Reader Comments

Stupid bloody Americans with no security and buggy software

Nice spin, Paul. Let's quote directly from the mi2g study: "London, UK - 2 November 2004, 02:30 GMT - The most comprehensive study ever undertaken by the mi2g Intelligence Unit over 12 months reveals that the world's safest and most secure 24/7 online computing environment - operating system plus applications - is proving to be the Open Source platform of BSD (Berkley Software Distribution) and the Mac OS X based on Darwin." Yeah. How about some HONEST reporting, Mr. Thurrott?

C'mon, let's anylize this information realistically here. The majority of "permanently connected" systems are what? Web servers, right? So, Linux in this context is the largest attack surface, the frontline if you will, so they will inevitably be the hardest hit. Then you notice that medium and large businesses are the least hit. That's because they have people who know what they're doing. I can't tell you how many times I've gone to a site to see the default Apache "congratulations" page come up. I'm not a hacker, but that is basically a welcome mat that says "hey, come on in, the door's open." So, it's not the OS that's to blame here, it's the people who don't know what they're doing. Everybody and their mother knows that Windows is vulnerable, and, without having read the report, I'd guess that those malware attacks that caused "$202 billion in damages" were primarily directed against the Windows systems. I too am sorry to see this spun in such a way to try and make Windows look more secure than Linux.

For a writer to seriously claim such false evidence, for the sake of face, in one word is- appalling. Good reporting is reporting the truth. It is this kind of reporting that the UNIX and UNIX-Like communities look down on Microsoft and it’s supporters. To counter your claims: My family for the most part is largely Linux savvy. But, for school, the sisters must use Windows. IBM’s new laptops come with a OEM install of Windows XP Professional, this is fine - no work on my part. Within ONE DAY of use at school, for about four hours, the sisters’ laptops were infested with over 200 ad-ware infestations and two viruses, one of them being a “Trojan horse.” I have a default install of Gentoo 2004.2 and have been running it completely exposed to the Internet and it has not once been “infected” or compromised. Please, for he sake of you and your already-damaged reputation, bake your findings with REAL facts and perhaps some real personal experiences.

I've been running a default slackware 10 install connected 24/7 to internet without problems for months. But if you connect a windows 2k without firewall and antivirus it can last about 5-10 minutes without being attacked and infected by any worm/trojan

Hey Mr slackware 10 install, Try running a slackware install from 4 years ago and see how long it lasts. Install XP w SP2 and you're all set. Quit comparing yourself to old software to try to make yourself feel good.

Firstly people: Paul is just reporting the news, he didn't create this report. Next: Why is it impossible for this report to be true? Obviously the people releasing this knew they'd be the brunt of slashdot type venom and you would think they checked and rechecked their findings before releasing them. Lastly: Get over it.

Hey Greglara, you are obviously not a programmer but that's not important. My comments: It doesn't matter if linux has a "bigger attack surface", it's either more vulnerable or not. If it's in vulnerable than being attacked 10 times or 10 million times won't make it less vulnerable. Your comments about Apache don't really add up to help your side either. You are indicating you believe that default installs of apache are vulnerable to everyone and his mother out of the box. Wow, I'll bet apache would be bumed to know that. (small note: It has not been recorded anywhere that IIS6 has been exploited since it's release, can any other web server make that claim). Lastly, Paul didn't "Spin" anything, he just reported the findings of another companies research. Go talk to mi2g and complain to them with proof of the flaws in their methodology - I suspect you'll need more than anecdotal evidence.

To Annonymous with the linux savy family: Good for you! TOo bad your sisters are too stupid to turn on the built-in firewall (or have SP2 with it turned on by default) and have ignore all windows reminders to do so. However, something more important to note: you provide anecdotal evidence. You, one user. mi2g tested hundreds of thousands of events; do you think your 1 report can overturn the results of thousands of reports? Think again.

There is some spin going on here, but then again, who helps this magazine pay its bills? Who will pull back the toys from the writers if they cross the line in evaluating the software? Any of us who read these articles or who subscribe to this magazine should already know that. As for MS v. Linux, let me advance this to you all. Stop the brand-whoring, okay. The bottom line here is causality. Ask yourselves what causes these security breaches to happen on either platform in the first place? Is it a case of one type leaving vulnerabilities for the sake of ease-of-use? Is it the case of another brand being based on open-source thereby allowing shoddy and and careless programming to take place? In general, is it the fact that the PC world is so diverse that in order for all of this diverse hardware and software to work, that vulnerabilities are inherent? Are corporate intersts sacrificing security as a cost-savings measure? Finally, have corporate interests invented and perpetuated a problem so that a solution could be sold to the public; the "Make a Need to Sell a Better Mouse Trap so You Should Provide the Better Mouse" Theory. Some of these may seem crazy, but as a whole, all of these questions are not far-fetched. In the end, it all boils down to this computer stuff being a faily new technology and minds and social habits need to catch up.

Realistically it's hard (if not impossible) to determine which OS is actually more secure but anyone claims Linux is more secure solely on the number of successful Linux attacks then that person's an idiot. The person who has the Linux saavy family is obviously one of those people. Think about it this way...the majority of those 'attacks' are from companies that want to gain useful marketing data. Now I ask you this: why in God's name would anyone write something like that that would affect a Linux user? The answer is simple...they wouldn't. So maybe Windows is more secure...maybe not. But I hate it when people say Windows is less secure and the only thing they say to back it up is the number of electronic attacks made on Windows. Of course there will be more...it owns almost all of the market.

