Linux fan concedes Microsoft is more secure

Heeter

"A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

In an academic study due to be released next month Dr Richard Ford, from the Florida Institute of Technology, and Dr Herbert Thompson, from application security firm Security Innovation, analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux."

Read Here


Heeter
 
Posted here on Friday :)
http://www.osnn.net/comments.php?shownews=11814

It sparked off an interesting discussion in the comments section. I think we should continue it here. I prefer not to put anything more than a few lines down as comments under news stories. The forum just works better for me for larger posts and discussions.

Anyway, to repeat what I said there, a competent admin can manage either one equally well. IIS6 in WS2003 is actually far more solid than its predecessors, despite what many people think (or want you to think).
 
Thought I'd post a transcript of the news story comments, in case anyone wants to reply to a comment made by someone there. Color-coded for readability ;)
-----------------------

#1 Posted by Kermit_The_Frog at 2:22am on the 18th February 2005
I love it. The more we watch, the more we will see that the so-called super safe open source is nothing more, nothing less: it's just software, which means it's flawed.


#2 Posted by NetRyder at 3:44am on the 18th February 2005
As I have always felt, a competent admin can manage either one equally well.
IIS6 in WS2003 is actually far more solid than its predecessors.

#3 Posted by Johnny at 5:43am on the 18th February 2005
Hmmm .... When they say more secure, what security are they talking about ?? I have noticed that 2003 crashes less than its predecessors, instead of twice a week it's down to only once ...


#4 Posted by NetRyder at 7:48am on the 18th February 2005
Uhh...WS 2003 crashing? Geez, even XP doesn't crash on me. :)

Netcraft rated Datapipe as the most reliable hosting provider for the whole second half of 2004 and Jan 2005. What do they use? Windows Server 2003.
http://news.netcraft.com/archives/2005/02/01/most_reliable_hosting_providers_during_january.html

We have a couple of Server 2003 machines that are being used as Terminal Servers for multiple users at a time. They just keep running. Our Debian-based web server also had an uptime of 342 days before a campus-wide power outage forced it to shut down (yeah, we need a UPS).

I think Microsoft pretty much got stability under control after Oct 2001. You just have to make sure you use a good set of device drivers and stay away from junk software.

#5 Posted by desie at 3:10pm on the 18th February 2005
So why does 90% of the server market run Linux or BSD based servers?

Also I don't need Media Player or IE on my server thanks.


#5.1 Posted by Luna at 9:56pm on the 18th February 2005
They simply don't know any better.

#6 Posted by Joel (guest) at 7:24pm on the 18th February 2005
I think that the number of exploits depends largely on the availability of the exploited system.

Thus, on the one hand, exploits directed at end user computers are almost invariably directed at Windows. Get a large enough group of non-geeks running Linux and you'll get more Linux and Linux software exploits.

On the other hand, all the phish sites I see run, usually without the permission of the server owner, on Apache over Linux. And I get lots of phish and 419 spam that has been sent using a bug in the PHP Nuke nailing module running on Apache and Linux. (Do a groups.google.com search for "RLSP Mailer" and 419)


#7 Posted by Kermit_The_Frog at 5:50am on the 19th February 2005
90 % hahahahaha yeah ok I am sure it's 90%
 
They also stated in that article that they didn't "lock down" the installs. Each was a basic install of what you would need and that was it. I believe it said that Linux would have the advantage of being able to "lock down" more before hand.
 
I'm no security expert, so I'm not gonna ridicule the guy, but as long as they are both somewhat secure I'm happy!
 
It may well be more secure, but I don't see it making a multitude of server owners switch over.
 
Sorry for the double post, Nets and al.

Didn't realize that was posted earlier.

How they tested was basically fresh installs from each OS? Okay I would have presumed that all OS's are tweaked to make it more secure. I am pretty sure that IT dude out there would never just install a Server OS and leave it like that.

Heeter
 
Heeter said:
Sorry for the double post, Nets and al.

Didn't realize that was posted earlier.

How they tested was basically fresh installs from each OS? Okay I would have presumed that all OS's are tweaked to make it more secure. I am pretty sure that IT dude out there would never just install a Server OS and leave it like that.

Heeter

A 2003 install is quite intensive. It asks all kinds of questions.
I think one of the main points they agreed made Windows 03 more secure is the time between crisis/exploit discovery (critical only) and patch is shorter with Windows than Red Hat.

Net: I like the response to Johnny .... mine never crashes either, unless I've loaded an image of it up in vmware, and I purposely mess around with it ... it eventually comes crashing down. ;)
 
I really never understood why anyone would think an open source os could be more secure than protected source.

it would however be easier to patch open source when a flaw is discovered, where in a closed os the patch would usually have to come from the provider
 
perris said:
it would however be easier to patch open source when a flaw is discovered, where in a closed os the patch would usually have to come from the provider

Yeah, you'd think so... but in this case... MS beats Red Hat to the patch in about half the time. Perhaps because so much scrutiny is on MS security... they get the patches rolling out as fast as possible to lift their tarnished image.
 
