Linux lags Windows in new security report
Eugenia Loli, 2005-03-22, Privacy, Security

A report released today indicates Windows Server 2003 may actually be more secure than its most popular Linux competitor when it comes to vulnerabilities and the time it takes to patch them.

About the author: Eugenia Loli. Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.

64 Comments

2005-03-22 11:13 pm Anonymous
It should be said: Microsoft FUNDED the report. Windows won? Go figure…

2005-03-22 11:30 pm Anonymous
“…to be security-conscious is to be a control freak.”
I think the report is valid, but the _number_ of vulnerabilities is only one metric. Especially considering that with Linux you have the ability to swap one vulnerable service for a non-vulnerable one while the problem is fixed.

2005-03-22 11:33 pm Anonymous
I think that’s all that really needs to be said. More FUD from Redmond.

2005-03-22 11:41 pm Anonymous
Seems a fairly balanced test. They don’t make wild claims. Microsoft has put a lot of effort into security lately. This is great. But Microsoft most likely will never give me the flexibility and freedom that comes with GNU/Linux software. Microsoft is a big company with lots of money; if they want good software security then all they have to do is hire all the best security experts in the world. Free software doesn’t have this luxury.

2005-03-22 11:45 pm Anonymous
Microsoft is a big company with lots of money; if they want good software security then all they have to do is hire all the best security experts in the world. Free software doesn’t have this luxury.
Sure they do; the experts just do it in their free time.

2005-03-22 11:53 pm Anonymous
That’s not true, and that mindset is why our public schools are becoming increasingly more inefficient. Problems aren’t solved by money.
They’re solved by people, and not all people can be bought or even found.

2005-03-22 11:53 pm Anonymous
Microsoft needs to start funding reports about how Linux has more viruses, Trojans and worms than Windows does.

2005-03-22 11:54 pm Anonymous
Shouldn’t a very secure system have to be rewritten from scratch? Just asking.

2005-03-22 11:55 pm Anonymous
I had a quick look over the methodology and I have to agree that it does seem to be. The only immediate issue I have is that they are using Red Hat as the only representative of Linux; they would be better off doing the study across a number of distributions and averaging the results. Perhaps if I had a bit more time, I could look more closely and see how balanced it truly is.

2005-03-22 11:55 pm Anonymous
It is another pointless news item. Most of the people reading OSNews don’t really care what one company or another says about security anymore because it is all hyperbole. System security is not something that can either be easily tested or contained in some little report for mindless marketing drones. System security is complicated and changes depending on so many factors it would take over a page to list them all (this 37-page report only covers one such factor, time to patch “critical” flaws). The readers of OSNews know this, so why do we have to keep putting up with all these simplistic reports?

2005-03-22 11:56 pm Anonymous
Here is a quote:
Analysis NOTE: Although additional steps could be carried out to “harden” servers from attack, we will not consider them in this study. We compare default and minimum installations of Red Hat with a Windows Server assuming all components installed. In preliminary reviews, we received questions about this approach and the level of hardening we did or did not do and therefore wish to clarify this issue. As security practitioners, we know either platform is highly “securable” by an expert with the right skill set.
For example, we could lock down Internet Explorer or assume that a company had a policy of “no browsing” from servers. Similarly, many packages could be recompiled or removed from Linux in order to reduce the attack surface. However, at the end of the day, each vendor follows its own philosophy and makes decisions that impact the vulnerability and ease of security management of systems for any customers that are less savvy than top security practitioners. Experience in the security space has shown time and time again that the default configuration is often the configuration used in the real world – for better or for worse. One of the key criticisms levied against previous security comparisons is that they do not give fair credit to the Linux ability to create and deploy a minimum set of components – a security advantage it has over Windows. In comparing the fully-loaded Windows configuration against smaller Linux configurations, we leverage the modularity of Linux to create a minimal configuration for the web server role. In reading this document you should keep in mind that we advocate further steps in production security hardening for either vendor’s platform, but that this analysis can give you some idea of baseline system security.

2005-03-23 12:11 am Anonymous
Yes I did… and where did you get that quote? It wasn’t in the article linked in the description.

