Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security

Windows vs Linux On Security 480

e8johan writes "NewsFactor is running an article asking whether Linux really is more secure that Windows. I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen, but they do make some good points, especially when discussing Open Source and security."
This discussion has been archived. No new comments can be posted.

Windows vs Linux On Security

Comments Filter:
  • by Anonymous MadCoe ( 613739 ) <maakiee@NoSpam.yahoo.com> on Monday October 14, 2002 @08:39AM (#4445072) Homepage
    Which is more secure is such a hard question. UN*X is structurally more secure in many people's opinions. Windows also has the disadvantage that it has many clueless admins (even the certified ones). I think that's a big part here, any OS is as secure as the admin, a well managed Windows box can be more secure than a badly run Linux box... A propper comparison will be much more complicatec than this article.
    • pick(nit); (Score:5, Insightful)

      by Black Parrot ( 19622 ) on Monday October 14, 2002 @08:56AM (#4445184)


      > I think that's a big part here, any OS is as secure as the admin...

      I would have said "the admin sets an upper bound on system security". The OS could still undershoot that bound.

    • by swb ( 14022 ) on Monday October 14, 2002 @08:58AM (#4445193)
      I wonder if Windows' security problems aren't as much the fault of the everything-but-the-sink integration and legacy support, and abysmal documentation as they are inexperienced and unknowledgable administrators.

      A lot of the IIS exploits are built around "integration features" turned on by default and not well (at all?) documented. How do you disable what you don't know exists? And that's just IIS -- there's more hidden surprises buried in the OS known by hard-core developers and MS only.

      Third party resources? You can't say "take a class" -- I've *taken* MS curricula before and its not a whole lot better than the online documentation. A typical 30 hour (4 day) class has about 2 hours of stuff you'd be unlikely to sort out through the UI and docs. Books? Usually no better than the online docs and often *worse*, and that's if you can manage to wade through a sea of 'em to find one that's not just screenshots of the online docs!

      My experience with Linux and (predominately) FreeBSD is that while the UI of these OS's is often less untuitive, the documentation, even man pages, while dense is far closer to complete than Windows and there's a lot less hidden "gotchas". One of the great things about textual config files is that most sample configs, especially with stuff like Apache, Squid, etc is that the configuration docs are integrated with the config. You just can't do that well with Windows, which is moot anyway, since MS *doesn't* do it with their default configs.

      My point is that while its fun (and often fair) to blame clueless admins, they're also admining a system that seems to try very hard to defy people who want to learn -- Just Click Here And It'll All Be OK. If they could learn and understand the operation of the system(s) and their archtecture they'd get a lot smarter. MS makes it hard to do this so people don't.

      • by GigsVT ( 208848 ) on Monday October 14, 2002 @09:20AM (#4445312) Journal
        Playing devil's advocate here but....

        MS could have documentation that is just as good, and contextual like a squid conf file.

        The problem is that people stop clicking the question mark cursor (contextual help) after doing it about 10 times and getting "This is a text box, you enter text into it" or "click the check box to toggle this option on or off".

        So, IMO, it's not so much that they can't, it's that they don't.
      • Difference (Score:3, Interesting)

        by AftanGustur ( 7715 )


        I've *taken* MS curricula before and its not a whole lot better than the online documentation. A typical 30 hour (4 day) class has about 2 hours of stuff you'd be unlikely to sort out through the UI and docs.


        My thoughts exactly when I took the NT server/admin/whatever course. I realy felt like I had been had (or that the company I worked for had been had).

        Those awfully expensive Micro$oft courses do a la-la job of telling you what the software can do, but leave out entirely *how the software works*, which is exactly what serious admins need to know.

        • Re:Difference (Score:4, Interesting)

          by swb ( 14022 ) on Monday October 14, 2002 @01:12PM (#4446997)
          Those awfully expensive Micro$oft courses do a la-la job of telling you what the software can do, but leave out entirely *how the software works*, which is exactly what serious admins need to know.

          I've always wondered why people don't offer more in-depth courses that cover more than just remedial networking-101 and basic dialog box entry, since the "official" curricula is so empty. The answer is probably twofold:

          Most people are taking the classes for bad reasons: to pass the MS cert tests, to get out of work for a few days or because of work requirement. They're not actually interested in how it works.

          -or-

          Even scarier, it's because nobody (outside of 500 or so developers, MS employees and other who aren't telling) REALLY knows how it works! 15 years of weird coding, new features, parallel development paths, diverse coding groups, ad nauseum have rendered an OS and system that simply is too byzantine to be understandable by anyone. It's like a fractal design -- the closer you get, the more detail is revealed, which brings you closer, to more detail...
    • by Anonymous Coward
      I know a couple MCSE guys that are "security experts". They think hackers use programs called "script kitties" to break into machines.

      Meow!
    • In circumstances like these, I think the best metric would be to use averages. An average windows box is less likely to be well managed given the profile of an average windows user (not to say (s)he is less smart, just less of an OS/security geek). Add to this the bundling of dangerous products like VB-script enabled utilities, and the winbox (even corporate-admin managed) is a disaster waiting to happen. On the other hand, a *nix user is mostly a more sophisticated user with a little more understanding of security. I don't think it is possible to have a really completely fair and proper comparison of the two systems unless you only ask persons who use/admin both systems.
    • The problem is that there are a couple of issues:

      ** Out of box:
      Linux: used to suck hard here. Traditionally, ran lots of services. You were supposed to know what you were doing and close what you didn't want. Now, unacceptable for new users. RH 5.2 shipped with tons of services, which people found holes in quickly. RH 8.0 ships with far less running.
      Windows: Fewer services than old Linux, but too many things running as "root" like IIS. A ridiculous amount of holes in IIS compared to Apache. XP is supposed to have (finally) proper permissions out of box.

      ** Granularity:
      Linux: normal UNIX stuff. Getting ACLs. Not very granular at all. You have the framework to hack up just about anything you want with sudo and scripts, but it isn't there out of box, and it isn't standardized.
      Windows: Nice. You can say "sally and bob can read this file, and mary can only write to it but not read it." ACLs may not be fast or easy to examine for mistakes, but they're powerful and easy to use.

      ** Easy of screwing up:
      Linux: UNIX is pretty easy to examine for irregularities, suid binaries, etc.
      Windows: Just like VMS, it's a *bitch* to know if you have some series of permission errors that screw you over somewhere.
  • Article Summary (Score:5, Insightful)

    by Sabalon ( 1684 ) on Monday October 14, 2002 @08:40AM (#4445077)
    Security problems exists - it may or may not be worse in Linux than windows...keep your systems updated regardless.

