Neil Schneider wrote:
> maverick said:
> > Is there any truth to this?
> The truth is that they were comparing apples and oranges. They
> compared the number of patches to each, without regard to whether the
> patches were for critical vulnerabilities or just bugs. Many of the
> vulnerabilities to Redhat systems could only be exploited locally.
> Also the patches to Windows only applied to the OS, while the Redhat
> patches also applied to the applications that Redhat includes in their
> distribution. This has been hashed and rehashed when the report was
> released. As with most Microsoft funded studies, it's mostly FUD.
> When you start from a conclusion it's often easy to create a study
> that gives the results you want.
Just to clarify the apples and oranges comparison, here's a copy of a
response I made on Slashdot. The context was yet another study by the Yankee
Group released on Tuesday. The person I was responding to stated (in summary)
that he'd installed Linux and Windows several times and Windows was faster and
easier to install. He stated that Linux gets tedious and confusing (my words,
same idea) with the package selections. So, I responded:
You are comparing an OS (windows) with a complete system (a Linux
distribution). There is a HUGE difference between the two. Now if we are going
to make this comparison, then we'll do it fairly.
For some background, I have been an administrator and developer for Windows,
Linux, Unix, VMS, and some systems most haven't ever even heard of. I've also
had numerous network security contracts involving both audits and forensics, as
well as the task of securing some prominent government and commercial
networks. I run both Windows 2000 and Linux on my network currently, and am
working full time as a software engineer. I have performed independent research
into Linux/Windows TCO with references to both pro-Linux and pro-Windows
comparisons. This research had two different goals: convince a CEO why a
company should switch from Linux to Windows, and why a company should switch
from Windows to Linux.
Now, let's do a short comparison of RHEL WS (Red Hat Enterprise Linux Workstation Version
3) and Windows 2000. We'll call both of these a "distribution" for our
comparison and I'll refer to RHEL WS as simply Linux and Windows 2000 as W2K for brevity.
We won't look at the initial price for either distro as anyone can look these up. First
in the comparison, Linux.
Linux comes with a boatload of applications - multiple office suites, project
management, multi-media tools, many games, graphics applications, utilities,
more than a couple mail transport agents, multiple desktop environments, web
servers, multiple web browsers, multiple file servers, etc. - a list long
enough to take a couple CDs. A typical user can avoid the package selection by
selecting one of the pre-defined options at install. Doing so will format the
drive, install all software for that configuration, provide dialogs for
selecting networking options (in the case of a networked system), timezone,
etc. Linux comes with the source code, another couple CDs.
Linux includes the option to select specific applications, environment, source
code, etc. (the package selection you complain about). This is considered an
advanced installation and 99% of the users out there would never select this
option. Selecting a basic workstation install is simple, quick, and is
performed in roughly half the time of W2K. Linux can be installed as a single
user workstation or a complete server (web, file, application, mail, database,
etc.).
Linux includes no anti-virus, anti-spyware, or anti-adware software nor does it
(to date) need it. The basic UNIX security model does not make it necessary
(but that's another long discussion). Linux does not require a per-user
license. It does not require a license for every computer it's installed on,
unless you want support from Red Hat for every computer (then you're paying for
the support, NOT Linux).
Linux comes with development tools for various compiled and interpreted
languages. It comes with the compilers and interpreters for those same
languages. It comes with a couple of IDEs, a debugger, and various utilities
for code development. All told, there are some 13 CDs for Linux (I haven't
actually counted them, but I have a nice stack for each of RHEL WS and RHEL
ES). That basically sums up Linux, so now how does W2K measure up?
W2K comes with a browser, some text editors, a few little games, a terminal
program, a single mail program, and a few other minor things. It all fits on a
single CD. It can only be installed as a workstation and not as a server. It has
no anti-virus, anti-spyware, or anti-adware software, but it requires it. W2K
has limited "package" selection because there's few packages to select. It takes
far longer to format the hard drive, and has only two real installation options:
default and individual package selection.
W2K has a single environment, no compilers, no IDEs, no servers, no source code.
It has a very simple graphics application, not many utilities. If a user wants
to add all the equivalent applications to make it on par with Linux, then the
user must purchase (to stay within the "distro" theme as much as possible)
Office, SQL Server, IIS, Exchange, per-user licenses, Photoshop, multiple IDEs,
and either purchase or download several other pieces of software. Then all these
applications must be installed, with a reboot for each one.
So, in comparison, tell me which one of these two distros is easier to install?
Which one has a better TCO based upon these simple criteria? If we were to take
the TCO comparison further, I can show that Linux, BSD, and other free UNIX
like operating systems have far better TCO than any Windows system.
However, all this aside, there are only two reasons to select ANY platform over
any other:
1. Does one platform meet the requirements of the business better than another?
2. Does one platform meet the requirements of the customer better than another?
TCO is secondary to the above two criteria.
[End of /. post]
Taking this to the area of security, and having personally been involved in
both Linux and Windows security, I will state that if you were to install an
equivalent set of operating system software for both Windows and Linux, secure
them both given the resources available with those installs (e.g. - no third
party or additional software installed), the Linux system will be more secure.
Additionally, one major point these studies never mention is viruses, spyware,
and adware. These are security vulnerabilities. These cause more corporations to
lose more money every year than "cracked" systems do. I have seen very few
studies that include these as research points, and those that do come out with
Linux being more secure than Windows every time.
Now let's consider the number of people that use IE. You simply can't use it if
you secure it. You must leave it in an insecure state in order to use the
operating system. I know, I've done it on ALL my systems. If I secure IE to the
point where all vulnerabilities are virtually eliminated (all that can be),
then I not only can't browse most of the web, but I can't copy files to/from
the network. This may make for a secure system, but it also makes for a very
useless system. So now which one is more secure? Windows is, but it's useless
as a server (and not much good as a workstation either).
Even if W2K3 is as secure as Linux before considering viruses, spyware, adware,
and IE, it certainly isn't afterward.
PGA
--
Paul G. Allen
Owner, Sr. Engineer, Security Specialist
Random Logic/Dream Park
www.randomlogic.com
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list