Source on why linux is more secure than windows

epicstruggle

Hi, I'm writing a paper that is due on Tuesday. :cool: I'm finalizing it now, but needed some sources on claims I make in my paper. I need something current that shows that Linux is more secure/safer than a Windows machine. What I currently have is over 5 years old. Tried searching and can't seem to get anything good. Anyone have any links to studies/reports on the matter?

Thanks in advance.
 
No links, but I think pretty much the bottom line is that less people use linux, so it is less of a target for people to write things for. Much as it used to be with Firefox (not so much anymore since I believe they are up to 20% share)
 
it's open source... so the code is inherently more secure by virtue of it being constantly scrutinized and refined by a huge community...

so google around for info on why open source software in general is more secure, and you'll find your answers....
 
Obviously you can't use hearsay in a paper as a documented source, and I assume Googling was one of your first steps, but you might be able to find something on the websites of specific distros. I'm sure Canonical and Red Hat, et al, have as much marketing language thrown in there as any company, I wouldn't use that, but I bet some of the major distros might have some citations or studies of their own somewhere on their pages, maybe in an FAQ? Since it's one of the biggest selling points, I'm sure they address it somewhere, hopefully in reliable, unbiased language. Some general sites like distrowatch might have something too.
 
it's open source... so the code is inherently more secure by virtue of it being constantly scrutinized and refined by a huge community...

so google around for info on why open source software in general is more secure, and you'll find your answers....

heh, Microsoft employs 15,000. That's a pretty huge community, though I doubt the janitor on campus has the ability to scrutinize the source code.

If I were you my fundamental premise would be that windows revolves around Rapid Application development (RAD)(VB speaks for itself). Linux, not so much, and RAD is the source of pretty well all your Remote Code Execution problems.

and yeah, google around for RSA and such would be where I'd start. I can think of a bunch of stories but I can't remember any of the details, so best you find them.
 
I have a feeling citing decent sources is going to be your biggest hurdle.

Some things you might poke at depending on how they'd fit in your paper.
Looking at EAL you can say that the commercial operating systems generally live up to the same security standards. I've never sought out information about it, but you might be able to find a more detailed breakdown on testing and results.

SELinux. Depending on what level of paper you're writing and how much anyone cares, you should be able to burn some of the character count describing things about it.

Patch cycles. I don't have any sources to link to for you, but there might be some documents available about how the different major distributions handle patch distribution. Feels like they are made available as quickly as possible instead of a set release schedule (à la Patch Tuesdays).

Following the patch stuff, you could plug the open source angle with how a white hat could point out to the developer what hunk of code allows an issue to occur and could even offer code or suggestions on how to fix it.. or they have the freedom to release their own patch for the issue if they so choose. Again, a tough thing to cite document-wise.

Anyway.. just some random brain vomit. hope some of it is useful. :eek:

---
tl;dr version: government documents (NSA and so on) should be good sources to cite if you can find anything relevant. Linux distro documents regarding maintenance may provide good citable information.
 
No links, but I think pretty much the bottom line is that less people use linux, so it is less of a target for people to write things for. Much as it used to be with Firefox (not so much anymore since I believe they are up to 20% share)


This argument is invalidated by the massive amount of linux servers in existence. If anything a server would be an even better target for a botnet for example due to better hardware / connection / 24/7 availability etc...

Of course a counterargument could be made that servers usually have admins to secure them but we are talking here about OS security not user fault.

It's pretty much impossible to secure a server from a bad user with full privileges anyway:

sudo apt-get install malware from a bad repo will infect a linux machine as well as clicking on allow (vista/7) malware.exe


One should mention how pre-vista systems also created an environment where running as admin was pretty much the default option - compounded by poorly written apps that required it also (running as root is a big no-no in the unix world)

As previously mentioned, look up the NSA-backed SELinux initiative and Novell's AppArmor

Another feature that i believe is still lacking in windows vs linux is password salting: http://en.wikipedia.org/wiki/Salt_(cryptography) (please correct me here if i'm wrong)

However, overall Microsoft did make some huge leaps in security since Vista
 
it's open source... so the code is inherently more secure by virtue of it being constantly scrutinized and refined by a huge community...

so google around for info on why open source software in general is more secure, and you'll find your answers....

I'd say this.. 100% Everyone is looking at it, changing it, everything.
 
Open source isn't the whole story. You can have the code be open source, but if it lacks real security features, like DEP and ASLR, it's going to be less secure than closed source code that has that stuff. I think the OSS nature of the code makes very little difference, linux still gets many patches per month, shouldn't all the bugs have been found by now if so? And people besides MS can get the source to Windows, they just have to pay for it (and I believe there is academic access as well.) The only people who actually do studies on this stuff that I know of are MS and they say Windows is more secure, so...
 
