WinInformant Says Windows More Secure Than Linux 935
nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T : Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T :Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.
This, of course, will be ignored and ridiculed (Score:1, Insightful)
Define "more secure" (Score:3, Insightful)
Are they smaller holes -- that is, exposing less control of the system and less potential for damage? Probably not.
The question becomes, then: would you rather be shot by a dozen BB pellets or a single shotgun blast?
Less because MS doesnt tell (Score:5, Insightful)
As for MS, I only have to point to the the major bug, that they knew about for weeks, but didn't let anybody know about!
Now Im not saying that linux is more secure (as much as i would like to) but the data and report based from it, just makes no sense, if you think about how vulnerabilties are and are not reported
Thanks for reading!
From a technical standpoint. (Score:4, Insightful)
But when you consider Microsoft's installed user base, there's just no comparison to how widespread MS is.
It's a damn good thing there were less bugs reported for Windows, as with each one, the repercussions are far far greater.
~sigh~
Simply put, (Score:3, Insightful)
Of course, that's not the case in the server market. If you want to talk about worms, remember one thing - the ONLY reason Code Red and other such worms exist is because of the popularity if the windows platform, on desktops and servers. Don't kid yourself for a second into thinking that the reason there aren't any widespread worms for *nix systems is because it's more secure.
br -Berj
How severe though? (Score:2, Insightful)
Linux may have had more, but were they as bad?
The IIS holes in 2K that allowed CodeRed to spread and the uPnP holes in XP which, luckily so far, have been pretty much unexploited were both buffer overrun holes which caused, or had the potential to cause, v.serious work outbreaks.
Did Linux have anything on this scale?
There goes the Slashdot Neighborhood (Score:2, Insightful)
On a side note, it's all about how you configure your OS. At this point, you can pretty much do the same thing with each OS from a security standpoint. It's all of the other software that usually does it - web server, DB server, application server, etc. But we all know this right?
Number of bugs is the wrong metric! (Score:3, Insightful)
Re:but which were more severe? (Score:3, Insightful)
linux probably had a multitude of minor, rarely exploited vulnerabilities, whereas win2K/NT had relatively few major holes.
holes that are still now being exploited.
id be interested to see the amount of revenue lost due to linux exploitation versus win2K (taking market share into account of course).
sounds like poor data analysis...
flawed logic (Score:2, Insightful)
And this is exactly the kind of flawed logic that always creeps into these kinds of discussions: there is no "Linux" to compare with "Windows", there are only a bunch of distros. Totalling up all the holes in all the distros makes no sense at all.
And when you compare Windows to a given Linux distro (much closer to a good comparison), Linux wins every time.
-Esme
Yes and No--Security is time (Score:1, Insightful)
Re:Oh well (Score:0, Insightful)
Quality vs Quantity (Score:3, Insightful)
I mean, an exploit that requires the malicious party to have physical access to a machine and then only gives him access to one specific folder on a system is hardly as big a deal as one that gives a script kiddie sitting in his bedroom complete remote control of your corporate servers, allowing him to copy, overwrite and delete files, folders and hard drives at the click of a button?
Let's try to compare apples and oranges here. Just because McDonalds has more restaurants than Michelin-stared ones it doesn't make the Big Mac a better meal.
You mean KNOWN vulnerabilities, right? (Score:2, Insightful)
The other camp ain't. We do hear about some vulnerabilities out of Microsoft, but more often it's independent disclosure that open's out eyes. So, how many problems are left unaddressed, and unknown by all but the secret holders? Simple: we don't know.
At least with opensource I can look at the code.
Linux as a whole, or just MY Linux? (Score:3, Insightful)
When you break it down, however, Windows has been about equal to Red Hat and well above all the othe Linuxes and Unixes in the chart.
As a willing participant in the capitalist scheme, I don't care how secure everyone else's servers are -- just the one securing my stuff. The only thing this chart tells me is that if I want a secure server OS out of the box, I should start with Mandrake or Debian instead of Red Hat or Windows.
Re:Define "more secure" (Score:5, Insightful)
1) If a package has a security issue, usually all distros announce the security bug. Thus, the bug gets counted multiple times.
2) Windows security bugs are all remote compromises, either email attachments, or remote roots. Over 90% of the linux security problems are local security issues.
As another poster noted, this is a very poorly researched article.
bias (Score:3, Insightful)
Re:This, of course, will be ignored and ridiculed (Score:4, Insightful)
Open source haven't proven more secure than closed, as the theory about "given enough eyes all bugs are shallow" says.