The article lacks links to the study itself, preventing readers from making their own interpretations and drawing their own conclusions. BUT... many reader remarks here point to rationalizing (where Linux is criticized) rather than any notion of objectivity.

It's obvious that Linuxes are preferred as targets of the crackers as *nixes are a more efficient platform for establisihing a spam relay of warez distribution site, etc. - whereas normal home Windows PC:s are typically compromised by net worms and like "less-purposeful" nuisances.

"I have a default install of Gentoo 2004.2 and have been running it completely exposed to the Internet and it has not once been “infected” or compromised." That's nice, but none of my Windows XP machines, all of which are connected 24/7 to the Internet have ever been infected or compromised. Let's face it, any competent computer user who exercises basic common sense and safe computing can keep their desktop systems safe and secure regardless of which modern OS they are using.

Code is code no matter what. It can all be 'compromised' because no OS is perfect. In the end... programmers and networkers made it, they can break it as well.

Ah yes another case of Windows fanboy spin to make it come out as the superior platform. Perhaps Linux servers suffered more attacks because there are more of them connected to the web? If only there was some evidence to back up this claim... Oh wait, there is! If one checks the latest Netcraft survey, one can see that Apache accounts for nearly 70% of web servers, and about 22% are Microsoft. This aligns pretty nicely with the mi2g results, so one could reasonably claim that each OS is equally secure, and suffers a number of attacks based on their population. Funny how this type of reasoning is only being used to discredit BSD and OS X (In all probability, those [BSD] machines weren't attacked simply because there was little incentive to do so, not because of any inherent superiority over Linux- or Windows-based systems.) as well as Linux.

Someone wrote "Paul is just reporting the news". Paul uses news as an opportunity for smugness. Just enjoy/detest it for what it really is; not what it pretends to be.

He is just reporting the news... No opinions were given on the article. What the Slashdot line is forgetting is that servers make up a very small proportion of computers conencted to the internet. So what they're connected more than regular computers? If the average computer is connected to the web for about 5 hours a day (thats taking into account offices windows drones being left on 9-5 mon-fri) and the average server is up 24 hours a day (as if) that means that there would need to be no more than five desktop users for each server which is online 24 hours a day for them to have the same "exposure time." (And then there's the fact that not every server is running Linux to take into account) The fact is that Servers make up a very small proportion of computers connected to the internet and comming up with contrived theories about exposure times, which frankly are rubbish. (I run Debian, FreeBSD, Darwin, OS X and XP Home)

Thurrott is a known shill. Does anyone really take his "reporting" seriously?

Most breached does not equal least secure. What a moran.

Paul and other readers. Instead of shooting you down about flaming Linux and promoting Windows, I decided to have a look at the original mi2g report first before commenting. I agree with a lot of the comments that your article is rather one-sided, but obviously this is the nature of this website. The fact that you didn't post a link to the original report is also shocking, are you affraid of people finding out the truth? If you look at the profile and spread of attacks in the study you'll notice that a lot of these Linux attacks were in fact manual attacks, and not by automated virii as is the case with most Windows attacks. Why? A SOHO user without enough Linux skills will get a friend's friend to install Linux because it is "secure". Linux is indeed incredibly secure, if you know how to configure it. Most people will just disable the firewall during installation, leaving services like FTP, SSH, Telnet open for a hacker to casually break into. Services that also run as root (BIND, Apache, etc) can also be fatal for a Linux box. Hence, Linux obviously has more attacks because 90% of the time there is an unmonitored, or unmanaged, daemon waiting to accept connections from anyone. Another fact is that a lot of these boxes studied were connected to the net via personal broadband connections, giving hackers lightning fast access to them, and most people think that only big internet servers get hacked and not their little office machine. In medium and large enterprises these intrusions were less frequent because these firms invest in their security (independant of their choice of OS). I'm a big Linux and open-source supporter. Not because I hate Microsoft, I believe they have a lot of good software out there, but because I believe that I can achieve what I want better with an open architecture and community driven efforts. In closing, if you properly secure any computer and only allow what is needed to get to the box you'll be inherently more secure. Computer security is an art that needs to be practised and exercised everyday to make sure everything remains intact. Windows, Linux, BSD, Apple. It's all the same, incompetent users will suffer where those who are prepared will survive the internet.

I think what we can learn from this is that whoever is the market leader is going to be considered the least secure. Windows clearly is least secure on the desktop because it has 90%+ market share for the desktop. Linux is (to my knowledge) the marketshare leader for the server market and, not surprisingly to me, appear to be the least secure. Microsoft gets a LOT more media attention with regard to their products, primarily because EVERYONE can relate to a buggy, virus-ridden version of Windows that they've used at one time or another AND because Microsoft is large, wealthy company that's been involved with antitrust scandals and various other legal entanglements. "Windows, Linux, BSD, Apple. It's all the same, incompetant users will suffer where those who are prepared will survive the internet." - Anonymous User I agree. I'm an MCSD, so it might seem like I would be quick to jump in Microsoft's corner. I do think the fact that their source code being closed source is a huge obstacle for many if they don't address security issues quickly (which they did not in the past). However, there are clearly disadvantages to the other products as well. It's all good for us, though.