    C'mon...this was nothing but flamebait - nothing news worthy there at all.

    About the only telling thing is the top line about MS turning towards spending $$$ towards security - perhaps that includes buying blurbs like this saying Linux ain't perfect either.
    • Flamebait indeed (Score:5, Informative)

      by kafka93 ( 243640 ) on Monday October 14, 2002 @08:58AM (#4445198)
      In many respects, Linux isn't so much a "newer operating environment" - its pedigree is Unix, and it owes much of its core to long-established developments for much older systems. To say that it is "even newer than Windows" and to cite this as evidence that Linux is therefore less secure than Windows is rather irresponsible, to say the least.

      Similarly, the quoting of a few minor-but-exaggerated viruses etc., and to imply that these stack up to anything remotely comparable to the plethora of such issues that plague the Windows OS, is quite ridiculous.

      Let's face it - this is FUD. "Microsoft has organized a huge security program" and (Linux is) "less disciplined but more timely" -- such soundbites have been carefully calculated.

      Of *course* security comes to more than the Operating System alone; still, one can only gape at such inane comments as "the existence of security flaws -- and of hackers willing to exploit them -- does not necessarily add up to more risk for users".

      This is FUD that is based on the vaguest understanding of security, upon one man's comments, upon old, tired misunderstandings about the merits of "single commercial entities" -- in short, it is the usual chest-pumping pro-Microsoft FUD from someone who knows very little about which he speaks.
      • Re:Flamebait indeed (Score:5, Informative)

        by Reziac ( 43301 ) on Monday October 14, 2002 @10:16AM (#4445727) Homepage Journal
        Well, I would have thought it flamebait too, and then I picked up a copy of "Hacking Linux Exposed" (http://www.hackingexposed.com/) This companion volume to "Hacking Exposed" is almost as thick as the original, which covers all other OSs combined.

        BTW, they're both very good reads; indeed, I would say *required* reading for sysadmins of ANY platform.

        • Re:Flamebait indeed (Score:4, Informative)

          by user311 ( 320598 ) on Monday October 14, 2002 @03:12PM (#4448157)
          Umm, yeah, but there is also Hacking Windows 2000 exposed - which is pretty much the same size as the other two. Hacking Linux exposed was more in depth than its predecessor, and the same with HEW2K. So your comment by no standards solves the question at hand, nor does it verify whether the the article is flamebait.
      • In many respects, Linux isn't so much a "newer operating environment" - its pedigree is Unix, and it owes much of its core to long- established developments for much older systems. To say that it is "even newer than Windows" and to cite this as evidence that Linux is therefore less secure than Windows is rather irresponsible, to say the least.

        To get even more picky, Windows is used as a generic term. Most GNU/Linux distros are older than Windows XP or 2000. Some Linux and BSD distros are older than Windows NT. The core security model of all *nix systems is much older than any Windows security model.

        I didn't think much of this article, basically because it didn't really say anything.

  • by Anonymous Coward on Monday October 14, 2002 @08:41AM (#4445080)

    From the article:

    Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.

    This is probably true, but only because for Linux, every security vulnerability gets posted multiple times, once for each vendor that has released updated packages, plus once by the vulnerability discoverer (so you get one by the discoverer, and one by redhat, debian, mandrake, suse, turbolinux, grandmasfavouritedistro, etc).

    In contrast, with Windows, you only see a posting related to a single vulnerability twice - once by the discoverer and once by Microsoft.

    It appears to me if you count each vulnerability only once, there have been more Windows-related than Linux-related.

    • by jandrese ( 485 ) <kensama@vt.edu> on Monday October 14, 2002 @09:23AM (#4445335) Homepage Journal
      And sometimes only once, when the discoverer posts and then nothing from Microsoft. Heck, by this logic, the most secure system is the one where the vendor never ever acknowledges security problems, much less fixes them.
      • And sometimes only once, when the discoverer posts and then nothing from Microsoft.
        I seem to recall a big uproar about Microsoft deciding not to further their efforts to release e-mail vulnerability/patch announcements, opting instead to have users frequent their websites to view the contents of the announcements.

        I'm subscribed to just about every Security Focus mailing list that has anything to do with security, viruses, bugs, incidents, events, etc. and I really haven't even seen many (any?) "Visit this URL for details" posts from Microsoft. I'd have to say that they've gone quite mum in recent months.

        Of course, when you stop announcing your vulnerabilities in an open forum, then threaten legal action against anybody else who tries to do it for you, that open forum will slowly start to tilt towards the other guys. Sure, Linux/UNIX application vulnerabilities (don't forget that Apache, Sendmail, and BIND still run on FreeBSD et al!) are more popular on the list - but that's because people aren't ALLOWED to publicize Microsoft vulnerabilities!

        I know that recent MS EULAs forbid people from disclosing benchmarks relating to the ".NET" suite of applications without Microsoft's prior consent - is it feasible that they've buried something in there about vulnerability disclosure as well?

  • Geez (Score:4, Interesting)

    by Hayzeus ( 596826 ) on Monday October 14, 2002 @08:44AM (#4445099) Homepage
    I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting

    These aren't exactly a part of the operating system, though, are they? Any poorly set up system will be vulnerable. I'm no huge fan of MS's bloated products and crappy license arrangements, but I mean, really...

    • ActiveX is... (Score:5, Insightful)

      by Arker ( 91948 ) on Monday October 14, 2002 @08:56AM (#4445183) Homepage

      Microsoft has worked very hard to make ActiveX an integral 'part of the operating system' - it's a pain to get rid of it even on older systems, and I don't believe anyone has even worked out a way to properly disinfect it from XP to date (if I'm wrong give me a link, litepc.com is still working on it, it's a tough problem.) ActiveX is also the very exemplar of security hole from the ground up. Despite all the lip-service given recently to the concept of security by Microsoft, this particular policy, by far the biggest cause of security flaws, has been intensified over time, not backed off from. This makes Microsoft systems and security antonymical.

      Now there are some smart folks at Microsoft, I can't credit the theory that no one there understands what they are doing. The alternative, of course, leads to what may be denigrated as 'conspiracy theory' but in this case it seems reasonable, for the reasons stated above. What does Microsoft gain by making their systems inherently insecure? A rationale for the 'necessity' of so-called security schemes (that really don't have anything to do with security, but rather with centralised control) such as DRM. Flood the net with insecure boxes and then cash in later by 'solving' the problem in a way that makes you the effective gatekeepers of the internet. Now there's a business model with some profit potential.

      • Re:ActiveX is... (Score:3, Interesting)

        by Fizzlewhiff ( 256410 )
        Windows applications will always be less secure than OSS because it's much more complex and used by millions more users. This is the fact that tends to get missed by people who blindly quote stats that they don't comprehend.