The one thing it gives though, is choice. For instance, i dont run rsync(se recent security exploit) and i'll probably never do. Neither will mdk/rh pr. default (Allthough a lot is certainly run by default). Even though rsync comes with mdk/rh.
Frej Rasmussen.
Remote Vs. Local exploits (Score:2, Insightful)
Open source nature of Linux (Score:5, Insightful)
In the long term Linux will have progressively fewer bugs/vulnerabilities due to its open source nature. Look at the numbers on the same chart for NetBSD. There were 9 vulnerabilities found in 2001, and 42 found in Win 2K. 54 for RedHat and only 2 for TurboLinux.
Obviously everyone should switch to Turbo Linux.
Re:What?!? (Score:3, Insightful)
The fact that you can cite flaws in Windows security proves that Windows security is imperfect, not that Windows is less secure than Linux.
This is crazy (Score:1, Insightful)
Linux by default includes:
A mailserver
an ftp serer
a telnet server
a web server
a database server
etc....
Windows by default include:
A store receipt
IIS maybe..
ummm
okay so what are they basing their study on? The same system setups? Are they comparing postfix with exchange server or sendmail with exchange server? Mysql with MSSQL or MySQl with Oracle? I don't understand this study, nor do I believe it. I think this study is biased and fixed. It is funny that this study is released as M$ releases the W2K rollup package to fix the broken/hackable files.
Re:Lousy research (Score:2, Insightful)
The funny things is the journalists get all indignant when you point this out to them and ask them to throw in the security holes for IIS, IE, OE, Office, SQL Server, etc.
Re:but which were more severe? (Score:5, Insightful)
What about the last half of 2001? (Score:3, Insightful)
Also, most linux vendor security announcements posted to Bugtraq are for add-on software not enabled by default. They are also announced by each vendor individually, and the author of the package. Most Windows announcements are about vulnerabilities in the OS (IE) or widely deployed packages (IIS, Outlook) from the author of the exploit (after secure@microsoft.com has ignored them).
The entire article needs to be modded -1 flamebait.
Re:Define "more secure" (Score:3, Insightful)
It is an interesting question - and a proposal (Score:3, Insightful)
So, how about we do a serious analysis? I'll put up a system that lets people rate the various bugs by severity along a couple of continuums. (Like theoretical impact and actual impact.) Then people can use this data to draw more accurate conclusions. If at least 10 people respond to this post, and two thirds of them think it is a good idea, I'll put one up and link it here.
Re:sircam, code red, nimda (Score:3, Insightful)
But are installed by default.
No-one had to take any extra steps to install the indexing DLL to make themselves vulnerable to code red.
It may not be part of the core webserver, but the indexing DLL is, to all intents and purposes, part of IIS.
The security of any OS lies... (Score:5, Insightful)
Wow, talk about your slashdot fodder... (Score:5, Insightful)
Well, duh. Linux is full of holes. But that's not winformant's problem. You see, each of those holes was cleared up in a matter of days and a patch was freely available. There were no egos and press releases claiming there are no holes. There were no programmers waiting around while Marketing decided the best colour for the patch's installation wizard. There was no downtime as millions of machines had to get the file from a single MS server because the patch's license didn't allow redistribution. There were no hours of wringing hands as sysadmins watched hackers pick off their boxes one by one because there's no workaround while the patch was built. There was no possibility for diving into the code and fixing it yourself; and if there was there'd be no way to release the patched dll. Oh, and if a linux machine was compromised, there was little chance of it polluting the entire network...because the bug affected less than 1% of the install base of that particular OS, and not 100%.
Not to mention the reason that so many Linux patches were "found" rather than "discovered" is that bored sysadmins can sit around with sheets of source code, hoping to find a hole and make a name for themselves on BugTraq. With windows...well, you'd better be good with BlackIC and ASM, because it's the only way you're finding the hole.
A *nix OS? Unsecure? Not Like Windows (Score:2, Insightful)
But many of the things that make Windows unsecure do extend at the OS level. Here on my Macintosh, my firewall is set to lock out IPs that try a NETBIOS check, as well as various port scans. It's also aware of the Code Red variants.
My Mac OS (9 or X) ignore them. As with Linux, my OS doesn't know or care for NETBIOS.
And OS X, as a better example for all the huff, is a *nix family OS--and still in its infancy compared to the older Linux distros and UNIX itself. A UNIX class OS is only unsecure in the magnitude of Windows when we open up all the elements of the OS that are normally closed by default--permissions, certain root access, and so on. Therefore, you have to be a Raving Buffoon(tm) to set Linux or any *nix for a fall.
