Forgot your password?
typodupeerror
Security

WinInformant Says Windows More Secure Than Linux 935

Posted by timothy
from the ho-hum dept.
nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T : Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T :Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.
This discussion has been archived. No new comments can be posted.

WinInformant Says Windows More Secure Than Linux

Comments Filter:
  • by Toby Truman (555615) on Monday February 04, 2002 @12:38PM (#2950564) Homepage
    In unrelated news, Microsoft yesterday announced that it had purchased an unnamed but reputable security group...
  • by Brandon T. (167891) on Monday February 04, 2002 @12:38PM (#2950566) Homepage
    Perhaps windows has had less overall security vulnerabilities, but the ones it has had have completely ruined systems and clogged up the internet (i.e. code red, nimda etc...).
    • exactly,

      linux probably had a multitude of minor, rarely exploited vulnerabilities, whereas win2K/NT had relatively few major holes.

      holes that are still now being exploited.

      id be interested to see the amount of revenue lost due to linux exploitation versus win2K (taking market share into account of course).

      sounds like poor data analysis...
    • by PurpleFloyd (149812) <zeno20@attbPASCALi.com minus language> on Monday February 04, 2002 @12:56PM (#2950755) Homepage
      If Linux had the marketshare of Windows, you can bet there would be lots and lots of scriptkiddies writing Code-Red style worms. Linux has had some pretty major security flaws in the past. Although they were fixed quickly, that doesn't mean that lazy or incompetent sysadmins will patch it right up. This leads to an opportunity for a Code-Red style worm, and if Linux had high marketshare, you can bet that it would have spread rather quickly as well.
  • by SiW (10570) on Monday February 04, 2002 @12:39PM (#2950568) Homepage
    The report doesn't seem to take into account the fact that while the number Windows holes was fewer, they were far more severe. Code Red, anyone?

    Btw, I'm not a Linux cheerleader, I'm a Windows guy most of the time, and I subscribe to the "best tool for the job" philosophy.
    • by MattW (97290) <matt@ender.com> on Monday February 04, 2002 @03:04PM (#2951461) Homepage
      It gets worse than that. Let's consider:

      Most bugs that show up for redhat or any other linux distribution will NOT affect a well-secured machine in the first place. If you plan, for example, a standard web or database server, you're only going to permit ssh and apache or ssh and your brand of sql. How many vulnerabilities in the past year have been on those services? Practically none. Only 1 in ssh, and there was AMPLE warning to get patched before exploits were in the wild. The majority of bugs are for packages not often deployed, or not relevent to a server system where there is no user access.

      Meanwhile, an enormous number of these linux bugs are irrelevent on a firewalled system, never mind the incompetency of sysadmins. A firewall will protect your X font server or your installed-by-default nfsd/statd, but Microsoft has had many high-profile, extremely-widely-abused holes in a server's primary services (IIS, MS-SQL, etc).

      Anyhow, trying to say these statistics show that NT is more secure than Linux is not only irresponsible but absurd.
    • by Nailer (69468) on Monday February 04, 2002 @05:41PM (#2952352)
      I'm not really surprised by this. Following the recent long Microsoft DNS outage when it was revealed that quite a few of Micrposoft's own DNS servers were running Linux (not to mention they use akamai for their downloads), Paul Thurrot came out with the classic report that although this might be true `its proves Open Source zealots wrong as Linux wasn't being used for anything mission critical'

      What the fuck? According to WHAT kind of logic is DNS not mission critical? If it its not critical, let's take those DNS servers offline (both Microsoft's and WinInfo's) and see how long either MS or Thurrot last.

  • by mblase (200735) on Monday February 04, 2002 @12:39PM (#2950571)
    Does Windows have fewer security holes than Linux? Apparently so.

    Are they smaller holes -- that is, exposing less control of the system and less potential for damage? Probably not.

    The question becomes, then: would you rather be shot by a dozen BB pellets or a single shotgun blast?
    • by blakestah (91866) <blakestah@gmail.com> on Monday February 04, 2002 @12:48PM (#2950671) Homepage
      You apparently didn't check out NTBugTraq. They simply added up vulnerabilities from different linux distros to come up with a high aggregate number. This is plain wrong because

      1) If a package has a security issue, usually all distros announce the security bug. Thus, the bug gets counted multiple times.

      2) Windows security bugs are all remote compromises, either email attachments, or remote roots. Over 90% of the linux security problems are local security issues.

      As another poster noted, this is a very poorly researched article.
      • Worse still (Score:5, Insightful)

        by Srin Tuar (147269) <zeroday26@yahoo.com> on Monday February 04, 2002 @01:22PM (#2950946)

        Windows security holes typically have exploits in the field, whereas linux vulnerabilities are commonly realeased from code review- hence having no preexisting exploits (that are known and demonstrated). Some are in fact purely theoretical, and may have to use to a malicious user.


        So even if you keep on top of your windows updates religiously, keep in mind that they are generally reactive. So there is always that window of vulnerability...

      • by berzerke (319205) on Monday February 04, 2002 @03:20PM (#2951554) Homepage

        Another note from bugtraq that will really push the numbers in favor of Windows. I quote: "* There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers." MAY?!?!? More likely WILL.



        So let's see. IE vulnerabilities aren't counted. There goes the fairness in the numbers right there. Was IIS counted?

    • I'm not convinced that "Windows has fewer security holes than Linux" just because there was a higher number of vulnerabilities reported. For the reported number to have any weight, there would need to be some consistency in how vulnerabilities are discovered and reported between Linux and Windows. On the discovery side, more eyes on open source code would tend to yield more discoveries, skewing the reported number. On the reporting side, Microsoft has a deserved bad reputation of denying and covering up security vulnerabilities in their products, which would lead me to speculate that they underreport their vulnerabilites, making a comparison useless. Moreover, the open source community has the opposite reputation - that of publishing vulnerabilities as they arise. Again, the results are skewed. I'm disappointed that a security site would perpetuate this flawed logic.
  • by peripatetic_bum (211859) on Monday February 04, 2002 @12:40PM (#2950575) Homepage Journal
    Look, the obvious point about this should be that the reason Linux has more known vulnerabilities is that linux has always been very open about what is wrong with linux.

    As for MS, I only have to point to the the major bug, that they knew about for weeks, but didn't let anybody know about!

    Now Im not saying that linux is more secure (as much as i would like to) but the data and report based from it, just makes no sense, if you think about how vulnerabilties are and are not reported

    Thanks for reading!
    • Im not saying that linux is more secure

      The thing about linux is that if you don't know how to set it up you can unknowingly install LOTS of services, most of which are unnecessary for a home user and many of which can be compromised. Redhat's "everything" install sounds pretty neat, but you probably don't want to run an FTP server, DNS server, SQL server, etc. if you don't absolutely need it (and know how to configure it). Mandrake (at least the older versions) has better security setup, allowing you to check off a security level during install that does a decent job of hardening the OS. Of course, not knowing that you are installing file shares on a cable modem with no firewall could be even easier to compromise :)

    • "linux has always been very open about what is wrong with linux."