2005-03-23 12:14 am Anonymous
These kinds of theoretical studies are just that, theory. To be any sort of real indication, you would have to put a lot of servers on the internet and measure average time to compromise.
“The other metric measured how much time lapsed between public disclosure, such as through announcements on Bugtraq, and a patch release. Researchers referred to the gap as “days of risk.” In Windows, the average was 31.3 days; in Linux it was 69.6 days for minimally configured Red Hat and 71.4 for the default installation.”
How many times do we have to go over this?
If someone reports a vulnerability directly to Microsoft, they keep it secret until they have their patch ready. So time from announcement of the vulnerability to patching is 0 days. But this 0 days has absolutely no correlation to “days of risk”, since the vulnerability remained unpatched before then.

2005-03-23 12:16 am Anonymous
True, they say that and more, BUT on their web site it says:
“Results of Independent Research Project Reveal that Microsoft Windows Server 2003 has Fewer Security Flaws than Multiple Configurations of a Comparable Linux Server”
Now which thing do you think most executives will read, the disclaimers in the report or the big roaring headline?

2005-03-23 12:39 am Anonymous
First, let me say that I have no idea which platform is more secure on the server, but if it’s any reflection of the desktop, then I’d say Linux wins hands down. Why do we have to put up with this crap? How can anyone expect any “study” funded by M$ to be unbiased? Please… get a life.
Well, it doesn’t really matter. Even if this study had been conducted by an open source group and came to the same conclusion, you’d still find issues with it. Why? Because it is impossible to be unbiased when your religion gets in the way.

2005-03-23 12:41 am Anonymous
Well, based on all of the bogus articles that criticise Linux, and mysteriously get posted on this site, I have no confidence in this website regarding this type of advertising.

2005-03-23 12:48 am Anonymous
The bogus report done last week and posted on SCOnews by Reta Skeeter, and we find out that the company actually uses Linux, which is typical of SCO-style journalism.

2005-03-23 12:49 am Anonymous
You must be kidding!

2005-03-23 12:57 am Anonymous
Given the number of packages being dropped from the Fedora 4 ISOs (such as Abiword, GNUmeric and all of KOffice), without any prior warning of deprecation, I’d say both companies are as arrogant as each other.
Neither of them could probably give a rat’s about security either, as they certainly do not care for their installed userbase.

2005-03-23 1:18 am Anonymous
Now which thing do you think most executives will read, the disclaimers in the report or the big roaring headline?
Arguments based upon assumptions are a bit tedious and sometimes pointless. I have no idea what executives will read and how they will interpret the headlines. The merit of the document is in question, not what executives will get out of it (that’s another topic). I think the document has some merit to it. I have personally managed WinNT/2k, Linux (Gentoo, RedHat), Solaris (8, 9) and have found that my RedHat boxes are notorious for being compromised (not my Gentoo). Besides, your server is as secure as your administrator (yes, that points the finger at me).

2005-03-23 1:28 am Anonymous
So why don’t Linux supporters do like Microsoft and fund a third party to run off and do their own comparison research and tests? I’ll tell you why: because they know they’re almost certain to lose in all cases. They know the only time they’ll get a positive report is when either they or someone with a vested interest in Linux, and stands to profit from it, conducts the study. But once they get someone where the outcome of the report doesn’t affect their gain? Forget it. Funding a third party, especially with enthusiasts of your competitor’s product involved, to scrutinise and compare your product with a competitor’s is all about confidence; it’s very telling when the competitor refuses to do as such and starts spewing out “bias”. We also get the admission that Linux distributions are not secure by default. Something anyone with a clue has known for years. Linux needs to shape up and stop spewing out crap like “FUD” and “bias”.
2005-03-23 1:30 am Anonymous
Another worthless article. I read this before OSNews published it: http://www.advogato.org/person/mjcox/

2005-03-23 1:50 am Anonymous
Given the number of packages being dropped from the Fedora 4 ISOs (such as Abiword, GNUmeric and all of KOffice), without any prior warning of deprecation, I’d say both companies are as arrogant as each other.
It seems you do not follow the Fedora Core project very much. The packages you mentioned are currently moved to the Extras repository for Fedora Core 4. http://www.fedoraproject.org/wiki/Extras will help you for a better explanation, as you managed to expose your complete lack of information about the project.

2005-03-23 1:51 am Anonymous
explanation = explain

2005-03-23 2:00 am Anonymous
I am aware of the project and know these files have been moved to Extras. Let me further enlighten you:
1. Many people do not have high-speed internet access. To download these from the Extras repository is unfeasible for us. What of all the people who still rely on ISOs on magazine covers?
2. With each release of Fedora, there is a file that lists new packages added, removed and deprecated with possible removal intended in the future. As a common courtesy, users should at least have been informed with the Fedora 3 release that these packages had been deprecated.
This smacks of total arrogance.

