This article from BetaDot came across my inbox this morning. When I saw the title, "Linux Vs. Windows Security: How About The Truth?", I was very interested. I think there's an opportunity here for someone to "crack the nut open." There are two camps out there: the "Linux is more secure" and the "Windows is more secure." Both are vocal, both have "independent analysis" to back their position (both paid and unpaid,) and both have reasoned and considered arguments. I, for one, would like to see a definitive analysis on this topic. This article is not it.
This article claims to be about "the truth", but the content doesn't live up. In short, we don't have any "truth" - just opinion. There's no case built describing why one security model is better than the other, no facts, no tests, no analysis. Take this paragraph for example:
The general design of Linux gives it an inherited security boost. Where Windows looks like it was a little hacked together, a bunch of different ideas stacked on top of each other in attempt to make something that “just works,” Linux shows the true makings of a Unix-based operating system: proper user support and file permissions, all kinds of little applications all handled by different groups to keep the security policy layered and a kernel which doesn’t contain unnecessary bloat.
So according to the author, Linux is better because it has "proper user support and file permissions," because it has "little applications all handled by different groups," and because it doesn't have "unecessary bloat." How do we know these things? For example, how can we quantify the amount "bloat" in Windows vs. the amount of bloat in the average Linux distribution? It's not "self-evident" as this article assumes; in my opinion, the only way to tell would be analysis of the source code - which clearly hasn't been done here. Basing an opinion like this on anything else (such as the size of the distribution,) is deceptive - last time I checked, XP was on one CD-ROM and Fedora was on 4. Does that make Windows less "bloated"?
I won't even go into the different models of access control, but ACL's (as per Windows) are very different from permission bits (as per Linux) - each serves a very different purpose and to say that one is "better than" the other really depends on who you ask. Ask someone who advocates simplicity of design, and you're likely to hear that the linux model is superior; ask someone like DISA and you're likely to hear Windows is better.
Finally, according to the author, the contra-evidence about Window's inferiority is based totally on subjectivity and opinion ("...Windows looks like it was hacked together...") So, casual observation is out test crieria?
All in all, this is not what I was looking for.
Posted by Ed at October 24, 2005 10:01 AM