Security comparison between Microsoft and Linux

Discussion in 'Computer Security' started by Peter James, Dec 19, 2003.

  1. Peter James

    Peter James Guest

    Some of the postings I read on this NG curdle my blood. What with
    Virii, Trojans, Security lapses etc, etc.
    So how secure is a good Linux distribution compared with Windows XP
    that I am using now.
    I do have a second HD running Suse, but it is very difficult to come
    to terms with. MS on the other hand is a comparative doddle, but
    secure....?
    I am not trolling in order to start a flame war, just a concerned user
    who is worried at some to the threats that are out there and waiting.
    --

    Peter James
    Change AT to @ to reply
    Peter James, Dec 19, 2003
    #1
    1. Advertising

  2. Peter James

    Bit Twister Guest

    On Fri, 19 Dec 2003 20:23:17 +0000, Peter James wrote:
    >
    > I do have a second HD running Suse, but it is very difficult to come
    > to terms with. MS on the other hand is a comparative doddle, but
    > secure....?


    How can MS be secure with ~70 new viruses a week.
    For their lastest vulnerability protection read how to protect yourself.
    http://support.microsoft.com/?id=833786
    They have known about the problem for more than a few weeks.
    Bit Twister, Dec 19, 2003
    #2
    1. Advertising

  3. "Peter James" <> wrote in message
    news:...
    > Some of the postings I read on this NG curdle my blood. What with
    > Virii, Trojans, Security lapses etc, etc.
    > So how secure is a good Linux distribution compared with Windows XP
    > that I am using now.
    > I do have a second HD running Suse, but it is very difficult to come
    > to terms with. MS on the other hand is a comparative doddle, but
    > secure....?
    > I am not trolling in order to start a flame war, just a concerned user
    > who is worried at some to the threats that are out there and waiting.


    Both have traditionally been insecure out-of-the-box. Both are trying to
    make amends with a firewall being automatically activated as part of
    installation.

    The main problem seems to be (IMHO) down to two things - firstly, you don't
    generally tend to get complete novices setting-up Linux boxes; Windows, you
    do. Secondly (and much more importantly) the array of apps that you get with
    Windows (e.g. Outlook Express) have lots of (usually) useless bells &
    whistles. With vulnerabilities or potential exploits.

    Like Linux, these can be configured out. Unlike Linux, we're back to that
    wetware issue.

    If you're competent, you can set-up either to be more-of-less equally secure
    (I'll neatly sidestep IIS on this one - excellent Intranet server, but I'll
    generally take something with less bells and whistles for Internet
    deployment).

    Windows Update seems to be a helluva lot more reliable than the Red Hat
    version - can't answer for other distros (not that I've heard of one with a
    similar service..). OTOH, with so many vulnerabilities coming out on Windows
    (generally for the apps), it had damn well better be!

    With a decent firewall (separate box, almost certainly *nix-based) and a
    sensible attitude, you shouldn't go far wrong with either.

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
    Hairy One Kenobi, Dec 19, 2003
    #3
  4. Please realize that there is NO such terminology as 'virii'. The term is viruses.
    Please read the following URL which explains the concept far better than I could ever do so.

    http://www.perl.com/language/misc/virus.html

    Dave



    "Peter James" <> wrote in message
    news:...
    | Some of the postings I read on this NG curdle my blood. What with
    | Virii, Trojans, Security lapses etc, etc.
    | So how secure is a good Linux distribution compared with Windows XP
    | that I am using now.
    | I do have a second HD running Suse, but it is very difficult to come
    | to terms with. MS on the other hand is a comparative doddle, but
    | secure....?
    | I am not trolling in order to start a flame war, just a concerned user
    | who is worried at some to the threats that are out there and waiting.
    | --
    |
    | Peter James
    | Change AT to @ to reply
    David H. Lipman, Dec 19, 2003
    #4
  5. Peter James

    Anonymous Guest

    On Fri, 19 Dec 2003, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
    >Please realize that there is NO such terminology as 'virii'. The term is
    >viruses.
    >Please read the following URL which explains the concept far better than I
    >could ever do so.
    >
    >http://www.perl.com/language/misc/virus.html
    >
    >Dave


    Wow, that really answers the posters question. You have perfectly explained
    the topic of Security comparison between Microsoft and Linux with your
    succinct response.