        Your reasoning for windows applications being less secure than OSS makes no sense.

        Closed source software is no more complex than its open source counterpart. The fact that millions uses software package A over software package B does not make A less secure than B.

        I've never worked on an open source project because the closed source world keeps me too busy. But I would imagine its very similar to working on a closed source project, the main difference being teams are not working at the same location. Still, everyone works on their assigned piece of the project and checks it in and hopefully the project leader and others on the team review the code and perform walkthroughs. In either world security holes (buffer overflows, etc.) should be spotted. So its not the open or closed source model that leads to more secure code, it is the project management methodology and the people on the projects who lead to more secure code.

        The code most prone to errors in my opinion would be the code written by teams of one where virtually no review would be done. I believe you would find this type of development more often in an open source project but it could happen in either environment.

        The thought that security problems in commercial software being a conspiracy to make way for DRM and DRM based operating systems is laughable. I remember back in the early 90's a similar theory that IBM was writing the more common DOS viruses as a method to promote the usage of OS/2 because at the time no one had ever heard of any OS/2 virii. The fact that there was little OS/2 file swapping because there was little OS/2 native software never came into people's minds.
  • by Nighttime ( 231023 ) on Monday October 14, 2002 @08:45AM (#4445103) Homepage Journal
    Is this a new Linux distro I haven't heard about? Is it Debian-based like Storm Linux was?
  • by Jack Wagner ( 444727 ) on Monday October 14, 2002 @08:45AM (#4445108) Homepage Journal
    Lies, damned lies and statistics.

    Windows applications will always be less secure than OSS because it's much more complex and used by millions more users. This is the fact that tends to get missed by people who blindly quote stats that they don't comprehend.

    Actually this is yet more hardcore evidence that the FSF and open source proponents need to shift to a more modern Extreme Programming model of development and away from their legacy "hacker working alone in a basement" methodologies. I've done this using a modified P2P client for real-time distribution of code amongst a team of 3 other coders over high bandwidth connections and it works out very nicely-even though we were all in different states at the time. It's generally known that studies have shown that teams of four can develop code one order of magnitude faster than 4 coders working separately and my experience backs that up.

    This hits at the very heart of the Achilles heel of open source as it tends to be rather unprofessional and willy-nilly in it's approach to development and project management which was fine back in the early 90's but suffers from severe limitations in todays modern and complex software development paradigm. Sure they make more secure software becasue it's easy to make an Xterm secure and not so easy to make an giant enterprise ERP package secure. Lets see these "experts" comapare apples to apples sometime.
    • Nice troll, modded highly.
      I highly doubt your statements and evenso more that extreme programming would do any good to an open source project.
      And don't even get me started on how complex projects were realized in the "early 90s" (and even earlier) that managed to be successfull without extreme programming.
      Sure, XP does have its place and it may work under certain conditions - but for a project where the developers are far away, do not know each other personally and don't have the spare time to work on the project at the exactly same time - it would do much more harm than good.
      (And finally I could cite Joel on extreme programming, but I don't because I suspect that you fully know that XP is not the holy grail of programming methodologies)
    • by rseuhs ( 322520 ) on Monday October 14, 2002 @10:20AM (#4445744)
      IIS runs less than 25% of webservers, Apache about 2/3.

      But, IIS has the far, far worse security track record.

  • by theBraindonor ( 577245 ) on Monday October 14, 2002 @08:46AM (#4445114) Homepage
    Yet again, we find an article that points to the significant number of Linux bugs going through BugTrack. The turn-around time for the patch in Linux is usually quite fast. Commercial software makers are starting to sue individuals for disclosing security vulnerabilities.

    How many bugs for Windows have been swept under the rug? How many software vendors out there have patch security holes, and requested that their customers download the latest 'maintenance' patch?

    Just ask some of the truly gifted individuals in security what they think of security through obfuscation.
  • Flaw in argument? (Score:5, Interesting)

    by ebuck ( 585470 ) on Monday October 14, 2002 @08:46AM (#4445116)
    It seems that Hemmendinger argues that the newer the software, the higher the likelyhood of bugs. While that argument sounds valid, it would only hold up under the following conditions.

    1. Both platforms stem from an equal amount of design history.

    2. Both platforms use technology of comparable complexity.

    3. Both platforms refused to make concessions in software integrity to deliver their products.

    4. Both platforms actively avoid known pitfalls in thier chosen architecture.

    5. Both platforms remove flaws at approximately the same rate.

    None of these conditions (and I'm sure there are more) exist in the comparison of Linux to Windows making the "age" argument a very weak one.
  • by hatchet ( 528688 ) on Monday October 14, 2002 @08:46AM (#4445119) Homepage
    I think that most of linux's security risks are there because of administrators. They should only run services and modules that are essential, but nothing else.
    Administrators should have physical access to machine, so they can disable anykind of remote shell access. Do not run ftpd as root.. and so on. I think that would minimize security risks.
  • by kubla2000 ( 218039 ) on Monday October 14, 2002 @08:48AM (#4445129) Homepage
    from the article:
    Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.

    um, I don't get it. How does newer == "less secure" in this scenario? Sure, the older and os the more time it's had for the kinks to be worked out of it. But doesn't method have something to do with it also? Linux is developed in an open and peer-reviewed environment. It's maturing much faster than windows. There's no reason to compare the two in the way the author's done. Faulty thinking on his part.

    What's also got to be factored in is the severity of the bug. A buffer-overflow that lets a cracker rm / is serious. A buffer-overflow that lets code run with the perms of the user owning the service in a chrooted directory is also serious, but much less so.

    The author also babbles about the volume of security-related issues on BugTraq... I'm not the first and I won't be the last to point out the rather obvious logical flaw here. If Bugs are getting reported and being quashed then they don't pose a threat any more. If the bugs aren't reported because a certain company based in Redmond Washington won't allow them to be reported... well, it's kinda obvious from there.

    That said, it is indeed encouraging to see more and more people concerned about security. I think the message is slowly being driven home.

  • It's not the OS (Score:3, Interesting)

    by m00nun1t ( 588082 ) on Monday October 14, 2002 @08:49AM (#4445133) Homepage
    Just about every major worm, linux or windows, has used an exploit that's been patched for a few months or more. The admin is a far weaker link than the OS.

    Stating the obvious, I know, but whoever posted this flamebait article didn't think so.

