Linux is more secure because...
The Real Deal
I can't easily count the number of times I've been told that Linux is more secure than Windows. It happens so often that it has almost become "true" because so many people believe it. It's basically common knowledge at this point.
But what is this assertion based on? I suspect a lot of it is based on a combination of two things.
First is that Microsoft security gaffes get a lot of attention and rightfully so. Windows is used by 90%+ of all desktop users. Windows Servers run the majority of the Fortune 100. If there is a security problem with these products, people should know about it. Not to mention the fact that if there is a bug in software that 90% of people run, it has a very good chance of hurting a very large number of people.
Combine this with the widespread ABM (Anything But Microsoft) attitudes and you have a recipe for a seemingly endless stream of media stories about security holes in Microsoft products.
Second is that, on the flip side, you hear almost nothing about Linux vulnerabilities. Linux advocates constantly crow about how secure their OS is, and how you would have to be a fool to run the Swiss cheese that is Windows. Even when there is a security hole reported by the media, the stories almost always end with "but the hole was fixed in a patch released this morning".
Insecurity and Dangerousness are Different
But what's the real deal here? How do you quantify how secure a piece of software is? I would say that the only even remotely valid way of quantifying security is by counting the number of known vulnerabilities while taking into account how long users were exposed before patches were available.
As it turns out, at least when you're comparing Windows XP SP2 with Redhat Desktop Linux, Linux has quite a few more vulnerabilities than Windows, and, in general, its users are actually exposed for a longer amount of time than their Windows counterparts.
I know what many of those Linux advocates out there are saying right now. "But wait! Linux is open source! That means anybody can look at the code, and that means that more bugs will be discovered. Windows is closed source, so vulnerabilities hide out in that code until bad guys find them."
That may be true. Windows may have more vulnerabilities in the code, but there are several problems with concluding that Linux (and open source software in general) is therefore more secure.
- Just because something might be true, doesn't mean it is. Yes, it might be true that Windows has more buggy code. But there is no way to prove this other than by looking at the numbers. The only numbers we have are the ones regarding known vulnerabilities. Making conclusions based off a completely unproven (and probably unprovable) assumption is foolish.
- Unknown vulnerabilities don't hurt anybody. If nobody ever finds that vulnerability, it's just as good as if it never existed in the first place. I know some coding purists out there are getting all mad right now, but it's a simple fact and you have to accept it. Security through obscurity does work if it stays obscure. Since fewer vulnerabilities are known for Windows, this likely means that Windows is more secure.
- Vulnerabilities can hide out in open source code as well. When there are hundreds of thousands or millions of lines of code, bugs don't exactly jump out at you. While there have been some iffy studies done on the quality of open source vs closed source code and how open source tends to have fewer bugs per line of code, the "Many Eyes" theory of open source security has never had any real numbers to back it up.
- It's an assumption that more people actually look at the source code when it's open. It's also an assumption that more eyes will result in more discovered vulnerabilities. In fact, many types of security issues require highly trained eyes to be detected: the kinds of eyes that companies like Microsoft employ many of and that are paid to look at the code day after day.
Now, again, I know what many Linux advocates are saying to this argument. They're saying something like "But you have no idea who knows about all those publicly unknown vulnerabilities. There could be bad guys using undisclosed exploits against Windows machines all over the planet right now!"
Again, that's true. But, again, there is basically no data to support that assertion. If you can find some data that suggests that Windows falls victim to a greater number of exploits that were previously unknown to the public than Linux (and you adjust for the far greater usage of Windows over Linux when considering those numbers), then you'll have a point. But until then, you got nothing.
One last point I'd like to make is that there is a difference between how dangerous a piece of software is, and how insecure a piece of software is.
If I'm using "Bob's Awesome Web Server" (BAWS), and BAWS has 300 vulnerabilities, it might still be less dangerous to use than Apache or IIS. Why? Because I'm the only one using BAWS. Very few bad guys are going to take the time to write exploits for BAWS if basically nobody uses it.
