View previous topic :: View next topic |
Author |
Message |
AlmostSecure Just Arrived
Joined: 02 May 2003 Posts: 0 Location: Taiwan
|
Posted: Tue Sep 02, 2003 3:37 pm Post subject: Windows is more secure than Linux....really? |
|
|
http://www.wininformant.com/Articles/Index.cfm?ArticleID=39785
I've recently been handed this after having touted Linux as being more secure than Windows...hands down. Yet the guy that I argue with is always trying to champion Windows as being several levels above what the idiot/unguided and undisciplined Linux programmers could ever handle. It really chaps my hide, and I want to really rub him the wrong way with real proof....
anyone out there think they can help?
JR
|
|
Back to top |
|
|
uncletom Just Arrived
Joined: 21 Jun 2003 Posts: 8 Location: Isle of Man
|
Posted: Tue Sep 02, 2003 5:18 pm Post subject: |
|
|
First argument: it's not necessarily the most unbias news source is it!
Second argument: I'd like to see what Windows 2000's rating would be now in light of the Blaster etc exploits
Third argument: when you want to sort out a set of lost local passwords under windows what OS on a disk do you use? Linux! (Don't know if that's relevant, but it's worth tossing in!)
Anyway, I'll leave it to my more esteemed colleagues to throw more wood on the M$ pyre!
|
|
Back to top |
|
|
Sgt_B Trusted SF Member
Joined: 28 Oct 2002 Posts: 16777215 Location: Chicago, IL US
|
Posted: Tue Sep 02, 2003 5:25 pm Post subject: |
|
|
Beware! Flame-bait!
To answer your question...
The security of the OS depends wholly on the skill of the administrator. I can lock down a win2k box just as tight as a nix box..better infact since I'm better with win32. See?
Don't talk to me about default installs either...that is irritating as anyone who leaves a default install in production is an idiot. Exploits? Yeah there's usually more for win32, but you just gotta patch more often.
(Redhat had more vulnerabilities last year than win2k, btw)
|
|
Back to top |
|
|
uncletom Just Arrived
Joined: 21 Jun 2003 Posts: 8 Location: Isle of Man
|
Posted: Tue Sep 02, 2003 5:45 pm Post subject: |
|
|
*notes flame-bait remark and puts on asbestos suit*
|
|
Back to top |
|
|
AlmostSecure Just Arrived
Joined: 02 May 2003 Posts: 0 Location: Taiwan
|
Posted: Tue Sep 02, 2003 5:57 pm Post subject: |
|
|
Sgt_B wrote: |
Beware! Flame-bait!
To answer your question...
The security of the OS depends wholly on the skill of the administrator. I can lock down a win2k box just as tight as a nix box..better infact since I'm better with win32. See?
Don't talk to me about default installs either...that is irritating as anyone who leaves a default install in production is an idiot. Exploits? Yeah there's usually more for win32, but you just gotta patch more often.
(Redhat had more vulnerabilities last year than win2k, btw) |
No flame bait seen , what I will say is that the article falls woefully short on it's explanation of what kind of tests were performed.
secondly, I can take most *nix flavors and with some fanagaling, make them far more secure than any Windows system...but that means some serious tweaking. I'm not as good with win32 as you probably are, but I still have trouble with Windoze opening ports or starting services by default when I install some new software or patch for IIS or other services.
But we can agree on at least one thing, the biggest security flaws in any system is right between the keyboard and the chair.
JR
|
|
Back to top |
|
|
b4rtm4n Trusted SF Member
Joined: 26 May 2002 Posts: 16777206 Location: Bi Mon Sci Fi Con
|
Posted: Tue Sep 02, 2003 6:00 pm Post subject: |
|
|
However you can patch a *nix box straight away with minimal disruption to service. And you can roll back almost immeditately if theres a problem.
With a win box you need to test and schedule a bounce for out of production hrs. Assuming you can get the patch And unintsalling the patch ... arrgghhh!
Plus theres the added problem of not know what else has been included in the patch from MS.
|
|
Back to top |
|
|
Sgt_B Trusted SF Member
Joined: 28 Oct 2002 Posts: 16777215 Location: Chicago, IL US
|
Posted: Tue Sep 02, 2003 6:38 pm Post subject: |
|
|
Quote: |
Plus theres the added problem of not know what else has been included in the patch from MS. |
Are you insinuating that MS might be doing things to my computer w/o my knowledge?!?! You must be insane to make such an accusation!
Patching MS compared to patching *nix is night and day...agreed. After patches are installed (successfully), and assuming the patch doesn't have any adverse affects, the win32 box is good to go.
