Is Linux Truly More Secure than Windows?

Discussion in 'Windows Desktop Systems' started by wadada, May 27, 2004.

  1. wadada

    wadada Moderator

    If you're someone who enjoys a good debate, step right up. There's a discussion (well, more like a donnybrook, actually) revving up, pitting those who believe with religious fervor that Linux is intrinsically more secure than Windows against those who believe just as strongly that poor Microsoft has just gotten all the bad press and attention because of its near-monopoly on the desktop. Just wait, they say, until the hackers start going after Linux.

    Given IBM's increasing emphasis on Linux — and its wider adoption and implementation on the iSeries — who's right? Inquiring minds want to know.

    Standing fast as the defenders of Windows are many of the big industry analyst firms. Yankee Group's Laura DiDio argues in a recent comparison study of the total cost of ownership of Linux and Windows that, "hype notwithstanding, Linux's technical merits, while first-rate, are equivalent but, for the most part, not superior to Unix and Windows Server 2003." DiDio reports that 72 percent of the respondents in her study "rated Windows reliability equal to Linux."

    DiDio also predicts that as Linux's popularity grows, so will the hackers' efforts to penetrate it. Within a couple of years, she says, "companies will be spending as much time securing their Linux environments as they would have with Microsoft."

    Forrester Research analyst Laura Koetzle reaches much the same conclusion. Her March 2004 report "Is Linux More Secure than Windows?" concludes that Windows and Linux (in a variety of distributions) can all be deployed securely.

    Jim Hurley, security analyst for Aberdeen Group, says that despite the fundamental differences of the operating systems, both Linux and Windows are open to Internet threats.

    The baseline argument for many is that expressed by Carol Woodbury, president of SkyView Partners. "Hackers tend to go for the most readily available target," she says. "The more Linux deployments, the more readily available it will be to them. It will also become a larger target as more business-critical applications and installations are available. Hackers like to get notoriety, so they will go after the targets that bring them that. Windows has been a very easy target. If hackers feel that Linux is an easier target that will give them more notoriety, you'll start to see more attacks."

    It's already happening, says Chaya Bouganim of Bsafe Software Solution's marketing department. "Linux is already expanding fast," she says, "accompanied by an increasing number of attacks on Linux and other open-source systems."

    Bouganim cites attacks reported last month against Linux servers at Stanford University. "Last year, we saw an attempt to propagate a malicious program called CAN-2003-0434," she says, "which allowed PDF files to run system commands. Fortunately, it failed in its aims, but the malicious desires of its author remain."

    But not everyone agrees that a wider deployment of Linux will lead to more widespread attacks. "Windows suffers from 'ease of use' exploits," says Mark Boltz, product manager for Stonesoft. "Linux exploits are of a different nature. Windows machines tend to suffer from worms and malicious code like Sasser and Blaster that are created with a very low 'run-level knowledge requirement.' In other words, Windows has tools available for the script kiddies with little or no skills who simply click on the options they want their worm or virus to have and then release it to the world."

    Boltz sees an inverse relationship between the security and the usability of a system. Since Microsoft gears its applications and operating system toward usability, it will be hit more often. Linux hackers, on the other hand, tend to exploit coding errors "such as buffer overflow attacks," Boltz says, "which require a great deal more skill to exploit."

    Of course, one of the hallmarks of Linux is that the code is published openly for everyone to see. But that doesn't necessarily provide a blueprint for hackers to find a way in.

    "Linux is more securable than a proprietary product because of its transparency," says Bruce Lowry, Novell's public relations director. "Creating good, secure software requires a quality engineering process. You can get this in both the open-source community and the proprietary world. The security benefit of open source lies in the value of transparency that facilitates quick identification and repair of security breaches."

    Which leads to another philosophical argument: which is more secure — something that is totally open that everyone can see, or something that is closed and has to be "broken into" in order to modify. This debate is much like asking which store on Main Street is more secure at night: the one with big glass windows and all the lights on, allowing anyone from the outside to see what's going on inside, or the one with all the lights out that's locked up like a bank vault. It might be real tough to get in, but once in there, you can go about your business in peace, knowing that no passersby will easily observe you.

    Mark Cox, manager of Red Hat's Security Response Team, clearly opts for the lights-on approach. "According to surveys, the Apache Web server already powers over three-quarters of all public Web sites," he says, "and we already have situations where Linux is more widely deployed than other operating systems. I don't see that this trend will cause more widespread attacks. It may cause more people to scrutinize the code looking for flaws — but in the long term, this is actually beneficial."

    Boltz, as well, believes that "code review over a much broader spectrum of programmers makes it much more likely that issues from coding, like buffer overflows, will be more likely to be found and corrected. This would only be true, however, for 'core Linux,' the kernel and related code and the most popular Linux applications like GNOME, KDE, and Mozilla, where there is a larger interest in the code."