    On another topic, the moves MS are making with their auto-update tools should put an interesting light on the security landscape. The previews of .NET server look pretty good in this area.
  • What timing! (Score:5, Insightful)

    by Pedrito ( 94783 ) on Monday October 14, 2002 @08:49AM (#4445134)
    Just last night, a buddy of mine did a security scan of the Linux box I use at home as a gateway for my other 4 computers. The only security problem found was with the version of wu-ftpd that I'm running.

    No problem, I thought, I'll just upgrade it. So, my first step was to download it from wu-ftp's ftp site, only to realize I was going to have to figure out how to build it (that was simple, except I kept getting two or three errors in the compilation. I'm assuming my gcc is out of date) and then how to install and replace all the existing stuff (I have no idea how, and I don't have time to learn it).

    So, I figure I'll go to RedHat, download the RPM and just install that. Which I do. Ran RPM to install it, no messages, try to FTP in, still running the old version. Shut-down and re-start, same thing.

    Folks, I know most of you are Linux fanatics, but if a programmer with 23 years of programming experience can't manage to upgrade a simple application in under 30 minutes, Linux will never make it to the masses.

    There's nothing I'd like more than to see Linux replace Windows on every desktop. When Linux is ready. Frankly, I don't think it is, and I think it's still got a long way to go. Sorry.
    • by Black Parrot ( 19622 ) on Monday October 14, 2002 @09:10AM (#4445258)


      > Just last night, a buddy of mine did a security scan of the Linux box I use at home as a gateway for my other 4 computers.

      That's nothing - complete strangers do security scans on all my boxes every night!

    • Re:What timing! (Score:5, Insightful)

      by smnolde ( 209197 ) on Monday October 14, 2002 @09:31AM (#4445390) Homepage
      You need FreeBSD to get you out of RPM hell. It takes far less effort to upgrade software on FreeBSD than it does with any RPM-based lunix distro.

      Getting out of RPM hell was the main reason I chose FreeBSD over lunix.

    • Re:What timing! (Score:4, Insightful)

      by Cytlid ( 95255 ) on Monday October 14, 2002 @11:29AM (#4446201)
      Folks, I know most of you are Linux fanatics, but if a programmer with 23 years of programming experience can't manage to upgrade a simple application in under 30 minutes, Linux will never make it to the masses.

      Ok, I was getting ready to flame you for this... but after reading all the other replies, I thought not. I think the biggest problem people have, either on the Windows or Linux side, is living in a paradigm. Like it or not, you're most likely living in a Windows paradigm. You like the way it works, it's "easy" for you, you program in it. You promote and spread the Windows paradigm. The Linux Paradigm doesn't fit you all to well... I'm probably the opposite. Yea, I've been using Windows for years, and I'm used to it, but I honestly think I fit better into the Linux paradigm. (Read: if I were adminning a Linux server, trust it better than if I were adminning a Windows server.) I *know* I should hone my skills in Windows administration, but without really good (free, available) documentation... it's not possible unless I spend all kinds of money. Only thing I can hope for is to pick up tips from people I know are Windows Admin gurus. I think this whole debate is a matter of realizing where you stand. The people who see clearly in both paradigms will be the ones ultimately winning.
    • by Skapare ( 16644 ) on Monday October 14, 2002 @05:04PM (#4449081) Homepage

      This is why we should not allow programmers to moonlight as system administrators. As a programmer, of course I expect you to never, ever, code up a buffer overflow exploit. But please leave system administration to professionals who know how to do the job. A system administrator of 2 years experience or less (usually way less) could do this with ease and correctly.

    • Re:What timing! (Score:5, Insightful)

      by timster ( 32400 ) on Monday October 14, 2002 @06:20PM (#4449587)
      The problem here is that what you were doing was not "desktop use", but for some reason you extend your experience to desktop use. What you were doing was clearly server administration. I don't hear anybody telling me that Windows isn't a good desktop OS because the DHCP Manager isn't intuitive (which it's not, unless you understand DHCP). Server administration is always going to require skills, and whatever other skills you may have you have no skills in Linux server administration.

      As for your experience, you made a number of mistakes that anyone who knew what they were doing (as a Linux sysadmin would) would never make. First problem was thinking you should go to the wu-ftpd website and try to compile the software yourself. Unless you have some tremendous reason to do this, you need to go to your distributor in all cases, since their installations are customized in numerous ways that you have probably come to expect. Second mistake was expecting an RPM to restart the service for you (RPM's don't really go for pre/post-install scripts, see Debian for that).

      The third mistake was the worst, as it totally ignores the whole purpose of your distributor. Development groups (like the wu-ftpd group) generally attach security and bug fixes to new versions, since they usually prefer to work on one codebase. However, your distributor should never upgrade you to a new version that changes any functionality unless you change the version of the distribution, since a given version is supposed to be stable. So, as every Linux sysadmin in the world knows, Red Hat doesn't just toss the thing into an RPM and throw it out there. Rather, they take their existing codebase (which as I said, is usually patched in several ways) and apply the security fixes to _that_. And everyone knows this because it is _clearly_ _documented_. If you are running a server (ftpd is not a desktop app) then you need to follow the security updates for your distro, which will quite clearly explain what patch level fixes what holes.

      My advice to you is to either: remove all the server programs from your system and use it as a desktop user; hire a competent sysadmin; or spend the time yourself to become a competent sysadmin. Don't play end-user-with-a-server or you'll get burned, no matter the OS.
  • It's the user (Score:5, Insightful)

    by photon317 ( 208409 ) on Monday October 14, 2002 @08:50AM (#4445142)

    The user makes all the difference. What software you choose to run, and how you choose to configure and audit things. How much care you give to security issues and how much knowledge of basic security you have.

    However, if you are competent and security-minded, it is quite easy to make a Linux box extremely secure against all but the most directed and knowledgeable attackers, which are quite rare. If you run Windows, no matter how hard you try you're still gonna be fairly hosed. Some things just can't be fixed reasonably on that platform.
    • I can make my windows box VERY secure, just turn it off :)
    • In fact, pushing all the responsibility down on the user is a very bad way of securing anything. Most poeple care more about functionality than security. We as developers need to pay more attention to finding ways of implementing non-intrusive security. It may include more lines of code, but it will certainly pay off in how many of your users end up screwed by an exploit in YOUR app.

      I'm just waiting and hoping for automated code audit for security. That would possibly be the greatest contribution to computer security since encryption!
  • Bugtraq (Score:5, Informative)

    by qurob ( 543434 ) on Monday October 14, 2002 @08:50AM (#4445146) Homepage

    Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows. Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system." BugTraq is a popular forum for discussion of computer security vulnerabilities.

    Very few of these messages are related to the Linux kernel itself. I find most of these to be about packages included with most major distributions.