Window's faults are inherent to perpetuate its market share as well as stupid coding. And now MS wants to "fix" it? Give us a break.
/.
Re:You mean KNOWN vulnerabilities, right? (Score:4, Insightful)
While I have many bones to pick with MS, disclosure of bugs is a tentative one. On one hand, if they find a bug, don't tell anyone, fix it, then tell everyone, all in a short period of time, I'll all for it. If nobody (or very few people) knows about the exploit, the chances of me being hit by it are very small. The closed source prevents hackers from climbing all through the code and pre-emptively looking for bugs to exploit. This can be a Good Thing(tm), but it can also be a Bad Thing(tm) if MS finds an exploit, does nothing about it, and then a wily hacker exploits it.
The ability to see the Linux source does me and my dev team little or no good. We are software developers and don't have the time to run through hundreds of thousands of lines of code looking for vulnerabilities. We don't have the time to try and understand poor documentation, conflicting requirements, and other pitfalls that can strike open source. I would go out on a limb and say that the vast majority of LInux users don't climb around in the code. Who has the time?
Why is this automatically false? (Score:4, Insightful)
Again, I find it disturbing how easily everyone shrugs this off as propaganda or something.
Listen, everyone: Times are changing. Linux has gotten big and complicated, and is no longer automatically secure. Long gone are the Slackware days where you'd download a minimal kernel/utilities package and then compile only the apps you need, by yourself, and understand everything. Complex software has security problems, and the linux community has done little but use the "lots of eyeballs" method to counter that. Microsoft software is also quite complex, and they have fewer eyeballs (I hope, though I am not sure), but they have publicly recognized the problem and are at least pretending to try to fix it. Microsoft also has a bunch of research into technologies for producing machine-checked code so that they don't even need lots of eyeballs. (I really wish that linux had this too; see a related rant http://slashdot.org/comments.pl?sid=26315&cid=2851 880 [slashdot.org] ).
My linux box has been rooted twice. I keep up to date on patches, I read bugtraq. My windows box, also connected to the internet all the time (and getting a lot more use), has never been compromised through 95, 98, 2000, and XP.(I have been Winnuked, that's the worst thing that's happened.)
I guess my point is: this is not something to laugh at. Some day soon, people will not think of Microsoft operating systems as crashy (already happening to an extent) and insecure (...), and then linux will have a much tougher sell to the average guy who doesn't care about Free Software. Instead of laughing smugly about an article like this, maybe we should be worrying?
Re:This, of course, will be ignored and ridiculed (Score:2, Insightful)
It's a great-sounding theory. It _could_ be true in reality, if everyone were perusing source code, but who really does? Now, some folks _have_ looked at the code for OpenBSD, so it's what I run at home.
OTOH, open source is amenable to extremely quick fixes for exploits. Once a weakness is known, the eyeballs look at the code, and it gets fixed quickly. I hope. In other words, I don't really know, but it sounds like it's true, so why not promulgate another fine-sounding theory, heh heh.
Re:This, of course, will be ignored and ridiculed (Score:4, Insightful)
This kind of study don't see what is Linux, and what is agregated software. They say Linux and Windows, but I'm sure they don't include IIS.
In any case, impact and severity must also be taken into account. Most Windows bugs are remotely exploitable, and give full control of the machine. Most linux bugs are only localy exploitable, or only leak information.
It's very easy to say that car acidents happen more often then plain crashes. Anyone cares to count the casualities ? Well, I'm not sure this is a good example, once car acidents casuality numbers are, AFAIK, higher, but I think you get what I mean.
Case of bad statistics (Score:3, Insightful)
Now, how many people do you know that install redhat, then add to it all the security bugs in caldera, Connectiva, Mandrake, Slackeware, Suse, and Turbo Linux?? None, that would be extremely difficult. This is akin to saying the Ford Taurus has fewer bugs than all of the Nissans put together, therefore it is a better product.
Also, we are assuming that all bugs are created equal. Guess what, not so. Windows bugs have superpowers, faster than a speeding packet, stronger than a firewall, able to leap entire networks in a single bound! Linux security bugs take down processes, sometimes servers. Windows bugs take down Networks, or internets!!!
But I'm sure they'll never get called on it, because their readership is windows users. They are preaching to the choir, and they will ignore us and our quest for accuracy.
Inexperienced Programmers? (Score:3, Insightful)
I would like to see a comparison in bugcounts (say, per line of source code) between open-source projects supported by professionals (i.e. people trying to make money off of it, i.e. mySQL) and projects supported by weekend programmers.
