Slashdot Mirror
Fred Moody Says Linux Worst Operating System Ever
I avoided posting this because it really is pretty lame, but its getting submitted a lot. Basically
Fred Moody says Linux Sucks on ABC. He calls it the worst operating system ever based on the fact that bug traq lists more bugs for it then any other operating system. Stories like this just make me roll my eyes: the thing will get tons of traffic from you guys and his editor will say "Good Job Fred" because they got to sell lots of banner ads on it. *sigh*
I've never seen a post about DOS on Bugtraq. So, but this logic, DOS is the best OS ever. :P
The SecurityFocus stats page clearly shows RedHat's '99 vulnerabilities as 38 - less than 40% of WinNT's.
So where did the 122 come from? Moody added RedHat's 38 to the Linux Aggregate of 84. He's done the same for this year's numbers (RedHat's count for this year is 17, and the total for Linux is 30 not 47). But the Linux Aggregate already includes the 38 RedHat vulnerabilities and it clearly states that in the preface on the page - Moody is either an incompetent researcher or he is deliberately counting vulnerabilities twice in order to discredit RedHat. I'd be consulting a lawyer about the possibility of a libel suit if I were them.
"If you look this list over, and measure each system's number of vulnerabilities against the number of its customers, Linux is arguably the worst operating-system product in history, and Microsoft's the best."
True. IF. Obviously, if you accept that criteria, he's right. He correctly notes earlier that NetBSD has just over one tenth the number of bugs as Windows. But, for whatever reason, it has a much smaller market share.
If you are a home user-- he may be right. Let's analyze a case: You are a home linux user. A vulnerability is reported Friday afternoon. Being a non-nerd computer geek, you spend your friday night at a bar. Saturday morning, you have a hangover. Saturday afternoon, you log on, and voila, a patch has been released! (Wow: an fast vendor response). But something else has happened. A lamer with no life rooted your box while you were out partying. Compare that to the following: You're a home NT user. Same scenario, only the bug wasn't reported. One super criminal has it... and maybe the Fortune 500 company is now screwed (which is why they need 24/7 sysadmins on a patchable OS), but there are no script kiddies around to attack you.
What Fred Moody forgets is that Windows is just as complicated an OS as Linux, and therefore, probably had just as many programming "mistakes" made which resulted in bugs. They're hidden... and he assumes they therefore don't exist. Oops. Obviously, in a high security case, this is absurd, and therefore for any serious target, they need an OS like *BSD (or Linux). But for the home user-- is full disclosure really the best choice?
-- Is "Sig" copyrighted by www.sig.com?
No there are not more bugs. There are LESS bugs.
Look at the chart for your self. I have no idea where Moody is drawing his figures from but it certainly is not the chart which shows Windows to be head and shoulders above everyone else's bug count. I would have expected it to do a lot better given the inavailability of their source code.
Heh, I was thinking the same thing as I went over to read the article. Well, I enjoy reading this crap - I love people proclaiming to be experts smucking themselves in public. But, given is pro-microsoft book and his other articles like "Microsoft Greed is Good", I sense that he's doing nothing more than writing a quicky column based on the very last site he went to with 0 (zero) research only to meet a deadline and get something published. ABC on the other hand publishes his crap because they know it'll get to Slashdot and they'll get a ton of traffic, boosting advert hits and revenue. What a twisted world we live in that rather than publishing something factual and with thought these guys publish garbage based on nothing more than a bar-graph and no education solely to generate hits regardless the gulible morons out there that would actually take his sentiment to heart...
But, it's business, right? "Nothing personal" to quote many a mobster while their victim bleeds to death...
Bugtrack should point out very clearly that it's Linux Open nature that causes such bugs to be openly exposed for the sake of fixing. We hide nothing and make no excuses - if there's a bug then we make sure we know about it and it gets fixed. No commercial OS like Microsoft or Solaris will sit there and publish every bug they find. 37 bugs for Win2000??? Last I heard it was over 65,000. Quite a site more than our measily 47...
The quantity of bugs an OS has is a completely meaningless statistic. What do you think would be a bigger security problem: 60 bullet holes in my front door, or one cannonball hole?