2005-03-23 2:21 am Anonymous
1. Many people do not have high-speed internet access. To download these from the Extras repository is unfeasible for us. What of all the people who still rely on ISOs on magazine covers?
Magazines may add packages from the Extras repository depending on the users’ requests. I noticed Abiword is only 5.4Mb, which means it may take about 20 min to download on narrowband internet.
2. With each release of Fedora, there is a file that lists new packages added, removed and deprecated with possible removal intended in the future.
As a common courtesy, users should at least have been informed with the Fedora 3 release that these packages had been deprecated.
If these packages are deprecated, it means these packages won’t be added for the future version of Fedora, which is not the case. Because of the 4 CDs core rule (excluding disk rescue), cuts have to be made. Details are sketchy. Just keep an eye on incoming changes since the final version of Fedora Core 4 is not out yet.

2005-03-23 2:34 am Anonymous
Finalzone, thanks for the explanation. I am still uneasy about the way they are handling this. My gut feeling is that if GNOME is the default desktop, all of the default GNOME office tools should be included and that, if something is moved from the CDs to Extras, much more notification should be given. I’ll reserve my judgement until the release date of Fedora Core 4, though.

2005-03-23 2:47 am Anonymous
I understand. However, since OpenOffice is already the default, it wouldn’t make sense to include a package that does the same things. The good news is OpenOffice 2.0 for Fedora is split into different applications (Writer, Calc, Impress) so you can choose to not include the whole. I guess we hijacked this topic concerning the usual FUD courtesy of Microsoft. To keep this post related, it is a shame a big company like Microsoft wasted their money on that FUD instead of using it for other projects.

2005-03-23 2:52 am Anonymous
If you don’t like change and are on 56k, what are you doing using Fedora anyway? I mean really, if you don’t like updates why run an OS that has 5-10 updates a week including large things like new kernels and X rebuilds. Fedora is for people who are excited by new goodies and like to take an active approach. It’s not for someone who doesn’t like change. If I was on 56k I’d be using SuSE or something; don’t they have binary patches instead of the whole rebuilt exe? They used to…

2005-03-23 2:55 am Anonymous
“Why do we have to put up with this crap?
How can anyone expect any “study” funded by M$ to be unbiased? Please… get a life.”
How could anyone expect any funded study to be unbiased? This report is about as credible as one funded by Redhat.
“Besides, this just shows that Linux hackers are more efficient at tracking vulnerabilities than Winbloze engineers. God knows how many vulnerabilities truly exist in Winbloze…”
Winbloze? Never heard of that OS. I guess I’ll stay away from it and stick with Windows XP. Never had a virus or bit of spyware on it, runs everything I need, and best of all, it’s as solid as a rock!

2005-03-23 3:04 am Anonymous
Neither RedHat nor Windows is perfect with security, obviously, but the major problem I have with most ‘security’ studies is that Windows comes with one app for one task, while Linux distros come with 4 apps for any given task. Where are the vulnerabilities in sylpheed? Evolution? Kmail? pine? balsa? Compare them all against Outlook? Hardly fair, is it? Here is probably another significant difference. Win 2003 was built with security in mind. They were having a big PR nightmare and made 2003 calling it as watertight as a frog’s ass. If Redhat comes out with a “red hat secure server” let me know; I’m sure it will have excellent fw rules, an SELinux policy that prevents user_r main /proc privileges (preventing half the exploits), slimmed-down packages, stack protection compiled in (like Win 2003)… Look, let’s just say this list can go on forever. It’s an apples/oranges comparison, in short.

2005-03-23 3:30 am Anonymous
If Microsoft-funded studies didn’t consistently get different results than independent ones… As it is, I’ll withhold judgement atm. I would also say this is a reflection on Redhat more than the OSS community at large; what would be really interesting is a comparison between a bug being reported and the various large distros’ reaction time.

2005-03-23 4:17 am Anonymous
This site needs someone with a CS degree to manage it, because it’s too much like the SCO.
There’s news out there, but this website posts very few quality articles and information.

2005-03-23 4:18 am Anonymous
We’ve seen this before. In fact we see them about once a month. And still the real world completely contradicts the PR-dept-funded tripe, go figure.

