Slashdot Mirror
Fred Moody Says Linux Worst Operating System Ever
I avoided posting this because it really is pretty lame, but its getting submitted a lot. Basically
Fred Moody says Linux Sucks on ABC. He calls it the worst operating system ever based on the fact that bug traq lists more bugs for it then any other operating system. Stories like this just make me roll my eyes: the thing will get tons of traffic from you guys and his editor will say "Good Job Fred" because they got to sell lots of banner ads on it. *sigh*
I've never seen a post about DOS on Bugtraq. So, but this logic, DOS is the best OS ever. :P
The SecurityFocus stats page clearly shows RedHat's '99 vulnerabilities as 38 - less than 40% of WinNT's.
So where did the 122 come from? Moody added RedHat's 38 to the Linux Aggregate of 84. He's done the same for this year's numbers (RedHat's count for this year is 17, and the total for Linux is 30 not 47). But the Linux Aggregate already includes the 38 RedHat vulnerabilities and it clearly states that in the preface on the page - Moody is either an incompetent researcher or he is deliberately counting vulnerabilities twice in order to discredit RedHat. I'd be consulting a lawyer about the possibility of a libel suit if I were them.
Obviously, no one has sent him the links (yes link_s_) to the "What's fixed in Win2k SP1" pages. I swear there are more bugs listed there than there are lines of source to Mozilla.
"If you look this list over, and measure each system's number of vulnerabilities against the number of its customers, Linux is arguably the worst operating-system product in history, and Microsoft's the best."
True. IF. Obviously, if you accept that criteria, he's right. He correctly notes earlier that NetBSD has just over one tenth the number of bugs as Windows. But, for whatever reason, it has a much smaller market share.
If you are a home user-- he may be right. Let's analyze a case: You are a home linux user. A vulnerability is reported Friday afternoon. Being a non-nerd computer geek, you spend your friday night at a bar. Saturday morning, you have a hangover. Saturday afternoon, you log on, and voila, a patch has been released! (Wow: an fast vendor response). But something else has happened. A lamer with no life rooted your box while you were out partying. Compare that to the following: You're a home NT user. Same scenario, only the bug wasn't reported. One super criminal has it... and maybe the Fortune 500 company is now screwed (which is why they need 24/7 sysadmins on a patchable OS), but there are no script kiddies around to attack you.
What Fred Moody forgets is that Windows is just as complicated an OS as Linux, and therefore, probably had just as many programming "mistakes" made which resulted in bugs. They're hidden... and he assumes they therefore don't exist. Oops. Obviously, in a high security case, this is absurd, and therefore for any serious target, they need an OS like *BSD (or Linux). But for the home user-- is full disclosure really the best choice?
-- Is "Sig" copyrighted by www.sig.com?
No there are not more bugs. There are LESS bugs.
Look at the chart for your self. I have no idea where Moody is drawing his figures from but it certainly is not the chart which shows Windows to be head and shoulders above everyone else's bug count. I would have expected it to do a lot better given the inavailability of their source code.
Heh, I was thinking the same thing as I went over to read the article. Well, I enjoy reading this crap - I love people proclaiming to be experts smucking themselves in public. But, given is pro-microsoft book and his other articles like "Microsoft Greed is Good", I sense that he's doing nothing more than writing a quicky column based on the very last site he went to with 0 (zero) research only to meet a deadline and get something published. ABC on the other hand publishes his crap because they know it'll get to Slashdot and they'll get a ton of traffic, boosting advert hits and revenue. What a twisted world we live in that rather than publishing something factual and with thought these guys publish garbage based on nothing more than a bar-graph and no education solely to generate hits regardless the gulible morons out there that would actually take his sentiment to heart...
But, it's business, right? "Nothing personal" to quote many a mobster while their victim bleeds to death...
Bugtrack should point out very clearly that it's Linux Open nature that causes such bugs to be openly exposed for the sake of fixing. We hide nothing and make no excuses - if there's a bug then we make sure we know about it and it gets fixed. No commercial OS like Microsoft or Solaris will sit there and publish every bug they find. 37 bugs for Win2000??? Last I heard it was over 65,000. Quite a site more than our measily 47...
The quantity of bugs an OS has is a completely meaningless statistic. What do you think would be a bigger security problem: 60 bullet holes in my front door, or one cannonball hole?
