Radified Community Forums
http://radified.com/cgi-bin/yabb2/YaBB.pl
http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1161963588

Message started by Pleonasm on Oct 27th, 2006 at 10:39am

Title: Windows as Secure as Linux
Post by Pleonasm on Oct 27th, 2006 at 10:39am
It is a debate that will surely continue, but - surprise! – recent data demonstrate that regarding “OS vulnerabilities only, Unix, Linux, Mac OS X, and Windows all had about the same amount of exploits, with Windows actually being slightly lower.”

See:

Title: Re: Windows as Secure as Linux
Post by Rad on Oct 27th, 2006 at 6:51pm
surprising.

would like to hear magoo's thots.

since linux is primarily a server o/s, or began that way, it would seem it's designed with more security in mind.

altho everyone knows microsoft has made much effort to secure windows, especially since gates left control to that other guy (forget his name).

to be honest, i always feel like microsoft, since they are a big business, is in bed with the government, and give them a hidden back-door, so i never feel totally secure with that o/s. i always feel like somebody is looking over my shoulder (paranoia?).

linux was built by regular folks (like me and you) .. for the geeks of the world .. and geeks would never sell out.

so if i really wanted to go secure, i'd go linux. it doesn't mean i'd never be hacked .. just not without serious hacking.

everybody should have a copy of linux on their system.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Oct 29th, 2006 at 9:34am
Rad, the most interesting thing I noticed about these data (see links in initial post) is not the comparison of one operating system to another, but the fact that the vast majority of security threats (about 95%) now come from applications.  It is a wake-up call to everyone to keep their applications up-to-date.

For example, in the past year, there have been updates to Adobe Acrobat Reader and Macromedia Flash that have specifically corrected security flaws.

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Oct 30th, 2006 at 6:57pm

Rad wrote on Oct 27th, 2006 at 6:51pm:
would like to hear magoo's thots.

since linux is primarily a server o/s, or began that way, it would seem it's designed with more security in mind.

.....

linux was built by regular folks (like me and you) .. for the geeks of the world .. and geeks would never sell out.

so if i really wanted to go secure, i'd go linux. it doesn't mean i'd never be hacked .. just not without serious hacking.

everybody should have a copy of linux on their system.


I've taken to not having this argument with anyone who hasn't run Linux.  It's hard to understand the built-in security in Linux until you've used it for a while.

One thing to note is that the article is talking about disclosed vulnerabilities.  Since Linux is open-source, any vulnerabilities are out there for anyone to see (and help fix.)  Microsoft has the luxury of being able to fix many issues before the public finds them.  I'm sure there were some vulnerabilities that weren't included.

Another thing to note is that this is the workstation version of Red Hat.  This is not the Linux kernel itself.  Red Hat adds many tools and applications that other distributions, such as Slackware or Debian may not have.  Red Hat Enterprise Server also doesn't include these applications, and would have a completely different security rating.  Also, the author doesn't mention if Red Hat's NSA approved SELinux security package was included in the numbers.  My guess is that a computer with SELinux turned on would have much lower numbers of possible vulnerabilities.

One last point I want to make is that this seems to be talking about remote vulnerabilities.  In general, there are very few remote vulnerabilities compared to local vulnerabilities (in other words, when a user is at the keyboard.)  Linux is much more secure in a multi-user environment due to its permissions system.

I agree that every good geek should have a copy of Linux on their system.  It will teach you a completely different way of looking at computing and a new way to approach problems.  You may not be able to replace Windows, but Linux will give you good experience you can use when troubleshooting or researching.

Rad, you seem to be including control over your system, or maybe privacy, in your notion of security.  You are correct that Linux is the way to go for that, since everyone can see the code and can tell that there aren't any backdoors in there placed by the government or the developers (a valid concern with Microsoft.)  Although it would probably be slightly paranoid to assume Microsoft is watching your every move, it wouldn't surprise me if some developer has put some sort of backdoor somewhere.

Finally, keep in mind that this author picked 2 of the thousands of versions of Linux/Unix to compare to Windows.  If we wanted to slant the study the other way, we could simply compare OpenBSD to WindowsXP.  OpenBSD has had 1 remote vulnerability in the past 8 years.  Per the article, WindowsXP had 13 in the last quarter.  Now, which one would you rather have running at your bank?

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Oct 30th, 2006 at 7:16pm

Pleonasm wrote on Oct 29th, 2006 at 9:34am:
Rad, the most interesting thing I noticed about these data (see links in initial post) is not the comparison of one operating system to another, but the fact that the vast majority of security threats (about 95%) now come from applications.  

The user of a system is always the weakest link in security.  Any ignorant user can download spyware willingly and not know they have infected their computer.  This is where the Linux permission system excels at not allowing people who don't know what they are doing the permission to install things they don't understand.  

One of the common complaints among Windows power users is the need to run the computer as an administrator for daily use.  Sure, there are limited accounts, but they make daily use very cumbersome.  With Linux, you can give a limited user as much or as little power as necessary, allowing them to run any particular commands you want while locking them out of all the others.  Much of the security of Linux has to do with protecting the system from the users themselves, something Microsoft is notoriously bad at (see ActiveX.)

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Oct 31st, 2006 at 9:09am
Well reasoned commentary, MrMagoo!

RE:  “One of the common complaints among Windows power users is the need to run the computer as an administrator for daily use.”

As I understand the situation, that issue has (fortunately) been corrected in Windows Vista.

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Oct 31st, 2006 at 3:50pm

Pleonasm wrote on Oct 31st, 2006 at 9:09am:
As I understand the situation, that issue has (fortunately) been corrected in Windows Vista.

I haven't had a chance to play with Vista yet.  I'm sure as a good geek I should find a copy and get some experience soon.  I heard lots of concerns of the user control features I think you are referring to in the pre-releases of Vista.  If they got it all ironed out for the release, it would be a major improvement in user security.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jan 17th, 2007 at 9:46am
Interesting reading . . .


Quote:
It’s usually taken as gospel in many IT circles to assume that Windows Security is an oxymoron; anyone who dares to suggest using Microsoft IIS 6.0 for a public web server faces serious ridicule.  To see if there was any truth to this presumption that Windows Server is fundamentally insecure, I looked up these hacking statistics from www.zone-h.org for 2003 to 2004.  Not only did it not show that Windows was hacked more often, but just the opposite.  The Linux servers were actually getting hacked and defaced far more often than the Windows server and Apache was also being hacked and defaced more than Microsoft IIS.

. . . and an insightful conclusion:


Quote:
… the argument about which OS is more secure is totally irrelevant since most modern exploits are against applications and not the operating system hosting them.

Source:  Does OS matter anymore for security?

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Jan 17th, 2007 at 9:01pm

Pleonasm wrote on Jan 17th, 2007 at 9:46am:
Does OS matter anymore for security?

Without reading the article, I would say my answer is yes, the OS absolutely matters.

The reason that applications are attacked more often than the OS is because applications are easier targets.  If someone finds an easy way to attack your OS, they will attack it.  Then, all your work to secure your applications will be worthless.  

One good example of this type of security hole is the XBox360.  Microsoft spent years securing the embedded OS against modification.  The community responded by simply flashing the firmware of the DVD-ROM and many of Microsoft's security features on the XBox360 went right out the door.

So, while I agree that people need to focus much more than you might think on securing applications, it is still important to make sure your OS is as difficult a target as it can be.

Title: Re: Windows as Secure as Linux
Post by ben_mott on Jan 19th, 2007 at 5:55pm
Free alternatives to Windows Vista BitLocker

Free alternatives:

http://www.ce-infosys.com
http://www.abylonsoft.de
http://www.gnupg.org
...........................................
http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true
personally I think it is going to lock a lot of people out of their computers.
at least with Windows XP and Server 2003 we had Knoppix CD and
Dream Pack PL software to get in and recover the data,

it is going to be a long time before anybody can find a way round this one. basically one needs an expensive machine to run Vista, and also BitLocker is only available with Enterprise and Ultimate versions of Vista,
which again are too expensive for hobbyists to test and get their head round it.
it says you need 2 partitions:
For BitLocker to work, you must have at least two partitions on your hard disk. The first partition is the system volume and labeled S in this document. This volume contains the boot information in an unencrypted space. The second partition is the operating system volume and labeled C in this document. This volume is encrypted and contains the operating system and user data.
and also it seems that there is a boot manager somewhere in all this.
if there are any hobbyists like Damian (author of Dream Pack PL)
out there see if you can get your head round this one: Vista BitLocker!!!
Regards Ben

;)

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Mar 23rd, 2007 at 10:21am

Quote:
You might not think it, but Microsoft's Windows Operating System has been listed as one of the most secure OSs available.

According to Symantec in its 11th Internet Security Threat Report the Windows OS had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last 6 months of 2006.
Source:  Symantec says Windows most secure OS

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Mar 23rd, 2007 at 9:50pm
From the article:

Of course as with any report you can twist the figures to suit your needs and delving deeper shows that of the 39 Windows vulnerabilities 12 of which were ranked high priority or severe compared to Apple's 1 high priority offering.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Mar 24th, 2007 at 5:32pm
It is most useful to go beyond the summary statements in the article and actually look at the source report produced by Symantec.  While individuals may disagree about the interpretation of the specifics, the key point is this:  the "common wisdom" that Windows isn't as secure as alternative operating systems may be "common" – but it is not necessarily representative of "wisdom."

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Mar 29th, 2007 at 7:28pm
I found an interesting analysis today on different operating systems at different patch levels.  We've discussed before that the weakest link in the security of any system is the user, and part of that is that users are often slow to apply patches that fix security holes.  Users also often configure secure applications in an insecure way.  This analysis shows what kind of trouble you might be in running different operating systems if you don't stay on top of your patches or don't pay attention when enabling services with security risks in the default configuration (both of which are common mistakes of even more advanced users.)

http://www.omninerd.com/2007/03/26/articles/74

Not surprisingly, WindowsXP had a few serious problems before all patches were applied.  Even more disturbing were the problems that Windows 2003 Server had before applying patches.

On the other side of the trench, Fedora Core had no vulnerabilities at any time during testing.  Even Ubuntu, considered an insecure starter version of Linux by the hard-core Linux fans, fared better in this analysis than XP did.  So, while it seems that Microsoft is doing a better job of finding and correcting security issues than they used to, that doesn't make it a secure operating system, and certainly not more secure than Linux.

Based on the results of the tests on Windows Vista, it seems like Microsoft is finally learning to be proactive with security, just like other software vendors have been for some time now.  Maybe in a few years, Windows will be a secure operating system.  As a member of the internet community, I look forward to it.  Linux is not for everyone, and insecure computers hooked to the network put everyone at risk of bot attacks and spam.  Unfortunately, it doesn't look like we are there yet.

From the article:

As far as "straight-out-of-box" conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities. Even before enabling the servers, Windows based machines contain numerous exploitable holes allowing attackers to not only access the system but also execute arbitrary code. Both OS X and Windows were susceptible to additional vulnerabilities after enabling the built-in services. Once patched, however, both companies support a product that is secure, at least from the outside. The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each system generally maintained its integrity against remote attacks.

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Mar 29th, 2007 at 7:42pm
And, to add insult to injury, I just got news that Vista can be forced into a crash-restart-crash loop by a buffer overflow in an animated cursor file:

http://www.betanews.com/article/Vista_Can_Be_Taken_Down_by_an_Animated_Cursor/1175201875

Now, an animated cursor is a silly reason to lose stability on a computer, but on top of the low tech speech engine exploit:

http://blogs.zdnet.com/Ou/?p=418

it gives me concerns about deploying Vista on my network.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Apr 2nd, 2007 at 9:41am
MrMagoo, you will be interested to review the analysis documented in Windows Vista - 90 Day Vulnerability Report, which shows that Windows Vista (and Windows XP as well) had fewer security issues in the first 90 days following their release than either Red Hat Enterprise Linux, SUSE Linux Enterprise Desktop, or Ubuntu.

The key point in my posts isn’t to argue that Windows is more secure than Linux, but rather to encourage a thoughtful reader to question the commonly held idea that Linux is more secure than Windows.  My perception is that many in the Linux community have an almost religious “devotion” to the belief that Linux is more secure than Windows, even in the presence of a growing body of contradictory evidence.  In my opinion, such evidence ought to cause an intellectually honest person to pause, and to possibly alter their position.  At a minimum, a summary statement on the issue ought to be “the assumed security superiority of Linux over Windows is questionable” (as opposed to “Linux is more secure than Windows”).

;)

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Apr 2nd, 2007 at 1:44pm
This article expresses the same sentiment I attempted to articulate in the prior post . . .


Quote:
Although the knee-jerk response from IT professionals is that Linux is more secure than Windows, the real answer is a lot more complex, according to a recently-released report from Forrester Research.

"When asked about the security of popular operating systems like Linux and Windows, many IT professionals have a reflexive reaction:  Linux is relatively secure; Windows isn't," Laura Koetzle, a senior analyst with Forrester said Wednesday.

But is that off-the-cuff dismissal of Windows on the mark?

Not really, said Koetzle, the primary author of Forrester's "Is Linux More Secure Than Windows?" report. …

"The bottom line?  Any of these platforms can be operated securely," said Koetzle.
Source:  Windows Vs. Linux Security:  Depends On Who You Ask

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Apr 2nd, 2007 at 7:23pm
While I agree that any platform can be run securely, we've agreed that users often aren't experienced enough, observant enough, or motivated enough to take the necessary steps.  With Linux, things are often either secure by default, or you are forced to configure them securely before they will run.  

And I think I'll leave off this argument where I started it - I try not to have this discussion with anyone who hasn't personally run Linux long enough to become familiar with it.  It is difficult to understand the security inherent in Linux until you've used it.  

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Apr 3rd, 2007 at 11:02am
MrMagoo, my perspective on the issue is that we are presently in a state of uncertainty:  for every compelling article that documents the security superiority of Linux over Windows, there is at least one article that argues the opposite.  The problem, in part, is that different authors have different conceptualizations of what “security” encompasses – and, more importantly, employ different metrics to assess the presence or absence of “security.”

Under these conditions of uncertainty, the only thing that is certain is the uncertainty itself.  In other words, it is no longer tenable (in my opinion) to assert that “Linux is more secure than Windows” with a high level of confidence.  A more arguable position, I believe, is the moderate assertion that the “assumed security superiority of Linux over Windows is questionable.”

Uncertainty ought to beget humility.

:)

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Apr 5th, 2007 at 7:14pm
I thought I'd post a quick link to an article I was reading about a new service where people can subscribe to virus updates.  Not antivirus, but virus updates.  The idea is that spammers and evildoers can pay a monthly fee to get fresh exploits.

What caught my eye is this section from the article:

...many exploit providers simply wait for Microsoft's monthly patches, which they then reverse engineer to develop new exploit code against the disclosed vulnerabilities...

I think that really drives home the point that patching security holes quickly is a good thing, but it is much more important to not have security holes in the first place, since people are often slow to patch their systems or don't even know that they should be patching them.

Of course, taken from another angle, this underscores the importance of updating your computer frequently, something I think Windows and Linux have made easy for end users to do in the latest versions.

Edit:  Here is a link to the full article - http://www.computerworld.com.au/index.php/id;838771320;fp;16;fpid;0

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jun 20th, 2007 at 4:51pm
On this same theme, a recent analysis of the “days-of-risk” by operating system has been published here.

In 2006, contrary to the generally accepted wisdom, users of Windows were at risk less than those of Linux due to the more prompt security response by Microsoft.  Even when only “high severity” incidents are considered, the same pattern of results holds:  one-third to one-half fewer “days-of-risk” for Windows users versus Linux users.

Of course, it is better not to have a security risk at all than to fix one promptly.  Nonetheless, all operating systems do experience security flaws, and these occurrences place their users at risk.  The fewer the “days-of-risk,” however, the more secure is the total experience.

This is interesting information for all who are concerned about security at the operating system level.  Hopefully, the security response from all vendors of operating systems will improve, but as this research shows, the trend for both Windows and Linux has been the opposite:  more "days-of-risk" in 2006 as compared to 2005.

Title: Re: Windows as Secure as Linux
Post by Rad on Jun 20th, 2007 at 5:17pm
Interesting link.


Title: Re: Windows as Secure as Linux
Post by acosby on Jun 20th, 2007 at 5:50pm

Quote:
While I agree that any platform can be run securely, we've agreed that users often aren't experienced enough, observant enough, or motivated enough to take the necessary steps.

Mr.Magoo hit it right on here:
IMHO, Windows to an average end-user will be more secure.  Development teams get bank to make it idiot-proofed.  Linux, however, is not a "casual user" system.  Though it increasingly attempts to be.  Linux tends to be used by folks who know what they're doing with it.  Therefore, like Mr.Magoo pointed out, a more experienced user will make the system more secure.
The vast majority of problems I've encountered with security issues within various OS's have happened between the keyboard and the floor.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jun 21st, 2007 at 9:50am

Quote:
Starting with release 2.4 and then 2.6 of the Linux kernel, Linus Torvalds and company have been issuing updates every two to three months.  "We add 2,000 lines of code a day to the Linux kernel.  We work on 2,800 lines of code a day," said kernel developer Greg Kroah-Hartman.  "I've never seen the pace of change that Linux has shown."

That presents its own problems.  When new features are added to the kernel at that pace, they haven't necessarily been tested with all the requisite software and on the requisite systems.  A questioner asked the kernel developers why they didn't engage in more regression testing, making sure a new kernel runs the same as the previous kernel in the same environments.

"There's a tension between introducing new features and stabilizing them," said James Bottomley, who works on the Linux kernel and also is CTO at SteelEye Technology. With developers committed to speeding up the pace of innovation, "what we really need is for the user community to help us track down bugs," he said.  "The user base is far bigger than the number of kernel developers."
Source:  Linux Community Looks Past Microsoft

No pre-release testing on Linux?  The user community is primarily responsible for “tracking down bugs”?  Could this be one reason why the “days-of-risk” with Linux is so high as compared to Windows?

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Jun 21st, 2007 at 1:52pm
I think the "days of risk" has to do with the fact that most of Linux is coded by volunteers.  Microsoft has a team of people it pays to correct flaws on a schedule that Microsoft sets.  Linux coders have lives and day jobs that slow them down.  This is, admittedly, one advantage of a commercial OS.

Fortunately, open source has a corresponding advantage in that everyone can review the code and find bugs, as Linus suggests.  There are many more honest people reading over the code than dishonest ones, so flaws are almost always discovered by honest people before they are discovered by malicious people.  Often, a patch is available to fix the problem before a crack is seen "in the wild" to exploit the hole.  Most would-be hackers don't actually have the skill to exploit a security vulnerability themselves, so they have to wait for someone to write a pre-formatted crack to help them.

In other words, there is almost always a patch available to fix the hole before a way to exploit the same hole is widely available.  The "days of vulnerability" doesn't take this into account.  Just because there is a hole there for 45 days doesn't mean that any large number of people can easily attack that vulnerability for that same number of days.

In contrast, there is a much smaller base of people who have access to Microsoft code.  Security holes in Windows are usually found by hackers who reverse engineer or decompile the OS.  Microsoft usually doesn't find out about a security issue until it is exploited, which is what drives the need for a very low "days of vulnerability" stat for them.  There is usually exploit code widely available during the entire period of vulnerability, so they have to fix it quick.  The problem is confounded by the fact that Windows is more popular, and is therefore a much more desirable target for hackers.  If you have a way into a Windows box, you have a lot more computers to choose from than if you are looking to attack Linux or Solaris.

I stand by my opinion that no one who has never run Linux long enough to be reasonably familiar with it has much basis to comment on its security.  It's a different paradigm as far as how to access files and make changes to the system, and statistics like "days of vulnerability" really don't show the whole picture.

Title: Re: Windows as Secure as Linux
Post by Rad on Jun 21st, 2007 at 5:21pm
nice, lucid post.

slightly off-topic, in reference to 'reverse engineering' .. is it possible, with available tools, for a hacker to decompile windows and see all the source code?

.. or do they only get an *idea* of what the source looks like?

tho some may disagree, i like the idea behind this statement:


Quote:
I stand by my opinion that no one who has never run Linux long enough to be reasonably familiar with it has much basis to comment on its security.

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Jun 21st, 2007 at 6:14pm
There is no way to get the original source code.  I don't think Microsoft even makes which language the source code is written in public information (although I'm sure we could make a very educated guess.)  What you can see when you decompile software (as I understand it) is lists of the system calls the computer is making, which memory addresses it is reading and writing, and the instructions sent to the CPU.  It's a very geeky thing to try to do, but someone with experience at it can get a pretty good idea of how a program works.

Title: Re: Windows as Secure as Linux
Post by acosby on Jun 22nd, 2007 at 9:57am
For something like Windows, though, would a hacker really need all the source code?  That seems like it's overly-complex.  After all, Windows' goal was to use Jobs' GUI to make a user-friendly, and easily accessible system.  In doing that, it seems like they've laid a lot of security flaws out in the open.
It's not that hard to learn Registry functions, Bios tweaks, or (though it seems to be phasing out) Dos hacks for Windows.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jun 22nd, 2007 at 10:47am
Concerning Reply #24, MrMagoo, I believe you may have misunderstood the definition of the “days-of-risk” metric.


Quote:
Days-of-Risk (DoR) is a measurement of the time period of greatly increased risk from when a vulnerability has been publicly disclosed (and thus known and available to millions of script-kiddies and other malicious attackers) until a vendor patch is available to close the vulnerability.
Source:  Basic Guide to Days of Risk

The metric does not measure the time between when a developer at Microsoft or within the Linux community identifies a security risk and the time it is fixed.  “Days-of-risk” measures the time “from when a vulnerability has been publicly disclosed ... until a vendor patch is available to close the vulnerability.”  Thus, the point that Microsoft has paid personnel and the Linux community is a collection of volunteers is not relevant; nor is the point about a patch being available “to fix the problem before a crack is seen ‘in the wild’ to exploit the hole” germane.  That is not what is being measured by the “days-of-risk.”  To my way of thinking, this research showing that a Linux user is exposed to two to three times as many “days-of-risk” as a Windows user is indeed very compelling.

Although I understand you have a different opinion, I am troubled by your stance that “no one who has never run Linux long enough to be reasonably familiar with it has much basis to comment on its security.”  This is akin to saying that “no one who has never experienced God has much of a basis to comment on faith.”  Personally, I think such an intellectual position is quite unfortunate, and suffers from circular reasoning.  The way to learn and to grow is to engage with others who have different viewpoints, not to isolate yourself from divergent perspectives.

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Jun 22nd, 2007 at 1:18pm
I have not misunderstood the "days of risk"; you have misunderstood the difference between a vulnerability and an exploit.  Just because a vulnerability is publicly disclosed doesn't mean that millions of script kiddies know how to exploit it.  There is a big gap between knowing of a vulnerability and exploiting it.  Most of these kids don't know much - or anything - about programming.  They don't understand memory locations or buffer overflows.  They need a script they can run that will exploit the vulnerability for them - hence the name script-kiddie.  It takes significant talent and time to write such a script - which is how a vulnerability can be patched before it can be easily exploited, even if it is publicly disclosed for some time.

The idea behind discounting the opinion of people who aren't familiar with Linux is not to close myself off from opposing points of view or different perspectives.  The idea is to take the opposing point of view with a grain of salt due to the limited insight available to someone who has no idea how Linux works.  The methods of gaining access to files, limiting permissions, and preventing configuration changes are different between Linux and Windows, so some knowledge of how the system works is necessary to comment intelligently on studies like this.  I used Windows exclusively for years, and continue to use it on a daily basis.  I favor Linux based on my knowledge of both systems and my first hand experience.  I welcome you to install and run a Linux distribution for a few months and learn how it works and then provide us all with your reactions to what you find.  I would be very interested in the reactions to Linux of an analytical long-time Windows user like yourself.

I extend this challenge to you and anyone else willing to take me up on it:

Try it.  Try Linux.  You might like it.  And if you don't, I honestly will want to hear why.  If I agree with you, I'll even work on submitting feature requests to the relevant development team(s) to make Linux better.  I've written a guide that should make Linux approachable for someone with any level of experience.  If you find anything incorrect or lacking in my guide, I would really like to hear about that too.  I am always open to feedback on my guides, and would welcome any opportunity to improve it - especially since you are just about the exact type of computer user I was targeting when I wrote it.
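
Added example, not part of any post in this thread: the exchange above turns on which interval is counted, disclosure to patch (the quoted "days-of-risk" definition) or public exploit to patch (the window MrMagoo describes). The sketch computes both over constructed sample records, which are not figures from any cited report; `days_exploitable` and the vendor names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Vuln:
    ident: str                       # constructed placeholder id
    disclosed: date                  # public disclosure
    patched: date                    # vendor patch available
    exploit_public: Optional[date]   # None if no public exploit appeared


def days_of_risk(v: Vuln) -> int:
    """Public disclosure until vendor patch, per the definition quoted above."""
    return max((v.patched - v.disclosed).days, 0)


def days_exploitable(v: Vuln) -> int:
    """Days on which a public exploit existed and no patch did (hypothetical metric)."""
    if v.exploit_public is None:
        return 0
    # Assumption: an exploit circulating before disclosure is counted from the
    # disclosure date, so this value never exceeds days_of_risk.
    start = max(v.exploit_public, v.disclosed)
    return max((v.patched - start).days, 0)


def summarize(vulns: list) -> dict:
    """Average both metrics over a set of records and count exploited-before-patch cases."""
    n = len(vulns)
    dor = [days_of_risk(v) for v in vulns]
    exp = [days_exploitable(v) for v in vulns]
    return {
        "mean_days_of_risk": sum(dor) / n,
        "mean_days_exploitable": sum(exp) / n,
        "exploited_before_patch": sum(1 for d in exp if d > 0),
    }


# Constructed sample data: vendor A patches slowly but usually ahead of exploits;
# vendor B patches quickly but exploits are public for most of the window.
VENDOR_A = [
    Vuln("A-1", date(2006, 1, 1), date(2006, 2, 15), date(2006, 3, 1)),
    Vuln("A-2", date(2006, 3, 1), date(2006, 3, 31), None),
    Vuln("A-3", date(2006, 5, 1), date(2006, 6, 30), date(2006, 6, 20)),
]
VENDOR_B = [
    Vuln("B-1", date(2006, 1, 10), date(2006, 1, 24), date(2006, 1, 10)),
    Vuln("B-2", date(2006, 4, 1), date(2006, 4, 21), date(2006, 4, 3)),
    Vuln("B-3", date(2006, 7, 1), date(2006, 7, 12), date(2006, 6, 25)),
]

if __name__ == "__main__":
    for name, data in (("vendor A", VENDOR_A), ("vendor B", VENDOR_B)):
        print(name, summarize(data))
```

On this sample the two metrics rank the vendors in opposite order, so a comparison has to state which interval it counts and where the exploit dates come from.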

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Jun 22nd, 2007 at 1:23pm

acosby wrote on Jun 22nd, 2007 at 9:57am:
For something like Windows, though, would a hacker really need all the source code?  That seems like it's overly-complex.  After all, Windows' goal was to use Jobs' GUI to make a user-friendly, and easily accessible system.  In doing that, it seems like they've laid a lot of security flaws out in the open.
It's not that hard to learn Registry functions, Bios tweaks, or (though it seems to be phasing out) Dos hacks for Windows.
No, you don't need the full source code, only detailed knowledge of how the program works, which you can get by decompiling it.

DOS and BIOS tweaks are not quite the type of hacking we are talking about.  We are talking more about the type of remote vulnerability which might allow someone to gain full access to a computer they have no permissions on - like SQL injections or IIS buffer overflows.  The type of stuff you see in movies where someone can visit a website and end up taking over the server...

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jun 22nd, 2007 at 3:54pm
MrMagoo, note that the “days-of-risk” metric captures the duration of the risk, not whether the risk (vulnerability) actually materialized into a problem (exploit).  I believe you are arguing that more vulnerabilities become transformed into exploits for Windows than for Linux, despite the fact that there are more “days-of-risk” for the latter than the former.  The difficulty, however, is that data are in contradiction to such an assertion.  See the first post in this thread for evidence that regarding “OS vulnerabilities only, Unix, Linux, Mac OS X, and Windows all had about the same amount of exploits, with Windows actually being slightly lower.”

Taking “the opposing point of view with a grain of salt due to the limited insight available to someone who has no idea how Linux works” does not appear to be applicable to Jeff Jones, the researcher who authored the “days-of-risk” analysis.  His biography is impressive, and - as you will note - he is clearly someone who has quite a bit of knowledge about how Linux works:


Quote:
Leaving Purdue in 1987, I immediately started working in security at the Computer Security Office of the Aerospace Corporation.  We did Air Force risk assessments, research projects and supported the Trusted Product Evaluation Program (now NIAP) with the NSA.  Nineteen years later, I've worked always in security, learning along the way at Trusted Information Systems (TIS, where I got my first experience with an Open Source product the FWTK).  While at TIS, I also got my first Linux experience when I worked from home on my P66 SLS Linux machine, building and maintaining everything myself.  ...  Since those good old days, I did kernel dev on Trusted Xenix, a lot of research and consulting, thousands of firewall stalls and eventually moved into product management at McAfee/NAI...
Source:  Jeff Jones Security Blog

I sincerely do not intend to be offensive, but your experience with Linux - whether good or bad - only represents a sample size of N=1.  It is not wise to extrapolate from your experience (or mine) to a more general conclusion about the security of Linux versus Windows.  Exploring this issue requires that one have visibility to a larger perspective.  I am confident you will agree that examining “days-of-risk” (or number of vulnerabilities/exploits) across operating systems over a period of years in a systematic manner is far more compelling and carries far more weight in a thoughtful investigation of the issue than the opinion of a single individual based upon her/his own limited experience.

Please do not interpret my comments negatively.  I am simply saying that well-founded and extensive research is much more meaningful than the opinion of any one person (including the opinion of me).  For example, “Mr. Smith” might be absolutely satisfied with his Ford vehicle, but that one experience does not change the truth of the assertion that Ford vehicles are of lower quality than those of Toyota, as demonstrated by independent marketplace research.

Is Linux more secure than Windows?  At the very least, the research referenced in this thread ought to cast considerable doubt on this commonly held perspective.  Time will, no doubt, clarify the case further.

Thank you for continuing to add your viewpoint into this thread.

:)

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Jun 22nd, 2007 at 7:41pm

Pleonasm wrote on Jun 22nd, 2007 at 3:54pm:
MrMagoo, note that the “days-of-risk” metric captures the duration of the risk, not whether the risk (vulnerability) actually materialized into a problem (exploit).
Exactly my point.  Just because there is a vulnerability doesn't mean (as an article you reference stated) that millions of script kiddies can exploit it.
Pleonasm wrote on Jun 22nd, 2007 at 3:54pm:
I believe you are arguing that more vulnerabilities become transformed into exploits for Windows than for Linux, despite the fact that there are more “days-of-risk” for the latter than the former.
Not at all.  I would venture to say almost all vulnerabilities eventually have exploits available.  What I'm saying is that a vulnerability could be discovered and patched before an exploit is created.  Many Windows vulnerabilities are discovered by hackers and exploits are written before the vulnerability is publicly known or exposed.  In contrast, Open Source OS vulnerabilities are often found by people auditing the source code, and are patched before an exploit is written.  

I am not discrediting Jeff Jones.  I trust his study.  My point is that it is not the whole picture.  My comments about taking people's opinion who haven't tried Linux with a grain of salt were directed toward you.  Just as you don't mean your comments negatively, I mean you no disrespect, but I do feel that you would have a better perspective on this discussion if you would try Linux for 30 days.  And you did not respond to my challenge.
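
The distinction argued in the posts above, worked through as an added example (not part of the thread and not code from any study cited in it). It assumes "days-of-risk" is counted from public disclosure to patch availability; the platforms "A" and "B", the identifiers and all dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vuln:
    platform: str                    # constructed label, not a real product
    ident: str                       # constructed placeholder identifier
    disclosed: date                  # date of public disclosure
    patched: date                    # date the vendor fix became available
    exploit_public: Optional[date]   # None = no public exploit observed


def days_of_risk(v: Vuln) -> int:
    """Days between public disclosure and patch (assumed definition).

    A fix shipped on or before disclosure (coordinated release) counts as 0.
    """
    return max((v.patched - v.disclosed).days, 0)


def exploit_exposure_days(v: Vuln) -> int:
    """Days during which an exploit existed while no patch was available.

    The exploit may predate disclosure, so this can exceed days_of_risk;
    an exploit that only appears after the patch contributes 0.
    """
    if v.exploit_public is None:
        return 0
    return max((v.patched - v.exploit_public).days, 0)


def summarize(records: List[Vuln]) -> Dict[str, dict]:
    """Aggregate both metrics per platform."""
    by_platform: Dict[str, List[Vuln]] = {}
    for v in records:
        by_platform.setdefault(v.platform, []).append(v)

    summary = {}
    for platform, vulns in sorted(by_platform.items()):
        exposure = [exploit_exposure_days(v) for v in vulns]
        summary[platform] = {
            "count": len(vulns),
            "mean_days_of_risk": mean(days_of_risk(v) for v in vulns),
            "mean_exploit_exposure": mean(exposure),
            "exploited_before_patch": sum(1 for d in exposure if d > 0),
        }
    return summary


# Constructed sample records: A is slower to patch but never exploitable
# while unpatched; B patches faster but exploits circulate before the fix.
SAMPLE = [
    Vuln("A", "A-1", date(2007, 1, 10), date(2007, 2, 9), date(2007, 3, 1)),
    Vuln("A", "A-2", date(2007, 3, 1), date(2007, 3, 21), None),
    Vuln("B", "B-1", date(2007, 1, 15), date(2007, 1, 25), date(2007, 1, 5)),
    Vuln("B", "B-2", date(2007, 4, 2), date(2007, 4, 12), date(2007, 4, 7)),
]


if __name__ == "__main__":
    for platform, row in summarize(SAMPLE).items():
        print(platform, row)
```

On this sample, A has the higher mean days-of-risk while B has the higher exposure to working exploits, so the two measures can rank the same platforms in opposite order.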

Title: Re: Windows as Secure as Linux
Post by runlevel on Jun 22nd, 2007 at 9:49pm
@Pleonasm

IF your windows is just as secure or whatever you seem to believe.. then I challenge you to the following:

1) install a default Win XP Pro OR Home - No add-on software just a default install and hook it up to the network, do the EXACT same for linux, any distro, you have MULTITUDES of distros to prove me wrong on.
2) leave both boxen directly connected UNFIREWALLED/UNVIRUS PROTECTED for 30 days.
3) Come back and let's see what box got owned first.
4) actually do it.
5) don't reply to me with some circle talk, just do it.

I on the other hand run the following:
- Arch Linux - Main Desktop
 Windows XP on another Small partition on my Main Desktop for gaming only.
- Red Hat Enterprise Linux 5 on the following:
 4 Identical 500mhz boxen running various services such as DNS(DDNS), DHCP, Sendmail, LDAP and a few others.
- Red Hat Enterprise Linux 5 on my OPERATIONS BOX, runs my website via Apache 2.2 w/ssl, vsftpd w/ssl, master LDAP directory, and a few other services.
- OpenBSD thin client I put together running on a Mini-itx 800mhz board, installed on a 512mb CF Card (only uses 250mb, let's see windows do that), this system is my firewall, has 3 NIC's and filters my network and also connects my network to another network so we can be awesome at computers....together.
- 1 win2k3 box (does absolutely nothing at the moment cuz i can accomplish everything I need on my linux servers, tho it does seem to churn its HDD .... ALL THE TIME... wtf is it doing? ... )
- 1 WinXP Pro Laptop - Cuz i wanna game remotely sometimes, GAMING ONLY no web browsing.
- 1 Red Hat Enterprise Linux 5 Laptop: This is my Installation server/testing box for new services i'm studying. Runs DHCP, TFTP, and NFS for Remote PXE installation to my servers on demand. All i have to do is turn on a new box on the network.. and come back in 30 mins and login to the new box, windows can do that right?

and various other linux boxen.

The reason i listed those is:
1) my windows XP laptop for gaming... had to be reimaged.. now for the 4th time... in 1.5 months, this box is only used for C&C Generals... has Windows Firewall ON, and is used.. maybe MAYBE 2 times a week for a 1-2 Hour C&C Generals Gaming. How did this box get spyware/viruses ??? Why did it suddenly grind to a halt after only a little bit of use? It was running Arch Linux but after a year of not getting to game on it, i installed WinXP.

2) my Main Desktop's windows XP partition needs a re-install as well, though i admit.. i have surfed a site or two while waiting for my buddy to start C&C Generals up. WTF?

3) you get the point i'm making with the windows boxen.

4) ... this may come as a surprise to you, but, (everyone wait for it.. wait for it.... wait... ) I haven't had a single attack/virus/spyware/system malfunction.. on any.. ANY, of my linux boxen.. (of course i'm just lying i'm sure.. :rolls eyes:   )  also i might add that i'm a bad linux admin, i don't run firewalls on any linux box except my OpenBSD FIREWALL box but that's kinda implied, no A/V, hell, i don't even set root passwds half the time.. why? cuz who's gonna get in? , Oh and check this out.. can windows do this?

[root@opsbox ~]# uptime
13:43:25 up 53 days, 38 min,  2 users,  load average: 0.00, 0.00, 0.00

That's when it completed its first boot after its PXE install ( obviously i can't prove this )
you'll note that the load average is quite low, this is due to the following:

httpd running
vsftpd running
NFS mounts being used to share out my awesome "Friends" episodes ;)

I could go on.. but you probably stopped reading by now.. and if not.. i'll remind you of the challenge that i foresee NOT happening:

1) install a default Win XP Pro OR Home - No add-on software just a default install and hook it up to the network, do the EXACT same for linux, any distro, you have MULTITUDES of distros to prove me wrong on.
2) leave both boxen directly connected UNFIREWALLED/UNVIRUS PROTECTED for 30 days.
3) Come back and let's see what box got owned first.
4) actually do it.
5) don't reply to me with some circle talk, just do it.


DO IT!

init 0

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jun 23rd, 2007 at 3:54pm
MrMagoo, thank you for clarifying your point.  However, may I ask:  on what basis do you assert that "Many Windows vulnerabilities are discovered by hackers and exploits are written before the vulnerability is publicly known or exposed" whereas "Open Source OS vulnerabilities are often found by people auditing the source code, and are patched before an exploit is written"?  Is this your informal impression, or are there data to support the statement?

I do agree that Jeff Jones' study (or, in general, any one study) is not "the whole picture."  When seeking to understand a situation, it is helpful to try to obtain "convergent validity" – i.e., several sources and facts that collectively all point to the same conclusion.  That is what we are beginning to see here, and it is the reason why I do not believe it is prudent to forcefully argue that "Linux is more secure than Windows".  The hypothesis may, in fact, be true.  But, given the evidence on the table, it is – at the very minimum – quite questionable and far from completely certain.  To be specific, I would be much more comfortable if Linux users were just a bit more humble and asserted "Linux may be more secure than Windows - but the situation is not clear" rather than exhibiting an unjustified level of bravado, in my opinion.

On this point, MrMagoo, what probability (0 < p < 1) would you assign to the hypothesis that the statement "Linux is more secure than Windows" is true?  Would you say that the probability is 1.0?  or 0.9? …  or 0.5?

With respect to Linux, I do intend to try it – but am waiting until I purchase a better PC (probably later in 2007 or early 2008) in order to run it in a virtual machine.  However, whether you or I like or dislike Linux really has no relevance to the discussion at hand, since the opinions from a sample size of N=2 (you and I) carry little weight as compared to thoughtful, well-executed industry research.  (In years past, I did use SCO Xenix quite a bit, by the way.)

;)

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Jun 23rd, 2007 at 6:27pm

Pleonasm wrote on Jun 23rd, 2007 at 3:54pm:
MrMagoo, thank you for clarifying your point.  However, may I ask:  on what basis do you assert that "Many Windows vulnerabilities are discovered by hackers and exploits are written before the vulnerability is publicly known or exposed" whereas "Open Source OS vulnerabilities are often found by people auditing the source code, and are patched before an exploit is written"?  Is this your informal impression, or are there data to support the statement?
That's really the only way Windows vulnerabilities can be found.  MS only has so many people they can pay to work on security - and most of them stay busy *fixing* issues and don't have much time for looking for them.  No one else has access to the source code, so decompiling it is the only option.  Decompiling code is time intensive, so only people who have a LOT to gain by finding holes do it - and this mostly means industrial hackers, spyware writers, etc...


Pleonasm wrote on Jun 23rd, 2007 at 3:54pm:
With respect to Linux, I do intend to try it – but am waiting until I purchase a better PC (probably later in 2007 or early 2008) in order to run it in a virtual machine.  However, whether you or I like or dislike Linux really has no relevance to the discussion at hand, since the opinions from a sample size of N=2 (you and I) carry little weight as compared to thoughtful, well-executed industry research.
I'm not saying anyone's opinion matters.  I'm saying without experience it is difficult to interpret and discuss the results of studies like this.  As far as any trend you think you are seeing, I could find just as much information contradictory to the studies you are posting as you have found supporting it.  It just depends on what you look for.  

I don't think assigning a number to the probability that Linux is more secure is nearly as scientific as it sounds.  My overall point is that I feel that the design of the OS and the control the administrator has in Linux makes it much more secure, and none of the studies you have shown here have had an impact on that.  There are things in Windows (like administrative shares, where any Windows computer with Windows file sharing turned on shares the root of all hard drives - other Windows computers can't access those shares but Linux computers can read and write to your whole drive!...) that are major design flaws.  Linux is much more modular, and provides an administrator complete control over every line of code in the system.  Microsoft tries to decide what is best for every user and they can't get it right all the time.  Vista seems to be only an incremental improvement in security design, and I think only a major security philosophy change at MS will ever bring it up to the level that Linux is already at.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jun 24th, 2007 at 9:37am

Quote:
I could find just as much information contradictory to the studies you are posting as you have found supporting it.

That is my point, MrMagoo.  The situation is quite murky and unclear, with evidence on both "sides" of the issue.  Under such circumstances, I fail to see how an intellectually honest person could boldly make the assertion that "Linux is more secure than Windows" (or, the reverse).  I think the more reasonable conclusion is that there exists significant doubt on whether or not Linux is more or less secure than Windows.

Since you offered, can you kindly post links to the top three empirical studies you believe demonstrate a higher level of security for Linux as compared to Windows?


Quote:
I don't think assigning a number to the probability that Linux is more secure is nearly as scientific as it sounds.

My objective was simply to better understand how strongly you believe in your position that "Linux is more secure than Windows":  whether you consider this statement as "gospel truth," "urban legend" – or, something in between.


Quote:
That's really the only way Windows vulnerabilities can be found.  MS only has so many people they can pay to work on security - and most of them stay busy *fixing* issues and don't have much time for looking for them.

Actually, unless one of us has experience working in the software security department of Microsoft, I do not believe that either you or I could claim that Microsoft does not spend "much time" looking for vulnerabilities.  We don't know, and shouldn't say otherwise.  In contrast, we do know that the Linux kernel developers spend no time looking for vulnerabilities, as reported in Reply #23.  Personally, I find that quite troubling.


Quote:
I'm saying without experience it is difficult to interpret and discuss the results of studies like this.

I fail to see how one's familiarity with Linux helps or hinders the interpretation of Jeff Jones' research.  It's not complicated, it doesn't involve any "advanced statistics" beyond counting and basic arithmetic, and it is all based on publicly available data.


Quote:
My overall point is that I feel that the design of the OS and the control the administrator has in Linux makes it much more secure

This is like saying "I feel that the design of <insert your favorite vehicle name here> and the control the driver has in it makes it much more safe."  It is purely a subjective assessment.  I don't doubt that your viewpoint is based upon a thoughtful consideration, but you ought to realize that others may see the same situation quite differently.  For example, Windows file sharing is viewed by you as a security flaw; by others, it is viewed as very beneficial feature.  The fact that it can be misused, in my opinion, does reflect on the inherent security of Windows – rather, it highlights the fact that a user of any operating system has the responsibility to understand the consequences of their configuration decisions.

;)

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Jun 25th, 2007 at 12:40am

Pleonasm wrote on Jun 24th, 2007 at 9:37am:
In contrast, we do know that the Linux kernel developers spend no time looking for vulnerabilities, as reported in Reply #23.  Personally, I find that quite troubling.
No, the kernel developers don't spend much time looking for vulnerabilities, but since it is open source, many other people who are willing to volunteer their time to Linux can and do spend a significant amount of time on it.  This is how Linux has been built - by the community for the community.


Pleonasm wrote on Jun 24th, 2007 at 9:37am:
This is like saying "I feel that the design of <insert your favorite vehicle name here> and the control the driver has in it makes it much more safe."  It is purely a subjective assessment.
No, it is not a subjective assessment at all.  A better designed braking system (like ABS vs standard brakes, for example) and the option for the driver to choose several different steering modes (one for high speeds, one for traffic, etc.) could give a car an edge in safety.  It's the same with Linux.  The superior permissions system, along with the option to choose to disable or enable modules as you need them or as your security threat dictates gives Linux an edge in security.  There are services in Windows (such as the administrative shares I mentioned earlier) that cannot be disabled that either are security loopholes or could be at some time that cannot be disabled by the computer administrator.  

As far as providing the links to surveys you have requested, I have provided a few earlier in this thread.  Anyone who wants more could start with Google.  I don't think I could change your mind with a thousand links, and all of your links have been unsuccessful in changing mine.  I don't feel you and I going tit-for-tat with every survey we can find would be productive right now.  Instead, I encourage any reader of this thread who does have an open mind about this issue to do their own research, become thoroughly familiar with both OS's, and make their own well-informed decision.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jun 25th, 2007 at 4:32pm

Quote:
A better designed braking system ... could give a car an edge in safety.  It's the same with Linux.

There is no argument that “better design = better product,” of course; the point you are raising is whether Linux has a better design than Windows.  That is an important question, but one that I hope you will admit is open to interpretation.  For example, some would say that a Toyota Camry has a better design than a Honda Accord; others, however, would say the opposite.  There is not a ‘right’ or ‘wrong’ perspective on “better design” - it is somewhat a case of “beauty is in the eye of the beholder,” so to speak, dependent upon the features/benefits that are of most importance to the person making the conclusion.

I understand that you personally believe that Linux has a better design than Windows, but you should understand that your assessment of the situation is not “gospel truth” - it simply represents your honest opinion of the situation, and others who are equally skilled with both operating systems could have an equally valid opinion favoring Windows.  In short, your assessment isn’t a statement of “truth,” but only of “truth” as you see the situation - and others can look at Linux and Windows and come to a different conclusion.  I am confident that you have enough intellectual curiosity and openness to agree.


Quote:
I don't think I could change your mind...

Actually, I have tried to indicate in several posts that my position on the issue is far from being solidified.  Based upon what I have read, I believe that Linux might be more secure than Windows (or the reverse?), but the situation is sufficiently unclear so as to make that statement quite questionable.  In contrast, I perceive that your position is closed:  namely, you have no doubt that Linux is more secure than Windows, divergent evidence notwithstanding.  My hope is that you will subject your belief to the criticism of the alternative viewpoint, and allow for the possibility of changing your stance.  My experience is that, with regret, too many Linux users refuse to openly and honestly consider the other side of the equation, sadly and snugly secure in a worldview from which they will never, never deviate for any reason.  I pray that I may never be so confident about my own judgments.


Quote:
As far as providing the links to surveys {that support the security advantages of Linux over Windows} you have requested...

Interestingly, I have assumed that empirical studies exist that support the hypothesis that Linux is more secure than Windows.  My search of the web, however, has so far failed to find any that specifically and empirically show that the user experience of Linux is more secure than that of Windows.

All the best,
Pleonasm
:)

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jun 26th, 2007 at 9:56am
A thoughtful, empirical and independent study from Purdue University says . . .


Quote:
Software selection is an important consideration in managing the information security function.  Open source software is touted by proponents as being robust to many of the security problems that seem to plague proprietary software.  This study empirically investigates specific security characteristics of open source and proprietary operating system software.  Software vulnerability data spanning several years are collected and analyzed to determine if significant differences exist in terms of inter-arrival times of published vulnerabilities, median time to release patches, type of vulnerability reported and respective severity of the vulnerabilities.  The results demonstrate that open source and proprietary operating system software are each likely to report similar vulnerabilities and that open source providers are only marginally quicker in releasing patches for problems identified in their software.  The arguments favoring the inherent security of open source software do not appear to hold up to such analysis.
Source:  Vulnerabilities and Patches of Open Source Software:  An Empirical Study

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Jun 26th, 2007 at 2:30pm
Still interesting that the results of this study seem to be in conflict with your "Days of risk" study, with Purdue giving Open Source a slight advantage.  I'm impressed to see that they show Open Source with a slight advantage considering most Open Source developers are volunteers.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jun 26th, 2007 at 5:07pm
Greetings, MrMagoo.  I too like the fact that the Purdue study demonstrates a slight advantage for open-source operating systems - it suggests that the authors are really being “fair.”  It is good to note, though, that the research found a “lack of statistical significance on several measures,” meaning that the observed advantage for open source is not reliably different than what one would expect on the basis of chance.

I wouldn’t use the Purdue study to argue that Windows is more secure than Linux (or the opposite), but it might cause a thoughtful reader to at least question the merit of adopting an unwavering “Linux is more secure than Windows” position.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jun 27th, 2007 at 2:12pm
Red Hat Linux was just awarded a top United States government security rating in June, 2007, which is very impressive (see here).  It now appears that Linux has matched the security rating of Windows, which was earned earlier in December, 2005 (see here).

As a consequence, from the perspective of a United States government security rating, both operating systems are equally secure.

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Jun 27th, 2007 at 4:13pm
Red Hat actually achieved the same EAL4 rating a long time ago.  What everyone is excited about is that this rating also included the Labeled Security Protection Profile.  From the article:

Linux had already been certified at the EAL4 level, but this is the first time that the operating system has received the Labeled Security Protection Profile (LSPP) certification, which relates to its access-control features.

SE Linux was developed by Red Hat for Linux by request of the NSA.  About 5 years ago, no operating system met their criteria for security and user permissions.  They approached Red Hat about the issue, and Red Hat developed SE Linux to meet the NSA's needs.  So, while Windows does have an EAL4 rating, Red Hat with SE Linux is the only thing the NSA will use for their own most sensitive systems.  

This is why whenever someone shows me a study about how Windows or some other operating system is better secured than Red Hat, my first question is always "Was SE Linux turned on for the Red Hat systems studied?"  The answer is "no" about 10% of the time and "The study didn't mention that" the other 90%.  It's almost like me turning my Windows firewall off and then doing a study about how fast someone can hack into the machine.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jun 27th, 2007 at 5:17pm
Very interesting, MrMagoo!  I do wonder, however, about the statement that “Red Hat with SE Linux is the only thing the NSA will use for their own most sensitive systems.”  How do you interpret the following from the NSA itself?


Quote:
Security-enhanced Linux is only intended to demonstrate mandatory controls in a modern operating system like Linux and thus is very unlikely by itself to meet any interesting definition of secure system.
Source:  http://www.nsa.gov/selinux/info/faq.cfm#I13

And . . .


Quote:
This is out of context, and yet another irresponsible post by a linux fan boy that just hurts the penguin's street cred.  As a contractor with many years experience working in and around the NSA, I can tell you for a certainty that the NSA maintains custom builds of many OS's - not just Linux.  And internally, Linux isn't perceived as any more secure than windows - just easier to create a custom build of a known secure configuration, and deploy it easily.  The NSA's primary server software, last time I checked (less than a year ago) was still Windows Advanced Server 2000, with a smattering of Windows DC Server.  Also, note that the NSA uses MS Exchange 2003 and SQL Server 2000 (I don't think these run on Linux, do they?) in their SI {Signals Intelligence - foreign adversaries' communications} division - I know, as I was part of the team that set them up.

Love the linux, but don't spread the word without the correct context; just because they're using a secure variant they came up with in their research area doesn't mean they're using it across the enterprise; and when they issued docs on securing Windows 2000 and started using it internally, it wasn't even news.  What does this tell you?

That when you secure an enterprise OS, no one is surprised. When you secure Linux, it's news.
Source:  http://digg.com/linux_unix/NSA_chooses_Linux

Let’s continue the conversation . . .

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Jun 27th, 2007 at 9:07pm
Mandatory controls are the most important part of security, so yeah, by itself it isn't enough but on top of a good OS, it's good stuff.

My source is a conversation with an SE Linux developer in a class I took taught by Red Hat.  Your source is some dude on digg.  So, I guess it's all just he-said-she-said stuff, but I like my source better.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jun 28th, 2007 at 9:20am
MrMagoo, it is difficult, I agree, to determine the truth of what operating systems the NSA uses in which departments.  I’m not sure I would place a “high” degree of credibility in either of the sources we have referenced.  If you search the NSA website, though, you’ll find many references to Windows, suggesting (but not proving) that the Windows platform has a substantial role in the NSA.

Additionally, the NSA publishes a number of Operating Systems Guides.  It is noteworthy that Windows is included in this list - but not Linux (although Sun Solaris is present).

Building upon the prior collection of posts, can we now say with certainty that the “Linux is more secure than Windows” situation is uncertain?  Really, that is the core of my point:  the Linux advocates could be correct, but (to me) the body of contradictory evidence suggests that a more humble stance (e.g., “Linux may be more secure than Windows”) would be more appropriate.

(Hubris is unbecoming.)

:)

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jul 2nd, 2007 at 10:18am

Quote:
"Gartner's research indicates that all of the mainstream operating systems, in the personal and the mid-range server environments, are roughly similar in terms of the level of security assured by the OS in a default installation.  This includes Windows, Mac, and Linux.  Accordingly, it is not correct to assert that Linux is inherently more or less secure than any other mainstream operating system," said Walls {research director for Gartner’s Security}.
Source:  Security Beefed Up for Linux (2 JUL 2007)

If you are not familiar with the company, note that Gartner is widely recognized and acknowledged as the most prestigious, independent source of technology information available.


Quote:
Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company.  We deliver the technology-related insight necessary for our clients to make the right decisions, every day.  From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, we are the indispensable partner to 60,000 clients in 10,000 distinct organizations.  Through the resources of Gartner Research, Gartner Consulting and Gartner Events, we work with every client to research, analyze and interpret the business of IT within the context of their individual role.  Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 3,800 associates, including 1,200 research analysts and consultants in 75 countries.
Source:  About Gartner

The position of Gartner is not just “opinion” - it is informed, independent analysis from industry experts.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Aug 4th, 2007 at 4:27pm
Readers of this thread may find the Windows Vista 6-Month Vulnerability Report to be of interest.

While a comparison over only six months is a short duration, the report suggests that Windows Vista may have succeeded in delivering an improved security vulnerability profile, both relative to Windows XP and relative to Linux (Red Hat, Ubuntu, Novell) over equivalent durations.

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Aug 4th, 2007 at 6:12pm
There were several problems with the 6 month vulnerability report, beginning with the fact that it compared Vista with versions of Linux that were much older than Vista.  RHEL 4 was used, when 5 has been on the market for some time.  Ubuntu 6.06 was used, when both 6.10 and 7.04 are both out (although 7.04 isn't quite 6 months old yet.)  SUSE 10 was used, when both 10.1 and 10.2 have been on the market for a while.  

The report is very one-sided, as you should expect from a Microsoft researcher.  There are several problems with the way the number of vulnerabilities were counted, some of which are described here:

http://seclists.org/fulldisclosure/2007/Jun/0528.html

You've posted several quotes from impartial industry experts out of your own research that indicate that no OS is more secure than others, so we should be just as skeptical when we find information that says Windows is more secure than Linux as we have been when we find information that points the other way - especially when the report is written by Microsoft.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Aug 6th, 2007 at 10:18am
MrMagoo, I wasn’t using the Windows Vista 6-Month Vulnerability Report to argue that Vista is more/less secure than Linux, but rather only as a data point suggesting that “Vista may have succeeded in delivering an improved security vulnerability profile” (Reply #48).  As we discussed previously, vulnerabilities do not equate to exploits.

Your insights about the report are intriguing.  I wonder why the researcher did not use the most recent versions of RHEL and Ubuntu (assuming that each version has been available for at least 6-months)?  More importantly, I wonder whether doing so would make any difference in the analysis.  Do you have any reason to believe that the pattern of results would be meaningfully different had the most recent versions of RHEL and Ubuntu been used?

The report 6 Month Vista Vuln Report, Debunked referenced in Reply #49 is hardly an “analysis” of the situation, but more of a “rant”.  In fact, there is not a single number in the Windows Vista 6-Month Vulnerability Report that this author re-computes and shows to be incorrect.  Stated differently, if there is a problem with the way that vulnerabilities are counted, then why doesn’t this author do a re-count and share the results rather than simply offering unsubstantiated and generalized criticisms?

Is the “report is very one-sided”?  Unless it can be shown that the research has a fundamental flaw or was structured so as to purposely skew the outcome, then it may be difficult to argue that it is “one-sided.”   All data used to construct the analyses in the Windows Vista 6-Month Vulnerability Report come from public sources.  Anyone is free to check the numbers or summarize them in a way that they believe to be more appropriate.  Wouldn’t that be a much more productive path forward and shed more “light” than “heat” on the topic?  Honestly, I wish that someone from the Linux community would do this task so that a more informed discussion may occur on the theme.

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Aug 6th, 2007 at 1:10pm
I don't know that calling it a rant is very fair.  He discusses several of the issues I have brought up here as far as the difficulty of comparing open source bug reports with closed source ones.  He also points out that several of the bugs listed for the Linux distributions are not necessarily bugs in Linux but bugs in software that doesn't even come installed in the default installation.  Listing a bug in MySQL as an RHEL 4 vulnerability is the same as listing a bug in Photoshop as a WinXP vulnerability.  He does provide the number of these "extraneous vulnerabilities" as 100+.  It is true that he doesn't rework the numbers and redo all the math, but that is not at all the point.  The point is that what we have in the 6 Month Vulnerability Report is as much marketing as security research, which is very typical of Microsoft.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Aug 6th, 2007 at 3:23pm
RE:  “I don't know that calling it a rant is very fair”

Yes, in retrospect, I agree that the use of the word “rant” was an overstatement.  But, in comparing the Windows Vista 6-Month Vulnerability Report to the posting 6 Month Vista Vuln Report, Debunked, I hope you will agree that there can be little doubt which is more professional, more thorough, more factual (i.e., data-based), and of higher quality.  One is a systematic examination of a problem; the other, in contrast, is informal commentary.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


RE:  “...Ubuntu 6.06 was used, when both 6.10 and 7.04 are both out...”

The researcher explains that version 6.06 was used because “So far, Ubuntu has only committed to long term support for 6.06 and not later releases.”  See footnote 4 on page 7 in Windows Vista 6-Month Vulnerability Report.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


RE:  “... several of the bugs listed for the Linux distributions are not necessarily bugs in Linux but bugs in software that doesn't even come installed in the default installation”


Quote:
Red Hat and other Linux distribution vendors add value to their workstation distributions by including and supporting many applications that don’t have a comparable component on a Microsoft Windows operating system.  It is a common objection to any Windows and Linux comparison that counting the “optional” applications against the Linux distribution is unfair, so I’ve completed an extra level of analysis to exclude component vulnerabilities that do not have comparable functionality shipping with a Windows OS.
Source:  Windows Vista 6-Month Vulnerability Report (page 6)

The comparison of Windows (Vista/XP) to the reduced Linux builds still shows the same pattern of results:  Windows had considerably fewer vulnerabilities in its first 6 months as compared to the reduced Linux builds, whether all fixed/unfixed vulnerabilities are examined or whether the analysis is restricted to high severity vulnerabilities only (see Figure 3 and 4 in the report).


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


RE:  The Windows Vista 6-Month Vulnerability Report “is as much marketing as security research”

If the research report has limitations, then let’s discuss each one in turn.  But, dismissing the merit of the content as “marketing” is, really, not much more than childlike “name calling” -- it doesn’t add substance to the interchange.

What, specifically, do you see in the report that is unsubstantiated and not fact-based?

If the report were only “marketing,” wouldn’t you expect to find derogatory statements about Linux contained in it?  I don’t see a single instance of such a comment - do you?  


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


The Windows Vista 6-Month Vulnerability Report closes with the encouragement to readers “to challenge ... assumptions, analysis and conclusions and provide critical feedback – but asks for equal (or better) rigor in methodology and analysis to support the challenges, as opposed to enthusiastic espousal of unsupported evangelistic fervor.”  A very reasonable request, is it not?

Hopefully, the Linux community will respond with “rigor in methodology and analysis” and not “enthusiastic espousal of unsupported evangelistic fervor.”  Hopefully, the wait will not be long . . . .

;)

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Aug 7th, 2007 at 11:33am
Concerning whether the author of the Windows Vista 6-Month Vulnerability Report is “biased” or not . . .


Quote:
I’ve expected that as soon as we get into any meaty and interesting discussions, my current place of employment (Microsoft) will come into play, combined by assertions that I must be biased.  It is fairly predictable, so I thought it might be interesting to just pre-empt it and open the question myself.

I’ve been a Director at Microsoft for a little over four years now, in the security group that works to drive security improvement across the company.  For that alone, some may condemn me, so let’s dig into it.

In the engineering program at Purdue University, we all used Unix accounts and to this day, my fingers remember the key “vi” editing commands.  My workstation and development platform for my first four years of work was a Sun workstation.  Working from home after that, I used Slackware Linux as my primary workstation for two years starting in 1994.  When we turned the TISFirewall Toolkit into the Gauntlet firewall, we did it on the BSD/OS.  ... Basically, I’ve used and done security analysis on most common operating systems over the past 20 years – even some uncommon and interesting proprietary ones by Unisys, Tandem and HP.  In fact, over 75% of my security career came before Microsoft.

How did I end up at Microsoft?  Let’s go back in time five years.  At that point, it was commonly accepted by most people that Microsoft had some security problems.  In contrast, most folks thought the Unix and Linux community (and vendors) historically had a better approach to security and would build on that.  Around that time, I got a call from a respected former colleague (Steve Lipner), who convinced me that Microsoft management was committed to improving security across the company and was taking real steps to do it.  I was skeptical, but ultimately convinced enough to join – where better to have real impact in computer security?

Still, I like to be practical about security.  Does your team have deep Unix skills and no experience on Windows?  If so, your risk will be better managed on some sort of Unix system, regardless of whether Microsoft security is better, worse or indifferent.

So, I’ve been around security a while and in the past four years I’ve personally participated in steps at Microsoft that, in my mind, are resulting in improved security for customers.  Is it perfect?  No.  Are the products much better than predecessors?  Certainly so.  Is security improvement happening on Linux and Unix?  Definitely.  Who is doing better?  Ah, that brings us back to the question doesn’t it – by what metric?

Am I biased?  I do not think so, but let’s just all keep assuming I am, because I don’t mind.  If I make comparisons, I’ll lay out my metrics.  I’ll lay out my assumptions.  I’ll describe the methodology.  Then, if you want to dispute the results, debate the assumptions, or critique the methodology, I’ll ask the same of you.  Regardless of the outcome, all sides will get presented, progress is made and that’s a win for interested readers.
Source:  Exactly how biased am I?

Sure doesn't sound biased to me.  Your perspective?

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Aug 7th, 2007 at 11:51am
It is worthwhile to note these comments from the author of the Windows Vista 6-Month Vulnerability Report . . . .


Quote:
I am not asserting that my vulnerability analysis demonstrates that Windows is more secure.  Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows.  The "unsupported" part of that bothers me, so I check for myself.  What I keep finding is that Linux distributions have more vulnerabilities, more serious vulnerabilities and the data does not support the assertions of security superiority for Linux and Open Source software.
Source:  Apples, Oranges and Vulnerability Metrics

Couldn’t have said it better myself.  Like this author, I too am disappointed by the continuous cacophony of Linux fans asserting that Linux is more secure than Windows, despite the apparently complete lack of supporting data.  As indicated many times previously in this thread, I believe the more justifiable position is that “Linux may be more secure than Windows, but the certainty of that superiority is quite questionable.”  Isn’t that a more appropriate (and humble) position, given the evidence in hand?

P.S.:  It is ironic that Unix has its roots in academia, a community in which unsupported assertions are poorly tolerated.

:)

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Aug 7th, 2007 at 10:39pm

Pleonasm wrote on Aug 7th, 2007 at 11:51am:
P.S.:  It is ironic that Unix has its roots in academia, a community in which unsupported assertions are poorly tolerated.

Yikes.  Now you are making it personal, and I don't feel continuing down this path would have any academic value for readers of this thread.  My assertions that Linux is more secure are founded on actual personal and professional experience with both operating systems, and I've provided supporting documentation along the way.  I take (slight) offense to you implying that anything I've said is completely unfounded.  Thanks for a great discussion, but we've obviously hit the limit now.

Title: Re: Windows as Secure as Linux
Post by nbree on Aug 9th, 2007 at 9:28pm

Pleonasm wrote on Aug 7th, 2007 at 11:51am:
I too am disappointed by the continuous cacophony of Linux fans asserting that Linux is more secure than Windows, despite the apparently complete lack of supporting data.

To be fair Pleo, this isn't really surprising and not unique to them. Even quite serious and dedicated groups of people fall prey to reasoning errors like groupthink and confirmation bias, and that's without the kind of self-selection dynamics in communities like that around Linux (and there are several quite distinct communities - there is no one "the" Linux community).

Really, much of the "language wars" kind of thing that programmers tended to engage in is the same; people want to come up with post-facto "rational" justifications for decisions they have made for other reasons. That doesn't mean that they are necessarily wrong, or that their decisions are bad - emotion is, as I've said elsewhere, a useful part of our cognitive toolbox - just that the backward-looking search for justification tends to produce a lot of just so stories.

Another example of a case of this was in evolutionary biology; some years ago it was a real problem where the "selfish gene" concept was spreading rapidly, and biologists having decided that the theory was right went looking at unusual features of organisms in light of this new viewpoint. The result was an awful lot of circular reasoning, where biologists went around imagining untestable "benefits" for things to explain why they had been selected for, resulting in lots of "just so stories". It took quite some time before the standard of scholarship recovered from this.


Pleonasm wrote on Aug 7th, 2007 at 11:51am:
P.S.:  It is ironic that Unix has its roots in academia, a community in which unsupported assertions are poorly tolerated.

That's a little oversold, unless you were referring to the Stanford/MIT axis with its influence on so much of the entire software world (and they also being deeply involved in MULTICS). Otherwise, I'd consider UNIX to be a classic product (like Smalltalk) of the 70's industrial laboratories that are now a thing of the past.

The main contribution of universities to UNIX itself was just exposing students to it. The work at Berkeley resulted in a lot of extremely useful code and tweaks to implementations, especially measured against the Sixth Edition, but in terms of real design ideas there is surprisingly little that I can really point to if you compare BSD to say, the Eighth Edition.

In fact, the only real revolution in ideas (at least, technical ones - social ideas being something else entirely) to affect UNIX itself that came from academia that I can think of came from Rick Rashid's work on Mach. And Mach's impact is, well... complicated and full of ironies, especially since it had such a big impact on Windows too.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Aug 10th, 2007 at 11:06am
Gee, I created a bit more of a controversy with a single “P.S.” parenthetical comment than was anticipated!

There is no legitimate place in this forum for inappropriate attacks, and - to the extent that MrMagoo perceived my “P.S.” as such - then I sincerely do apologize.  Certainly, I didn’t intend it personally - but I do understand that my “pithy” writing style could, unfortunately, be read that way.


* * * * * * * * * * * * * * *


To the substance of this thread, though, I must say that I have reviewed all of the posts that argue in favor of a security advantage of Linux - and, unless I am overlooking something - I still do not see any verifiable evidence referenced herein that would convincingly support the assertion that Linux is more secure than Windows.  Correspondingly, I also do not see any evidence that is sufficiently strong, in my opinion, to argue the opposite.  Therefore, from my perspective, the assertion that “Linux is more secure than Windows” as a general statement of fact is at least quite questionable.  As I have attempted to convey many times, whether that assertion is true or not seems to be indeterminate at this time, thus suggesting that a more modest and humble viewpoint by the Linux community is warranted.

One has to wonder:  If Linux is so “obviously” more secure than Windows, then shouldn’t there exist an overabundance of evidence to support this blatantly apparent fact?  Shouldn’t it be exceedingly easy to empirically demonstrate that superiority?  Shouldn’t that security advantage have practical consequences that are readily observable and quantifiable?

I myself wouldn’t use the word “arrogance” and “Linux” in the same sentence, but others are not so cautious (see Linux Supporters Arrogant?  You Be The Judge).  As I noted long ago in Reply #18:


Quote:
Under these conditions of uncertainty, the only thing that is certain is the uncertainty itself.  In other words, it is no longer tenable (in my opinion) to assert that “Linux is more secure than Windows” with a high level of confidence.  A more arguable position, I believe, is the moderate assertion that the “assumed security superiority of Linux over Windows is questionable.”

Uncertainty ought to beget humility.


* * * * * * * * * * * * * * *


Quote:
To be fair Pleo, this isn't really surprising and not unique to them.  Even quite serious and dedicated groups of people fall prey to reasoning errors like groupthink and confirmation bias, and that's without the kind of self-selection dynamics in communities like that around Linux (and there are several quite distinct communities - there is no one "the" Linux community).

Really, much of the "language wars" kind of thing that programmers tended to engage in is the same; people want to come up with post-facto "rational" justifications for decisions they have made for other reasons. That doesn't mean that they are necessarily wrong, or that their decisions are bad - emotion is, as I've said elsewhere, a useful part of our cognitive toolbox...

Yes, I do agree - the ex post facto approach to justifying one’s decision is not at all unique to users of Linux.  The underlying psychological mechanism is often cognitive dissonance, in which an individual modifies her or his perception of the world to match their beliefs.  If I may be so bold, I suspect that many Linux advocates hold the belief that "Linux is more secure than Windows” so deeply that any discussion that might cause them to question that belief is met with severe resistance and dissonance, hindering their ability to probe the issue objectively.

In the spirit of self-disclosure, I must admit that I too have fallen prey to the same problem on other topics at other times . . . .


* * * * * * * * * * * * * * *


Quote:
That's a little oversold, unless you were referring to the Stanford/MIT axis...

Yes, I had in mind the early influence of MIT and the University of California at Berkeley upon Unix.

In more general terms, the reference to academia was intended to simply highlight the fact that within institutes of higher education, almost any viewpoint is well tolerated and welcome - provided, however, that the advocate can politely defend the position with verifiable evidence.  Stating a personal or professional viewpoint may be “free speech” or "practical advice," but it doesn’t rise to the level that is expected in academic arguments.

Best wishes to all,
Pleonasm

:)

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Aug 10th, 2007 at 2:00pm
In fairness, some Linux advocates are open to the possibility that Linux may not be more secure than Windows.


Quote:
A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft produces more secure code than its open source rivals.

In an academic study due to be released next month Dr Richard Ford, from the Florida Institute of Technology, and Dr Herbert Thompson, from application security firm Security Innovation, analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.

"Vulnerability counts are much higher with Red Hat than with Microsoft," said Dr Ford. "I am a huge Linux fan, and I have a Linux server in my basement.  The first time I saw the statistics I thought someone had mucked about with my database."

The pair examined the number of vulnerabilities reported in both systems and the actual and average time it took to issue patches.  In all three cases Windows Server 2003 came out ahead, with an average of 30 "days of risk" between a vulnerability being identified and patched compared to 71 from Red Hat.
Source:  Linux fan concedes Microsoft is more secure

This research paper (while not beyond criticism) is just yet another example of what the Linux advocates need to “explain away” in order to maintain their belief that Linux is more secure than Windows.  Where are the corresponding empirical counter-examples that support the Linux point-of-view?  Why doesn’t someone from the Linux community update and replicate this study?

By the way, I personally hope that Linux succeeds in the marketplace, because competition is good - and Microsoft needs more of it.  The rivalry of products and ideas ultimately benefits all users.
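An added illustration, not part of any post in this thread or of the studies it cites: the sketch below computes a vulnerability count and mean "days of risk" (disclosure to patch) per product, and shows how the scoping choices argued over above change the result. Every record, product name, identifier and date is constructed, and the handling of unpatched issues (counted up to the end of the window) is an assumption of this example.

```python
from datetime import date
from statistics import mean

# Constructed sample data: products, identifiers, components and dates are
# invented for illustration and come from no report cited in the thread.
AS_OF = date(2007, 6, 30)  # end of the observation window (assumption)


def adv(product, vid, component, severity, disclosed, patched, default_install):
    return {"product": product, "id": vid, "component": component,
            "severity": severity, "disclosed": disclosed,
            "patched": patched, "default_install": default_install}


ADVISORIES = [
    adv("os-a", "EX-A-1", "kernel", "high", date(2007, 1, 10), date(2007, 2, 9), True),
    adv("os-a", "EX-A-2", "shell", "low", date(2007, 3, 1), date(2007, 3, 21), True),
    adv("os-a", "EX-A-3", "browser", "medium", date(2007, 5, 1), None, True),
    adv("os-b", "EX-B-1", "kernel", "high", date(2007, 1, 5), date(2007, 1, 19), True),
    adv("os-b", "EX-B-2", "database-server", "medium", date(2007, 2, 1), date(2007, 4, 2), False),
    # Same identifier listed again against a second package: counted once.
    adv("os-b", "EX-B-2", "database-client", "medium", date(2007, 2, 1), date(2007, 4, 2), False),
    adv("os-b", "EX-B-3", "image-editor", "low", date(2007, 3, 10), date(2007, 3, 20), False),
    adv("os-b", "EX-B-4", "libc", "high", date(2007, 4, 1), date(2007, 4, 11), True),
    adv("os-b", "EX-B-5", "browser", "medium", date(2007, 5, 15), date(2007, 6, 4), True),
]


def unique_by_id(records):
    """Keep the first record per (product, identifier) pair."""
    seen, out = set(), []
    for r in records:
        key = (r["product"], r["id"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def days_of_risk(record, as_of, count_unpatched=True):
    """Days from disclosure to patch; unpatched issues run to as_of or are skipped."""
    if record["patched"] is None:
        return (as_of - record["disclosed"]).days if count_unpatched else None
    return (record["patched"] - record["disclosed"]).days


def summarize(records, product, as_of, default_only=False, severity=None,
              count_unpatched=True):
    """Count unique vulnerabilities in scope and average their days of risk."""
    rows = [r for r in unique_by_id(records) if r["product"] == product]
    if default_only:  # the "reduced" component set
        rows = [r for r in rows if r["default_install"]]
    if severity is not None:
        rows = [r for r in rows if r["severity"] == severity]
    days = [d for r in rows
            if (d := days_of_risk(r, as_of, count_unpatched)) is not None]
    return {"count": len(rows),
            "mean_days_of_risk": round(mean(days), 1) if days else None}


if __name__ == "__main__":
    for label, kwargs in [("all components", {}),
                          ("default install only", {"default_only": True}),
                          ("high severity only", {"severity": "high"}),
                          ("unpatched excluded", {"count_unpatched": False})]:
        for product in ("os-a", "os-b"):
            print(f"{label:22} {product}: {summarize(ADVISORIES, product, AS_OF, **kwargs)}")
```

With this constructed data the product with more entries overall ties on count once the scope is narrowed to the default install, and the mean for the other product drops sharply if its unpatched issue is left out.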

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Aug 21st, 2007 at 11:45am
. . . And the data continue to show substantially higher quantities of vulnerabilities for Linux (see July 2007 - Operating System Vulnerability Scorecard).

The pattern holds whether the comparison is 2007 year-to-date, or May-July 2007 only, or when subdivided by low/medium/high levels of vulnerabilities, or whether only a ‘reduced Linux set’ is considered, or whether the comparison is for workstations versus servers.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Aug 28th, 2007 at 8:53am
Food for thought . . .


Quote:
The latest figures from consulting firms indicate that although Linux sales are growing by number of servers shipped with the operating system, the software is losing ground to Microsoft's Windows.

Microsoft picked up 2 percentage points, bringing its market share to 67.1% of servers shipped during the second quarter, according to data from Gartner.  Of 2.06 million servers shipped overall, nearly 1.4 million came preloaded with proprietary OS.  That works out to an extra 77,650 Microsoft-based servers sold during the quarter, year over year.

Linux accounted for 22.8% of server shipments, down from 23.1% the year before.  In spite of the lost ground in market share, strong sales of servers created a bigger pie for the slight growth of commercial Linux.
Source:  Microsoft Still Cleaning Up With Windows

Consider:  If Windows is less secure than Linux, and if the marketplace (increasingly) prefers the former over the latter, then the conclusion is that the marketplace does not value security highly when choosing an operating system.  Since this conclusion is patently ‘absurd,’ the premise must be questionable - right?

;)

Title: Re: Windows as Secure as Linux
Post by nbree on Aug 28th, 2007 at 4:22pm

Pleonasm wrote on Aug 28th, 2007 at 8:53am:
then the conclusion is that the marketplace does not value security highly when choosing an operating system.

An entirely reasonable hypothesis, and one I conjecture would survive any test you care to imagine.

An alternative intermediate hypothesis is that these people are in fact employing a correctly balanced, risk-weighted assessment of the economic and reputational cost of breaches, and are making rational decisions about it (which would not change the outcome much).

Discriminating the above hypotheses is hard, because most discussion of security avoids looking at the actual harm and the actual losses incurred, i.e. taking an actuarial approach. That's with good reason, of course - that means gathering some difficult-to-obtain numbers.

[ However, financial institutions almost certainly have/are refining precisely such actuarial models, since offering what is effectively insurance makes it important for them to develop such things. A fully developed loss insurance industry would be the next step. ]

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Sep 27th, 2007 at 12:03pm
According to the most recent six month period examined by Symantec, the patch development time (“period between the disclosure date of a vulnerability and the release date of an associated patch”) was lower for Windows than for Apple Mac OS X, Hewlett-Packard HP-UX, Red Hat Linux (including enterprise versions and Red Hat Fedora), and Sun Microsystems Solaris.

Details may be found in Symantec Internet Security Threat Report:  Trends for January–June 07 (page 54+).

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Oct 10th, 2007 at 2:29pm
More questions about the security advantages of Linux . . .


Quote:
When it comes to launching online attacks, criminals are getting more organised and branching out from the Windows operating system, says eBay's security chief.

eBay recently did an in-depth analysis of its threat situation, and while the company is not releasing the results of this analysis, it did uncover a huge number of hacked, botnet computers, said Dave Cullinane, eBay's chief information and security officer, speaking at a Microsoft-sponsored security symposium at Santa Clara University. ...

Last week eBay said data on 1,200 eBay members had probably been stolen via a phishing scam.  The members' data was posted to the company's Trust & Safety discussion forum.

Cullinane's experience with phishing goes back to his previous employer, Washington Mutual, which has been one of the top phishing targets in the US.

While there, he noticed an unusual trend when taking down phishing sites.

"The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling.  We expected Microsoft boxes," he said.

Rootkit software covers the tracks of the attackers and can be extremely difficult to detect.  According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected. ...

"We see a lot of Linux machines used in phishing," said Alfred Huger, vice president for Symantec Security Response.  "We see them as part of the command and control networks for botnets, but we rarely see them be the actual bots.  Botnets are almost uniformly Windows-based."

Since Linux machines can be used to more easily create specially crafted networking packets, they can be used in highly sophisticated online attacks, said Iftach Amit, director of security research with Finjan's malicious code research centre.

Capabilities like this make Linux machines highly coveted by online attackers, and they fetch a premium in the underground marketplace for compromised machines, Amit said.
Source:  eBay:  Phishers getting better organised, using Linux

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Nov 14th, 2007 at 12:50pm
Humorous insights into the psychological mind set of Red Hat Linux devotees . . .


Quote:
A few weeks after my July OS Vulnerability Scorecard posting, I was amused to see a posting about it on truthhhappens.redhatmagazine.com (click to see the post).  I can't even do it justice by paraphrasing, so here is the text:

    A Microsoft vulnerability report suggests that Microsoft wasn’t able to fix more Windows flaws than the number of open software flaws fixed by the major open source companies. Red Hat, having forty times less employees than Microsoft, did the best job, by fixing and closing the most security bugs, also closing even minor bugs - where Microsoft didn’t even fix one minor bug in the same period.
Seriously, I loved this post, it made me laugh out loud!  Fixing more security vulnerabilities is apparently a good thing in the world of Red Hat Truth.

Well, for those who actively support that theory, I have some fantastic news for them!  According to my calculations, in July 2007, the Red Hat Enterprise Linux 4 team fixed their 1000th unique security vulnerability.  Now, 164 of these were Low severity and 479 were Medium severity, but still, that is a ton of work accomplished by that team, especially given that the product only shipped in February of 2005.

To put that in context, (again by my calculations) Microsoft has fixed only 649 security vulnerabilities for all supported products across the company since the year 2000.
Source:  Red Hat Enterprise Linux 4 Passes 1000 Vulnerabilities

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Jan 24th, 2008 at 2:22pm
The Windows Vista One Year Vulnerability Report confirms the findings previously observed in similar 90-day and 6-month investigations:  Windows (XP or Vista) had significantly fewer vulnerabilities than “other operating systems such as Red Hat Enterprise Linux, Ubuntu, and Apple Mac OS X 10.4.”

To his credit, the author acknowledges that “one factor can’t measure the absolute ‘security’” of an operating system, but nonetheless the fact that it is “easier to mediate risk on a system that has 10 vulnerabilities in a year or one that has 100 vulnerabilities in a year” is commonsensical.

The author also addresses one of the often repeated criticisms of these analyses:


Quote:
Past analyses have been criticized saying that you don’t count issues that Microsoft finds internally and “silently” fixes, so comparisons are invalid. This is an interesting line of thinking to me. It is true that I don’t know if any vendors’ product updates address more security issues than is documented. There’s no way to know things that haven’t been discussed publicly.

For example, I have no idea how many security vulnerabilities were found by the Apple Quality Assurance team during the release of Leopard and were simply fixed. Further, I don’t know how many “bugs” were found and fixed without anyone, even on their team, knowing there might have been security implications if it had not been found. This is equally true for Linux distributions. I don’t know how many “bugs” fixed during the development process for rhel4 Update 5 might have had a security implication.

In terms of enumerating vulnerabilities though, there are specific examples that I can point to that indicate that silent fixes sometimes happen. Take CVE-2007-5959, for example. It is a single vulnerability identifier, but the description says “multiple unspecified vulnerabilities”. I would count that only a single time in my analyses though, since there is only a single CVE identifier. Similarly, CVE-2004-1057, says that “multiple drivers in Linux kernel” do not properly mark memory and enable a denial of service. I would only count this as a single issue in any analysis, though technically there are an additional number of vulnerabilities silently fixed. These products are getting the “benefit” of the issues that are not detailed in any analysis.

On the other hand, I can say that in Microsoft security updates, the MSRC policy is to document any internally found vulnerabilities that change the risk assessment or severity of an externally found vulnerability, or ones where the mitigations and workarounds listed don’t apply. So, by counting the issues that get publicly disclosed for products I’m using an identifiable set of vulnerabilities that have an increased risk for customers.

More generally, if a theoretical “silent fix” (in any product) actually is easily rediscoverable and is proven to be so for any vendor’s product, then it will join the publicly disclosed set of vulnerabilities in due course and can be measured as well.

Ultimately, I see the so-called “silent fixes” criticism to be a bit of a Red Herring that distracts readers from the core results of the analysis of publicly disclosed vulnerabilities.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Feb 8th, 2008 at 5:21pm
By way of background, readers of this thread may be interested in reviewing Linus Benedict Torvalds’s original forum post (October, 1991) announcing the creation of Linux.

He describes Linux as “a program for hackers by a hacker.”  It is ironic that Linux—believed by some to be the most secure operating system—was created “by a hacker” for others of the same ilk.  History is curious, is it not?

Of course, in those days, "hacker" didn't necessarily have the same negative implications as it does today, but...

:)

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Feb 8th, 2008 at 8:24pm
In the technical community, hacker does NOT mean someone who breaks into systems without authorization.  That is a cracker.  A hacker is someone who knows how a system works and can "hack" together a solution to nearly any problem.  It is a compliment, and that is how Linus meant it.

The media got a hold of the term and misused it, leading to its popular definition.  Technical people still use it to mean someone who can invent creative solutions to problems.  It has nothing to do with security, and trying to imply such shows the extent of your misunderstanding about Linux.

http://catb.org/~esr/faqs/hacker-howto.html#what_is
http://www.schneier.com/blog/archives/2006/09/what_is_a_hacke.html

hacker /n./
[originally, someone who makes furniture with an axe] 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
http://www.ccil.org/jargon/jargon_23.html#SEC30

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Feb 9th, 2008 at 2:17pm
MrMagoo, as I noted in Reply #66, the interpretation of the term “hacker” has certainly evolved over time.  Nonetheless, as the cited Wikipedia article documents, “By 1983, hacking in the sense of breaking computer security had already been in use as computer jargon.”  Thus, the negative connotation of the term was already part of the public lexicon eight years before Linux was announced.

Am I suggesting that Linus Torvalds is involved in, supports, or condones “breaking computer security”?  Of course not.  His description of the Linux audience as “hackers” is just an interesting (and somewhat humorous) historical tidbit, in light of the emphasis that some attribute to Linux security.  It's nothing more than that, my friend.

;)

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Feb 9th, 2008 at 4:20pm
Well, Linus meant 'hacker' to mean someone who enjoys solving problems using computers, and still often uses the term in that way, so I don't see any connection to our discussion on security.

Title: Re: Windows as Secure as Linux
Post by Pleonasm on Feb 9th, 2008 at 5:18pm
MrMagoo, I accept your interpretation of Torvalds’ use of the word “hacker.”  It actually does make sense to me, especially if he is still using the term in its original connotation.

Perhaps it is just a reflection of my own wry sense of humor, but I found the historical connection of “Linux” to “hacker” surprising.  Surely, Torvalds must have been aware of the evolving commonplace and negative understanding of the term at the time, even though it may not have corresponded to his own interpretation.  If I were creating a new software product—even today—and hoped for it to be widely adopted among consumers and businesses, I certainly wouldn’t “advertise” it as a tool “by a hacker for hackers.”  Very bad marketing, at a minimum (!).

Best wishes,
Pleonasm

Title: Re: Windows as Secure as Linux
Post by Rad on Feb 9th, 2008 at 7:14pm
Great thread, gentlemen.

You might consider continuing your debate in a NEW thread .. (include a link to it at the end of this one, and vice-versa).

From my recent forum upgrade fiasco, it seems all text from each thread goes into a *single* text file (*.txt), despite each thread appearing to be separated into numerous pages (5, in the case of this thread).

For whatever reason, I noticed the server seems to have problems with text files which approach 100-KB.

I just don't want you to lose another.

Memorable quote:  


Quote:
Any thread Pleo joins is likely to see 5 pages


How true. :)

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Feb 9th, 2008 at 8:47pm
Good point.  It seems this thread may go on for a while...  I'll split it into a new thread.

Title: Re: Windows as Secure as Linux
Post by MrMagoo on Feb 9th, 2008 at 9:17pm
This thread is continued at this link:

http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1202611835

Title: Re: Windows as Secure as Linux
Post by Rad on Feb 10th, 2008 at 9:42am
Test.