Xie said:
They also stated in that article that they didn't "lock down" the installs. Each was a basic install of what you would need and that was it. I believe it said that Linux would have the advantage of being able to "lock down" more before hand.
So what you're saying is a WS2003 install is more secure out-of-the-box than a RedHat installation?
I'd say that's a good thing whichever way you see it. ;)

Mastershakes said:
Net: I like the response to Johnny .... mine never crashes either, unless I've loaded an image of it up in vmware, and I purposely mess around with it ... it eventually comes crashing down. ;)
People can question the security of XP/2003, but when it comes down to stability, there is no doubt that Microsoft was able to nail it down this time.

The fact that two of the top five most reliable hosts in the second half of 2004 were running Windows Server 2003 (with two others running FreeBSD) is proof enough that people who claim it's buggy, insecure and unstable are 1) incompetent admins or 2) full of crap.

SPeedY_B said:
It may well be more secure, but I don't see it making a multitude of server owners switch over.
Each one has its place. Any server that hosts ASP.NET content, or other services like SharePoint etc would be running a Windows server. Setups that host PHP+MySQL content mainly would be better off using Linux/BSD.
With that said, change from one to another takes a lot of effort, time and money. Hosts aren't going to switch one way or another in large numbers at a time.
 
perris said:
I really never understood why anyone would think an open source os could be more secure than protected source.

it would however be easier to patch open source when a flaw is discovered, where in a closed os the patch would usually have to come from the provider
Well a lot of people assume an open source OS would be more secure because it has more eyes going over the lines of code than closed source does.

Also a study like this puts RH at a disadvantage as being an open OS bugs are easier to find, whereas with MS OS you can't see the code so bugs might be lying around just waiting to be found .. does that really make it more secure? I would say yes and no .. all depends on how you look at it.
 
Xie said:
Well a lot of people assume an open source OS would be more secure because it has more eyes going over the lines of code than closed source does.

the thing is, I see open source as being more vulnerable for this very reason.
 
That's exactly what I was going to say, but I didn't want to spark any flaming. BTW, what decides which versions of Linux are open source and closed source, and free and priced?
 
perris said:
the thing is, I see open source as being more vulnerable for this very reason.

That seems like it would be true, but the fact is that there are thousands [maybe millions] of eyes looking in that code. Most OSS vulnerabilities are discovered before they are exploited, it would be safe to say that almost all Windows exploits are fixed after they are exploited.

I still don't get the patch time response. Windows 2003 has an unpatched vulnerability that goes back to June 11th 2003.

Windows 2003 has 5 current unpatched vulnerabilities: http://secunia.com/product/1173/

Redhat has 0: http://secunia.com/product/2536/

You might also notice that with Linux, Secunia includes non-default software as well such as CUPS, Xfree/Xorg, and GAIM. A lot of webservers won't be running an IM client, X-window, or a print server, yet there are 0 exploits at this time.

@the_mafia, all Linux is OpenSource. There are some apps that run on Linux that are closed, but they are commercial apps like MATLAB or Communigate. All Linux is technically free as well, some do charge for services like Redhat's Enterprise edition. The only pay Linux distro that I know is Linspire, which is really a joke anyways.
 
Bottom line______nothing is "Secure" no matter how you look at it....But LINUX is by far a better secured OS...my 2cents :)
 
tdinc said:
Bottom line______nothing is "Secure" no matter how you look at it....But LINUX is by far a better secured OS...my 2cents :)

This testing involved "Out-Of-The-Box" setups. Basically, drop CD in, and answer questions and install. The way I see it actually, WinServ2003, due to its encrypted source code, will always be more "secure". Anything done to the OS's after this initial step will only make it more secure, but it was not what the testing was about.


Heeter
 
As I recall from last year's top four rankings of secure operating systems there was Linux in fourth, Windows in third and the top two spots were equally ranked as OS X and FreeBSD.
This if I remember rightly was a survey of server machines. The explanation at the time for the slip of Linux down to fourth was that many governments had switched to using Linux servers and the admins didn't properly know how to secure them.

Had they been able to test either OS X or FreeBSD with a default installation either of these would have come out on top in all likelihood.
 
http://www.vnunet.com/news/1160853


MS bashing Linux? Sounds like a playground bully trying to talk someone down.


"Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.

"In Microsoft's world customers are confident that we take responsibility. They know that they will get their upgrades and patches."


Really? So if I have all my patches and I get a virus that destroys my system are they going to come and recover all my data? Are they going to re-install windows for me and mop up the mess?

No?
 
