Rebecca Mints   
Thursday, 10 April 2008

This year's RSA Conference was the grounds for a classic debate on which OS is more secure - Microsoft Windows or Linux. The two experts could not agree on a common metrics system, and the debate ended in a draw. On one side was Jeffrey Jones, director of security strategy for Microsoft's Trustworthy Computing group; championing Linux was Dr. Richard Ford, a Linux advocate and professor at the Florida Institute of Technology.

Jones kicked things off with an interesting tidbit - Red Hat Workstation 4 had 268 vulnerabilities fixed over the previous calendar year, compared with just 45 for Vista. Jones said, "No matter how you look at it, there's a ton of vulnerabilities there for anybody to be able to claim [Linux] is inherently more secure."

Ford's response was that one can't make comparisons between stats like those across two different operating systems. "Comparing the two operating systems is worse than comparing apples and oranges but more like comparing apples and bananas." Ford also said, "There is a problem with measuring Linux or Windows security or any two security metrics across any two completely different operating systems. So many things change when you move from one operating system to another and it's one of the reasons why it's been so difficult to come up with really good metrics and cost offering systems." Ford went on to argue that these differences undermine the credibility of Jones's raw vulnerability counts. He said that raw vulnerability counts were a useless tool of measurement, adding, "Raw numbers themselves show very little."

Jones's rebuttal: "It's unacceptable to say that it's apples and oranges. [Instead] we have to take some steps to say, OK then, how do we compare small round fruits?"

Ford defended his argument by stating that what matters is the severity of the vulnerabilities, not just how many there are in total. "Vulnerabilities were not created equal; some sort of small DDoS attack is not as severe as an SQL vulnerability. You have to look at the severity," said Ford.

Jones remarked that the audience, which is primarily IT admins, should focus on the critical vulnerabilities. Ford countered that all of them should be given attention, with the primary and initial focus on the critical ones. Jones then pulled out another stat - last year there were 22 critical vulnerabilities found in Red Hat WS 4, while there were only 12 in Vista.

The debate then moved on to Ford taking a shot at Microsoft over its practice of silent fixes (patching a flaw without publishing an advisory for it), suggesting that the published numbers understate the true count. Jones retorted that Linux distributors could very well be doing the same thing.

Some of the final back-and-forth was about the speed at which each side delivers patches. Ford argued that Linux patches its holes much more quickly: "When a vulnerability comes out, within about 10 minutes somebody's posted a patch or workaround in the code. You can have a community-approved patch where you're not sitting there like prey." Jones replied that Microsoft users want their fixes tested before a patch goes public.
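The disagreement above (Ford on severity and patch speed, Jones on raw and critical counts) is easy to see in numbers. The following is an added example, not code or data from the debate or from either speaker: two hypothetical products with constructed vulnerability lists are scored on raw count, critical count, a severity-weighted total, and days of exposure between disclosure and fix. The severity weights are an assumption of this example, and the product names and vulnerability labels are made up (they are not Red Hat or Vista figures). The point it shows is that the "more secure" product changes depending on which metric you pick.

```python
"""Vulnerability metrics: raw counts vs severity vs days of exposure.

Added example with constructed, hypothetical data. Not from the RSA 2008
debate; the products below are not real vendors.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List

# Severity weights are an assumption of this example (roughly the top of
# each band on a 0-10 scale); a real program would choose its own.
SEVERITY_WEIGHT: Dict[str, float] = {
    "low": 1.0,
    "moderate": 4.0,
    "important": 7.0,
    "critical": 10.0,
}


@dataclass(frozen=True)
class Vuln:
    """One fixed vulnerability. `label` is a constructed tag, not a CVE id."""
    label: str
    severity: str
    disclosed: date  # date the flaw became public
    fixed: date      # date a fix shipped

    @property
    def exposure_days(self) -> int:
        return (self.fixed - self.disclosed).days


def summarize(vulns: Iterable[Vuln]) -> Dict[str, float]:
    """Return several competing metrics for one product's fixed vulnerabilities."""
    vulns = list(vulns)
    for v in vulns:
        if v.severity not in SEVERITY_WEIGHT:
            raise ValueError(f"{v.label}: unknown severity {v.severity!r}")
        if v.fixed < v.disclosed:
            raise ValueError(f"{v.label}: fixed before disclosed")
    critical = [v for v in vulns if v.severity == "critical"]
    return {
        "raw_count": len(vulns),                               # Jones's first stat
        "critical_count": len(critical),                       # Jones's second stat
        "weighted_score": sum(SEVERITY_WEIGHT[v.severity] for v in vulns),
        "critical_exposure_days": sum(v.exposure_days for v in critical),
        "max_exposure_days": max((v.exposure_days for v in vulns), default=0),
    }


def rank(products: Dict[str, List[Vuln]]) -> Dict[str, str]:
    """For each metric, name the product that looks best (lowest value)."""
    if not products:
        return {}
    summaries = {name: summarize(vs) for name, vs in products.items()}
    metrics = next(iter(summaries.values())).keys()
    return {m: min(summaries, key=lambda n: summaries[n][m]) for m in metrics}


# Constructed sample data for two hypothetical products. "busy" ships many
# mostly low-severity fixes within days; "quiet" ships few fixes, but its
# critical flaws stay open for weeks.
PRODUCTS: Dict[str, List[Vuln]] = {
    "busy": [
        Vuln("b1", "low", date(2007, 1, 3), date(2007, 1, 4)),
        Vuln("b2", "low", date(2007, 2, 10), date(2007, 2, 11)),
        Vuln("b3", "moderate", date(2007, 3, 1), date(2007, 3, 3)),
        Vuln("b4", "moderate", date(2007, 4, 20), date(2007, 4, 21)),
        Vuln("b5", "low", date(2007, 6, 5), date(2007, 6, 6)),
        Vuln("b6", "important", date(2007, 8, 14), date(2007, 8, 18)),
        Vuln("b7", "low", date(2007, 10, 2), date(2007, 10, 2)),
        Vuln("b8", "critical", date(2007, 11, 9), date(2007, 11, 11)),
    ],
    "quiet": [
        Vuln("q1", "critical", date(2007, 2, 1), date(2007, 3, 13)),
        Vuln("q2", "critical", date(2007, 7, 10), date(2007, 8, 14)),
        Vuln("q3", "moderate", date(2007, 9, 4), date(2007, 10, 9)),
    ],
}

if __name__ == "__main__":
    for name, vulns in PRODUCTS.items():
        print(name, summarize(vulns))
    print("best per metric:", rank(PRODUCTS))
```

On this data "quiet" wins on raw count and on the severity-weighted total, while "busy" wins on critical count and on every exposure measure, which is exactly why the two speakers could trade statistics all afternoon without either being wrong on his own terms. Whichever metric you adopt, publish the weights and the disclosure-to-fix definition alongside the numbers so they can be reproduced.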

In the end neither declared himself the victor, and both agreed, "We clearly learn from each other."