That's where the difference lies. Microsoft security holes on bugtraq are almost guaranteed to be worse than Linux holes. Why? Because, without the source, someone has already encountered the bug in day-to-day use. A lot of these Linux bugs are things like, "Wow, this wasn't coded exactly right; in theory, although I don't know how it could be done, this could be exploited.". Microsoft bugs are likely to be along the lines of, "Ha, ha, I just exploited your OS again!"
"Beware he who would deny you access to information, for in his heart he deems himself your master."
This guy is a well known Microsoft fan. He wrote a book about a year inside MS with the incredible and unironic title
I Sing the Body Electronic: A Year with Microsoft on the Multimedia Frontier . His partisan pro-MS credentials are impeccable.
This would be a good time to check out the Linux Advocacy HOWTO, before lighting up those flamethrowers.
The best-known competitor is Red Hat, but others - notably TurboLinux and Mission Critical Linux - are in the market as well.
Notably? Am I the only one who has NEVER heard of "Mission Critical Linux"? (I'm NOT saying it's bad, but it's pretty much an unknown, and he ranks it up there as "notable." How about Slackware? Debian? Those aren't notable, but "Mission Critical Linux" is. He hasn't done his research.
Linux zealots for years have insisted that the operating system is an invulnerable perpetual motion machine, incapable of crashing or being infested by the kinds of worms and viruses that hackers are constantly sending Microsoft-powered servers.
Can I ask who has ever said that Linux is "Invulnerable", or "incapable of crashing"? I've *NEVER* heard those claims. This guy is an Asshole! Seems to me, he's overexaggerating this crap just to start up the FUD machine.
This looks like an alarmingly high number in comparison with Solaris' 34 or NetBSD's 10, but it is significantly less than the 122 racked up by Red Hat...
For the 800 BILLIONTH TIME: Red Hat is NOT Linux! This idiot is taking a select few distros, and catagorizing them all as "Linux." Someone smack this moron.
If you look this list over, and measure each system's number of vulnerabilities against the number of its customers, Linux is arguably the worst operating-system product in history, and Microsoft's the best. As Linux zealots are beginning to find out, it's a lot easier to
masquerade as a better product than it is to go out and be one.
I could tear this entire paragraph up, but we all know it to simply be FUD. This jackass is trying to generate hits, and he's probably doing a good job.
Oh, did you happen to notice the bottom of the article? Look:
Fred Moody is the author of I Sing the Body Electronic: A Year with Microsoft on the Multimedia Frontier
-- THIS ARTICLE IS A PAID ADVERTISEMENT FOR MICROSOFT CORPORATION. --
-- Give him Head? Be a Beacon?
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
Not only is his claim that Linux has the most bugs disengenuous because he admits that no attempt is made to grade the bugs on severity or whether or not their fixed, but he's patently dishonest. An important part of his claim is that:
This is a bogus claim, though, because he's getting that number by adding up the count for each different version of Linux. That means that, for example, a kernel exploit being discovered will result in not just one but several vulnerabilities on his list- one for each version of Linux that uses that kernel.
To account for this, in fact, Bugtrax has its own Linux aggregate that avoids such double counting and has 84 total Linux bugs last year and 30 this year. (Actually, even that 122 figure seems a bit odd, since if you add up the figures separately you still only reach 98 for all of the distributions listed. It appears that he got it by adding the Linux(aggregate) figure to that of Red Hat, which is totally ridiculous.) Of course someone who uses only one version of Linux would experience only a fraction of these, but an honest count shows that even if you used Debian, Red Hat, Slackware, and SuSe in a heterogeneous network you'd still have fewer vulnerabilities than NT.
There's no point in questioning authority if you aren't going to listen to the answers.
... For Fred Moody's article:
Score: -1 (Troll)
-- iCEBaLM
He seems to be adding the Redhat number to the LINUX (all) number to get his "122" figure. That means the Redhat bugs are being counted twice.
All this is well-covered over on LinuxToday, btw.
Were we display aggregate number of vulnerabilities (Linux and BSD) the number is
the size of the set that results from the union of all vulnerabilities for the components
without duplication. Vulnerabilities are not counted twice.
(quoted from the introduction at the top of the stats page he used http://www.securityfocus.com/vdb/stats. html)
Okay, lets for a moment assume that we want to go distro for distro... and most people believe that RedHat is one of the more insecure of them...
Vendor, Bugs in 1997, 1998, 1999, 2000 (so far)
LINUX (all), 10, 23, 84, 30
RedHat, 5, 10, 38, 17
WinNT, 4, 6, 99, 37
Geee... despite a minor problem at the beginning the numbers look a little different... don't they? In fact evem the agregate Linux numbers come up better then NT (while not a benchmark I would like to use, its the one he seems to be using). To compare the Unix agregate number properly to Windows, we would have to include the Win9x statistics also... right? Somehow I doubt he'd want to do that.
This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
>Damn right. I propose that the link to
/. editors post something like this, it should be preceded with a warning: "get some ad-blocking software first not to generate eyeballs for the troll".
>Moody's "editorial" be removed from the story...
>why should we do this bastard the favor of
>slashdotting his pile of BS?
Because then everybody will go to the ABC site anyway, only to get at the story they will have to sift through many more ad-infested sites.
When
The author seems to confuse bugs in Linux (which is a kernel) with bugs in applications that run under Linux. Microsoft is never blamed for bugs in Windows program that they don't create (say ICQ for example), so why should Linux be blamed for bugs in applications that run under it (like sendmail)? I can think of 1 bug that ever crashed Linux from remote (which was fixed in no time), yet I can remember 3 that affected Windows 95/NT (remember OOB?!).
If an article were ever posted that said Windows is insecure because a lot of applications that run under Windows are buggy, Microsoft's army of lawyers would cause the page to be taken down in an instant. It's too bad there's no one to look out for Linux and other "free" OSes. Besides, to anyone with a clue, bugtraq specializes in bugs relating to UNIX type environments. There's a mailing list called "NTBugtraq" (www.ntbugtraq.com) which deals with all the bugs in Windows.
I'm sure I could ramble on longer if I actually read the article past the initial sentence..
In part, probably because he is published.
One can always peruse the reviews posted for and against his book, I Sing the Body Electronic , or The Visionary Position .
Of course, I should warn that these link to amazon.com -- but the reviews seem pretty split on the merits of his book-length work, too -- some are even a bit witty.
Or, I guess one could simply write him and ask.
Here is what I sent to http://www.abcnews.go.com/service/Help/abc_contacu s.html
Dear Sir,
I was suprised to read a news article on your site that was so clearly biased against Linux and so clearly biased in favor of Microsoft.
In the above article, Mr. Moody's conclusions are suspect and his methods are questionable.
Some of the mistakes that he makes are the following:
The totals for Linux includes many more software packages than does NT. For instance, the apache server is included in the Linux numbers, but the IIS web servers numbers are split apart from the NT numbers and Mr. Moody didn't trouble himself to add them into the list of NT vulnerabilities.
Since Linux distributions include several times the number of servers, clients and other software than an NT distribution, it hardly seems fair to directly compare the two OS'es in this manner. For a valid comparision Mr Moody should probably add in the mail, web browser, and other commonly installed server and client software vulnerablities for say the top three Windows packages in several different catagories to the number of vulnerabilites found in NT.
Since Linux is used as a desktop machine by 4% of the worlds computer users it has a lot of non-server software installed. It is possible to install only server software, turn off the services that you don't actually need and only have to update packages for security reasons 1-2 times a year. It is also possible to run Bastile software against a Redhat box and close numeous security holes before they are even a problem.
Because Bug Track is the primary method of tracking bugs in open source distributions nearly all the bugs will be reported here. Microsoft often hides its bugs in a security through obscurity method that rarely works.
It appears that if a single package has a vulnerablity in Linux then the Bug track list includes the vulnerablity for each affected distribution. Thus, a sendmail report will be counted once for each distribution that uses that version of sendmail. This will tend to artificially inflate the Linux numbers.
Mr. Moody also doesn't take into account how long it takes any given OS to fix each know vulnerablity. Linux will often post the fix with the bug report, or within a couple of hours, while NT products will often go many days or even weeks until a hot patch is released. An example of this is the current vbs vulnerablity that exists in the MS mail client. This is clearly a well known problem, but windows clients are hit again and again by the exact same mail worm.
A final point to make is the fact that even though NT is only used on a third of the web servers on the internet, nearly half the page defacements are against NT boxes.
I am not saying that any OS is more or less vulnerable than any other OS. All OS'es have vulnerabilities and need constant monitoring by well trained security personnel. But some OS'es are much more open and honest about their problems than others.
