Domain: wininformant.com
Stories and comments across the archive that link to wininformant.com.
Comments · 81
-
Most Unsecure OS? Yep, It's Linux
November 26, 2002 | Paul Thurrott
According to a new Aberdeen Group report, open-source solution Linux has surpassed Windows as the most vulnerable OS, contrary to the high-profile press Microsoft's security woes receive. Furthermore, the Aberdeen Group reports that more than 50 percent of all security advisories that CERT issued in the first 10 months of 2002 were for Linux and other open-source software solutions. The report muddles the argument that proprietary software such as Windows is inherently less secure than open solutions. And here's another blow to the status quo: Proprietary UNIX solutions were responsible for just as many security advisories as Linux in the same time period. Could Windows be the most secure mainstream OS available today?
"Open-source software, commonly used in many versions of Linux, UNIX, and network routing equipment, is now the major source of elevated security vulnerabilities for IT buyers," the report reads. "Security advisories for open-source and Linux software accounted for 16 out of the 29 security advisories--about one of every two advisories--published for the first 10 months of 2002. During this same time, vulnerabilities affecting Microsoft products numbered seven, or about one in four of all advisories."
The stunning report makes several claims that seem to fly in the face of widely accepted beliefs. First, the Aberdeen Group says that Windows-based Trojan horse attacks peaked in 2001, when CERT released six such advisories, then bottomed out this year, when CERT didn't issue any alerts. However, Trojan horse-based attacks on Linux, UNIX, and open-source projects jumped from one in 2001 to two in 2002. The Aberdeen Group says this information proves that Linux and UNIX are just as prone to Trojan horse attacks as any other OS, despite press reports to the contrary, and that Mac OS X, which is based on UNIX, is also vulnerable to such attacks. Even more troubling, perhaps, is the use of open-source software in routers, Web servers, firewalls, and other Internet-connected solutions. The Aberdeen Group says that this situation sets up these devices and software products to be "infectious carriers" that intruders can easily usurp.
According to the Aberdeen Group, the open-source community's claim that it can fix security vulnerabilities more quickly than proprietary developers can means little. The group says that the open-source software and hardware solutions need more rigorous security testing before they're released to customers. This statement is particularly problematic because many Linux distributions lack the sophisticated automatic-update technologies modern Windows versions contain.
We can rail against Microsoft and its security policies, but far more people and systems use Microsoft's software than the competition's software. I believe that we'll never know how secure Linux is, compared with Windows, until a comparable number of people and systems use Linux. But despite the fact that Linux isn't as prevalent as Windows, we're still seeing a dramatic increase in Linux security advisories today. I think the conclusion is obvious. -
Re:Mirrors?
How soon before: 2. MS "requests" that the info be pulled? Someone better mirror pretty fast...
Not soon. Paul is the original Microsoft/Windows apologist/sycophant. (Though he denies it, just read his work in aggregate)
-
Re:Faked?
The guy who wrote the review, Paul Thurrott, has a lot of contacts within Microsoft. The stuff he writes is almost always accurate (I regularly read two of his sites, WinInfo and the SuperSite for Windows). He was the first journalist to report on the merging of the Odyssey and Neptune projects to form Whistler (better known as Windows XP). Basically, he knows his stuff.
-
What Paul Thurrott has to say about this leak
Taken from his Friday website post:
Notes on the Longhorn Alpha
So, as anyone who actually thought about it (hint: ALPHA release, strictly internal), this isn't what Longhorn is about. This is some internal MS messing about with ideas for a UI - that's all. Might be twenty more variations on taskbars and quickstarts and what-have-yous. And, besides, who cares about changes to the UI. You'll get used to them, as you got used to going from W3.1 to W9x to W2K to XP. They are small changes, progressive improvements/refinements. Why get so hung up on some screenshots.
It's always humorous seeing other news agencies pick up stories days after they've first run in WinInfo or the SuperSite, and my Longhorn alpha build preview is one perfect example, with a variety of legitimate news Web sites suddenly discovering Longhorn build 3683 after I wrote about it ten days ago. Two items arose in the aftermath of this event. First, this build is old, and doesn't even slightly resemble the Longhorn we'll be using years down the road (heck, it barely works), let alone more recent builds. Second, much of the email I've gotten about this and other leaked alpha builds revolves around where I got it and whether I can distribute it. I won't generally answer email of that nature, sorry, but to answer to one bizarre query, no; I wasn't responsible for the leak either. There's something about leaked Windows builds that gets people in a tizzy, but remember: We're on the XP train now and will be for some time. This Longhorn stuff is really just a shell for technology tests at this point. It isn't something anyone would actually use day-to-day.