I really don't see why the whining as the writer was only commenting of the findings of a survey carried out. As one person below mentioned Microsoft owns half if not almost all of this market. I still think wins 2000 and xp when configured properly with a good software firewall is very stable. I think my comments come across as someone who is a bit biased but then again and work and support day in day out. LOL.

This article is disinformation and innuendo on a CNN scale. I fail to understand why any magazine would print this drivel. Survey or no survey, any one with an ounce of common sense can see that the problem with attacks and security in general is not the server software, it is the users. They want the power of the Internet without the responsibility of protecting themselves from the potential of that power. If all of those people spent a couple of hundred bucks to get a competent professional to come to their home and set up their security infrastructure, they would have no problems - regardless of the OS that they are using.

The reason why this is study resulted in linux being more exploitable is because it did not include things like viruses when involved with windows, just pure raw hacking attempts. Linux is by far superior, and you can't run a survey if you don't include Windows virus exploits because that's the majority of the vulnerabilities. It's another BS MS get the facts survey.

With Linux being open sourced of course its going to be the most vunerable. Anyone can look at the blueprints and come up with an attack method. To all you Linux diehards out there, quit being so stubborn. Your systems are just as vunerable as Windows systems and its just a matter of time when virus writers start to plague your systems too. Instead of being stubborn, maybe the Windows and Linux communties should join forces to combat this problem and not brag over which OS is better? Think about it.

This just Seems Stupid. i must say i use both windows and linux. (windows for Desktop and linux (without X11 for servers.) i must say that personally i see linux has a lot more going for it appart from the fact windows is much more easier to configure it thru a gui however im sure if people spent the time to RTFM (F in this does not mean Fine) there would be no problems.

The fundamental flaw is in the original report from Mi2g consulting company. They simply counted all security breaches without taking the total number of systems into account. This is like comparing traffic accidents in London and Norfolk Island. There are much less accidents in Norfolk than London, thus Norfolk folk are better drivers. After doing some similar surveys myself, I wonder how Mi2g got reports from all these 235,907 incidents. Quite an achievement comparing U.S. presidential polls by really big research organisations.

I have just completed a huge study on the Internet and can with confidence say that Plan 9 is even _more secure_ than FreeBSD: http://www.googlefight.com/cgi-bin/compare.pl?q1=%22plan+9%22+exploit&q2=freebsd+exploit&B1=Make+a+fight%21&compare=1&langue=us It seems to be nearly 30 times as secure!

There are several fundamental flaws in many of the commentary here. Firstly, it matters not what percentage of the market any given operating system consumes when it comes to security. An operating system being 'secure' is a direct product of how popular to attack it is, and the reasons behind people attacking it. What would be very interesting would be a 'pound for pound' summation of security threats throughout a given period, each rated based on common critera. I know that I receive, daily, security updates for Linux that cover remote vulernability holes. Secondly, the author is just commenting on his taking of the report. Much like we are now, he adds his own commentary based on his reading of it, experience and views on the matter. My organisation runs entirely on Linux, except for a Windows 2003 TS server and Windows 2000 Pro clients. All my 'security' is Linux based, not because it is 'better', but because the TCO is better in my view. Unfortunately the Linux "community" has the absolutely disgusting attitude that their product is the God of security. This wouldn't be a bad thing, except that like I said, I receive daily remote vulnerability patch notifications. Furthermore, the Linux "community" also has this ub3r l33t attitude towards helping people in times of dispare. This is completely against the fundamental cause to which Linux is based on. What the whole situation comes down to is two things. Firstly, how many vital security breaches occur per capita for each operating system, and how much RELIABLE support can be offered for each operating system. I have no quantative proof on hand to support this, but I would suspect that when you weigh everything up, Microsoft stands out as being the far more reliable "product". Remember, my network runs almost entirely on Linux, but this is not by choice, rather budgetory constraints.

I don't know about the rest of you, but if you take a base install of XP or Server and a base install of linux put them on identical hardware on the same DSL hub and let both run in user space (Linux logged on as user ) 24 hours a day for a week. I garentee you that you will have at least one virus on the windows box by the end of the week. In fact I have had viruses on boxes during a 24 hour burn in. Sure load some antivirus software for Windows and everything is much better, but most users don't use Linux antivirus software even though it is available. I have run both Windows and Linux servers. Once you get use to Webmin and Telnet you'll wonder why you havn't been doing it all along. TCO is just a bonus. Set them up and let them run. Ever install a mass update on MS Servers. Install patch, restart. Install patch, restart. Install patch. Opps, machine won't boot. Hop onto the laptop and find that the drivers for your video card don't work with this patch. OK, recovery console then, but you still can't fix the problem. So now you have two choices; pull the server to change the video card to a diffrent brand so you can restart the machine and fix the driver problem or reload the OS and rebuild your configuration and install your backups. (This has actually happended to me BTW) If you have a backup of your server data and config files. You can format your drive, install the entire Linux OS, drop in your configs, do your updates, and be back up and running in 20 mins on a single server. Less if it's a simple web/FTP server. Take it for what it's worth. If you love Windows great, but I would rather spend my weekends riding the motorcycle then being proped up on a stool in front of a rack. Hoping to figure out what conflicts had been casued by the next security patch. Or sorting through file systems trying to remove viruses that the antivirus software can't remove. Just my 2cents.