      Open, maybe. Willing to change, rarely. Just look at the recent code rift between pre-release forks and the slowly growing consensus that Linux isn't up to the task. Something as simple as a paging system has to be debated endlessly (in the meantime, having different systems with different potential vulnerabilities). We may not be able to look at the MS code, but we can be pretty sure what doesn't work on one machine shouldn't work on another.

  • by llamalicious (448215) on Monday February 04, 2002 @12:40PM (#2950579) Journal
    Well, that may be all well and good from a purely technical (or counting reported bugs) standpoint.

    But when you consider Microsoft's installed user base, there's just no comparison to how widespread MS is.
    It's a damn good thing there were less bugs reported for Windows, as with each one, the repercussions are far far greater.

    ~sigh~
    • Well, that may be all well and good from a purely technical (or counting reported bugs) standpoint.

      It isn't, though. Even the counting method used in the article is flawed. As mentioned in several other posts, package bugs are often listed for each distro that uses that package, so a single bug could easily be counted multiple times (and, in fact, this is the case since the article is based on the Linux aggregate, which simply counts the number of bugs reported on all Linux lists and adds them tegether).

      Even at the most basic level, the article is FUD. The fact that this article was published without the editors checking even basic facts (like, for example, the fact that NTBugTraq is not hosted by SecurityFocus) certainly casts WinInformant in a bad light, and I will definately take any information I get through them in the future with a large grain of salt.

  • Simply put, (Score:3, Insightful)

    by Andorion (526481) on Monday February 04, 2002 @12:40PM (#2950585)
    Simply put, the reason Windows systems seem more vulnerable is because SO MANY MORE people use them, and don't keep them patched. As a rule of thumb, someone running Linux at home knows what the term "security vulnerability" means and keeps his system up to date, where someone running Windows whatever doesn't.

    Of course, that's not the case in the server market. If you want to talk about worms, remember one thing - the ONLY reason Code Red and other such worms exist is because of the popularity if the windows platform, on desktops and servers. Don't kid yourself for a second into thinking that the reason there aren't any widespread worms for *nix systems is because it's more secure.
    br -Berj
    • Re:Simply put, (Score:5, Informative)

      by joshtimmons (241649) on Monday February 04, 2002 @01:05PM (#2950838) Homepage

      Actually, there aren't SO MANY MORE windows servers on the internet than *nix boxes.

      Please see this fine article http://slashdot.org/article.pl?sid=01/07/13/124025 7&mode=thread [slashdot.org] which tries to compare the number of windows systems vs unix systems on the internet.

      Here are a couple of their conclusions:

      1. GNU/Linux is the #2 web serving operating system on the public Internet (counting by IP address), according to a study surveying March and June 2001
      2. GNU/Linux is the #1 server operating system on the public Internet (counting by domain name), according to a 1999 survey of primarily European and educational sites.
      3. GNU/Linux is the #2 server operating system sold in 1999 and 2000, and is the fastest-growing.

      Even taking the statistics most favorable to Microsoft, they had almost twice as many IPs on the public internet than Linux did in 1999. However, during that same period, there were many more than twice as many expoits, viruses, etc. that attacked windows vs unix.

      Linux has far too many installations on the public internet to be dismissed as too rare to interest hackers.

    • Re:Simply put, (Score:5, Insightful)

      by Rupert (28001) on Monday February 04, 2002 @01:16PM (#2950894) Homepage Journal
      l10n and ramen were two recent worms that attacked a bug in some versions of BIND on almost all unices. This would appear to be evidence against your theory that "no-one writes worms for *nix because of lack of market share".

      Find another excuse.
    • by Srin Tuar (147269) <zeroday26@yahoo.com> on Monday February 04, 2002 @01:16PM (#2950902)


      Of course, that's not the case in the server market. If you want to talk about worms, remember one thing - the ONLY reason Code Red and other such worms exist is because of the popularity if the windows platform, on desktops and servers. Don't kid yourself for a second into thinking that the reason there aren't any widespread worms for *nix systems is because it's more secure.


      Dont kid yourself. The various free o/s's are simply a harder target. They are more diverse, both across O/S's and distributions, and even within a distribution there are different configurations. On top of all that any individual box can be a totally custom system built from the source pool.


      There are countless email readers, multiple web browsers, all types of competing server daemons. When you take the windows monoculture you simply dont find such diversity. The competing software are simply wiped out.


      Its a well known and intuitive fact that monocultures are far more vulnerable to disease and parasites than a healthy diverse population.

  • Lousy research (Score:3, Interesting)

    by JanneM (7445) on Monday February 04, 2002 @12:41PM (#2950594) Homepage
    His mathematics is pretty bad. To get the security problems for Linux, he adds all security announcements from each of the major distributions - completely ignoring that most of those announcements are for the same bug. The Linux number is thus about a factor 4 too high.

    Also, the Windows announcements are for the OS itself only, while the Linux announcements cover programs that do not count as OS stuff under Windows.

    Badly researched piece.

    /Janne
    • Not True (Score:5, Insightful)

      by j7953 (457666) on Monday February 04, 2002 @01:13PM (#2950878)
      [...] To get the security problems for Linux, he adds all security announcements from each of the major distributions - completely ignoring that most of those announcements are for the same bug. [...]

      I can't connect to WinInformant, but if you look at the numbers available at SecurityFocus, you'll see that they did not simply add up the numbers. Linux is listet with 96 aggregated vulnerabilities for 2001, while e.g. Red Hat has 54, Debian got 28, and Mandrake got 36. There are more Linux distributions listed, but these numbers allone show that your claim is wrong (unless WinInformant has different numbers).

      You'll also see that Red Hat had 54 vulnerabilities while Windows 2000 had only 42.

      However, I'd still agree that the WinInformant article is badly researched (but please note that, as stated above, I've not read it, I only know the part that Slashdot quoted). The article claims that Windows is more secure "according to the reputable NTBugTraq," however, SecurityFocus does not make any claim concerning the security of either Windows or Linux, they just make the numbers available as a statistic. In other words, WinInformant doesn't have any source for their claims, they just found some more or less interesting numbers and made up a story.

    • Re:Lousy research (Score:3, Interesting)

      by Asic Eng (193332)
      What I don't get is this: this exact same miscalculation was already in an article referred to by slashdot, about a year ago. Neither slashdot nor the writer of the article seem to have learned anything... I'm somewhat surprised that the slashdot editors didn't point out that mistake right away. It also seems strange that Security Focus would still publish these "aggregate" numbers - they seem to only confuse people, and I don't see what sense these numbers would make?

      Anyway, what I found interesting is that Redhat faires so badly - about as bad as Win2k, and about twice as bad as any other Linux distribution. If SuSE has only 21 tracked bugs, and comes with a lot of software (7 CDs now, I think) is Redhat with 54 entries doing something wrong?