Instead, read about some of the new features and improvements to Windows that Longhorn introduces by reading Paul's Longhorn FAQ. I especially like the SQL Server .NET-based file system - "Originally slated for Blackcomb, I've now verified that Longhorn will ship with a new SQL Server .NET-based file system, originally code-named "Storage+". Based on the "Yukon" release of SQL Server, this file system will let Microsoft's search tools work across a wider range of storage devices, including the file system, Active Directory, SQL Server databases, and Exchange Server data stores." Sweet! -
Re:Financial institutions??
I'll take that bet.
67 million non-corporate copies of Windows XP--the fastest selling OS in history--have been sold over the past year.
That doesn't seem to square with the public antipathy that you hypothesize. -
someone's in the kitchen
The Selecting Blendolini Causes Choco-Banana Shake Hang From the BSOD-on-my-toaster dept issue was a real error in a Microsoft related program, "Someone's in the Kitchen." There used to be a whole technet article describing the crash involving the choco-banana shake recipe, but it was pulled. For reference, check this out: Q157668 Mystery solved.
-
USA Today missed this...Linux Market Shrinks in 2001
According to the IDC report, Linux-generated revenue shrank 5 percent in 2001, the first time the fledgling OS has seen its market contract. A similar NPD INTELECT report says that the Linux market shrank 10.2 percent last year.
-
Invented by philips?
"Geekstreet.ca has a story on a new concept invented by Philips called Detachable Monitor
Considering Microsoft already have 'invented' the idea (Mira), and that Philips have just announced that it will deliver Mira devices, don't you think the article summary is a bit um...made up?
Perhaps this article would never have made it to the main page if it had said that Microsoft 'invented' the idea. -
or maybe .
10p = tempe = temp
as in temporary, until XP SP1? -
Re:States
- One could argue that any potential remedies would have to be limited to the states in question, but we all know that isn't very feasible
Bollocks, mate. Microsoft already sell worldwide, and have to deal with local legal issues (like Germany demanding clear instructions on removing Defrag in Win2K because it's written by a company headed by a Scientologist). This would only add one more region to their markets: US-B (for BASTARDS!).
-
That's not your head...
Here is the link to Paul Thurrott's response since I couldn't find it in the slashback.
I agree it's too bad he got a lot of "frothing" email. But I hardly think this response is a model of rationality either. He makes the point that companies bet their future on Windows, and it wouldn't be true if it were "really so insecure." The same could be said about Linux. The fact that something is usable does not mean it is more or less secure.
He states What I am trying to say is that Linux is not more secure than Windows. It's impossible.
That makes no sense. Of course it is possible for one system to be more secure than another. Maybe he means that you either are or aren't secure. OK, that's a valid point, but looking at the number of flaws discovered for a system in a given year gives you some idea of how likely it is that a new security flaw will be introduced in the future.
He also argues that fewer Linux vulnerabilities are found because it is less widely deployed. I also think that this argument is invalid. Yes, fewer automated exploits are written against Linux vulnerabilities because of this. Sure, this is why fewer Linux systems are broken into. However, I would argue that the communities of people who look for security vulnerabilities on Windows and Linux are of comparable size, and large enough to find a comparable percentage of flaws.
The fact is, his original Short Take was simply blatantly incorrect in stating that for "the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux" The only way you can come up with that is by adding the numbers for each distribution together, which is ridiculous (this same issue came up last summer).
Yes, the numbers show Win 2K beating RedHat last year. They also show a troubling increase in the number of Linux bugs in general. No, this issue shouldn't be dismissed out of hand. Yes, I'm sure a lot of people were offended by this article because they thought with their heart. However, I would hardly call putting out insultingly incorrect statements "thinking with your head"
-
Not just coding...PR in February, too.
On Feb. 1, Microsoft also posted links to this WinInformant story on their press page with the title "Windows more secure than Linux? Yup."
(The story says that there are more BugTraq entries for Linux than Windows 2000. QED.) -
Re:Uh... Hoax?
this article on wininformant seems to confirm that MS is going to stop developing for a time and work on bugs, or at least security bugs..
-
Be Afraid. Be Very Afraid.
I mean, Microsoft already has fewer vulnerabilities than Linux distributions (securityfocus, wininformant). If they actually go and clean up their code and get this new initiative working as well as their "take over the Office software market" or "take over the browser market" initiatives, in a year or two Linux people are going to have to be on the defensive about their own less stable and secure operating system...
-
Re:More Slashdot demagoguery?
But editors in the respected news firms of the world do not say things as unproductive as those who edit on Slashdot. As editors, they have a RESPONSIBILITY to get _news_ to us, not their own biased point of view.
I don't think you get it.
