Andrew P. Lentvorski, Jr. said: > > On Feb 11, 2005, at 4:12 PM, Lan Barnes wrote: > >> He's comparing apples to unicorns, and he cheats, too. > > Yeah, but the fact that he has *some* good data should not be ignored. > >> What is the problem? Too much choice? Knowledgeable users know what >> to >> use. Ignorant users? Linux has far fewer of those. Too many services >> by >> default? All of the above and also, which boxes get hacked by >> default? > > Huh? What relevance does that rant have to my comments?
This article <" http://www.theregister.co.uk/security/security_report_windows_vs_linux/ "> pretty well debunks his numbers. Firstly the numbers quoted from the original article referenced here <" http://techworld.com/security/news/index.cfm?NewsID=1329 "> looks at all the patches for Linux which includes "bugs" on applications vs Windows "vulnerability" patches. <quote from the register> Much ado has been made about whether or not Linux is truly more secure than Windows. We compared Windows vs. Linux by examining the following metrics in the 40 most recent patches/vulnerabilities listed for Microsoft Windows Server 2003 vs. Red Hat Enterprise Linux AS v.3: 1. The severity of security vulnerabilities, derived from the following metrics: 1. damage potential (how much damage is possible?) 2. exploitation potential (how easy is it to exploit?) 3. exposure potential (what kind of access is necessary to exploit the vulnerability?) 2. The number of critically severe vulnerabilities The results were not unexpected. Even by Microsoft's subjective and flawed standards, fully 38% of the most recent patches address flaws that Microsoft ranks as Critical. Only 10% of Red Hat's patches and alerts address flaws of Critical severity. These results are easily demonstrated to be generous to Microsoft and arguably harsh with Red Hat, since the above results are based on Microsoft's ratings rather than our more stringent application of the security metrics. If we were to apply our own metrics, it would increase the number of Critical flaws in Windows Server 2003 to 50%. We queried the United States Computer Emergency Readiness Team (CERT) database, and the CERT data confirms our conclusions by a more dramatic margin. When we queried the database to present results in order of severity from most critical to least critical, 39 of the first 40 entries in the CERT database for Windows are rated above the CERT threshold for a severe alert. Only three of the first 40 entries were above the threshold when we queried the database about Red Hat. When we queried the CERT database about Linux, only 6 of the first 40 entries were above the threshold. Consider also that both the Red Hat and Linux lists include flaws in software that runs on Windows, which means these flaws apply to both Linux and Windows. None of the alerts associated with Windows affect software that runs on Linux. So why have there been so many credible-sounding claims to the contrary, that Linux is actually less secure than Windows? There are glaring logical holes in the reasoning behind the conclusion that Linux is less secure. It takes only a little scrutiny to debunk the myths and logical errors behind the following oft-repeated axioms: 1. Windows only suffers so many attacks because there are more Windows installations than Linux, therefore Linux would be just as vulnerable if it had as many installations 2. Open source is inherently less secure because malicious hackers can find flaws more easily 3. There are more security alerts for Linux than for Windows, therefore Linux is less secure than Windows 4. There is a longer time between the discovery of a flaw and a patch for the flaw with Linux than with Windows The error behind axioms 3 and 4 is that they ignore the most important metrics for measuring the relative security of one operating system vs. another. As you will see in our section on Realistic Security and Severity Metrics, measuring security by a single metric (such as how long it takes between the discovery of a flaw and a patch release) produces meaningless results. </quote> -- Neil Schneider pacneil_at_linuxgeek_dot_net http://www.paccomp.com Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D "All political parties die at last of swallowing their own lies." -- Dr. John Arbuthnot (1667-1735) -- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
