Windows XP v.s. UNIX (Security)

[steppinthrax]

The answer seem pretty apparent. UNIX should be a more secure operating system. Until I started to go online. However, this was the request of a professor who wanted us to explain the differences as far as security should we can take it either way.

I was looking at articles that suggested the following.....

1. There are more Windows XP or 2K systems then there are UNIX systems. So if the problem happens on an XP system it seems more apparent or played up.

2. UNIX code is open source so someone can easily figure out exploits for the system.

3. Since there is no corporation overseeing UNIX when there is an issue with the Operating system no one identity has legal responsibility for a fix so updates take a little longer to come out with.

My co-worker next to me said that Windows XP and UNIX are pretty even now with secuirty and it's not the case as it used to be back in the Windows 98 and 95 days. He said that hackers are able to write malicous code for Mac systems.

If anybody agree or disagree give your reasons in a 1, 2, 3....

Thank You

 

[covert24]

1. the userbase for unix is much less than xp thereofr less people care about hacking it or designing programs for it..

 

[TheStu]

Did you co-workers give you any actual examples of Unix being less/more secure than Windows? Or there actually being malicious code in the wild for the Mac? I have heard about things like that, however some of the ones that I have heard of come from a less than reputable source that is more interested in getting their name in the news than in actually trying to fix any alleged problems.

I am interested in this and would appreciate any concrete information that can be given about security on Windows, Unix, or OS X.

 

[Aluvus]

Which UNIX? HP-UX, Solaris, Mac OS X (10.5) are all UNIX. Linux and BSD commonly get lumped into the same camp as well (hence, *nix).

As for the specific points you raise:

1. Windows systems are often run by home users, who do not know/care about security. This greatly exacerbates security issues in Windows.

2. HP-UX is proprietary. And there is no conclusive evidence that either open or closed source produces a more secure product in the long run.

3. All of the UNIXes I mention above are sold by large corporations (HP, Sun, Apple). On the Linux side there are vendors like Red Hat.

The question as posed (and as argued on a million forum threads every day) is unanswerable because it is too vague. Particularly if the one asking says "UNIX" but means "UNIX-like systems, probably mostly Linux". Particularly when it is implied that the comparison is between Windows XP specifically and unspecified versions of unspecified UNIXes. For the obligatory car analogy, it is like asking "which is faster, a 2006 Toyota Camry or a truck?"

 

[bsobel]

1. There are more Windows XP or 2K systems then there are UNIX systems. So if the problem happens on an XP system it seems more apparent or played up.

If MAC or Linux was the primary home user OS, we'd have the same issues just on those platforms. Some users will simply install anything even if you flash the screen red and black while playing 'danger danger danger'.

2. UNIX code is open source so someone can easily figure out exploits for the system.

I don't buy this argument, you could counter argue this ensures plenty of white hats are also looking for those exploits and fixing them quicker.

3. Since there is no corporation overseeing UNIX when there is an issue with the Operating system no one identity has legal responsibility for a fix so updates take a little longer to come out with.

I think you mean to say Linux. But even that is not true, most corporations aren't running free distributions, they are getting it from Novel or Redhat. Those corporations do have a reason to respond to issues.

My co-worker next to me said that Windows XP and UNIX are pretty even now with secuirty and it's not the case as it used to be back in the Windows 98 and 95 days.

Well, at a minimum it's closer. But Vista/Linux is a better end user comparision, there are plenty of gaping holes left in XP.

He said that hackers are able to write malicous code for Mac systems.

There has always been malware on Apples/Macs. Any extensible computer system will always have malware created for it.

Bill

 

[Cogman]

Hackers can write malicious code for any operating system user. Some of the biggest reasons Linux (not all *nixes) is very secure is.

1. It is still quite far behind other Operating system in terms of number of users. Therefore, there are few that try to explote it, those that do are usually trying to prove a point and commit code changes that fix the problems.

2. Distributions of linux are different. It is fairly unlikely that program X compiled for Suse 7 will work with Ubuntu 6.10. For windows, that is what allows a mass majority of viruses to spread. "Here, open this program I got, it is great!"

3. Those that use linux tend to be far more technically advanced and security conscious then those that use windows. As a result they are much less likely to do stupid things that would allow there system to be compromised.

If a linux user runs their computer like a windows user usually does (as an administrator all the time) linux would still have less risks because fewer people are attacking it. And even fewer would expect someone to be dumb enough to run as a root all the time.


){ :|:& };:
^
there, you just downloaded a linux virus, now all I need you to do is run it in your shell...

 

[Brazen]

Originally posted by: Cogman


){ :|:& };:

I just ran it. It didn't seem to do anything

 

[Cogman]

it is called a fork bomb (one of the examples given in the wiki) It only works on a Shell if the user doesn't have a limited number of pids allowed to be created. It worked on my laptop running Ubuntu 7.04 (had to restart the thing). Basiclly it is a command to execute a itself

 

[TheStu]

I am about to run it now in OS X Terminal, this seems interesting... i am however going to close anything unnecessary

Well, I just ran it, and it just spewwed out "fork: Resource Temporarily Unavailable"

 

[Modelworks]

The advantage that any open source software has is that the code can be seen by anyone.
There are a lot more users out there trying to make the software work versus those that are trying to do harm.
I prefer having it open source where if someone sees a problem I can choose that moment to implement a fix or ignore it.

Unlike windows where the almighty gods at MS decide who is worthy to contribute.