Slashdot is a site from the (tech)people for the (tech)people, that's why it gets a hell of a lot of typos, comments, double-posts, discussions, flamewars and bias.
I am really happy that there are still sites not controlled by huge corps.
Of course this is a hard concept for some people.
If you love to look at sites with no typos, no comments, no double-posts, no discussions, no flamewars and a more subtle form of bias, why don't you go here or here
On those sites there is no need to tell people to shut up, because people don't get to speak at all.
-
Who Knows?
Interestingly enough WinInfo predicted this sort of response. Look under the title "InfoWorld Disses Windows XP: Who Do You Trust?" to see how the other half lives.
I wish these "OS reviews" were as in-depth as the gaming site's card and driver reviews. Both the C|Net and Infoworld reviews leave me with more questions than they answer.
-
Not quite what it seems
This article is somewhat misleading. While amazon did say that they cut their technology costs by 25% last quarter by switching to linux. They did not achieve this by replacing the desktop windows boxes, but rather by replacing their proprietary Unix servers.
Paul Thurrott (admittedly someone with a strong pro MS bent) has a well written article. Here is an excerpt:
There have been some high-profile Linux adoption stories lately, with companies such as Amazon and even Intel Corporation espousing the wonders of this open source solution. The one crucial fact these stories don't highlight however, is that the Linux adoptions are replacing proprietary and expensive versions of UNIX, not Windows. And as both Amazon and Intel are quick to point out, neither is even considering replacing its Windows boxes with Linux. -
Re:Corbis
from a comment PRickard posted on Friday May 04, @07:28AM in response to the article "Linus Responds To Mundie" ---------------- Gates founded Corbis several years ago, 1995 or 1996 as I recall, so he'd have somewhere to store the Codex, which he had purchased at an auction some time before. Corbis has since then bought out the Bettmann Archives (10 million + photos), plus the original photographic archives of the Chicago Tribune, United Press International, Sharpshoters, New York Daily News, Saba Press (French), and other news agencies. Corbis has additionally purchased smaller archives of fine artwork, and has exclusive digital reproduction rights to the collections of several major museums. Gates wants to control all intellectual property and licensing rights to most of history's artifacts. The only companies anywhere near the size of Corbis are Getty Images, Corel's Photodisc division, and Superstock. Next time you get a magazine like Time or (especially) US News and there's a generic or historical photo in it, check the margins and see if it doesn't give a credit to Corbis. I just picked a random news magazine off my desk and 2/3 of the stock and historical photos in it were credited to Corbis or Corbis/Bettmann. Additionally, Corbis is taking millions of photos that have never been digitally reproduced and locking them into an old mine in Pennsylvania for safe keeping. The company apparently has no plans to ever make copies of them, and will let them rot in that mine instead of hiring more employees to speed up the process of sharing them with the public. (see WinInfo for a decent report)
-
Re:Don't Bother - More about .NET on FreeBSD
There is more about porting .NET to FreeBSD. We can read at Microsoft to Help Port C# to FreeBSD.
The original link is at http://www.win2000mag.net/channels/net/.
From the original article:
"Contrary to reports, this porting effort doesn't constitute an implementation of .NET on FreeBSD, but involves only some of the low-level technologies that are part of .NET. Microsoft's decision to use FreeBSD rather than the far more widely used Linux is reportedly because of the company's disdain for Linux's GNU Public License (GPL), which Microsoft has described as "Pac-Man like" and "a cancer." The FreeBSD license is reportedly far more amenable to Microsoft because the license doesn't require the author of commercial works to provide the source code to others, as does the GPL." -
BSD rants and raves
BSD isn't going anywhere any time soon contrary to what a troll thinks. In fact BSD should have an easier time in the upcoming months via way of (evil drum roll) Microsoft.
This week, Microsoft announced that it will work with Corel to port the .NET Common Language Infrastructure and the C# programming language to open-source OS FreeBSD, a Linux competitor ... Contrary to reports, this porting effort doesn't constitute an implementation of .NET on FreeBSD, but involves only some of the low-level technologies that are part of .NET. Microsoft's decision to use FreeBSD rather than the far more widely used Linux is reportedly because of the company's disdain for Linux's GNU Public License (GPL), which Microsoft has described as "Pac-Man like" and "a cancer." The FreeBSD license is reportedly far more amenable to Microsoft because the license doesn't require the author of commercial works to provide the source code to others, as does the GPL.