I should also note that its been known that some MS patches undo the changes made by prevoius patches, thus exposing the system to prevoius flaws that are assumed to be patched. I can't remember any examples, but I remember this being the case.
All that being said...I think you can lock down any win32 box just as tight as any nix, given a competant admin, and proper and timely distribution of effective patches. Also assuming no intruders have physical access to the server.
Ok, all done with assumptions.....
|
|
Back to top |
|
|
shakin Just Arrived
Joined: 18 Jul 2003 Posts: 0
|
Posted: Tue Sep 02, 2003 6:49 pm Post subject: |
|
|
Sgt_B wrote: |
Redhat had more vulnerabilities last year than win2k, btw |
That's not entirely true. Red Hat releases pathes for hundreds of pieces of software along with those for Linux. Microsoft probably combines Windows and IIS patches only, then releases SQL Server Content Server, Windows Media Server, etc. patches separately. Not to mention the fact that they don't release any patches for software from 3rd party companies.
|
|
Back to top |
|
|
shakin Just Arrived
Joined: 18 Jul 2003 Posts: 0
|
Posted: Tue Sep 02, 2003 7:01 pm Post subject: |
|
|
Read the comments to that Winformant article. There's a gem that outlines what the CC is (ie. it doesn't measure security, only documentation):
"The Common Criteria provides four levels of assurance that are mutually recognized by the sixteen participating countries, EAL1 through EAL4. Naively, one might assume that a product certified to EAL4 is "more secure" than a product certified to EAL1, just like an "A" in a college course indicates better student performance than a "D". But the EAL1-EAL4 scale is only superficially similar to grading systems like the classic D-C-B-A report card. Each ascending level of assurance requires more product _documentation_ rather than more product _security_ per se. EAL4, in particular, requires dozens of documents that can add up to thousands of pages for even relatively simple products. Many of these documents are created solely for the CC process; they serve no other purpose. Often the highest "grades" go to the product vendor with the biggest documentation budget, independent of the real world assurance provided by the targets of evaluation (TOEs)."
|
|
Back to top |
|
|
uncletom Just Arrived
Joined: 21 Jun 2003 Posts: 8 Location: Isle of Man
|
Posted: Tue Sep 02, 2003 7:36 pm Post subject: |
|
|
So you don't understand how having thousands of pages of documentation can make a system more secure? Allow me to explain, it's a simple procedure...
...Stack all the manuals/ pages of dox around the server so you can't get to it, there!
Mwuhahahahahahahahahahahahahahahahahahahahahahaha
|
|
Back to top |
|
|
ncrawler Just Arrived
Joined: 19 Aug 2003 Posts: 0 Location: Santo Ângelo, RS, Brazil
|
Posted: Tue Sep 02, 2003 7:52 pm Post subject: |
|
|
I believe in the security provided by a software that you can actually see running, modify its code, recompile and put it to work again, makes me feel good to know that an admin with more knowledge than me can patch it too and publish it so I can get it. Try doying that with MS software. I am a FS addicted.
And btw, how often you see virus, worms, trojs, spyware (?! if any) patches for POSIX systems?! I run both systems in a lab, guess wich one gives me more work to set security in?! (yeah, yeah, MS).
And Ok, soe nix systems have as many patches as MS ones, but most of them are actually versions reviewed, and not security holes filled with more and more code. Well, I won't argue with that cause I simply hate MS.
|
|
Back to top |
|
|
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
|
Posted: Tue Sep 02, 2003 10:01 pm Post subject: |
|
|
Well there's no point in me reciting everyone elses points, but it is about whoever sets up/administers the machine not about the underlying OS, although I do believe the OSS model to be more secure as security through obscurity is tenuous at best.
b4rtm4n makes some salient points about patching however and the fact that you can look at the diff files to see what they do before applying them is nice.
Or if you have Debian stable you can just to apt-get update && apt-get upgrade
As for the original article it's points are fair to a degree, they are just the facts, obviously slanted in MS way.
To me the certification means nothing if Windows2000 as a default install can get it..
And the GNU/Linux community in general doesn't have the money nor inclination to participate in such things, so well we don't jump through hoops, does that make us less secure?
As for Linux vs Windows, if Linux became as popular as Windows there would be a hell of a lot more viruses and worms for it..
The fact is at present most Linux users are allready power users so are more familiar with baseline security and good admin practise.
You can't say that for the average Joe Sixpack on WindowsXP.