    Dave Boutcher, a senior technical staff member at IBM's Linux Technical Center, believes two additional factors make Linux more secure. "First of all, unlike Windows, if you are running a Linux server as a Web server, you only install the programs you need for that application," he says. "You wouldn't install the desktop applications, for example. By having less software installed, you reduce your exposure."

    Secondly, Boutcher points out that "Linux installations are much less homogeneous. With any other operating system — such as OS/400 or Windows, for example — a large number of people have exactly the same code. With Linux you have a broader range of versions. Even with the SuSE and Red Hat implementations, many people make modifications that make their installations slightly different than anyone else's. This makes it much harder for a single worm to affect a large number of people."

    Scott Granneman, a senior consultant for Bryan Consulting, refers to this in his article, "Linux vs. Windows Viruses". "Linux runs on many architectures, not just Intel, and there are many versions of Linux, many packaging systems, and many shells," he writes. He goes on to say that, "in the Windows world, a virus writer knows how the monoculture operates, so he can target his virus, secure in the knowledge that millions of systems have the same vulnerability."

    Granneman also attacks the design of Windows, which he believes invites danger. He points out that, "running as root (or Administrator) is common in the Windows world," and that "Windows XP ... automatically makes the first named user of the system an Administrator, with the power to do anything he wants to the computer. The reasons for this decision boggle the mind."

    Bouganim agrees that this is a problem in Windows. However, she says that, "while it's true that Linux users are administrated by the root superuser, it is well known that cracking the superuser's ID and password opens up the system to anyone. The possibility of daemon programs enjoying superuser rights adds to the vulnerability. The concern for a more secure Linux can be seen in Red Hat's Fedora project involving enhanced security features."

    The Fedora project, explains Cox, is deploying new technologies that are designed to make machines look diverse and to help protect against common security flaws.

    It's not likely the debate will be resolved any time soon. Only time will tell whether hackers will soon enjoy easy access to Linux. Or whether Granneman's thesis will be borne out: "To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it."
  2. SPeedY_B

    SPeedY_B I may actually be insane.

    Midlands, England
    Loving the copy and paste work.
  3. j79zlr

    j79zlr Glaanies script monkey Political User

    If you leave SSH, FTP etc. as most distros do without setting up a firewall [iptables et al] it can be hacked. Windows' big problem is spyware, and linux seems to be pretty much immune on that one. Another reason is that most linux users don't run as root day-to-day, but most windows users do; because of this, if a malicious file was executed as a normal user in nix, it can't really do much damage outside of the ~ dir. If Windows users ran as limited users normally, viruses, spyware etc would not be able to install.
  4. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    new york
    great post j79

    when I get home, I'm going to paste your post here into the favorite tweaks thread, with the recommendation that everyone run on limited user accounts

    a nice new tweak

    if you'd like to put it there yourself, that would be nice
  5. NerdUprising

    NerdUprising [ Method ]


    excellent point/post, for both degrees.
  6. sean.ferguson

    sean.ferguson Moderator Folding Team

    Fife; Scotland
    I'm going to make a small comment...

    I once believed that i was god because i ran a slackware install... however my "haha windows user you will get haX0red" attitude quickly ran dry when i got hacked and control of my slackware box was compromised... it was apparently by a group called the outlaws, but as there was little on my machine that really was important they left a txt file in my home dir telling me where i went wrong.

    I then read up a lot on linux security texts, looking up different web resources and asking on forums. Now my answer to the above question is simple...

    Any OS, whether it be windows, linux, unix or mac. They are only as secure as the user/admin makes them. Granted *nix and mac 'default' settings are more secure than that of windows... but all OS's can be made impenetrable.
  7. NetRyder

    NetRyder Tech Junkie Folding Team

    New York City
    Excellent point.
  8. ShepsCrook

    ShepsCrook Red Sox Fan!

    I do agree. Windows is so widely used that more people are out to hack it. At least for personal and business use. And I'm sure if Linux became the #1 desktop OS, we'd see just as many hackers, crackers, and viruses appear. It's common sense really.

    So no 1 OS is the best or safest. We're all screwed! Quick save yourselves, I'll fend them off! Oops...

    Anyway, like it was mentioned before. You're only as safe and secure as you make it.
  9. Geffy

    Geffy Moderator Folding Team

    United Kingdom
    in the last test of the most secure operating systems on the internet, the ranking had Windows higher than Linux and *BSD ranked as the #1 most secure operating system on the internet. The linux ranking was attributed to the recent uptake of linux in government networks/departments, which lacked the right personnel to secure it properly.
    The most recent windows version XP and anything newer, I believe to be a lot more stable and more secure than any of the previous versions. Linux has always had more of a secure reputation because of often better stability and so on, and windows still has an often poor reputation, though I believe some of this to be due to their wide ranging hardware and software support.
    so finally I believe that *BSD is more secure than both :D