  • by Victor Danilchenko (18251) on Monday February 04, 2002 @12:42PM (#2950606)
    What matters is not how many bugs there have been, but the total window of vulnerability per bug -- the time elapsed from bug's discovery to bug'a closing. One really bad bug that remained open for a year is much worse than 10 bugs each remaining open for a week, you see.
  • by opkool (231966) on Monday February 04, 2002 @12:43PM (#2950612) Homepage
    After reading the whole thing, I came to the conclusion that this is an unfair comparison:

    -They only count bugs for one Microsoft OS product. I mean, there's Win95, Win95osr2, Win98, Win98SE, Win2000, WinME, WinCE, WinNT4.0...

    -They count one bug for each distribution. I mean, if a bug is detected on rsync, it shows as one different bug for every distribution, that is, one but for Mandrake 7.0, one for Debian, one for Mandrake 7.1 ...

    So, this makes me wonder if the journalist is plainly uninformed or if has no idea of what he is talking about (a laid-off journmalist from the gardening section re-hired for a tech-writter position).

    The conspiracy theories, black helicopters and Microsoft-payed journalists, from my point of view, do not apply here.

    Well, who said the world was fair?
  • by Gothmog (21222) <gothmog@@@confusticate...com> on Monday February 04, 2002 @12:43PM (#2950621) Homepage
    Pure quantity of security holes really is not the most question. To me there are two factors:

    1. How severe is the hole if exploited.

    Are we talking a DOS, a root compromise, the ability to take over a domain controller. The effect of a compromise needs to be taken into account.

    2. How easy to exploit is the whole.

    Is it a theoretical exploit, or are there tools floating around? Can it be easily mitigated by a good firewall, or can viewing an email cause the problem.

    These questions seem to me more important than pure quantity and should be taken into account when building a threat assesment of a system.
    • by SilentChris (452960) on Monday February 04, 2002 @02:58PM (#2951409) Homepage
      "These questions seem to me more important than pure quantity and should be taken into account when building a threat assesment of a system."

      Oh please. This is the same Slashdot that touted 30K bugs for Windows 2000 (like every other major tech publisher) regardless of the fact that the bugs were not known and many were probably "We spelled "maximize" wrong here".

  • by prisoner-of-enigma (535770) on Monday February 04, 2002 @12:44PM (#2950632) Homepage
    But it is possible to have a very secure Windows environent. No, it does not involve turning the box off ;^)

    Take this example: you have a highly competent NT/2K administrator (they do exist) and a pitiful *nix administrator. Which one is going to produce a more secure box? Any objective person would have to say the NT/2K guy would, because he knows his platform well enough to shore up vulnerabilities. Nimda, I Love You, and many other worms did not hit affect my company because we took security very seriously beforehand. Malicious attachments (.EXE, .SCR, etc) were banned long before I Love You came along.

    Now, having played devil's advocate for a moment, let me say that if you have a tightly controlled *nix box with a competent admin and a focus on security, you can create a damn near impregnable system. The weaknesses then lie with the applications, not the OS, and that's something ALL vendors need to work on (you listening, Larry "Unbreakable" Ellison?)
  • by cperciva (102828) on Monday February 04, 2002 @12:44PM (#2950635) Homepage
    I can't remember hearing about many *new* security holes in win2K recently.

    I can't get to the article right now, so I'm not sure exactly what their argument is, but while I can remember hearing about quite a few major security holes in the unixes (I think everyone was bitten at least once by ptrace race conditions) I can't think of any similar issues in win2k.

    XP, on the other hand... but we're not talking about XP here.
    • by Drestin (82768) on Monday February 04, 2002 @01:12PM (#2950868)
      Actually, IIS hasn't had a hole since last August and IIS 5.1 hasn't had one, period. XP has only had the UPnP hole (new technology, consider it a version 1.00 bug).

      There are FAR fewer holes in W2K than people would like to admit. IE may have some problems but not the base OS. Even IIS has been tighted up a great deal.

      People need to understand something, we know MS almost never get's it right the first time (see version 1.00 bug) and may not the second but eventually they do. OK, they sucked at security to begin but with all those resources and the pressure from the top and from outside - did you really think they'd sit still or get worse? Nope - ask Netscape what happens when you become their focus of attention. Tux comes out and smokes IIS 5 and everyone laughs... according to the results of my beta tests with IIS6, we'll see who's laughing when it's publically benched.

      Your lesson is: MS learns. It's almost never right the first time but... it learns.
      • by Lumpy (12016)
        There are FAR fewer holes in W2K than people would like to admit. IE may have some problems but not the base OS. Even IIS has been tighted up a great deal.

        EXACTLY!!!!!! Sorry you cant count any BIND holes on linux. Or any sendmail, ssh,telnet,ftp,etc...

        so after removing all holes that are for software that runs on the OS, linux has what 1 maybe 2?

        This is why I pitch a royal bitch about most certification and security analyses... they are testing things that are not a part of the CORE OS. and therefore are meking everything a mess.

        Let't take NT4.0 and a slackware linux with packages A and N installed. no software other than what the base os allows. (no ftp, not BIND, no sendmail, no servers of any kind.)

        then let's look at the holes... the number of problems on both sides will dwindle to almost nothing. with NT losing because of the silly run all services as the system account bungle.

        if you were to apply a daemon mindset to Nt, and able to run most of the services as a almost-no-access user, over 1/2 the trouble would evaporate.
  • by WIAKywbfatw (307557) on Monday February 04, 2002 @12:45PM (#2950646) Journal
    Surely it's not the number of vulnerabilities that either OS displays that's important but rather their severity?

    I mean, an exploit that requires the malicious party to have physical access to a machine and then only gives him access to one specific folder on a system is hardly as big a deal as one that gives a script kiddie sitting in his bedroom complete remote control of your corporate servers, allowing him to copy, overwrite and delete files, folders and hard drives at the click of a button?

    Let's try to compare apples and oranges here. Just because McDonalds has more restaurants than Michelin-stared ones it doesn't make the Big Mac a better meal.
  • by mblase (200735) on Monday February 04, 2002 @12:46PM (#2950651)
    The SecurityFocus charts [securityfocus.com] seem to say that in the last several years, WinNT/2K has had 2/3 to 3/4 the vulnerabilities of Linux -- all Linuxes combined, that is.

    When you break it down, however, Windows has been about equal to Red Hat and well above all the othe Linuxes and Unixes in the chart.

    As a willing participant in the capitalist scheme, I don't care how secure everyone else's servers are -- just the one securing my stuff. The only thing this chart tells me is that if I want a secure server OS out of the box, I should start with Mandrake or Debian instead of Red Hat or Windows.
  • Break it down.. (Score:3, Interesting)

    by iamsure (66666) on Monday February 04, 2002 @12:49PM (#2950677) Homepage
    1. Severity - The issues that exist on Windows platforms are demonstratably larger. There is no administrator/root containment of priveldge (generally), and most of the security issues reported are indeed system-level, remote, and widespread.

    2. Activeness - The common issues reported for Windows deployments are almost universally in use and actively being exploited BEFORE the report. Most *ix vulnerabilities are not being actively exploited (and definitely at a lower level of activity), and are generally patched to resolve the issue FAR quicker.

