[clue-tech] Linux vs. Windows security
Maxwell Spangler
maxlists at maxwellspangler.com
Fri Jan 22 00:00:55 MST 2010
On Thu, 2010-01-21 at 22:36 -0700, Jason Ash wrote:
> Hi,
>
> My fiancee, Lisa, and I were discussing the security of Linux vs.
> Windows tonight. Not to drag you into it, but my position is that *nix
> operating systems are more secure by design and she (a Windows
> aficionado) just says it's security by obscurity. I tried to explain
> about the unlikeliness of user privilege escalation, and other
> features such as shadow, PAM, tripwire, libcrypt, secure password
> enforcement, etc., but I don't think it was very convincing. (She's
You forgot NSA developed Security Enhanced Linux modules working within
the Linux Security Framework. That's a pretty big deal. We have
discretionary, mandatory and role based security on Linux now and things
can be locked down extremely tight when you want to configure a machine
to only do specific activities.
I think the security through obscurity argument fails flat -- Linux
isn't obscure, it's source code is completely wide open. So if there
are opportunities for exploits, those same people who work so hard to
make exploits on Windows can easily find exploits on Linux. But this
openness goes both ways: with so many eyes pouring over the code,
opportunities for problems are getting patched and closed all the time.
The real flaw with Microsoft Windows is its corporate culture of
producing software by committee in a large organization. Unless voices
within Microsoft speak up and make security stand out, security becomes
a feature like anything else to be balanced with limited resources. So
far they have been a victim of their high volume success: they can sell
to a world that has low expectations for security and get away with it.
The tragedy is that they could have used their volume position to
enforce more security and teach their users (most of the world) to
respect it and they would be raising the bar of expectations on security
and solidify their market share with quality instead of other tactics.
--
Maxwell Spangler
More information about the clue-tech
mailing list