News
Commentary
3/31/2005
06:19 PM
Mitch Wagner
Mitch Wagner
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Your Take On Windows-Linux Security Study: Yuck

Readers were skeptical of a recent study that found Microsoft Windows to be more secure than Linux, responding to our request for feedback in ways that left little room for misunderstanding.

This article is adapted from the Security Pipeline Newsletter

Readers were pretty skeptical of a recent study that found Microsoft Windows to be more secure than Linux.

They said the study was unfair because it compared Red Hat Linux — a relatively unsecured distro — to Windows. Readers cited their own experience finding far more problems with Windows than Linux. And they said the fact that Microsoft funded the study guaranteed a pro-Windows outcome.

The original articles:

- Report: Linux Vulnerabilities More Numerous And Severe Than Windows

- Controversial Report Finds Windows More Secure Than Linux

- Blog: Perfectly Good Rants Gone To Waste

- Blog: Earthquakes, Fire, Mudslides, Riots

In an e-mail with the subject line "poor journalism and M$ bias," reader Chris Updegrove, of Sacramento, Calif., wrote:

"A significant flaw in the title of your March 22, 2005 article 'Report: Windows Security Beats Linux' is that Red Hat Enterprise server is not Linux, but a Linux distribution. The title of the article calls the bias of Security Pipeline into question. An unbiased title would read something like 'Microsoft-Funded Report Claims Windows Security Beats Red Hat Linux.' An unbiased journalist would have asked tougher questions about the testing criteria, and would have made a point of informing the reader that more secure Linux distributions like Slackware and Gentoo were not part of the comparison.

"Over 40 Linux distributions are available for comparison, yet only one commercial version of a Linux distribution was used for the security comparison. Marketing-communications firm AvanteGarde recently published the results of a penetration test which examined the security of Microsoft Windows, Macintosh OS X, and Linspire's distribution of Linux. The Windows boxes were compromised within four minutes, while the Linspire and Mac OS X boxes were not compromised at all. To make the conclusion 'Windows security beats Linux' without first clarifying what Linux is, without scrutinizing the testing criteria, or comparing the report to similar reports is misleading and inaccurate.

"Many Windows security vulnerabilities are reported in security forums, newsgroups, and in IRC channels months, if not a year or more before Microsoft acknowledges the vulnerability and makes it 'public.' The average number of days of risk per vulnerability reported in your article is not accurate if that number is based on the date Microsoft acknowledges the vulnerability. You may want to attend Defcon 13 this year, where you will learn about the Windows security vulnerabilities you will write about next year (when they are made 'public')."

Updegrove raises a point made by several readers: that Red Hat is only one Linux distro, and not the most secure one, and a more fair comparison would have pitted Windows against other distros.

Eric Wagner (no relation to me) wrote: "I think the problem is comparing RED HAT to Windows. We run 30+ Debian boxes and two Red Hat boxes. I'll give you one guess as to the only ones we've had problems with."

Brandon Bohannon: "There are more secure Linux distributions. I subscribe to a Linux security newsletter and every Friday they have a list of vulnerabilities by distribution, and Red Hat and Fedora almost always have the most vulnerabilities. Researchers need to run one of their studies on Windows vs. EnGarde Secure Linux, or Slackware. EnGarde hasn't had a vulnerability reported since July 2004, and Slackware hasn't had one reported since November 2004. Researchers probably pick Red Hat because it's the most commercialized."

Dave Nelson, information security officer for the City of Virginia Beach, Virginia, said a skilled systems administrator is more important to security than which operating system is used.

"The system being secured by the most talented admin is the one I'll take every day of the week," he said. "Operating systems come and go but knowledge is here to stay. Find yourself an admin who knows YOUR system inside and out, then tell everyone else to take a leap."

He added that most security problems come not from software vulnerability, but from user error.

Joseph S. Vislocky, chief information officer for Wilmac Corporation, said: "As to whether Linux is more secure than Windows, I can only judge by real-life experience. I have Linux in use as firewall/router at all Internet interface points in my organization. During the evolution of our security scheme, we have been attacked regularly via Internet attacks, viruses and spyware. Some of the attacks have been marginally successful on both the Linux and Windows machines. I have found that successful attacks on Windows are more numerous and onerous to cleanse. Ultimately, I believe that with the proper level of expertise, Linux can be made far more punch-proof than Windows can be. There are just too many things that Microsoft doesn't document well (or at all) that can hurt you."

Steve Ellison, technical analyst II at the University of Pitt-Bradford, said Linux is designed to be more secure than Windows. "Case in point is user creation. Linux has you create and log in with a standard (read: non-privileged) user account. When you need the extra privileges you can su to root. Windows, on the other hand, creates your primary account as an administrator. Conveniently enough, it also leaves the account wide open by not making you specify a password."

He added: "In the end, the level of security of any system is proportionate to the skill and knowledge of its user. I think that everyone would agree with me that the average Linux user is more knowledgeable then the average Windows user. So, one can infer that Linux is more secure because it is in the right hands."

Readers said that the study's funding from Microsoft guaranteed a pro-Microsoft outcome.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
The weekly wrap-up of the top stories from InformationWeek.com this week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.