Windows vs. Linux Security, Once More
TAGmclaren writes "The Register is running a very interesting article about Microsoft and Linux security. From the article: 'until now there has been no systematic and detailed effort to address Microsoft's major security bullet points in report form. In a new analysis published here, however, Nicholas Petreley sets out to correct this deficit, considering the claims one at a time in detail, and providing assessments backed by hard data. Petreley concludes that Microsoft's efforts to dispel Linux "myths" are based largely on faulty reasoning and overly narrow statistical analysis.' The full report is available here in HTML form, and here in PDF. Although the article does make mention of OS X, it would have been nice if the 'other' OS had been included in the detailed analysis for comparison."
Re:Geez.. (Score:3, Informative)
I think the "mysterious future" feature available to subscribers allowing them to see upcoming stories ahead of the rest of us is meant to be an ironic joke: you've got to read the stories whilst they are still there, because whether or not the links will be accessible in the future is a mystery...
Make Sure That You Only Present... (Score:1, Informative)
In case of Slashdotting (Score:1, Informative)
By John Lettice
Published Friday 22nd October 2004 15:30 GMT
Report Considering the publicity that has surrounded - and, despite super new security-focused Service Packs, continues to surround - Windows security issues, Microsoft's determination to demonstrate that Linux is less secure than Windows shows a certain chutzpah. The company has however had some support here; Forrester, for example, provides some numbers that can be used to support the contention that Microsoft flaws are less severe, less numerous and fixed faster. And although there's a general readiness among users to believe that Windows is a security disaster area, there's also a reasonable amount of support for the view that Linux would get just as many security issues if it had anything like Windows' user base.
But what's the truth? For every claim there is, somewhere, a counterclaim. But until now there has been no systematic and detailed effort to address Microsoft's major security bullet points in report form. In a new analysis published here, however, Nicholas Petreley* sets out to correct this deficit, considering the claims one at a time in detail, and providing assessments backed by hard data. Petreley concludes that Microsoft's efforts to dispel Linux 'myths' are based largely on faulty reasoning and overly narrow statistical analysis. Even if you think you know this already (as we fear may be the case for numerous Register readers), we think you'll find it useful to be able to say why you know it, what the facts and the numbers really are, and where you can get the document to back up what you're saying. Appropriately enough, we're offering the report for free. You can browse through it here, and you can download it in PDF format here.
We encourage you all to grab a copy and give it a good read, but as a service for the fast fact junkies, we've produced a few bullet points of our own. All of these are clearly supported (unlike some similar efforts you might find elsewhere) by Nicholas' report, but don't just take our word for that, check it against the full report.
Myths and Facts
Myth Windows only gets attacked most because it's such a big target, and if Linux use (or indeed OS X use) grew then so would the number of attacks.
Fact When it comes to web servers, the biggest target is Apache, the Internet's server of choice. Attacks on Apache are nevertheless far fewer in number, and cause less damage. And in some cases Apache-related attacks have the most serious effect on Windows machines. Attacks are of course aimed at Windows because of the numbers of users, but its design makes it a much easier target, and much easier for an attack to wreak havoc. Windows' widespread (and often unnecessary) use of features such as RPC meanwhile adds vulnerabilities that really need not be there. Linux's design is not vulnerable in the same ways, and no matter how successful it eventually becomes it simply cannot experience attacks to similar levels, inflicting similar levels of damage, to Windows.
Myth Open Source Software is inherently dangerous because its source code is widely available, whereas Windows 'blueprints' are carefully guarded by Microsoft.
Fact This 'inherent danger' clearly has not manifested itself in terms of actual attacks. Windows-specific viruses, Trojans, worms and malicious programs exist in huge numbers, so if one gives any credence at all to this claim, one would do better to phrase it 'Open Source Software ought to be more dangerous'. But the claim itself hinges on the view - rejected by reputable security professionals - that obscurity aids security. Obscurity/secrecy can also make it more difficult for the vendors themselves to identify vulnerabilities in their own products, and can lead to security issues being neglected because they are not widely-known. The Open Source model, on the other hand, facilitates widespread review and makes it easier to identify and correct flaws. Modular design principles support this, while the overall appr
Re:Geez.. (Score:3, Informative)
Re:Linux is more secure. Once more. (Score:2, Informative)
Re:What I Would Like to See (Score:5, Informative)
He did use the Apache case as a counter-example, because that's one of the few cases where MS and Libre software compete, and Libre is the larger target. In that case, the smaller target comes out looking more vulnerable. Is there something special about Apache which makes you think that it wouldn't work that way for other Libre projects? If you know something we don't, by all means share it.
Oddly enough, Petreley covered that question, too [theregister.co.uk].
Re:Make Sure That You Only Present... (Score:3, Informative)
While the Reg likely won't be
Much ado has been made about whether or not Linux is truly more secure than Windows. We compared Windows vs. Linux by examining the following metrics in the 40 most recent patches/vulnerabilities listed for Microsoft Windows Server 2003 vs. Red Hat Enterprise Linux AS v.3:
1. The severity of security vulnerabilities, derived from the following metrics:
1. damage potential (how much damage is possible?)
2. exploitation potential (how easy is it to exploit?)
3. exposure potential (what kind of access is necessary to exploit the vulnerability?)
2. The number of critically severe vulnerabilities
The results were not unexpected. Even by Microsoft's subjective and flawed standards, fully 38% of the most recent patches address flaws that Microsoft ranks as Critical. Only 10% of Red Hat's patches and alerts address flaws of Critical severity. These results are easily demonstrated to be generous to Microsoft and arguably harsh with Red Hat, since the above results are based on Microsoft's ratings rather than our more stringent application of the security metrics. If we were to apply our own metrics, it would increase the number of Critical flaws in Windows Server 2003 to 50%.
We queried the United States Computer Emergency Readiness Team (CERT) database, and the CERT data confirms our conclusions by a more dramatic margin. When we queried the database to present results in order of severity from most critical to least critical, 39 of the first 40 entries in the CERT database for Windows are rated above the CERT threshold for a severe alert. Only three of the first 40 entries were above the threshold when we queried the database about Red Hat. When we queried the CERT database about Linux, only 6 of the first 40 entries were above the threshold.
Consider also that both the Red Hat and Linux lists include flaws in software that runs on Windows, which means these flaws apply to both Linux and Windows. None of the alerts associated with Windows affect software that runs on Linux.
So why have there been so many credible-sounding claims to the contrary, that Linux is actually less secure than Windows? There are glaring logical holes in the reasoning behind the conclusion that Linux is less secure. It takes only a little scrutiny to debunk the myths and logical errors behind the following oft-repeated axioms:
1. Windows only suffers so many attacks because there are more Windows installations than Linux, therefore Linux would be just as vulnerable if it had as many installations
2. Open source is inherently less secure because malicious hackers can find flaws more easily
3. There are more security alerts for Linux than for Windows, therefore Linux is less secure than Windows
4. There is a longer time between the discovery of a flaw and a patch for the flaw with Linux than with Windows
The error behind axioms 3 and 4 is that they ignore the most important metrics for measuring the relative security of one operating system vs. another. As you will see in our section on Realistic Security and Severity Metrics, measuring security by a single metric (such as how long it takes between the discovery of a flaw and a patch release) produces meaningless results.
Finally, we also include a brief overview of relevant conceptual differences between Windows and Linux, to offer an insight into why Windows tends to be more vulnerable to attacks at both server and desktop, and why Linux is inherently more secure.
Re:Linux is more secure. Once more. (Score:5, Informative)
Will be exploited? Download the metasploit framework [metasploit.com] sometime; there are more exploits for Linux than for Solaris or Windows. But this is where the guy's point becomes important: because of how Windows deals with security tokens (here [wiley.com] is a good place to start if you're curious), any exploit that gains access can probably execute code in the SYSTEM context.
So, of the Linux exploits that are trivially available to exploit, none can reliably execute arbitrary system code, while all of the Windows exploits can. That's not this one guy's opinion, that's just how the operating systems work.
Or a better alternative (Score:5, Informative)
IE messages, security features and windows updates (Score:2, Informative)
This type of implementation of security related features is precisely why nobody uses them and gets their machine bloated with spyware, malware, viruses and such.
The inability to update a machine via a 56k modem is probably another reason why I know so many friends running unpatched OSes (any offline installable M$ update, anyone?). Grrrrrrr....
Incorrect maths (Score:1, Informative)
There are 60 x 24 x 30 = 43200 minutes in a month
If you are down for 4 minutes a month, you have
((43200 - 4) / 43200) x 100 = 99.9907% reliability.
That's 4 nines, not the 6 nines claimed. Each additional nine is way harder to achieve, e.g. 5 nines is about 5 minutes per year, so you only get to reboot once a year at that speed!
Re:Articles like this... (Score:1, Informative)
http://en.wikipedia.org/wiki/Astroturfing
"Ast
This isn't about "hardship". It's about numbers. (Score:5, Informative)
Nope.
Reboots take about 4 minutes to shut down, restart, wait for the services to resolve themselves, and try again.
4 minutes/month == 48 minutes/year.
99.999 availability means 5.26 minutes of downtime per year.
At best, you've got around 99.99% availability.
However, 4 minutes a month isn't a hardship, and anyone who says it is needs to either look into something transparently redundant and fault-tolerant, or reevaluate why they are so dependent on that one system in the first place.
It isn't about "hardship". It's about reliability. Getting that last
But for those that require it, it is available. And because it is available to those, it is available to everyone. Even those who do not need it.
Sure, my print server probably doesn't need 99.999% reliability. But because it has it, I don't have to worry about it.
In my experience, it's the reboot that causes the hardware failures. The fewer reboots, the fewer chances for hardware failure.
Re:enterprise 03 (Score:3, Informative)
I'm citing your comment as a "reasonable standard" for enterprise grade equipment in another comment I'm writing, walking through the author's paper and clarifying important points.
Discussing the merits? (Score:1, Informative)
Re:I'd rather see (Score:5, Informative)
I think (correct me if I'm wrong) they fixed this in Windows XP SP2. The software firewall comes up first, then the network interfaces. If the firewall tries to start and fails, the network interfaces won't start either.
Re:SELinux (Score:3, Informative)
Re:Make Sure That You Only Present... (Score:3, Informative)
They work well.
Unpatched Windows Vs Linux (Score:3, Informative)
Do the same with XP or W2k and within 20 minutes or less it would become infected and begin zombie operations.
Let's go to a patched server: in both cases they're still vulnerable. However, there is a clear difference in vulnerabilities, with the majority of Linux ones being in the realm of local hacks, whereas in Windows you're still dealing with remote hacks and buffer overflows.
Yes, in many cases both problems can be blamed on 3rd party apps, but even in kernel-to-kernel comparisons Windows is still high on the list of being vulnerable.
Re:IE messages, security features and windows upda (Score:2, Informative)
You can (and maybe should) order a XP SP2 CD from Microsoft - it's free, all expenses paid by M$. Not patching your machine will only make the hackers and spammers happy. .... at least I'm secured against known vulnerabilities.
I'm on ISDN, so downloading XP SP2 isn't an option. I ordered the patch CD, and now my XP machines are patched & secure - so I hope
Re:IE messages, security features and windows upda (Score:2, Informative)
But, how about those numerous friends/relatives who still run win98 and can't update to something else without changing their hardware? I find it rather embarrassing that none of those update packs can be downloaded and installed *later* on other machines; it's pure nonsense to me.
Re:Make Sure That You Only Present... (Score:2, Informative)
Re:Window vs OS X (Score:2, Informative)
I suppose that's why the kernel is Open Source and compiled on a GNU platform (GCC is the default compiler for the BSD subsystem), hmmm? Maybe that explains why just about everything aside from the graphics layer and a handful of other code can be - and often is - contributed back upstream to the FOSS community. Safari is an enhanced front-end for Konqueror, and Apple sends many of their bugfixes back up the pipe. There are other examples, but that's one that just about anyone will have heard of.
Standards that are part of OS X include LDAP, Kerberos, OpenSSL, OpenSSH, 3DES (Triple Digital Encryption Standard), TLS (Transport Layer Security), S/MIME, X.509 Certificate Handling, L2TP (Layer 2 Tunneling Protocol), PPTP (Point to Point Tunneling Protocol), EAP (Extensible Access Protection), LEAP (Lightweight Extensible Access Protection), PEAP (Protected Extensible Access Protection), TTLS (Tunneled Transport Layer Security), VPN support for Microsoft and Cisco RSA secureID, and IPFW (the BSD firewall).
Read it for yourself!
Apple [apple.com] even has this to say:
Here, [apple.com] you can find a complete list of Apple's ties to Open Source.
So, while Apple may not be entirely free and open with everything they do, I think it's more than slightly hasty to write them off as just another corporate closed-source shop. There are some deep ties between OS X and its roots, especially with the BSDs. Perhaps you might want to read up on Apple's dabbling with Linux in the past [apple.com] before making such claims. More, and less of Apple's marketing, can be found here, [kernelthread.com] if you're interested in how Mach and OS X came to be. This article is a subsection of a much larger history of Apple's operating systems and the influences thereupon. The short version is that Steve Jobs went off to found NeXT, where he and his teams created an operating system from the Mach 2.5 kernel. Just as Mach had been intended, it was a framework to create your own system around and not a whole OS in and of itself. Later, when he returned to Apple, it's fairly obvious that Jobs brought along his Mach love and, well... The rest is history.
Despite what some would have you believe, it's possible to patch whatever version of a given utility or program you're using through the terminal. I maintain a number of applications that aren't Apple's distributed choice - or distributed with their products at all! - because I decided I wanted them. It's pretty simple, since I have access to dselect, apt-get, and fink to maintain my OSS library.
Between the power and stability of OS X and the design brilliance of Jonathan Ive, Apple's been reversing their death spiral rather handily. If one considers that they've been making consistent, year over year leaps since his return, the future looks pretty bright for the habitually "beleaguered" and "proprietary" inhabitant of Cupertino, California.
The place that OS X is now is where Linux needs to be - fast, stable, pretty, and usable. So far, the Linux community can manage three out of the four, but there are serious problems with the usability and appearance aspects. Until the day I can have my sister or grandmother be able to pop in a CD or DVD and just click through and have it work when they're done, the job just isn't over. Keep trying, though! I see Apple and the FOSS community as allies and not enemies, so I'd like to see what can be done on both fronts.
Re:Make Sure That You Only Present... (Score:3, Informative)
D:\ResKit>su.exe
UserName required!
above available from nt4.
or "run as" available from win2k?
Look, you'd better educate yourself before posting.
Ah, but the lack of factual data is the problem. (Score:1, Informative)
Both of those claims are unfounded. He says that Windows XP is a "big step" in multi-user support. However, he apparently (without saying so) is comparing Windows XP to the Windows 9x and DOS line of products.
The real comparison should be to the Windows NT line, as that is where XP evolved from.
Windows NT was designed from the ground up to be a multi-user system. It was also designed to be the single most modular OS around. Furthermore, it was designed with a network environment in mind and includes security features based upon those found in older Unix architectures (as well as VMS, where NT finds a good deal of its heritage).
This kind of thinking is also clear when comparing NT's scalability features. NT was designed for multi-threading - Linux was not. Only recently have Linux's threading and scheduler functions come close in capability to those of more modern OSes like NT and the defunct BeOS. BSD systems, while based on older technology than even Linux, advanced in this area much faster as well.
The misrepresentation of Windows' history is indicative of the author's bias. If you set out wanting to find a certain result, you'll probably give a one-sided treatment to attain your goal.
Re:Or a better alternative (Score:1, Informative)
Re:Make Sure That You Only Present... (Score:1, Informative)
Shamefully, I read (most of) the article.
The section titled:
Windows focuses on its familiar graphical desktop interface
talks about how Windows is more vulnerable because it, by design, leads people to working in a desktop-like environment on the server. Microsoft wants you to walk up to the server, log in as Administrator, and download the new service pack via IE. He lists this as a bad thing. He then compares Linux, which is far more often set up headless and administered remotely via shttp or ssh. He lists that as a better thing.
So while Windows users are part of the problem for doing foolish things, they are doing them partly because Microsoft designed the system to work that way.
BTW, Server 2003 was put on my company's server in February. In March, we went to data recovery on our way to Server 2000. Third party apps crashed the system hard enough to lose the filesystem. One data point does not a trend make, but S2003 isn't perfect.
Re:Then again, Lindows / Linspire (Score:3, Informative)
Re:Does security really matter? (Score:5, Informative)
YES
I mean neither Windows nor Linux are secure; we see new ways to exploit them every few weeks or even days
Um, no, there is a huge difference. UNIX applications are usually designed in an inherently secure manner, UNIX file permissions really do make a difference, and UNIX contains mechanisms that can be used to lock the system down to the point where you can give a user "root" access and they still can't modify anything outside the sandbox you set them up in.
Windows does not, in practice, provide some of these kinds of security at all... and others are purely nominal protections at the same level of asking people "are you going to rob the bank" and letting them into the vault if they say "no".
So where on Linux an error that lets someone break out of a CHROOT environment is listed as an "exploit", Windows doesn't even provide that kind of environment so you don't need an exploit to compromise it. When a Windows exploit is listed, it far more often means there's a way of completely compromising your computer and taking it over, rather than just letting the attacker from one locked room to another.
That is, if I was running an "anonymous FTP server", and the server application has a buffer overflow in it, on Windows that exploit would let them inject a backdoor and take over my machine at will, and modify the boot sequence to restart the backdoor if the computer is rebooted. On Linux, they would be able to run the backdoor as an unprivileged user, they wouldn't be able to even see any executable files that could be used to restart the backdoor, and in some configurations they wouldn't even have network access. They would need to find and run two more exploits... one to break out of the CHROOT environment and one to get root privileges... before they could do anything.
This is called "defense in depth". UNIX systems and applications, developed in an environment where you had to give mutually untrusting users access to the same computer at the same time in a timesharing environment, don't break down and give up with one attack.
SO...
Linux, like all UNIX systems, is built around inherent security and defense in depth, which means that it's MUCH harder to get in and MUCH harder to do anything once you are in.
AND...
It's not just a matter of relative popularity... for one example: back when 2/3 of the domains out there were running Apache on Linux, the less than 1/3 remaining IIS servers still represented 2/3 of the domains on the "defaced sites" list.
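The layered posture this comment (and the earlier one about Windows exploits landing in the SYSTEM context) describes only holds if the service actually gives up root and is confined before it touches untrusted input. The following is an added example, not code from the comment author or from the Petreley report: the conventional privilege-drop sequence for a Unix daemon in C for Linux, with the ordering pitfalls (chroot without chdir, setuid before setgid, forgetting supplementary groups, a saved uid of 0 that lets the process climb back) handled and verified. The jail directory and the uid/gid 65534 ("nobody") are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Confine the calling process to `jail` and drop to uid/gid.
 * Returns 0 on success, -1 on failure with errno set.  Every step is
 * checked: a silently failed setuid() is how a "sandboxed" daemon ends
 * up still running as root.
 */
int drop_to_unprivileged(const char *jail, uid_t uid, gid_t gid)
{
    /* Refuse to "drop" to root: that would defeat the whole exercise. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }

    /* chroot() needs root (CAP_SYS_CHROOT); the jail must already exist. */
    if (chroot(jail) != 0)
        return -1;

    /* Without this the cwd still points outside the jail, and a relative
     * path walks straight out of it. */
    if (chdir("/") != 0)
        return -1;

    /* Clear supplementary groups (e.g. wheel, adm) inherited from root. */
    if (setgroups(0, NULL) != 0)
        return -1;

    /* Group first: once we are no longer root, setgid() would fail. */
    if (setgid(gid) != 0)
        return -1;

    /* setuid() as root sets real, effective and saved uid together. */
    if (setuid(uid) != 0)
        return -1;

    /* Verify the drop is permanent.  If either call succeeds, a saved or
     * effective uid of 0 survived and a compromise could regain root. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stand-alone demo: ./drop <jail-dir> <uid> <gid>   (run as root to see a
 * successful drop; as an ordinary user chroot() fails with EPERM). */
int main(int argc, char **argv)
{
    /* Assumed defaults: an empty jail directory and the "nobody" ids. */
    const char *jail = argc > 1 ? argv[1] : "/var/empty";
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[2], NULL, 10) : 65534;
    gid_t gid = argc > 3 ? (gid_t)strtoul(argv[3], NULL, 10) : 65534;

    if (drop_to_unprivileged(jail, uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid=%u gid=%u, confined to %s, cwd=/\n",
           (unsigned)getuid(), (unsigned)getgid(), jail);
    /* Only here would a real daemon start accepting connections. */
    return 0;
}
```

A daemon that calls this before opening its listening socket gives an attacker exactly the position the comment describes: an unprivileged process in an empty directory, needing further, separate flaws to escape the jail and another to reach root.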
Re:A few clarifications... (Score:1, Informative)
Re:Make Sure That You Only Present... (Score:3, Informative)
Yup.....and it makes it a pain in the ass if you have to do any Oracle DBA work on a win.box. We used to have at least the oracle acct. that had local admin..or enough special privs. when we needed it. Now, they've got new rules...and we have to bug the SA to come fucking sit with us, to log us in to run/build things,,,etc.
On the Sun boxes we work on...everything we need is there...and for special things...we get sudo for them. I cringe whenever they throw a windows box for us to install and maintain Oracle on...we as a group always push for a Unix platform. So much easier to care for and automate with scripts.
Re:biased? (Score:3, Informative)
Re:Ah, but the lack of factual data is the problem (Score:3, Informative)
The problem is everything else added on top of the kernel, and the fact that graphics drivers have been integrated with the kernel instead of separated out. Though XP has made progress by moving sound drivers out of the kernel -- in contrast to Linux which has sound drivers in the kernel, and graphics drivers in userland (with two notable exceptions -- Nvidia and Ati's 3d drivers).
Even with the RPCs, if they were each separated into separate user accounts with access rights to only allow what is needed for each service, security would be vastly improved.
And while NT may have a more feature rich access rights model, it hasn't been exercised very well.
Also you would be more convincing if "Don't run as Administrator" was as popular a phrase in the windows world as "Don't run as root" is in the Unix world.