Study finds Windows more secure than Linux


BWF89
February 20th, 2005, 01:10 PM
http://linux.slashdot.org/linux/05/02/17/1616232.shtml?tid=172&tid=109&tid=106

http://seattletimes.nwsource.com/html/businesstechnology/2002182315_security17.html

DJ_Max
February 20th, 2005, 01:56 PM
Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows... Ford said the idea was to represent what an average system administrator may do
If you ever ran, or currently run, a hosting company, you'll know you always harden your server beforehand. But since Linux is free, most newbies never manage to do that.

This study is pretty pointless.

kassetra
February 20th, 2005, 02:20 PM
Also, please look at who sponsored the studies.

Seattle Times is a well known outlet for Microsoft.

GilGalad
February 20th, 2005, 02:22 PM
I wonder whether I should go to the nearest computer shop and buy a copy of Server 2003, after removing Linux from my hard disk :lol:

Seriously, for me as a user, Linux is much more secure than Windows. Last time I booted into Windows (and I only do it once in a while) I found lots of adware programs, and Norton Antivirus came up showing some nice viruses as well.

But these kinds of studies target medium and large size companies that are thinking of moving to a real Linux solution for their servers. These companies are not going to read the nitty gritty, but the title "Windows is more secure than Linux". It is in Linux's hands to do real serious studies to prove that they are wrong (if they are).

DJ_Max
February 20th, 2005, 02:27 PM
Seattle Times is a well known outlet for Microsoft
And why doesn't that surprise me?

These companies are not going to read the nitty gritty but the title "Windows is more secure than Linux".
What really made me mad was the misleading title.

macewan
February 20th, 2005, 03:24 PM
The earth was once flat, and smoking wasn't bad for you.

Jad
February 20th, 2005, 04:30 PM
Very funny article.
Did KG students do that study?

crun
February 20th, 2005, 04:49 PM
As I understand it, the study focused heavily on the number of patches/updates over a given time. The Linux development model has always been to quickly release updates for any bug, no matter how (un)important, while MS bundles lots of bugfixes in larger patches, which don't get released as often (and often overlook trivial bugs which don't harm your server). You can debate the merits of both systems, but it seems short-sighted to base the (lack of) security of Linux on the fact that it publishes its bugfixes in the way it does.

DJ_Max
February 20th, 2005, 07:07 PM
The Linux development model has always been to quickly release updates for any bug, no matter how (un)important, while MS bundles lots of bugfixes in larger patches
Exactly, which makes the study kinda near-sighted.

Lovechild
February 20th, 2005, 07:59 PM
"Study proves you can hang an elephant by tying its tail to a daisy..."

how much will you bet me I can prove that as well?

az
February 20th, 2005, 10:10 PM
The article mentions the comparison for about half the article and then goes on to market some hardware. It then mentions 9/11 and Pearl Harbor.

Can you say Republican?

I had read some data about this sort of days-of-risk study, and the main argument has been that you cannot compare non-security bugfixes with security updates. Apparently, this was taken into consideration here. The fundamental flaw is that the infrastructures of the two systems are different.

In Windows, you have a small development base and a large userbase. The users who find security holes tend not to report them, but to exploit them. It can never be known when the security hole is actually noticed by Microsoft. In Linux, you have a much smaller userbase, but a much larger developmental base. Many more people are looking at the code and finding bugs.

You will never be able to compare the two side by side unless they have a roughly equal userbase and you have at any given time the absolute number of security flaws to be found. It is not possible.

Apparently (I cannot back this up) insurance premiums are lower for a company which uses Linux than for a company which runs Windows. Can someone here validate that?

akurashy
February 21st, 2005, 02:40 AM
Why does Windows keep making it harder? I mean, hello, they don't accept the idea that their security is a myth and is flawed...

Quest-Master
February 21st, 2005, 02:27 PM
This was said, albeit a bit differently, on Slashdot, and I fully agree with the stance it took.

A server is only as good as its administrator. :) If you have a newbie start up a Linux server and do nothing more, of course it will be compromised soon enough. If you have an advanced and smart administrator start a Windows 2003 Server, more than likely the server will survive longer than the Linux one.

However, most of the time, if you have two people of the same caliber maintaining a Linux and a Windows server, the Linux server will last longer, and this has been proven many times.

illek
February 21st, 2005, 04:45 PM
I have five computers on my home network behind a hardware router. Of those 5, only one is running WinXP, and it belongs to my wife, who thinks she can't live without Windows. A week ago, her hard drive crashed and I reinstalled WinXP to a new HD but did not download any patches or Service Packs. I specifically told her not to download anything until I was able to secure her system. Lo and behold, WinXP AUTOMATICALLY reactivated her software and even downloaded SP1 and placed it on her desktop!!! I found this out when she asked me what the new icon was on her desktop and whether she should click on it!!

Now, my network is hardened with strong passwords everywhere. ALL ports are stealthed and nothing shows up on a port scan. There are no servers running. However, Microsoft was able to activate her software and download a Service Pack without any human intervention after a completely new install of WinXP.

If MS can actually download software to her machine and run it, someone else can too. And that is just one more reason why I don't run Windows.

poofyhairguy
February 21st, 2005, 05:17 PM
If MS can actually download software to her machine and run it, someone else can too. And that is just one more reason why I don't run Windows.

If she uses IE, programs are downloading and installing on her box all the time...

Put one letter out of place in the URL, and IE will make you pay for it with a few hours of your life (well... maybe. Some malware is worse than others. But it's all getting really bad recently.)

I pass out Firefox CDs in class.

nocturn
February 22nd, 2005, 04:34 AM
http://linux.slashdot.org/linux/05/02/17/1616232.shtml?tid=172&tid=109&tid=106

http://seattletimes.nwsource.com/html/businesstechnology/2002182315_security17.html
This is pure FUD.

They are relying on a single metric.
Average patch times are not a sole security metric.

Let's say you compare IE 6 vs. FireFox 1.0. There are some issues that MS never fixes. What does this do to the average patch time?

Someone also made this comparison.
There are two emergency rooms. One has an average response time to treatment of 15 minutes, the other one has 30.
Someone near to you has a heart attack; to which room do you take him? Number 1?

Going deeper into the issue, the second room tends to treat people with a life-threatening condition before people with a broken leg. If you come in with a broken leg, you may have to wait 30-45 minutes, yet your heart attack gets dealt with immediately.

It is a stupid comparison, I know, but it highlights the danger of using single metrics.
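The point nocturn makes about a single average hiding never-fixed issues can be shown with numbers. The script below is an added example, not something from the thread or the study it discusses; it uses a constructed advisory list for two hypothetical products (A and B) and a made-up study window, and computes "average days of risk" both with unpatched issues silently dropped and with them counted as open until the end of the window. Which product "wins" flips depending on that choice, which is exactly why one metric is not enough.

```python
"""Days-of-risk: how the treatment of never-fixed issues changes the ranking.

Added example with constructed data; products A and B are hypothetical.
"""
from datetime import date
from statistics import mean, median

# Constructed sample advisories: (disclosure date, fix date or None if never fixed).
# Product A fixes the easy ones in days and never fixes two of them.
PRODUCT_A = [
    (date(2004, 1, 10), date(2004, 1, 12)),
    (date(2004, 2, 1), date(2004, 2, 3)),
    (date(2004, 3, 5), date(2004, 3, 20)),
    (date(2004, 4, 1), None),  # still open at the end of the study window
    (date(2004, 5, 1), None),  # still open at the end of the study window
]
# Product B fixes every issue, but always takes about a month.
PRODUCT_B = [
    (date(2004, 1, 10), date(2004, 2, 9)),
    (date(2004, 2, 1), date(2004, 3, 2)),
    (date(2004, 3, 5), date(2004, 4, 4)),
    (date(2004, 4, 1), date(2004, 5, 1)),
    (date(2004, 5, 1), date(2004, 5, 31)),
]
STUDY_END = date(2004, 12, 31)  # assumed end of the observation window


def days_of_risk(advisories, unpatched="exclude", study_end=STUDY_END):
    """Return the list of per-advisory days between disclosure and fix.

    unpatched="exclude": drop never-fixed issues from the sample (flatters
                         a vendor that leaves hard bugs open).
    unpatched="censor":  treat never-fixed issues as open until study_end
                         (the conservative reading for the user at risk).
    """
    days = []
    for disclosed, fixed in advisories:
        if fixed is None:
            if unpatched == "exclude":
                continue
            fixed = study_end
        days.append((fixed - disclosed).days)
    return days


def summarize(advisories):
    """Collect the figures a reader would want next to the headline average."""
    excluded = days_of_risk(advisories, "exclude")
    censored = days_of_risk(advisories, "censor")
    return {
        "mean_excluding_unpatched": mean(excluded),
        "mean_censored": mean(censored),
        "median_censored": median(censored),
        "unpatched_count": sum(1 for _, fixed in advisories if fixed is None),
    }


def rank(products, unpatched):
    """Order product names by mean days of risk (lowest first) under one policy."""
    return sorted(products, key=lambda name: mean(days_of_risk(products[name], unpatched)))


if __name__ == "__main__":
    products = {"A": PRODUCT_A, "B": PRODUCT_B}
    for name, advisories in products.items():
        print(name, summarize(advisories))
    print("ranking, unpatched excluded:", rank(products, "exclude"))
    print("ranking, unpatched censored:", rank(products, "censor"))
```

With never-fixed issues excluded, A averages about 6 days against B's 30 and tops the ranking; once those two open issues are counted as open until the end of the window, A's mean jumps past 100 days and B comes out ahead. The median and the count of open issues are the figures that make the difference visible, which is the kind of detail a single "average patch time" headline drops.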

nocturn
February 22nd, 2005, 04:44 AM
Another thing worth mentioning. They only look at security holes.

Now, some systems are hacked through actual holes, but the design of a system also determines how vulnerable you are.

For example, the FTP protocol authenticates in clear text; this will not trigger an advisory or patch.
Kerberos, on the other hand, has two-factor authentication and does everything over an encrypted channel. It may trigger more patches than FTP programs, but in practice it is more secure.

Then there is the other myth, that a large installbase makes you a bigger target.
Apache on *nix dominates the webserver market. Win/IIS is a rather small player there, yet it seems to be targeted a lot more, an inconsistency in their own reasoning.

nocturn
February 22nd, 2005, 09:04 AM
An interesting article about such studies:

http://www.securityfocus.com/columnists/299?ref=rss