    3. Openness - "Linux" has no control over the release of bug reports. Microsoft on the other hand, does, to a degree. They can actively "persue" the matter and encourage the bug reporter to remain quiet about it until they can respond. In some cases for MONTHS even for well established bug hunters like eEye, on very large vulnerabilities like UPNP.

    In closing, there are lies, damned lies, and statistics. Sure, you can put whatever spin you want on it, and I think I have in this posting.

    ONE thing needs to be clear, there are alot of bugs, and having many eyes isnt preventing them from happening on Linux.

    No matter where you sit, its justification to yet again work diligently to reduce the number of potential bugs by secure programming techniques.

  • by defile (1059) on Monday February 04, 2002 @12:51PM (#2950686) Homepage Journal

    Unlike Windows, there are many independent distributions of Linux that may or may not be vulnerable to a security hole. Also unlike Windows, each distribution has shorter release cycles. Futhermore, many Linux distributions come with lots of bundled software that not all sys admins install.

    This means that security holes discovered against Windows could be far more devastating because of the uniformity of the installed systems. Code Red/Nimda, etc. would've been much harder to pull off against all variants/distributions of Linux. There's much more paydirt in developing good Windows exploits, since they're likely to work against ALL Windows systems, which means the exploits are likely to be very refined and well tested. Compare to Linux exploits which are usually very hard to get working the first time.

    It's also harder to find security holes in Windows since it's closed source (which doesn't make them any less severe). Many security analysts won't even bother since it mostly involves using a debugger to poke at a task for hours, rather than simply grepping source trees for unsafe functions.

    But yeah, it is pretty disgusting that Linux in general has this many security holes.

  • by Junta (36770) on Monday February 04, 2002 @12:52PM (#2950701)
    Essentially, concluding that Windows is more secure based on that data alone is rather ridiculous. Not to say it couldn't be true, but that data is inconclusive at best.

    For one, in total vulnerabilities Windows come in second only to aggregate linux, which, as far as I can tell is a compilation of vulnerabilities across the board for linux distributions and therefore includes mostly duplicates, so that figure is best thrown out the window completely. So numerically the argument doesn't hold up. Additionally, within a distribution a widespread vulnerability may impact several packages. For example, say a widespread vulnerability in FTP servers was found. In Windows, that means one vulnarability, IIS. For a linux distribution, it could be several (wu-ftpd, proftpd, etc...) So in another way Linux figures are inflated by duplicates.

    Second, no matter how the numbers add up, it still proves nothing for either side. The numbers state simply that X # of vulnerabilities are known for platform. Nothing is said of severity or exploitability. Very minor or virtually non-exploitable vulnerabilities count as much as serious, wide-open delete data vulnerabilities in these stats. Also, no consideration is given for what would be considered a vulnerability on each platform. Windows tends to by design allow users to do more without Admin privs. So, a theoretical bug that allowed change of color depth in XFree86 might be considered a vulnerablity (since root privs are typically required for that operation), while in Windows it is a normal, harmless feature. This example has all sorts of problems with it, but I think it illustrates the point that some things normal in Windows would be considered vulnerabilities in a Linux environment (and vice-versa to some extent).

    In short, no simple chart can show one platform to be more secure than another....
  • by John Harrison (223649) <johnharrisonNO@SPAMgmail.com> on Monday February 04, 2002 @12:52PM (#2950704) Homepage Journal
    Is it a surprise that there were more vunerabilities DISCOVERED for Linux than for Win 2K? How many people are looking over the source code of Win 2K for bugs? Now how many have access to the couse code for Linux? It seems pretty obvious where you will find more bugs in the short term. Also, do you think that Microsoft "announces" any and all bugs that it finds internally or are these just bugs that were found outside of Microsoft? How easy is it to find these bugs in Windows without the source? How many more would be found if source code was availible?

    In the long term Linux will have progressively fewer bugs/vulnerabilities due to its open source nature. Look at the numbers on the same chart for NetBSD. There were 9 vulnerabilities found in 2001, and 42 found in Win 2K. 54 for RedHat and only 2 for TurboLinux.

    Obviously everyone should switch to Turbo Linux.

    • Let's be fair. Some of the malicious hackers are extremely good. Does source code peer reviews improve security? If the guy reviewing the code is dumber than mr. evil hacker, then he might leave open an exploit for mr. evil hacker to enjoy and abuse.

      With closed source, mr. evil hacker will need to spend more time discovering the inner workings of the software than he will with open source.

      So - will he then produce more exploits running through open source software grepping for common starting points for exploits than he will when dissecting closed source programs?

      Remember - at any moments, the black hat community knows about exploits the rest of us don't know about. No computer has yet been classified as formally secure (to the best of my knowledge). We could all be at risk.
    • by Malor (3658) on Monday February 04, 2002 @05:36PM (#2952323) Journal
      I posted a couple years ago on this topic. My hypothesis at the time was that Open Source would show more bugs for quite some time, as people poked through the code, but would gradually settle down and become very secure. I also believed that Windows vulnerabilities would continue to be discovered at a more or less constant rate.

      The jury is still out.

      The SecurityFocus statistics broke in August, 2001, per their web page, so one has to extrapolate the partial 2001 total to get the projected total for the year.

      In that extrapolation, one sees that the expected number of bugs (assuming the 96 reported bugs cover through the end of August) would be 144. There were 153 the year prior, which is likely well within the margin of error. In addition, many of the black hats have STOPPED REVEALING their exploits, so in fact there may be many more than what we see.

      Now, it's worth pointing out that this is not necessarily a good measurement of security. We may be measuring the wrong thing.

      An example of bad measurement is the one the government used to determine how many cod were left out in the ocean, to prevent overfishing. Year after year, the catches were about the same, so the government assumed that the fish stocks were constant. But suddenly there were no more fish -- the industry collapsed.

      Why? Because they were measuring the wrong thing. They weren't measuring the total number of fish, they were measuring the fish that were caught. They didn't realize, as the fish stocks dwindled rapidly, that the fishers were getting newer and better technology to fish with. The total number of fish coming out of the water was constant -- but as a fraction of the total fish in the water, was going up very quickly. Eventually the fish were all but wiped out.

      Measuring security by bugs reported is very similar. It may or may not reflect the number of bugs in the 'ocean'. It is an indirect measurement at best.

      We need to differentiate between fish 'caught' and fish 'available'. From a security perspective, I think we are talking about TRUE security (the number of fish in the water) versus FUNCTIONAL security (the number of fish actually being caught).

      Now, as security people, our goal is to reduce the fish catch as much as possible. There's two ways to do this; we can reduce the number of fish, or we can somehow control, limit, or damage the profession of fishing.

      The real professonals are trying to reduce the number of fish in the water. That's the true long-term solution. But from a short-term perspective, what I care about personally is how many fish are CAUGHT. Every time they come up with a new exploit, I have to run around like a maniac patching systems.

