Study Shows Windows Beats Linux on Security

  • footballism

    Wipro wrote:

    streamlined security tools.

    Security is one of the chief concerns of IT decision makers. Along with purchase price, interoperability, maintainability and deployment costs, security is a critical factor in determining which platform to deploy across an enterprise or to serve a particular role.

    For proprietary and open source software (OSS) alike, administering security updates is a reality in the enterprise and a significant factor in total cost of ownership (TCO). In order to get an accurate picture of how costs associated with patch management figure into the TCO equation, Microsoft recently commissioned Wipro Technologies Ltd., an independent consulting firm, to study the cost of updating Microsoft and open source software in a real-world environment for desktops, servers and database servers.

    Wipro surveyed 90 companies in the U.S. and Western Europe with 2,500 to 113,000 employees where both the Windows and open source operating systems were simultaneously being run. When the costs of updating are distributed across the size of the environment and evaluated on a per-asset basis, the study shows Microsoft software to be less expensive to patch than open source equivalents. These findings confirm what many customers are experiencing in their deployment scenarios.


  • Stitch 2.0

    This study has the same big problem as any other study coming to this conclusion:
    It is sponsored by MS!

    The pro-MS person I am, I still won't believe a study talking positively about Windows over Linux if it is sponsored by MS.
    (Neither will I trust a study coming to the opposite conclusion, if it is sponsored by a Linux distributor)

    We need completely independent studies for people to believe their contents. (I know, this probably won't happen, because someone needs to pay for it. But I am positive that it would draw much more attention than "just another MS-sponsored study/survey/etc")

  • Sven Groot

    I believe that with this kind of study you can prove whatever you set out to prove depending on what metric you use.

    I prefer personal experience over any study, regardless of which OS they claim is better or more secure.

  • Maurits

    Sven Groot wrote:
    I believe that with this kind of study you can prove whatever you set out to prove depending on what metric you use


    Hence the studies that show chocolate milk is good for your teeth

  • Erisan

    Please help make SELinux even better.
    http://www.coker.com.au/selinux/play.html
    You have a root account, so do whatever you want (well ... almost, please read the FAQ) and please inform Russel Coker when you find a security hole!

  • rjdohnert

    Stitch 2.0 wrote:
    This study has the same big problem as any other study coming to this conclusion:
    It is sponsored by MS!

    The pro-MS person I am, I still won't believe a study talking positively about Windows over Linux if it is sponsored by MS.
    (Neither will I trust a study coming to the opposite conclusion, if it is sponsored by a Linux distributor)

    We need completely independent studies for people to believe their contents. (I know, this probably won't happen, because someone needs to pay for it. But I am positive that it would draw much more attention than "just another MS-sponsored study/survey/etc")


    I personally don't care about studies or marketing speeches.  Everyone says the same crap: "Oh we have the best stuff, deploy us and we will make things so easy for you."  It's all just a crock.  Just use what you like or what you want.  I would use Multics if it could help me get my job done.

  • ScanIAm

    "Study Shows Windows Beats Linux on Security"

    After weeks of intense interviews, Windows finally gave in and admitted that he did, on the night of June 3rd, 2005, Beat Linux.  Officer Robert "Clippy" Clipowsky, interviewed by this reporter today, said that Windows was quite forthcoming in his statement.  Here is a small part of the full transcript:

    Clipowsky:  "So did you beat Linux or not?"

    Windows: "The little tart had it coming.  If I told her once, I told her a thousand times, quit bragging about security"

    Clipowsky:  "Security?"

    Windows: "For someone that secure, she changes her hair color more than her underwear.  Did you know that she sleeps with a gun under her pillow?"

    Clipowsky:  "But why did you beat her?"

    Windows:  "Well, ok, so I was drinking a little bit, but she should have known to keep her mouth shut.  She started bragging about how she had so many users and how slash-something-or-other thought she was the greatest.  I just got tired of it so I slapped her."

    Clipowsky:  "Slapped...?"

    Windows: "with a tire iron, ok!  Are you happy?"


  • koorb

    I have never read a study that said Linux security was better, but I think that is because Microsoft has internal security analysts that make sure the software is secure and Linux security is based on the assumption that many eyes will make the software secure.

  • Cider

    Beer28 wrote:


    I DARE, I DARE microsoft to give us access to one of their machines with admin terminal access or admin remote desktop access and claim it's still safe.

    I DARE them. I'll wipe it out myself.



    Riiiiight, I'm waaaaaaay off the mark when I say Beer is a psychotic nutjob.

    What is it?  Did Mother once have a BSOD and now you are out to get revenge?

  • PaoloM

    Beer28 wrote:
    I DARE, I DARE microsoft to give us access to one of their machines with admin terminal access or admin remote desktop access and claim it's still safe.

    I DARE them. I'll wipe it out myself.

    This must be like your promised-but-not-really-sorry-I-was-joking class action against Dell and Microsoft about the Windows XP bundled with your new laptop, right?

    Empty threats...

  • AndyC

    Beer28 wrote:

    I DARE, I DARE microsoft to give us access to one of their machines with admin terminal access or admin remote desktop access and claim it's still safe.

    Define Admin access? Unlike *nix, Windows doesn't have the concept of a superuser. You can obliterate almost all of the rights and privileges assigned by default to Administrators. You can tweak NT permissions in the registry to prevent an Administrator from changing them and use Group Policies to enforce further restrictions.

    How does that differ from SELinux?

    Cider wrote:

    Riiiiight, I'm waaaaaaay off the mark when I say Beer is a psychotic nutjob.


    Nah, he's an AI experiment.

  • Manip

    I used to go along with the hype about how secure Linux is and such.. But experience has shown me I was wrong to do so. The problem with Linux (Distro, not kernel) is that it has weaknesses in all the wrong areas.

    I tried to hack my own Linux server, I was successful. I first found holes in my configuration that allowed me to slip in without too much trouble. After fixing those I also managed to get in by using a proof of concept tool that exploited a hole in the FTPD service giving me full root access.

    Now the point of the above is not to show how much I suck at managing a Linux server; it is instead supposed to show that the complexities of Linux are NOT hidden from the user. I found the holes in the system were caused in one case by the defaults and in another it was inadequate explanation in the configuration files of how the software interacted with the file system. The exploits were caused by patches not being applied to third party tools that didn't come with the distro, so instead I had to go check for an update and install it myself.

    On Windows 2K3 the dialogs and GUIs make it a lot more efficient to see holes in the configuration because instead of reading down a thousand lines of ASCII reading it you can get it categorised and well commented. The 'controls' also make input error a lot less likely. Although 2k3 doesn't update third party software/tools either it is again a lot simpler with GUI applications and often less complex.

    Linux's problem and biggest strength is in its complexity. I love Apache because it gives me the freedom I can only dream of IIS having but having an entire operating system tools and all is just over the top, you get flooded with configuration data and mistakes are far more likely. That is why I opt to install Apache on Windows. At least then I know I have a safe simple OS with a highly configurable HTTPD system on top. Not an overly complex system with an overly complex HTTPD system on top.

    IPTables is a PERFECT example of the problems Linux has. It is one of the most powerful, configurable firewalls out today but it is so complex only a small handful of leetists can configure it well (who incidentally say "read the manual" when you ask for help). The XP SP2 firewall is extremely poor in functionality but very simple... I bet there are more exploits on IPTables protected equipment; primarily down to errors in configuration than the simple SP2.

  • PerfectPhase

    AndyC wrote:
    Define Admin access? Unlike *nix, Windows doesn't have the concept of a superuser. You can obliterate almost all of the rights and privileges assigned by default to Administrators. You can tweak NT permissions in the registry to prevent an Administrator from changing them and use Group Policies to enforce further restrictions.


    One way of which is just to rename the administrator account to something obscure and create a new administrator account with guest level access.  Let the hackers waste time breaking the dummy account.  Or watch with glee as the software testers try to work out what has happened in revenge for all the obscure bug reports :)

    Stephen.

  • Sven Groot

    Russel Coker wrote:
    2)  You must not do DOS attacks, that is not the point of the machine.

    Beer28 wrote:
    method: DOS by g++

    Gee, how nice of you.

  • AndyC

    PerfectPhase wrote:

    One way of which is just to rename the administrator account to something obscure and create a new administrator account with guest level access.


    That doesn't actually work overly well, as the Administrators account has a Well-Known-SID (S-1-5-domain-500) so you can hack it without ever having to know what it is called. Before Beer chips in, Linux does the same (UID 0).

    A few minutes in the Group Policy editor and a handful of Deny ACLs here and there can do wonders though. :)
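
Added example, not part of the thread: an audit check for the point in the post above, that the built-in administrator is identified by its RID (500) and root by its UID (0), so a rename or a decoy account does not change which account is privileged. All account names, SID values and passwd lines are constructed sample data, and the function names are hypothetical.

```python
import struct

def pack_sid(*subs):
    """Build a binary SID under authority 5 (NT Authority); used for the sample data."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def parse_sid(raw):
    """Decode a binary SID into its S-<rev>-<authority>-<sub>... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])      # 32-bit each, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def builtin_admins(accounts):
    """Names whose SID is S-1-5-21-<3 domain parts>-500; the name is never consulted."""
    hits = []
    for name, raw in accounts:
        p = parse_sid(raw).split("-")
        if len(p) == 8 and p[:4] == ["S", "1", "5", "21"] and p[7] == "500":
            hits.append(name)
    return hits

def uid0_accounts(passwd_text):
    """Names of every passwd entry with UID 0, whatever the login is called."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0":
            hits.append(fields[0])
    return hits

# Constructed sample data: a decoy "Administrator"/"root" plus the renamed real one.
DOMAIN = (21, 1004336348, 1177238915, 682003330)
ACCOUNTS = [
    ("Administrator", pack_sid(*DOMAIN, 1003)),   # decoy with an ordinary RID
    ("svc_print7", pack_sid(*DOMAIN, 500)),       # renamed built-in administrator
    ("Guest", pack_sid(*DOMAIN, 501)),
]
PASSWD = """root:x:1001:1001:decoy:/home/root:/bin/sh
sysmaint:x:0:0:renamed root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin"""

if __name__ == "__main__":
    print(builtin_admins(ACCOUNTS))
    print(uid0_accounts(PASSWD))
```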

  • blowdart

    Beer28 wrote:

    As for an empty threat, if they make an open call to hack a server on their redmond network and give open admin access to a machine either on terminal services or remote desktop, I would be more than happy to log in and wipe it out for them.


    You have to love this.

    "I can hack a machine if I have an administration login"

    Right. That's not exactly hard.

  • Tensor

    Sven Groot wrote:
    Russel Coker wrote: 2)  You must not do DOS attacks, that is not the point of the machine.

    Beer28 wrote: method: DOS by g++

    Gee, how nice of you.


    If only it had been in a managed environment...

  • manickernel

    Well in all fairness to Beer, that is not denial of service.

    It is Death of System.
