[Eug-lug] __Why__ Linux is more secure than Windows.

Neil Parker nparker at LLX.COM
Fri Apr 14 22:06:40 PDT 2006 

Larry Price wrote,
>interesting article on zdnet
>http://blogs.zdnet.com/threatchaos/?p=311
>
>It confirms the perceptions and prejudices of most of us on this list, I'm sure.
>What I find fascinating about it is that it's the first time I've seen
>a solid metric
>covering the actual behaviour of the SUT  that acts as a predictor for
>how vulnerable the system is likely to be in real life.

I dunno...with the proviso that I haven't actually dug through the
pile'o'pdfs at sanasecurity.com, my immediate reaction is that the graphs
have been misinterpreted.  They're not so much an argument about why Linux
is more secure than Windows, but why Apache is more secure than IIS.

And I'm not really sure they show even that.  There's no indication on
either graph (at least none that I can read) that shows just what's being
graphed.  I presume the nodes are the system calls, and the lines
are tracing data used in more than one system call, but that's just a
guess.  If the nodes are the system calls, then it's not obvious to my eye
that the Windows/IIS graph has significantly more of them than the
Linux/Apache one...most of the difference seems to be in the messiness of
the connecting lines, and who's to say that a good sorting algorithm run
on the Windows/IIS graph might not neaten it up like the Linux/Apache
graph?

I can think of two much better tests than the one shown in the article:
1.  Compare Apache on Linux vs. Apache on Windows.
2.  Compare Apache on Windows vs. IIS on Windows.

Either one would eliminate an independent variable, resulting in much more
meaningful statistics.


Even biased as I am to believe that Linux is better than Windows and that
Apache is better than IIS, I don't think I believe that those graphs prove
what they purport to prove.  (The more I think about it, the more
convinced I am that what they prove is that people who don't know how to
design good scientific studies shouldn't trusted to design studies.)

              - Neil Parker

More information about the EUGLUG mailing list