't using it anymore.

  • I'll tell you why (Score:2, Insightful)

    by Jeff Knox (1093) on Monday February 04, 2002 @01:33PM (#2951039) Homepage
    I'll tell you what the flawed logic is. You can completely ignore the stats, and you can completely ignore direct comparisons. It all lies in the software. Most of the Linux vulnerabilities were for software that most people don't install, non-standard stuff. Like, bitchx exploits or exim exploits. Not everyone installs that by default. So this aggregated Linux number is basically exploits from the tens of thousands of pieces of software available for Unix systems. This is why it's flawed logic. Most of the Windows vulnerabilities are default install problems. They are standard with the OS. Even under the breakdown by Mandrake, that includes all software you find on the Mandrake CD. Not only software that is by default installed (under all install options even). If you include every piece of software that runs on the Windows platform, that was exploitable last year, I think you would get a number that would blow it out of water. On a side note, that's not even taking into consideration source is available for most of this Linux software, so it is easier to find more exploits. This is a good thing, not a bad thing. This just means they haven't found all the exploits yet, because they use closed source. Security by obscurity does not mean it's more secure :P
  • by 5foot2 (24971) on Monday February 04, 2002 @01:39PM (#2951084) Homepage
    BB's are copper. Old style bird shot was lead, current stuff is steel. Then there is buckshot and slugs of course. Then we get into the really cool shit, flechette rounds (a dozen or so finned steel darts), incendiary rounds (think of a ball of white hot fire coming out of the barrel of a 12-gauge. The round is for forestry work, setting backburns to fight fires), duplex rounds (for blowing deadbolts and hinges off doors). There are some really cool rounds for shotguns.

    I really think the incendiary rounds are the best for personal defense. I don't think someone would continue to fuck with you if you're shooting back at them with great big balls of white hot fire ;-)
  • Re:bias (Score:3, Insightful)

    by ichimunki (194887) on Monday February 04, 2002 @01:43PM (#2951108)
    I agree. The numbers from SF are purely for entertainment value only and the WinInformant site is Slashdotted (they must be running Windows, haha) so I have no idea what they said.

    If you look at the SF numbers for any given distribution of GNU/Linux, they are smaller than the Windows numbers. Also, the numbers don't take into account things like severity, remote vs. local, whether the package affected is a core component of a functional server, package redundancy (one bug in four different FTP servers on GNU/Linux vs. four bugs in IIS is not delineated), popularity of the package to the platform is not discussed, etc etc.

    And yes, I'm using IE to post this because Netscape seems to have proxy issues here at work, not because I want to.
  • by schon (31600) on Monday February 04, 2002 @01:44PM (#2951114)
    Yes, it's true, the *aggregate* linux number is huge, but some of the individual distros are higher than WinNT/Win2K

    Really? Which ones in particular?

    I looked at the page, and I see REDHAT as the highest number for all of the linux distros.

    This number is LOWER than the NT ones.

    So can you explain this sentence for the rest of us please?
  • by TobyWong (168498) on Monday February 04, 2002 @01:48PM (#2951131)
    10-14 new Linux exploits which don't apply to 95% of Linux users. I'm on the Debian security mailing list and almost every notice they send out is regarding a package I don't use (on a package heavy box even).

    Look at it this way, when you say "Linux exploits" you are not only talking about kernel issues and quality packages but every half-baked bit of code to come out of a college dormitory. If you include all the Windows shovelware in with those exploit numbers I venture to say that you would see a very different picture.
  • by jgerman (106518) on Monday February 04, 2002 @01:48PM (#2951139)
    I'm not sure I agree. How can you contrast a "security through obscurity" system like Windows to an open one like Linux? It's natural that more bugs are found and reported in Linux, but that says nothing about the number of existing bugs. In addition, having the bug known isn't always the sole indicator either: how long does the bug exist once it is known about? I'd like to see some sort of measurement based on "bug-hours" that measures not only the number of bugs but the summation of the time the bugs were exploitable.
  • by Jeppe Salvesen (101622) on Monday February 04, 2002 @02:03PM (#2951216)
    Let's be fair. Some of the malicious hackers are extremely good. Do source code peer reviews improve security? If the guy reviewing the code is dumber than Mr. Evil Hacker, then he might leave open an exploit for Mr. Evil Hacker to enjoy and abuse.

