Deep underground somewhere in south-east England, security experts have built a data hosting centre almost entirely based on open source operating systems.
The cryptologists at the Bunker, an ex-Nato anti-nuclear hideout owned by a data hosting group also known as the Bunker, are so confident of good security that they say they have no need for firewalls – the tools commonly used for keeping hackers away.
“We secure each system for its services rather than relying on firewalls to do that,” says Adam Laurie, technical director at the Bunker. “We will use [firewalls] now and then but they are open source – if customers request them and if we’re involved with the design process.”
Mr Laurie believes that open source operating systems, such as Linux and BSD, are more secure than Microsoft’s various versions of Windows.
He says: “The problem with Windows is that it’s not designed as a server technology. It is designed to offer a service to end-users and I’ve never understood why you would use that. Part of the problem is that they are always adding features that could cause problems and there are 1m back doors.”
The superiority of open source security over Microsoft has almost reached the status of conventional wisdom. But is it true?
Much of the answer depends on which products are being compared. But one way of measuring the quality of software is to look at the number of weaknesses that hackers or virus writers exploit to disrupt systems.
In many cases, people who discover vulnerabilities submit their findings to Microsoft and open source developers. The developers then attempt to release patches that bung the holes as quickly as possible.
“With open source, it means you can get to a community and get a patch in relatively little time,” says Howard Schmidt, the former White House cyber security adviser. “Whereas with Microsoft in a production environment, you will get a high quality product but it may take longer. But I would encourage both sides to make better coding in their programs so they are less vulnerable.”
Between April and August this year, vulnerability experts at Secunia issued 21 warnings of flaws in Windows XP Professional. Of these, 1 per cent were dubbed “critical” requiring urgent attention, and 24 per cent were still awaiting patches by Microsoft at the time of writing. In the same period, Secunia issued 26 warnings for Novell’s SUSE Linux 9.3, all of which have been patched and none of which were considered critical.
Vulnerability experts at SANS, the security organisation, say security cannot be measured by patches alone, as an operating system is only as secure as its administrator makes it.
“It’s not the operating system that is weak, it’s the configuration,” says Johannes Ullrich, chief technical officer at the SANS Internet Storm Centre. “A skilled administrator can fix this, or an unskilled one can make it worse.”
Andrew Yeomans, vice-president of global information security at Dresdner Kleinwort Wasserstein, says there is not much to gain from counting patches: “For me, the main question is ‘Can I keep Microsoft or Open Source secure?’ to which the answer is ‘Yes’ to both, but at present it costs less for Linux than it does for Windows.”
Security accounts for a large part of the total cost of ownership of a product, as time-consuming tweaks are often required.
Research from Yankee Group analysts found that 88 per cent of companies said Microsoft’s Windows Server 2003 was equal to or better in reliability than Linux.
“I’m a bit wary of people who say open source is more secure,” says James Governor, an analyst at Red Monk. “In coding, I think Microsoft is ahead as it is allocating resources to a particular problem.”
Mr Governor says that since the release of the Windows XP Service Pack 2 update, Microsoft has tried to change its approach and develop software more securely.
The Yankee Group’s report also found that 73 per cent of companies use Windows 2000 or 2003 as server technology, with the rest mostly using some form of Open Source.
Microsoft has long argued that more hackers and virus writers target its operating systems because of its larger market share. But according to Zone-H.org, where hackers document their activity, more people are attacking Linux operating systems for website defacements.
In December 2004, there were 6,101 recorded attacks on the Open Source web server Apache and half that number on Microsoft’s IIS. There were also fewer general attacks on Windows (25,527) and BSD (724) than on Linux (27,245).
While the debate rages, companies appear to be mixing and matching the best tools for the job at hand.
“I see both of them working hard to resolve vulnerabilities and they are both fast to get patches out on a regular basis so that it’s not disruptive,” adds Mr Schmidt. “I don’t think either is better – there’s a place for both in this world which is why I use both.”
And even Mr Laurie, an open source advocate, concedes that Microsoft has improved its security: “On the positive side, they are doing auto updates. It’s still closed-source though.”
Dan Ilett writes for Silicon.com