Thank You!
-- Never make a general statement.
With quotes like "[a]ll that aside, though, one conclusion is inescapable", it's clear he understands the flaws in his argument but is willing to propound it anyway. He's clearly trolling for ad revenue and perhaps enough controversy to make a follow-up mea-culpa article a winner also.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Here's an article at SecruityPortal that looked at the same bugtraq data and came to the conclusion that Linux had superior security to NT and showed fewer total advisories and a fewer hacker recess days per advisory.
It seems obvious that ABC is full of crap and has fabricated their results by deliberately misrepresenting factual data.
Now why would ABC (A Bunch of Crap) News do such a thing?
Why are people like Mr. Moody automatically the authoritative source of information on whatever subject they feel like at that moment? Anyone with at least a partial clue knows that posts on bugtraq means fixes are soon to come, which is good for everybody. But how do we get people like Mr. Moody to only comment on subjects he knows and understands?
--
Moody notes that Red Hat Linux leads the way with 122 noted vulnerabilities. Given the shockingly high number of holes open in a RH install, not to mention the overall lack of security (Red Hat 5.1 didn't even enable shadow passwords, and this was preserved in updates all the way up to 6.1, when I reformatted and went to Mandrake) this shouldn't surprise anyone.
"Other Linuxes" (sic) total 47 bugs, which means that any one distribution has fewer reported vulnerabilities than the 99 in Windows NT. Aren't numbers fun?
For more information, click here.
I'm glad someone mentioned this. Remember when Slashdot reported that Windows 2000 had 63,000 bugs in it? Of course, everyone here jumped at it and said, "See, that's why Open Source reigns supreme!" However, a bunch of people replied to that story, saying that Debian and Red Hat were comparatively just as bad.
So what's the point with this?
A bug isn't necessarily a design flaw that's going to take down your program (that bug could just be some complaint of a nitpicky programmer)
Quoting raw statistics without further elaboration is misleading
Just my two cents.
--
--
The real Raunchola isn't cool enough to have any imposters
the scientific community too; when he ran an article: http://www.abcnews.go.com/sections/tech/FredMoody/ moody990914.html about how the new relativisiic heavy ion collider expirements at brookhaven. apparently he thought they were going to accidentally create a black hole that would destroy the world(completely unaware of the fact that collisions of comparable energy occur in the upper atmosphere every day, and we still exist). so he wrote an idiotic little scare column about 'evil scientists'. after recieving a huge amount of email from scientists who work in the field, informing him of how much of a moron he is, he wrote another 'oh poor me' column a few weeks later. now he's doing it again with linux! good job fred, you did it again! and now your burning at the stake will come from the tech. community. :] enjoy!
- "Hear that?! The percolations are imminent! Cease your ingress!"
After reading some of the blatant falsifications and b.s. in his article, I posted a comment through abcnews.com's contact page.
I would appreciate if, for the benefit of your readers, you would note that Fred Moody is a former Microsoft employee. I would also appreciate it if one of your editors would have a chat with him about journalistic integrity and how even a columnist shouldn't misrepresent statistics to further an agenda.
I refer to his column on Linux vulnerabilities, where he "uses" statistics from SecurityFocus to claim Linux is the "worst" OS of all time and Microsoft is the "best". SF states in the first paragraph of their vulnerability statistics page that the stats shouldn't be used to judge how secure an OS is, yet that's exactly what Moody proceeds to do. He then flagrantly fakes a total of "122" vulnerabilities for Linux in 1999, taking Red Hat's 38 and adding that to the aggregate (meaning all distributions, including Red Hat) total of 84. In effect, he counts Red Hat vulnerabilities twice to inflate Linux vulnerability numbers. He also fails to note that each individual distribution has fewer vulnerabilities than either Windows NT or 95/98. Were one to aggregate the Windows numbers, the total would come to 146. Windows NT alone racked up 99 vulnerabilities - higher than the Linux aggregate total.
He also glosses over the "package vulnerabilities" statistics near the bottom of the page. Microsoft products claim the first 12 spots. In 2000, MS products claim 7 of the first 12 - the various Red Hat products (which are known among Linux users as not focused on closing obvious holes) take the other 5. Only TurboLinux gets mentioned in the 2000 list, with 6 vulnerabilities in each of hte two packages mentioned at the bottom of the list.