    With closed source, Mr. Evil Hacker will need to spend more time discovering the inner workings of the software than he will with open source.

    So - will he then produce more exploits running through open source software grepping for common starting points for exploits than he will when dissecting closed source programs?

    Remember - at any moment, the black hat community knows about exploits the rest of us don't know about. No computer has yet been classified as formally secure (to the best of my knowledge). We could all be at risk.
  • by FreeUser (11483) on Monday February 04, 2002 @02:07PM (#2951227)
    Exactly right.

    These numbers only reflect that GNU/Linux is more open and public in reporting its bugs than Windows, which is not surprising given Bill Gates & Co.'s efforts to suppress information about existing bugs in their operating system (the rightly ridiculed notion of achieving security through obscurity).

    There is absolutely no correlation between number of bugs reported and number of bugs existing, be they security related or not. This is doubly true when one party (Microsoft) is actively working to suppress such information about their own products.

    The incompetence of the author writing this story, and of the Security Focus editorial staff for letting it through, is staggering. With this kind of security "expertise" is it any wonder at all that Nimda worms and the like run rampant across the net?

    Indeed, if one wants to draw correlations (always a risky endeavor without corroborating evidence) it would make far more sense to correlate the percentage (vs. installed base) of demonstrably compromised systems running one operating system vs. another. As Code Red, Nimda, etc. have demonstrated, Microsoft's products win this one hands down. Indeed, in this case there is massive corroborating evidence to back up the conclusions of such a correlation ... years of it, all in the public record.
  • by mikemulvaney (24879) on Monday February 04, 2002 @02:13PM (#2951240)
    Secondly, I'm constantly amazed at how people mis-read our stats page. The Linux aggregate stats are the total of all unique bugs across all the various distributions we track

    I thought this was probably true, but I could not confirm it until I manually added up the bugs for a given year. Maybe you could explain the terms a little better on the page itself?

    Regardless of anything else, using these number to declare that one thing is more secure than another is a mistake.

    That sounds like another piece of advice that should be on the stats page, not buried in a Slashdot comment. It's unfortunate that someone misinterprets your statistics and publishes a misleading article every 6 months, but I can't help but wonder why you don't take proactive steps to help people understand the meaning of your web page.

    -Mike

  • by jamwt (220439) <jamwt AT jamwt DOT com> on Monday February 04, 2002 @02:49PM (#2951332) Homepage

    Worms thrive on total volume, not specifically servers.

    Umm... Can you really think of a more damaging worm lately than Code Red?

    Did it need clients/volume? Or just the 2X% of NT/2K servers out there unpatched?

  • by Nurlman (448649) on Monday February 04, 2002 @02:57PM (#2951395)
    The argument that "Linux has a smaller installed base, so its security holes are less important" sounds like a paraphrasing of the old "security through obscurity" canard.

    After all, aren't you really saying that those security flaws are less critical because script kiddies and crackers are less likely to come across a Linux box than a Windows one?
  • by SilentChris (452960) on Monday February 04, 2002 @02:58PM (#2951409) Homepage
    "These questions seem to me more important than pure quantity and should be taken into account when building a threat assessment of a system."

    Oh please. This is the same Slashdot that touted 30K bugs for Windows 2000 (like every other major tech publisher) regardless of the fact that the bugs were not known and many were probably "We spelled "maximize" wrong here".

  • by MattW (97290) <matt@ender.com> on Monday February 04, 2002 @03:04PM (#2951461) Homepage
    It gets worse than that. Let's consider:

    Most bugs that show up for Red Hat or any other Linux distribution will NOT affect a well-secured machine in the first place. If you plan, for example, a standard web or database server, you're only going to permit ssh and apache or ssh and your brand of sql. How many vulnerabilities in the past year have been on those services? Practically none. Only 1 in ssh, and there was AMPLE warning to get patched before exploits were in the wild. The majority of bugs are for packages not often deployed, or not relevant to a server system where there is no user access.

    Meanwhile, an enormous number of these Linux bugs are irrelevant on a firewalled system, never mind the incompetency of sysadmins. A firewall will protect your X font server or your installed-by-default nfsd/statd, but Microsoft has had many high-profile, extremely-widely-abused holes in a server's primary services (IIS, MS-SQL, etc).