    So many programs get lumped into 'linux' and this is forgotten.

    Imagine if EVERY time there was a patch for a Windows app, it was checked off in the 'windows' category.

    Then again, there are more Windows apps than Linux...
  • by mustangdavis ( 583344 ) on Monday October 14, 2002 @08:53AM (#4445164) Homepage Journal
    I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system."

    * Gets out a kleenex, wipes off author's glasses*

    IIS - enough said.

    The actual number of posts may be greater, but how many people install X on their Linux servers? How many people have xmms on thier linux server?

    Also, considering that Linux is open source, and thus, hackers can actually look at the code for the OS, it is AMAZING that it is more secure than Windows! Can you imagine how many exploits their would be for IIS if a good hacker could see the source code for it?

    Nothing more to be said here ... move on!
  • Security? (Score:5, Interesting)

    by Noryungi ( 70322 ) on Monday October 14, 2002 @08:54AM (#4445173) Homepage Journal
    This sentence from the article really drew my attention:

    Mainframe operating systems, which have been perfected over decades, have very few security flaws. Security problems on mainframes tend to be caused by administrators' errors.

    Obviously, this guy does not know what he is talking about.

    My father used to be a mainframe security officer at a Fortune 500 company. He knew mainframes inside and out and was always pretty much on top of things -- and he started his career on old IBM with punch cards, if you see what I mean.

    Anyway, his company would hire (once every three years) an external consultant to test the security of the systems my father took care of. This consultant could gain the mainframe equivalent of "root" access in 30 minutes or less.

    A mainframe operating system is not secure -- it's very stable (uptime=99.9999%), though, but that's a different thing.

    My advice? If you want security, get OpenBSD [openbsd.org]. If you want the latest gizmo, get Linux (a real Linux [slackware.com]) and invest some time in securing your installation...

  • by InodoroPereyra ( 514794 ) on Monday October 14, 2002 @08:55AM (#4445177)
    Even though I contribute code every once in a while, my background is not in CS and I am not an expert in Security by any means. What matters to me is not whether open source solutions are inherently a little more or less secure than open source solutions. What really matters to me is what can I do to secure my machine .

    Security holes happen for any development model, shit happens. With open source, GNU/Linux in particular, I keep an eye on security updates to my distro and that's it. Almost no effort if you use a friendly distro. Well, that and I check not to run services I do not need, use a firewall, etc. I know that as fast as a hole is found a fix will appear and I'll download new packages in a couple days. If I am really concerned I can compile and install in the meantime. Here is where the freedom meaning of free software shines.

    Oh, and the title should better be "Open source vs propietary security". Old same old ...

  • by sheriff_p ( 138609 ) on Monday October 14, 2002 @08:56AM (#4445186)
    Many people thought prior to Slapper coming out that Linux was somehow impenetrable to malware ... VB has a good article (written before Slapper came out, as it happens) on why this is largely untrue:

    http://www.virusbtn.com/magazine/archives/200209/l inux_malware.xml [virusbtn.com]
  • by Nicolay77 ( 258497 ) <nicolay.gNO@SPAMgmail.com> on Monday October 14, 2002 @08:58AM (#4445199)
    Who is better, bigger faster? That doesn't help any community very much either.

    What is good is to ask how to make actual systems better, to catch up faster with patches an so on.

    My try:

    Besides disabling unneeded daemons, automatic updating should be a priority for almost all users, at least for every desktop (not hardcore) user. MS would have that right if they weren't pushing EULA changes with every update. And checksums of packages would start to be a serious thing, not something we saw but ignore in the same web page as the .rpms, .isos or .exes.

    But this automatic updating should be entirely configurable, because hardcore users, admins and so on can't rely on third parts to check the compatibility of every patch with the endless configuration they have done. Auto-update could be enabled in any vanilla system, and disabled per package with dependencies with a CLI and GUI tool.

    Ohhh, and making sure that this autoupdate doesn't have any bugs too! (as far as possible). May be SSH and server keys in the .isos to prevent man in the middle virus patch attacks.

    Just a though.
  • by MercuryWings ( 615234 ) on Monday October 14, 2002 @09:04AM (#4445229) Journal
    ...in all operating systems, no matter if it is Windows, Linux, or any others. The difference is in the approach to implementing security.

    Based on my experience, Windows' focus was functionality first, security second. Compared to most *nixes, which take the focus of security first, functionality seconds.

    This is not to say most *nixes have less functionality than Windows. In many cases, *nix OS'es tend to be more useful. But it means that the functionality of the application are done within the context of overall system security. The usual rule of thumb is to put the program in user-space (versus non-restricted kernel space) whenever possible, in order to minimize the effects of a rogue program on the remaining apps or the system itself. Users should be given only the minimum features necessary to make an application function. This means any features which could pose a risk should be disabled by default whenever possible, and only be actived when the user explicitly decide they need the feature.

    This is my primary beef with Windows. Far too many critical applications are run with superuser-level privileges, especially when it is clear they do not need any of the capabilities of a superuser. Advanced features of applications (like Outlook's VB scripting) are turned on 'just in case the user needs it' - when the majority of people who use the app never need it.

    There's a difference between having security risks and being insecure by nature. I still believe linux (and other *nixes) are less vulnerable than Windows, and that's to do with the architecture of the systems, not really the applications themselves.

    To use an already overworked analogy - I'd rather drive a car with the spark plugs in the motor - far away from the gas tank - than to drive a car with the spark plugs in the tank itself. At the very least, I'll know that a malfunctioning spark plug isn't as likely to turn my car into a firebomb, rather than just a minor repair job.

  • by smd4985 ( 203677 ) on Monday October 14, 2002 @09:17AM (#4445297) Homepage
    Until Windows goes open source, it'll have the biggest security flaw in my mind - I can't take a look at the source code and AUDIT what it is doing behind the scenes. Obviously, this is one of the main motivations behind mandating that governments use open source software.
    • Until Windows goes open source, it'll have the biggest security flaw in my mind - I can't take a look at the source code and AUDIT what it is doing behind the scenes. Obviously, this is one of the main motivations behind mandating that governments use open source software.

      1): Do you do this for Linux?

      2:) MS has their "shared source" initative, where a big enough customer can audit the Windows source code.

      3:) If the US government really needed an OS, they could just take it. If they want a secure OS, they'll probably just write it themselves. (What, you think that NSA Linux really stopped?)
  • What's 'Linux'? (Score:5, Insightful)

    by mccalli ( 323026 ) on Monday October 14, 2002 @09:19AM (#4445307) Homepage
    Seriously - are they talking about an install of Red Hat, an LFS home project, a bootable floppy disk...

    Windows comes in defined sets. You can customise those sets, but a basic install is defined. With Linux, I can vary drastically what goes into making an 'install', so the discussion is moot unless they define which set of features they're talking about.

    I have a self-made boot floppy, and I'll guarantee you that no-one could hack it from the network. That's because it has no network drivers. Utterly secure, and utterly useless. And yet it's still 'Linux'.

    The article needs to tighten up and define the scope of discussion. Tossing around loose metrics like 'number of BuqTraq postings' doesn't help much either.

    Cheers,
    Ian

  • by Lethyos ( 408045 ) on Monday October 14, 2002 @09:22AM (#4445324) Journal
    (I'm posting here because the editors of that site will probably censor this comment.)

    Windows, from its initial inception, was never designed with security in mind. Memory was accessible (rw) to everyone. No secure protocols were in place. Any code could execute by any user. Arguably, this may not be true for NT, since the codebase it was derived from had security in mind. Nevertheless, NT became a completely different animal when Microsoft made it their OS. Both technically and politically (even admittedly), Microsoft have never expressed any prudence when it comes to security. They've depended on obscurity to hide their numerous, horrible flaws behind lies and lawyers. Today, they run around telling everyone how much effort they are putting into making their operating systems more secure. They run around shouting "we have a special program! All new code is secure!" It's all meaningless FUD as their products have only gotten worse, not better. You cannot build security without a strong foundation. Microsoft's is a house built on the sand.

    Linux and other *nix variants have been built on strong security principles for decades. The *BSDs have been designed to be provably secure since the day the BSD project was started. The *few* worms that attacked Linux systems recently does not make Linux less secure for a few reasons. Politically speaking, Linux has had an excellent security track record, and therefore, it's big news when it's cracked. Microsoft has an awful record, so the news comes with little surprise and is more difficult to sensationalize (as the author has done). Technically speaking, it takes a lot more effort, skill, and dependency on obsolete software to attack a *nix machine. Even the most up-to-date Windows, on the other hand, collapses under even slight scrutiny. Speaking in terms of volume, the ratio of Windows exploits to Linux exploits is so absurd it's a wonder how any Windows machine stays running for a few hours after being attached to the Internet. Let's not forget that the number of servers running *nix (with Apache) is *far* greater than Windows, so *nix gets hammered on a lot more (source: http://www.netcraft.com/survey).

    I think it's important to note is the protocols exploited were patched months before these worms came to the light. It's only the outdated systems that were affected. Usually, the exact opposite is true in the Microsoft and the rest of the proprietary software world.

    *nix is more secure. Always has been and always will be. At the very least, whom would you rather trust? A group of engineers developing software for free as volunteers with the goal of improving technology on a whole, or a company that is repeatedly breaking the law, cheats on its taxes, fails to fulfill promises (especially of security), and has vicious mechanisms for sucking money from their customers?
  • Microsoft Office (Score:3, Insightful)

    by tmark ( 230091 ) on Monday October 14, 2002 @09:22AM (#4445325)
    I'd say that they miss to point out that Microsofts Office suite combined with VBA scripting makes Windows more insecure than anything I've ever seen

    That would be a good point if not for the fact that 1) Microsoft Office is not part of Windows, and 2) a lot more people would switch to Linux on their desktop if Microsoft Office (and not some pale imitation) were available on Linux. But it isn't, is it ?
  • by doodleboy ( 263186 ) on Monday October 14, 2002 @09:33AM (#4445400)
    I've used UNIX and Linux for close to ten years, and by now I have a pretty good idea how to do things in a secure and functional way. I've only had to admin an NT box once, and I migrated services off of it as quickly as I could.

    Why? Not because I had any direct evidence of insecurity (this was before the real flood of NT vulnerabilities began), but because I knew I could do a better job with the tools I knew best.

    But also:

    - the NT machine tended to bluescreen every month or so for no apparent reason. The MCSE on staff was not overly troubled ("Oh I see the problem, it just needs a reboot"), but its flakiness did not fill me with confidence.

    - the MS tactic of bundling the kitchen sink with the OS is just asking for trouble. Linux's modularity means you don't have to have a graphics layer on the server, for example, or any other unnecessary frills that provide opportunities for crackers.

    - I believe the full-disclosure bug reporting model is orders of magnitude more responsive than what you get from proprietary vendors. Afaik, lots of reported linux bugs == lots of bugs get fixed because lots of people have access to the code.

    - really excellent security tools are freely available: iptables, xinetd, snort, tripwire, nessus, nmap, chroot, etc. An interested beginner could make a linux server very hard to break into. I know {NT,W2K,XP} has more wizards and stuff, but is it easier (or even possible) to really see and control what's happening with the OS?
  • Several problems (Score:5, Insightful)

    by mfos.org ( 471768 ) on Monday October 14, 2002 @09:34AM (#4445412)
    1) The author cited as fact that the age of the operating system is directly related to its security, without any kind of proof. This makes sense at first glance, but it ultimatly glosses over the fact that both OSes are in constant development. New features are added every day. This might make sense if, after developing the system, all the time after that was spent patching and debugging, but this isn't the case.

    2) The author has no concept of service vs. system. Most vulnerabilites are in sevices, not at the kernel level. All Linux is just a kernel. Packages are added to make a usable Linux distro.

    3) The author cites number of bugtraq entries as a way of gauging relative security, without considering the severity. Also, bugs, like those reported to Security Focus aren't the only vectors of compromise

    4) Open source software, by virtue of being free, allows an administrator to install much more security software for his dollar. Firewalls, IDSes [snort.org], advanced cryptographic file systems [tldp.org], HIDS [cs.tut.fi], and virus scanners [openantivirus.org] can all be downloaded for free.
  • BugTraq... (Score:3, Interesting)

    by Squidgee ( 565373 ) on Monday October 14, 2002 @09:37AM (#4445439)
    Now that I've thoroughly chastised the author about his spelling..

    The fact that there are less bugs on BugTraq pertaining to Windows than there are to Linux is beside the point: Most Windows users don't give a damn about posting on BugTraq. Most Linux users want to improve their OS, so they do post on BugTraq. And if Windows users did care...oh boy would BugTraq see some bugs...

  • GNU is Not Linux! (Score:3, Interesting)

    by RAMMS+EIN ( 578166 ) on Monday October 14, 2002 @09:38AM (#4445446) Homepage Journal
    ``Linux, which is even newer than Windows and is not controlled by a single commercial entity, can be expected to have even more vulnerabilities than Windows.''
    What they're forgetting here, though, is that Linux is actually GNU/Linux. The Linux kernel is a relative newcomer, but the GNU utilities that it uses have been in existense for quite a while, and have a history of testing on various Unices, etc. etc. These days, what matters is mostly the security of programs that connect to the 'Net. Vulnerabilities exists on both sides, but tend to be more braindead with Windows programs. M$ Outlook Express executes .exe attachments disguised as audio/x-midi inserted in HTML mail...WTF? Linux users are more likely to patch or upgrade to more secure software. The programs used matter, but the human factor can't be ruled out, either.