From www.mi2g.com http://www.mi2g.com/cgi/mi2g/frameset.php?pageid=http://www.mi2g.com/cgi/mi2g/press/feedback.php "For the record, we are supporters of Linux and run www.mi2g.net on Linux. The mi2g Security Intelligence Products and Systems (SIPS) Engine runs on Linux, Apache, MySQL and PHP (LAMP) architecture. We believe that good administration is central to working with Linux. Those skills are lacking in the global market and are the root cause behind Linux receiving a much higher number of manual hacker breaches. Manual breaches can be much more complex and sophisticated than automated ones proliferated through malware."

We run Windows boxes and Linux boxes -- Paul's reporting just doesn't match our experience. In fact, its so far off the mark its hard to take it seriously and it undermines the credibility of this newsletter.

Personally i am sick of the endless bickering between OS supporters. My hat is off to the only person to read the study in question before posting. I also agree that both MS and Linux communities should help one another with security issues. Me, the average home user( not permenatly connected to the net) chose to use Linux not based on just security, but STABILITY. the one mayjor flaw in the study was that all the attacks on the linux systems were "Manual attacks". the majority of attacks are also completely random. most generally are exicuted by use of malware, and/or trojan horse, a lot of crackers wont take the time to manually attack a home user's PC. to conclude my excessive rambling; all OS's are vulnerable to attack if not properly monitered. I think the most important thing to home user's is stabilty. there is nothing more annoying then having your windows OS crash while your are in the middle of something important. (to show im not biased i run both Windows 98 and Xandros Linux) I personally like them both for certain things...though i now use windows only for gaming perposes.

Unfair to Linux, favors Windows. I cannot see how this could be possible.

.

Why should one broke in a Lada for a fruit basket if there's armored truck left next to it unguarded and loaded with gigabytes of visa passwords? For the other Anonymous user: "That's nice, but none of my Windows XP machines, all of which are connected 24/7 to the Internet have ever been infected or compromised." Or then You got no antivirus or the first virus disabled the antivirus database and with fast computer It's hard to notice if there is couple of less agressive spambots already running in system. Another way of course would be if you got non Microsoft HW-firewall and You don't use MS-Outluck have disabled ActiveX, Java and JavaScript or use Web Browsers without those. There is like 15 unnesessary services running in windows after default installation >) Maybe some MS-fanboy could tell me for what casual user needs telnet server???

It depends on who you ask. My boss is a dedicated Debian user who only sits in front of a Windows box if he has to. I however use both happily. I personally don't care which one anyone else thinks is more secure, I know how to secure both. But the fact of the matter is, the only boxes our organization has allowed to directly "touch" the internet over the last 4 years were Linux of some flavor and we haven't regretted it yet. My advice is do your own study, draw your own conclusions, do what's right for your own organization.

Your all a bunch of idiots, there is no operating system that is secure. Get over it, whatever your preference install a firewall, install anti-virus, install spyware tracking, install a lock and bolt the thing down and it will still be infected and broken into if someone really wants to. So do your thing and keep your favorit op system patched!

Windows, Linux, BSD, Apple. It's all the same, incompetent users will suffer where those who are prepared will survive the internet. ---- Huge Insult to Apple Users of BSD OS X

It is a shame that people who blindly favor Windows see it fit to write these articles that are ridden with lies.

http://www.mi2g.com/cgi/mi2g/frameset.php?pageid=http%3A//www.mi2g.com/cgi/mi2g/press/021104.php

I'm such an ID-10-T! I love Windows on the Desktop, and I love Linux as a server. I just moved to a new location, and didn't have a chance to bring my Linux server, so I hooked up my Windows machines to the router so I could surf. I thought it would be OK since I generally turn off the Windows machines when not in use. The next time I logged on, my Windows machine just had the hour glass for a long time. I couldn't believe it. I shut down and restarted. Same result. I brought up task manager. That's odd, AV was disabled. I discovered a trojan running a process! It wouldn't let me stop the task. I shut down and went to safe mode. I ran regedit to kill the process. The files were marked read only hidden system files. Attrib -R -H -S *.scum. Disconnected everything from the INTERNET. Restarted Windows. Uninstalled/re-installed AV. Performed full scan. Trojan had built-in FTP, and called several viri to aid in the attack. They killed my AV again during the scan, and in front of my very eyes! The only thing that saved this system, is the fact that I pulled it off the NET. Three hours later, the attack was over, and I had somehow won the battle. Unfortunately, the war goes on. Had I hooked up my Linux server in the first place, this likely would not have happened. I give thanks to the virus writers for this valuable lesson on system security.

With money, you can buy anything. Maybe tomorrow you will read a report saying that Sun and Moon is build by M$.

Of Course, the Sun and the Moon were built by M$; but the rest of the universe is Linux!

"There are statistics, statistics and damn lies" Anything can be spun in any direction. Just learn to ignore this "best" O/S BS and let's get back to making money on both.. I am...