    Anyhow, trying to say these statistics show that NT is more secure than Linux is not only irresponsible but absurd.
  • by broter (72865) on Monday February 04, 2002 @03:08PM (#2951482) Homepage Journal
    You're right about the pedestrian installs being way too feature filled; however, I'd like to point out the obvious caveat that Windows* does this as well. Very often the options added in Windows* are poorly documented, if at all, so you get into much the same situation as a newbie Linux user w/o an experienced Linux friend to ask. What do you deinstall? What do you keep?

    Personally, I'd like to see a more OpenBSD like install for all the consumer products. Although the user would have to work a little harder to get what they want, they would (presumably) learn a bit more about the system. If that fails, then they would at least have to admit liability for braindead configurations (er... most of em).
  • by berzerke (319205) on Monday February 04, 2002 @03:09PM (#2951493) Homepage

    Deciding which OS is more secure just by looking at the number of bugs is not the right way to decide things. As usual, there's an easy way, and then there's the right way.

    First, let's assume the numbers are honest, and not double counted, as has been done before. (One reporter in the past took the numbers for Linux in general, then took the numbers for a distribution, then ADDED them together to get his final number of bugs. Too bad most were double counted.) Not all bugs are the same. First, how severe is it? A bug that allows complete takeover of your system just by connecting to the internet (Universal Plug and Play anyone!) is not the same as an exploit in some little program nobody runs and those who do run it don't run it as root and run it in a chroot environment.

    Second, how quickly is the bug patched? If you can't patch the hole for months because the vendor doesn't put out a patch, that's a different level of security than if you can patch the hole the next day. Third, does the patch fix problems or create them (NT SP2 anyone!).

    Finally, are we comparing apples to apples? Most Linux distributions come with much more software than a Windows CD. Not all of that software gets installed. Are we comparing a Linux system with just the equivalent software a Windows CD comes with? That can make a big difference in the bug numbers.

  • by TechnoLust (528463) <kai.technolustNO@SPAMgmail.com> on Monday February 04, 2002 @03:13PM (#2951515) Homepage Journal
    Securityfocus is the definitive site for security news. To say the numbers are "purely for entertainment" is the most ridiculous thing I've ever heard. You only proved your ignorance later in the post when you said, "the WinInformant site is Slashdotted (they must be running Windows, haha)" when OBVIOUSLY this would have more to do with their BANDWIDTH than their OS. I know I'll get modded down for posting this, but I don't care. I hate to see people discount anything that doesn't agree with their opinions. Oh, and I run Windows NT at work, Windows 2000 and Mandrake 8 at home. I love Linux, but I love MS more for some things (games, word processing, etc.)
  • by berzerke (319205) on Monday February 04, 2002 @03:20PM (#2951554) Homepage

    Another note from bugtraq that will really push the numbers in favor of Windows. I quote: "* There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers." MAY?!?!? More likely WILL.

    So let's see. IE vulnerabilities aren't counted. There goes the fairness in the numbers right there. Was IIS counted?

  • by MrResistor (120588) <peterahoff AT gmail DOT com> on Monday February 04, 2002 @03:34PM (#2951635) Homepage
    Well, that may be all well and good from a purely technical (or counting reported bugs) standpoint.

    It isn't, though. Even the counting method used in the article is flawed. As mentioned in several other posts, package bugs are often listed for each distro that uses that package, so a single bug could easily be counted multiple times (and, in fact, this is the case since the article is based on the Linux aggregate, which simply counts the number of bugs reported on all Linux lists and adds them together).

    Even at the most basic level, the article is FUD. The fact that this article was published without the editors checking even basic facts (like, for example, the fact that NTBugTraq is not hosted by SecurityFocus) certainly casts WinInformant in a bad light, and I will definitely take any information I get through them in the future with a large grain of salt.

  • Re:Statistics.... (Score:4, Insightful)

    by IntlHarvester (11985) on Monday February 04, 2002 @03:37PM (#2951657) Journal
    Let's keep in mind that Linux users who find bugs or issues are far more likely to report them, document them, publicize them, and share them.