It is clear that Moody is abusing available statistics, ignoring others, and using his pulpit to push a pro-Microsoft agenda. It is disheartening that ABC would give Moody credibility by posting his columns while they contain such falsifications and omissions. At the very least, a disclaimer noting Moody's past employment would help readers put his writing in perspective. At the most, I would like to see someone technically knowledgable review his columns before publication to ensure he can't twist facts and numbers like he did in this one.
Regards,
Mark Bialkowski
If you decide to feed the troll and read the article, send a comment to ABCnews.com through the aforementioned contact page. A flood of comments questioning Moody's "integrity" might prompt action on ABC's part. Or not. Either way, take the opportunity to call out Moody on this one.
Oh, and make your comment civil. Don't flame, swear, or threaten to "fucking kill" someone. Just explain your reaction to the column and what you feel should be done.
Someday, you're going to die. Get over it.
In other news:
A recent study announced that American president Bill Clinton coughs more than any other American citizen. Clinton has been seen coughing in public and on television over ten times this year, compared to three for actress Julia Roberts, one for celebrity Regis Philbin, and an average of 0.0000001 for every other citizen.
-----
Go ahead, blame me... I voted for Nader!
I'm wondering if the drive by the major distributors to release a new version every 6 days or so is to blame for the problem. Most of the bugtraq exploits seem to involve redhat based distro's. I don't see very many for debian or slackware.
Basically, I think the issue is one cramming too much stuff in the distro and rushing things out the door.
Am I wrong here? I'm not a security expert, but these bugs seem to be due to overly fast releases.
I think it's a warning sign when a system goes from version 2.x to 7.x in a year. It means that marketing is in control and that's never a goodness.
--Shoeboy
No e-mail address, but you do have a vehicle to express your concerns. Take advantage of the ABCNews.com contact page, and let them know what you think about this.
As for the article, yes, people will be concerned with how buggy Linux is. However, Moody inflated the numbers to make Linux look bad. He added the Red Hat 1999 total of 38 to the aggregate total of 84 (which I assume would include Red Hat) to get 122 vulnerabilities. In short, he counted Red Hat twice. After doing that, he didn't mention a word about Windows' own stats - 99 for NT, 47 for 95/98. The Linux aggregate is less than NT alone.
Also, if you add the separate distro numbers, you come up with 98. I think this means vulnerabilities present across distributions were only counted once, though the page isn't too clear on that. The individual distro numbers are interesting - Red Hat is the worst at 38, Debian next at 29, yet both are lower than Win9x's total of 47.
Any way you slice it, Moody's screwing with the stats to promote his agenda.
Someday, you're going to die. Get over it.
The best-known competitor is Red Hat, but others - notably TurboLinux and Mission Critical Linux
Hands up - how many of you never heard of Mission Critical Linux until this? How many of you have never heard of Debian, Caldera or SuSE? And TurboLinux is major?
Linux is arguably the worst operating-system product in history, and Microsoft's the best
I don't think that there's one vulnerability in there for BeOS. I doubt there are any for AtheOS. Therefore, they're even better than Microsoft's platforms.
This boast[linux isn't vulnerable to worms/viruses] has been easy to make, since until 1999 Linux was too much of a fringe product to stand up to the kind of abuse more widely used systems endure.
Actually, it's because Linux is a true multi-user operating system, something not even NT can claim. Solaris is also immune to those kinds of things. If I try to delete every file on my system right now (I'm on Solaris) I will fail, except for wiping out some of my own data. The backups will remain. The system will still boot. Other users will be unaffected.
Free BeOS, runs from a Linux partition
He may be in need of a clue, but isn't this the sort of thing that the common folk look at to make their decisions.
." and the general public won't think any more about it. They will accept is as given that Windows is better because of it.
If Linux is ever going to make it into mainstream, the mainstream will be looking at things just like that. Microsoft will come out with an ad campaign: "We've got less bugs than
So again it raises the question. Should Linux be mainstream? Is it even close to being ready for mainstream? I know a lot of zealots will start flaming away on this one, but when it comes to the general public, they are like sheep. Large numbers (unless it's their salery) frighten the sheep...
Does anyone out there have Moody's email address? Maybe someone could explain NICELY how he completely missed the boat on the bugs.
In Soviet Russia...michael would be rotting in Siberia!