Disagreement is as healthy as competition. Bickering (as I understand it) is argument based on ideology, not evidence. Without grounding, any argument can be found to be self contradictory. The real issue here is whether or not this report holds true. Whether or not mi2g runs their enterprise on a linux based platform is immaterial (the ad hominum fallacy). However, the security expertise of the company itself is certainly relevant to the accuracy of this report. I've just read some interesting info from the security guys at Attrition: http://www.attrition.org/errata/charlatan/mi2g-history.html It does seem that there is some bias here, but the general conclusions seem solid: we cannot trust a report (which noted as above by Oz_Nerd) misrepresents the sample size comparison methodology from a company that misrepresents it's security research history. Most of the 'facts' that journalists have drawn from the report in question, are coming from an included PDF FAQ. Check out some of the language: "Based on the information garnered through SIPS in March 2004 for twelve trailing months, Linux is the most breached operating system followed by Microsoft Windows. For the twelve trailing months as of March 2004, 68.0% of all overt digital attacks were on systems running Linux and 17.2% were on systems running Windows." It justifies most 'breached' with an unrelated statistic on the number of 'attacks'. The terms 'attack' and 'breached', while clear in the mind of even security novices, seem to be used interchangeably. In our network, we see lots of 'attacks' on each platform we have run. We have only had one 'breach' in the last 36 months. This doesn't include virus infections on windows workstations (which seem not to be counted in the report). Another excerpt: "... poorly configured or updated third party applications and server running on a Linux system are often a bigger threat to online server security than up-to-date Microsoft applications and server running on a Microsoft Windows platform." Gee, how insightful. Translation: the worst security Linux has to offer could be worse than the best security Microsoft has to offer. That's about as profound as claiming that rotten food often tastes worse than fresh fruit. The most telling detail of all lies in the fact that most of these inferences come from small sections of the report. Why? Turns out that you have to *BUY* the whole thing if you want to read it! So, they release some juicy, controversial and obviously counter-intuitive statistics, and wait for the security community to buy copies of the report in droves, just to see what these guys know, that nobody else does. Hmm. Could it be good old fashioned shock-marketing for free publicity? We shall see. Certainly Microsoft isn't going to win with friends like these, and Linux certainly gains nothing in notoriety by refuting a flimsy report. Then, we spend our time here posting comments instead of making money!! Make no mistake; the *only* winner here is mi2g.

"There are statistics, statistics and damn lies" What? Statistics and Lies?

I believe that quote (although it is a bit bastardized) can be attributed to Mark Twain. The original quote went something like "there are lies, damn lies and statistics".

You are miss informing and you are stupid, see how many permanent server are MS and how many are Linux, also. btw i have windows 2000 server when I install it out of the box and connect this to the internet in 2 minutes I have virus, before i can download patches or service packs

It's amazing how many of you get a virus so fast when you first install Windows. I've done dozens of installations over the years and never have I gotten the instant virus or worm or other b.s. some of you are spouting as happening. Neither has anyone I known had a virus instantly attack them. In fact it usually takes several days or action on their part to get infected. Either you're very much exaggerating your claims or I and pretty much everyone else I know is just lucky we were not instantly victims. Linux is not the end-all best OS out there and if it was so secure and so much better, then why doesn't it have a larger market share? Could it be how painfully inadequate it is as a casual or home user operating system? Until it can catch up and become user-friendly, it'll be relegated to IT nerds and people who want to be cool and hop on alternative bandwagons who like to type M$. It's more amusing to me though so many of you seem to hate Windows, yet you're on this website which apparently, is devoted to Windows. Tell me, are you all masochists or just lost on your way to the "I Hate M$ Party?"

Most of it comes down to the same thing as everything else in life: "Responsibility." Windows is a big target and therefore the zealots will automatically go on a rant about how awful it is without considering it is the easiest for a novice user to install and maintain. Unfortunately most of those novice users don't listen when told how to maintain it. I would love to find a LinHead or maccer that could show me in a an honest review how any of the three is really better than the other. It all comes down to who is using it and what they want to do with t it. The Maccers usually glaze over the fact that their OS is designed to run on a very finite range of machines and combinations therein, the LinHeads forget that the process of getting their os to be compatible with any random hardware on the market usually involves jumping through hoops of trying to find compatible drivers, and the majority of novice Windows users go blissfully on their merry way clicking like mad on anything that moves on their screen. Of course MS is too blame for some of this. So is Novell. And IBM. and Apple. etc,,,, Let's face it folks, they are ALL money grubbing evil corporations, it's just the size that differs. Also, I think the article Paul refers to is talking about intrusions for DDoS and such, not the sreadables like blaster and welchia that usually did not actually compromise data, even if they did expose it. It seems to refer to traditional intrusions by a third party which would make the numbers line up better since those guys usually go after servers that are exposed through firewalls for outside access and such. Just my two cents. Let the flames begin.

i don't understand what the significance of the survey's results are, given that we don't know what the ratio of Windows to Linux machines. if Linux runs on 60-70% of all machines which are online 24/7, and Windows on 25%, then the figures would indicate that the frequency of breaching is the same for both OSes. it's not really surprising since Windows does have automatic updating and patching that's usually enabled. also of interest is the pretty obvious fact that Windows systems are the lion's share of systems compromised by random automated attacks (worms, viruses, DDoS

i don't understand what the significance of the survey's results are, given that we don't know what the ratio of Windows to Linux machines. if Linux runs on 60-70% of all machines which are online 24/7, and Windows on 25%, then the figures would indicate that the frequency of breaching is the same for both OSes. it's not really surprising since Windows does have automatic updating and patching (usually enabled). it's pretty obvious that Windows systems are the lion's share of systems compromised by random automated attacks (worms, viruses, DDoS), but it's also pretty obvious that Windows has a lot more tech-unsavvy users than Linux. what i'd like to know is how regularly-patched, Linux systems run by security-conscious users fare against a similar group of Windows systems. comparisons as general and vague as the survey's don't help.

