I've been reading a lot lately about how Windows is more secure than Linux, Linux is more secure than Windows, and no one cares about Apple. I'm fairly convinced that arguing over which operating system is more secure is wasting breath. Here is my attempt to catalog a few points that people tend to omit or ignore when they write on the subject.

- Uniformity

The term "Linux" really only refers to the kernel. This is why some strange-looking people that smell faintly of ganja will tell you that "Linux" should actually be called "GNU/Linux". When people say "Linux", however, they almost never refer to only the kernel. It's anyone's guess as to what they're actually referring, because a system based on the Linux kernel can take many forms. It's not uncommon for two different Linux systems to be completely different.

Now compare this to Windows. I know how to use Windows. This means that I can sit down at any Windows-based system and use it effectively. Windows is uniform. There are of course exceptions, but any Windows vulnerability will very likely be present in every Windows system everywhere.

There is no counterpart to this when vulnerabilities for Linux are announced. There are a myriad of distributors for Linux-based systems, and it is likely that not all will be affected by any given bug. Even looking past distributions, every Linux user has a different array of programs installed. Depending on how careful I am, 30 security advisories could come and go before one that affects my Linux box appears. With my Windows box, I'm going to have to pay attention to each and every advisory.

- Source Availability

It's not entirely fair to associate all open source software with Linux and all closed source software with Windows, but many authors make these associations. While this may not be valid in reality, it is a handy generality, since Linux is an open source OS and Windows is closed source.
At first glance, closed source software seems like a walled city while open source software looks like a vinyl tent when it comes to security. However, if you keep your valuable possessions in a walled city, you may assume that the massive wall will provide all the security that you will need. If you know that your valuable possessions are going to be kept in a vinyl tent, you won't be tempted to trust the security of the tent itself. You have to think of more clever ways to secure your valuables.

What people don't realize is that there are people out there that are experts at scaling walls. It takes longer to scale a wall than it does to open up a tent, but once the wall is scaled and the tent is open, if you don't have a backup plan, your gold is as good as gone.

The strength of open source software is that it doesn't have to rely on a wall it did not build. This is also a weakness. If you keep your valuables in a tent, a clever thief has more time to examine the apparatus you are using to protect them. The trick is to outsmart the thief, and building a bigger wall isn't going to help. Open source software and closed source software can't be judged by the wall or the tent alone. They have to be judged by the strength of the safe that's inside.

- User base

Each day I become more and more convinced that the security of a system has less to do with the system itself and more to do with the user or users of the system. Linux and Windows have vastly different user bases, due to their differing designs. Windows is made for people that don't know a mouse from a printer. Linux is made for people that enjoy watching ext2's fsck progress meter for 40 minutes after the power went out. If I have 3 knowledgeable people using Windows and 3 clueless people using Linux, it doesn't take a genius to guess that the Windows systems will be more secure than the Linux ones.
It doesn't take a genius to realize that the people who get hacked more are going to be the ones that know less about securing their systems.

There is no doubt in my mind that people will continue wasting their breath trying to compare the size of their... uh... penguins in "My OS is more secure than yours" debates. However, the question of which operating system is more secure is completely invalid. Comparisons have to be made at the software level if they are going to be made at all. For example, trying to compare the security of Linux and Windows is invalid, but trying to compare the security of Apache and IIS is acceptable. Still, while all you columnists are getting out your rulers, remember that the true measure of the security of a system is in the users of that system.