23 Reasons Why Windows Can’t Possibly Be More Secure Than Linux, From Slashdot, Asshole.

Thomas Ptacek | March 24th, 2007 | Filed Under: Industry Punditry, Slashdot Rounddown, Uncategorized

From the +4 comments. I may have skipped 4 of them.

  • Because patches don’t make an operating system more secure, you idiot: “Wait…I’m supposed to think that fewer patches makes for a safer operating system?”

  • Because Microsoft can’t be trusted to patch anything, so nobody knows how many vulnerabilities Windows has, retard: “Retarded. It relies on the trust that OS vendors always patch all holes they’re alerted to, AND announce every one they’ve patched or been alerted to. Trust like that is the beginnings of security problems in the first place.”

  • And, “Windows had the most trivial and easy to fix vulnerabilities that they have fixed with a small number of patches, from possibly an unknown number of undiscovered vulnerabilities”. Jerk.

  • Also, “I could stop patching Windows forever and it will be the bestest Operating System EV-ER! Like OMGWTFBBQ!” ROTFLMAO LULZ!

  • Also everything in Windows runs in the kernel because I like, totally read that somewhere, jackass: “Redhat particularly, but also Mac, bundle more software. This means you have many more lower priority vulnerabilities because you have more LOC in userspace.”

  • Plus come on, Symantec is in Microsoft’s pocket, fool: “Symantec (who makes all of their profit from selling security products for Windows) says Windows is the way to go.”

  • And Microsoft is evil! “Further, Linux folks release a patch when they see a problem, M$ releases a patch when forced to by someone who’s published exploit code.”

  • Symantec shill! “This is a Symantec marketing campaign disguised as a press release disguised as a research report.”

  • Also, Linux does more, and that has to count for something you asshole. “Windows XP Pro’s standard install media doesn’t include 2 RDBMS packages…”

  • You’re a criminal. “Bot herders have named Windows as the most reliable operating system for hosting botnets and spam machines.”

  • Patch time doesn’t mean anything, bitch: “Maybe OS X’s average patch time is higher because the vulnerabilities they had were less important to patch?”

  • You fail. The only way to measure security is to see if people actually break in: “It seems like a truer test would be to set up a machine (or rather, a statistically significant bunch of machines) and measure the average time to system compromise.”

  • Computers are all insecure. That’s why I use Unix for security, moron. “As always, the most secure computer is the one that is turned off, and unplugged from the network. No security model is perfect, but I’d take any *nix for a web facing server any day.”

  • What about 1999?!?! “This only covers the last 6 months. Why only 6 months? Surely a more representative sample would be years. In this case, MS doesn’t look so good. Didn’t BSD have its 2nd bug in a decade recently?”

  • Doublespeak. “Windows is the most secure operating system. Windows has ALWAYS been the most secure operating system.”

  • How could you not know that Symantec is a Microsoft puppet? “Symantec has invested millions to get in bed with Microsoft and gain insider information into the workings of the OS.”

  • Didn’t you see that Windows mbuf bug? “A lot of the security fixes seen in OS X are related to applications, things like ‘a maliciously crafted quicktime movie could lead to elevated privileges’. This is a whole world different than ‘a buffer overflow in the TCP stack allows remote code execution’.”

  • You can’t even install Windows securely, traitor: “My usual response to that is to challenge the speaker to do a base install of Windows and a base install of Linux or MacOS with a machine plugged into the raw internet. Then measure how many times each OS has been pwned before it’s done installing.”

  • At least Linux boxes all auto-update for security patches: “Microsoft didn’t allow me to download the SP2 images from my Linux box either. They didn’t like my web browser.”

  • My hand-rolled Gentoo distribution doesn’t even run statd! “Not every OS opens up all sorts of services by default, you know. A decent Linux workstation will have sshd, if anything.”

  • My cat smells like cat food! “If we assume that the vast majority of people who find security holes do the right thing and notify the vendor, then we can conclude that the vast majority of security holes should not be exploited prior to it being patched. From this, we can conclude from the relatively high zero-day-flaws-to-patch-count ratio that the vast majority of known Windows security holes probably remain unpatched, thus making the above numbers dramatically understated. Just a hunch.”

