By silicon.com, 3 August 2004 18:05
Research out today found that 78 per cent of developers working with Linux claim never to have had their systems hacked - cue widespread praise for the unrivalled security of open source operating systems.
But many readers will say to themselves: "So what?"
What does that statistic prove? Those that commissioned the research may well like us to believe it means Linux is fundamentally more secure than Windows. And there are many in the Linux community and wider IT audience who would concur. But let's assume that's not what the discussion should really be about - after all, IT is as much about perception and marketing as any product these days.
The question many will raise is: "But isn't that simply because it's less attractive to hackers?"
Wouldn't car thieves rather steal a Lamborghini than a Lada? So why shouldn't those in the business of cybercrime not want to target the biggest returns? And those bigger returns undoubtedly come with crimes against Microsoft products.
Others have come up with similar analogies. John Thompson, CEO of Symantec, recently came up with a fairly neat one, likening virus writers and hackers to graffiti artists.
Thompson said: "If somebody writes graffiti they're not going to write it on a wall at the end of a dead-end alley. They're going to write it on a train that travels right through the city centre."
In Thompson's opinion the ubiquity of Microsoft's operating system simply offers a more attractive canvas for the virus writers hence the higher number of attacks aimed at Windows vulnerabilities.
It's difficult to even address the 'inherently less secure' issue of Microsoft software when the targets are recognised as being so different in size.
At this stage it's worth noting that when earlier this year silicon.com asked its audience 'Why might Linux be more secure than Windows?' 41.2 percent said it would be because of the open source development model and 31.8 per cent said because it is not as widely used. Is that a victory for open source? Consider 27 per cent simply chose the response 'It isn't more secure'.
Bringing the matter back to today's research, there's the fact that 78 per cent say they haven't been hacked. That means 22 per cent have been.
Almost a quarter isn't necessarily a great return, not if there hasn't even been much of a concerted effort. Was this research the group really wanted to release?
Comments
There are 16 comments. Join the discussion
1. Anthony Fogleman
It appears that you're slanting the story toward MS when the vulnerability to hackers probably has more to do with the quality of the technician, than the OS. Perhaps it's also more about the server software that's running ON the OS than the OS itself. Consider also that according to Netcraft's Web server survey, Linux is the most popular platform for web servers with Apache running on about 2/3 of all web servers vs. IIS (MS). For businesses, however, IIS is more popular, runnong on about 55% of servers connected to the internet. Just for the benefit of the readers, Silicon.com (this web site) is running on Apache/1.3.27 (Unix) PHP/4.3.1
2. Jim Verhei
The quote quote ... "Wouldn't car thieves rather steal a Lamborghini than a Lada?"
I don't know, I would suspect that the owner of the Lamborghini may just take more care of his security ... but really, this is the same ol' look at all the attacks on this OS or that OS bluster. If I were to continue to use the car example ... it's a whole lot easier to steal the Lada.
So what's the point .... Oh, wait, on the right side of my screen, there's that advertisement from M$ ... don't see many of those from *inx vendors.
3. anonymous
It is strange how people who use Linux / Unix always jump to the defence in such a strong way, Use MS know it is slightly bug ridden, accept the fact that you will get a virus and live with it. Why write a virus or hack a system which has such a small %age of users
4. Lindsey Rockwell
Security?
You debate security eventhough you don't seem to know much about it!
It would be OK if somebody could learn somthing from it, but not the way you journalists write about it. You don't seem to be able to distinguish an operating system from Winodws.
There are technical reasons for why UNIX/Linux computers are safer. Of course that goes above and beyond a journalists comprehension.
Is the only method you are capable of doing something that resembles research doing interviews? How can people seriously believe all of you journalists + Forresters and Gartners when the only thing you can talk about is statistics and interviews.
How can YOU tell how many CD images for Linux and a like are downloaded every day?
How can you tell how many of those CDs are copied and redistributed?
How can you tell in how many computers all that software is then installed?
What magic "interview methods" do you use in order to come even close?
With a Linux distribution comes much more than the plain operating environment. For example SuSE-Linux is delivered on 9 (nine) CDs packed full of utilities, Office packs, web-, FTP-, Secure Shell-servers and many many more. All this plethora of different applications on Microsoft plattform would
a) cost a fortune
b) be as secure as M$ IIS
Considering the vast amount of software that we talk about, Linux and the rest of the associated software is far more secure than anything from Redmond.
Lindsey
---
5. Andy Bennett
Would a car thief rather steal a Lamborghini than a Lada?
In the hacking world the answer would probably be 'NO'. Any idiot can write alter somebody else's code to write a virus or worm for Windows. To try and hack into a Linux box that's been properly set up and is kept patched is extremely difficult... not to say virtually impossible.
So essentially there are two conflicting pressures. One, there are more Windows boxes out there so there are more to hack, and, two, even if I do hack one, who cares? A child can do it... and they often do.
Also, MS issues 'service packs' and such like, for it's software every so often. Unfortunately, though, all this does is to highlight the issue of what happens to the bugs between one service pack, bug fix, security update etc., and the next one. In other words bugs are left unfixed for days and weeks at a time because of the commercial pressure NOT to tell anyone about them until the next release or patch. With Open SOurce software this isn't an issue. Nobody has any interest, commercial or otherwise, in keeping things quiet.
So to try and pretend the debate about the pressures making Windows or Linux more secure comes down on one side or the other with any great force is ludicrous. What we should be having, then, is a debate about which system is more secure.
Is anyone seriously suggesting that Windows is inherently more secure than Linux?
6. Anonymous
That had to be one of the most ridiculous things I read in my life.
"To try and hack into a Linux box that's been properly set up and is kept patched is extremely difficult... not to say virtually impossible."
The same is true of Windows. However the reality is both boxes get hacked on a fairly regular basis. Recently, however, Linux boxes have been getting hacked more.
"Is anyone seriously suggesting that Windows is inherently more secure than Linux?"
Yes, they are. Which is why Windows can get security certificates than Linux can't
7. anonymous
i have the experience in administrating both windows2000 advanced server and linux debian, and all I can say is for you to judge these 2 systems and compare them you would have to first understand about how each kernel works, because when you talk about different software then it becomes a bit of a different issue cause now you arent just comparing the os.
I am not going to take sides cause that will not change anybodies opinion. All i will say is that before you make your judgements, dont just look at statistics and hear other people's opinions. Try learning the system for yourself and learn all its major capabilities.
maybe that will help most some of you who will actualy try to do it, because it took me around 4 years to grab most of the concepts that the linux platform had to offer, and aside from reading lots of books about the kernel, etc.. i had to also administer and solve the problems i had after installing this system onto my network. Same thing happened with MS Windows 2000 Advanced Server .., but after a while you start seeing which system can go further and have less limits..
8. anonymous
"those bigger returns undoubtedly come with crimes against Microsoft products."
This doesn't seem to take into account that linux is predominatly used as a server OS and Microsoft windows is predomatly used as a desktop OS.
To a hacker a server offers far greater 'returns' for than a simple desktop.
A virus writer however would simply be looking for the most prevelent, and also the easiest target, which is Windows.
9. Graham
Oh be quiet you anoraks. The leaders of IT media and corporate security say a few words in MS' favour and you still can't stomach it. This article is spot on, OK maybe a little slanted but only because there were no quotes from frothing-at-the-mouth *nix enthusiasts. Until the comments, at least...
10. simon
this isn't a linux vs ms battle so stop bickering. I administer both systems and both have good and bad aspects.
On the whole the Linux boxes are more secure, the code is open source and so scrutinised by far more people, fixes are fast, rarely require reboots and so far effective.
MS on the other hand is closed code scrutinsed by a handful of people. Often the patches, which take weeks to arrive require reboots which isn't always possible, and they do sometimes create new problems.
To those of you that say a hacker prefers to hack windows is a bit silly, think - if you were a hacker surely there is more prestige in hacking a *nix box ?
But ultimately anything that is connected is in some way vulnerable sooner or later. We can only hope that the people writing and looking at the code spot the mistakes before the hackers find them. Just take a look at any exploit site you'll see there are far more available for MS boxes than any *nix platform. This is down to inherent coding flaws and the closed nature of the software.
11. Mick Behn
The point isnt how has market domiance. I want a system that is secure period. I dont care if 5 billion poeple use it or 2. As long as it works and its secure. Microsoft has proven time and again that it cant secure its OS well enough against hackers.
So let poeple use windows and have to deal with the daily Viruses, Spyware, AD viruses, and MS updates. all that alone waste to much time.
Give me Linux, give my MacOS X, give me SunOS or Irix, I dont care, just make it work and secure and im a happy user. MS cant do that for me right now.
If it where any real world type company like Starbucks and I found bugs and viruses in my coffee ( i havent by the way)way too often i would have moved on to another coffee company.
But few poeple do move on. Let them live in the daily Hassle, Ive move on long ago.
12. Joel Buckley
Where's the Beef?
Has anyone done a comparitive security review of several OSes?
- Kernel Memory Access/Corruption
- Kernel ioctl Access/Corruption
- Required Server System Daemons
- Required Client System Daemons
- Default Installed Other Daemons
- Optional Other Daemons
- Default Installed User Applications
- Optional User Applications
How does Linux vary from other OSes in handling authentication, permissioning, tracking, logging, prevention, correction, etc?
Simply stating "my grass is greener" does nothing to clarify the topic. Add some meat to the discussion and provide details of security reviews.
Links to reviews are welcome.
13. Andrew Rice
None of my Windows or Linux systems have been hacked into to my knowledge. Neither have they distributed viruses.
Linux is inherently less secure as it does not have any active components, (especially any htt files)
Linux can be more insecure than windows and vice versa dependant upon how it is built.
14. anonymous
I don't have the technical understanding - or the 'religious' zeal - to have an opinion on whether Linux is inherently more secure than MS. But that doesn't matter.
What does matter is the current monoculture, which has been fostered intentionally by Microsoft. Greater diversity would be a Good Thing, whether you love or hate (or are indifferent to) Microsoft.
15. Paul Mansfield
The nature of the users must be examined.
I believe if you took two newbies, gave them the same amount of training, one on windows and one on linux, could both make their systems "secure" and more importantly understand what and why they were secure, and both be proof against all known attacks at that time.
However, the linux admin would be able to accomplish this in a shorter time, and more importantly, be able to maintain that security for longer periods, not require additional budget for software upgrades, and also be able to manage a larger number of machines simultaneously at a greater distance (i.e from across the planet, as opposed to same building with windows).
If the specific features of windows are required, then fine, but for the most part the overly complex and thus hard to secure features of windows network applications could be easily replaced with a much simpler and more manageable linux server. Case in point: apache.
I rest my case, m'lud.
16. anonymous
That's interesting I administer Windows and Linux servers covering 3 continents from work and at home. According to the previous chaps comments I am delusional and can only have been administering the Linux boxes.
One can only assume that the other comments he makes without any supporting information are equally as accurate.