- Related Stories
-
Microsoft's blast from the past
August 12, 2004 -
Better tools let hackers strike more quickly
July 28, 2004 -
What Linux can learn from Windows
March 11, 2004 -
IDC: Windows cheaper than Linux
December 3, 2002
On Friday, David Aitel, a noted security professional and managing director of vulnerability assessment firm Immunity, published a paper stating that "owning" a computer--hacker-speak for compromising a system--is easier if the target computer runs Windows. While couched in puns and jokes, the paper takes a serious stance on the security of Windows compared with modern Linux, Aitel said.
"We are having some fun with it, but the underlying data and conclusions are real," he said.
The paper, titled "Microsoft Windows: A lower Total Cost of 0wnership," mocks other, typically Microsoft-funded, research, such as a study done by IDC that maintains Windows costs less to implement in four out of five corporate applications. Another such study, released by Forrester, found that a particular measure of the threat of vulnerabilities was higher for Linux than for Windows--but the data used by the study was broadly questioned.
The Aitel paper marks the first time that a security professional with hands-on experience of hacking both Linux and Windows systems has weighed in on the issue.
His conclusion: The security of Windows computers is easier to breach than modern Linux computers, despite more than two years of work by Microsoft to secure its operating system under its Trustworthy Computing initiative. Microsoft declined to comment on the paper.
The report has very little supporting data, however, making it less of a challenge to Microsoft and more of another voice in the long-running debate between the two operating-system camps.
Based on their tentative data, Immunity's researchers found that their average time to find a flaw in the Red Hat-sponsored Fedora Core 2 distribution of Linux was about six days--twice as long on average as it took to find previously unknown Windows vulnerabilities. Several factors affect that time, including better tools for finding flaws in Windows systems, better kernel-level defenses in Linux, and more known points in Windows to execute attack code, the researchers noted.
Microsoft recently released a massive security update for Windows XP, a reaction to the massive spread of the MSBlast, or Blaster, worm a year ago, but that still will not close most of the holes until a major security feature in PC processors is more widely available, Aitel said. That feature, known as the nonexecutable flag or write-XOR-execute bit, allows processors to prevent attackers from executing code. However, only Advanced Micro Devices has introduced the technology, which it calls enhanced virus protection (EVP), into its mainstream processors.
Adding to the security issues he has with Windows, Aitel pointed out that, while getting customers to patch is a problem for both platforms, Linux patching utilities update a wide variety of applications, not just the core operating system, as is typical of Windows fixes.
I know many folks, especially folks completely new to computers and experienced computer users whose experiences include several OSes, who find it very usable. In fact, I've not found anything that can't be done on it that anyone is doing on another system.
I have found people who are so locked into their systems that they can't work with anything else. But then, Linux is probably not for them either.
Wrong. Surf, e-mail,coding, graphic arts, music, etc. - everything I want my computer to do is done BETTER on Linux than on Windows.
If you like Windows better, that may say more about you than about Linux.
Windows does 2 things better - play games, and crash.
I have both windows and Linux servers and workstation in working production environments with real users on both. Both sides can do the same things. The Linux side is cheaper to purchase, run and maintain. The Windows side has a grwoing cost side and is prone to security problems, while a little more intuitive.
I have servers in both flavors that do both DNS, web and database and the only real difference is that the windows servers require regular reboots and are under almost constant attacks from script kiddies. The Linux servers just seem to keep on runnning without complaint and shrug off the feeble minded attemtps of the "evil doers".
Needless to say we (my company) are moving to a cheaper, more stable, more secure environment. The current windows users are learning that they can do everything they have done in the past and then some.
We heard the same line that you are spouting from some of them and have shown them that everything that they need is there. While there are a small few that refuse to grow and move forward we will miss them.
because the computer never gets used."
- Hardly used? I use mine just about every day.
I use it for the same reason anybody else in
business would - office-based applications,
banking and some flowcharting. I'm not much
into games except on the console and since I
have no real reason to use Windows and open my
files up to the world, despite Microsoft's "best
efforts" to patch, I won't install it. Remotely
printing is a necessity and that was set up
without installing bloated driver and
application software like what's found on a
typical Windows-based printer CD (read HP).
"There are lots and lots of application
available for Linux, they just all do the same
thing as other applications."