  • Linux would win if your mom would just install her fucking compiler: “Oh don’t forget Visual Studio 2005 and all its plugins, as Red Hat out of the box has a full development kit installed.”

  • I blame America: “Well… I think you should talk to that Norwegian bank which was down for a week (11,000 PCs and 1,000+ servers) a couple weeks ago about how secure Windows is… so no, not really ‘All quiet’.”

6 Comments so far

  • Jon Bowie

    March 24th, 2007 9:57 am

    They obviously forgot, “Every security researcher on the planet knows closed source applications/operating systems have inherently higher vulnerability rates than open source platforms, even if fewer of the vulnerabilities in the closed source platforms are reported.”

    I would’ve expected some ./er, oopz, I mean /.er, to come up with that one.

    So I’ll play the devil’s advocate and ask the seemingly pertinent question at this point:

    “Is the more secure platform the one with the fewest historically reported vulnerabilities, or the one with the most historically reported vulnerabilities? Or should it be the platform with the fewest _remaining_ vulnerabilities?” (Obviously this is a shortcut to thinking, as vuln. severity needs to be factored in somewhere; n+1 nobody->root bugs probably don’t even equate in severity to a single unauthenticated user breaking nobody, or root.)

    Since no one really knows the answer to the questions of ‘Which platform has the most remaining vulnerabilities of the highest severity?’ or ‘How do we quantify the severity of a vulnerability outside the context of a defined security model?’ aren’t we just chasing our tails?

    It just seems to me that it is unsubstantiable to say ‘Platform A is more secure than Platform B’. The only quantifiable comparison you can make between one product’s ability to protect the assets it stores and maintains and another’s is a historical one. This by no means accurately predicates or predicts which product or platform is better at the moment, it just gives you an idea of which one is likely to be the best.

  • Andy

    March 25th, 2007 3:33 pm

    Mr Bowie,

    I disagree that we can use historical track record for gauging the security of a platform, if it hasn’t existed in the past.

    Two companies are making buildings in an earthquake zone. Both have historically used bricks and mortar to construct their buildings. One of them used better quality materials, built on better ground, spent more time and money. Their buildings traditionally stayed up better in earthquakes and/or suffered less damage.

    The “worse” company switches to steel reinforced concrete with built-in flexibility and wave-damping.

    The “better” company stays with how they’ve always been building buildings.

    Which building is safer?

    I’m not going to say this is a perfect analogy by any means. It does point out the role that processes and materials play in the overall process.

  • Dr. Strangelove

    March 26th, 2007 8:25 pm

    Andy,

    That was my point; that you can’t use either of those two things, even though they’re seemingly the most convenient points of reference. The root question results in the paradox which stems from the fact that you never know how insecure an application (let alone an entire computing platform) is until its bugs are found! ;)

    Since the only base of reference we have for assessing a product’s current security posture is a historical one; we are left to the realization that the question itself asks us to draw a conclusion based on the analysis of a perpetually incomplete data set.

    Your building analogy very nicely illustrates the point I was trying to make by the way :)

  • Antagonymous

    March 27th, 2007 7:56 am

    ’cause when so many people could look at the source code it’s just automatically more secure, dillweed.

  • Alfred Huger

    April 2nd, 2007 3:11 pm

    Well, I suppose all of this inane chatter is typical of ./ although I always hope for better. I guess for both the people there and the folks who have posted here I would suggest that people actually read Symantec’s ISTR which is the source of this contention. The report never states one OS is more secure than another. It simply states patch times and reported vuln numbers. The ‘more secure’ bit came from a press story. The comments pasted above point to the general quality of the ‘linux’ community who uses ./ more than it does to illustrate anything of interest around vendor security. IMO.

    -al

  • Thomas Ptacek

    April 2nd, 2007 3:17 pm

    The concern is, what’s typical of Slashdot is probably typical of IT — particularly, incoming “green” IT professionals.