2005-03-23 4:21 am Anonymous
This is MS FUD, nothing more. How Microsoft gets certain people to believe these lies is truly amazing. What’s worse than Microsoft business practices? Someone that does not take the time to educate themselves about the options available and protect themselves. Ignorance is not bliss.

2005-03-23 4:23 am Anonymous
Talk in the IT world is cheap… Linux has been given a lot of slack in the media for the last several years; now that it’s a serious contender in the enterprise arena… those days of the media and analysts going easy on it… ARE QUICKLY COMING TO AN END. Quit fussing about who or what the conspiracy or FUD storm of the week is; the Linux community and vendors are going to have to start delivering on their hype. Compete on technical merit, not on 90% media hype momentum. The easy days are over with; prepare to be subjected to an increasing amount of scrutiny. When you take yourself out of the typical Linux fanboy auto-defensive mode and think about it a bit, you might realize that in the end… it could be good for Linux. Agree or disagree, increasing scrutiny upon Linux isn’t going away. Get used to it or get yourself plenty of blood pressure medicine on hand 😉

2005-03-23 4:34 am Anonymous
It’s funny to see all these people yelling at Eugenia. Stop complaining. This site is like a portal with lots of news and articles from the net all in one place for convenience… at least for me. This is an unbiased site in my opinion. I mean come on, Eugenia herself has used Linux for a long time. If this was a biased website, would she be posting Linux-bashing articles?
You guys need to shut up… errr… get your keyboards taken away…

2005-03-23 5:27 am Anonymous
Win 2003 was built with security in mind. They were having a big PR nightmare and made 2003 calling it as watertight as a frog’s ass.
Whatever… Server 2003 is basically Windows XP with a few more features. It obviously incorporated all the fixes up to the point it was released, but pretty much everything since has hit it too. It still fails to fix some of Windows’ more basic problems: for example, there is still no practical way to run it as a restricted user. To make changes to anything, you have to be an administrator, which is what most people will do (even most server admins; they’re too busy to piss about trying to figure out how to make “run as” do something useful). RPC is still built into the system, and offers a nicely gaping security hole. The study’s a joke; another article has just said that IE was vulnerable for all but 7 days of 2004 ( http://www.greatreporter.com/modules.php?name=News&file=article&sid… ). Sure, 2k3 has the “enhanced security configuration”, but I bet that makes little difference to most of the flaws. And regardless, I find it a little hard to believe that 2k3 is wonderfully secure while MS’s “flagship” browser/interface/half of an OS is left buggy basically permanently.

2005-03-23 5:27 am Anonymous
Any report that “claims” that any operating system is more secure than another based on slim facts will end up as a flame war if posted on OSNews. This is because the people on the site are educated enough to know the truth and they often have an agenda (the people reading OSNews). Therefore we should not have such ignorant stories posted, but rather, as Anonymous (IP: —.cg.shawcable.net) above has said, stories about real tech, not marketing. Yes, OSNews is a news portal, but this report is not “news”, and we don’t care about it anyway. Frankly I would rather see fewer articles on OSNews as long as they are more technical and less marketing.
2005-03-23 5:57 am Anonymous
I’d rather see and read everything and then choose for myself what is right or what is wrong… what is FUD and what is not. Till then I think people should have the choice to read what they want… and not complain about it since they are not running the site.

2005-03-23 6:24 am Anonymous
those days of the media and analysts going easy on it… ARE QUICKLY COMING TO AN END.
This isn’t “the media” or “analysts”, it’s a paid study by MS. Or rather, one of many studies – no censorship necessary, as MS only goes public with those that support its views and buries anything else. Hey, they pay for these studies, they can do what they want with them…
P.S. Using all caps is considered bad form in internet postings. This isn’t a shouting match.

2005-03-23 6:35 am Anonymous
You’re the one stating opinions as facts. It’s her site and she decides what content is to be written/posted. Want a fact? She’s pointed out flaws in every distro, thus pissing off every loony OS gangster on the planet, yet they all come back with “darn you and your biased opinion!” We all have favorites, sure, but she doesn’t refuse to give the other side of the story. If you don’t think there are pro-Linux sec papers hitting this site, I can assure you they have.

2005-03-23 6:43 am Anonymous
Eugenia has recently posted an article saying that OS development was looking boring. http://www.osnews.com/story.php?news_id=9802 I replied that “I think the problem is the shallow articles”. Of course I was ignored, but I still feel that articles like these undermine what is otherwise a great news site. Which is why I read OSNews more than Slashdot, because almost every second Slashdot article is junk, and almost all of them are filled with idiotic and troll posts, that not even their karma system and reading at +5 can solve.