This is one reason why I currently use Firefox. I don't really think that Firefox is more secure than IE. In fact, I'll take an educated guess and say there are likely more holes (many of which are yet to be discovered) in Firefox than there are in IE. (That's a guess, not an assertion. I can't prove it's true, and it really doesn't matter in the context of the point I'm making.) But Firefox is a lot less dangerous to use at this point. Why? Because IE has 90%+ market share, and Firefox has less than 7%. The bad guys are still spending most of their time hacking IE.
Anyway, next time you hear somebody assert that Windows is less secure than Linux, ask them to give you the hard numbers and don't let them change the subject.
The ADO.NET Entity Framework is Microsoft's entry into the rapidly growing ORM market. It allows developers to concentrate on their business logic and not worry about data access or maintaining a brittle data access layer that is heavily dependent on the database schema.
Pretty nifty stuff, especially when combined with LINQ. Most of this stuff is not new, but it's definitely a welcome addition to the .NET Framework.
It misses several of my favorite features, but this article provides a decent summary of some of the larger, more visible features in Vista and why you'll want to make the jump when it finally arrives.
I've been messing around with adding a blog to my web site for the past few weeks. Really, my site has had a blog since day one, but this was long before the term "blog" came to be.
The problem with my old blog (called "News") was that I didn't have any CMS or tool that allowed me to easily publish new blog items. Instead, I had to go and modify my site manually and then upload it.
Well, now I can easily add posts using a wide variety of tools, both web based and offline. I plan on being a lot more active now that I can do this.
Don't worry, my old news pages are still available... for all 4 of you that ever read them. :)
Watch this incredible video of the new Valve game "Portals". The concept is simple. You have a gun that can create a portal from one place to another. The game consists of various puzzles of varying complexity, and you use the portal gun to solve them. Very original, and very cool. It looks pretty good too since it's built on the Half Life 2 Engine.
The Galapagos finches made famous by Charles Darwin's theory of natural selection, the underpinning of Evolution, have shown clear signs of recent evolution over just the past 25 years. Thanks to the invasion of a foreign species and a recent drought, Evolution has yet more evidence to support it.
I recently responded to a particularly annoying post on slashdot regarding Windows and the fact that before Vista, the default user created was always an administrator. You can read the comment I was responding to here. Below is my response.
I know it's hard sometimes, but please try and actually read the post you're responding to before ranting:
Once a program is running, it can do anything, up to the limits of what you yourself can do on the computer.
As far as Windows being the only OS where the user is admin by default, you're correct. Of all modern desktop operating systems, Windows XP is the only one to make the first user admin by default. But did you ever ask yourself why?
You claim it's a simple matter of "twenty years of fraudulent marketing bullshit trying to claim it wasn't a problem". Find me a single example of this. You can't, because you just made it up.
The fact of the matter is that Windows has a very long history on the desktop, and for a large percentage of that history they haven't even had memory isolation or a permissions system. (Read: Win X.XX, Win 9x, Win ME.) In Microsoft's defense, the Internet took them a bit by surprise. Until the Internet, desktop security wasn't an issue for anybody except businesses, and that's why they used NT.
Over those years many, many, many applications were written for those flavors of Windows. These applications all assumed they were running as admin, and for good reason... they were! It wasn't until just 5 years ago that Microsoft finally made the push to get consumers onto the NT kernel, with all its nice security features and the new world of multiple users with varying permissions. Uh oh. Therein lies the problem. Microsoft couldn't simply make users non-admin by default because now almost all existing desktop applications, the very thing people buy Windows for in the first place, would break.
So Microsoft had to make a hard choice... break all existing applications and go out of business, or have the users run as admin by default. Tough choice.
Admittedly, Microsoft should have done a MUCH better job over the past 5 years to get people to develop Windows applications the correct way. Aside from their "Logo Certification", they've done almost nothing.
Vista's UAC is a huge step forward for Windows, and it solves a very difficult technical problem that is absolutely unique to Windows: a massive legacy software library dating back 20+ years that *must* run flawlessly on every new version of Windows. Microsoft does not have the luxury of breaking every existing application like Apple does (thanks to their extremely small, yet insanely loyal user base), nor do they have the pleasure of having a software library written with multi-user systems in mind from the get-go, like Unix/Linux.
Clearly this isn't as simple as Microsoft being "fraudulent", nor is it "marketing bullshit", and they certainly have never claimed it wasn't a problem.