• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Windows is more secure than Linux....really?

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Goto page 1, 2, 3  Next
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> UNIX // GNU/Linux

View previous topic :: View next topic  
Author Message
AlmostSecure
Just Arrived
Just Arrived


Joined: 02 May 2003
Posts: 0
Location: Taiwan

Offline

PostPosted: Tue Sep 02, 2003 3:37 pm    Post subject: Windows is more secure than Linux....really? Reply with quote

http://www.wininformant.com/Articles/Index.cfm?ArticleID=39785

I've recently been handed this after having touted Linux as being more secure than Windows...hands down. Yet the guy that I argue with is always trying to champion Windows as being several levels above what the idiot/unguided and undisciplined Linux programmers could ever handle. It really chaps my hide, and I want to really rub him the wrong way with real proof....

anyone out there think they can help?

JR
Back to top
View user's profile Send private message Visit poster's website
uncletom
Just Arrived
Just Arrived


Joined: 21 Jun 2003
Posts: 8
Location: Isle of Man

Offline

PostPosted: Tue Sep 02, 2003 5:18 pm    Post subject: Reply with quote

First argument: it's not necessarily the most unbias news source is it!

Second argument: I'd like to see what Windows 2000's rating would be now in light of the Blaster etc exploits

Third argument: when you want to sort out a set of lost local passwords under windows what OS on a disk do you use? Linux! (Don't know if that's relevant, but it's worth tossing in!)

Anyway, I'll leave it to my more esteemed colleagues to throw more wood on the M$ pyre!
Back to top
View user's profile Send private message Send e-mail
Sgt_B
Trusted SF Member
Trusted SF Member


Joined: 28 Oct 2002
Posts: 16777215
Location: Chicago, IL US

Offline

PostPosted: Tue Sep 02, 2003 5:25 pm    Post subject: Reply with quote

Beware! Flame-bait! Twisted Evil

To answer your question...
The security of the OS depends wholly on the skill of the administrator. I can lock down a win2k box just as tight as a nix box..better infact since I'm better with win32. See?

Don't talk to me about default installs either...that is irritating as anyone who leaves a default install in production is an idiot. Exploits? Yeah there's usually more for win32, but you just gotta patch more often.
(Redhat had more vulnerabilities last year than win2k, btw)
Back to top
View user's profile Send private message Visit poster's website
uncletom
Just Arrived
Just Arrived


Joined: 21 Jun 2003
Posts: 8
Location: Isle of Man

Offline

PostPosted: Tue Sep 02, 2003 5:45 pm    Post subject: Reply with quote

*notes flame-bait remark and puts on asbestos suit* Wink
Back to top
View user's profile Send private message Send e-mail
AlmostSecure
Just Arrived
Just Arrived


Joined: 02 May 2003
Posts: 0
Location: Taiwan

Offline

PostPosted: Tue Sep 02, 2003 5:57 pm    Post subject: Reply with quote

Sgt_B wrote:
Beware! Flame-bait! Twisted Evil

To answer your question...
The security of the OS depends wholly on the skill of the administrator. I can lock down a win2k box just as tight as a nix box..better infact since I'm better with win32. See?

Don't talk to me about default installs either...that is irritating as anyone who leaves a default install in production is an idiot. Exploits? Yeah there's usually more for win32, but you just gotta patch more often.
(Redhat had more vulnerabilities last year than win2k, btw)


No flame bait seen Smile , what I will say is that the article falls woefully short on it's explanation of what kind of tests were performed.

secondly, I can take most *nix flavors and with some fanagaling, make them far more secure than any Windows system...but that means some serious tweaking. I'm not as good with win32 as you probably are, but I still have trouble with Windoze opening ports or starting services by default when I install some new software or patch for IIS or other services.

But we can agree on at least one thing, the biggest security flaws in any system is right between the keyboard and the chair. Razz

JR
Back to top
View user's profile Send private message Visit poster's website
b4rtm4n
Trusted SF Member
Trusted SF Member


Joined: 26 May 2002
Posts: 16777206
Location: Bi Mon Sci Fi Con

Offline

PostPosted: Tue Sep 02, 2003 6:00 pm    Post subject: Reply with quote

However you can patch a *nix box straight away with minimal disruption to service. And you can roll back almost immeditately if theres a problem.

With a win box you need to test and schedule a bounce for out of production hrs. Assuming you can get the patch Twisted Evil And unintsalling the patch ... arrgghhh!

Plus theres the added problem of not know what else has been included in the patch from MS.
Back to top
View user's profile Send private message Send e-mail
Sgt_B
Trusted SF Member
Trusted SF Member


Joined: 28 Oct 2002
Posts: 16777215
Location: Chicago, IL US

Offline

PostPosted: Tue Sep 02, 2003 6:38 pm    Post subject: Reply with quote

Quote:
Plus theres the added problem of not know what else has been included in the patch from MS.

Are you insinuating that MS might be doing things to my computer w/o my knowledge?!?! You must be insane to make such an accusation! Twisted Evil

Patching MS compared to patching *nix is night and day...agreed. After patches are installed (successfully), and assuming the patch doesn't have any adverse affects, the win32 box is good to go.