    Good point, but it would be better if you took it out of the context of the "users" and put it in the context of the developers. It works out more like this:

    Open Source Project X Developer (who may well be on someone's payroll) finds a previously unknown security bug. He patches the bug and informs Red Hat and other distro vendors, who then issue a security bulletin. One strike against Linux in the security count.

    Meanwhile Microsoft Product Y Developer finds 100 unknown security bugs in his big February cleanup period. They are all rolled into service pack 3. Microsoft issues a bulletin recommending all customers upgrade immediately. Zero strikes against Microsoft.

    So you are counting ALL security bugs on the Linux side versus only publicly reported security bugs on the Windows/Solaris/whoever side.

    (Furthermore, it seems nobody considers local root exploits on Windows to be that big of a deal. I remember when RedHat put out multiple advisories for vi, joe, ed, and a bunch of other editors for a temp file vulnerability. [You'd think that "ed" would be rock solid by now...] Would that sort of thing even be considered a bug on the Windows side?)
  • by Anonymous Coward on Monday February 04, 2002 @03:40PM (#2951674)
    Open Source projects use the public internet to keep everyone well informed of software weaknesses and we're not afraid to keep doing that because it makes the software stronger.

    Besides the fact that it is unfair to count 6 releases of Red Hat as one OS and not count NT and Win2k as one release over the same period, the initial period for a Linux distro is going to bring issues to the surface; that is part of the process.

    The Linux bug finders are, as a rule, supported, appreciated and recognised in the open source community as pioneers. Their findings are widely shared and listened to -- I'm glad you can find the reports.

    The Windows bug finders are threatened, hushed, denied information, ignored and actively discouraged. Furthermore any recovery data is typically hoarded till a shiny executable can be sent out in a subdued and 'professional' manner when it won't embarrass Microsoft.

    Where would you rather be???

    I'll take linux any day.
  • by Fjord (99230) on Monday February 04, 2002 @03:41PM (#2951679) Homepage Journal
    This really isn't a badge that Linux can hide behind. Many people, myself included, would like to see linux replace Windows as the mainstream OS. It's hard to say you should switch to linux because it isn't mainstream. If everyone did switch, then it would be mainstream and thus more targeted.

    That said, however, I also think that this report is exaggerated because of the whole same bug-different distro thing, the bugs in packages that aren't common for anyone to use (and you can't use a root exploit on a package you don't have), plus the fact that I would assume that open source projects would have more security bug reports than closed source ones because it is easier to find them with the source.
  • by Mojo Geek (28926) <bpatrick@itpatrick.net> on Monday February 04, 2002 @04:52PM (#2952121) Homepage
    I'm confused here. Is IE just an application or "subcomponent" of a MS operating system? That's not what they've been arguing in court. They say they've "integrated" it with the operating system, that it's an "integral part"! They even went on to argue (unsuccessfully) that the operating system cannot function without it.

    And why does which ever answer I get smell like an Enron balance sheet?
  • by Shads (4567) <shadus.shadus@org> on Monday February 04, 2002 @05:04PM (#2952160) Homepage Journal
    ... is when a Windows exploit comes out, it affects most Windows systems in operation. When a Linux exploit comes out (proftpd, apache, etc) it rarely affects all the systems in the field. I know about 90% of the bugs that show up in bugtraq and elsewhere don't apply at ALL to my system because I don't run those daemons. Whereas in Windows... how many people DON'T run ActiveX scripting or disable JavaScript in Outlook?
  • by Malor (3658) on Monday February 04, 2002 @05:36PM (#2952323) Journal
    I posted a couple years ago on this topic. My hypothesis at the time was that Open Source would show more bugs for quite some time, as people poked through the code, but would gradually settle down and become very secure. I also believed that Windows vulnerabilities would continue to be discovered at a more or less constant rate.

    The jury is still out.

    The SecurityFocus statistics broke in August, 2001, per their web page, so one has to extrapolate the partial 2001 total to get the projected total for the year.

    In that extrapolation, one sees that the expected number of bugs (assuming the 96 reported bugs cover through the end of August) would be 144. There were 153 the year prior, which is likely well within the margin of error. In addition, many of the black hats have STOPPED REVEALING their exploits, so in fact there may be many more than what we see.

