MrMagoo, note that the “days-of-risk” metric captures the duration of the risk, not whether the risk (vulnerability) actually materialized into a problem (exploit).  I believe you are arguing that more vulnerabilities become transformed into exploits for Windows than for Linux, despite the fact that there are more “days-of-risk” for the latter than the former.  The difficulty, however, is that data are in contradiction to such an assertion.  See the first post in this thread for evidence that regarding “OS vulnerabilities only, Unix, Linux, Mac OS X, and Windows all had about the same amount of exploits, with Windows actually being slightly lower.”

Taking “the opposing point of view with a grain of salt due to the limited insight available to someone who has no idea how Linux works” does not appear to be applicable to Jeff Jones, the researcher who authored the “days-of-risk” analysis.  His biography is impressive, and - as you will note - is clearly someone who has quite a bit of knowledge about how Linux works:

Quote:
Source:  Jeff Jones Security Blog

I sincerely do not intend to be offensive, but your experience with Linux - whether good or bad - only represents a sample size of N=1.  It is not wise to extrapolate from your experience (or mine) to a more general conclusion about the security of Linux versus Windows.  Exploring this issue requires that one have visibility to a larger perspective.  I am confident you will agree that examining “days-of-risk” (or number of vulnerabilities/exploits) across operating systems over a period of years in a systematic manner is far more compelling and carries far more weight in a thoughtful investigation of the issue than the opinion of a single individual based upon her/his own limited experience.

Please do not interpret my comments negatively.  I am simply saying that well-founded and extensive research is much more meaningful than the opinion of any one person (including the opinion of me).  For example, “Mr. Smith” might be absolutely satisfied with his Ford vehicle, but that one experience does not change the truth of the assertion that Ford vehicles are of lower quality than those of Toyota, as demonstrated by independent marketplace research.

Is Linux more secure than Windows?  At the very least, the research referenced in this thread ought to cast considerable doubt on this commonly held perspective.  Time will, no doubt, clarify the case further.

Thank you for continuing to add your viewpoint into this thread.

@Pleonasm

IF your windows is just as secure or whatever you seem to believe.. then I challenge you to the following:

1) install a default Win XP Pro OR Home - No add-on software just a default install and hook it up to the network, do the EXACT same for linux, any distro, you have MULTITUDES of distro's to prove me wrong on.
2) leave both boxen directly connected UNFIREWALLED/UNVIRUS PROTECTED for 30 days.
3) Come back and lets see what box got owned first.
4) actually do it.
5) dont reply to me with some circle talk, just do it.

I on the other hand run the following:
- Arch Linux - Main Desktop
  Windows XP on another Small partition on my Main Desktop for gaming only.
- Red Hat Enterprise Linux 5 on the following:
  4 Identical 500mhz boxen running various services such as DNS(DDNS),DHCP,Sendmail,     LDAP and a few others.
- Red Hat Enterprise Linux 5 on my OPERATIONS BOX, runs my website via Apache 2.2 w/ssl, vsftpd w/ssl, master LDAP directory, and a few other services.
- OpenBSD thin client I put together running on a Mini-itx 800mhz board, installed on a 512mb CF Card (only uses 250mb, lets see windows do that), this system is my firewall, has 3 NIC's and filters my network and also connects my network to another network so we can be awsome at computers....together.
- 1 win2k3 box (does absolutely nothing at the moment cuz i can accomplish everything I need on my linux servers,tho it does seem to churn its HDD .... ALL THE TIME... wtf is it doing? ... )
- 1 WinXP Pro Laptop - Cuz i wanna game remotely somtimes, GAMING ONLY no web browsing.
- 1 Red Hat Enterprise Linux 5 Laptop: This is my Installation server/testing box for new services im studying. Runs DHCP, TFTP, and NFS for Remote PXE installation to my servers on demand. All i have to do is turn on a new box on the network.. and come back in 30 mins and login to the new box, windows can do that right?

and various other linux boxen.

The reason i listed those is:
1) my windows XP laptop for gaming... had to be reimaged.. now for the 4th time... in 1.5 months, this box is only used for C&C Generals... has Windows Firewall ON, and is used.. maybe MAYBE 2 times a week for a 1-2 Hour C&C Generals Gaming. How did this box get spyware/virus' ??? Why did it suddenly grind to a halt after only a little bit of use? It was running Arch Linux but after a year of not getting to game on it, i installed WinXP.

2) my Main Desktop' windows XP partition needs a re-install as well, though i admit.. i have surfed a site or two while waiting for my buddy to start C&C Generals up. WTF?

3) you get the point im making with the windows boxen.

4) ... this may come as a surprise to you, but, (everyone wait for it.. wait for it.... wait... ) I havnt had a single attack/virus/spyware/system malfunction.. on any.. ANY, of my linux boxen.. (of course im just lieing im sure.. :rolls eyes:   )  also i might add that im a bad linux admin, i dont run firewalls on any linux box except my OpenBSD FIREWALL box but thats kinda implied, no A/V, hell, i dont even set root passwd's half the time.. why? cuz who's gonna get in? , Oh and check this out.. can windows do this?