I should also note that its been known that some MS patches undo the changes made by prevoius patches, thus exposing the system to prevoius flaws that are assumed to be patched. I can't remember any examples, but I remember this being the case.

All that being said...I think you can lock down any win32 box just as tight as any nix, given a competant admin, and proper and timely distribution of effective patches. Also assuming no intruders have physical access to the server.

Ok, all done with assumptions..... Smile
Back to top
View user's profile Send private message Visit poster's website
shakin
Just Arrived
Just Arrived


Joined: 18 Jul 2003
Posts: 0


Offline

PostPosted: Tue Sep 02, 2003 6:49 pm    Post subject: Reply with quote

Sgt_B wrote:
Redhat had more vulnerabilities last year than win2k, btw


That's not entirely true. Red Hat releases pathes for hundreds of pieces of software along with those for Linux. Microsoft probably combines Windows and IIS patches only, then releases SQL Server Content Server, Windows Media Server, etc. patches separately. Not to mention the fact that they don't release any patches for software from 3rd party companies.
Back to top
View user's profile Send private message Send e-mail
shakin
Just Arrived
Just Arrived


Joined: 18 Jul 2003
Posts: 0


Offline

PostPosted: Tue Sep 02, 2003 7:01 pm    Post subject: Reply with quote

Read the comments to that Winformant article. There's a gem that outlines what the CC is (ie. it doesn't measure security, only documentation):

"The Common Criteria provides four levels of assurance that are mutually recognized by the sixteen participating countries, EAL1 through EAL4. Naively, one might assume that a product certified to EAL4 is "more secure" than a product certified to EAL1, just like an "A" in a college course indicates better student performance than a "D". But the EAL1-EAL4 scale is only superficially similar to grading systems like the classic D-C-B-A report card. Each ascending level of assurance requires more product _documentation_ rather than more product _security_ per se. EAL4, in particular, requires dozens of documents that can add up to thousands of pages for even relatively simple products. Many of these documents are created solely for the CC process; they serve no other purpose. Often the highest "grades" go to the product vendor with the biggest documentation budget, independent of the real world assurance provided by the targets of evaluation (TOEs)."
Back to top
View user's profile Send private message Send e-mail
uncletom
Just Arrived
Just Arrived


Joined: 21 Jun 2003
Posts: 8
Location: Isle of Man

Offline

PostPosted: Tue Sep 02, 2003 7:36 pm    Post subject: Reply with quote

So you don't understand how having thousands of pages of documentation can make a system more secure? Allow me to explain, it's a simple procedure...


...Stack all the manuals/ pages of dox around the server so you can't get to it, there!

Mwuhahahahahahahahahahahahahahahahahahahahahahaha Twisted Evil
Back to top
View user's profile Send private message Send e-mail
ncrawler
Just Arrived
Just Arrived


Joined: 19 Aug 2003
Posts: 0
Location: Santo Ângelo, RS, Brazil

Offline

PostPosted: Tue Sep 02, 2003 7:52 pm    Post subject: Reply with quote

I believe in the security provided by a software that you can actually see running, modify its code, recompile and put it to work again, makes me feel good to know that an admin with more knowledge than me can patch it too and publish it so I can get it. Try doying that with MS software. Cool I am a FS addicted.

And btw, how often you see virus, worms, trojs, spyware (?! if any) patches for POSIX systems?! I run both systems in a lab, guess wich one gives me more work to set security in?! (yeah, yeah, MS). Wink

And Ok, soe nix systems have as many patches as MS ones, but most of them are actually versions reviewed, and not security holes filled with more and more code. Well, I won't argue with that cause I simply hate MS. Twisted Evil
Back to top
View user's profile Send private message
ShaolinTiger
Forum Fanatic
Forum Fanatic


Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Offline

PostPosted: Tue Sep 02, 2003 10:01 pm    Post subject: Reply with quote

Well there's no point in me reciting everyone elses points, but it is about whoever sets up/administers the machine not about the underlying OS, although I do believe the OSS model to be more secure as security through obscurity is tenuous at best.

b4rtm4n makes some salient points about patching however and the fact that you can look at the diff files to see what they do before applying them is nice.

Or if you have Debian stable you can just to apt-get update && apt-get upgrade Smile

As for the original article it's points are fair to a degree, they are just the facts, obviously slanted in MS way.

To me the certification means nothing if Windows2000 as a default install can get it..

And the GNU/Linux community in general doesn't have the money nor inclination to participate in such things, so well we don't jump through hoops, does that make us less secure?

As for Linux vs Windows, if Linux became as popular as Windows there would be a hell of a lot more viruses and worms for it..

The fact is at present most Linux users are allready power users so are more familiar with baseline security and good admin practise.

You can't say that for the average Joe Sixpack on WindowsXP.