2005-03-23 7:02 am Anonymous
Richard James is correct; we should have more technology-oriented articles, rather than just advertisements and blogs.
I emailed information about Blu-ray technology, which is going to be in all of your DVD drives in the future; the blue light is a stronger laser than the red light, and it’s an interesting article, but instead we have the thousandth Windows vs Linux bullcrap article. I noticed that Eugenia does not have a CS degree; maybe that’s why we get so much Microsoft advertising on this SCOnews site.

2005-03-23 7:49 am Anonymous
It’s an interesting yet somewhat biased paper. Unfortunately they didn’t test RHEL4 against Windows Server 2003. RHEL4 has a default SELinux targeted policy for the services especially relevant in the aforementioned security paper. The paper doesn’t mean that much because no server will ever run in its default installation state. Most of the mentioned services that opened some ports that were scanned for by nmap can all be shut down with ease on RHEL. No admin worth his salt simply does a default minimal install, but will go further than that and select only the packages which are absolutely necessary in order to serve whatever has to be served. Which leaves a lot fewer vectors to be attacked than the paper wants you to take notice of. More interesting would be a test in which two skilled admins would fortify each server platform with only what’s available with any install of the official install CDs and/or repositories. And then try to crack each other’s boxes.

2005-03-23 8:40 am Anonymous
One thing to remember is Microsoft forcefully stops the disclosure of many vulnerabilities, while the majority of Linux projects try to fix them all. I also severely doubt that it takes into account the programs installed on the typical server. I bet that they consider a DOS attack on a copy of Frozen Bubble to be included in the vulnerability count.
The only decent report that can ever be done is by someone who has full access to internal Microsoft documents/changelogs.

2005-03-23 8:50 am Anonymous
As long as the developers use their libraries then there will always be a chance of security problems with buffer overflows.

2005-03-23 9:05 am Anonymous
Hey guys, we’re in 2005. Everybody knows win2K3 is faster than Linux, cheaper than Linux, more secure than Linux, much more convenient than Linux, more beautiful than Linux, comes bundled with more software than Linux, comes pre-packed for more hardware platforms than Linux, XXX than Linux and YYY than Linux, and ZZZ than Linux, etc. Nothing new to see here, move along. Just the daily dose of MS FUD. IMHO the only aspect of Windows which is fairly superior is centralized authentication and GUI integration, but that’s all.

2005-03-23 9:51 am Anonymous
Windows system specs: Intel Pentium IV – 1GB RAM. Linux server running on this: http://d116.com/spud/ 😉 Seriously, I can’t believe these fact-bending, M$-funded stories keep getting published like that. For a little perspective, go here: http://www.novell.com/linux/truth/ I’m not saying either is 100% ‘right’, but at least seeing 2 different sides of the coin gives some perspective, don’t you agree?

2005-03-23 10:11 am Anonymous
Very funny… pity I was unable to connect; I gave up after a couple of attempts. Linux might be more than ready for my desktop… but not the spuds. I would rather chip them and deep fat fry them and eat them while I sit in front of my PC.

2005-03-23 10:22 am Anonymous
1. “Linux lags etc”, okay, but it is Red Hat Linux.
2.
> For example, CAN-2004-0957 discusses a bug in MySQL s
> mysql_real_connect() function. This was entered into the
> MySQL bug database on 4th June 2004, and fixed in the source
> tree 17th June 2004. However, Red Hat only packaged this fix
> in RHSA- 2004:611, issued on the 27th of November.
http://www.linuxsecurity.com/content/view/106717/110/ So it was 27th of October.
Only one month less, you may say, even too late, but if this is the accuracy of their tests let me have some doubts about those tests.
3. Default installation. I’m sure I didn’t understand, but you want a system up-to-date as a default installation without bugs? Like installing FreeBSD 5.3-RELEASE and saying hey, it has a lot of fixes to apply? Could you help me to understand? I think whoever installs a server is on that place, so it is not installing a server OS from a remote location. Or do you mean that you change the wheels of an F1 car on the race road and not at the box?
4. Because they are using a LAMP, why not use a FAMP, where F stands for FreeBSD? If the answer is “it’s too difficult” then you are not entitled to criticize, because you are a little admin, GUI- and mouse-dependent.
As I said, I’m not entitled to speak as I did because I don’t have admin experience at all, even if I admit I’m a FreeBSD fan. But IMHO a server administrator is not a simple job.