- Those same applications are available for
Windows as well and not privileged just to Linux
- various editors, graphics applications, office
applications, flowcharting applications, CAD,
etc. The good thing is that they're all free,
as opposed to all the shareware, ad-ware, and
non-freeware apps you'd have to shell out money
for. Real innovation is derived from user
input, not $$$.
"Forget usability, for Linux, there is none."
- That being the case, you wouldn't see this
response to your 100% baseless claims.
"Linux needs a lot of work to make it as easy to
use as the Macintosh, at least, not to mention
getting it to the usability level of Windows."
- The computer is only as useful as the user
wants to make it with the software that's given
to him or her. Linux, for all intents of this
discussion, refers to the actual kernel, which,
in itself, is very very usable. There is a lot
of hardware support that isn't dependent on
vendor-specific drivers - it's all in the chip,
which is as it should be. PnP specifications
with PnP ID's was a disaster - coming from a
company that used PnP ID's in various products
ranging from sound cards to modems to even video
and network cards, I can say that it was the
most painful thing I ever had to work with, no
to mention tweaking the INF files for them to
work with Windows. Now if you wish to talk
about usability with regards to the software you
can build on top of it, talk to the various open
source project developers: KDE - which I'm
using quite nicely, Gnome, OpenOffice, GIMP,
Mozilla, OpenSSH, Apache, OpenSSL. If you're
going to complain about usability, at least be
correct in your specifics - the Linux kernel
isn't software to be used by the user as an
application.
"When Linux grows up, then maybe we might have
something to talk about."
- When you learn how to differentiate between
what is and what isn't a usable application,
then we may have a worthwhile debate.
I know many folks, especially folks completely new to computers and experienced computer users whose experiences include several OSes, who find it very usable. In fact, I've not found anything that can't be done on it that anyone is doing on another system.
I have found people who are so locked into their systems that they can't work with anything else. But then, Linux is probably not for them either.
Wrong. Surf, e-mail,coding, graphic arts, music, etc. - everything I want my computer to do is done BETTER on Linux than on Windows.
If you like Windows better, that may say more about you than about Linux.
Windows does 2 things better - play games, and crash.
I have both windows and Linux servers and workstation in working production environments with real users on both. Both sides can do the same things. The Linux side is cheaper to purchase, run and maintain. The Windows side has a grwoing cost side and is prone to security problems, while a little more intuitive.
I have servers in both flavors that do both DNS, web and database and the only real difference is that the windows servers require regular reboots and are under almost constant attacks from script kiddies. The Linux servers just seem to keep on runnning without complaint and shrug off the feeble minded attemtps of the "evil doers".
Needless to say we (my company) are moving to a cheaper, more stable, more secure environment. The current windows users are learning that they can do everything they have done in the past and then some.
We heard the same line that you are spouting from some of them and have shown them that everything that they need is there. While there are a small few that refuse to grow and move forward we will miss them.
because the computer never gets used."
- Hardly used? I use mine just about every day.
I use it for the same reason anybody else in
business would - office-based applications,
banking and some flowcharting. I'm not much
into games except on the console and since I
have no real reason to use Windows and open my
files up to the world, despite Microsoft's "best
efforts" to patch, I won't install it. Remotely
printing is a necessity and that was set up
without installing bloated driver and
application software like what's found on a
typical Windows-based printer CD (read HP).
"There are lots and lots of application
available for Linux, they just all do the same
thing as other applications."
- Those same applications are available for
Windows as well and not privileged just to Linux
- various editors, graphics applications, office
applications, flowcharting applications, CAD,
etc. The good thing is that they're all free,
as opposed to all the shareware, ad-ware, and
non-freeware apps you'd have to shell out money
for. Real innovation is derived from user
input, not $$$.
"Forget usability, for Linux, there is none."
- That being the case, you wouldn't see this
response to your 100% baseless claims.
"Linux needs a lot of work to make it as easy to
use as the Macintosh, at least, not to mention
getting it to the usability level of Windows."