    Now, it's worth pointing out that this is not necessarily a good measurement of security. We may be measuring the wrong thing.

    An example of bad measurement is the one the government used to determine how many cod were left out in the ocean, to prevent overfishing. Year after year, the catches were about the same, so the government assumed that the fish stocks were constant. But suddenly there were no more fish -- the industry collapsed.

    Why? Because they were measuring the wrong thing. They weren't measuring the total number of fish, they were measuring the fish that were caught. They didn't realize, as the fish stocks dwindled rapidly, that the fishers were getting newer and better technology to fish with. The total number of fish coming out of the water was constant -- but as a fraction of the total fish in the water, was going up very quickly. Eventually the fish were all but wiped out.

    Measuring security by bugs reported is very similar. It may or may not reflect the number of bugs in the 'ocean'. It is an indirect measurement at best.

    We need to differentiate between fish 'caught' and fish 'available'. From a security perspective, I think we are talking about TRUE security (the number of fish in the water) versus FUNCTIONAL security (the number of fish actually being caught).

    Now, as security people, our goal is to reduce the fish catch as much as possible. There's two ways to do this; we can reduce the number of fish, or we can somehow control, limit, or damage the profession of fishing.

    The real professionals are trying to reduce the number of fish in the water. That's the true long-term solution. But from a short-term perspective, what I care about personally is how many fish are CAUGHT. Every time they come up with a new exploit, I have to run around like a maniac patching systems.

    However, the fishing analogy starts to break down, as most do eventually. Truly secure systems are still run by people, and people make mistakes. Even if the OS is perfect, the attack will often come against the weakest link, the employees. Thus, even though I would prefer to have true security, I have to argue that it isn't really necessary. The OS just has to be stronger than the other avenues of attack. ("Why are you putting on tennis shoes? You can't outrun a bear!" "I don't have to. I just have to outrun you.")

    Security through obscurity, in other words, may be adequate for most uses. It slows down the rate of fish catching. If nobody discovers the bug until the next version of the OS is out, the bug is less important. The longer it takes to discover the bug, in general, the less damage it will do -- at least as long as we're on the upgrade treadmill.

    But, a counter-argument to that just occurred to me: Security through obscurity may be long-term counter-productive -- making it hard to catch fish may have the effect of increasing the fish supply. Every time a fish is caught, it can't breed, and reduces the total population by that much. Likewise, in code, once a vulnerability is discovered, many related vulnerabilities may also be patched. Thus, security through obscurity may work well for a long time, but may actually be making the fundamental problem worse.

    Another observation I have to add is that programmers like to create new programs. Very few of them like to audit code. New projects and programs are being added to the Open Source world at an amazing speed, and I don't think they're being stringently audited. In other words, they're adding to the fish stocks every day. There is no QA department in Open Source, and the code is getting more complex than individual people can understand anymore. I think, unless we come up with a better development method, Microsoft's ability to fund a billion dollar a year QA department is likely to reduce their fish count below that of Open Source.

    So I think I will need to expand on my original hypothesis. I now believe that Open Source will probably lag behind closed source in terms of FUNCTIONAL security. In terms of TRUE security (absolute number of exploitable bugs, known or unknown) -- there's no easy way to tell. If catching fish reduces the fish supply, and if the programmers don't add too many new fish, eventually Open Source will start winning. But if Microsoft's QA department does a good job with their nets and lures, their fish supply may drop just as fast or faster. Money is definitely a good way to motivate people, and Microsoft has a lot of it.

    It's also worth pointing out that even if things are getting more secure, the catch rates may be roughly constant, because presumably the crackers will get better and better, catching a higher and higher percentage of the fish. If the analogy holds, and I suspect it may, then eventually the fish stocks will be exhausted and the black hats will be very suddenly unable to crack machines anymore.

    It's going to take at least five more years to know -- and twenty might be a more reasonable time frame. It took a long time to wipe out all those billions of cod. It may take just as long to wipe out the pool of security flaws.

    <<RON>>
  • What the fuck, chuck? So what? I don't care if the thing is running SupaOS/Linux/HP-UX et al. Put Google on a T1 and it too will dry heave and puke. I don't suspect that Any Old Bush League site is equipped to get about 40,000 hits in a 2 hour period.