I just had an ironic thought. Since most open-source business plans revolve around providing support, would that make those companies want to introduce MORE bugs?
Data shows Windows pretty bad (Score:2, Insightful)
Not True (Score:5, Insightful)
I can't connect to WinInformant, but if you look at the numbers available at SecurityFocus, you'll see that they did not simply add up the numbers. Linux is listet with 96 aggregated vulnerabilities for 2001, while e.g. Red Hat has 54, Debian got 28, and Mandrake got 36. There are more Linux distributions listed, but these numbers allone show that your claim is wrong (unless WinInformant has different numbers).
You'll also see that Red Hat had 54 vulnerabilities while Windows 2000 had only 42.
However, I'd still agree that the WinInformant article is badly researched (but please note that, as stated above, I've not read it, I only know the part that Slashdot quoted). The article claims that Windows is more secure "according to the reputable NTBugTraq," however, SecurityFocus does not make any claim concerning the security of either Windows or Linux, they just make the numbers available as a statistic. In other words, WinInformant doesn't have any source for their claims, they just found some more or less interesting numbers and made up a story.
Re:Not being a Windows apologist (Score:2, Insightful)
Every time someone brings this up I keep thinking it's sort of redundant. I guess, being a rather pitiful administrator in both respects; I find it easier to at least start locking down a unix box (FreeBSD in my case). With Unix you can tighten a box up instantly just by looking through hosts.allow (and hosts.deny in Linux's case) - it certainly doesn't take a genius to figure out what's going on. By contrast windows has a lot more to do with disabling services which (in my opinion) you're never sure what they do or if you need them. And sooner or later you'll end up fishing in the registry...
To me Unix systems are easier to secure because security is a part of the system, and not an afterthought / "oh so we're getting bad press so we'll start an inititive" sort of deal.
Re:Simply put, (Score:5, Insightful)
Find another excuse.
Re:Vulnerabilities vs Exploits (Score:2, Insightful)
1) Wide distribution. Yep. Contrary to your belief, Windows is distributed more widely than Linux. So, of course more boxes will be hit.
2) Idiot users. I mean, lets face it, There's a reason why most windows users aren't on Linux. They're morons! Anyone and I mean anyone that runs an attachment from someone they hardly know that's written in worse english than a retarded 7 year old would write deserves what they get. Unfortunantly, they're the reason the network was clogged with NIMDA. Code Red was more a result of wide spread use of IIS.
Gawd, I'm sick and tired of the linux bigotry around here. Linux is great and all, but I sure wouldn't want to join a group of the most closed minded bigots in the world, just to have the privelege of using a free OS that's actually pretty decent. I think I'll stick with Windows. Monopoly and all. You people are doing Linux a great disservice. Don't get me wrong, I like Linux, but it doesn't serve my needs as a desktop OS. Maybe instead of basing MS someone could make it more useful for the masses?
Simply put youre dead wrong (Score:5, Insightful)
Of course, that's not the case in the server market. If you want to talk about worms, remember one thing - the ONLY reason Code Red and other such worms exist is because of the popularity if the windows platform, on desktops and servers. Don't kid yourself for a second into thinking that the reason there aren't any widespread worms for *nix systems is because it's more secure.
Dont kid yourself. The various free o/s's are simply a harder target. They are more diverse, both across O/S's and distributions, and even within a distribution there are different configurations. On top of all that any individual box can be a totally custom system built from the source pool.
There are countless email readers, multiple web browsers, all types of competing server daemons. When you take the windows monoculture you simply dont find such diversity. The competing software are simply wiped out.
Its a well known and intuitive fact that monocultures are far more vulnerable to disease and parasites than a healthy diverse population.
Re:Simply put, (Score:4, Insightful)
In a word: Bullsh*t.
Securityfocus presented the numbers without bias, without commentary even. It is the MS shills that try to draw conclusions from these numbers, and one by one they take the aggregate Linux number, because it suits their agenda.
However, that aggregate number is worthless to draw conlusions from. At most one could use the distro numbers to draw the conlcusion that the average Linux distro ships with more (potential) vulnerabilities than Windows 2000. Of course, since the average Linux distro
So, the numbers tell us nothing new, except that the MS apologists will grasp at any straw to discredit what little competition they have.
MartRe:What?!? (Score:1, Insightful)
This last year the window community has really taken quite the widespread beating with viri (as usual). The linux community has not. Less people use linux, less people know what to do with linux, less people hate linux, less people wish to exploit it, and therefore less people are going to screw with it.
