Saturday, October 23, 2004

Security Report: Windows vs Linux

The Register is running a detailed assessment of vulnerabilities on both the Windows and Linux platforms:
The results were not unexpected. Even by Microsoft's subjective and flawed standards, fully 38% of the most recent patches address flaws that Microsoft ranks as Critical. Only 10% of Red Hat's patches and alerts address flaws of Critical severity. These results are easily demonstrated to be generous to Microsoft and arguably harsh with Red Hat, since the above results are based on Microsoft's ratings rather than our more stringent application of the security metrics. If we were to apply our own metrics, it would increase the number of Critical flaws in Windows Server 2003 to 50%.
This report's scope appears to be server systems: systems that run networked services for the public or within the enterprise.

While it is interesting to analyze design strengths and flaws in the server editions of various operating systems, I believe those discussions tend to divert one's attention from what truly matters: a server's security and integrity depend GREATLY on the skill, experience, and diligence of whoever administers it. Linux/Unix/*BSD systems may have achieved greater, accelerated security-promoting maturity through transparency, but in the end it only takes one flaw to compromise a system. No server operating system will ever supplant the constant vigilance of a good systems administrator. Such a system is, by its very essence, constantly listening for incoming connections, ready to be engaged by any machine in the world, to execute a piece of logic triggered by foreign data input. In that process, the layers at which a security breach can occur are plentiful. It is not one human operating a single machine. Instead, an unbounded number of foreign systems, which may or may not be operated by humans, are interacting with your machine.

A consumer operating system, on the other hand, should be the exact opposite of a server operating system. Out of the box, upon initial installation, it should not "try" to be a server operating system by enabling ANY network services: consumers do not need to run services on their computers. If a user does, after initial installation, consciously choose to run such services, they should be made aware that they are running a hybrid consumer/server system, with the security implications this entails. Ideally, compromising a consumer operating system should only be possible as the result of a user "doing something wrong" in their everyday usage. A good consumer operating system will seek to anticipate such behavior and put safeguards in place. From this perspective, a comparison between Mac OS X (the consumer, aka "client", edition) and Windows XP would be more relevant.
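As an added example that is not part of the original post: a small Python audit that reads Linux's /proc/net/tcp (IPv4 only) and lists every socket in LISTEN state, flagging those bound to a non-loopback address, which is exactly the "ready to be engaged by any machine in the world" condition described above. The /proc/net/tcp sample embedded below is constructed.

```python
# Added example (not from the original post): audit a Linux host for listening
# TCP sockets and flag those reachable from other machines. Input is the
# /proc/net/tcp format (IPv4); the SAMPLE table below is constructed.
import socket
import struct

LISTEN = "0A"  # socket state code for TCP_LISTEN (10) in /proc/net/tcp

def parse_addr(hex_addr: str):
    """Turn '0100007F:0016' into ('127.0.0.1', 22). /proc/net/tcp stores the
    IPv4 address as 8 hex digits in host byte order (little-endian on x86)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def listening_sockets(proc_net_tcp: str):
    """Return [(ip, port, exposed)] for every LISTEN socket. A socket bound to
    0.0.0.0 (any address) or a real interface address is reachable from the
    network; one bound to 127.x.x.x is only reachable from the local machine."""
    result = []
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        ip, port = parse_addr(fields[1])
        result.append((ip, port, not ip.startswith("127.")))
    return result

def exposed_services(proc_net_tcp: str):
    """Ports a consumer machine should not be listening on out of the box:
    every LISTEN socket bound to a non-loopback address, sorted by port."""
    return sorted(port for ip, port, exposed in listening_sockets(proc_net_tcp) if exposed)

# Constructed sample: sshd on all interfaces (port 22), a local-only database
# (127.0.0.1:5432), and an established outbound connection that is not listening.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0A01A8C0:9C40 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1003 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    # On a real Linux host, replace SAMPLE with open("/proc/net/tcp").read()
    for ip, port, exposed in listening_sockets(SAMPLE):
        print(f"{ip}:{port}  {'EXPOSED to the network' if exposed else 'local only'}")
```

A freshly installed consumer system should yield an empty list from exposed_services; anything it reports is a service the user has, knowingly or not, turned into a server.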

As far as I'm concerned, the only "rational" reason to use Windows as a consumer operating system or as a server operating system is to build and run .NET applications. All other reasons have to do with existing inertia, habits, uninformed perceptions, and a $100 to $500 price difference at the cashier, before the hidden costs of having to separately purchase anti-virus and firewall software to keep a networked Windows machine workable, and the time lost dealing with viruses and spyware, are factored in.
