Article I found on Slashdot:http://www.theregister.co.uk/2004/10/22/linux_v_windows_security/

Report:
http://www.theregister.co.uk/security/security_report_windows_vs_linux/


Yes, it is the Register, but that doesn't make it necessarily skewed or biased.

Anyway, I think this is related to an off-topic discussion here about the merits of Firefox vs IE. People make the argument that the only reason Windows or IE has more discovered security vulnerabilities is because Windows/IE runs on more systems. They are bigger targets.

People make the argument that Apache would be the bigger target than IIS, yet Apache doesn't have nearly as many severe issues.

The articles above go into detail about whatever research Microsoft had done and "facts" it uses in their campaign. I think it is an interesting read.

I stopped reading at this point:

"Windows is Monolithic by Design, not Modular"
"Linux is Modular by Design, not Monolithic"

I guess when you finish your degree and don't know jack sh*t about IT you have two options:
- become a teacher and spread the ignorance
- write articles to sites/magazines

People make the argument that Apache would be the bigger target than IIS, yet Apache doesn't have nearly as many severe issues.
It doesn't have nearly as many 'known' severe issues. I'm sure if it went under the same level of attack as Microsoft servers do, issues would come to light.

And there is always sendmail :D

It doesn't have nearly as many 'known' severe issues. I'm sure if it went under the same level of attack as Microsoft servers do, issues would come to light.

Well, why isn't there as high a level of attack?

Not enough people running it. Lions follow the herd.

Not enough people running it. Lions follow the herd.

I'm confused. Not enough people running Apache? Are you saying that a majority of servers running the web isn't enough to consider it a high enough target to those who would attack it?

There are TONS of attacks being tried out against apache. This makes sense since very many big and small websites use it. So saying that more issue would probably come to light if attacked more is wrong.

That being said, a while ago I signed up for the redhat security list (https://www.redhat.com/mailman/listinfo/enterprise-watch-list) to keep myself informed about possible security issues with my webserver. There have certainly been more postings made to the list I was expecting.

I spent the last 18 months working with Symantec on cross-platform security products. In spite of this, I wouldn't consider myself a systems security expert (it's such a broad field now it requires specialization). But my take on the issue isn't much different from EpicBoy's.

The Register is right on one count... Microsoft's attacks on the security of Linux are a mostly FUD. It's their business to convince you that their solution is better than the cheaper alternatives out there.

But the Linux proponents are just as guilty. There are TONS of Linux security patches that go out every month. Most are pretty insignificant, some are real dangers. Most Linux distros are composed of dozens of components that all have their own security holes... and thought the vast majority of patches are related to these other components, the kernel gets patched for security reasons often enough.

In both Linux and Microsoft's case, though, these security holes are usually plugged BEFORE an exploit is created externally. Today's hackers & virus creators usually just sit back and wait to hear of the new exploits once they are patched... then they write exploits against those systems that aren't kept up-to-date. The really nasty Blaster Worm (and all the variants) last year didn't come out until seven weeks after the vulnerability had been fixed by Microsoft.

Microsoft gets all the attention because:
#1 - It's got a big, glowing target painted on it, and
#2 - The non-specialized press tends to ignore what major vulnerabilities and exploits get discovered outside of Microsoft's software.

Right now --- as of XP SP2 and Windows Server 2003 --- I'd have a tough time picking Linux over Windows from a purely security standpoint. This is not huge praise for Microsoft... I think Windows is a klunky mess that tends to collapse under its own weight far too often requiring a clean reinstall (I just went through the hell of trying to upgrade the primary drive on my wife's machine... where Win XP was installed...). But I think they've made some very serious strides in the security department, to the point where I don't think I'd label the OS as being 'insecure'.

Unless you don't bother to update.

To backup GBGames with some numbers in response to the "not enough people running Apache" comment, here's a July report (http://www.fateback.com/news/web_hosting/data/Apache_web_server_increases_market_share.html) discussing Apache's 67% market share versus IIS's 21%.

Microsoft's attitude toward security is laughable - just look at Outlook and ActiveX. Because of this, I doubt that I will ever use a Microsoft program where security is a requirement.

To be fair, a lot of major security problems exist for both Linux and Windows machines, and if the end user is not vigilante enough, those problems become real issues.

If you don't update your software on either system, you will be sorry eventually. There is no denying that security issues exist on Linux.

But one of the points of the article is that most security vulnerabilities for Linux are not major security issues that can allow someone to take over control of your machine.

Sillysoft: another point made in the article was that having found a large number of security issues isn't cause for panic. It's not acknowledging issues or otherwise not resolving them that is a problem.

My favorite points:
- just because a system is most popular it doesn't make it any more or less a target for script kiddies or "hackers"
- just because the source is available it doesn't mean that you've given the blueprints to the enemy and are now more vulnerable to attack

- just because the source is available it doesn't mean that you've given the blueprints to the enemy and are now more vulnerable to attack

Not to de-rail the thread, but are you sure of this? I was always under the impression that having the sourcecode helped the hackers alot.

Article I found on Slashdot:http://www.theregister.co.uk/2004/10/22/linux_v_windows_security/

People make the argument that Apache would be the bigger target than IIS, yet Apache doesn't have nearly as many severe issues.


Nonsense. First off iis doesnt have more severe issues. I'd like to see you prove that. Second iis is used on more serious sites. Apache has a wider user base BUT much of it's user base is hobby sites, home servers etc... Not the kind of sites targeted for hacker attacks.

Not to de-rail the thread, but are you sure of this? I was always under the impression that having the sourcecode helped the hackers alot.


I would like to bring up a somewhat related piece of security software: public-key encryption.

Everyone knows how it's done. The algorithm is openly available. It doesn't make it any easier to crack through an encrypted transmition.

Now if you had the source code to poorly made software, yes, that would probably be a blueprint that could be used to exploit it. Of course, there are people who would also use that same blueprint and figure out how to actually fix the issues to counteract that.



Nonsense. First off iis doesnt have more severe issues. I'd like to see you prove that. Second iis is used on more serious sites. Apache has a wider user base BUT much of it's user base is hobby sites, home servers etc... Not the kind of sites targeted for hacker attacks.

I was simply going by the article. Check their sources to see who is claiming the attacks to be more severe. Also, my Windows PC at home, or anyone's PC at home, shouldn't be the kind of site targeted for hacker attacks either. A major government or corporation's PCs, yeah, I can see that. But Microsoft's reliance on things like RPC when it shouldn't need it, among other things, make Windows anywhere, at home under the radar or otherwise, a security headache.

Again, check the article for the text and sources used. I just wanted to give a very small intro/summary without going into too much detail.

and thought the vast majority of patches are related to these other components, the kernel gets patched for security reasons often enough.

True, mostly, however the Linux guys release patches very quickly when vulnerabilities are found, and admit to them being there. Unlike Microsoft which very often takes the stance that "we haven't seen it happen, so it doesn't exist" and then release a patch 6 months later.