Your Take On Windows-Linux Security Study: Yuck - InformationWeek

06:19 PM
Mitch Wagner

Your Take On Windows-Linux Security Study: Yuck

Readers were skeptical of a recent study that found Microsoft Windows to be more secure than Linux, responding to our request for feedback in ways that left little room for misunderstanding.

This article is adapted from the Security Pipeline Newsletter

Readers were pretty skeptical of a recent study that found Microsoft Windows to be more secure than Linux.

They said the study was unfair because it compared Red Hat Linux — a relatively unsecured distro — to Windows. Readers cited their own experience finding far more problems with Windows than Linux. And they said the fact that Microsoft funded the study guaranteed a pro-Windows outcome.

The original articles:

- Report: Linux Vulnerabilities More Numerous And Severe Than Windows

- Controversial Report Finds Windows More Secure Than Linux

- Blog: Perfectly Good Rants Gone To Waste

- Blog: Earthquakes, Fire, Mudslides, Riots

In an e-mail with the subject line "poor journalism and M$ bias," reader Chris Updegrove, of Sacramento, Calif., wrote:

"A significant flaw in the title of your March 22, 2005 article 'Report: Windows Security Beats Linux' is that Red Hat Enterprise server is not Linux, but a Linux distribution. The title of the article calls the bias of Security Pipeline into question. An unbiased title would read something like 'Microsoft-Funded Report Claims Windows Security Beats Red Hat Linux.' An unbiased journalist would have asked tougher questions about the testing criteria, and would have made a point of informing the reader that more secure Linux distributions like Slackware and Gentoo were not part of the comparison.

"Over 40 Linux distributions are available for comparison, yet only one commercial version of a Linux distribution was used for the security comparison. Marketing-communications firm AvanteGarde recently published the results of a penetration test which examined the security of Microsoft Windows, Macintosh OS X, and Linspire's distribution of Linux. The Windows boxes were compromised within four minutes, while the Linspire and Mac OS X boxes were not compromised at all. To make the conclusion 'Windows security beats Linux' without first clarifying what Linux is, without scrutinizing the testing criteria, or comparing the report to similar reports is misleading and inaccurate.

"Many Windows security vulnerabilities are reported in security forums, newsgroups, and in IRC channels months, if not a year or more before Microsoft acknowledges the vulnerability and makes it 'public.' The average number of days of risk per vulnerability reported in your article is not accurate if that number is based on the date Microsoft acknowledges the vulnerability. You may want to attend Defcon 13 this year, where you will learn about the Windows security vulnerabilities you will write about next year (when they are made 'public')."

Updegrove raises a point made by several readers: that Red Hat is only one Linux distro, and not the most secure one, and that a fairer comparison would have pitted Windows against other distros.

Eric Wagner (no relation to me) wrote: "I think the problem is comparing RED HAT to Windows. We run 30+ Debian boxes and two Red Hat boxes. I'll give you one guess as to the only ones we've had problems with."

Brandon Bohannon: "There are more secure Linux distributions. I subscribe to a Linux security newsletter and every Friday they have a list of vulnerabilities by distribution, and Red Hat and Fedora almost always have the most vulnerabilities. Researchers need to run one of their studies on Windows vs. EnGarde Secure Linux, or Slackware. EnGarde hasn't had a vulnerability reported since July 2004, and Slackware hasn't had one reported since November 2004. Researchers probably pick Red Hat because it's the most commercialized."

Dave Nelson, information security officer for the City of Virginia Beach, Virginia, said a skilled systems administrator is more important to security than which operating system is used.

"The system being secured by the most talented admin is the one I'll take every day of the week," he said. "Operating systems come and go but knowledge is here to stay. Find yourself an admin who knows YOUR system inside and out, then tell everyone else to take a leap."

He added that most security problems come not from software vulnerability, but from user error.

Joseph S. Vislocky, chief information officer for Wilmac Corporation, said: "As to whether Linux is more secure than Windows, I can only judge by real-life experience. I have Linux in use as firewall/router at all Internet interface points in my organization. During the evolution of our security scheme, we have been attacked regularly via Internet attacks, viruses and spyware. Some of the attacks have been marginally successful on both the Linux and Windows machines. I have found that successful attacks on Windows are more numerous and onerous to cleanse. Ultimately, I believe that with the proper level of expertise, Linux can be made far more punch-proof than Windows can be. There are just too many things that Microsoft doesn't document well (or at all) that can hurt you."

Steve Ellison, technical analyst II at the University of Pitt-Bradford, said Linux is designed to be more secure than Windows. "Case in point is user creation. Linux has you create and log in with a standard (read: non-privileged) user account. When you need the extra privileges you can su to root. Windows, on the other hand, creates your primary account as an administrator. Conveniently enough, it also leaves the account wide open by not making you specify a password."

He added: "In the end, the level of security of any system is proportionate to the skill and knowledge of its user. I think that everyone would agree with me that the average Linux user is more knowledgeable than the average Windows user. So, one can infer that Linux is more secure because it is in the right hands."

Readers said that the study's funding from Microsoft guaranteed a pro-Microsoft outcome.
