Which is secure?...Windows or Linux

Well ,

i haven't been much into putting up posts these days.. i guess i was holidaying after scoring my 50... but ..i had to put up one over here coz..

1) This i feel is my field..(Linux)

2) I can understand the torture many of my frens are going through..

I first put my hands on a Linux box about 4 years back while i was doing my engg. and an hour later i was busy installing it. 5 hours later i swore i'll never touch linux again .....next day .. i got back to it again....only this time i was armed with information..i worked on it for bout a month or so to basically get a feel of it.

I next started working on it about a year ago .....it was part ofmy curriculum....learnt quite a bit from my frens...

One rule which i followed... under normal circumstances...u do not need to know more than 20 commands... with this set of commands u can practically find out about everything on the box..some of them are

ls
who
man
find
grep
whereis
locate
apropos
cd
pwd
rpm
tar
..........
its also a very good idea to read the man pages of these command once..and try out the various combinations.....keep a good book with u at all times..there is no substitute for that...

as far as security is concerned..i must say that both the systems are equally unsecure..though linux has a more secure architecture
but look at this way....suppose i have a win98 machine on the internet...and you have a linux machine....and a hacker comes along and compromises both our machines ,whose machine is it which can be used for more malicious purposes ???

To be quite honest, the debate about which is more secure really doesnt go anywhere... I get this quite a lot since I'm always trying to persuade people to use open-source (not necessarily economically free) alternatives to closed source products. Whenever people ask about a server, I usually recommend some nix variant.. and the first question that gets asked is 'why, because its more secure ?'.. I guess the general mindset is, I'm a security guy, I recommended Linux, it must be more secure.. thats not necessarily the case.

As I pointed out before, there are thousands of Linux systems out there that the admins have just about managed to get up and running, they haven't even thought about security.. however if you go get yourself someone knowledgeable, and they set it up properly, there is no competition.. you are a thousand times more secure than similar windows boxen.

One common arguement is that Windows appears more secure because hackers target it more.. this is a myth.. firstly, targetting a windows box is quite pointless, as maximus said.. owning a nix box is far more useful... you can actually do things with it other than playing solitaire.. therefore, serious attackers (who find vulnerabilities and write exploits -- not your 16 yr old wannabe types), will usually target a nix system.

Secondly, with regard to finding vulnerabilities.. it is actually easier in the open source world... which is a good thing ! The platform of closed source security revolves around security through obscurity. The thinking being "Yes there are bugs, this is insecure software, but if we hide it.. nobody will find it." This never works in practice.

The open-source universe works differently.. the thinking is "Yes everyone writes sloppy code, yes everyone makes mistakes, but you keep the code open and it will get noticed soon by other people who are looking over it"..

This leads to one advantage.. in the closed source world.. an attacker could potentially find a bug that security researchers wont know about.. in the open source world.. if someone finds a bug... other people will find it too.. because its easier.. Plus fixing open source software becomes so much easier because its all accessible.


Usually when I give this long diatribe, I end it with a simple well established truth.. Lets talk about crpyto systems.. it is universally acknowledged that proprietary crypto systems are not going to be secure... which do you trust more >

1. 3DES / AES
2. Proprietary 'secret' algorithm by the 'crypto experts' at XYZ Industries.

For cryptography to be proved secure, it has to be under conditions where THE ALGORITHM IS FULLY KNOWN.. you cannot say your crypto system is unbreakable because nobody can see the algorithm, its ridiculous, and it never works. Case in point:

The company where I work required copy-protection software.. we chose a very very popular product, that is patented, and is touted as unbreakable by the manufacturer..

When we used the product we were suprised that it required no key, passphrase.. nothing.. this led us to doing a little thinking about the product..

To cut a short story shorter, we broke the copy protection system in ten minutes, we also have a list of the hardcoded passwords that the product uses (think secret algorithm). The vendor has been informed. The do not believe its possible.. the first question they asked is 'how did you break our secret encryption !!'. Anyway the methodology is irrelevant.. my point here is that this is exactly how closed source security works.. on the assumption that if we hide the code, they will not find our mistakes. It never works.

Never.


Cheers