    -=-
    This message was posted via two or more anonymous remailing services.
    Anonymous, Dec 21, 2003
    #5
  6. Who said I wanted to, they both have tons of flaws. I provided the information that I
    wanted to. And your statement to me does nothing at all for the OP.

    Dave
    David H. Lipman, Dec 21, 2003
    #6
  7. Peter James

    sponge Guest

    On Fri, 19 Dec 2003 20:23:17 +0000, Peter James
    <> wrote:

    >Some of the postings I read on this NG curdle my blood. What with
    >Virii, Trojans, Security lapses etc, etc.
    >So how secure is a good Linux distribution compared with Windows XP
    >that I am using now.
    >I do have a second HD running Suse, but it is very difficult to come
    >to terms with. MS on the other hand is a comparative doddle, but
    >secure....?
    >I am not trolling in order to start a flame war, just a concerned

    user
    >who is worried at some to the threats that are out there and waiting.
    >--
    >
    >Peter James
    >Change AT to @ to reply


    I guess my first reply didn't show up, so here goes again...

    It's hard to answer that without knowing the intended use of the OS.
    Is it as a client, a server, or sometimes both? If a server, what is
    it running, what is it attached to or what services does it use...?

    Both OS', themselves, are reasonably secure, and the BSD Unix',
    particularly OpenBSD, are probably the most secure OS' available. As a
    pen-tester -- as an outsider trying to get in -- I find it easier to
    get into Unix and Linux systems than Windows. However, the popular and
    default applications for Windows are definitely the weakest link, and
    are the reason why Windows, when all is said and done, is undeniably
    less secure than Linux or Unix. Windows' RPC problems tend to be more
    severe too.

    As long as you avoid using IE, except perhaps for Windows Update,
    Outlook, and Windows Media Player, you can be reasonably safe in
    Windows. Also, avoid running applications as servers if you are
    running as a client unless you need to. The reason most Microsoft
    boxes get owned is because the user visits a website or opens an email
    which contains malware that takes advantage some particular flaw or a
    combination of them. Other OS' tend to be less prone to such flaws
    because their manufacturers actually put some thought into the
    security implications of each new feature before giving them a go.

    Of course, as long as you disable all but absolutely necessary
    services in Linux or Unix, you will (all else being equal) be a bit
    more secure in Linux or Unix. The key thing here is to disable
    unnecessary services, like sendmail or SWAT.

    That's the key, vital, ever-so-important point: All else being equal,
    any major OS can be as safe as long as the user and administrator
    harden it enough by removing unnecessary features, and as long as the
    user uses some basic tools and some good sense ("safe hex"). A golden
    rule in the security business is that "feature = potential exploit".
    This is especially true where MS products are concerned, as, again, MS
    doesn't pay a whit of attention to security risks of each new
    "feature".

    Sponge
    Sponge's Secure Solutions
    www.geocities.com/yosponge
    My new email: yosponge2 att yahoo dott com
    sponge, Dec 21, 2003
    #7
  8. Peter James

    Peter James Guest

    On Fri, 19 Dec 2003 20:23:17 +0000, Peter James
    <> wrote:

    >Some of the postings I read on this NG curdle my blood. What with
    >Virii, Trojans, Security lapses etc, etc.
    >So how secure is a good Linux distribution compared with Windows XP
    >that I am using now.
    >snipped

    Many thanks for all of the replies. I've learned a lot, not least the
    etymology of the noun "virus". Just like going back to my schooldays.
    "Now James, decline virus". "Yes sir, virus, virrii, viruses". Oh
    happy days.
    --