      However, the fishing analogy starts to break down, as most do eventually. Truly secure systems are still run by people, and people make mistakes. Even if the OS is perfect, the attack will often come against the weakest link, the employees. Thus, even though I would prefer to have true security, I have to argue that it isn't really necessary. The OS just has to be stronger than the other avenues of attack. ("Why are you putting on tennis shoes? You can't outrun a bear!" "I don't have to. I just have to outrun you.")

      Security through obscurity, in other words, may be adequate for most uses. It slows down the rate of fish catching. If nobody discovers the bug until the next version of the OS is out, the bug is less important. The longer it takes to discover the bug, in general, the less damage it will do -- at least as long as we're on the upgrade treadmill.

      But, a counter-argument to that just occurred to me: Security through obscurity may be long-term counter-productive -- making it hard to catch fish may have the effect of increasing the fish supply. Every time a fish is caught, it can't breed, and reduces the total population by that much. Likewise, in code, once a vulnerability is discovered, many related vulnerabilities may also be patched. Thus, security through obscurity may work well for a long time, but may actually be making the fundamental problem worse.

      Another observation I have to add is that programmers like to create new programs. Very few of them like to audit code. New projects and programs are being added to the Open Source world at an amazing speed, and I don't think they're being stringently audited. In other words, they're adding to the fish stocks every day. There is no QA department in Open Source, and the code is getting more complex than individual people can understand anymore. I think, unless we come up with a better development method, Microsoft's ability to fund a billion dollar a year QA department is likely to reduce their fish count below that of Open Source.

      So I think I will need to expand on my original hypothesis. I now believe that Open Source will probably lag behind closed source in terms of FUNCTIONAL security. In terms of TRUE security (absolute number of exploitable bugs, known or unknown) -- there's no easy way to tell. If catching fish reduces the fish supply, and if the programmers don't add too many new fish, eventually Open Source will start winning. But if Microsoft's QA department does a good job with their nets and lures, their fish supply may drop just as fast or faster. Money is definitely a good way to motivate people, and Microsoft has a lot of it.

      It's also worth pointing out that even if things are getting more secure, the catch rates may be roughly constant, because presumably the crackers will get better and better, catching a higher and higher percentage of the fish. If the analogy holds, and I suspect it may, then eventually the fish stocks will be exhausted and the black hats will be very suddenly unable to crack machines anymore.

      It's going to take at least five more years to know -- and twenty might be a more reaonable time frame. It took a long time to wipe out all those billions of cod. It may take just as long to wipe out the pool of security flaws.

      <<RON>>
  • Some explanations??? (Score:5, Interesting)

    by Zwack (27039) on Monday February 04, 2002 @12:53PM (#2950720) Homepage Journal
    Greetings,
    I wonder how they decided what is "more secure", but my guess is that it's based on the number of reported exploits/bugs.
    Does anyone know if they used any weighting on the types of exploits/bugs. I would consider a remotely exploitable bug to be much worse than a locally exploitable bug as you can't control people that aren't on your box as well as the people that are. I would consider a root/administrator access bug to be worse than a denial of service type bug.

    So, given a weighting scheme of :-
    Remote Root = 4
    Remote Denial of Service = 3
    Local Root = 2
    Local Denial of Service = 1
    How would the different OSes stack up?

    My guess is that without even taking number of installations into account you would find that Microsoft was at least as bad as the various Linux/Unix versions. I'm not going to say that they were worse.

    Anyone want to do some analysis on the same information given a weighting scheme and see what the differences are?

    Z.
  • Wait a sec... (Score:5, Interesting)

    by saberworks (267163) on Monday February 04, 2002 @12:54PM (#2950724) Homepage
    1. How many of the Linux vulnerabilities are in services that aren't linux? IE: sendmail, apache, ftp servers, and whatnot? Just because something is packaged with linux doesn't make it linux. Do the windows bugs count IE bugs and every other MS software running on the system? What about other packaged software such as AOL and whatever other links they provide?

    2. Sheer number of vulnerabilities mean nothing - are they counting the severity of the vulnerabilities?

    3. Are they counting the time it took before A) someone discovered the vulnerability and B) a patch was issued?

    4. If there are comparable numbers of linux vs. win2k servers out there, which actually had more break-ins? (This question not valid if there is a wide gap in numbers since then the lower of the two probably benefits from that "security through obscurity").

    5. I think having full source code availability leads to people actually FINDING the bugs, whereas Windows could have way more, but we don't know about them unless people are actually TRYING to crack the system (as opposed to finding them working on source or whatever).
  • Bogus statistics (Score:3, Interesting)

    by coyote-san (38515) on Monday February 04, 2002 @12:55PM (#2950744)
    If this is the same article mentioned on LWN (can't be sure, since it's slashdotted), this article compared the number of bugs reported against Windows against the number of bugs reported against Red Hat. And Debian. And SuSE. And another distro - forgot which one.

    I'm sure it was an honest mistake that most Linux bugs were counted multiple times.

    But I don't buy into the "bug count" argument anyway. It's a lot like that controversy over the "most decorated US veteran" (Hacksworth?) - a lot of people think that you can have a warehouse full of bronze stars and distinguished service medals and it's all scrap metal next to a single Congressional Medal of Honor (post.).

    What was the last remote root exploit for a widely used Unix service? What about local exploit for a widely used Unix application?

    Now ask the same thing about Microsoft.

    Finally, "NTBugTraq" may be respected but that doesn't mean it never publishes crap -- sometimes for the purpose of shooting it down. I've seen this happen on comp.risks and elsewhere.
  • by larsu (473425) on Monday February 04, 2002 @12:56PM (#2950757)
    Anyone remember Code Red? Nimda? I sure do. I still get 300+ scans a day from infected Windows boxen.

    Also, most linux vendor security announcements posted to Bugtraq are for add-on software not enabled by default. They are also announced by each vendor individually, and the author of the package. Most Windows announcements are about vulnerabilities in the OS (IE) or widely deployed packages (IIS, Outlook) from the author of the exploit (after secure@microsoft.com has ignored them).

    The entire article needs to be modded -1 flamebait.
  • by victim (30647) on Monday February 04, 2002 @12:59PM (#2950777)
    Which OS has more security problems is an interesting question, but I would not use ntbugtrack's data to answer it for the following reasons...
    • Having one of the OSes embedded in their name immediately makes my wonder about bias.
    • They have an aggregate data column for `all linux distributions' where they overcount the same bugs. Despite breaking windows OSes into two columns, they don't aggregate these together.
    • They do not attempt to quantify either theoretical severity of a problem or actual real world impact of the problem. The linux community tends to have more bug reports for theoretical problems that are fixed before they are exploited.
    • The statistics from ntbugtrack have been stale since August. This is an abandoned site. I suspect anyone doing a serious analysis would start with current data.
    • It is possible that MS bugs are under reported. All Debian security bugs are fully reported by policy. Microsoft has a policy (recently at least) of supressing minor bug reports and quietly fixing them.
    • Your typical linux distribution is OS, plus OS utilities, plus all of the applications. Application level bugs will show up in the linux distributions, but not in the windows columns. Consider the recent rsync bug. That should be a bug for all of the major linux distributions, but will not appear in the windows column even though rsync can be installed and run on windows. (This is an example, I have not verified that the bug affects windows. I believe it does from the description. Don't flame me over this one.)