    It has nothing to do with it being IIS or Tux or Apache or anything.

    But you already knew this, and just got lucky that some zealot with moderation points fell for the Typical Windows Slam. Don't think I'm slamming you. It's not like you modded yourself up, so my beef isn't with you. It's with the Fanatics.
  • by Astralmind (120317) on Monday February 04, 2002 @07:07PM (#2952715)
    Please change the way in which stats are reported. IIS, IE, Index Server, and the like all ship now with Windows 2000/XP just like Apache and WuFTP ship with most Linux distros. Since this is the case, those security flaws are also security flaws in Windows 2000/XP in much the same way that Apache, WuFTP and other packages' security flaws are being reported with Linux distros.

    Thank You.
  • by bogado (25959) <bogado@@@bogado...net> on Monday February 04, 2002 @07:19PM (#2952759) Homepage Journal
    Since Linux usually comes with many more packages than Windows, all those packages are accounted for as security bugs, but they are not used by many people. And since Red Hat has a policy of not starting servers by default, even if you actually installed a package that has a bug, it will not affect you unless you have started it yourself (which means that you at least have an idea of what you're doing).

    Windows, on the other hand, comes with very few servers bundled and they are all on by default (as far as I know, I'm not a Windows expert). And even worse, the security bugs are usually in packages that are vital to the work the machine is supposed to be doing. I can make, and I bet many people do, a server machine without a font server, but I can't take out (or firewall) the server itself from the machine.
  • by swillden (191260) <shawn-ds@willden.org> on Monday February 04, 2002 @07:43PM (#2952847) Homepage Journal

    Nice post.

    One additional idea to consider, one which I'm unfortunately not creative enough to fit into your analogy.

    The idea is the "window of vulnerability". You say that as a sysadmin you want to see less fish caught because that means you don't have to run around patching as often. Running around patching is bad, but getting rooted is worse, so if fish are going to be caught, we want the good guys to catch them first, because the bad guys prefer to gill-net them and leave them underwater as long as possible (okay, there's my lame attempt to keep the analogy going).

    I would argue that the good guys aren't generally willing to fish as deep as the bad guys, but there are more of them and they share. The bad guys (some of them, anyway) are willing to work harder, but they keep their catch to themselves. In an open source world, the fish are shallower and easier for both sides to catch which seems likely to help the good guys more than the bad guys.

    As you point out, though, this is all theoretical, and it will take years for the hard data to become available.

  • Zealotry (Score:3, Insightful)

    by underpaidISPtech (409395) on Tuesday February 05, 2002 @06:03AM (#2954387) Homepage
    Just to cut through the FUD on both sides here:

    Paul: Fuck You. You don't know shit. How's the page views today? That's what I thought.

    CmdTaco: Stop feeding the trolls. This guy just made $x money because you decided to link to his crappy site. Now everyone is here literally frothing at the mouth. If this was real life someone would've been stoned to death by now or branded a witch. Is /. a tabloid now?

    Everyone:
    Lies and statistics. August 2001 huh? So the stats were last compiled just after Code Red, but not since Code Red II, not since the UPnP fiasco, not since the most secure Windows OS ever? Nice to see "journalists" grouping distros together on the basis of which *kernel* they use. If you want to assess the security of *Linux* then only focus on exploits that compromise the kernel. If it's just another BIND or wuFTP vulnerability, count it just once for "OSes that use that GPL'd kernel*" *note: packages included with each distro are not uniform across platforms. Not all Linux distros are alike.

    But that is rational and fair, and we can't have that can we? No. We need to increase page views and banner hits, we need to convince so-and-so in management that *OS-not-right-for-the-job* is the right tool for the job.

    Windows on the desktop and *nix in the server room; the Buddha smiled and farted. And God said "It is Good".
  • by LinSux (554676) on Tuesday February 05, 2002 @01:23PM (#2956222) Homepage Journal
    Another closed-minded Linux Zealot. The kind I bitch about all the time.

    Pull your head out of your ass, Moron. Linux is just a play-toy. If they actually made a halfway decent and usable desktop OS it'd actually be a worthy competitor. MS has no real competition. It's a monopoly by choice. And if you could see more than 2 inches in front of your own pimply face, you'd see that.

    Read the sig. Friggin moron!