I'm not convinced that Linux is really any more secure than Windows, now. With Linux's growing popularity in both the server and desktop markets, as well as a much greater effort on Microsoft's part to make Windows a more secure platform, I can't really say that there's much of a benefit. End users aren't likely to have security issues regardless of the platform if they practice good security habits.

Linux doesn't have the benefit of 'Security through Obscurity' any more, and Windows isn't the insecure platform it used to be.
 
Linux doesn't have the benefit of 'Security through Obscurity' any more, and Windows isn't the insecure platform it used to be.

Security through obscurity is the last thing you can accuse linux of. Everything is there, open, and available for browsing. :D
 
Just because something is open source doesn't mean people look at the code. There are parts of Unix derivatives and Linux that haven't been touched since their creation. An OS is a very large beast, and open source developers tend to focus on what they like and that's it. Once they have completed their task they leave and go away. It's rare that you get lifers in the open source community, though it does happen. Those people tend to be on core teams and the like, not dealing with the little bugs but dealing with the large picture. Open source applications are not more secure because people can see the source. Nobody sits there and tries to find flaws in the code, it's a waste of time and is not fun.

Now you can have camps where they focus solely on security such as those at OpenBSD, and then you can have camps like Ubuntu where security is not a big concern.


As for if Linux is more secure than Windows. The answer is no. Windows has much greater utilization of the MMU, which forbids heap execution and stack instruction fetches. Windows also has Address space layout randomization and Data Execution Prevention.

MS has and still does invest huge amounts of money on security, other companies don't. I am a huge supporter of Open source operating systems and projects, though the public's assumption that windows sucks and Linux or OSX are amazing is just flat out false.
 
Just because something is open source doesn't mean people look at the code. There are parts of Unix derivatives and Linux that haven't been touched since their creation. An OS is a very large beast, and open source developers tend to focus on what they like and that's it. Once they have completed their task they leave and go away. It's rare that you get lifers in the open source community, though it does happen. Those people tend to be on core teams and the like, not dealing with the little bugs but dealing with the large picture. Open source applications are not more secure because people can see the source. Nobody sits there and tries to find flaws in the code, it's a waste of time and is not fun.

Now you can have camps where they focus solely on security such as those at OpenBSD, and then you can have camps like Ubuntu where security is not a big concern.


As for if Linux is more secure than Windows. The answer is no. Windows has much greater utilization of the MMU, which forbids heap execution and stack instruction fetches. Windows also has Address space layout randomization and Data Execution Prevention.

MS has and still does invest huge amounts of money on security, other companies don't. I am a huge supporter of Open source operating systems and projects, though the public's assumption that windows sucks and Linux or OSX are amazing is just flat out false.


Wow, amazing blanket statements FTW, what more can i say. It seems this thread should be closed since all questions are answered.

Sorry for the sarcasm, but despite your statement that "public's assumption that windows sucks and Linux or OSX are amazing is just flat out false." in this forum the exact opposite is true.

The fact is that a simple answer as "As for if Linux is more secure than Windows. The answer is no" followed by a few examples of windows security features cannot be given. The considerations here are far too complex.

Also you seem to be stating that only MS is investing in security, the truth is that linux is used as platform and backed by very large companies with a vested interest in its security. A few examples: Oracle, you probably heard of them, they have their own linux distro, they even call it "ORACLE UNBREAKABLE LINUX" - I think it would be a safe bet that it is a very secure solution, Red Hat also seems to be doing quite well in the enterprise world too. As previously mentioned even the most prolific US agency in the world of cybersecurity (if you'll allow me to use the word) contributed to linux security.

So i think it is safe to say that linux has very good corporate backing despite the impression that it is only maintained by a few antisocial geeks in their mom's basement.

And since you like to point out windows security features you might want to use google to see some of the linux security features; you might find that some are quite similar. Here are just some of them: http://fedoraproject.org/wiki/Security/Features


One thing i will say with a good amount of certainty concerning desktops at this point linux should be more secure for 2 reasons:

1. far less market share = less incentive to attack
2. At this point the vast majority of linux desktop users are far more IT literate

(non technical factors but still valid)
I also find windows to be for now the better desktop OS due to current bugs/inconsistencies lack of some apps in linux's desktop

Another thing i think i should mention is that IMO the biggest security hole now that OSes face (aside from user error of course ) is 3rd party programs. There is pretty much nothing Microsoft or Redhat can do to fix a massive security hole in a closed source Adobe Flash. Remember this was the reason vista got taken down at last year's pwn2own. This is a big advantage of the open source model...an open source adobe flash can be fixed directly by MS for eg. but as it stands closed source nothing can be done till Adobe fixes it.