2005-03-23 11:11 am Anonymous
Why didn’t they test with hardened sources, with grsec and PaX and SELinux?

2005-03-23 11:29 am Anonymous
Let me get this straight. Internet Explorer has had massive security issues over the past 3 or 4 years. Simply massive. Internet Explorer has hooks going right into the core of Windows, whether it’s Windows 98 or Windows 2003 Server. Now, wouldn’t common sense tell me that this poses a security issue? To add salt to the wound, it’s impossible to totally remove Internet Explorer from Windows (any version) without breaking Windows. Now – for a server I’d install Linux without X, minimal applications, basically only what’s required to do the job. I can do that with Linux. Don’t believe me? Grab a Debian woody CD and try it. I guarantee it’ll be a helluva lot safer than ANY version of Windows. What sort of server o/s ships with a GUI ffs? Please. It’s idiocy. I haven’t read the article, and no, I’m not going to read it. Why would I waste my time on paid lies?
MIT has recommended Open Source software (including Linux) over Microsoft software to Brazil. I’d trust the guys from MIT any day, thanks. The problem with Microsoft is that it can:
1. Control when bugs are “officially” announced. i.e. bug was found on 01/07/2004. They spend six months fixing it. They announce the bug on 24/12/2004, and then the patch on 01/01/2005. Wow, it took them 7 days to patch it! Yay Microsoft! It’s a common ploy that Microsoft has been using for a while now.
2. Let’s add up all of the security issues on a full-blown Windows installation with applications on it. Go on.
3. Let’s actually be allowed to see the src code without an NDA from Microsoft and pick the bugs and security holes in it. Go on. Put your money where your mouth is, Mr Gates. I bet that we find a friggen shit load of holes in it. This is the beauty of closed source. You can hide behind it. You can hide the bugs. The holes. The exploits.
4. Did the report consider viruses/worms/trojans? I suspect not. I don’t have to run anti-virus software on my Linux box. 18 months later and I still don’t have a virus. Try that with ANY Microsoft Windows product. From what I hear, =< Windows XP SP 1 gets infected within an hour of being on the net. Without doing anything.
5. This report refers to Windows 2003 server, which is a more secure operating system than preceding Windows versions (I’m not biased enough to say it isn’t; it is). Now, since the majority of the Windows world isn’t running Windows 2003 server… but other variants of Windows, the security issues are a bit large methinks 🙂 Most home users have no idea about security. Sysadmins (on both Linux and Windows etc.) I’d expect to.
6. If it wasn’t for the competition from Linux and Open Source, Microsoft still wouldn’t give a fuck about holes/security exploits. Give them a monopoly and no competition and they’ll do what they want, when they want, how they want, every single time.
7.
This report does not factor in (from what I can see) the quality of sysadmins. I’d say a Unix/Linux/BSD sysadmin will know his/her system much more intimately than any Windows sysadmin. Call me biased on this point 😉
Dave

2005-03-23 12:18 pm Anonymous
How much did Microsoft pay for this article? 🙂 …

2005-03-23 2:03 pm Anonymous
Jesse McNelis wrote: “Microsoft has put a lot of effort into security lately,”
And Windows is still the most vulnerable, insecure OS on the planet.
“Microsoft is a big company with lots of money; if they want good software security then all they have to do is hire all the best security experts in the world. Free software doesn’t have this luxury.”
Then Microsoft had better put out the ‘Programmers Wanted’ signs. They diverted many programmers from ‘Longhorn’ to work on Service Pack 2, and lost dozens of man-years’ worth of development time on ‘Longhorn’ which, I might add, is over two years late now. And they’ve had to cut many of the core features. Despite that, you probably won’t see ‘Longhorn’ until early 2007 (maybe later). Microsoft’s security problems don’t stem from a lack of programmers. The reason is, they haven’t cared about security for the past 15 years. Now it’s coming back to bite them in the @$$.

