Your Take On Windows-Linux Security Study: Yuck

Mar 31, 2005 (01:03 PM EST)

Read the Original Article at

This article is adapted from the Security Pipeline Newsletter

Readers were pretty skeptical of a recent study that found Microsoft Windows to be more secure than Linux.

They said the study was unfair because it compared Red Hat Linux — a relatively unsecured distro — to Windows. Readers cited their own experience finding far more problems with Windows than Linux. And they said the fact that Microsoft funded the study guaranteed a pro-Windows outcome.

The original articles:

- Report: Linux Vulnerabilities More Numerous And Severe Than Windows

- Controversial Report Finds Windows More Secure Than Linux

- Blog: Perfectly Good Rants Gone To Waste

- Blog: Earthquakes, Fire, Mudslides, Riots

In an e-mail with the subject line "poor journalism and M$ bias," reader Chris Updegrove, of Sacramento, Calif., wrote:

"A significant flaw in the title of your March 22, 2005 article 'Report: Windows Security Beats Linux' is that Red Hat Enterprise server is not Linux, but a Linux distribution. The title of the article calls the bias of Security Pipeline into question. An unbiased title would read something like 'Microsoft-Funded Report Claims Windows Security Beats Red Hat Linux.' An unbiased journalist would have asked tougher questions about the testing criteria, and would have made a point of informing the reader that more secure Linux distributions like Slackware and Gentoo were not part of the comparison.

"Over 40 Linux distributions are available for comparison, yet only one commercial version of a Linux distribution was used for the security comparison. Marketing-communications firm AvanteGarde recently published the results of a penetration test which examined the security of Microsoft Windows, Macintosh OS X, and Linspire's distribution of Linux. The Windows boxes were compromised within four minutes, while the Linspire and Mac OS X boxes were not compromised at all. To make the conclusion 'Windows security beats Linux' without first clarifying what Linux is, without scrutinizing the testing criteria, or comparing the report to similar reports is misleading and inaccurate.

"Many Windows security vulnerabilities are reported in security forums, newsgroups, and in IRC channels months, if not a year or more before Microsoft acknowledges the vulnerability and makes it 'public.' The average number of days of risk per vulnerability reported in your article is not accurate if that number is based on the date Microsoft acknowledges the vulnerability. You may want to attend Defcon 13 this year, where you will learn about the Windows security vulnerabilities you will write about next year (when they are made 'public')."

Updegrove raises a point made by several readers: that Red Hat is only one Linux distro, and not the most secure one, and a more fair comparison would have pitted Windows against other distros.

Eric Wagner (no relation to me) wrote: "I think the problem is comparing RED HAT to Windows. We run 30+ Debian boxes and two Red Hat boxes. I'll give you one guess as to the only ones we've had problems with."

Brandon Bohannon: "There are more secure Linux distributions. I subscribe to a Linux security newsletter and every Friday they have a list of vulnerabilities by distribution, and Red Hat and Fedora almost always have the most vulnerabilities. Researchers need to run one of their studies on Windows vs. EnGarde Secure Linux, or Slackware. EnGarde hasn't had a vulnerability reported since July 2004, and Slackware hasn't had one reported since November 2004. Researchers probably pick Red Hat because it's the most commercialized."

Dave Nelson, information security officer for the City of Virginia Beach, Virginia, said a skilled systems administrator is more important to security than which operating system is used.

"The system being secured by the most talented admin is the one I'll take every day of the week," he said. "Operating systems come and go but knowledge is here to stay. Find yourself an admin who knows YOUR system inside and out, then tell everyone else to take a leap."

He added that most security problems come not from software vulnerability, but from user error.

Joseph S. Vislocky, chief information officer for Wilmac Corporation, said: "As to whether Linux is more secure than Windows, I can only judge by real-life experience. I have Linux in use as firewall/router at all Internet interface points in my organization. During the evolution of our security scheme, we have been attacked regularly via Internet attacks, viruses and spyware. Some of the attacks have been marginally successful on both the Linux and Windows machines. I have found that successful attacks on Windows are more numerous and onerous to cleanse. Ultimately, I believe that with the proper level of expertise, Linux can be made far more punch-proof than Windows can be. There are just too many things that Microsoft doesn't document well (or at all) that can hurt you."

Steve Ellison, technical analyst II at the University of Pitt-Bradford, said Linux is designed to be more secure than Windows. "Case in point is user creation. Linux has you create and log in with a standard (read: non-privileged) user account. When you need the extra privileges you can su to root. Windows, on the other hand, creates your primary account as an administrator. Conveniently enough, it also leaves the account wide open by not making you specify a password."

He added: "In the end, the level of security of any system is proportionate to the skill and knowledge of its user. I think that everyone would agree with me that the average Linux user is more knowledgeable then the average Windows user. So, one can infer that Linux is more secure because it is in the right hands."