I do believe however Linux is more secure by design and somewhat easier to secure (once you are familiar with it) it tells you exactly what it's doing and allows you to change any of its behaviour. Plus it has a good model of privelege seperation.
Back to top
View user's profile Send private message Visit poster's website
AlmostSecure
Just Arrived
Just Arrived


Joined: 02 May 2003
Posts: 0
Location: Taiwan

Offline

PostPosted: Wed Sep 03, 2003 9:49 am    Post subject: Reply with quote

Ok, so I sent off a response to my friend and wrote:

Well, testing one distro hardly shows that Windows beats Linux out for
security....that's like saying that Our formula 1 is faster than a
honda...yet fail to mention it's a honda hatchback.

No matter how many Windows yes men try and stack the deck in Windows favor,
a real test would be to test all distro's against eachother in a head to
head competition. And with different categorys, like home OS, Webserver OS,
Distributed Databases etc...

The latest spreading of the Blaster worm just shows that Windows isn't as
secure as claims made.....sure, reading through all the reams of
instructions of how to batten down the hatches may take care of a lot....it
still falls woefully short of making Windows a good secure system.

This article (http://securityfocus.com/news/6767) illustrates some scary
consequenses of the flaws inherent in the closed system of the Windows
development model. (i.e. usually, Microsoft AND us users don't know about
the flaw until after it's been exploited by the bad guys)


Then, he responded almost as I figured he would...

And he wrote:
It is interesting to me that, although Linux (and most other unix flavors)
suffers from consistent flawed architecture
http://www.securityfocus.com/bid/vendor/ (Linux) and that, in fact the very
concept you propose about testing systems intended for 'home' users, web
server OS, etc. is exactly what Microsoft has done, that there is STILL no
concept of UNBIASED approach to consulting on behalf of clients from a
perspective that is ultimately pragmatic and bent only on what the best
solution for the requirements might be.
It seems to me that the present state of computing with respect to home and
SME business computing is that OSes are neither as reliable or sturdy as our
dreams envision. So, I stay away from the judgements and rhetoric. In my
minds eye I see a completely alternate system, neither unix (Linux) nor
Microsoft that comes into being and within a few years is considered the
bee's knees because of it's 'appliance' like reliability.


All in all, I believe that his lack of understanding of linux and it's capabilities and the fact that all his carreer has been made up of administering Windows has colored his response.

/sarcasim on

How can I respond when his perspective is so skewed towards Windows and it's obvious greatness?

/sarcasim off

JR
Back to top
View user's profile Send private message Visit poster's website
b4rtm4n
Trusted SF Member
Trusted SF Member


Joined: 26 May 2002
Posts: 16777206
Location: Bi Mon Sci Fi Con

Offline

PostPosted: Wed Sep 03, 2003 10:31 am    Post subject: Reply with quote

simply reply

Quote:
O/S2
Back to top
View user's profile Send private message Send e-mail
uncletom
Just Arrived
Just Arrived


Joined: 21 Jun 2003
Posts: 8
Location: Isle of Man

Offline

PostPosted: Wed Sep 03, 2003 6:48 pm    Post subject: Reply with quote

Personally i wouldn't be bothered in replying on this thread of conversation, since it appears as thouhg his oppinion won't be changed (like so many Windows afficionados).

I long ago gave up arguing with people who say that Linux is nsecure since their attitude is usually one of "lalalalala, i'm not listening, lalalalalala"

Might I suggest sitting back as feeling smug in the fact thet you know ur right, works well for me!

*goes looking for "smug" emoticon*
Back to top
View user's profile Send private message Send e-mail
MrAcrim0ny
Just Arrived
Just Arrived


Joined: 15 Jul 2003
Posts: 0


Offline

PostPosted: Thu Sep 04, 2003 1:49 am    Post subject: Reply with quote

First off, organizations that work for the government are usually always paid off to list things as meeting criteria - look at the FDA, for example. I really don't think the NSA, or DoD (or ISO for that matter) are in any position to determine what *my* security needs are. To rate an operating system's security, in a way that is meaningful to *me*.

As well, I don't really believe in the myth of a 'secure OS'... at it's core, a system that is secure by design would likely have to start with hardware that partitions functions from one another. Next you would need good filesystem access controls, and then memory, CPU, network resource, and disk quotas that are easy to configure and enforce. Then you need process controls, to limit the window into the system that is visible to a process, and the resources available to that process (within the limits established for the user). Next you need network access controls and monitoring, so that you know what application did what, on the network. It's a lore more than I've seen any operating system come even close to..

I feel that ANY operating system can be as secure, or insecure as the administrator makes it. Although organizations may 'audit' the system for certain features, are they anything *you* are going to be using? The majority of users would have a secure windows operating system if they knew how to work it properly, and patch it regularly, but then again that goes for any Operating system.

To conclude, I don't believe in that 'bullplop' that agencies, and companies put out on operating systems. I think your best bet is to go and try a few operating systems yourself, and see what you like.
Back to top
View user's profile Send private message AIM Address
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> UNIX // GNU/Linux All times are GMT + 2 Hours
Goto page 1, 2, 3  Next
Page 1 of 3


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register