PS. Sorry for the rant but the amount of bashing linux gets in this forum is quite annoying (not that linux would be perfect by any means especially in the desktop area). I'm actually a win admin, it's just that I like constructive criticism rather than linux sucks arguments. I would react the same to windows sucks arguments in a linux forum.
 
Neutrino


I don't really know what the point of your post was, did it accomplish anything?

anyway, I am personally on a core team at an open source OS, I won't say which one because it doesn't matter. As somebody who has worked on OSes for nearly 15 years, I stand completely by my statements. I very rarely come to this forum, due to the members mostly. Though I will say that the assumption that Windows is more secured is justified.

As for corporate support, you are correct. The OS project I am a member of, we have lots of companies like Yahoo and Comcast which all have full time committers. Though they tend to only work on what their company sees interest in, and it's not usually security. I have said there are very secure camps such as OpenBSD, but those camps tend to shun usability. Camps which embrace usability are forced to shun security. It's a give and a take. You mentioned that an OS like Fedora has these features, and you are right they do. But look at the source code for what enables them to work and it's shit. A random bunch of mess that makes it work in the least.

The majority of flaws in windows have little to do with 3rd party apps and everything to do with legacy. Though the legacy will always stay and until then there will be the flaws. So again I will stick with saying that Windows is more secure than Linux, solely because it is.
 
It's not. Windows is the single most ironclad secure OS in existence. More secure than Linux, BSD, Macs, etc. (Google it, I'm not making this up.) And yet, for all its security, it still has the largest amount of successful attacks against it, simply because more people are trying harder to crack at it.

Script kiddies could take a few hours and write a PERL script to crush any Linux system out there. They don't, because it's simply not worth their time. (Consider: 3 hours to attack Linux, and it'll get patched in 12 hours, or 30 minutes to attack Windows, and it won't get patched for a week.)
 
It's not. Windows is the single most ironclad secure OS in existence. More secure than Linux, BSD, Macs, etc. (Google it, I'm not making this up.) And yet, for all its security, it still has the largest amount of successful attacks against it, simply because more people are trying harder to crack at it.

OK, I'll bite. I can't find the sources you're referring to on Google - care to share your search string with us? I'm open to any genuine articles on the matter, so long as the funding for the studies hasn't been traced back to Microsoft.
 
I'm not convinced that Linux is really any more secure than Windows, now. With Linux's growing popularity in both the server and desktop markets, as well as a much greater effort on Microsoft's part to make Windows a more secure platform, I can't really say that there's much of a benefit. End users aren't likely to have security issues regardless of the platform if they practice good security habits.

Linux doesn't have the benefit of 'Security through Obscurity' any more, and Windows isn't the insecure platform it used to be.


Security is an issue of knowledge and viruses are an issue of ignorance. People catch viruses because they don't know what they're doing. I've been Windows for over 17 years and not once have I gotten a virus because I know what I'm doing. The unix based community attracts nerds, and nerds know what they're doing. The day that non-nerds use unix based OS's then that's the day viruses will spread to the linux/unix/bsd community. This being the case, what do you call security? The stupid-proof guard that you put on the operating system limiting the ignorant users? Kind of like putting padding on cornered tables so the baby doesn't bump his head? or the ability to exploit software?

Don't be surprised if you caught some malware/virus if you installed some random software that has no reputation but advertises functionality you're looking for, or if you're downloading or browsing websites related to anything in the black market (porn, warez, mp3s). Or simply you're using old software that's not meant for today's security (old internet explorer browsers that have ActiveX on). If this is you, then you're in the stupid category and I don't consider this an issue of security, I consider this an issue of ignorance.

As for networking and software security, Apache is more secure than any Microsoft, Oracle or Sun HTTP server. PHP or Python is more secure than ASP.net and SQLite, mySQL, and PostgreSQL is more secure than Microsoft SQL2000+, Access server, or any Oracle/IBM SQL databases. Why? new versions come out in the open source community almost weekly to monthly, and they're free. The only downside is that there is no liability so if you do not update and you do get hacked, you have no one to sue or complain to. Enterprises and corporations will take the Microsoft route because they get the customer service and the liability, if Microsoft messes up Microsoft will do something to redeem themselves. Nevertheless, the question is security, not service, and in my experience Open Source is the winner.
 