    Peter James
    Change AT to @ to reply
    Peter James, Dec 21, 2003
    #8
  9. Peter James

    James H. Fox Guest

    sponge wrote:
    >> Of course, as long as you disable all but absolutely necessary

    > services in Linux or Unix, you will (all else being equal) be a bit
    > more secure in Linux or Unix. The key thing here is to disable
    > unnecessary services, like sendmail or SWAT.
    >
    > That's the key, vital, ever-so-important point: All else being equal,
    > any major OS can be as safe as long as the user and administrator
    > harden it enough by removing unnecessary features, and as long as the
    > user uses some basic tools and some good sense ("safe hex"). A golden
    > rule in the security business is that "feature = potential exploit".
    > This is especially true where MS products are concerned, as, again, MS
    > doesn't pay a whit of attention to security risks of each new
    > "feature".
    >

    My limited knowledge of Linux suggests that you can install most programs
    with only "user" rights (if that is the right terminology). That is, you
    don't need root access for most purposes. This is nice for protecting the
    root files and those of other users, but it is not good news for preventing
    trojans and worms from installing, whenever the hackers get around to
    producing them. On the other hand, Win2K or WinXP in a "user" account seems
    to be quite secure; I don't think anything can install without your knowing
    about it. Maybe Linux can be made just as secure, but I have not found the
    way.
    James H. Fox, Dec 21, 2003
    #9
  10. Peter James

    sponge Guest

    On Sun, 21 Dec 2003 12:49:04 -0500, "James H. Fox"
    <foxjh_NOMAILSPAM_AT_rcn.com> wrote:

    >sponge wrote:
    >>> Of course, as long as you disable all but absolutely necessary

    >> services in Linux or Unix, you will (all else being equal) be a bit
    >> more secure in Linux or Unix. The key thing here is to disable
    >> unnecessary services, like sendmail or SWAT.
    >>
    >> That's the key, vital, ever-so-important point: All else being

    equal,
    >> any major OS can be as safe as long as the user and administrator
    >> harden it enough by removing unnecessary features, and as long as

    the
    >> user uses some basic tools and some good sense ("safe hex"). A

    golden
    >> rule in the security business is that "feature = potential

    exploit".
    >> This is especially true where MS products are concerned, as, again,

    MS
    >> doesn't pay a whit of attention to security risks of each new
    >> "feature".
    >>

    >My limited knowledge of Linux suggests that you can install most

    programs
    >with only "user" rights (if that is the right terminology). That is,

    you
    >don't need root access for most purposes. This is nice for

    protecting the
    >root files and those of other users, but it is not good news for

    preventing
    >trojans and worms from installing, whenever the hackers get around to
    >producing them. On the other hand, Win2K or WinXP in a "user"

    account seems
    >to be quite secure; I don't think anything can install without your

    knowing
    >about it. Maybe Linux can be made just as secure, but I have not

    found the
    >way.


    Unix/Linux and Windows are very similar in this regard. Yes, you can
    (and should) run as a user rather than as root in any *nix-type
    system, and can modify the application permissions so that users
    (people from groups other than an applications "owner" or "root) can
    have read, write, or execute permissions. This is key to proper
    security. You can do something vaguely similar on Win2k and XP -- run
    as a user, not as "admin", although you do not have the degree of
    control you do on *nix. This is one reason why *nix is theoretically
    more secure. In practice, though, there are so many files and items on
    a Unix or Linux system (and scattered rather haphazardly about the
    system no less), I've found that few administrators set proper
    permissions all or even most of them.