I do believe however Linux is more secure by design and somewhat easier to secure (once you are familiar with it) it tells you exactly what it's doing and allows you to change any of its behaviour. Plus it has a good model of privelege seperation.
|
|
Back to top |
|
|
AlmostSecure Just Arrived
Joined: 02 May 2003 Posts: 0 Location: Taiwan
|
Posted: Wed Sep 03, 2003 9:49 am Post subject: |
|
|
Ok, so I sent off a response to my friend and wrote: |
Well, testing one distro hardly shows that Windows beats Linux out for
security....that's like saying that Our formula 1 is faster than a
honda...yet fail to mention it's a honda hatchback.
No matter how many Windows yes men try and stack the deck in Windows favor,
a real test would be to test all distro's against eachother in a head to
head competition. And with different categorys, like home OS, Webserver OS,
Distributed Databases etc...
The latest spreading of the Blaster worm just shows that Windows isn't as
secure as claims made.....sure, reading through all the reams of
instructions of how to batten down the hatches may take care of a lot....it
still falls woefully short of making Windows a good secure system.
This article (http://securityfocus.com/news/6767) illustrates some scary
consequenses of the flaws inherent in the closed system of the Windows
development model. (i.e. usually, Microsoft AND us users don't know about
the flaw until after it's been exploited by the bad guys)
|
Then, he responded almost as I figured he would...
And he wrote: |
It is interesting to me that, although Linux (and most other unix flavors)
suffers from consistent flawed architecture
http://www.securityfocus.com/bid/vendor/ (Linux) and that, in fact the very
concept you propose about testing systems intended for 'home' users, web
server OS, etc. is exactly what Microsoft has done, that there is STILL no
concept of UNBIASED approach to consulting on behalf of clients from a
perspective that is ultimately pragmatic and bent only on what the best
solution for the requirements might be.
It seems to me that the present state of computing with respect to home and
SME business computing is that OSes are neither as reliable or sturdy as our
dreams envision. So, I stay away from the judgements and rhetoric. In my
minds eye I see a completely alternate system, neither unix (Linux) nor
Microsoft that comes into being and within a few years is considered the
bee's knees because of it's 'appliance' like reliability.
|
All in all, I believe that his lack of understanding of linux and it's capabilities and the fact that all his carreer has been made up of administering Windows has colored his response.
/sarcasim on
How can I respond when his perspective is so skewed towards Windows and it's obvious greatness?
/sarcasim off
JR
|
|
Back to top |
|
|
b4rtm4n Trusted SF Member
Joined: 26 May 2002 Posts: 16777206 Location: Bi Mon Sci Fi Con
|
Posted: Wed Sep 03, 2003 10:31 am Post subject: |
|
|
simply reply
|
|
Back to top |
|
|
uncletom Just Arrived
Joined: 21 Jun 2003 Posts: 8 Location: Isle of Man
|
Posted: Wed Sep 03, 2003 6:48 pm Post subject: |
|
|
Personally i wouldn't be bothered in replying on this thread of conversation, since it appears as thouhg his oppinion won't be changed (like so many Windows afficionados).
I long ago gave up arguing with people who say that Linux is nsecure since their attitude is usually one of "lalalalala, i'm not listening, lalalalalala"
Might I suggest sitting back as feeling smug in the fact thet you know ur right, works well for me!
*goes looking for "smug" emoticon*
|
|
Back to top |
|
|
MrAcrim0ny Just Arrived
Joined: 15 Jul 2003 Posts: 0
|
Posted: Thu Sep 04, 2003 1:49 am Post subject: |
|
|
First off, organizations that work for the government are usually always paid off to list things as meeting criteria - look at the FDA, for example. I really don't think the NSA, or DoD (or ISO for that matter) are in any position to determine what *my* security needs are. To rate an operating system's security, in a way that is meaningful to *me*.
As well, I don't really believe in the myth of a 'secure OS'... at it's core, a system that is secure by design would likely have to start with hardware that partitions functions from one another. Next you would need good filesystem access controls, and then memory, CPU, network resource, and disk quotas that are easy to configure and enforce. Then you need process controls, to limit the window into the system that is visible to a process, and the resources available to that process (within the limits established for the user). Next you need network access controls and monitoring, so that you know what application did what, on the network. It's a lore more than I've seen any operating system come even close to..
I feel that ANY operating system can be as secure, or insecure as the administrator makes it. Although organizations may 'audit' the system for certain features, are they anything *you* are going to be using? The majority of users would have a secure windows operating system if they knew how to work it properly, and patch it regularly, but then again that goes for any Operating system.
To conclude, I don't believe in that 'bullplop' that agencies, and companies put out on operating systems. I think your best bet is to go and try a few operating systems yourself, and see what you like.
|
|
Back to top |
|
|
|