Linux fan concedes Microsoft is more secure

Discussion in 'Windows Desktop Systems' started by Heeter, Feb 19, 2005.

  1. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
    "A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

    In an academic study due to be released next month Dr Richard Ford, from the Florida Institute of Technology, and Dr Herbert Thompson, from application security firm Security Innovation, analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux."

    Read Here


    Heeter
     
  2. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    Posted here on Friday :)
    http://www.osnn.net/comments.php?shownews=11814

    It sparked off an interesting discussion in the comments section. I think we should continue it here. I prefer not to put anything more than a few lines down as comments under news stories. The forum just works better for me for larger posts and discussions.

    Anyway, to repeat what I said there, a competent admin can manage either one equally well. IIS6 in WS2003 is actually far more solid than its predecessors, despite what many people think (or want you to think).
     
  3. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    Thought I'd post a transcript of the news story comments, in case anyone wants to reply to a comment made by someone there. Color-coded for readability ;)
    -----------------------

    #1 Posted by Kermit_The_Frog at 2:22am on the 18th February 2005
    I love it. The more we watch, the more we will see that the so-called super safe open source is nothing more, nothing less: it's just software, which means it's flawed.


    #2 Posted by NetRyder at 3:44am on the 18th February 2005
    As I have always felt, a competent admin can manage either one equally well.
    IIS6 in WS2003 is actually far more solid than its predecessors.

    #3 Posted by Johnny at 5:43am on the 18th February 2005
    Hmmm .... When they say more secure, what security are they talking about ?? I have noticed that 2003 crashes less than its predecessors, instead of twice a week it's down to only once ...


    #4 Posted by NetRyder at 7:48am on the 18th February 2005
    Uhh...WS 2003 crashing? Geez, even XP doesn't crash on me. :)

    Netcraft rated Datapipe as the most reliable hosting provider for the whole second half of 2004 and Jan 2005. What do they use? Windows Server 2003.
    http://news.netcraft.com/archives/2005/02/01/most_reliable_hosting_providers_during_january.html

    We have a couple of Server 2003 machines that are being used as Terminal Servers for multiple users at a time. They just keep running. Our Debian-based web server also had an uptime of 342 days before a campus-wide power outage forced it to shutdown (yeah, we need a UPS).

    I think Microsoft pretty much got stability under control after Oct 2001. You just have to make sure you use a good set of device drivers and stay away from junk software.

    #5 Posted by desie at 3:10pm on the 18th February 2005
    So why does 90% of the server market run Linux or BSD based servers?

    Also I don't need Media Player or IE on my server thanks.


    #5.1 Posted by Luna at 9:56pm on the 18th February 2005
    They simply don't know any better.

    #6 Posted by Joel (guest) at 7:24pm on the 18th February 2005
    I think that the number of exploits depends largely on the availability of the exploited system.

    Thus, on the one hand, exploits directed at end user computers are almost invariably directed at Windows. Get a large enough group of non-geeks running Linux and you'll get more Linux and Linux software exploits.

    On the other hand, all the phish sites I see run, usually without the permission of the server owner, on Apache over Linux. And I get lots of phish and 419 spam that has been sent using a bug in the PHP Nuke mailing module running on Apache and Linux. (Do a groups.google.com search for "RLSP Mailer" and 419)


    #7 Posted by Kermit_The_Frog at 5:50am on the 19th February 2005
    90% hahahahaha yeah ok I am sure it's 90%
     
  4. Xie

    Xie - geek - Subscribed User Folding Team

    Messages:
    5,275
    Location:
    NY, USA
    They also stated in that article that they didn't "lock down" the installs. Each was a basic install of what you would need and that was it. I believe it said that Linux would have the advantage of being able to "lock down" more before hand.
     
  5. Kush

    Kush High On Life!

    Messages:
    4,590
    Location:
    Montreal, Quebec
    I'm no security expert, so I'm not gonna ridicule the guy, but as long as they are both somewhat secure I'm happy!
     
  6. SPeedY_B

    SPeedY_B I may actually be insane.

    Messages:
    15,800
    Location:
    Midlands, England
    It may well be more secure, but I don't see it making a multitude of server owners switch over.
     
  7. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
    Sorry for the double post, Nets and al.

    Didn't realize that was posted earlier.

    How they tested was basically fresh installs from each OS? Okay, I would have presumed that all OSes are tweaked to make them more secure. I am pretty sure that any IT dude out there would never just install a Server OS and leave it like that.

    Heeter
     
  8. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    A 2003 install is quite intensive. It asks all kinds of questions.
    I think one of the main points they agreed made Windows 03 more secure is the time between crisis/exploit discovery (critical only) and patch is shorter with Windows than Red Hat.