    ---
    Running as root is bad. I don't want to run as root. But now I can't modify my config files... Hmm, chmod -R o+w /etc/*
    Good, now I feel a lot safer...
  • by fudgefactor7 ( 581449 ) on Monday October 14, 2002 @09:47AM (#4445530)
    (Ok, so that subject isn't that great, sue me) ;)

    I submitted this same story on the 11th and was amazed that it wasn't posted as it's an important debate, not to mention one that is extrememly volitile (which might be why it wasn't until now--get the Monday crowd, so to speak)..

    At any rate, there have been tests done that disprove the OSS-is-more-secure model, basically stating that either style (OSS or Closed-Source) can be equally secure. We all know that. What I think is interesting is exactly how both camps go about the same thing (ie: security).

    The OSS people find a bug, the author of the affected application is notified (probably by hundreds of affected people, or by bugtraq, or something like that, and he/she fixes the bug, releases a patch or new version and the world is more or less happy. (Some apps might not work, but then that's not the problem of the author.) Time from bug to "fix": about 2 weeks (at most).

    Closed-Source people get a bug report, then they have to see where it is in the code, fix it (and here the similarities end) because there is (at least in the commercial business) a desire for backward compatibility and what MS likes to call "regression testing." Once that arduous process is done a patch is released. Time from bug to "fix": at least 2 weeks (unless your'e lucky.)

    Really, the only thing I see different is the time involved, both bugs get fixed, but OSS doesn't have to test it with previous releases--the author only has to make sure it works on a "vanilla" install; whereas someone like MS has to make sure that it doesn't break anything going as far back as, say, Windows 98. (Which is pretty far back in computer time.)

    I think the real way to describe it is that OSS is made secure faster than Closed-Source. Speed being the essence, that's the rub. If I want security I'd like it now, not later.
  • by rosewood ( 99925 ) <.rosewood. .at. .chat.ru.> on Monday October 14, 2002 @09:49AM (#4445547) Homepage Journal
    Once again we have an article that forgets the history of bug tracking and CERT. There was a time where everyone thought it would be best to alert the company first and let them fix a patch. Then we saw time and time again a company sitting on a problem and not wanting to issue a fix until the next big release they could sell.

    Then, the idea was to make a bug known publically so that the company couldnt hide. Unfortunatly, the company then denied that such an attack was possible. This lead to the requirement of posting source or an example program the exploited the program - which before was just sent to the company - into the wild.

    This brings us to where we are now: Everyone (sysadmins, crackers, hackers, the media, and the company) knows about the problem and how it works at the same time. This means the company HAS to patch their software. This also gives your sys admin a better chance since he can know about an exploit and immediately begin watching it or take the effected program away until a patch is issued.

    The down side of course is smbdie being posted on /. and everyone in the university using it to crash computers campus wide. However, these idiots, the idiot sys admins and the idiots that made smbdie possible all had equal amount of time to do what they needed to do.
  • by ellem ( 147712 ) <ellem52@g3.14159mail.com minus pi> on Monday October 14, 2002 @09:49AM (#4445550) Homepage Journal
    Hemmendinger commented, "I see a lot more stuff coming across BugTraq [about Linux] than any flavor of Unix or any Microsoft operating system."

    This makes no sense for several reasons:

    1 -- "a lot" more; how much is "a lot"?
    2 -- Linux the kernal or does he mean Red Hat?
    3 -- Didn't MS make a big deal about NOT posting to BugTraq for (snicker) "Security Reasons"?

    Hemmdinger sounds like a shill to me, and I don't even use Linux (Red Hat, et al) anymore.
  • Linux security... (Score:3, Interesting)

    by Junta ( 36770 ) on Monday October 14, 2002 @09:56AM (#4445603)
    First of all is hard to nail down what exactly that means. When most peoople utter those words, they refer to Apache/Linux/Linux Apps vs. IIS/Windows/Office.

    Very few security issues in the recent past have really had much to do with Windows itself, mostly IIS and some Office/IE vulnerabilities. Even with those, frequently the problem is that the administrators of targeted systems are not sufficiently security minded. Also, MS products draw a lot of attacks, simply because the systems are such a large target.

    The enhanced security of Linux, at least in part, is a self-fulfilling prophecy. When administrators are highly security concious, they will often go to Linux to drastically reduce the sheer number of attacks they receive and are influenced by reputation. Sure Linux boxes with Apache have had a number of problems and worms, but those administrators are far more likely to update Apache than IIS administrators.

    One thing that really does make me think it would be difficult to update Windows as easily as Linux systems is the model for updating busy files. Under linux, the in-use inodes are kept open for the processes that need them, but the filesystem is updated for future processes. Under windows, the file updates are scheduled for reboot. Since so many of the updates for Windows touch so many files, updating IIS will likely require a reboot, huge no-no for mission critical apps..... Aside from that, I'm not so sure that Windows is that much less secure. However, I prefer linux because it *is* more flexible..
  • by flinxmeister ( 601654 ) on Monday October 14, 2002 @09:57AM (#4445605) Homepage
    Almost nothing is routinely secure "out of the box". And even OpenBSD has had its share of black eyes.

    It's not a question of "How secure is it"...it's a question of how securABLE it is. IIS is securable, so is Apache. The problem with IIS is that it's usable by the low end of the technical spectrum who don't know or don't take the time to secure it. People who use *nix/*nux and Apache are almost techies by definition. They generally have the attitude to secure their boxes.
    The irony is that with a flurry of points and clicks, IIS is easier to secure than Apache. However, nobody does it.
  • by SatanicPuppy ( 611928 ) <Satanicpuppy@nosPAm.gmail.com> on Monday October 14, 2002 @10:02AM (#4445643) Journal
    What everyone seems to be missing is the difference in scale between a windows exploit, and a linux exploit.

    Linux, if you hack a mail client you can send spam to people on YOUR mailing lists.

    Windows, if you hack a mail client you can send mail to people on THEIR mailing lists.

    Most times linux exploits get you the very lowest level of security access. Yea, you got in, but you hardly got root priviledges out of it.

    Windows on the other hand, has several known and documented exploits that not only get you in, but get you admin priviledges to go along with it.