No operating system is perfect and or totally secure, however the more you scrutinize something the more apparent its flaws become. The Windows operating system has a hell of a lot more people looking at it under the micro scope...and that's an understatement. This, along with geek loathing and common software variables, is the reason why windows is less secure. The widespread common viri are just the result of all of this BS, and in my mind they totally prove that Windows is less secure. This is the same argument that us Mac diehards have been spitting out for years.
Worse still (Score:5, Insightful)
Windows security holes typically have exploits in the field, whereas linux vulnerabilities are commonly realeased from code review- hence having no preexisting exploits (that are known and demonstrated). Some are in fact purely theoretical, and may have to use to a malicious user.
So even if you keep on top of your windows updates religiously, keep in mind that they are generally reactive. So there is always that window of vulnerability...
Re:but which were more severe? (Score:1, Insightful)
So yes the story is probably very true. Linux appears less secure but in the end who is more secure? You know I dont recall hearing very many blurbs about IIS holes recently... Maybe its because anyone in their right mind isnt using it anymore.
Ill tell you why (Score:2, Insightful)
Re:Define "more secure" (Score:2, Insightful)
I really think the incendiary rounds are the best for personal defense. I don't think someone would continue to fuck with you if your shooting back at them with great big balls of white hot fire
Re:bias (Score:3, Insightful)
If you look at the SF numbers for any given distribution of GNU/Linux, they are smaller than the Windows numbers. Also, the numbers don't take into account things like severity, remote vs. local, whether the package affected is a core component of a functional server, package redundancy (one bug in four different FTP servers on GNU/Linux vs. four bugs in IIS is not delineated), popularity of the package to the platform is not discussed, etc etc.
And yes, I'm using IE to post this because Netscape seems to have proxy issues here at work, not because I want to.
Re:Define "more secure" (Score:2, Insightful)
Really? Which ones in particular?
I looked at the page, and I see REDHAT as the highest number for all of the linux distros.
This number is LOWER than the NT ones.
So can you explain this sentence for the rest of us please?
Re:The security of any OS lies... (Score:3, Insightful)
Look at it this way, when you say "linux exploits" you are not only talking about kernel issues and quality packages but every half-baked bit of code to come out of a college dormatory. If you include all the windows shovelware in with those exploit numbers I venture to say that you would see a very different picture.
Re:This, of course, will be ignored and ridiculed (Score:3, Insightful)
Does Open Source favor evil deep magic hackers? (Score:3, Insightful)
With closed source, mr. evil hacker will need to spend more time discovering the inner workings of the software than he will with open source.
So - will he then produce more exploits running through open source software grepping for common starting points for exploits than he will when dissecting closed source programs?
Remember - at any moments, the black hat community knows about exploits the rest of us don't know about. No computer has yet been classified as formally secure (to the best of my knowledge). We could all be at risk.
Exactly (it deserves to be rediculed and ignored) (Score:3, Insightful)
These numbers only reflect that GNU/Linux is more open and public in reporting its bugs than Windows, which is not surprising given Bill Gates & Co.'s efforts to suppress information about existing bugs in their operating system (the rightly rediculed notion of achieving security through obscurity).
There is absolutely no correlation between number of bugs reported and number of bugs existing, be they security related or not. This is doubly true when one party (Microsoft) is actively working to suppress such information about their own products.
The incompetence of the author writing this story, and of the Security Focus editorial staff for letting it through, is staggering. With this kind of security "expertise" is it any wonder at all that Nimda worms and the like run rampent across the net?
Indeed, if one wants to draw correlations (always a risky endeavor without corraborating evidence) it would make far more sense to correlate the percentage (vs. installed base) of demonstrably compromized systems running one operating system vs. another. As Code Red, Nimda, etc. have demonstrated, Microsoft's products win this one hands down. Indeed, in this case there is massive corraborating evidence to back up the conclusions of such a correlation
Perhaps you could put that on the stats page? (Score:3, Insightful)
I thought this was probably true, but I could not confirm it until I manually added up the bugs for a given year. Maybe you could explain the terms a little better on the page itselft?
Regardless of anything else, using these number to declare that one thing is more secure than another is a mistake.
That sounds like another piece of advice that should be on the stats page, not buried in a slashdot comment. Its unfortunate that someone misinterprets your statistics and publishes a misleading article every 6 months, but I can't help but wonder why you don't take proactive steps to help people understand the meaning of your web page.
-Mike
Re:His point is not moot. (Score:2, Insightful)
Worms thrive on total volume, not specifically servers.
Umm... Can you think of really a more damaging worm lately than Code Red?