    Sponge
    Sponge's Secure Solutions
    www.geocities.com/yosponge
    My new email: yosponge2 att yahoo dott com
    sponge, Dec 21, 2003
    #10
  11. Peter James

    James H. Fox Guest

    sponge wrote:
    > Unix/Linux and Windows are very similar in this regard. Yes, you can
    > (and should) run as a user rather than as root in any *nix-type
    > system, and can modify the application permissions so that users
    > (people from groups other than an applications "owner" or "root) can
    > have read, write, or execute permissions. This is key to proper
    > security. You can do something vaguely similar on Win2k and XP -- run
    > as a user, not as "admin", although you do not have the degree of
    > control you do on *nix. This is one reason why *nix is theoretically
    > more secure. In practice, though, there are so many files and items on
    > a Unix or Linux system (and scattered rather haphazardly about the
    > system no less), I've found that few administrators set proper
    > permissions all or even most of them.
    >

    You can change file permissions in Win2K and WinXP also, and in fact I have
    to do that frequently to get programs to run properly in a User account
    after installing them as Administrator. By default the installed folders
    are usually set too secure; that is, they will not have the proper
    permissions to run in a User account. Surprisingly, many Windows
    programmers appear to not have a clue about User (non-administrative)
    accounts.
    James H. Fox, Dec 21, 2003
    #11
  12. "James H. Fox" <foxjh_NOMAILSPAM_AT_rcn.com> wrote in message
    news:3fe62782$0$4744$...
    > sponge wrote:
    > > Unix/Linux and Windows are very similar in this regard. Yes, you can
    > > (and should) run as a user rather than as root in any *nix-type
    > > system, and can modify the application permissions so that users
    > > (people from groups other than an applications "owner" or "root) can
    > > have read, write, or execute permissions. This is key to proper
    > > security. You can do something vaguely similar on Win2k and XP -- run
    > > as a user, not as "admin", although you do not have the degree of
    > > control you do on *nix. This is one reason why *nix is theoretically
    > > more secure. In practice, though, there are so many files and items on
    > > a Unix or Linux system (and scattered rather haphazardly about the
    > > system no less), I've found that few administrators set proper
    > > permissions all or even most of them.
    > >

    > You can change file permissions in Win2K and WinXP also, and in fact I

    have
    > to do that frequently to get programs to run properly in a User account
    > after installing them as Administrator. By default the installed folders
    > are usually set too secure; that is, they will not have the proper
    > permissions to run in a User account. Surprisingly, many Windows
    > programmers appear to not have a clue about User (non-administrative)
    > accounts.


    Poor programming technique, bought with them from Win9x.

    NT's /always/ had more granular security, but only M$ seem to use it..
    leaving a car unlocked with the keys is the ignition is not, IMHO,
    equivalent to claiming that the car's alarm doesn't work.

    Still nowhere near Dave Cutler's previous effort in that regard, though
    (VMS). Lots more granularity than an on/off switch for root.. mind you, it's
    much harder to leave a "hole" in something so simple.

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
    Hairy One Kenobi, Dec 22, 2003
    #12
  13. Peter James wrote:
    > Some of the postings I read on this NG curdle my blood. What with
    > Virii, Trojans, Security lapses etc, etc.
    > So how secure is a good Linux distribution compared with Windows XP
    > that I am using now.
    > I do have a second HD running Suse, but it is very difficult to come
    > to terms with. MS on the other hand is a comparative doddle, but
    > secure....?
    > I am not trolling in order to start a flame war, just a concerned user
    > who is worried at some to the threats that are out there and waiting.



    First, I'd like to say that I've run _both_ Win and Linux as both
    desktop and Internet servers.