    So, how about we do a serious analysis? I'll put up a system that lets people rate the various bugs by severity along a couple of continuums. (Like theoretical impact and actual impact.) Then people can use this data to draw more accurate conclusions. If at least 10 people respond to this post, and two thirds of them think it is a good idea, I'll put one up and link it here.
  • Again, Winformant, in a desperate attempt to seem like they aren't a bunch of toadies, has struck an "independent" blow against linux's "security myth," by proving that more holes were found in linux than in Windows.

    Well, duh. Linux is full of holes. But that's not winformant's problem. You see, each of those holes was cleared up in a matter of days and a patch was freely available. There were no egos and press releases claiming there are no holes. There were no programmers waiting around while Marketing decided the best colour for the patch's installation wizard. There was no downtime as millions of machines had to get the file from a single MS server because the patch's license didn't allow redistribution. There were no hours of wringing hands as sysadmins watched hackers pick off their boxes one by one because there's no workaround while the patch was built. There was no possibility for diving into the code and fixing it yourself; and if there was there'd be no way to release the patched dll. Oh, and if a linux machine was compromised, there was little chance of it polluting the entire network...because the bug affected less than 1% of the install base of that particular OS, and not 100%.

    Not to mention the reason that so many Linux patches were "found" rather than "discovered" is that bored sysadmins can sit around with sheets of source code, hoping to find a hole and make a name for themselves on BugTraq. With windows...well, you'd better be good with BlackIC and ASM, because it's the only way you're finding the hole.
  • by tqbf (59350) on Monday February 04, 2002 @12:59PM (#2950788) Homepage
    I like SecurityFocus. The people in charge of SecurityFocus are with-it and honest. I am completely confident that this work was done in good faith.

    However, the conclusion being drawn here is invalid. The SecurityFocus vulnerability survey is interesting, but it is not itself a reasonable methodology to generate security metrics between operating systems.

    I could pick nits at this ad hoc study for hours, but the biggest problems are also the most obvious:

    First: the study associates third-party software with the operating system, and aggregates all the distributions together into a meaningless "Linux" category. This study is literally just pattern matching against advisories.

    Second: there is no notion of "severity" or "impact" in the study. This is a shame, because SecurityFocus has actually put some real effort into deriving a taxonomy of vulnerabilities from their (enormous) vulnerability database. There is no way to determine whether the N Linux vulnerabilities were equivalent to the K NT vulnerabilities.

    Third: the study compares a kit of open-source software, which has received extensive peer review, to a closed-source product. It should surprise nobody that Linux has more documented problems than Windows: it's actually possible to go find vulnerabilities on Linux. Finding Windows vulnerabilities requires black-box reverse engineering.

    Finally, both Linux and Windows do a reasonable job of locking down server configurations out of the box. What IT people need to know is vulnerability breakdown by operating system and by deployed configuration. This study does nothing to inform us of whether a Linux web server is at more risk than a Windows web server, or whether it's safer to expose a Linux print server or a Windows print server. Organizations that deploy homogenous Apache+NFS+ssh server farms don't care about XFree vulnerabilities or Samba problems.

    I don't think SecurityFocus is actually trying to make claims about the relative security of Linux and Windows. I think they've been a bit careless with this report though; it's a reasonable thing to try to generate from their database, but more thought should have gone into presentation.

    SecurityFocus has the on-staff expertise to publish some real conclusions about the distribution of vulnerabilities between Linux and Windows. Before this database report is misconstrued by the trade press, it would be enormously helpful if they could publish a statement about the conclusions that can be legitimately drawn from it. It'd be good press for them, too.

  • by Tom7 (102298) on Monday February 04, 2002 @01:02PM (#2950812) Homepage Journal

    Again, I find it disturbing how easily everyone shrugs this off as propaganda or something.

    Listen, everyone: Times are changing. Linux has gotten big and complicated, and is no longer automatically secure. Long gone are the Slackware days where you'd download a minimal kernel/utilities package and then compile only the apps you need, by yourself, and understand everything. Complex software has security problems, and the linux community has done little but use the "lots of eyeballs" method to counter that. Microsoft software is also quite complex, and they have fewer eyeballs (I hope, though I am not sure), but they have publicly recognized the problem and are at least pretending to try to fix it. Microsoft also has a bunch of research into technologies for producing machine-checked code so that they don't even need lots of eyeballs. (I really wish that linux had this too; see a related rant http://slashdot.org/comments.pl?sid=26315&cid=2851 880 [slashdot.org] ).

    My linux box has been rooted twice. I keep up to date on patches, I read bugtraq. My windows box, also connected to the internet all the time (and getting a lot more use), has never been compromised through 95, 98, 2000, and XP.(I have been Winnuked, that's the worst thing that's happened.)

    I guess my point is: this is not something to laugh at. Some day soon, people will not think of Microsoft operating systems as crashy (already happening to an extent) and insecure (...), and then linux will have a much tougher sell to the average guy who doesn't care about Free Software. Instead of laughing smugly about an article like this, maybe we should be worrying?

    • Microsoft also has a bunch of research into technologies for producing machine-checked code so that they don't even need lots of eyeballs. (I really wish that linux had this too;


      Linux DOES have this - there are various and sundry programs which will scan your code for you - even kernel code. And if you don't want to rely on the programmer, there are libraries available for Linux which prevent a number of these holes - automatically.


      My linux box has been rooted twice. I keep up to date on patches, I read bugtraq. My windows box, also connected to the internet all the time (and getting a lot more use), has never been compromised through 95, 98, 2000, and XP


      Of all the boxes I've had to monitor, only a disused Windows box has ever been compromised. I am constantly bombarded with virii and worm attacks from compromised Windows boxes; most of the Linux boxes "attacking" my network are owned by the hackers.


      I'd stand by my Linux install just as soon as I'd stand by any Windows box I've had a hand in hardening.

    • by jdavidb (449077) on Monday February 04, 2002 @01:48PM (#2951134) Homepage Journal

      Long gone are the Slackware days where you'd download a minimal kernel/utilities package and then compile only the apps you need, by yourself, and understand everything.



      Wrong. I entered those days quite recently, with Linux From Scratch [linuxfromscratch.org]. LFS isn't exactly a "security solution," but it's hard to break into a machine when there's nothing running on any port except ssh.

  • by alta (1263) on Monday February 04, 2002 @01:07PM (#2950848) Homepage Journal
    Ok, here's what I noticed. The SUM of all Linux's put together had a higher bugcount than windows 2000.

    Now, how many people do you know that install redhat, then add to it all the security bugs in caldera, Connectiva, Mandrake, Slackeware, Suse, and Turbo Linux?? None, that would be extremely difficult. This is akin to saying the Ford Taurus has fewer bugs than all of the Nissans put together, therefore it is a better product.

