Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Operating Systems Software Windows Linux

Windows Developers Agree: Linux More Secure 62

theblackdeer writes "eWeek has an article up about an Evans Data Corp survey that the majority of Windows developers agree that linux is a more secure OS. "Linux scored high for innate security among respondents, more than two- thirds of whom 'use or target Windows with their code.' Indeed, only 23 percent of the developers were primarily Linux developers.""
This discussion has been archived. No new comments can be posted.

Windows Developers Agree: Linux More Secure

Comments Filter:
  • by Anonymous Coward on Friday October 24, 2003 @11:13AM (#7301174)
    Seriously, the people have been programming Windows all their career, and now somehow you ask them for authoritative opinion that requires knowledge of a multitude of platforms.

    What's next?

    Linus Torvalds agrees, VB is pretty cool.

    RMS agrees, Microsoft Visual Studio .NET is the best tool available for J#.NET

  • Baloney (Score:3, Funny)

    by prostoalex ( 308614 ) * on Friday October 24, 2003 @11:20AM (#7301256) Homepage Journal
    Put the following in your web server cgi-bin:
    #!/usr/bin/perl

    use CGI;

    my $cgi = new CGI;
    my $input = $cgi->param("userinput");
    system($input);
    and let me know what the URL of your Linux box is.
    • Re:Baloney (Score:5, Funny)

      by vigilology ( 664683 ) on Friday October 24, 2003 @11:28AM (#7301347)
      Give us the URL of your Microsoft box. You don't need to give us special permissions. We'll make our own.
    • Re:Baloney (Score:2, Funny)

      by Anonymous Coward
      haheheha change ur lunix pasward to hakked an I hak u! proof lunix si insekure!
    • Re:Baloney (Score:3, Informative)

      by AT ( 21754 )
      Because it is possible to write an insecure program in Linux, Linux is less secure? What a total non-sequitur.

      It is trivial to write the above program in any language on any platform; that has absolutely nothing to do with an operating system's security.

      What you will notice, though, is that with most Linux/Apache setups, $input will run as user "nobody" or "apache", with very few privileges, so an additional local root exploit would be necessary to do real damage. Unix was designed from the start to all
      • Re:Baloney (Score:2, Informative)

        by prostoalex ( 308614 ) *
        This was intended as humor, perhaps misunderstood by moderators. Of course OS-level security (where you depend on underlying OS code) is different from app-level security (where anyone writing the app can introduce serious holes).

        Once again, wasn't intended as a flamebait.
    • by Anonymous Coward
      /home/www/cgi-bin doesn't exist, where to I put it? And how do I tell what the URL of my linux box is? I don't think Dell put a URL in when I bought the machine, can I get one a Best Buy?
    • My root password is "i2n5i3hs]f ds4 a" without the quotes. I'm running OpenSSH on port 22, open to everyone.

      Just try and hack me. You may find the root password is not enough.
    • how about root pwd? (Score:3, Informative)

      by Xtifr ( 1323 )
      I'll do better than that. How about the address and root password [coker.com.au] of a public Linux box. As seen in Linux Journal. Please feel free to log in and play around -- that's what it's there for. (I'm hoping that the fact that this is a second level comment in a not-posted-just-this-second article will help keep the poor box from getting slashdotted.) Sure, it's SELinux, not quite the same as an off-the-shelf RH boxed set, but what does Windows offer that's anywhere near this level of security?
    • Um it aint going to do a lot if the perl instance runs under User-Mode Linux and in a chroot jail - effectively a poor man's VM with features enough for secure hosting. I looked for it on Windows, but unless I buy VMware, not such feature.
  • Yeah but... (Score:3, Insightful)

    by curtisk ( 191737 ) on Friday October 24, 2003 @11:26AM (#7301326) Homepage Journal
    "Development experience talks, a higher percentage of Windows developers said Linux is more 'innately secure' than did Linux developers."


    What do they base this perception or opinion on? Actual roll-up-your-sleeves analysis or the "features list" on their distro's box? Its kinda vague.

