Saturday, October 21, 2006

Jeff Jones, you rock like no other!

One of the security blogs I read often is that of Jeff Jones from Microsoft. He has recently completed the most accurate 'apples vs apples' comparison of Linux (Red Hat and Ubuntu) desktops vs Windows XP.

This is something that has been long overdue. A by-the-numbers analysis of vulnerabilities, using vendor supplied security bulletins and accepted standards body methodology and definitions. [Insert standing ovation]

After pointing one of my work colleagues (a Unix engineer, and a very good one at that) to the initial post, the unsurprising response came back "Yes, but most of those security patches are nothing to do with the operating system - they're 3rd party applications that sit on top.". I retorted that although that may be the case, they are applications included in the distro by the Vendor, supported by the Vendor, patched by the Vendor, and were not applications that are unreasonable to expect on the average installation. Especially not a desktop installation.

However he did get me thinking... we have all lived through the pain of slammer, blaster, sasser and the like, yet having never worked in an environment that had Linux on the desktop or even a significant amount in the datacenter (and the smallest company I have worked for had over 9000 employees - I have spent most of my career working for companies with over 60000 employees), I felt that maybe he did have a point. Where were those anonymous, remotely exploitable vulnerabilities that have hit Windows so hard?

So I asked the question to Jeff, and he responded in his usual level headed, analytical manner, and you can all read the results here.

I've never understood why Linux people feel they can rubbish Windows without knowing a damn thing about it. I have rarely heard a Windows person put shit on Linux, and rightfully so because most of us wouldn't know any better. Conversely, I have heard *plenty* of Unix people deride Linux, and quite frankly they would know. It is from conversations with Unix geeks and my own limited experience with Linux that I derive my unfavourable opinion of it - not from some Microsoft funded 'independent' study or some marketing blurb, and certainly not because it is the status quo amongst the Windows community. But I still won't say a bad thing about it unless provoked.

Now, thanks to Jeff, we have some hard numbers to push back into the faces of anyone who makes that most ill-informed broad generalisation "Windows is less secure than Linux".

But even with such information at hand, as I have said numerous times, any admin worth their salt (*regardless* of platform) knows that it's all about who owns the box, not the OS running on it. It's a shame more people don't think like that... if they did, we probably wouldn't need this kind of analysis in the first place.

No comments: