http://zone-h.org/winvslinux/

I thought that was rather interesting, given that one of the advantages of Linux had been apparently better security.

hmm... well it makes sense. Since Windows is so greatly more attributed, there are more people working on making it less suceptable to attack, I guess.

But it kind of even outs because of the same reason. Most people use Windows, so there is more purpose to attack Windows than OS X or Linux.

This is the fault.

Windows does not make it easy (if possible at all) to implement patches for security holes. If you find a security hole, you have to submit it to Microsoft, have them review it (which they usually won't do until there are thousands of reports), and then hope they implement the proper patch for it.

Sure, there are tons more people to find holes, but no one to patch them. That's one of the great faults. Remember the WMF picture issue? On linux, you could have that patched that same night. Microsoft took a week, which by their standards is incredibly fast. (And only because of media pressure did it get out that quickly)

Now Linux is better for security because patching is MUCH easier. The code is visible to anyone, so finding holes and fixing them is trivial. As the Linux userbase grows larger and larger, the more secure it will be.

Well, traditionally monolithic kernels (like Linux) are less secure than a hybrid kernel (ala Windows) design.

The Windows vs. Linux security debate is a silly one though, because it's pretty much apples and oranges since you have Windows, widely used mostly consumer OS, vs. Linux, widely used OS for more technical applications like servers and getting geeks off. And it's easy to target the ignorant consumer.

lol, "more technical applications ... like getting geeks off"

Another thing to remember is that nowadays every idiot gets himself a server, puts Webmin on it to run it as a gameserver.
Perhaps the thought process goes as follows: "Hmmm, I want ma own servr for games and ftp and a uber-neat homepage with ma favorit pictchars. I'll take Linux. It's the most secure thing. I've got me this here how-to. Then I'll never have to do anything and ma servr is secure."
You can run an insecure Linux if you don't know what you're doing and you can run a secure Windows if you know what you're doing.

The thing I don't understand in this article is why they take defacements when they compare OS-security. AFAIK defacements are mostly done through holes in the webservers, so that would be OS-independent.

Solaris FTW!

*runs away*

(now, if only I could figure out System VII config files)

Absolutely true. Real admins always strive to tell the new folk in the area to "Harden their box". It is so important to do this, it's not even funny. When I first bought my Sorrowind server, I spent 2 weeks hardening the box, adding brute force detection, and such stuff. Running without this sort of protection is like wading through lava.

OSX is MUCH better protected than Windows anyways, if someone decided to attack Macs...

mmm... lava.

Web site defacements (typically) occur becuase of security holes in popular CGI toolkits, CMSs, and forum packages.


Moral of the story? Dont use PHP, and roll your own toolkits.

Moral of the story? Use PHP responsibly :p

[QUOTE=Cool Matty]Moral of the story? Use PHP responsibly :p[/QUOTE]
s/PHP/alcohol/;

From what I gathered, the site only provided statistics on the quantity of attacks.

I'm not exactly sure if all the attacks it's counting are succesful hacks, or just attempts.

In any case, like Impi said, you can run a very insecure Linux or very secure Windows depending on whether or not you know what you're doing.

Yeah...

This is talking about servers. And as mentioned, it's almost always a vulnerability in an unsecured ssh/weak passwords (I'm looking at you kirby), an error in apache (which affects the Windows versions too) or faulty perl/php/whatever.

Linux is difficult to target on the desktop front due to the security model. Under Windows it's very easy for a virus to escalate to root permissions, because most users already run in administrator accounts. On Linux all users have very low permission levels, and the sysadmin picks/chooses what permissions to give them.
While a virus download could nuke a user's home directory and all of his files, it's not going to affect the OS as a whole.

I'm not saying I think Linux is a great choice for a webserver. I'm rather fond of Solaris on that front, but Linux is solid for the desktop and that's where security vulnerabilities affect us.

I just finished converting my entire household - including my mom's computer and my sister's laptop - to Linux. Why? Not because of any inherent security problems, but because of Microsoft's attitude about them. The WMF issue was the last straw for me. They ignored the problem for weeks. They made a patch, and they sat on it so they could translate it into every other language. Meanwhile, while waiting for the patch, my mom's computer got hit by it and I had to fix things.

Soon Microsoft is going to be launching Windows OneCare. It's a combined antivirus/antispyware/support package which will cost a monthly fee. How quickly do you think vulnerabilities will be patched once Microsoft enters the antivirus market?

Funny you mention the wmf exploit - I had Izzy running Knoppix for the 2 weeks or so it was out (only when she was browsing).

[QUOTE=Cool Matty]I spent 2 weeks hardening the box[/QUOTE]

hehehehehehehe

childish humour, can't beat it.

And if you got a virus per e-mail or downloaded one you'd first have to save it to the hd, chmod it to make it executable and then execute it, which is not possible by simply clicking on it, you have to type it in.

[QUOTE=Unknown User]OSX is MUCH better protected than Windows anyways, if someone decided to attack Macs...[/QUOTE]
This is a commonly believed fallacy. OSX still has many of the basic vulnerabilities that Unix had many, many years ago because they just took the kernel and didn't bother messing with the security too much. Hell, up until 10.4.4 you could still easily create an admin account via the console no matter your user status.

[QUOTE=Dj Yoshi]This is a commonly believed fallacy. OSX still has many of the basic vulnerabilities that Unix had many, many years ago because they just took the kernel and didn't bother messing with the security too much. Hell, up until 10.4.4 you could still easily create an admin account via the console no matter your user status.[/QUOTE]So? That's not a security issue so much as a design requirement. The rule is that if you have physical access to a machine, its security is already compromised. Even if you locked down a copy of Windows you could boot with a Linux LiveCD and rip the hard drive. Or put the hard drive in another computer.

Apart from that, Apple wrote its own group administration utilities independent from the BSD versions. Security issues with OS X's group/user/password utilities would not affect those in BSD, Linux, or any other UNIX-like operating system. Are there any other "common UNIX security vulnerabilities" on your mind?

Brilliant.

[QUOTE=Mr. Stafford]hehehehehehehe

childish humour, can't beat it.[/QUOTE]

Geez, that's a stretch if I ever heard one... :/

Whaddya mean Windows ain't secure??

IIS is built like a fortress.

Ok, I couldn't even keep a straight face.