2005-03-23 2:22 pm Anonymous
These “studies” only count up reported vulnerabilities. They don’t take into account the fact that in Linux, all vulnerabilities are reported on immediately. They also don’t take into account the fact that MS withholds announcing vulnerabilities until they have an idea of how to deal with it, allowing vulnerabilities to do more damage in the wild. They also don’t report that patches for Linux are issued very swiftly. These “studies” also don’t take into account vulnerability severity. With Linux, the vulnerabilities are typically minor nuisances and do little damage. With Windows, the vulnerabilities are quite often very damaging and bring entire networks to their knees.
In other words, there is a very crucial downtime factor. With Linux, there is very little downtime. With Windows, there is tons of downtime in fixing the damage done by the viruses, worms, and other security breaches exploiting the many vulnerabilities. Finally, if a study is funded by MS, or any other corporate entity, it will most certainly have a bias towards the source of the funds. Therefore it has zero credibility. Take it all with a grain of salt. In other news, Ford says Chevy cars suck.

2005-03-23 4:13 pm Anonymous
First, there is no problem with posting news stories on the various reports, such as this one, that discuss points in a very popular item like a Windows to Linux comparison. This topic is a hot point currently in many an organization’s IT department and is very relevant. What is not relevant is whether Eugenia has a CS degree or not. That smacks of a comment from a smug self-important fool who cannot see past his or her own “credentials”. Eugenia doesn’t claim to be an expert, but does a good job of managing this site and trying to provide thought-provoking articles to discuss. It is not her fault that there are idiots on both sides who prefer to whine and complain about the content of particular articles, or prefer to turn on the auto-bash and start bad-mouthing other people’s ideas (or even people directly!).
Finally, back to the topic at hand: this article… I am surprised that no one has yet commented on (that I saw, anyhow) the fact that this “study” doesn’t count the severity of the risk, and rewards companies for keeping a bug in a program with no attempt to repair it until it gets “public” disclosure (Microsoft is known for this one). They can sit on a critical bug and fix it in a year, but announce the bug and fix at the same time – it’s a 0-day turnaround! The true responsiveness of a company or organization to bugs in their product is how quickly they fix it from the day they first know about it.
Here is a bit of counterpoint from a Red Hat employee: http://people.redhat.com/mjc/

2005-03-23 4:34 pm Anonymous
In my opinion, if you wait till a bug gets public disclosure you are light years lagging behind. There are zillions of exploits publicly unknown that will probably stay unknown in the coming years. Software is the root of all problems.

2005-03-23 5:38 pm Anonymous
Each of the following companies puts in an equal share into the funding: Microsoft = 50%; SUSE/Novell, Red Hat, Oracle, and OSDL = 50%. This money, handled by an administrator specifically hired and overseen to use it as intended, hires three independent testing houses to test the following on the exact same hardware: SUSE Linux Enterprise Server 9 (with all patches and updates as of a specified date), Red Hat Enterprise Server (ditto on the updates/patches), Microsoft Windows Server 2003 Enterprise Edition (ditto again on the updates and patches), FreeBSD-current (ditto, once more). No additional applications that do not appear in the default install will be installed or tested. They’ll test the following: installed application vulnerabilities, number of open ports accessible, firewall intrusion testing, firewall logging ability, overall stability running something such as “buildworld” (or the Windows equivalent; note: this may require something of an additional donation from certain vendors), speed at file finding, speed at file hosting, responsiveness of the TCP/IP stack to various malformed requests, OS CPU idle use percentage, scalability to multiple servers (clusters), vulnerability to current modes of attack, ease of administration of an arbitrary number of users in an arbitrary number of groups. I figure this would be the one and only fair methodology to use. And nobody would be able to cry foul, as no single company is kicking in more than any of the others.

2005-03-23 6:00 pm Anonymous
Unisys and Microsoft… http://news.com.com/2100-1001-870805.html There it is.
2005-03-23 6:09 pm Anonymous
The parties behind this “report” exposed… http://redmondmag.com/news/article.asp?EditorialsID=5285

2005-03-23 6:16 pm Anonymous
Quote from the link below…
“Unisys’s newly announced support for Linux as we migrate to newer versions of Oracle,” says Wright.”
Read on… http://www.unisys.co.za/about__unisys/news_a_events/04081701.htm

2005-03-23 7:22 pm Anonymous
Since Microsoft is a for-profit company they will not write one ounce of new code to fix anything unless it causes them loss of money.

2005-03-23 11:01 pm Anonymous
Microsoft has the pockets to PAY people full time to fix things; OSS does not. EVENTUALLY they are going to win. There is zero incentive for OSS to improve anything as it doesn’t put food on the table, especially since the next guy down the line can slap his name alongside your work and give it away for free. Seriously, you Open Source programmers out there: Stop devaluing your own work!