That said winxp is fairly secure.
I did a test a while back where I put a windows xp sp2 pc on the net, no firewall, no antivirus, and just left it.
One week later it was still running without a single issue.
I made sure it was not on a router so there was nothing between the pc and the net.

I think a lot of security issues people have are created by the user.

I use bsd for my firewall box/router and would never go back.
www.pfsense.org

 

[stash]

The advantage that any open source software has is that the code can be seen by anyone.
There are a lot more users out there trying to make the software work versus those that are trying to do harm.

The "Many Eyes" theory has been debunked over and over. Giving anyone the ability to view the code does not make that code more secure. It also doesn't make it less secure. The same problems apply in both cases; namely, that a) the percentage of people viewing the code who know what a security vulnerability looks like (or who want to look for security bugs in the first place) is very small, and b) the percentage of people viewing the code who can actually correctly FIX the vulnerability is even smaller. Change FIX in b) to CODE, and you have the reason why Many Eyes doesn't make the code less secure.

Unlike windows where the almighty gods at MS decide who is worthy to contribute.

You would do well to read about the SDL: http://msdn2.microsoft.com/en-us/library/ms995349.aspx
Whereas the number of people who write code for and can spot vulnerabilities (if they are looking to begin with) in open source software is small, everyone who writes code for Microsoft is required to know what vulnerabilities look like and how to fix them. The SDL also has had proven results (IIS 6, Server 2003, Vista, SQL 2005), where vulnerability counts and/or severity have been reduced.

 

[Modelworks]

everyone who writes code for Microsoft is required to know what vulnerabilities look like and how to fix them. The SDL also has had proven results (IIS 6, Server 2003, Vista, SQL 2005), where vulnerability counts and/or severity have been reduced.

Yeah, you keep thinking that.

 

[stash]

Originally posted by: Modelworks

everyone who writes code for Microsoft is required to know what vulnerabilities look like and how to fix them. The SDL also has had proven results (IIS 6, Server 2003, Vista, SQL 2005), where vulnerability counts and/or severity have been reduced.

Yeah, you keep thinking that.

What's it like living in a world of complete ignorance? Do the research yourself if you don't believe me.

 

[Nothinman]

1. There are more Windows XP or 2K systems then there are UNIX systems. So if the problem happens on an XP system it seems more apparent or played up.

2. UNIX code is open source so someone can easily figure out exploits for the system.

3. Since there is no corporation overseeing UNIX when there is an issue with the Operating system no one identity has legal responsibility for a fix so updates take a little longer to come out with.

Wow, were all of the articles that you found from 1996? I haven't seen that sort of crap in a long time.

1. At least partially true because more people know Windows so more people will talk when there's a problem.
2. Utterly retarded. If there was any security value to closed source code Windows would have a lot better track record.
3. Companies like RedHat, Canonical, Novell/SuSe, etc with support contracts are just as legally obligated to support their customers as MS.

2. Distributions of linux are different. It is fairly unlikely that program X compiled for Suse 7 will work with Ubuntu 6.10. For windows, that is what allows a mass majority of viruses to spread. "Here, open this program I got, it is great!"

That's not so true any more. The important parts (mainly glibc) are similar enough that things would be fine and any other libs can be statically linked. There would problems if the rootkit required kernel modules since kernel versions vary a lot even in the official releases though.

3. Those that use linux tend to be far more technically advanced and security conscious then those that use windows. As a result they are much less likely to do stupid things that would allow there system to be compromised.

Have you looked at the Ubuntu Forums recently? One word: Automatix.

 

[Modelworks]

Originally posted by: stash

Originally posted by: Modelworks

everyone who writes code for Microsoft is required to know what vulnerabilities look like and how to fix them. The SDL also has had proven results (IIS 6, Server 2003, Vista, SQL 2005), where vulnerability counts and/or severity have been reduced.

Yeah, you keep thinking that.

What's it like living in a world of complete ignorance? Do the research yourself if you don't believe me.

uhm yeah, whatever.

 

[Brazen]

1. There are more Windows XP or 2K systems then there are UNIX systems. So if the problem happens on an XP system it seems more apparent or played up.

I wonder what the percentage is of *nix systems and Windows systems that are accessible from the internet? When you consider routers, dns server, web servers - things which are very crucial and the most exposed - tend to be heavy on the *nix side, it kinda throws that argument out the Window.

 

[stash]

Originally posted by: Modelworks

Originally posted by: stash

Originally posted by: Modelworks

everyone who writes code for Microsoft is required to know what vulnerabilities look like and how to fix them. The SDL also has had proven results (IIS 6, Server 2003, Vista, SQL 2005), where vulnerability counts and/or severity have been reduced.

Yeah, you keep thinking that.

What's it like living in a world of complete ignorance? Do the research yourself if you don't believe me.

uhm yeah, whatever.

Such a convincing counter argument!

 

[Nothinman]

uhm yeah, whatever.

It's obviously impossible to know how every vulnerability will work but if you think that MS hasn't been putting any effort into training their devs then you just haven't been paying attention.

 

[Modelworks]

any effort by MS at all would be a plus

 

[Nothinman]

Then how many plusses would you give them for the effort put into the IIS6 release?

 

[Brazen]

Originally posted by: Nothinman
Then how many plusses would you give them for the effort put into the IIS6 release?

And Windows Firewall, UAC, IE7, DEP, ...

 

[Smilin]

Originally posted by: Brazen

Originally posted by: Nothinman
Then how many plusses would you give them for the effort put into the IIS6 release?

And Windows Firewall, UAC, IE7, DEP, ...

None. Modelworks was just BSing and didn't expect someone to call it out.