Anonymous User -November 04, 2004 -------------------------------------------------------------------------------- Hey Mr slackware 10 install, Try running a slackware install from 4 years ago and see how long it lasts. Install XP w SP2 and you're all set. Quit comparing yourself to old software to try to make yourself feel good. It would last a hell lot longer than XP would've imagined. XP lacks compliances to RASIS (Reliability Availability Stability Integrity Security). In fact, show me the best windows uptime you can pull on the internet, I can guarentee you in no time your xp will be asking for more memory until it dies and asks for reboot. Anonymous User -November 06, 2004 -------------------------------------------------------------------------------- I really don't see why the whining as the writer was only commenting of the findings of a survey carried out. As one person below mentioned Microsoft owns half if not almost all of this market. I still think wins 2000 and xp when configured properly with a good software firewall is very stable. I think my comments come across as someone who is a bit biased but then again and work and support day in day out. LOL. Same response for you, show me your uptimes that you can pull with your machine and compare it with other oses, tell me then that your windows box is actually a hell lot better compared to non-MS oses. Go figure..

*SIGH* Who's dragging Novell into this? "they are ALL money grubbing evil corporations" is a generality that may or may not be true (probably not). Sorry, I see companies like Novell providing a good product for the money spent. It's called FAIR EXCHANGE. (Something Microsoft may want to look up in a dictionary and start applying someday.) As a Novell and Windows Engineer for 8 years, the only security problem I've ever HEARD re: Novell was what is commonly referred to as "social engineering" - someone hacked their phone system years ago, impersonated a tech that was on vacation, and through the false identity got an admin to reset that programmers password so the thief could download a beta version of Novell 5. Personal security breach encounters: ZERO. That being said, our financial institution was examined by a security consultant less than a week ago - and could find NO vulnerability on our Novell platforms exposed directly on the internet. Contrast that with NUMREOUS Windows issues I've had over the years - yes, I've had driver issues crash my server, virus problems - heck, NT 4.0 crashed weekly until SP3 was released and I installed it! I will say our current Win2k servers and XP workstations have been relatively trouble-free, but only because A) MS has now had 8 years to fix their Windows problems, disguised as "upgrades", and B) 3rd-party firewalls, antivirus, antispyware, etc. do most of the security for Windows. A properly configured Novell server needs NONE of these. So I didn't have to *BUY* the report to know this was *BS*, but am glad someone did to properly discredit this article.

I hope Mr. Thurrott spends his MS payoff money wisely.

---quote--- (small note: It has not been recorded anywhere that IIS6 has been exploited since it's release, can any other web server make that claim). DrestinBlack --- end quote --- You bet your bottom dollar that the default install on OpenBSD certainly can. BTW, I use Windows XP on one machine that is plugged into the internet 24/7 and it is reasonably safe - primarily because it is behind two firewalls in addition to the desktop firewall of its own (hardware, software (Linux) and Desktop). One question about this report is why narrow it down to machines that are online 24/7 (shouldn't we call this 168 instead???). Everybody knows that around 80 per cent of all spam comes from comparomised WIndows machines that are online only occassionally. The spammers have developed their mail distribution system so that it makes full use of such systems so narrowing this report down to only '168' machines reduces any residual objectivity in the report to somewhere close to zero.

I'm so tired of the MS / Linux debate. Get a life. Move out of your mom's basement and find a girlfriend.

[Move you of your mom's [sic] bedroom and find a girlfriend] Actually, I'm married with kids. If you bothered to read any of the above, you would see that it is also about *BSDs. Maybe you should move out of your mother's attic, stop eating the fisheads and look at what is going on in the real world. We are all fed up with being attacked by Microsoft machines that have been attacked and turned into Microsoft Zombie Server 2004.

Ok install yours XP and 2003 a nd cry, when you see a shutdown screen!!!!

Collons quanta inutilitat... DEBIANITAS AL PODER. GNU/LINUX Open your mind to the open source. The only language we all speak is silence.

mi2g is only trying to get public attention. No more, no less. The more polemic conclusions they come up with, the more attention they'll get. No matter how stupid the claims are, this is just business. A little googling about mi2g will tell you.

subzerohitman721 some would argue open source software is more secure because by the time software becomes mature, tons of people have reviewed the source code, looking for vulnerabilities. As for DrestinBlack's comment on installing SP2 and configuring the firewall...um obviously you haven't seen the proof of concept exploits around to get around the SP2 firewall. Anyone that relies on a software firewall for any O.S is asking to get hacked. "There is no 'patch' for stupidity." -- www.sqlsecurity.com