That's where the difference lies. Microsoft security holes on bugtraq are almost guaranteed to be worse than Linux holes. Why? Because, without the source, someone has already encountered the bug in day-to-day use. A lot of these Linux bugs are things like, "Wow, this wasn't coded exactly right; in theory, although I don't know how it could be done, this could be exploited.". Microsoft bugs are likely to be along the lines of, "Ha, ha, I just exploited your OS again!"
"Beware he who would deny you access to information, for in his heart he deems himself your master."
Were we display aggregate number of vulnerabilities (Linux and BSD) the number is
the size of the set that results from the union of all vulnerabilities for the components
without duplication. Vulnerabilities are not counted twice.
(quoted from the introduction at the top of the stats page he used http://www.securityfocus.com/vdb/stats. html)
Okay, lets for a moment assume that we want to go distro for distro... and most people believe that RedHat is one of the more insecure of them...
Vendor, Bugs in 1997, 1998, 1999, 2000 (so far)
LINUX (all), 10, 23, 84, 30
RedHat, 5, 10, 38, 17
WinNT, 4, 6, 99, 37
Geee... despite a minor problem at the beginning the numbers look a little different... don't they? In fact evem the agregate Linux numbers come up better then NT (while not a benchmark I would like to use, its the one he seems to be using). To compare the Unix agregate number properly to Windows, we would have to include the Win9x statistics also... right? Somehow I doubt he'd want to do that.
This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
The author seems to confuse bugs in Linux (which is a kernel) with bugs in applications that run under Linux. Microsoft is never blamed for bugs in Windows program that they don't create (say ICQ for example), so why should Linux be blamed for bugs in applications that run under it (like sendmail)? I can think of 1 bug that ever crashed Linux from remote (which was fixed in no time), yet I can remember 3 that affected Windows 95/NT (remember OOB?!).
If an article were ever posted that said Windows is insecure because a lot of applications that run under Windows are buggy, Microsoft's army of lawyers would cause the page to be taken down in an instant. It's too bad there's no one to look out for Linux and other "free" OSes. Besides, to anyone with a clue, bugtraq specializes in bugs relating to UNIX type environments. There's a mailing list called "NTBugtraq" (www.ntbugtraq.com) which deals with all the bugs in Windows.
I'm sure I could ramble on longer if I actually read the article past the initial sentence..
In part, probably because he is published.
One can always peruse the reviews posted for and against his book, I Sing the Body Electronic , or The Visionary Position .
Of course, I should warn that these link to amazon.com -- but the reviews seem pretty split on the merits of his book-length work, too -- some are even a bit witty.
Or, I guess one could simply write him and ask.
Here is what I sent to http://www.abcnews.go.com/service/Help/abc_contacu s.html
Dear Sir,
I was suprised to read a news article on your site that was so clearly biased against Linux and so clearly biased in favor of Microsoft.
In the above article, Mr. Moody's conclusions are suspect and his methods are questionable.
Some of the mistakes that he makes are the following:
The totals for Linux includes many more software packages than does NT. For instance, the apache server is included in the Linux numbers, but the IIS web servers numbers are split apart from the NT numbers and Mr. Moody didn't trouble himself to add them into the list of NT vulnerabilities.
Since Linux distributions include several times the number of servers, clients and other software than an NT distribution, it hardly seems fair to directly compare the two OS'es in this manner. For a valid comparision Mr Moody should probably add in the mail, web browser, and other commonly installed server and client software vulnerablities for say the top three Windows packages in several different catagories to the number of vulnerabilites found in NT.
Since Linux is used as a desktop machine by 4% of the worlds computer users it has a lot of non-server software installed. It is possible to install only server software, turn off the services that you don't actually need and only have to update packages for security reasons 1-2 times a year. It is also possible to run Bastile software against a Redhat box and close numeous security holes before they are even a problem.
Because Bug Track is the primary method of tracking bugs in open source distributions nearly all the bugs will be reported here. Microsoft often hides its bugs in a security through obscurity method that rarely works.
It appears that if a single package has a vulnerablity in Linux then the Bug track list includes the vulnerablity for each affected distribution. Thus, a sendmail report will be counted once for each distribution that uses that version of sendmail. This will tend to artificially inflate the Linux numbers.
