Finger info for theoddone33@icculus.org...



I've been reading a lot lately about how Windows is more secure than Linux,
Linux is more secure than Windows, and no one cares about Apple.

I'm fairly convinced that arguing over which operating system is more
secure is wasting breath. Here is my attempt to catalog a few points that
people tend to omit or ignore when they write on the subject.

- Uniformity

  The term "Linux" really only refers to the kernel. This is why some
  strange-looking people that smell faintly of ganja will tell you that
  "Linux" should actually be called "GNU/Linux". When people say "Linux",
  however, they almost never refer to only the kernel. It's anyone's guess
  as to what they're actually referring to, because a system based on the Linux
  kernel can take many forms. It's not uncommon for two different Linux
  systems to be completely different.

  Now compare this to Windows. I know how to use Windows. This means that
  I can sit down at any Windows-based system and use it effectively. Windows
  is uniform. There are of course exceptions, but any Windows vulnerability
  will very likely be present in every Windows system everywhere. There is
  no correlation to this when vulnerabilities for Linux are announced.
  There are a myriad of distributors for Linux-based systems, and it is
  likely that not all will be affected by any given bug. Even looking past
  distributions, every Linux user has a different array of programs
  installed. Depending on how careful I am, 30 security advisories could
  come and go before one that affects my Linux box appears. With my Windows
  box, I'm going to have to pay attention to each and every advisory.

- Source Availability

  It's not entirely fair to associate all open source software with Linux
  and all closed source software with Windows, but many authors make these
  associations. While this may not be valid in reality, it is a handy
  generality, since Linux is an open source OS and Windows is closed source.

  At first glance, closed source software seems like a walled city while
  open source software looks like a vinyl tent when it comes to security.
  However, if you keep your valuable possessions in a walled city, you
  may assume that the massive wall will provide all the security that you
  will need. If you know that your valuable possessions are going to be
  kept in a vinyl tent, you won't be tempted to trust the security of the
  tent itself. You have to think of more clever ways to secure your
  valuables.

  What people don't realize is that there are people out there that are
  experts at scaling walls. It takes longer to scale a wall than it does
  to open up a tent, but once the wall is scaled and the tent is open, if
  you don't have a backup plan, your gold is as good as gone.

  The strength of open source software is that it doesn't have to rely on
  a wall it did not build. This is also a weakness. If you keep your
  valuables in a tent, a clever thief has more time to examine the apparatus
  you are using to protect them. The trick is to outsmart the thief, and
  building a bigger wall isn't going to help.

  Open source software and closed source software can't be judged by the
  wall or the tent alone. They have to be judged by the strength of the
  safe that's inside.

- User base

  Each day I become more and more convinced that the security of a system
  has less to do with the system itself and more to do with the user or users
  of the system. Linux and Windows have vastly different user bases, due to
  their differing designs. Windows is made for people that don't know a
  mouse from a printer. Linux is made for people that enjoy watching ext2's
  fsck progress meter for 40 minutes after the power went out.

  If I have 3 knowledgeable people using Windows and 3 clueless people using
  Linux, it doesn't take a genius to guess that the Windows systems will be
  more secure than the Linux ones. It doesn't take a genius to realize that
  the people who get hacked more are going to be the ones that know less
  about securing their systems.

There is no doubt in my mind that people will continue wasting their breath
trying to compare the size of their... uh... penguins in "My OS is more
secure than yours" debates. However the question of which operating system
is more secure is completely invalid. Comparisons have to be made at the
software level if they are going to be made at all. For example, trying to
compare the security of Linux and Windows is invalid, but trying to compare
the security of Apache and IIS is acceptable. Still, while all you
columnists are getting out your rulers, remember that the true measure of
the security of a system is in the users of that system.

When this .plan was written: 2002-11-17 22:08:17