Readers were pretty skeptical of a recent study that found Microsoft Windows to be more secure than Linux.
They said the study was unfair because it compared Red Hat Linux — a relatively unsecured distro — to Windows. Readers cited their own experience finding far more problems with Windows than Linux. And they said the fact that Microsoft funded the study guaranteed a pro-Windows outcome.
In an e-mail with the subject line "poor journalism and M$ bias," reader Chris Updegrove, of Sacramento, Calif., wrote:
"A significant flaw in the title of your March 22, 2005 article 'Report: Windows Security Beats Linux' is that Red Hat Enterprise server is not Linux, but a Linux distribution. The title of the article calls the bias of Security Pipeline into question. An unbiased title would read something like 'Microsoft-Funded Report Claims Windows Security Beats Red Hat Linux.' An unbiased journalist would have asked tougher questions about the testing criteria, and would have made a point of informing the reader that more secure Linux distributions like Slackware and Gentoo were not part of the comparison.
"Over 40 Linux distributions are available for comparison, yet only one commercial version of a Linux distribution was used for the security comparison. Marketing-communications firm AvanteGarde recently published the results of a penetration test which examined the security of Microsoft Windows, Macintosh OS X, and Linspire's distribution of Linux. The Windows boxes were compromised within four minutes, while the Linspire and Mac OS X boxes were not compromised at all. To make the conclusion 'Windows security beats Linux' without first clarifying what Linux is, without scrutinizing the testing criteria, or comparing the report to similar reports is misleading and inaccurate.
"Many Windows security vulnerabilities are reported in security forums, newsgroups, and in IRC channels months, if not a year or more before Microsoft acknowledges the vulnerability and makes it 'public.' The average number of days of risk per vulnerability reported in your article is not accurate if that number is based on the date Microsoft acknowledges the vulnerability. You may want to attend Defcon 13 this year, where you will learn about the Windows security vulnerabilities you will write about next year (when they are made 'public')."
Updegrove raises a point made by several readers: that Red Hat is only one Linux distro, and not the most secure one, and a more fair comparison would have pitted Windows against other distros.
Eric Wagner (no relation to me) wrote: "I think the problem is comparing RED HAT to Windows. We run 30+ Debian boxes and two Red Hat boxes. I'll give you one guess as to the only ones we've had problems with."
Brandon Bohannon: "There are more secure Linux distributions. I subscribe to a Linux security newsletter and every Friday they have a list of vulnerabilities by distribution, and Red Hat and Fedora almost always have the most vulnerabilities. Researchers need to run one of their studies on Windows vs. EnGarde Secure Linux, or Slackware. EnGarde hasn't had a vulnerability reported since July 2004, and Slackware hasn't had one reported since November 2004. Researchers probably pick Red Hat because it's the most commercialized."
Dave Nelson, information security officer for the City of Virginia Beach, Virginia, said a skilled systems administrator is more important to security than which operating system is used.
"The system being secured by the most talented admin is the one I'll take every day of the week," he said. "Operating systems come and go but knowledge is here to stay. Find yourself an admin who knows YOUR system inside and out, then tell everyone else to take a leap."
He added that most security problems come not from software vulnerability, but from user error.
Joseph S. Vislocky, chief information officer for Wilmac Corporation, said: "As to whether Linux is more secure than Windows, I can only judge by real-life experience. I have Linux in use as firewall/router at all Internet interface points in my organization. During the evolution of our security scheme, we have been attacked regularly via Internet attacks, viruses and spyware. Some of the attacks have been marginally successful on both the Linux and Windows machines. I have found that successful attacks on Windows are more numerous and onerous to cleanse. Ultimately, I believe that with the proper level of expertise, Linux can be made far more punch-proof than Windows can be. There are just too many things that Microsoft doesn't document well (or at all) that can hurt you."
Steve Ellison, technical analyst II at the University of Pitt-Bradford, said Linux is designed to be more secure than Windows. "Case in point is user creation. Linux has you create and log in with a standard (read: non-privileged) user account. When you need the extra privileges you can su to root. Windows, on the other hand, creates your primary account as an administrator. Conveniently enough, it also leaves the account wide open by not making you specify a password."
He added: "In the end, the level of security of any system is proportionate to the skill and knowledge of its user. I think that everyone would agree with me that the average Linux user is more knowledgeable then the average Windows user. So, one can infer that Linux is more secure because it is in the right hands."
Readers said that the study's funding from Microsoft guaranteed a pro-Microsoft outcome.
IT's Reputation: What the Data SaysInformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.