- The computer is only as useful as the user
wants to make it with the software that's given
to him or her. Linux, for all intents of this
discussion, refers to the actual kernel, which,
in itself, is very very usable. There is a lot
of hardware support that isn't dependent on
vendor-specific drivers - it's all in the chip,
which is as it should be. PnP specifications
with PnP ID's was a disaster - coming from a
company that used PnP ID's in various products
ranging from sound cards to modems to even video
and network cards, I can say that it was the
most painful thing I ever had to work with, no
to mention tweaking the INF files for them to
work with Windows. Now if you wish to talk
about usability with regards to the software you
can build on top of it, talk to the various open
source project developers: KDE - which I'm
using quite nicely, Gnome, OpenOffice, GIMP,
Mozilla, OpenSSH, Apache, OpenSSL. If you're
going to complain about usability, at least be
correct in your specifics - the Linux kernel
isn't software to be used by the user as an
application.
"When Linux grows up, then maybe we might have
something to talk about."
- When you learn how to differentiate between
what is and what isn't a usable application,
then we may have a worthwhile debate.
http://www.immunitysec.com/resources-papers.shtml
It's the newest paper (August 12). Your first clue about the content is seen before your read a single word of the paper: It is offered as a .sxw (OpenOffice.org), or as a pdf (Adobe/XPDF/etc.), but not as a .doc file.
The Executive Summary has a pie chart showing the "Difficulty of owning Windows" being only 1/2 as large as the difficulty to make the pie chart. He goes on to say things such as "Finding a vulnerability is like finding a fish", but instead of following up with talk about learning to fish, he goes off into another analogy about Nascar Drivers who drive Dodge Neons. Then he goes back to the fish: you don't need to learn how to fish in the Windows Pond, because Microsoft gives away so many free Win32 fish in their patches.
He concludes, "the best platfrom for your targets to be running is Microsoft Windows, allowing you unparalleled value for their dollar. This result reinforces the fact that it is important to consider more than just licensing fees when your targets choose their OS...."
To paraphrase, just because Windows costs a LOT MORE MONEY than Free Software doesn't mean that the revenue has made buyers of Windows OS Software more safe from YOUR "()nuRShi%p" of THEIR computers.
"Windows has demonstrated itself to be the top contender... in both the server and desktop space for" (lowest) "Total Cost of Ownership".
There are a few facts sprinkled in here and there, but the data consists "Time to 0day" values for 10 exploits. (Immunity's Management REQUESTS a vulnerability against an OS, and the researchers deliver it. LOL!) The table shows an average of 3 days per Windows Exploit, 6 days per Linux exploit, and only 1 hour per Mac OS X exploit. (He goes on to sneer that there's really no need to discuss the "toy" MAC OS X. LOL again!)
It is a white paper and not really for the lay reader, however, anyone can easily find them --
http://www.immunitysec.com/downloads/tc0.pdf
http://www.immunitysec.com/downloads/tc0.sxw
These are two common formats -- and Adobe provides a free reader (along with ghostview and a few others) for the pdf format.
"Your first clue about the content is seen before your read a single word of the paper:"
Not true. Your first clue about the content, and it goes way beyond a clue and gives away the conclusion, is in the title. You obviously didn't understand that this is really a paper about the ease of hacking into and gaining control of someone's computer. The word "ownership" is spelled not with a capital "o" but with a zero. To 0wn a computer is to be able to control it at the root level -- this is a hacking term well understood by those in the computer security industry.
The paper's conclusion (that it's much easier to compromise a Windows system than a Linux system) has been well-known for ages, but its contribution is by providing the precise details regarding why that is true. Again, as you clearly demonstate, this paper was not written for the lay reader who is not privy to how these studies are done or even what the terminology is actually referring to.
An example of a standard procedure you don't understand at all: "(Immunity's Management REQUESTS a vulnerability against an OS, and the researchers deliver it. LOL!)"
And this is an example of how you don't understnad the data provided: "The table shows an average of 3 days per Windows Exploit, 6 days per Linux exploit, and only 1 hour per Mac OS X exploit. (He goes on to sneer that there's really no need to discuss the "toy" MAC OS X. LOL again!"
The only thing you got right that most people got wrong is that you did notice there was data -- many folks thought the paper had no data at all -- and the author of the CNET article is also guilty of that mistake.
Immunity is measuring how long it takes (in their case, an expert) to hack into a system correctly installed and configured according to the manufacturer's specifications.
The precise details of the vulnerability the hacker (who is a member of Immunity's staff) exploited to gain control at the root level of the system in question is the 0day.
