Saturday, April 15, 2006

My Authoritative Perspective - Which Is More Secure: Linux or Windows?

I have just enough temerity to think that my perspective settles the divisive opinions on this topic, so read on for Nirvana-ish enlightenment.

IMO, most discussions that revolve around the core philosophical question of "Which OS is better than the others?" ultimately boil down to ideological preference, bias, selective filtering of ambiguous facts and degree of zealotry. And I'm okay with this. I think one of the coolest parts of the technology field is how passionate people are about their favored platforms.

I have a bias toward Microsoft. I think MS makes great software and I think MS has contributed a lot to the technology landscape as well as to the US GDP over the years. And just as the slashdotters look askance at the likes of me, I cast a cynical eye toward the rants and raves of open sourcers who think that Linux is inherently more secure than "Windows."

I quote Windows because when it comes to security, there are significant differences between versions of Windows. Windows Server 2003, IIS 6 and XP SP2 are substantially better designed to defend against malicious attacks than Windows Server/Professional 2000, Win9x and Exchange 2000/5.5. So, without defining the version of Windows that is being compared to some other platform, the comparison becomes immediately suspect in my mind.

I have long argued that any OS or application has inherent weaknesses for one simple reason: it was made by a team of humans. They lacked awareness of future technologies, tools and skills that would expose their product to risks they could not foresee. This is the reality of the opportunity cost of the Future: you do not know what is coming, and so you don't know how to invest in the right capabilities to defend against attacks.

Further, I have felt that the blame for OS security gaps has been inordinately laid at the feet of the OS itself rather than the feet of system administrators who are responsible for configuring, hardening, monitoring and maintaining their servers. If it is true that any OS has inherent faults, it is then the vendor's responsibility to patch those faults. But this implies a significant responsibility on sysadmins: take care of your freaking servers and desktops!

Many slashdotter-types want to blame MS entirely for security gaps. While I think this is a fairly legitimate accusation for Windows 2000 and Exchange 2000, it is no longer legitimate. Windows 2003, Exchange 2003 and XP SP2, in partnership with Windows Automatic Updates, provide a much higher level of resistance to attacks because of their original design and the ability to quickly distribute patches as the need arises.

Because they are sociopaths, virus writers derive satisfaction from having their destructive work recognized publicly and from the major consequences of their actions on other people. Consequently, for virus writers, ubiquity is the key: writing a successful virus for a ubiquitous platform holds more appeal than writing for a rare platform (when was the last time you heard of someone being pissed because their Amiga got wormed?). It's hard to get more ubiquitous than Microsoft, so there's more appeal in attacking it than in writing for the Amiga. But Linux, too, has been relying on Security by Obscurity - a security "strategy" that depends on being invisible to attackers - and as Linux gains market share, more viruses are being written for it.

So, when it comes to the question of "Which is most secure?" a different approach is needed. Controlled tests should compare attack frequencies not only across different versions of different OSes but, more importantly, across various levels of patch maintenance.

In a controlled test, current versions of Windows and Linux would be compared at varying levels of update maintenance: no update maintenance, inconsistent update maintenance and 100% current maintenance. The susceptibility of a computer would then be measured as a function of the diligence with which security updates are applied, rather than of the unanswerable religious question of which OS is inherently more secure.

Such a study would be more realistic and, I believe, would expose the ignored factor of sysadmin diligence in network security. My suspicion is that it would make markedly clear that all OSes are weak to varying degrees and that, for this reason, well-maintained servers of any OS will prove markedly more secure than systems that are not diligently administered. Such a study would shift the religious question from "Who is better?" to "Just how important is being a diligent sysadmin anyway?"