Mr. Moody also doesn't take into account how long it takes any given OS to fix each know vulnerablity. Linux will often post the fix with the bug report, or within a couple of hours, while NT products will often go many days or even weeks until a hot patch is released. An example of this is the current vbs vulnerablity that exists in the MS mail client. This is clearly a well known problem, but windows clients are hit again and again by the exact same mail worm.
A final point to make is the fact that even though NT is only used on a third of the web servers on the internet, nearly half the page defacements are against NT boxes.
I am not saying that any OS is more or less vulnerable than any other OS. All OS'es have vulnerabilities and need constant monitoring by well trained security personnel. But some OS'es are much more open and honest about their problems than others.
Thank You!
-- Never make a general statement.
With quotes like "[a]ll that aside, though, one conclusion is inescapable", it's clear he understands the flaws in his argument but is willing to propound it anyway. He's clearly trolling for ad revenue and perhaps enough controversy to make a follow-up mea-culpa article a winner also.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Here's an article at SecruityPortal that looked at the same bugtraq data and came to the conclusion that Linux had superior security to NT and showed fewer total advisories and a fewer hacker recess days per advisory.
It seems obvious that ABC is full of crap and has fabricated their results by deliberately misrepresenting factual data.
Now why would ABC (A Bunch of Crap) News do such a thing?
Why are people like Mr. Moody automatically the authoritative source of information on whatever subject they feel like at that moment? Anyone with at least a partial clue knows that posts on bugtraq means fixes are soon to come, which is good for everybody. But how do we get people like Mr. Moody to only comment on subjects he knows and understands?
--
I'm glad someone mentioned this. Remember when Slashdot reported that Windows 2000 had 63,000 bugs in it? Of course, everyone here jumped at it and said, "See, that's why Open Source reigns supreme!" However, a bunch of people replied to that story, saying that Debian and Red Hat were comparatively just as bad.
So what's the point with this?
A bug isn't necessarily a design flaw that's going to take down your program (that bug could just be some complaint of a nitpicky programmer)
Quoting raw statistics without further elaboration is misleading
Just my two cents.
--
--
The real Raunchola isn't cool enough to have any imposters
the scientific community too; when he ran an article: http://www.abcnews.go.com/sections/tech/FredMoody/ moody990914.html about how the new relativisiic heavy ion collider expirements at brookhaven. apparently he thought they were going to accidentally create a black hole that would destroy the world(completely unaware of the fact that collisions of comparable energy occur in the upper atmosphere every day, and we still exist). so he wrote an idiotic little scare column about 'evil scientists'. after recieving a huge amount of email from scientists who work in the field, informing him of how much of a moron he is, he wrote another 'oh poor me' column a few weeks later. now he's doing it again with linux! good job fred, you did it again! and now your burning at the stake will come from the tech. community. :] enjoy!
- "Hear that?! The percolations are imminent! Cease your ingress!"
After reading some of the blatant falsifications and b.s. in his article, I posted a comment through abcnews.com's contact page.
I would appreciate if, for the benefit of your readers, you would note that Fred Moody is a former Microsoft employee. I would also appreciate it if one of your editors would have a chat with him about journalistic integrity and how even a columnist shouldn't misrepresent statistics to further an agenda.
I refer to his column on Linux vulnerabilities, where he "uses" statistics from SecurityFocus to claim Linux is the "worst" OS of all time and Microsoft is the "best". SF states in the first paragraph of their vulnerability statistics page that the stats shouldn't be used to judge how secure an OS is, yet that's exactly what Moody proceeds to do. He then flagrantly fakes a total of "122" vulnerabilities for Linux in 1999, taking Red Hat's 38 and adding that to the aggregate (meaning all distributions, including Red Hat) total of 84. In effect, he counts Red Hat vulnerabilities twice to inflate Linux vulnerability numbers. He also fails to note that each individual distribution has fewer vulnerabilities than either Windows NT or 95/98. Were one to aggregate the Windows numbers, the total would come to 146. Windows NT alone racked up 99 vulnerabilities - higher than the Linux aggregate total.