"Number of 0day" means number of exploitable vulnerabilities (otherwise known as "fish" in this report).
For OS X, they caught three fish or exploitable vulnerabilities ("Number of 0day") and they were found by Immunity's researchers on average within an hour from when they started looking for them ("Average Time"). There were four fish caught for Windows, and they were found within three days of looking for them. For Linux, they caught three fish and it took six days to get them.
Typically, these studies are done with more than one staff member attempting the hacks. The average time is the average of all of their times to a successful hack. This is standard in the computer security industry.
What typically happens, then, is that they notify the software manufacturer about the vulnerabilities they found and provide the details of how it works.
In the Mac example, Immunity would alert Apple that they need to fix the three newly identified problems. In addition, Immunity would also be required to alert certain regulatory agencies about the newly identified vulnerabilities. Apple would then fix the problem, ensure that Mac users get the fix, and alert the regulatory agencies that the problem has been dealt with. Finally, the regulatory agencies publish the details of the exploitable vulnerability.
When this works correctly, there is no user or enterprise system that actually gets infected. The whole procedure is intended to prevent that from happening.
Regulatory agencies do put time limits on how long a software manufacturer has to close the potential exploit, and they will publish the details before an exploit is taken care of, if the software manufacturer takes too long to adequately respond to the alert.
Normally a paper like this would not be reported in the popular media. I think it was because there is so little being written to counter the huge offensive that Microsoft has been engaging in against Linux. MS has taken out loads of ads claiming they have a lower TCO and as well as booking media tours focusing on spreading that claim. So far, none of the TCO "studies" they've sponsored have passed muster, even among folks who aren't sure of all of the issues.
Before MS got scared (because they started losing a lot of business), they used to flip their customers the bird if the customer complained that the costs were getting too high, and they would suggest that the customer try Linux. MS hasn't done that in years. They've discovered that too many of their former customers loved Linux once they were forced to try it.
When a report like this one written by a highly respected member of his profession comes out, the media swoop down on it to have something to provide the appearance of balanced reporting.
http://www.immunitysec.com/resources-papers.shtml
It's the newest paper (August 12). Your first clue about the content is seen before your read a single word of the paper: It is offered as a .sxw (OpenOffice.org), or as a pdf (Adobe/XPDF/etc.), but not as a .doc file.
The Executive Summary has a pie chart showing the "Difficulty of owning Windows" being only 1/2 as large as the difficulty to make the pie chart. He goes on to say things such as "Finding a vulnerability is like finding a fish", but instead of following up with talk about learning to fish, he goes off into another analogy about Nascar Drivers who drive Dodge Neons. Then he goes back to the fish: you don't need to learn how to fish in the Windows Pond, because Microsoft gives away so many free Win32 fish in their patches.
He concludes, "the best platfrom for your targets to be running is Microsoft Windows, allowing you unparalleled value for their dollar. This result reinforces the fact that it is important to consider more than just licensing fees when your targets choose their OS...."
To paraphrase, just because Windows costs a LOT MORE MONEY than Free Software doesn't mean that the revenue has made buyers of Windows OS Software more safe from YOUR "()nuRShi%p" of THEIR computers.
"Windows has demonstrated itself to be the top contender... in both the server and desktop space for" (lowest) "Total Cost of Ownership".
There are a few facts sprinkled in here and there, but the data consists "Time to 0day" values for 10 exploits. (Immunity's Management REQUESTS a vulnerability against an OS, and the researchers deliver it. LOL!) The table shows an average of 3 days per Windows Exploit, 6 days per Linux exploit, and only 1 hour per Mac OS X exploit. (He goes on to sneer that there's really no need to discuss the "toy" MAC OS X. LOL again!)
It is a white paper and not really for the lay reader, however, anyone can easily find them --
http://www.immunitysec.com/downloads/tc0.pdf
http://www.immunitysec.com/downloads/tc0.sxw
These are two common formats -- and Adobe provides a free reader (along with ghostview and a few others) for the pdf format.
"Your first clue about the content is seen before your read a single word of the paper:"
Not true. Your first clue about the content, and it goes way beyond a clue and gives away the conclusion, is in the title. You obviously didn't understand that this is really a paper about the ease of hacking into and gaining control of someone's computer. The word "ownership" is spelled not with a capital "o" but with a zero. To 0wn a computer is to be able to control it at the root level -- this is a hacking term well understood by those in the computer security industry.