    Also, we are assuming that all bugs are created equal. Guess what, not so. Windows bugs have superpowers, faster than a speeding packet, stronger than a firewall, able to leap entire networks in a single bound! Linux security bugs take down processes, sometimes servers. Windows bugs take down Networks, or internets!!!

    But I'm sure they'll never get called on it, because their readership is windows users. They are preaching to the choir, and they will ignore us and our quest for accuracy.
  • by johnthorensen (539527) on Monday February 04, 2002 @01:09PM (#2950859)
    I was thinking to myself yesterday about how the nature of open-source lends itself to a lack of "talent auditing". Meaning, there **MAY** be a greater chance of bugs being introduced into an open-source project because the programmers are often not hired professionals.

    I would like to see a comparison in bugcounts (say, per line of source code) between open-source projects supported by professionals (i.e. people trying to make money off of it, i.e. mySQL) and projects supported by weekend programmers.

    I just had an ironic thought. Since most open-source business plans revolve around providing support, would that make those companies want to introduce MORE bugs? :-P
  • by Serpent Mage (95312) on Monday February 04, 2002 @01:17PM (#2950906)
    Connectiva has been declared the safest operating system ever with combined vulnerabilities over the last 5 years equalling 0. Everyone in corporate america and those banks too should immediately through out all other operating systems and switch over to Connectiva.

    Warning: Connectiva does not support vulnerabilities and all calls will be redirected to the nearest OS distributor.
  • by bwt (68845) on Monday February 04, 2002 @02:51PM (#2951352) Homepage
    As a former quality supervisor, I have to say that the conclusions drawn from this data are badly flawed. Interpreting the results of a measurement, even something as simple as a count, without giving due attention to the measurement process itself, is a classic way to reach wrong conclusions.

    For any measurement to be meaningful, a mechanism of calibration must exist. In the context of counting software defects of any type, some questions immediately arise:
    1. Severity: is there a threshold for including a bug in the count. Is it the same across systems? EG: do each count "privacy bugs"?
    2. Scope of measurement: are the measurements made for comparable functionality of code. EG: If "MS Backoffice" is tallied separately to WinNT is this an apples-to-apples comparison to a linux disto?
    3. Timing: does each measurement count vulnerabilities at the same point in the identification process? EG: Do "theoretical" bugs with no known exploit count? Do bugs in beta versions of particular applications count?
    4. Completeness: are all vulnerabilities reported? are separable vulnerabilities reported separately? EG: if MS internally ID's a bug and fixes it, does it remain secret or will it make its way into the tally? Can three separate bugs be counted as only 1 because the details are kept hidden?

    I believe that linux distros include a lot more functionality, have a higher standard on what constitutes a bug, report bugs early and visibly, and fix bugs much earlier in the vulnerability lifecycle. Every one of these traits would penalize a linux distro on a defect count metric.

    Reported defect counts are generally a lousy measure of quality, because they drive bad behavior: they can be decreased by lowering the quality of identification process instead of improving the quality of the product. Moreover, to draw conclusions about overall system security, I would be more interested in the aggregate lifetime-until-patch of known working exploits.
  • by uucpbrain (541924) on Monday February 04, 2002 @03:04PM (#2951452)
    The problem here is just that there is no "aggregate Microsoft" category. Heck, there's not even a W95/98/ME category! But if you lumped together all W95/98/ME/2K/NT/XP vulnerabilities, then made sure that you dealt with apps evenhandedly, "aggregate Linux" would start looking great all of a sudden.

    Now consider exploitability. Let's take Mandrake for example -- although their figures are already way lower than NT's (or, no doubt, 95/98/ME's), a default install includes 'libsafe', which means that none of the buffer overflows or format bug exploits will work. There go 3/4 of the theoretical vulnerabilities, including the ones which haven't been discovered yet. And a libsafe rpm could be installed on almost any Linux system in a matter of seconds without breaking anything, making the whole raw tally concept very questionable.

    The only way to secure an MS system that broadly and quickly is to cut the Ethernet cable.

    I leave my Linux box on the Internet without worry, and my investment in security has been maybe an hour and $0.00. I can and do take my time on patches because I know that almost none of the bugs have any chance of being exploited on my system. That is a realistic measure of Linux security, and I will delightedly compare it to Windows any day of the week. Securityfocus' figures, taken by themselves, don't mean anything.
  • by sheldon (2322) on Monday February 04, 2002 @03:04PM (#2951457)
    Screw securityfocus, let's look at bulletins released by manufacturers.

    Microsoft security bulletins released in 2002:
    MS02-001

    Redhat security bulletins released in 2002:
    2002-018
    2002-015
    2002-014
    2002-012
    2002-011
    2002-009
    2002-007
    2002-004
    2002-005
    2002-003
    2002-002
    2001-171
    2001-168
    2001-165

    And if you look at 2001 results you'll see a somewhat similar trend, although not near as pronounced. Somethink like 80 versus 60.

    Are these statistics meaningful? Of course not. If you have read Paul's columns you would know he reported this tongue and cheek. It was a slow news day, he noticed this, had to make fun of it.

    What makes this story interesting, and why Paul reported it is because if the numbers had been reversed you would be assured that would be the headline of the day on slashdot, and if anybody questioned it they would be called Microsoftie apologists.

    And look at the responses you see here. They're almost comical. Reminds me of the responses to the Mindcraft benchmark. Fear, Uncertainty and Denial. :)
  • Glass half full... (Score:5, Interesting)

    by gnovos (447128) <gnovos.chipped@net> on Monday February 04, 2002 @03:13PM (#2951516) Homepage Journal
    They are looking at this from the wrong perspective. Instead of saying "Linux had more bugs than Windows in 2001" it should say "Linux *fixed* more bugs than Windows in 2001". Simply becuase those Windows bugs haven't been found yet does *NOT* mean tha they are not there waiting to be exploited (or are already being exploited).
  • by C0vardeAn0nim0 (232451) on Monday February 04, 2002 @03:34PM (#2951638) Journal
    requires some methods, and since I'm too lazy today to look for the mothods they used to compile all that data, I'll create my own.

    1- let's stablish what's a windows OS and what's a Linux OS (and the nots too)

    1.1 Windows 3.1 is NOT an operational system. is a graphic user interface (GUI) for DOS. let's assume win 95/98/me and NT 3.5/4.0/2000/XP are OSes.

    1.2 Linux is NOT an OS. Is a KERNEL. the combination between Linux and GNU OS makes the operational system we know as GNU/Linux

    2 Let's determine the minimum instalation of each one that's capable of doing usefull work, including user tasks such as reading e-mail and browsing the web and server tasks such as serving web pages, sharing files, routing e-mail, et al.

    2.1 Both in Windows and GNU/Linux you'll have to select all the packages neccessary to the proposed tasks using the minimum ofered by the standard install CD. If the CD doesn't ofer some of the functionalities they must be downloaded from the manufacturer's site.