    The way I see it is this: those that are able to run Linux, run Linux.
    Could the average computer user setup my Slackware 9.1 that I'm using
    now? Doubtful. Are you familar with what happens to initiat a ppp link?
    (No, I don't mean clicking "connect") Are they using CHAP or not? Know
    your ISP's DNS server's IP's? Their NNTP? Are you going to use their
    SMTP or Sendmail? Fetchmail & procmail or setup a POP3 server? Remember
    what /dev your HD is ? Is it /dev/hde, /dev/hde1, /dev/hdc, or
    /dev/hda2? Modem? Symlinked to what serial? What's in your fstab/mtab?
    You OK with recompiling your kernel from C sources, mv bzImage /boot; ln
    -s /boot/bzImage vmlinuz ? What's the exact specs for your monitor? Too
    high and the xserver'll fry it. Can you write out the XF86Config?
    Linux comes from Unix. Unix is for Edu's, students studying CS,
    developers and such. It was made by techies for techies, to stay running
    long-term, such as a server. Windows is a commercial desktop system
    with the 1# goal of ease of use. Generally the people that rally behind
    Windows have, 1) Never had any real time using Linux ( > 3 weeks) or 2)
    Afraid of it, as an OS that does take some time to learn, especially if
    you have no Unix knowlege.
    But security? Hands down, Linux. In all but the most recent versions of
    Windows, anyone can write all over anything at anytime. To contrast, I
    could give any of you a user account on my system, you could go
    absolutely nuts, try to damage the system as much as possible, and it
    wouldn't even be scratched. Linux was designed from the ground up to be
    a secure, multi-user, multi-tasking OS functioning in a server
    environment. Remember Windows 3.1? It was little more than a DOS shell.
    I used it then. I switched to Linux several months ago after taking all
    I could from Micro$oft. My Windows Os was constantly at the mercy of
    each new virus and exploit out. I ran Anti-viruses, looked for Spyware,
    looked for trojan's, wondered what the hell those odd files where doing
    in my Windows folder. And the registry? Who can decode that thing? I
    tried to use Windows to run these services: httpd, ftpd, smtp, telnetd.
    If the webserver was being accessed , forget it. You waited. Or the
    thing locked. Reboot time. That's not secure. There are thousands upon
    thousands of viruses for Windows. That's not secure. Look at the recent
    Swen Virus... is that an example of secure? SoBigF? Is that secure? Now,
    tell me which major threat jepordized Linux this year, that wasn't fixed
    instantly, or within hours of discovery. Linux is open source. You see
    the code. Compile your own Apps. Know _exactly_ what is going on your
    system. That's secure. Check each and every single line of code with
    your own eyes. It's all there for you to look over, if you so choose.
    Not hidden behind some legal mumbo-jumbo 30 page license like Windows
    is. That's secure. Someone said Linux is trying to make up for poor
    security by now including firewalls by default- this is plain not true.
    Mine came with several pre-made iptables scripts (read: firewall, on
    Linux), in /etc/ppp. As far as I can tell, Linux has been shipping with
    iptables, and before that ipchains since way, way back. Linux is
    commonly configured as a firewall or proxy for other computers on a
    network, I wouldn't dare try that with Windows. And let's face it-
    spyware simply doesn't exist on Linux. It doesn't. And, while there are
    several dozen binary viruses, they have such a hard time as to not be
    effective at all. At worst, they will kill only the user's files that
    runs them. Windows Update? That's the worst! Once, I downloaded one of
    their "critical" updates - screwed my system so bad, I couldn't boot
    anything but "safemode", if I was lucky. That's not secure.
    I'm currently running Linux as an Internet server, serving http
    (Apache), ftp (Proftpd), smtp(Sendmail), pop3(Gnu), sshd(Openssh),
    mysql(MySQL), silcd(like irc), uucp, bsd ntalk, nessusd and X11. All on
    the same hardware, now viable with Linux, that once struggled to keep
    Windows afloat, up 24x7, with myself and several other users. I've had
    lots of worm probes, portscans, exploit attempts, bruteforce attempts,
    and plain out script kiddy BS come my way. The only time this system
    goes down is when I issue %shutdown -h now. That's secure.