    Net: I like the response to Johnny .... mine never crashes either, unless I've loaded an image of it up in vmware, and I purposely mess around with it ... it eventually comes crashing down. ;)
     
  9. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,332
    Location:
    new york
    I really never understood why anyone would think an open source OS could be more secure than protected source.

    It would however be easier to patch open source when a flaw is discovered, whereas in a closed OS the patch would usually have to come from the provider.
     
  10. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Yeah, you'd think so... but in this case... MS beats Red Hat to the patch in about half the time. Perhaps because so much scrutiny is on MS security... they get the patches rolling out as fast as possible to lift their tarnished image.
     
  11. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    So what you're saying is a WS2003 install is more secure out-of-the-box than a RedHat installation?
    I'd say that's a good thing whichever way you see it. ;)

    People can question the security of XP/2003, but when it comes down to stability, there is no doubt that Microsoft was able to nail it down this time.

    The fact that two of the top five most reliable hosts in the second half of 2004 were running Windows Server 2003 (with two others running FreeBSD) is proof enough that people who claim it's buggy, insecure and unstable are 1) incompetent admins or 2) full of crap.

    Each one has its place. Any server that hosts ASP.NET content, or other services like SharePoint etc would be running a Windows server. Setups that host PHP+MySQL content mainly would be better off using Linux/BSD.
    With that said, change from one to another takes a lot of effort, time and money. Hosts aren't going to switch one way or another in large numbers at a time.
     
  12. Xie

    Xie - geek - Subscribed User Folding Team

    Messages:
    5,275
    Location:
    NY, USA
    Well, a lot of people assume an open source OS would be more secure because it has more eyes going over the lines of code than closed source does.

    Also, a study like this puts RH at a disadvantage, as being an open OS, bugs are easier to find, whereas with an MS OS you can't see the code, so bugs might be lying around just waiting to be found .. does that really make it more secure? I would say yes and no .. all depends on how you look at it.
     
  13. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,332
    Location:
    new york
    The thing is, I see open source as being more vulnerable for this very reason.
     
  14. Kush

    Kush High On Life!

    Messages:
    4,590
    Location:
    Montreal, Quebec
    That's exactly what I was going to say, but I didn't want to spark any flaming. BTW, what decides which versions of Linux are open source and closed source, and free and priced?
     
  15. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    That seems like it would be true, but the fact is that there are thousands [maybe millions] of eyes looking in that code. Most OSS vulnerabilities are discovered before they are exploited, it would be safe to say that almost all Windows exploits are fixed after they are exploited.

    I still don't get the patch time response. Windows 2003 has an unpatched vulnerability that goes back to June 11th 2003.

    Windows 2003 has 5 current unpatched vulnerabilities: http://secunia.com/product/1173/

    Redhat has 0: http://secunia.com/product/2536/

    You might also notice that with Linux, Secunia includes non-default software as well such as CUPS, Xfree/Xorg, and GAIM. A lot of webservers won't be running an IM client, X-window, or a print server, yet there are 0 exploits at this time.

    @the_mafia, all Linux is OpenSource. There are some apps that run on Linux that are closed, but they are commercial apps like MATLAB or Communigate. All Linux is technically free as well, some do charge for services like Redhat's Enterprise edition. The only pay Linux distro that I know is Linspire, which is really a joke anyways.
     
  16. tdinc

    tdinc █▄█ ▀█▄ █ Political User

    Messages:
    3,507
    Location:
    Sterling Heights, MICHIGAN
    Bottom line______nothing is "Secure" no matter how you look at it....But LINUX is by far a better secured OS...my 2cents :)
     
  17. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
    This testing involved "Out-Of-The-Box" setups. Basically, drop the CD in, answer questions and install. The way I see it actually, WinServ2003, due to its encrypted source code, will always be more "secure". Anything done to the OSes after this initial step will only make it more secure, but it was not what the testing was about.


    Heeter
     
  18. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    As I recall from last year's top four rankings of secure operating systems there was Linux in fourth, Windows in third and the top two spots were equally ranked as OS X and FreeBSD.
    This, if I remember rightly, was a survey of server machines. The explanation at the time for the slip of Linux down to fourth was that many governments had switched to using Linux servers and the admins didn't properly know how to secure them.

    Had they been able to test either OS X or FreeBSD with a default installation either of these would have come out on top in all likelihood.
     
  19. Steevo

    Steevo Spammer representing. Political User Folding Team

    Messages:
    2,566
    /leaves to read article
     
  20. Steevo

    Steevo Spammer representing. Political User Folding Team

    Messages:
    2,566
    http://www.vnunet.com/news/1160853


    MS bashing Linux? Sounds like a playground bully trying to talk someone down.


    "Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.

    "In Microsoft's world customers are confident that we take responsibility. They know that they will get their upgrades and patches."


    Really? So if I have all my patches and I get a virus that destroys my system are they going to come and recover all my data? Are they going to re-install windows for me and mop up the mess?

    No?