    2.2.1 for windows you'll keep only:
    - networking drivers;
    - the standard MS file sharing;
    - Internet Explorer;
    - Outlook express/MS mail;
    - IIS/personal web server
    - Exchange server;

    2.2.1 For GNU/Linux:
    - Network modules and associated tools;
    - NFS or Samba;
    - Mutt os pine (remember, in GNU/Linux you can read e-mail/browse from command line, so XFree is not installed);
    - Lynx or Links
    - Apache;
    - Sendmail;

    3 count the number of security holes in the test systems, including:
    - vulnerabilities to e-mail virii;
    - vulnerabilities to malicious web-pages;
    - remote exploits that grant root/administrator access;
    - local exploits that grant root/administrator access;
    - holes that allows an atacker to succesfully launch a DoS atack, freezing the machine;
    - unauthorized read and/or write access to files;
    - any other vulnerability you can think of;

    In a test like this who do you think'll win ? please post your comments.
  • Oh yeah. (Score:3, Interesting)

    by ikekrull (59661) on Monday February 04, 2002 @05:33PM (#2952309) Homepage
    All the servers infected with a virus hitting my web server requesting http://www/root.exe are UNIX machines, uh huh.

    Why not try this.
    With any of the following IPs, type 'smbclient -L 207.88.220.61'

    If you're more of a cracker than I am, you might then try smbclient //WORKGROUP/C\$ -I 207.88.220.61

    and just hit return when prompted for a password.

    this also works with:

    203.228.232.188
    203.231.119.70
    203.231.166.49
    203.233.20.86
    203.231.216.208
    203.199.54.26
    203.231.217.5
    203.231.122.227
    203.244.13.72

    and countless others.

    These machines (all Win2K) have their entire filesystems exposed over the internet, and are promiscuously advertising their presence because they are infected by a virus that leaves a clear trail in the logs of any web server they attempt to infect.

    These machines are engaged in abuse of my web services, and I hold Microsoft at least partly responsible for this situation.

    Presumably the virus itself is responsible for opening their shares with guest access, but maybe it's M$'s lame out-of-the-box security.

    If your machine's IP is on this (small fragment of my) list of machines banned from accessing my web server due to virus infection, then i suggest you replace your hopelessly insecure OS with a decent one.

    I was incredulous when i analysed my web-servers logfiles and found the sheer number of virus-infected hosts, all Windows NT and 2000, and most of which were sharing the entire contents of their hard-drives over the public internet.

    I know Windows can be secure as the admin is competent, but the ease with which it's security is breached through Outlook/IE is breathtaking.

    The idea that Windows is somehow more secure than Linux/UNIX is laughable to me.
  • by fR0993R-on-Atari-520 (60152) on Monday February 04, 2002 @06:23PM (#2952554)
    [Here's what I posted to the comments section of wininformant.com. Doubtful they'll display it.]

    Excellent satire.

    One only needs to look at the SecurityFocus stats referenced to find holes in most (if not all) statements made by Paul's article. An example:

    "A look at the previous 5 years [there were only four previous years reported on - tsmith]--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux..."

    Lets take a look at the previous "five" years, starting with 2000. Redhat Linux 6.2 i386, listed as the most vulnerable of the linux flavors with 65 vulns, is bested outright by MS Windows NT with a whopping 71 vulnerabilities. To compare apples to apples requires adding in MS IIS 4.0, with 29 reported vulns, for a total of 100 vulns, or over %50 more vulnerabilities than the _buggiest_ distribution of linux. Even the combination of the lowly, four-years-on-the-market, mature Windows95 with IIS (if such a combination were possible - it matters not, because if not then W95 cannot honestly be compared to RHL) results in 64 vulns. Note that Win95 had the least vulns reported (at 35) of all the Wins. Also not that despite it being out a solid 3 years longer than RHL, it can only best the mark by 1 vuln. Not quite what I'd describe as "far fewer".

    Paul's statement is even more humorous in light of the data from 1999. In that year, Microsoft's products fill the top of the list almost exclusively, with the exception of Solaris 7.0 having slightly more vulnerabilities than IIS and NT4.0SP5. That's right folks, IIS _alone_ had more vulns than any flavor of Linux and most of the Solari. NT4.0 without a service pack? 75 vulns.

    1998 is the only year during which Paul may have a contention regarding NT besting Linux. 8 vulns vs RHL's 10. Note, however, that this is not including bugs from IIS, and is akin to comparing apples to oranges. In any case a difference of two is not what I would consider "far fewer". The comparison of RHL to Win95 is laughable in this case - what does a count of security vulnerabilities show in a system which has virtually no security?

    Once again in 1997, RHL's 6 bests WinNT's 10.

    Paul, how exactly are we to interpret the phrases "five", "each year", and "far fewer"? Perhaps as "four", "maybe one year", and "a little bit"? I suppose your wording was close enough though - I mean, it _is_ just your journalistic integrity on the line, right?

    "Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2"
    Note that niether BO nor IIS are reported on in the 2001 tables, thus no conclusion may be drawn.

    "...despite the fact that Windows is deployed on a far wider basis than any version of Linux"
    Excellent heresay. Well un-supported by reliable references. After reading the prior claims in your article, I'll be sure to give this little tidbit all the credit it deserves (incidentally, none).

    Thanks again for the good laugh Paul! What's next week? "WinXP Embedded Has Smaller Footprint Than vxWork? Yepppp!" I can almost imagine you shaking your pom-poms in the air.
  • by TheFlu (213162) on Monday February 04, 2002 @07:41PM (#2952838) Homepage
    How about some different numbers...everyone loves statistics. "The following numbers were obtained by counting web site defacements as listed at Attrition.org from June 2000 through May 2001:" Breakin Stats [geodsoft.com]


    The trouble with comparing Linux distros to Windows lies in the fact that Linux distros include so many different applications. I just did a count of installed packages on a RedHat box I am using, and I got 780 installed packages. I'd like to see a comparison of the number of exploits between the RedHat distro and Windows installed with 700 of the most common applications for it. That might be a more useful comparison. Also, I will readily acknowledge the weakness and lack of true usefulness of the numbers below, so no need to flame me for the lack of usability...I'm only posting the info I found, so no need to stone the messenger.


    Windows
    4336 Windows NT
    1070 Windows 2000
    2 Windows 95
    5408 Windows total

    All UNIX and Like
    1185 Linux Red Hat
    999 Linux unknown distributions
    36 Linux Connectiva
    23 Linux Debian
    17 Linux Cobalt
    17 Linux SuSE
    13 Linux ALZZA
    12 Linux Mandrake
    1 Linux Slackware
    2304 Linux total

    485 Solaris & Sun OS (1)
    267 IRIX
    163 FreeBSD
    121 BSDI
    44 SCO
    28 Generic UNIX
    18 Compaq Tru64 UNIX
    9 AIX
    7 HPUX HP
    4 Digital UNIX DG
    3 OpenBSD
    2 NetBSD
    1 PowerBSD
    1 Digital OSF1
    1153 UNIX & Like total

    3457 UNIXs & Linux

    8865 Total Windows and all UNIX

    Other
    2 Mac OS
    1 Netware

    63 unidentified

We want to create puppets that pull their own strings. - Ann Marion

Working...