He also glosses over the "package vulnerabilities" statistics near the bottom of the page. Microsoft products claim the first 12 spots. In 2000, MS products claim 7 of the first 12 - the various Red Hat products (which are known among Linux users as not focused on closing obvious holes) take the other 5. Only TurboLinux gets mentioned in the 2000 list, with 6 vulnerabilities in each of hte two packages mentioned at the bottom of the list.
It is clear that Moody is abusing available statistics, ignoring others, and using his pulpit to push a pro-Microsoft agenda. It is disheartening that ABC would give Moody credibility by posting his columns while they contain such falsifications and omissions. At the very least, a disclaimer noting Moody's past employment would help readers put his writing in perspective. At the most, I would like to see someone technically knowledgable review his columns before publication to ensure he can't twist facts and numbers like he did in this one.
Regards,
Mark Bialkowski
If you decide to feed the troll and read the article, send a comment to ABCnews.com through the aforementioned contact page. A flood of comments questioning Moody's "integrity" might prompt action on ABC's part. Or not. Either way, take the opportunity to call out Moody on this one.
Oh, and make your comment civil. Don't flame, swear, or threaten to "fucking kill" someone. Just explain your reaction to the column and what you feel should be done.
Someday, you're going to die. Get over it.
In other news:
A recent study announced that American president Bill Clinton coughs more than any other American citizen. Clinton has been seen coughing in public and on television over ten times this year, compared to three for actress Julia Roberts, one for celebrity Regis Philbin, and an average of 0.0000001 for every other citizen.
-----
Go ahead, blame me... I voted for Nader!
No e-mail address, but you do have a vehicle to express your concerns. Take advantage of the ABCNews.com contact page, and let them know what you think about this.
As for the article, yes, people will be concerned with how buggy Linux is. However, Moody inflated the numbers to make Linux look bad. He added the Red Hat 1999 total of 38 to the aggregate total of 84 (which I assume would include Red Hat) to get 122 vulnerabilities. In short, he counted Red Hat twice. After doing that, he didn't mention a word about Windows' own stats - 99 for NT, 47 for 95/98. The Linux aggregate is less than NT alone.
Also, if you add the separate distro numbers, you come up with 98. I think this means vulnerabilities present across distributions were only counted once, though the page isn't too clear on that. The individual distro numbers are interesting - Red Hat is the worst at 38, Debian next at 29, yet both are lower than Win9x's total of 47.
Any way you slice it, Moody's screwing with the stats to promote his agenda.
Someday, you're going to die. Get over it.
The best-known competitor is Red Hat, but others - notably TurboLinux and Mission Critical Linux
Hands up - how many of you never heard of Mission Critical Linux until this? How many of you have never heard of Debian, Caldera or SuSE? And TurboLinux is major?
Linux is arguably the worst operating-system product in history, and Microsoft's the best
I don't think that there's one vulnerability in there for BeOS. I doubt there are any for AtheOS. Therefore, they're even better than Microsoft's platforms.
This boast[linux isn't vulnerable to worms/viruses] has been easy to make, since until 1999 Linux was too much of a fringe product to stand up to the kind of abuse more widely used systems endure.
Actually, it's because Linux is a true multi-user operating system, something not even NT can claim. Solaris is also immune to those kinds of things. If I try to delete every file on my system right now (I'm on Solaris) I will fail, except for wiping out some of my own data. The backups will remain. The system will still boot. Other users will be unaffected.
Free BeOS, runs from a Linux partition
He may be in need of a clue, but isn't this the sort of thing that the common folk look at to make their decisions.
." and the general public won't think any more about it. They will accept is as given that Windows is better because of it.
If Linux is ever going to make it into mainstream, the mainstream will be looking at things just like that. Microsoft will come out with an ad campaign: "We've got less bugs than
So again it raises the question. Should Linux be mainstream? Is it even close to being ready for mainstream? I know a lot of zealots will start flaming away on this one, but when it comes to the general public, they are like sheep. Large numbers (unless it's their salery) frighten the sheep...
Does anyone out there have Moody's email address? Maybe someone could explain NICELY how he completely missed the boat on the bugs.
In Soviet Russia...michael would be rotting in Siberia!