The One and Only reason that Microsoft Has a competitive advantage over any open source or other O.S. is that no one has realy developed the most ammount of userfriendly software on these OS's, let's face it M$ has become a Monopoly because we are to lazy to devlop anything userfriendly in *NIX's. The same reason that M$ is not good at keeping security is that the only resources they have for development are the people they have on their payroll, yet on open Source we have more people working for a common purpose and still we do not make it to the market as much as M$ does because "*NIX Does not Advertise and Market itself" Don't we get it. Yes M$ Sucks at programming, but We "*NIX gurus" Suck at Marketing and Advertisement. If only we found a way to Commercialize, Advertise, Market, Sell, any *NIX for the general comsumption then will we have a strong OS that everyone uses and will be more stable than MS. But on the other hand then that OS will be the dominating target. In Conclusion: No matter who holds the ball, that is who will be attacked in every way. It's human nature to attack empowerment to only try to gain it ourselves. - RC

You're all right!

I agree - Everybody is right, depending on your unique view of the world. Now, move on!

FUD

this Article is not made with exact informations. No one can prevent the glory of Linux over windows as it rises again and again with more apps, security and 3D Games

The figure of 235,907 computers compromized in one year by *manual* attacks is astonishing. Particularly if you add to this figure all the computers compromised while the admin did not even notice it. In fact, it is so high that it raises questions about the level of analysis of each case (since mi2g did not invest 100+ years×man in this study.) About the result, if we are fair and consider that the average Linux admin is no better than the Win server one, and lags several release behind, the 65/25 ratio give a measure of the OS used by SMEs to connect to the Internet... This helps to understand the target of the marketing campaigns of Redmond.

I wonder how much Microsoft paid for their (mi2g's)drugs.

oh ya bunch of linux babies. first Linux's claim to superiority was size. now it takes 9 install discs compared to MS's one. Then it was all about security and now it's the most hacked. Let's face it, Linux was never better and never will be. Get MS Windows, get a girlfriend, get a life, and do something else besides writing your own rpms all day long.

let me tell you something!! My company tried to install xp sp2 and what happened? It just didnt wanna work and we had to clean the machine and reinstall EVERYTHING!!!!!! So dont come to me and tell me how wonderfull microsoft is!!!

Remember, No matter where you go, there you are. Geez, techno nerds are a whiny bunch. Linux cry babies need to get real. Microsoft is King and you can't stand that. Go save some whales instead.

Dude... Windows is "King" because they are ruthless business dealers that post untrue articals like this to hurt their compitition. dont you think its funny that the windows 3.0 gui came out just a little bit after apple showed microsoft the source so as they could use programs such as MS word and IE explorer? or that it was only released over seas so as not to be sued? or that win 3.1 gui was nearly exactly the same as the old mac gui's except that every thing was oppesite?(finder on top- start menu on bottom)(X button on right side of screen-X on left side of scree) all im trying to say is that windows is a rip off and the only reason that everyone uses it is because everyone else uses it. now as far the security issue goes: Linux is Unix based.... INPENITRABLE!!! you cannot hack into that!!! the only way is because of stupid people clicking on things such as "you win!! click here!!" which downloads a virus.... just becuase you dont have the info doesnt mean its just a bunch of "techno stuff" it means your uninformed!!! and the reason we are a "whiny bunch" is because this article is completly false. but hey im just a whiny techno linux cry baby that need to get real.

Look at the amount of posts!! Micro$oft has all the reasons to be afraid, very very VERY afraid of the GNU/Linux movement.. ..they have lost the server battle... ..desktops are next. *calls his broker* "Sell microsoft, NOW!!"

Wow! What a non-issue. Use whatever does what you need, and acquire it for free. Windows just doesn't do what I need, such as provide security from the ground up like OpenBSD... Just remember that security is a comprimise, so if you like to run more services then you are putting yourself more at risk... How about a comparison of OS's default configurations!? Pretend that the admin is a complete cretin and installs without configuring much of anything. (Which can sometimes even happen on accident) OS's should be secure BY DEFAULT! How hard is that to understand? REALLY? WTF are people shelling out money for if it isn't secure OUT OF THE BOX! Hmmm... One thing M$ could do to help would be to cut out all the damn bloat!? Why add too much useless garbage to the default install? Disable it BY DEFAULT with an option to put it in for people who want it... How many people would actually install half of the garbage if they knew it was there? IE sucks donkey balls, btw :) I saw that on a website someplace and in my heart I know it is true ;) Rmember where TCP/IP came from and Bow Down, windows zealots! What's it like to me a machanic who cannot look under the hood?

I just can't believe that an article can be so far from the truth. I have been running on-line services for the past 6 years. Linux being more exposed to external users (and attacks!) has been far more stable than my Windows servers. A couple of days ago I got a report about the number of bugs in the code for the Linux Kernel and they have 0.17 bugs per 1000 lines of code, where the 'standard' is way more (70 or something like it). Of the 5.2 million lines of code, there were just about 900 bugs, mostly due to null pointers and just a few may cause a potential threat to the system (crashes or memory corruption, not vulnerabilities). I wonder how many bugs per 1000 lines would have the windows kernel in its massive amount of lines (54 millions???). How much more stuff like this would we have to deal with on a daily bases to make all understand thad Linux IS more stable and secure than Windows by far. Unfortunally some software vendors still aren't supporting Open Source OSs and kept providing Windows only apps. I just hope that one day, all these people will wake up, smell their coffees and port their stuff to a realy secure OS. Cheers!!!

wow... ever think Linux is more exposed to attacks because it is used more?? Alot more servers are linux than they are windows.