Did it need clients/volume? Or just he 2X% of NT/2K servers out there unpatched?
While you're in the forest, watch for the trees. (Score:2, Insightful)
After all, aren't you really saying that those security flaws are less critical because script kiddies and crackers are less likely to come across a Linux box than a Windows one?
Re:The more accurate question (Score:5, Insightful)
Oh please. This is the same Slashdot that touted 30K bugs for Windows 2000 (like every other major tech publisher) regardless of the fact that the bugs were not known and many were probably "We spelled "maximize" wrong here".
Not only that, but... (Score:5, Insightful)
Most bugs that show up for redhat or any other linux distribution will NOT affect a well-secured machine in the first place. If you plan, for example, a standard web or database server, you're only going to permit ssh and apache or ssh and your brand of sql. How many vulnerabilities in the past year have been on those services? Practically none. Only 1 in ssh, and there was AMPLE warning to get patched before exploits were in the wild. The majority of bugs are for packages not often deployed, or not relevent to a server system where there is no user access.
Meanwhile, an enormous number of these linux bugs are irrelevent on a firewalled system, never mind the incompetency of sysadmins. A firewall will protect your X font server or your installed-by-default nfsd/statd, but Microsoft has had many high-profile, extremely-widely-abused holes in a server's primary services (IIS, MS-SQL, etc).
Anyhow, trying to say these statistics show that NT is more secure than Linux is not only irresponsible but absurd.
Re:Less because MS doesnt tell (Score:2, Insightful)
Personally, I'd like to see a more OpenBSD like install for all the consumer products. Although the user would have to work a little harder to get what they want, they would (presumably) learn a bit more about the system. If that fails, then they would at least have to admit liability for braindead configurations (er... most of em).
Re:This, of course, will be ignored and ridiculed (Score:5, Insightful)
Deciding which OS is more secure just by looking at the number of bugs is not the right way to decide things. As usual, there's an easy way, and then there's the right way.
First, lets assume the numbers are honest, and not double counted, as has been done before. (One reporter in the past took the numbers for linux in general, then took the numbers for a distribution, then ADDED them together to get his final number of bugs. Too bad most were double counted.) Not all bugs are the same. First, how severe is it? A bug that allows complete takeover of your system just by connecting to the internet (Universal Plug and Play anyone!) is not the same as an exploit in some little program nobody runs and those who do run it don't run it as root and run it in a chroot environment.
Second, how quickly is the bug patched? If you can't patch the hole for months because the vendor doesn't put out a patch, that's a different level of security than if you can patch the hole the next day. Third, does the patch fix problems or create them (NT SP2 anyone!).
Finally, are we comparing apples to apples. Most linux distributions come with much more software than a Windows CD. Not all of that software gets installed. Are we comparing a linux system with just the equivalent software a Windows CD comes with? That can make a big difference in the bug numbers.
Bias works both ways(Re:bias) (Score:3, Insightful)
Re:Define "more secure" (Score:5, Insightful)
Another note from bugtraq that will really push the numbers in favor of Windows. I quote: "* There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers." MAY?!?!? More likely WILL.
So let's see. IE vulnerabilities aren't counted. There goes the fairness in the numbers right there. Was IIS counted?
Re:From a technical standpoint. (Score:3, Insightful)
It isn't, though. Even the counting method used in the article is flawed. As mentioned in several other posts, package bugs are often listed for each distro that uses that package, so a single bug could easily be counted multiple times (and, in fact, this is the case since the article is based on the Linux aggregate, which simply counts the number of bugs reported on all Linux lists and adds them tegether).
Even at the most basic level, the article is FUD. The fact that this article was published without the editors checking even basic facts (like, for example, the fact that NTBugTraq is not hosted by SecurityFocus) certainly casts WinInformant in a bad light, and I will definately take any information I get through them in the future with a large grain of salt.
Re:Statistics.... (Score:4, Insightful)
Good point, but it would be better if you took it out of the context of the "users" and put it in the context of the developers. It works out more like this:
Open Source Project X Developer (who may well be on someone's payroll) finds a previously unknown security bug. He patches the bug and informs RedHat and other distro vendors, who then issue a security bulletin. One strike against Linux in the security count.
Meanwhile Microsoft Product Y Developer finds 100 unknown security security bugs in his big Feburary cleanup period. They are all rolled in to service pack 3. Microsoft issues a bulletin recommending all customers upgrade immediately. Zero strikes against Microsoft.
So you are counting ALL security bugs on the Linux side verus only publically reported security bugs on the Windows/Solaris/whoever side.
