Windows XP vs Linux in terms of security...

ExitiosuS · Dec 20, 2003, 12:59 PM

Hey guys,

I was just in a small debate with a friend of mine in terms of which has better security... and basically what I thought it came down to is that Windows has better security overall, except it has more people attacking the vulnerabilities than Linux does.

What I'd like is to hear what you guys think, in terms of experiences, sources, etc... Maybe this is a repeat, not sure.... 7am and I'm kinda tired so probably missed it. :P

Anyways,

Thanks for whatever input you guys can provide!

JustaGuy · Dec 20, 2003, 04:50 PM

Well, it really depends...

Windows is a whole system, with a lot of... hmm... stuff, and most of it has vulnerability problems: IE, Outlook Express, RPC-related software, IIS, even the core Services system and the "kernel" too (very hard to make out what the kernel is in Windows).

Linux is modularized. There are some packages that have security problems, but security problems in the kernel are very rare (I remember one recently with Linux 2.4.22, if I'm not mistaken, which was promptly patched). One of the programs with some problems in Linux is OpenSSH. They occasionally find bugs there. The same happens with other server-type software. The really great thing is that those bugs are almost immediately corrected (usually the patch is in CVS the next day), unlike Windows, where some IE vulnerabilities that have been discovered over six months ago still have to be patched...

And then, if you use a nice distro with frequent package database updates, like Gentoo, you only have to get the latest version and patch the fix.

Windows does NOT have better overall security than Linux, I'd like to hear what arguments your friend used to support this claim. Its vulnerabilities are definetely more exploited than Linux's, that's true. But if you run a tight Linux system, you should have nothing to worry about. Windows on the other hand is a whole different matter, and no-one can live by without a firewall.

That's one of the reasons that led me to change my main working environment to Linux (I only use Windows for gaming now).

The_Neon_Cowboy · Dec 20, 2003, 05:33 PM

viruses/ trogans/ hacks are useally done for windows machines...

people writeing a virus/trogan want the biggest impact so the taget the os that dominates say 90% of the desktop market.... when you go to the local elertics shops look at the boxes and see what programs run on... you'll see mabe 9 linux programs (5 being ver the os itself), mabe 10 mac (2 being os versions) and about 150 - 300 windows titles....

if your a hacker do you really want to waste your time looking for exploits on a os that mabe 7% have?
-no way

you look for he most common os and you target the most common software!

and assuming your running a router with hardware firewall and a firewall on your pc.... your pretty safe

caqde · Dec 20, 2003, 06:10 PM

Yeah Microsoft doesn't have much going for it. Not only is it targeted more, but it also has more security problems to exploit. Thanks in large to thier love of integration. What do you get when you integrate a buggy web browser and the OS GUI - a good looking and large amounts of bugs/security holes.

found a good quote

Quote:

To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it.
By Scott Granneman Oct 02 2003 10:59AM PT

another good quote explaining why linux is more secure. talking about running e-mail attachments in windows compared to linux. having already gone through the know fact that you can have someone run a program by just click on an attachment.

Quote:

This sort of social engineering, so easy to accomplish in Windows, requires far more steps and far greater effort on the part of the Linux user. Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable. Even as less sophisticated users begin to migrate to Linux, they may not understand exactly why they can't just execute attachments, but they will still have to go through the steps. As Martha Stewart would say, this is a good thing. Further, due to the strong community around Linux, new users will receive education and encouragement in areas such as email security that are currently lacking in the Windows world, which should help to alleviate any concerns on the part of newbies.

Quote:

For all these reasons, even if a few individuals got infected with a virus due to extremely foolish behavior, it's unlikely the virus would spread to other machines. Unlike Sobig.F, which is the fastest spreading virus ever, a Linux-based Virus would fizzle out quickly. Windows is an inviting petri dish for viruses and worms, while Linux is a hostile environment for such nasties.

quotes from http://www.securityfocus.com/columnists/188

Yeah viruses/trogans/hack are done for windows, but it still doesn't justify the fact that windows in and of itself is very unsecure compared to linux. The only unsecure linux is Lindows as it tries to emulate Windows.... and even then Lindows is more secure than Windows.

The_Neon_Cowboy · Dec 20, 2003, 06:30 PM

don't get me wrong people still hack linux boxes...

if linux had 90% of the market .. windows users would be considering linux unsecure .
as linux users call windows now. becouse not only does you os have to be secure every pice of software also must be secure! and thier are a heck of a lot more programs for windows then linux.... any you can unintergrate/uninstall the ie browser

right out of the box linux is a bit more secure then xp
but with proper configeration, updates and added software thier both pretty secure o/s's
stablity is a nother issue.. linux can handle a few thing windows can't
but when it come down to going to the store to buy hardware or software windows becomes the way to go least for me....

btw: the latest windows xp service pack adds whole lot of securty

caqde · Dec 20, 2003, 06:49 PM

Neon I must say your uneducated or misinformed on OS's or just about Linux. Linux and Windows configured correctly are far from having similar security levels. Windows by far is unsercure. A NORMAL WINDOWS USER CAN INSTALL DLL's. Not Admin but just a normal user. How is that secure? Linux would never let you do that. It won't even allow you to run under admin/root without reamming your neck with warnings. And as far as IE goes how can you uninstall/unintegrate your GUI? The desktop is IE(when everything is minimized all you see is IE).