    • Re:Yeah but... (Score:2, Insightful)

      What do they base this perception or opinion on? Actual roll-up-your-sleeves analysis or the "features list" on their distro's box? Its kinda vague.

      The survey was simply asking about perception, not why that perception existed. More than likely a great deal of that has to do with the number of security patches that have come out for Windows XP over the last year, and the more general press about Linux and security.

      I think the idea that any OS is 'innately secure' is somewhat rediculous, though, as almost
    • by Feztaa ( 633745 ) on Friday October 24, 2003 @02:06PM (#7303019) Homepage
      The grass is always greener on the other side of the fence, of course.

      I think most windows developers are just fed up with all of windows' flaws, and when they responded to the poll, they were thinking "whatever 'linux' is, it has to be better than this" :)
    • Your question is actually more critical of Windows security than the results of the survey: you doubt that the Windows developers surveyed can (or will) actually assess and report software security..

      The end result is that either Windows developers know their software is insecure on an insecure platform, or that they are not qualified to make that distinction, and by default their software is untrusted and insecure.

  • by cfadam ( 220860 ) on Friday October 24, 2003 @11:52AM (#7301645)
    I don't see how a VB programmer can speak with any authority about the security of servers since that is most likely not their primary job function. I'd rather hear what Windows admins think (preferrably ones who also admin Unix systems).

    I administer a large network of both Windows and Unix server. Yes, I patch my Windows systems more often, but that is because patches are brought to my attention more often (via email as well as released more often _and_ they are easier to apply. Get SMS into the works and patching servers/desktops is even easier.

    I see no reason to apply every security patch Microsoft (or Sun or Red Hat) releases, a large number of them are for apps/services I don't utilize. Not patching them immediately (or ever) doesn't necessarily compromize my security model, nor have I had any issues in the past re: this scheme. Good luck exploiting a hole in WMP on my servers.

    As for which is more secure, its hard to say. That is really up to the administrator. I can make a Windows server more secure than most Linux installs out there.. but nothing is inherently secure.
    • Windows 2k's firewall is severly lacking. Linux 2.2 kernel firewall is much better and Linux 2.4 is even better. Yes you can get forewall software for Windows (eg zonealarm) but it really should, in this day and age come with a good stateful firewall.

      Also it seems by default windows has ALOT of ports open for services eg 135-139, 445, countless 1xxx ports. Not sure what it does with all these servies. Linux with X just listens on 6000 / 7000 (I think those are the ports) probably one or two more. Poin

      • it really should, in this day and age come with a good stateful firewall

        By not having the firewall in their server product and user product until Windows XP, Microsoft has allowed a cottage industry [com.com] of independent software vendors to appear that sell such software.

        Bundling something complex and of high quality with the product will basically kill off those guys, and give them good reasons for antitrust investigation.

        From a different perspective, Microsoft did buy that Romanian security vendor, although
    • I don't see how a VB programmer can speak with any authority about the security of servers since that is most likely not their primary job function

      This is pretty late in the game, but here goes.

      I write code for both Windows and Linux (very little Linux so far admittedly). On the Windows platform I write C, C++, Perl, and yes, VB. I'm not sure if you were saying that Windows developers are VB developers, but that's not what I have issue with. There are good VB developers out there. Granted, since VB
  • by ERJ ( 600451 ) on Friday October 24, 2003 @12:16PM (#7301898)
    In other news, 3/4 of all carpenters polled agree that plastic tubing is better then metal tubing for plumming.
  • by foooo ( 634898 ) on Friday October 24, 2003 @01:12PM (#7302475) Journal
    I have often wondered why windows is less secure. Could it be that a larger installed base means more exposure to security issues?? (ie. popularity = more exploits?)

    If that is the case one would assume that if linux grows in popularity it will begin to get exponentially more volume as it's *unskilled* user base grows.

    Is the difference between security merely a product of linux admins being more excellent or more fanatical than windows admins?

    Until someone answers these questions I won't start *blaming* MSFT for bad security. It could simply be inevitable that a popular system has more exploits.