To add abit more from my post above where I said: "wow... ever think Linux is more exposed to attacks because it is used more?? Alot more servers are linux than they are windows." I'm no programmer but give me a break. Welcome to the frikin spin zone. Cpanel which has been the most used web control panel on the internet doesn't have a windows platform; only BSD and Linux... so go figure. That's like saying "My city has the least crime in the world!" And leaving out: Population 52 A better example is this post below from November by greglara: ****************************************** C'mon, let's anylize this information realistically here. The majority of "permanently connected" systems are what? Web servers, right? So, Linux in this context is the largest attack surface, the frontline if you will, so they will inevitably be the hardest hit. Then you notice that medium and large businesses are the least hit. That's because they have people who know what they're doing. I can't tell you how many times I've gone to a site to see the default Apache "congratulations" page come up. I'm not a hacker, but that is basically a welcome mat that says "hey, come on in, the door's open." So, it's not the OS that's to blame here, it's the people who don't know what they're doing. Everybody and their mother knows that Windows is vulnerable, and, without having read the report, I'd guess that those malware attacks that caused "$202 billion in damages" were primarily directed against the Windows systems. I too am sorry to see this spun in such a way to try and make Windows look more secure than Linux. greglara -November 04, 2004

I use XP and have tried some linux distros that have disappointed me. Now I run mainly FreeBSD on a desktop and I would say it's just so GOOD. End to the endless package havoc and numerous XP reboots. But lets talk about statistics. It is science anyway, so stop with the stupid jokes about it! It's not so hard to calculate the real percantege of how often the different OS's get hacked. Using the Bayes' theorem it's easy to calculate the posteriori probability a hacked system to be win/lin/bsd/mac/etc. All the data needed is: how spread an OS is. (example lin=60%, win=30%, bsd=4%, misc=6%) What would be harder to find is how many machines running certain OS get hacked/breached/etc. For example of 10,000 linux servers worldwide, 4500 got hacked in a period of time, which is 45%. Being provided with this data, everyone can calculate more realistic numbers, and not the obviously misinterpreted results from mi2g. Another way to measure the stability of an OS is to compare it longest running times. If a system has been running for 2.5 years, doesn't that speaks for it stability? Of course it could have been hacked but the attacke wasn't able to break the system down. Think about it! Go check this: http://uptime.netcraft.com/up/today/top.avg.html

I'm on the fence with this issue. I've admistrated RedHat for years as well as Windows and found that Linux is often broken into but ONLY when you don't keep on top of security updates. With the new RedHat Network it's rare that a common hacker will find a threat that hasn't been automatically patched. At my current job all of our Windows servers are behind firewalls while our Linux servers are the ones out in the DMZ or on the net all alone (with IPChains or IPTables running). Our Windows web servers go through a firewall as well. I'd say that Linux is easier to break into if you don't do your homework but for me the biggest reason I prefer Linux for internet servers is becuase it's so much more flexible, faster and cheaper than windows. Linux can be secure and so can Windows but so many people don't do their work and somehow expect that the OS will do it for them - those are the ones who get burned. I've run RedHat 7.2 (yeah 7.2) on a crap laptop in my home for five years on DSL - I don't even patch the thing because it's just a little junk server - no one ever touches it becuase it's got a firewall something a lot of home users won't do. I don't believe these reports much because MS obviously scared of Linux and putting lots of money into making it look bad. I've used Mac OS X and found it to be the wave of the future and MS is terrified of it all linux ports.

My current system is Fedora Core + CentOS with Windows inside a secure Virtual Machine. I am a regular home user but here's my views, if you have common sense you will not get viruses or *EVER GET HACKED*. I have seen what others are talking about where viruses come out of nowhere, it only happens on a fresh 98/2000/XP install from an *original CD without any patches* and without a *hardware* firewall - people in that situation should use their brains and update their CDs. On my PC I have never got a virus, and anyone who says that a secured Windows PC gets viruses out of nowhere is spreading FUD. I have never had problems because removing the unnecessary cr@p that is (useless for home users) included with both Linux and Windows and hardening system permissions makes everything more secure. The issue with Linux security is too many people are using systems like Ubuntu or SuSE OSS for servers and believing they are secure out-of-the-box for a server. Who would use Windows XP SP2 for a server no-one would, because it isn't built to be used on a server. I believe more people know how to use Windows (obviously, common sense right?) which means less people know how to use Linux properly (again, common sense). So therefore more people are going to know all the precautions to take with windows (disable 3/4 of it's services, put on antivirus & firewall, fix sh!t file system permissions, login as limited account etc.) Less people will know what to do on Linux (check for updates constantly, setup all server bits in a chroot etc.) Each system has problems if you know what the problems are and use the built-in security each OS has you will be OK. It's a matter of intelligence and mi2g obviously has none. Sorry for the long post but you all sound like you either back Linux or Windows. P.S When someone says Slackware vs Windows 2000 that is a fair contest because Windows 2000 still gets security updates making it as up to date as Slackware with regards to security.