Finger info for email@example.com...
I've been reading a lot lately about how Windows is more secure than Linux,
Linux is more secure than Windows, and no one cares about Apple.
I'm fairly convinced that arguing over which operating system is more
secure is wasting breath. Here is my attempt to catalog a few points that
people tend to omit or ignore when they write on the subject.
The term "Linux" really only refers to the kernel. This is why some
strange-looking people that smell faintly of ganja will tell you that
"Linux" should actually be called "GNU/Linux". When people say "Linux",
however, they almost never refer to only the kernel. It's anyone's guess
as to what they're actually referring, because a system based on the Linux
kernel can take many forms. It's not uncommon for two different Linux
systems to be completely different.
Now compare this to Windows. I know how to use Windows. This means that
I can sit down at any Windows-based system and use it effectively. Windows
is uniform. There are of course exceptions, but any Windows vulnerability
will very likely be present in every Windows system everywhere. There is
no correlation to this when vulnerabilities for Linux are announced.
There are a myriad of distributors for Linux-based systems, and it is
likely that not all will be affected by any given bug. Even looking past
distributions, every Linux user has a different array of programs
installed. Depending on how careful I am, 30 security advisories could
come and go before one that affects my Linux box appears. With my Windows
box, I'm going to have to pay attention to each and every advisory.
- Source Availability
It's not entirely fair to associate all open source software with Linux
and all closed source software with Windows, but many authors make these
associations. While this may not be valid in reality, it is a handy
generality, since Linux is an open source OS and Windows is closed source.
At first glance, closed source software seems like a walled city while
open source software looks like a vinyl tent when it comes to security.
However, if you keep your valuable possessions in a walled city, you
may assume that the massive wall will provide all the security that you
will need. If you know that your valuable possessions are going to be
kept in a vinyl tent, you won't be tempted to trust the security of the
tent itself. You have to think of more clever ways to secure your
What people don't realize is that there are people out there that are
experts at scaling walls. It takes longer to scale a wall than it does
to open up a tent, but once the wall is scaled and the tent is open, if
you don't have a backup plan, your gold is as good as gone.
The strength of open source software is that it doesn't have to rely on
a wall it did not build. This is also a weakness. If you keep your
valuables in a tent, a clever thief has more time to examine the apparatus
you are using to protect them. The trick is to outsmart the thief, and
buliding a bigger wall isn't going to help.
Open source software and closed source software can't be judged by the
wall or the tent alone. They have to be judged by the strength of the
safe that's inside.
- User base
Each day I become more and more convinced that the security of a system
has less to do with the system itself and more to do with the user or users
of the system. Linux and Windows has vastly different user bases, due to
their differing designs. Windows is made for people that don't know a
mouse from a printer. Linux is made for people that enjoy watching ext2's
fsck progress meter for 40 minutes after the power went out.
If I have 3 knowledgeable people using Windows and 3 clueless people using
Linux, it doesn't take a genius to guess that the Windows systems will be
more secure than the Linux ones. It doesn't take a genius to realize that
the people who get hacked more are going to be the ones that know less
about securing their systems.
There is no doubt in my mind that people will continue wasting their breath
trying to compare the size of their... uh... penguins in "My OS is more
secure than yours" debates. However the question of which operating system
is more secure is completely invalid. Comparisons have to be made at the
software level if they are going to be made at all. For example, trying to
compare the security of Linux and Windows is invalid, but trying to compare
the security of Apache and IIS is acceptable. Still, while all you
columnists are getting out your rulers, remember that the true measure of
the security of a system is in the users of that system.
When this .plan was written: 2002-11-17 22:08:17
.plan archives for this user are here (RSS here).
Powered by IcculusFinger v2.1.27
Stick it in the camel and go.