That should be foremost in your mind when you see reports about “Linux” being less secure than $PROPRIETARY_OPERATING_SYSTEM, like the one published by security firm mi2g recently.
To start with, there’s the old canard of lumping Linux together with everything else that’s running on the server. That is, if your box gets rooted through the web or mail server it’s running, it was Linux that got cracked. This over-simplification isn’t helpful, especially when you consider that the same servers can run on other operating systems as well, even Windows.
What the insecurity reports really tell us is that open source software is being deployed on a large scale. Further, they tell us that the deployment is done with cost-cutting as the primary goal, not security.
I know this, because not a day goes by when I don’t hear of someone trying to save money by pulling an old PC out of the closet and installing an ancient Linux distribution on it. Of course, then the system gets connected to the internet -- and gets broken into within hours. Even though there’s been plenty of publicity about how hostile the internet is, people persist with the digital equivalent of bending over trouser-less in a shipyard with “Hello Sailor!” scribbled across their buttocks.
The scene in The Matrix where Trinity cracked the computer controlling the power grid was probably more true to life than the directors intended: the version of SSH featured in the scene was ancient and vulnerable, with ready-rolled cracking scripts available for it. So much for the future, huh?
Unfortunately, there isn’t a great deal to be done about this sort of user behaviour. It will continue to happen, with some people figuring out what they did wrong and others blaming “Linux” for being insecure.
Possibly taking a cue from the likes of OpenBSD, Microsoft has made Windows Server 2003 behave in the opposite fashion to its predecessors. That is, you have to explicitly start up the services you wish to run on the server; no longer does Windows light up like a Christmas tree, promiscuously offering potentially insecure services to anyone asking for them.
This is a good thing, of course, and Microsoft even provides a check list to help admins avoid common security bugaboos. But from there to say that Windows is now more secure than “Linux” is a bit of a stretch in my opinion.
For starters, when you fire up a service in Windows it is usually dependent on a number of other services to run. Nothing wrong with that per se, but do you know what they all do and whether or not there are security issues to consider?
Second, even if Microsoft is somehow able to write totally secure code for all the components in Windows, you might want to run a third-party application on the server or one that your developers have written. Will that one be as secure as the rest of the OS, or literally serve as an entry point into your network?
Ultimately, security is much less dependent on the OS than the marketroids will have us believe. Linux distributions can be secure, ditto Windows, but blind trust in reports that keep generalised tallies of cracked boxes won’t get you there.