(Furthermore, it seems nobody considers local root exploits on Windows to be that big of a deal. I remember when RedHat put out multiple advisories for vi, joe, ed, and a bunch of other editors for a temp file vulnerability. [You'd think that "ed" would be rock solid by now...] Would that sort of thing even be considered a bug on the Windows side?)
Open Source airs its laundry (Score:2, Insightful)
Besides the fact that it is unfair to count 6 releases of Red Hat as one OS and not count NT and Win2k as one release over the same period, the initial period for a Linux distro is going bring issues to the surface, that is part of the process.
The linux bug finders are, as a rule, supported, appreciated and recognised in the open source community as pioneers. There findings are widely shared and listenned to -- I'm glad you can find the reports.
The Windows Bug Finders are threatenned, hushed, denied information, ignored and actively discouraged. Furthermore any recovery data is typically horded till a shiny executable can be sent out in a subdued and 'professional' manner when it wont embarrass Microsoft.
Where would you rather be???
I'll take linux any day.
Re:Severity of vulnerabilities (Score:2, Insightful)
That said, however, I also whink that this report is exaggerated because of the whole same bug-different ditro thing, the bugs in packages that aren't common for anyone to use (and your can use a root exploit on a package you don't have), plus the fact that I would assume that open source projects would have more security bug reports than closed source ones because it is easier to find them with the source.
IE subcomponent or "integral part"? (Score:2, Insightful)
And why does which ever answer I get smell like an Enron balance sheet?
one thing to consider... (Score:2, Insightful)
A Treatise on Fishing (Score:5, Insightful)
The jury is still out.
The SecurityFocus statistics broke in August, 2001, per their web page, so one has to extrapolate the partial 2001 total to get the projected total for the year.
In that extrapolation, one sees that the expected number of bugs (assuming the 96 reported bugs cover through the end of August) would be 144. There were 153 the year prior, which is likely well within the margin of error. In addition, many of the black hats have STOPPED REVEALING their exploits, so in fact there may be many more than what we see.
Now, it's worth pointing out that this is not necessarily a good measurement of security. We may be measuring the wrong thing.
An example of bad measurement is the one the government used to determine how many cod were left out in the ocean, to prevent overfishing. Year after year, the catches were about the same, so the government assumed that the fish stocks were constant. But suddenly there were no more fish -- the industry collapsed.
Why? Because they were measuring the wrong thing. They weren't measuring the total number of fish, they were measuring the fish that were caught. They didn't realize, as the fish stocks dwindled rapidly, that the fishers were getting newer and better technology to fish with. The total number of fish coming out of the water was constant -- but as a fraction of the total fish in the water, was going up very quickly. Eventually the fish were all but wiped out.
Measuring security by bugs reported is very similar. It may or may not reflect the number of bugs in the 'ocean'. It is an indirect measurement at best.
We need to differentiate between fish 'caught' and fish 'available'. From a security perspective, I think we are talking about TRUE security (the number of fish in the water) versus FUNCTIONAL security (the number of fish actually being caught).
Now, as security people, our goal is to reduce the fish catch as much as possible. There's two ways to do this; we can reduce the number of fish, or we can somehow control, limit, or damage the profession of fishing.
The real professonals are trying to reduce the number of fish in the water. That's the true long-term solution. But from a short-term perspective, what I care about personally is how many fish are CAUGHT. Every time they come up with a new exploit, I have to run around like a maniac patching systems.
However, the fishing analogy starts to break down, as most do eventually. Truly secure systems are still run by people, and people make mistakes. Even if the OS is perfect, the attack will often come against the weakest link, the employees. Thus, even though I would prefer to have true security, I have to argue that it isn't really necessary. The OS just has to be stronger than the other avenues of attack. ("Why are you putting on tennis shoes? You can't outrun a bear!" "I don't have to. I just have to outrun you.")
Security through obscurity, in other words, may be adequate for most uses. It slows down the rate of fish catching. If nobody discovers the bug until the next version of the OS is out, the bug is less important. The longer it takes to discover the bug, in general, the less damage it will do -- at least as long as we're on the upgrade treadmill.
But, a counter-argument to that just occurred to me: Security through obscurity may be long-term counter-productive -- making it hard to catch fish may have the effect of increasing the fish supply. Every time a fish is caught, it can't breed, and reduces the total population by that much. Likewise, in code, once a vulnerability is discovered, many related vulnerabilities may also be patched. Thus, security through obscurity may work well for a long time, but may actually be making the fundamental problem worse.
