i found this interesting article on server security. of course this does not take into account cost or uptime.
http://linux.slashdot.org/linux/05/02/17/1616232.shtml?tid=172&tid=109&tid=106

Linux, out of the box, is going to be less secure. I don't think that's any secret. The reason why people say linux is more secure is that it has the capability to be more secure. If you have two 1337 admins, one Windows and one Linux and allow them both to do as much as they can to lock down their server the Linux box will be more secure. (Even in the article they note that a lot more could have been done to lock down the Linux box.) Linux (and other *nix varieties for that matter) tend not to assume much about you. They give you a blank (insecure) canvas and the tools with which to lock it down, should you so wish.

Although I hate to say it I would kinda agree with one part of the Windows argument against Linux. It does cost more than people imagine to manage well and this is why I believe this. Windows is made easy, it can be set up, out of the box to be pretty secure without a huge amount of grief. On the other hand, in order to maintain a well managed, fiercely secure linux box you need some pretty damned 1337 admins. Something which generally costs quite a bit. Basically, with linux (and *nix in general) your security model is quite literally only as good as your admins, where as Windows closes some of the wider holes for you.

To bring this post kicking and screaming back into the context of the article, I really don't like their criteria. "Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when a vulnerability is first reported to when a patch is issued." So, if you don't report your vulnerabilities and you don't issue patches then you rate higher ... :bemused: ... right, 'coz that sounds like a good measure doesn't it?

I always felt 95% of the security comes from the quality of the installation and administration. And way too many installations are done by people that know little about security. Linux or not.

http://x3.putfile.com/2/4812163615.gif
I know very little about setting up a server securely (not something I'm proud of, just a fact) which is why I let our sysadmin guy handle all our server setup. I'm learning slowly but untill I'm ready I'll just stay well out of his way :p

At my last job they had mostly window servers and to get one up and running was a piece of cake, but to secure the server required the completion of a 40 page checklist. You also had a group that continually scanned for vulnerable servers on the network, if the group found one then the port for that server would be shut down. Turning the port back on was a b%tch.

Originally posted by pohopo
I always felt 95% of the security comes from the quality of the installation and administration. And way too many installations are done by people that know little about security. Linux or not. Dave Cutler, who headed the Windows NT development project, allegedly got into shouting matches with Gates when he realised the latter was planning on dumbing down the OS with wizards and whatnot so that Windows NT would look so simple that even monkeys could administrate it.

So Windows NT (read: Windows 2000, Windows XP, Windows 2003 server) looks so simple that even monkeys can administrate it (it's not true of course), while Linux makes no such pretense.

The result of course is that many systems administrators are monkeys, because they're cheaper. But their failings are more obvious on Linux systems.

There's a lot more to take into account here though. Network security would be the first line of defense. Talking strictly from an OS point, I would say off the jump, they're both equally secure.......if you're not plugged into the internet. Though on a corrupted network, I'd say Windows is a lot less secure out of the box because it hasn't been patched to the teeth yet. I recently built a laptop and had to put Windows on it. Doing it from work, on our network, I had two viruses detected before I even had time to get the patches in.

Originally posted by Weedpacket
Dave Cutler, who headed the Windows NT development project, allegedly got into shouting matches with Gates when he realised the latter was planning on dumbing down the OS with wizards and whatnot so that Windows NT would look so simple that even monkeys could administrate it.

So Windows NT (read: Windows 2000, Windows XP, Windows 2003 server) looks so simple that even monkeys can administrate it (it's not true of course), while Linux makes no such pretense.

The result of course is that many systems administrators are monkeys, because they're cheaper. But their failings are more obvious on Linux systems. According to some pundits, the whole M$ camp was run by shouting matches for years.

I guess maybe now they don't shout as much, they just squish you or gobble you up piecemeal. I suppose we could ask Netscape and some other companies (if they still exist) about that.

Who's seen Windows 2003 server? The default install pops up an interface that screams "webmin" to me....

Originally posted by dalecosp
According to some pundits, the whole M$ camp was run by shouting matches for years.Cutler's teammembers would follow him as he left those meetings, and mount picture frames around the holes he kicked in the walls.

I suppose when you're worth $150M to the company, you're allowed a bit of renovatory license.

One should also take into account the attitudes of the hacker culture. I don't really know a secure system from my rear but I do know that there's a lot of animosity toward M$. Everybody loves to hack M$. I haven't seen a lot of renegades shouting anti-linux slogans.

Hacker facists? do they exist?

I think a lot of it isn't so much animosity towards Microsoft per se, it's just that they make such an inviting target. If everyone was using OS/2, OS/2 would be the one getting pounded on.

Meanwhile, no-one is bothering to come up with new attacks against Linux (there has been a measurable decrease in the rate of attacks against Linux; see the December 21 whitepaper listed here (http://www.honeynet.org/papers/index.html)).

True enough. When Microsoft was what, 12 people in some rented warehouse, and religious wars were things like Fortran vs. Lisp and VMS vs. UNIX and time-sharing was the "norm", way before "PC vs. Mac" and possibly even before Sun workstations, IBM *was* the "Evil Empire". But, true to the demonstrated nature of the dark side, a new dark lord has ascended the throne, crawling up on the unconscious, mutilated body of his predecessor, and the reign of terror deepens...

Today, Microsoft is the EE, and worse, possibly *much* worse, than IBM was --- largely because of scale, as Weed observes, although there are plenty of other reasons. (http://www.euronet.nl/users/frankvw/rants/microsoft/IhateMS.html) Can you tell I find this guy's rant rather compelling? If nothing else, a historical viewpoint worthy of consideration....

OTOH, the EE has largely been responsible (by luck?) for creating an environment where many of us can squeak by ... unless you work directly for them, or one of their minions, in which case I suppose you've got it "made in the shade", or darkness, whatever ....

I was over at ZdNet "talkback" the other day; one fellow disagreeing with some analogy someone had made (and me, indirectly) made the point that "Microsoft was the land owner, and we are just tenant farmers" ... and the analogy continues. It's pretty scary.

I'd love to chat more, and sit here in my freedom, basking in sunshine, reading my server logs comforting myself by with `uptime | mail -s "This box rocks!" me`and writing more shell scripts (and especially PHP!), but I've gotta go.

Viruses and spyware are summoning me from the very fringe of computer hell, and I must do battle as I am an honorable knight.

Sometimes it just feels like I'm still enslaved, because I must continually fight the darkness in order to enjoy the light ....

:)

Ah, see that's why you have to love dalecosp. He can so elequently word posts like that, and while I feel the exact same way, I can usually only conjure up things like "MS is the f*cking devil!!!", as I shake my fist.

Heh, heh. I think you are much more eloquent where it counts.

Or, how about this for eloquence: if ($JPEG == ($words*1000))

http://www.euronet.nl/users/frankvw/rants/microsoft/MSimages/msslave.jpg

Now, I don't hate Bill or Steve personally (although maybe a twinge of jealousy that I didn't invest way back when <?>), but I do think that I have a "corporate animosity" that directly correlates with the number of bluescreens, lockups, and security compromises I have encountered in the last ten or so years.