The paper's conclusion (that it's much easier to compromise a Windows system than a Linux system) has been well-known for ages, but its contribution is by providing the precise details regarding why that is true. Again, as you clearly demonstate, this paper was not written for the lay reader who is not privy to how these studies are done or even what the terminology is actually referring to.
An example of a standard procedure you don't understand at all: "(Immunity's Management REQUESTS a vulnerability against an OS, and the researchers deliver it. LOL!)"
And this is an example of how you don't understnad the data provided: "The table shows an average of 3 days per Windows Exploit, 6 days per Linux exploit, and only 1 hour per Mac OS X exploit. (He goes on to sneer that there's really no need to discuss the "toy" MAC OS X. LOL again!"
The only thing you got right that most people got wrong is that you did notice there was data -- many folks thought the paper had no data at all -- and the author of the CNET article is also guilty of that mistake.
Immunity is measuring how long it takes (in their case, an expert) to hack into a system correctly installed and configured according to the manufacturer's specifications.
The precise details of the vulnerability the hacker (who is a member of Immunity's staff) exploited to gain control at the root level of the system in question is the 0day.
"Number of 0day" means number of exploitable vulnerabilities (otherwise known as "fish" in this report).
For OS X, they caught three fish or exploitable vulnerabilities ("Number of 0day") and they were found by Immunity's researchers on average within an hour from when they started looking for them ("Average Time"). There were four fish caught for Windows, and they were found within three days of looking for them. For Linux, they caught three fish and it took six days to get them.
Typically, these studies are done with more than one staff member attempting the hacks. The average time is the average of all of their times to a successful hack. This is standard in the computer security industry.
What typically happens, then, is that they notify the software manufacturer about the vulnerabilities they found and provide the details of how it works.
In the Mac example, Immunity would alert Apple that they need to fix the three newly identified problems. In addition, Immunity would also be required to alert certain regulatory agencies about the newly identified vulnerabilities. Apple would then fix the problem, ensure that Mac users get the fix, and alert the regulatory agencies that the problem has been dealt with. Finally, the regulatory agencies publish the details of the exploitable vulnerability.
When this works correctly, there is no user or enterprise system that actually gets infected. The whole procedure is intended to prevent that from happening.
Regulatory agencies do put time limits on how long a software manufacturer has to close the potential exploit, and they will publish the details before an exploit is taken care of, if the software manufacturer takes too long to adequately respond to the alert.
Normally a paper like this would not be reported in the popular media. I think it was because there is so little being written to counter the huge offensive that Microsoft has been engaging in against Linux. MS has taken out loads of ads claiming they have a lower TCO and as well as booking media tours focusing on spreading that claim. So far, none of the TCO "studies" they've sponsored have passed muster, even among folks who aren't sure of all of the issues.
Before MS got scared (because they started losing a lot of business), they used to flip their customers the bird if the customer complained that the costs were getting too high, and they would suggest that the customer try Linux. MS hasn't done that in years. They've discovered that too many of their former customers loved Linux once they were forced to try it.
When a report like this one written by a highly respected member of his profession comes out, the media swoop down on it to have something to provide the appearance of balanced reporting.
So thanks for acknowledging that error.
Whether or not the other commenters who posted here missed the white paper's point is not apparent from their posts, since they were responding to other comments and not to the story or white paper. However, it is clear that most commenters on other boards where the story got discussed missed the distinction completely.
- Ho hum.
- by August 21, 2004 5:22 PM PDT
- Thanks for pointing out it's a TC0 study, not a TCO study. I'm sure a lot of us would have completely missed that otherwise.
- Like this Reply to this comment
-
-
- You're welcome
- by dhk August 22, 2004 9:42 AM PDT
- It's apparent from your comments as well as the comments of James Freedle and Rick Stockton that you three did miss that it was a TC0 study. You three thought it was something else. In your case, you explicitly say you thought it was written "tongue in cheek" and therefore not a technical report at all.
- Like this
-
(50 Comments)So thanks for acknowledging that error.
Whether or not the other commenters who posted here missed the white paper's point is not apparent from their posts, since they were responding to other comments and not to the story or white paper. However, it is clear that most commenters on other boards where the story got discussed missed the distinction completely.