Another observation I have to add is that programmers like to create new programs. Very few of them like to audit code. New projects and programs are being added to the Open Source world at an amazing speed, and I don't think they're being stringently audited. In other words, they're adding to the fish stocks every day. There is no QA department in Open Source, and the code is getting more complex than individual people can understand anymore. I think, unless we come up with a better development method, Microsoft's ability to fund a billion dollar a year QA department is likely to reduce their fish count below that of Open Source.
So I think I will need to expand on my original hypothesis. I now believe that Open Source will probably lag behind closed source in terms of FUNCTIONAL security. In terms of TRUE security (absolute number of exploitable bugs, known or unknown) -- there's no easy way to tell. If catching fish reduces the fish supply, and if the programmers don't add too many new fish, eventually Open Source will start winning. But if Microsoft's QA department does a good job with their nets and lures, their fish supply may drop just as fast or faster. Money is definitely a good way to motivate people, and Microsoft has a lot of it.
It's also worth pointing out that even if things are getting more secure, the catch rates may be roughly constant, because presumably the crackers will get better and better, catching a higher and higher percentage of the fish. If the analogy holds, and I suspect it may, then eventually the fish stocks will be exhausted and the black hats will be very suddenly unable to crack machines anymore.
It's going to take at least five more years to know -- and twenty might be a more reaonable time frame. It took a long time to wipe out all those billions of cod. It may take just as long to wipe out the pool of security flaws.
<<RON>>
Re:wininformant.com eats its own dog food ... (Score:3, Insightful)
It has nothing to do with it being IIS or Tux or Apache or anything.
But you already knew this, and just got lucky that some zealot with moderation points fell for the Typical Windows Slam. Don't think I'm slamming you. Its not like you modded yourself up, so my beef isn't with you. It's with the Fanatics.
To Whom it may concern at Security Focus/BugTraq (Score:2, Insightful)
Thank You.
Re:Not only that, but... (Score:3, Insightful)
Window in the other hand comes with very few servers bundled and they are all on by default (as far as I know, I not a win expert). And even worst the security bugs are usualy in packages that are vital to the work the machine supose to be doing. I can make, and I bet many people do, a server machine without a font server, but I can't take out (or firewall) the server it self from the machine.
Re:A Treatise on Fishing (Score:3, Insightful)
Nice post.
One additional idea to consider, one which I'm unfortunately not creative enough to fit into your analogy.
The idea is the "window of vulnerability". You say that as a sysadmin you want to see less fish caught because that means you don't have to run around patching as often. Running around patching is bad, but getting rooted is worse, so if fish are going to be caught, we want the good guys to catch them first, because the bad guys prefer to gill-net them and leave them underwater as long as possible (okay, there's my lame attempt to keep the analogy going).
I would argue that the good guys aren't generally willing to fish as deep as the bad guys, but there are more of them and they share. The bad guys (some of them, anyway) are willing to work harder, but they keep their catch to themselves. In an open source world, the fish are shallower and easier for both sides to catch which seems likely to help the good guys more than the bad guys.
As you point out, though, this is all theoretical, and it will take years for the hard data to become available.
Zealotry (Score:3, Insightful)
Paul: Fuck You. You don't know shit. How's the page views today? That's what I thought.
CmdTaco: Stop feeding the trolls. This guy just made $x money because you decided to link to his crappy site. Now everyone is here literally frothing at the mouth. If this was real life someone would've been stoned to death by now or branded a witch. Is
Everyone:
Lies and statistics. August 2001 huh? So the stats were last compiled just after Code Red, but not since Code Red II, not since the UPnP fiasco, not since the most secure Windows OS ever? Nice to see "journalists" grouping distros together on the basis of which *kernel* they use. If you want to assess the security of *linux* then only focus on expoits that compromise the kernel. If it's just another BIND or wuFTP vulnerability, count it just once for "OSes that use that GPL'd kernel*" *note: packages included with each distro are not uniform across platforms. Not all Linux distros are alike.
But that is rational and fair, and we can't have that can we? No. We need to increase page views and banner hits, we need to convince so-and-so in management that *OS-not-right-for-the-job* is the right tool for the job.
Windows on the desktop and *nix in the server room; the Buddha smiled and farted. And God said "It is Good".
Re:Microsoft public relations employee (Score:1, Insightful)
Pull your head out of your ass, Moron. Linux is just a play-toy. If they actually made a halfway decent and usable desktop OS it'd actually be a worthy competitor. MS has no real competition. It's a monopoly by choice. And if you could see more than 2 inches in front of your own pimply face, you'd see that.
Read the sig. Friggin moron!