    --
    jayjwa
    @micro$oft.com, Dec 23, 2003
    #13
  14. Peter James

    Rowdy Yates Guest

    I was happily strolling along my merry little way in alt.computer.security,
    when I looked down and saw a little note from Peter James on Fri 19 Dec 2003
    03:23:17p who wrote:

    > Some of the postings I read on this NG curdle my blood. What with
    > Virii, Trojans, Security lapses etc, etc.
    > So how secure is a good Linux distribution compared with Windows XP
    > that I am using now.
    > I do have a second HD running Suse, but it is very difficult to come
    > to terms with. MS on the other hand is a comparative doddle, but
    > secure....?
    > I am not trolling in order to start a flame war, just a concerned user
    > who is worried at some to the threats that are out there and waiting.


    NOTHING IS SECURE OUT OF THE BOX. Patch it. Lock it down. Apply ACL, DAC
    properly. This will help it be more secure.

    SUSE is a lovely OS! Just connect it to the internet and do the automatic
    updates just like you would on your MS XP box.

    With MS XP, disable remote desktop, terminal services, IIS, FTP. unless you
    are using them of course. Make patching your MS box a higher priority
    naturally. Run updated anti virus with real time & email scanning as well.



    :)

    --
    Rowdy Yates
    MCSE, Security+
    (working on a CISSP and lovin' it!)
    Rowdy Yates, Dec 23, 2003
    #14
  15. Peter James

    Rowdy Yates Guest

    I was happily strolling along my merry little way in
    alt.computer.security, when I looked down and saw a little note from Rowdy
    Yates on Mon 22 Dec 2003 10:17:07p who wrote:

    > I was happily strolling along my merry little way in
    > alt.computer.security, when I looked down and saw a little note from
    > Peter James on Fri 19 Dec 2003 03:23:17p who wrote:
    >
    >> Some of the postings I read on this NG curdle my blood. What with
    >> Virii, Trojans, Security lapses etc, etc.
    >> So how secure is a good Linux distribution compared with Windows XP
    >> that I am using now.
    >> I do have a second HD running Suse, but it is very difficult to come
    >> to terms with. MS on the other hand is a comparative doddle, but
    >> secure....?
    >> I am not trolling in order to start a flame war, just a concerned user
    >> who is worried at some to the threats that are out there and waiting.

    >
    > NOTHING IS SECURE OUT OF THE BOX. Patch it. Lock it down. Apply ACL, DAC
    > properly. This will help it be more secure.
    >
    > SUSE is a lovely OS! Just connect it to the internet and do the
    > automatic updates just like you would on your MS XP box.
    >
    > With MS XP, disable remote desktop, terminal services, IIS, FTP. unless
    > you are using them of course. Make patching your MS box a higher
    > priority naturally. Run updated anti virus with real time & email
    > scanning as well.
    >
    >
    >
    >:)
    >


    here's a link that you might like.

    Is Linux Really More Secure Than Windows?
    October 1, 2003
    By Sharon Gaudin
    http://itmanagement.earthweb.com/secu/article.php/3086051

    cheers,




    --
    Rowdy Yates
    MCSE, Security+
    I am Against-TCPA
    http://www.againsttcpa.com
    Rowdy Yates, Dec 23, 2003
    #15
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Eigenvector

    Shot speed and a comparison between digital and film

    Eigenvector, Sep 23, 2003, in forum: Digital Photography
    Replies:
    6
    Views:
    540
    Michael Meissner
    Sep 25, 2003
  2. Howard Tam

    Comparison between Minolta A1 and Fuji S7000Z

    Howard Tam, Oct 29, 2003, in forum: Digital Photography
    Replies:
    5
    Views:
    598
    Howard Tam
    Oct 31, 2003
  3. Jamie Pollard
    Replies:
    1
    Views:
    1,841
  4. rapee
    Replies:
    0
    Views:
    718
    rapee
    Mar 14, 2008
  5. Lawrence D'Oliveiro
    Replies:
    6
    Views:
    370
    Sweetpea
    Jul 2, 2010
Loading...

Share This Page