February 18th, 2005, 04:19 AM
Nice to see RedHat is the only Linux distro in the whole World and just because it had these flaws that all others do. I wonder...... Did they do a full install of all ... 3 GBs of software? And then count how many of those were patched?
I've said it before:
Trim Linux installs down to nothing but what Windows comes with too and try again. Most people fail to point out the average Linux distro comes with about 10 X the software Windows comes with. More software = more risk for patches.
February 18th, 2005, 04:37 AM
My intent was not another windows vs. linux discussion.
God I'm sick of these windows vs linux discussions
Taken from the original article, I just wanted to see what people thought about an average system admin. and a "wizard" admin. The article does not prove anything except to have your article written.
Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
February 18th, 2005, 04:55 AM
I run both web servers IIS 6 and I run Apache 1.3.3.
I have never had a security breach nor any problems with either of these webservers other than me messing up the httpd.conf file once. lol
February 18th, 2005, 05:20 AM
Re: Study finds Windows more secure than Linux
Seattle Times, I'm sure Microsoft's home town newspaper would try and promote a Microsoft product. That city gains way too much off of Microsoft not to.
I'm wondering what packages were installed on Red Hat; its default setup had never impressed me as far as security is concerned.
They compared Windows Server 2003 and Red Hat Enterprise Server 3 running databases, scripting engines and Web servers
These studies are pointless. I do not think one has been done yet that hasn't been slanted one way or another. If the admin keeps the system patched, there is no problem.
February 18th, 2005, 06:02 AM
Wrong. The FBI Email was hacked recently and they had all Windows patches in.
February 18th, 2005, 06:42 AM
I generally don't get involved in these types of discussions due to the rapid tendency of degradation. However, this study beckons a response. eEye tracks Microsoft 3 years behind on critical patches. The worst response time I have ever seen out of Apache is 2 weeks.
I must agree that IIS 6.0 is too fresh/raw to be properly evaluated. Wait until the first vulnerability is found and factor in Microsoft's response time to get a "properly working" patch out to the public. This I believe is where the numbers will separate fact from advertising hype.
A good example of this is the now recalled Longhorn. What was hyped as the most secure OS Microsoft ever released turned, in my opinion, into an advertising embarrassment that Microsoft will never live down. Apache 2.x has a working history, IIS 6.0 has nothing to back any creditable results on.
An aside to this: let's have an evaluation of Linux vs Microsoft done by a hard-core, back-breaking, blinder-ridden Mac user, perhaps Steve Jobs. Then and only then will we settle this rhetorical OS war. Those results WOULD be very interesting considering Steve Jobs' partiality to Mac. How about Larry Elliot (Oracle), the man that believes the PC is the parasitic plague of the universe, another very interesting result.
February 18th, 2005, 10:04 AM
Firstly, let me categorically state that I am no expert in this area, so I will wear my Finance Director/CFO hat (you know, the miserable little £$%^%^& you have to get to sign the purchase authority).
I question the validity of these "researches" as I wonder how easy it is to get a "level playing field" when doing virtually "out of the box" comparisons between professional products.
I would want to see a comparison between Product A + Wizard and Product B + Wizard
I am also sceptical about vulnerability and patch statistics. How many are just proof of concept? How many have actually been exploited? What was the cost to the organisations concerned?
I think that the whole subject is rather more complex than these two dimensional analyses suggest, particularly if you view security as a layered rather than a single product concept.
Just my £0.02
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
February 18th, 2005, 10:25 PM
Duck has a good point too. But the case is that anyone can start IIS or a Linux web server without knowing the risks associated with doing so.
Personally, for enterprise applications I use enterprise OSes; Windows is not my first choice for anything.
March 29th, 2005, 08:25 AM
Hmmm, according to Zone-h.org analysis, I see that Windows in secure than Linux.
Check it out: http://www.zone-h.org/en/winvslinux2
If you didn't hack your system, who will do it!!!
THE MAN OF THE DARK SIDE
March 29th, 2005, 08:48 AM
Until any distro of Linux comes out with a widely accepted TFM, these studies are worthless.
Until these studies consider real world risks (inside attacks, odds of misconfiguration, audit trail accountability) they will be worthless.
Until then, we are merely left with DOD-5200.28-STD and ISO 15408, which state thus far: Windows has better security with regard to confidentiality and integrity and equal security (when compared to specific vendors, better than others) for availability and assurances. These statements are very incomplete, however, because the Linux community cannot bond together enough to come up with a single specification; instead they want to compare all the best attributes of many different kernel mods as well as exotic and research variations/configurations. This makes Linux impossible to quantify and we are left with this nebulous blob that no one can agree upon. This may be its greatest strength as far as home users in the know go; it is its biggest weakness as far as the corporate world and perhaps more importantly high assurance environments go. A few vendors have tried to correct this by defining their own specific flavor, but this runs into further problems with a large percentage of the Linux core user base... *sigh*
Although IIS6 is the better product, I still prefer IIS5 for security reasons due to my possession of a DBAC kernel module. (and as much as I love me some Windows, porting such things from one rev to the next can be a MAJOR headache.)