It is a matter of how an attack hit's Linux. All of the attacks that have hit Windows can't hit Linux at the same level. They would either A) not happen. B) only hit really stupid/nieve users. that gave that program rights to run on their system. C) Only hit one or two computers by insiders. etc.. Linux hacks/trogans/virus's just can't do as much damage to a system as Windows one's can. The Linux OS won't allow it. Yeah I understand the difference in the amount of software, but even so if the system won't allow certain action's then no matter how much software you have those action's just aren't going to happen. You can't do something that can't be done(computerwise). Software running on an OS can only do what the OS allows it to do.

UberLord · Dec 22, 2003, 12:38 PM

Security all depends on the administator of the box, not the OS it runs. The only reason why people percieve Linux/BSD to be more "secure" than Windows is because it comes pretty much locked down out of the box compared to Windows.

Providing the windows box is well firewalled, a zero tolerance policy has been installed and stupid services disabled then Windows can be very secure.

Remember that an idiot can assign blank/stupid passwords and enable remote root access on Linux boxes as well.

As to remote services having holes, open source does have a better reputation for closing holes quickly. All software has exploitable bugs. For example, a linux kernel bug was found a few weeks back that allowed a remote root exploit. This bug had been around for quite some time ....

Dec 24, 2003, 10:11 PM

Quote:

Originally posted by UberLord
As to remote services having holes, open source does have a better reputation for closing holes quickly. All software has exploitable bugs. For example, a linux kernel bug was found a few weeks back that allowed a remote root exploit. This bug had been around for quite some time ....

Where did U found the info?

UberLord · Dec 31, 2003, 02:45 PM

http://forums.gentoo.org/viewtopic.php?t=112116

Slashdot also reported it.
A gentoo mirror server was compromised
A debian server was compromised
A gnu server was compromised.

Dec 20, 2003, 12:59 PM	#1
ExitiosuS Simian Masterpiece! Join Date: Aug 2002 Location: London, Ont. Canada Posts: 358 Rep Power: 59 System Specs	Windows XP vs Linux in terms of security... Hey guys, I was just in a small debate with a friend of mine in terms of which has better security... and basically what I thought it came down to is that Windows has better security overall, except it has more people attacking the vulnerabilities than Linux does. What I'd like is to hear what you guys think, in terms of experiences, sources, etc... Maybe this is a repeat, not sure.... 7am and I'm kinda tired so probably missed it. :P Anyways, Thanks for whatever input you guys can provide!

Dec 20, 2003, 05:33 PM	#3
The_Neon_Cowboy HardwareHeaven Extreme Member Join Date: Dec 2002 Location: U.S.A. Posts: 16,009 Rep Power: 90 System Specs	viruses/ trogans/ hacks are useally done for windows machines... people writeing a virus/trogan want the biggest impact so the taget the os that dominates say 90% of the desktop market.... when you go to the local elertics shops look at the boxes and see what programs run on... you'll see mabe 9 linux programs (5 being ver the os itself), mabe 10 mac (2 being os versions) and about 150 - 300 windows titles.... if your a hacker do you really want to waste your time looking for exploits on a os that mabe 7% have? -no way you look for he most common os and you target the most common software! and assuming your running a router with hardware firewall and a firewall on your pc.... your pretty safe __________________ Last edited by The_Neon_Cowboy; Dec 20, 2003 at 05:39 PM.

Dec 20, 2003, 06:30 PM	#5
The_Neon_Cowboy HardwareHeaven Extreme Member Join Date: Dec 2002 Location: U.S.A. Posts: 16,009 Rep Power: 90 System Specs	don't get me wrong people still hack linux boxes... if linux had 90% of the market .. windows users would be considering linux unsecure . as linux users call windows now. becouse not only does you os have to be secure every pice of software also must be secure! and thier are a heck of a lot more programs for windows then linux.... any you can unintergrate/uninstall the ie browser right out of the box linux is a bit more secure then xp but with proper configeration, updates and added software thier both pretty secure o/s's stablity is a nother issue.. linux can handle a few thing windows can't but when it come down to going to the store to buy hardware or software windows becomes the way to go least for me.... btw: the latest windows xp service pack adds whole lot of securty __________________