Readers said that the study's funding from Microsoft guaranteed a pro-Microsoft outcome.

A reader signing his name as "Tony" said: "Have you ever heard of a case where Microsoft funded an study, the study determined that Linux was more secure, and the study was published?"

Peter Spearing with the Akron Municipal Court Data Processing Department said: "Anyone who is old enough to have quit believing in the tooth fairy knows that nobody funds a report that is going to come up with conclusions that are against their interests. If Red Hat or Novell/SuSE funded a report on the subject I'd feel exactly the same way. I also think the whole subject is essentially a religious argument. Any networkable operating system can be attacked via said network. Use good sense, stay aware of the threats, and make backups."

Patrick Durling: "You said 'In the end, the researchers note rightly, what's important is not who funded the study, but rather how the study was conducted.' You would be more correct to say, 'what's important is not who funded the study, but rather how the results of the study were interpreted.' Since it's possible the results were interpreted subjectively, it's important to understand the motivations of those who conducted the study. It is then logical that the person who funded the study would have an effect on the way the results would be interpreted. To believe this is not so is nave."

Readers also commented on my criticisms of New York and New Yorkers.

Jody Cody: "Aahhh, stuff it in your keister!!" Jody was one of several readers to use the word "keister," which is a fine word that should be used more often.

Pat Babcock: "Don't be too hard on the New Yorkers. You'd be cranky, too, if you had to live with the realization that the light at the end of the tunnel was New Jersey."

More Noteworthy Articles

Microsoft Releases Major Windows Server 2003 Update: The first service pack for the server software includes numerous security fixes, as well as application updates to Internet Explorer and Outlook Express -- all meant to "reduce customer pain centered on server security.""

The 10 Worst Security Practices: Sometimes one whopper of a mistake can be more instructive than a binder's worth of best practices. We interviewed more than a dozen security consultants to arrive at our list. See which ones apply to you, and then learn how to do things better.

Wayne Rash: VoIP 911 Problems Could Kill You: Voice over IP and cell service can't be relied on for 911 calls. That means that ripping out your conventional phone service could be a dangerous -- even deadly -- proposition.

CoolWebSearch, Dubbed Adware's "Ebola," Tops Spyware Threat List: CoolWebSearch, adware that generates more than $300 million a year for its maker, is the "Ebola" of adware, and easily the most significant spyware threat on the Internet, an anti-spyware security firm says.

Macs Becoming More Attractive Target For Attacks: As the Mac regains popularity, more vulnerabilities will likely surface. Mac users should watch out for spyware in particular.

For more opinions, links, and humor about security, technology, and the Internet, see Wagner's Weblog. This week: Longhorn could be a tough sell for Microsoft; a LiveJournal user describes how he did his own detective work and, with a little luck, tracked the guys who stole his credit card; battlefield robo-docs; and links to anti-spyware resources elsewhere on the Internet.

Voting Booth: Windows Vs. The World

Cast Your Vote On Windows Vs. The World

Which operating system is more secure? - Windows - Linux - Mainframes - Macs - VMS - BSD - The skill of the administrator matters more than which platform you use.

Answer, or we'll subject you to a marathon viewing of the 1983 TV series "Manimal."

Previous results:

We asked: What's your favorite way to stay informed on IT topics?

- Using a Web browser to surf to tech sites and blogs: 40%, 91 votes - Reading e-mail newsletters I subscribe to: 27%, 60 votes - Reading a printed magazine I can hold in my hands: 15%, 34 votes - Using an RSS reader or service to gather Web articles: 9%, 21 votes - Calling the Psychic Friends Network: 7%, 16 votes - I'd rather not read about IT topics: 2%, 4 votes

Like I said last week: I was surprised by the relatively low performance of e-mail newsletters (27 percent of respondents), given that the overwhelming majority of respondents to our polls come from the newsletter. It's not too surprising that print magazines should score low (15%) in a poll conducted by a Webzine.

I was surprised by the relatively low results for RSS (9 percent); other studies of our readers have ranked RSS as being more popular. But maybe I shouldn't have been surprised, after all, this is an e-mail newsletter, and my gut feeling is that people who use RSS don't like e-mail newsletters, and vice-versa.

Finally, the relative popularity of our two joke answers — "the Psychic Friends Network" and "I'd rather not read about IT topics" — makes me take the whole poll with a grain of salt.

This poll ran roughly concurrently across the entire line of TechWeb Pipeline sites; we'll bring you the overall results in an upcoming newsletter.

And, finally, if you have anything to say about Windows security vs. other platforms, staying informed on IT topics, or any other subject, give me a shout-out at We'll publish the best of your responses.

Witty Conclusion

That's it for this week. Watch your keisters.

Mitch Wagner is editor of Security Pipeline

(Permanent link to this article.)