    Linux is very protective of it's hardware access (As anyone who's ever tried to run games will tell you. =P). Windows, on the other hand, goes out of its way to make hardware access easy and painless, both to the user and the abuser.

    Exploits exist for both systems. But which ones would you rather have to deal with?
  • by vrypan ( 38719 ) on Monday October 14, 2002 @10:19AM (#4445738) Homepage
    he has access to.

    My experience is that it is really hard to find *good* documentation for advanced topics in the Microsoft world. (especially when you need it). I guess that there are good books out there, but when I needed information I was not at the bookstore.

    On the other hand, Linux/Unix is very well documented. And when you hit the wall, you can always look around in the source code.

    Panayotis.
  • Quick Comments... (Score:4, Insightful)

    by tqbf ( 59350 ) on Monday October 14, 2002 @11:10AM (#4446057) Homepage

    • The article lacks credibility. Security is a complex issue. There are very few organizations qualified to present it authoritatively. Who is NewsFactor? Who is Masha Zager? What is the "Informations Systems Security Association"?
    • Ignores the worm gene pool. Several of the Linux worms cited use the same (uncommon) vulnerabilities to gain access to computers. Putting a different payload on the same attack doesn't make the "different worms" uniquely different threats.
    • Newer != Insecure. SunOS is old, and insecure. djbdns is brand new, and very secure. Secure programming, and (more importantly) secure design, are new disciplines.
    • Linux != New. Linux is new in implementation, but evidences the classic Unix security model. The Unix model is flawed, but not impossible. Win32 has a "better" design, but does nothing to make that apparent (in the same sense as Darwin doesn't make apparent its microkernel design).
    • Bug Counting? Most Linux bugs are in packages. There are thousands of available packages, virtually all with published source code. Third-party QA teams at ISS and Network Associates can go make a list of 100 CGI programs, read bad source code for a week, and generate 15-20 new advisories. Very, very few of them will affect real, deployed systems.
    • Still More Bug Counting! Linux sees more bug reports. Linux has published source code. An independant QA person can spend a month looking for a remote attack on Win32, come up with one, and coast on it for a year --- that remote hole will probably affect 80% of all deployed systems. To get the same cred, you need to find tens of holes in popular Linux packages. It is both significantly easier and more useful (to the reporter) to find numerous Linux-related holes.
  • by kakos ( 610660 ) on Monday October 14, 2002 @11:27AM (#4446182)
    ...because they are both insecure enough to be a hazard in a real world situation. If I want to run a secure box, I'll run a BSD (probably OpenBSD). One remote exploit in six years is a bit better than a new one every month (a trend both Linux and Windows seem to share). The only way to keep a Linux or Windows box secure is to patch it almost constantly. To be honest, that is a task that sysadmins don't want to be doing all the time. There are much more important things to be doing.
  • by Junks Jerzey ( 54586 ) on Monday October 14, 2002 @11:53AM (#4446370)
    In these type of discussions, Linux is equated with the Linux kernel, some device drivers, and maybe a handful of utilities like sendmail and so on. After that you get into debates about scripting languages and window managers and desktop environments and all that--none of which could be considered part of "standard" Linux.

    Standard Windows, however, includes graphics libraries and scripting systems and a GUI, and even tools like file browsers and Internet Explorer are considered part of Windows. Not surprisingly, most of the security problems are in those high-level tools, not the kernel itself. Now it could be argued that the kernel shouldn't allow tools to cause problems, but that's wishful thinking. Microsoft introduced a scripting language into Word, and that's been the cause of so-called "document viruses," for example.

    To do a fair comparison, you need to put together a Linux machine running KDE, Star Office, a graphical email client, and so on. And then you have to consider all security exploits in KDE and all applications that come with it. But of course that's never how comparisons like this are done. If a KDE application is at fault, then we're quick to dismiss it as a KDE problem, not a Linux problem. And so we run in circles with this kind of meaningless argument.
  • by steveha ( 103154 ) on Monday October 14, 2002 @01:19PM (#4447049) Homepage
    I am not an experienced sysadmin, but I have found sysadmin tasks to be pretty easy with Debian. Here is how to run a server with Debian:

    0) install using the Debian "stable" branch. (Use the pgi [progeny.com] to install; it's easy.)

    1) once a week or so, run the commands:

    apt-get update; apt-get upgrade

    These will go out and get all the latest updates to your packages.

    If you update your packages, worms like Slapper will not be able to get into your system.

    Debian also provides a really excellent howto. Any Debian server admins should study it:

    http://www.debian.org/doc/manuals/securing-debian- howto/ [debian.org]

    P.S. I'm sure Windows systems can be made secure, but it has to be more work than securing a Debian system. There is nothing as cool as "apt-get upgrade" on Windows.

    steveha
  • by octogen ( 540500 ) <g.bobby@gmx . a t> on Monday October 14, 2002 @03:04PM (#4448071)
    When Microsoft compares Windows Security with Linux/Unix security, they commonly show you all the cute security features of Windows 2000 and then compare it with a freshly installed Red Hat 7 box (or something like that, debian, SuSE, whatever you want).

    What about comparing the most secure setup of Windows with the most secure setup of Linux or Unix?

    Now you end up comparing Windows 2000 with HP SecureLinux or with Trusted Solaris, Trusted Irix, and so on.

    The most secure setup of Windows 2000 has C2 level security (discretionary access controls capable of defining access to the granularity of a single user, audit trail), while the most secure Versions of Linux have things like domain based access controls (however they are not certified at any TCSEC security level, not even C2) and the most secure Unix environments have B3 level security (structured protection, zero design flaws and minimum implementation flaws).

    Just take a look at how security mechanisms work, maybe compare Linux+Pitbull/LX (domain based access control) with the most secure Version of Windows 2000 - and try to imagine, how DBAC keeps your computer secure, even when somebody hacks your sendmail daemon.

    Now go and look for a Version of Windows with zero design flaws, or maybe just a B1 secure Version of Windows, good luck.

    regards,
    octogen

    Some further information:
    Trusted Solaris [sun.com], Sun Microsystems; ITSEC EAL4 (exceeding B1 security);
    Pitbull, Pitbull/LX [argus-systems.com], Argus Systems; ITSEC EAL4 security for AIX and Solaris; Domain Based Access Control for Linux (Pitbull/LX);
    XTS/300 [getronicsgov.com], Getronics; TCSEC B3;
    Firewall Server [borderware.com], BorderWare; (Unix based Firewall), ITSEC EAL4 with EAL5 vulnerability analysis;
    Windows XP [microsoft.com], Microsoft; TCSEC C2;

Whoever dies with the most toys wins.

Working...