Dec 20, 2003, 06:49 PM	#6
caqde HardwareHeaven Senior Member Join Date: Oct 2002 Location: US, IL Posts: 502 Rep Power: 64 System Specs	Neon I must say your uneducated or misinformed on OS's or just about Linux. Linux and Windows configured correctly are far from having similar security levels. Windows by far is unsercure. A NORMAL WINDOWS USER CAN INSTALL DLL's. Not Admin but just a normal user. How is that secure? Linux would never let you do that. It won't even allow you to run under admin/root without reamming your neck with warnings. And as far as IE goes how can you uninstall/unintegrate your GUI? The desktop is IE(when everything is minimized all you see is IE). It is a matter of how an attack hit's Linux. All of the attacks that have hit Windows can't hit Linux at the same level. They would either A) not happen. B) only hit really stupid/nieve users. that gave that program rights to run on their system. C) Only hit one or two computers by insiders. etc.. Linux hacks/trogans/virus's just can't do as much damage to a system as Windows one's can. The Linux OS won't allow it. Yeah I understand the difference in the amount of software, but even so if the system won't allow certain action's then no matter how much software you have those action's just aren't going to happen. You can't do something that can't be done(computerwise). Software running on an OS can only do what the OS allows it to do. __________________ AMD Phenom II X4 925 AM3/ Giga-byte MA790XT-UD4P XFX HD5770 1GB / 2x2GB of GSKILL DDR3 10666 8-8-8-23 Samsung SH-S182D DVD-RW drive / Sony Optiarc BD-5300S BD-RW drive Western Digital WD1501FASS(Primary)/Western Digital 15EADS(Secondary)/Western Digital 7500AACS(Secondary)/Seagate Barracuda 7200.10 320gb(Secondary)/Western Digital 3200KS 16MB 7200rpm SATAII HD(Secondary) Antec TP-550 / CoolerMaster CMStacker Sound Blaster X-FI Titanium Fatal1ty Professional / Creative Inspire 6600 6.1 speakers Samsugn T200HD 20" LCD Monitor / Logitech Internet 350 Black Keyboard Logitech MX510 Mouse Last edited by caqde; Dec 20, 2003 at 06:54 PM.

Dec 22, 2003, 12:38 PM	#7
UberLord A Legend in Underwear Join Date: May 2002 Location: Unknown Posts: 5,255 Rep Power: 70	Security all depends on the administator of the box, not the OS it runs. The only reason why people percieve Linux/BSD to be more "secure" than Windows is because it comes pretty much locked down out of the box compared to Windows. Providing the windows box is well firewalled, a zero tolerance policy has been installed and stupid services disabled then Windows can be very secure. Remember that an idiot can assign blank/stupid passwords and enable remote root access on Linux boxes as well. As to remote services having holes, open source does have a better reputation for closing holes quickly. All software has exploitable bugs. For example, a linux kernel bug was found a few weeks back that allowed a remote root exploit. This bug had been around for quite some time .... __________________ Gentoo Linux - Developer (baselayout) Read my blog "I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours." Stephen Roberts

Dec 20, 2003, 04:50 PM	#2
JustaGuy DriverHeaven Junior Member Join Date: Dec 2002 Posts: 44 Rep Power: 0	Well, it really depends... Windows is a whole system, with a lot of... hmm... stuff, and most of it has vulnerability problems: IE, Outlook Express, RPC-related software, IIS, even the core Services system and the "kernel" too (very hard to make out what the kernel is in Windows). Linux is modularized. There are some packages that have security problems, but security problems in the kernel are very rare (I remember one recently with Linux 2.4.22, if I'm not mistaken, which was promptly patched). One of the programs with some problems in Linux is OpenSSH. They occasionally find bugs there. The same happens with other server-type software. The really great thing is that those bugs are almost immediately corrected (usually the patch is in CVS the next day), unlike Windows, where some IE vulnerabilities that have been discovered over six months ago still have to be patched... And then, if you use a nice distro with frequent package database updates, like Gentoo, you only have to get the latest version and patch the fix. Windows does NOT have better overall security than Linux, I'd like to hear what arguments your friend used to support this claim. Its vulnerabilities are definetely more exploited than Linux's, that's true. But if you run a tight Linux system, you should have nothing to worry about. Windows on the other hand is a whole different matter, and no-one can live by without a firewall. That's one of the reasons that led me to change my main working environment to Linux (I only use Windows for gaming now).

Dec 31, 2003, 02:45 PM	#9
UberLord A Legend in Underwear Join Date: May 2002 Location: Unknown Posts: 5,255 Rep Power: 70	http://forums.gentoo.org/viewtopic.php?t=112116 Slashdot also reported it. A gentoo mirror server was compromised A debian server was compromised A gnu server was compromised. __________________ Gentoo Linux - Developer (baselayout) Read my blog "I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours." Stephen Roberts