[SC.LUG] Linux vs. Windows Viruses

Mon Oct 13 06:52:32 BST 2003

I wrote:
> I do believe that Linux's security is and will remain better
> than Microsoft's.  That still requires maintenance, good administrator
> security practices, and care on the part of users; and even with all
> of these you may still be vulnerable to something.

On Fri, Oct 10, 2003 at 07:58:54PM +0100, Rick [Kitty5] wrote:
> I don't know if it will remain better in real world terms, the perception of
> good Linux security fuelled by developers quickly releasing patches is
> another matter. MS have extensive testing procedures that often delay patch
> releases, so while their patches may on the whole be less likely to cause
> problems, they will not appear to be as security focused as Linux.
> 
> MS got a lot of flak over windows updates breaking things a while back
> resulting in increased quality control. Open source on the other hand isn't
> compatibility tested to anything like the standards MS impose upon
> themselves. This helps get opensource patches out the door faster, but is
> sometimes the cause of updates coming in pairs, one to fix the bug, another
> to fix the stuff that the fix broke.
> 
> This all adds up to make Linux appear more secure.

Actually, Linux's adherence to real standards is far more effective
at producing better security than Microsoft's adopting 'standards
that they impose upon themselves', which are rarely as well conceived
or as well argued.  And Microsoft's 'extensive testing procedures'
haven't prevented their having to release pairs of fixes in the
past two months.

Microsoft's security is poor because it was added as an afterthought;
they really need to rewrite the operating system from the ground up
with a clear security model in mind from the outset, enforced in
every detail.  I don't believe they will ever approach that without
actually making their source freely available.  There have been
similar problems in Linux because the original Unix security model
was weak and inconsistently applied throughout the system, but
these are being fixed fairly systematically.

The testing of open source patches is patchy, with, for example,
openssh scoring badly because changes are tested much more thoroughly
on openbsd, while the version released for other Unixes often doesn't
even compile on the target systems -- for minor reasons, admittedly,
but apparently no one has ever tried to compile it before it gets
released!  But many open source packages get pretty exhaustive
tests; it depends, of course, on the maintainers.

I don't find the instant fixes terribly impressive on either side,
but I do find the Microsoft approach means that there are bigger,
more dangerous security holes in their released software than in
any Linux system to begin with.  So, I believe Linux's security is
better, and I stand by the claim that it will remain better for
the foreseeable future.

     -- Owen
     LeBlanc at mcc.ac.uk