InorganicMatter said:
It's not. Windows is the single most ironclad secure OS in existence. More secure than Linux, BSD, Macs, etc. (Google it, I'm not making this up.) And yet, for all its security, it still has the largest amount of successful attacks against it, simply because more people are trying harder to crack at it.
OK, I'll bite. I can't find the sources you're referring to on Google - care to share your search string with us? I'm open to any genuine articles on the matter, so long as the funding for the studies hasn't been traced back to Microsoft.

Actually, this is also directly relevant to the OP.

Speaking of... How'd the paper turn out?
 
Actually, this is also directly relevant to the OP.

Speaking of... How'd the paper turn out?

Actually, I wasn't being snarky - as somebody who runs a lot of Linux servers (and finds it a lot easier to run them as secure than Windows servers), I'm genuinely curious as to the evidence being in favour of Windows being the most secure OS ever written. I don't agree, because of my experience of it, but I'm open to the idea that I'm the exception. Equally, though, I don't think it's fair to the OP's chances of getting a decent grade if the information he's provided with is all studies paid for by MS to support their own product.
 
Neutrino


I don't really know what the point of your post was, did it accomplish anything?

anyway, I am personally on a core team at an open source OS, I won't say which one because it doesn't matter. As somebody who has worked on OSes for nearly 15 years, I stand completely by my statements. I very rarely come to this forum, due to the members mostly. Though I will say that the assumption that Windows is more secured is justified.

As for corporate support, you are correct. The OS project I am a member of, we have lots of companies like Yahoo and Comcast which all have full time committers. Though they tend to only work on what their company sees interest in, and it's not usually security. I have said there are very secure camps such as OpenBSD, but those camps tend to shun usability. Camps which embrace usability are forced to shun security. It's a give and a take. You mentioned that an OS like Fedora has these features, and you are right they do. But look at the source code for what enables them to work and it's shit. A random bunch of mess that makes it work in the least.

The majority of flaws in windows have little to do with 3rd party apps and everything to do with legacy. Though the legacy will always stay and until then there will be the flaws. So again I will stick with saying that Windows is more secure than Linux, solely because it is.


Well I thought the point was quite clear in my post, I even posted the reason at the end of my post explaining my rant.

But let me further it then, let's take your claimed experience for the sake of argument and not demand any proof because it is not needed taking into account your arguments.

You say you worked for 15 years in OS development, in this kind of environment I would assume you are quite familiar with the burden of proof demanded by something as basic as the scientific method.

So let's take a very well respected physicist, let's say Hawking for the sake of notoriety, and have him declare at a conference that he can transmit information via quantum entanglement because and I will quote you here " solely because it is." and have that as proof, what do you think the reaction would be.

Now this is the reason I mentioned your claimed experience might well be true but your arguments which amount to "I SAY IT IS..." do not hold much weight.

Again sorry that I sound so harsh, I did not mean to single you out but I do see so many posts that bash linux security without 1 measly link to back it up.

-----------------------------------------------------

Also as LJ and others mentioned I would really like to see those studies that show windows as being far safer than linux. Independent ones of course.
 
I have to ask, what makes a posted link any more right or correct than what somebody else says here. Most links are simply opinion, nothing more. Just because an organization backs it up, doesn't make it solid.
 
I have to ask, what makes a posted link any more right or correct than what somebody else says here. Most links are simply opinion, nothing more. Just because an organization backs it up, doesn't make it solid.

Well I thought it was quite well established that references (in this case links) are generally used to back one's argument.

For example I can say that Schumacher is the best driver in the world because he is the shit or I can say the same thing and bring links to his driving record. I would dare say the second option is quite more trustworthy.

Of course those references can vary, it is one thing to bring a link from Richard Stallman saying that windows sucks or from Bill Gates saying the opposite....and another to bring links from studies made by well respected universities/organizations/developers/admins with no affiliation to open source or MS.
 
I always thought a part of making Linux secure is the user having to give permission to do something that is powerful enough to destroy system files, or even copy files into a system folder - and run.

Albeit, there are more reasons also.
 
I have to ask, what makes a posted link any more right or correct than what somebody else says here. Most links are simply opinion, nothing more. Just because an organization backs it up, doesn't make it solid.

Because a link to an independent study worth looking at will have references of its own, and a lot more work will have gone into forming a considered opinion based on available (quantifiable) evidence. This is as opposed to most of the posturing that appears to be occurring in this thread (unless you're looking at one of the paid-for studies, that is).
 
I always thought a part of making Linux secure is the user having to give permission to do something that is powerful enough to destroy system files, or even copy files into a system folder - and run.

Albeit, there are more reasons also.

Every modern OS does this.
 