In this case I doubt it. Windows can and will store a bunch of stuff it doesn't absolutely need to. Like every installed driver ever, and every copy of it ever. And while NTFS supports hardlinks under the covers, almost nothing lets you use them, so I doubt windows does either.

I had viruses automatically show up on an XP vm without even opening a browser. No joke. Just don't patch it, and they will find their way in.

Was XP installed legitimately from an actual disk, or from a cracked ISO?

As usual, people are remembering wrong. XP has not always been so secure or reliable. That came with age, and even then I'm sure it's still possible to compromise them. Especially since Microsoft won't patch it anymore. The NSA probably has a book full of exploits.

FTFY.

As much as I agree Linux is more secure:

http://www.exploit-db.com/platform/?p=linux

Let's not say it's bulletproof.

I generally try to make everything go through SSH, and I make SSH only accept keys. I need to tend to my firewall and blocklist, though...

Yes, there is a lot of *nix software that is vulnerable (e.g., PHP is usually a bad sign). Of course, most of it you don't need and shouldn't be using on a public server. The robust server stuff is far less vulnerable. It happens, of course, but it's rare. On my server the only services that I think are listening to the public interface are sshd and nginx (and maybe starman running as a regular user on a high port). These things tend to get scrutinized a lot because they're vital to public facing production servers. Bugs slip by, but they usually slip past the black hats too. Until they don't, and usually they get fixed. It's far less severe than putting a Windows box on a public facing interface without manually hardening it and protecting it.

Append:

bambams@test-chamber-1:~$ uptime
 23:36:49 up 587 days,  8:03,  2 users,  load average: 0.01, 0.02, 0.05

There have been several kernel updates, and I really should reboot, but my uptime. I think that most vulnerabilities have been local, but that doesn't mean that I'm not vulnerable. This is a public facing server though and to my knowledge I'm good... Not that it's a popular server.

Jeez, don't you people ever turn your computer off? Just sucking electrons down the pipe. :/

Only if I have to. I agree that it's a big waste of electricity, but at the same time cold starts take a lot of time and I jump on and off of the computer too often. For somebody like me that is on the computer an average of 16 hours a day it doesn't really make a lot of sense to shut them down.

Besides that, that uptime is from a Web server so it is intended to be up 24/7. You never know when somebody somewhere on the planet will request it. Well, OK, never, but that's beside the point.

For the most part, the only updates that cannot apply to a running Linux system are kernel updates (including system drivers). Everything else, from services to applications, can generally be updated live. I'm only missing security fixes for the Linux kernel and drivers. I'm sure there have been many (probably 10 or more), but I don't recall any that seemed threatening to me. Mostly they related to local attacks, and I'm practically the only local user of my server.

In UNIX, files and filenames are indirectly related. The file can continue to exist while the file the name references changes (or the name is even deleted). This allows for executables in a UNIX-like system to be updated while they are in use. The users that already have it running will continue to use the old instances of the files (because they are already opened). Users starting the applications anew will get the new stuff. They can be running simultaneously (unless they conflict in some way, which will typically be built into the update script and/or process logic). In Debian, services are typically restarted automatically when you update them after all packages have been updated and therefore all updated dependencies are in place.

That said, you might have a tiny hiccup in uptime while the service is stopped and before being started again, but most of the time it's so fast that few users would notice. If something breaks then you could potentially have more downtime so you typically would want to try it with a testing machine before production.

There are virtualized environments that actually allow the kernel to be hot-swapped so that you can upgrade the Linux kernel without even rebooting the machine! It's a proprietary service though that isn't cheap, and really most people wouldn't need it. I'm not sure how reliable it is either.