Another Study of Linux vs Windowsa on Security

[MrCoffee]

Wooo RedHat Enterprise has more security patches, hmm, how about NOT installing the gigs upon gigs of software it comes with and only installing the things Windows comes with. Looks like there is a flaw now. I can count on ONE hand the number of patches SUSE has had for packages that Windows comes with too.

So do you really think that the guys doing this study had GAIM and OpenOffice installed? Mine sure as **** doesnt. It's a stripped RH box, doing basic Web/FTP services. And it has had more patches then my Win2k Box with IIS. Whats that add up to? Nadda. Why?
Different box doing different jobs with different exposure. (FYI, my RH box had 137 patches, and we ARE talking about RH, not SuSE in this study, right?)

I guess the really furstrating part of this discussion, Gore, is the fact that several of us think that you have the knowledge and skill set within Linux to strongly dispute this study, yet all you can manage to do is a "My OS is better then your OS" rant. SDK and myself to name a few a seriously interested in why you feel so strongly, and WHAT technical FACTS you have to back it up.

By this point we all know you hate Windows, but personally I think it is a bit like saying you hate Ford's. Why do I care? Until you put a technical side on your opinion, it is nothing more then bad taste, like enjoying Punk Rock.... :O read Roberta Bragg or a few of TigerShark's tutorials, and Windows CAN be secured. Even with "Tons of software on it". I dont give a crap that you think SuSE the OS to end all OS's, I care about the WHY.

[whatthe]

What you think of that study? True or just another marketing hit?

a Microsoft-funded study has concluded.

I'm sure the Linux commissioned study says the opposite. Like it says in the article it depends on the skill set of the admin. Their concept of what it takes to be secure will remain the same regardless of the OS but they would obviously be able to do a better job sooner with software they are familiar with. There's always going to be a learning curve with the commands and contexts of new software.

[Black Cluster]

Well, I'm totally new to Linux.. but I am getting into it at a relatively good rate.... So far it is functioning quite stable and secure.... I have to agree with Gore at this point.... Linux is a very nice and powerful OS...

But i still believe in one point... Which is a more likely to be a principle.... The user is the first factor in deciding how secure is the OS.....

Linux is by far more secure with Gore than with me.... lol.... Gore knows the A to Z about Linux... but I don't so it would be vulnerable if an ignorant guys uses it....

Nevertheless, the default OS settings of Linux is more security-oriented... Windows has made the OS easier to use at the expense of security dimensions....

Just my $0.02

Cheers...

[whatthe]

Links to the methodology and final results.

http://www.securityinnovation.com/pd...inal_study.pdf

http://www.securityinnovation.com/pd...ethodology.pdf

And from TechWorld
Are independent reports meaningful any more?

The published report (pdf) now confirms that its funding did indeed come from Microsoft, which is bound to undermine its credibility in the eyes of some. The authors counter this, noting, “We have full editorial control over all research and analysis presented in this report. We stand behind out methodology and execution of that methodology to determine objective results that will be useful to customers and security practitioners.”

What no report can do, however, is compare the risks faced by companies running the rival systems in real-world conditions. That would mean taking account not only of noted vulnerabilities and patching cycles but the likelihood of an attacker successfully targeting any one of them during the window of vulnerability. There is no evidence that one server operating system is more likely to be targeted than an other, so much of the “days of risk” hypothesis remains just that.

And with the industry and its appointees now turning out reports the independence of which is increasingly being questioned, even valuable information now risks getting lost amidst accusation and counter-accusation.

Hey that's us

http://www.techworld.com/security/ne...fm?NewsID=3372

[MrCoffee]

I'm sure the Linux commissioned study says the opposite.

Yes there have been tons of them. Way too many assumations and exceptions in both this study, and the ones bias toward Linux.

evertheless, the default OS settings of Linux is more security-oriented... Windows has made the OS easier to use at the expense of security dimensions....

This is ONLY true IF the user installing it does NOT use the root as the primary user. I have found more then one person running Linux as ROOT because they had problems installing a package or some app, so they just ran as root. Or how about someone that opens up the stock firewall to accept all incomming?
To say that Linux is more secure out of the box after install then Windows is to say that all Windows users are not knowledgeable, and Linux users are all Guru's. It isnt the case.

Compare a properly configured Win-box verses a properly configure Linux box for a more accurate measure. Post your results, become famous, date super models!

Gore:

The researchers also studied Red Hat and Windows Web servers in minimal configurations, taking out of consideration applications that are not needed for serving Web pages. Even in that case, Microsoft still handily beat Red Hat, with only 52 flaws, compared with 132 for the Linux software.

Tons of software?