[root@opsbox ~]# uptime
13:43:25 up 53 days, 38 min,  2 users,  load average: 0.00, 0.00, 0.00

Thats when it completed its first boot after its PXE install ( obviously i cant prove this )
youll note that the load average is quite low, this is due to the following:

httpd running
vsftpd running
NFS mounts being used to share out my awsome "Friends" episodes

I could go on.. but you probably stopped reading by now.. and if not.. ill remind you of the challenge that i foresee NOT happening:

1) install a default Win XP Pro OR Home - No add-on software just a default install and hook it up to the network, do the EXACT same for linux, any distro, you have MULTITUDES of distro's to prove me wrong on.
2) leave both boxen directly connected UNFIREWALLED/UNVIRUS PROTECTED for 30 days.
3) Come back and lets see what box got owned first.
4) actually do it.
5) dont reply to me with some circle talk, just do it.


DO IT!

init 0

Pleonasm wrote on Jun 23^rd, 2007 at 3:54pm:
That's really the only way Windows vulernabilities can be found.  MS only has so many people they can pay to work on security - and most of the stay busy *fixing* issues and don't have much time for looking for them.  No one else has access to the source code, so decompiling it is the only option.  Decompiling code is time intensive, so only people who have a LOT to gain by finding holes do it - and this mostly means industrial hackers, spyware writers, ect...

Pleonasm wrote on Jun 23^rd, 2007 at 3:54pm:
I'm not saying anyone's opinion matters.  I'm saying without experience it is difficult to interpret and discuss the results of studies like this.  As far as any trend you think you are seeing, I could find just as much information contradictory to the studies you are posting as you have found supporting it.  It just depends on what you look for. 

I don't think assigning a number to the probability that Linux is more secure is nearly as scientific as it sounds.  My overall point is that I feel that the design of the OS and the control the administrator has in Linux makes it much more secure, and none of the studies you have shown here have had an impact on that.  There are things in windows (like administrative shares, where any Windows computer with Windows file sharing turned on shares the root of all hard drives - other Windows computers can't access those shares but Linux computers can read and write to your hole drive!...) that are major design flaws.  Linux is much more modular, and provides an administrator complete control over every line of code in the system.  Microsoft tries to decide what is best for every user and they can't get it right all the time.  Vista seems to be only an incremental improvement in security design, and I think only a major security philosophy change at MS will ever bring it up to the level that Linux is already at.

Pleonasm wrote on Jun 24^th, 2007 at 9:37am:
No, the kernel developers don't spend much time looking for vulnerabilities, but since it is open source, many other people who are willing to volunteer their time to Linux can and do spend a significant amount of time on it.  This is how Linux has been built - by the community for the community.

Pleonasm wrote on Jun 24^th, 2007 at 9:37am:
No, it is not a subjective assessment at all.  A better designed braking system (like ABS vs standard brakes, for example) and the option for the driver to choose several different steering modes (one for high speeds, one for traffic, etc.) could give a car an edge in safety.  It's the same with Linux.  The superior permissions system, along with the option to choose to disable or enable modules as you need them or as your security threat dictates gives Linux an edge in security.  There are services in Windows (such as the administrative shares I mentioned earlier) that cannot be disabled that either are security loopholes or could be at some time that cannot be disabled by the computer administrator. 

As far as providing the links to surveys you have requested, I have provided a few earlier in this thread.  Anyone who wants more could start with Google.  I don't think I could change your mind with a thousand links, and all of your links have been unsuccessful in changing mine.  I don't feel you and I going tit-for-tat with every survey we can find would be productive right now.  Instead, I encourage any reader of this thread who does have an open mind about this issue to do their own research, become throughly familiar with both OS's, and make their own well-informed decision.

A thoughtful, empirical and independent study from Purdue University says . . .

Quote:
Source:  Vulnerabilities and Patches of Open Source Software:  An Empirical Study

Greetings, MrMagoo.  I too like the fact that the Purdue study demonstrates a slight advantage for open-source operating systems - it suggests that the authors are really being “fair.”  It is good to note, though, that the research found a “lack of statistical significance on several measures,” meaning that the observed advantage for open source is not reliably different than what one would expect on the basis of chance.

I wouldn’t use the Purdue study to argue that Windows is more secure than Linux (or the opposite), but it might cause a thoughtful reader to at least question the merit of adopting an unwavering “Linux is more secure than Windows” position.

Red Hat actually achieved the same EAL4 rating a long time ago.  What everyone is excited about is that this rating also included the Labeled Security Protection Profile.  From the article:

Linux had already been certified at the EAL4 level, but this is the first time that the operating system has received the Labeled Security Protection Profile (LSPP) certification, which relates to its access-control features.

SE Linux was developed by Red Hat for Linux by request of the NSA.  About 5 years ago, no operating system met their criteria for security and user permissions.  They approached Red Hat about the issue, and Red Hat developed SE Linux to meet the NSA's needs.  So, while Windows does have an EAL4 rating, Red Hat with SE Linux is the only thing the NSA will use for their own most sensitive systems. 

This is why whenever someone shows me a study about how Windows or some other operating system is better secured than Red Hat, my first questions is always "Was SE Linux turned on for the Red Hat systems studied?"  The answer is "no" about 10% of the time and "The study didn't mention that" the other 90%.  Its almost like me turning my Windows firewall off and then doing a study about how fast someone can hack into the machine.