[source]
My only pseudo concern with FreeBSD is, I wish they would scrutinize what is released via the ports more, this way they wouldn't have to release patches as much as they do, but again in comparison to Linux, as with OpenBSD many services aren't run off the back, and as with OpenBSD, unless you're going to pkg_add /cdrom/packagaes/ALL || make install /usr/ports , you're not going to have as many issues as you would with other OS'. For the Linux zealots yes you have your `secure Linux` variants, and you also have advisories for those too [check Linux Security], Trustix, EnGarde, etc. they're all there. NetBSD is a sleeper for all, it's still a nicely written BSD, and I think it'll be around for a while. Open is well Open, and isn't going anywhere soon, love or hate Theo & Team OpenBSD but I still feel comfort knowing some rootard isn't going to do anything to my servers at any given time. -
Corbis - Gates' OTHER Monopoly
Gates founded Corbis several years ago, 1995 or 1996 as I recall, so he'd have somewhere to store the Codex, which he had purchased at an auction some time before. Corbis has since then bought out the Bettmann Archives (10 million + photos), plus the original photographic archives of the Chicago Tribune, United Press International, Sharpshoters, New York Daily News, Saba Press (French), and other news agencies. Corbis has additionally purchased smaller archives of fine artwork, and has exclusive digital reproduction rights to the collections of several major museums.
Gates wants to control all intellectual property and licensing rights to most of history's artifacts. The only companies anywhere near the size of Corbis are Getty Images, Corel's Photodisc division, and Superstock. Next time you get a magazine like Time or (especially) US News and there's a generic or historical photo in it, check the margins and see if it doesn't give a credit to Corbis. I just picked a random news magazine off my desk and 2/3 of the stock and historical photos in it were credited to Corbis or Corbis/Bettmann.
Additionally, Corbis is taking millions of photos that have never been digitally reproduced and locking them into an old mine in Pennsylvania for safe keeping. The company apparently has no plans to ever make copies of them, and will let them rot in that mine instead of hiring more employees to speed up the process of sharing them with the public. (see WinInfo for a decent report)
-
Re:Envy?
Shame it only runs on machines out of the reach of the average consumer and can't even burn CDs yet. MacOS is much harder for me to get running as it won't install on my PC. There's a quite enlightened synopsis of the state of the OS wars here
And if you think Linux is hard work now - well take it from me, it's come on leaps and bounds from when I started using it a couple of years ago. Linux is only around 10 years old (in fact I'm sure a birthday bash of some kind is bound to be due), and the first release of a vaguely user-friendly desktop happened a mere 4 years ago. Let's see where we are in 12 months shall we? -
I wouldn't be surprised
Some time ago, MS used to diss the idea that 'the network is the computer'. Now that the web is everywhere, we have .NET. ("Embrace and extend", all over again...) Make no mistakes folks, this company will do anything to stay on top of the software biz (as of course they have an obligation to their shareholders to). If tomorrow Linux makes it big, Red Hat will suddenly find Redmond pushing for the biggest slice of the pie. Remember the rumor about Mainsoft porting Office to Linux?
>Microsoft's applications business could
>easily make Linux versions of applications
>such as Word and Excel available with scant
>development costs.
Um, had a teeny doubt: the generally held wisdom is that the Word/Excel codebases are impossibly crufty and arcane... anybody here who can comment on how XP they might be? -
(O/T) Micros~1 for Linux?
Near the bottom of the Kylix slide show, there is a link to Dr.Dobbs Kylix news. The news item from 2000/08/18 states the following:
According to reliable sources, Microsoft is beginning to (hire another company to) port some of its applications to Linux. Starting with Internet Explorer and Windows Media Player 6.3 (which is already ported to Sun Solaris).
The 'other company' is MainSoft. Apparently, they did the IE port to Solaris, and are currently porting Windows Media Player.
Hmm. Has this been on slashdot before? Has anybody else heard this news? And why would Microsoft do this (if it's true)? What would they have to gain?
Certainly they do not want to assist in bringing a free OS to mainstream desktops, do they? Is there an evil plan behind this, or do they just need things to spend money on...
-
Re:Hm. Out of date.
I saw something even more terrifying on the wininformant site - looks like MS are planning a car crash.
-
Mainsoft server runs Apache
Heh, try this:
[edoardo@nautilus edoardo]$ lynx -dump -head http://www.mainsoft.com
HTTP/1.1 200 OK
Date: Sat, 19 Aug 2000 17:47:41 GMT
Server: Apache/1.3.9 (Unix)
Last-Modified: Fri, 18 Aug 2000 17:45:46 GMT
ETag: "1b070-3d2c-399d764a"
Accept-Ranges: bytes
Content-Length: 15660
Connection: close
Content-Type: text/html
It's quite a surprise! I thought Paul Thurrott's wininformant said Apache runs only on college dorm servers ;-)
IIS is not losing to Apache where it matters -
Much better link