    ~fooo

    • by Dan Ost ( 415913 ) on Friday October 24, 2003 @02:10PM (#7303067)
      I have often wondered why windows is less secure. Could it be that a larger installed base means more exposure to security issues?? (ie. popularity = more exploits?)

      No, the problem with Windows is that just about any exploit allows for the running
      of arbitrary code with full privileges (equivelent to rooting a Linux box).

      With a real OS (Linux, BSD, etc), to get similar privileges, you need both
      a exploit to gain access to a machine and some way of escalating your privilege.
      There has historically been a fraction of exploits that granted root from the
      start, but that fraction has become vanishingly small.
      • by Anonymous Coward
        > With a real OS (Linux, BSD, etc)...

        Damn, how foolish of me to assume that Windows was a real OS! I mean, it's only controlling my hardware, managing my files, and running my programs. I will delete it at once and install a real OS. This said "real OS" won't work with my hardware, won't be able to access my files, and won't run any of my programs, but at least the likelihood of someone breaking into my computer will be reduced from one in a billion to one in a gazillion!
    • Until someone answers these questions I won't start *blaming* MSFT for bad security. It could simply be inevitable that a popular system has more exploits.

      Netcraft [netcraft.com] says that Apache web server has 64.61% marketshare, while IIS has 23.46%.

      We all know which one has more security flaws..

      There goes the theory that more popular == more exploits.

  • When will people realise that security is not about products and operating systems. Security is a process that is ongoing and evolving.
    • It's a process that involves using tools. Now, do you want a workbench with Makita, Dewalt, Milwaulke, and Porter Cable tools, or do you want the Playskool workbench?
    • Commies can review the Windows source code, while I cannot. M$ refuses to let me on the grounds that I will find security problems.

      Products and operating systems are unique by nature, each with their own benefits and drawbacks. Any good security arrangement will avoid Windows like the plague.

      Security as a process is important, but a strong foundation will make static security possible.
  • I would not agree that Linux is more secure. I would however say that linux is less vulnerable as a desktop. I saw some numbers on slashdot somewhere (I'm not gonna look) that said that more linux servers are hacked than windows servers EVEN if windows is less secure due to the fact that there are more linux SERVERS than windows servers out therre. Now the same is true for desktops... more windows desktops are hacked than linux desktops because of the numbers. Bigger target = more attacks.

    In short... mor
  • i'm surprised nobody has mentioned that in the previous weekend Microsoft took out a full page in a lot of the English papers (Guardian on saturday, Observer on sunday at least) telling people how to update their computers to guard against viruses etc. wasn't an advert (no pictures, just text) but a warning, like some kind of product recall notice.

    andy
  • by skookum ( 598945 ) on Friday October 24, 2003 @03:45PM (#7304198)
    This summary, and the article it links to, both seem to paint the picture that there are two distinct sets of developers in the world, those that target Windows and those that target Linux (or other open source platforms). This is just simply misleading, as I don't think it's the case at all.

    First of all, most people who write code for a living have little control over what target OS they are developing for. These things tend to be dictated by the business that the company is in, or their clients, or the decisions of upper management, or historical reasons, etc. Most developers write code for Windows at work because that's where most software development happens, not because that's really their choice.

    And just because you code for Windows at work doesn't mean you don't use Linux or participate in open source development at home or in your free time.

    I guess what I'm getting at here is that I'm not surprised at all that Windows developers thought Linux was more secure, as a lot of them probably have used Linux or use it at home in some form (such as for a firewall.) In other words, you can't just break software people up into "Windows people" and "Linux people" and expect the members of each set to view their target OS as more secure, more stable, etc. People develop software for Windows for lots of reasons -- "it's a day job", "that's what the client demanded", "it's just corporate policy", etc. I guess what I'm saying is that this article doesn't really prove much, other than the fact that a lot of people think Linux is secure, but we knew that much already. Or simply: "Sure I write code for Windows for $DAYJOB, but that doesn't mean I think Windows is secure, and I use FreeBSD for my firewall at home."

Time is the most valuable thing a man can spend. -- Theophrastus

Working...