Linux Sux Redux: A Rebuttal

SmooC writes "This is SecurityFocus's reaction to Fred Moody's article, claiming that NT is more secure than Linux. Ran on slashdot last wednesday. Ben Greenbaum who manages the Microsoft Focus Area, sees it from a different perspective."

Re:We Should Rejoice In Moody's Article...

[Skald]

The sadest part is that new stories like this don't last in peoples mind longer.

I'm sure somebody here will brood over this, make Fred Moody dart boards, and send the guy hate mail till he dies. Actually, that's one of the things I love about slashdot... there's always some bitter old fellow waiting to remind you of stuff like this. You know the sort of post:

IBM!?! I was working tech support for an accounting company when they took over Electronic Typewriters... bastards changed the mountings on the platen knobs, wouldn't return our letters, and we wound up having to hire a guy to carve new ones! Cost us nearly $15, and then the guy got drafted... I'm telling you, never buy IBM!

Re:Moody's article

[jdoyle99]

As a matter of fact, if you read the footer notes for the article Mr. Moody wrote, you'll see the reasons of his statements.

It matter of factly says that he wrote the book:

"I Sing the Body Electronic: A Year with Microsoft on the Multimedia Frontier".

Now if that doesn't show bias i don't know what could.

--Justin

Re:Feh

[Misch]

Damn. I know journalistic integrity doesn't apply
Did ABCNews mention that Fred Moody was a Microsoft employee at one time? He spent 1-2 years with them as Microsoft developed a childrens multimedia guide, reporting on their processes, and state of the team project, etc.

I'd expect a little more journalistic integrity out of ABCNews...

inflated due to ie inclusion?

[gruntvald]

He now claims the NT number is inflated "because (they) consider it part of the OS"?! Wait a minute, isn't that the whole crux of Microsofts case in the DOJ thing? Have you ever tried to maintain NT boxes WITHOUT installing ie? This ringpiece needs to be blacklisted, he's just trawling for hits.

Re:crap

[ryanr]

I'm working on it.

For the newbie it is

[topdogg]

When i started out, I ran both. My linux box was hacked 3 to 4 times, the NT box wasn't hacked at all.

Re:For the newbie it is

[Fastolfe]

This has little to do with inherent "bugs" or vulnerabilities in the operating system and everything to do with a lack of knowledge and proper system configuration.

It's also far easier to utilize a newly hacked Linux system for evil than it is to do the same with NT, so Linux tends to be more of a target. And if you stupidly set up an insecure system and advertise its presence to the world, it will be a much more tantalizing target.

He should be fired, not banned

[FreeUser]

I sent an email to ABCNEWS asking them to ban him, but I doubt that will happen. I did point out the flaws in his arguements though. I haven't received a respounce as of the writing of this.

I wish you had considered your words more carefully. The word "ban" is loaded (and not what you are really trying to say) and using it effectively pushes everyone's buttons, especially in the media. It smacks of censorship.

What Mr. Moody has done is act in an unprofessional manner (by deliberately spreading misinformation). His lack of 2nd grade mathematical skills has demonstrated his lack of qualification to write about any technical subject. Not that it is necessary, as the arguments he uses and the conclusions he draws do this stunningly well also.

He should be fired for incompetence, or at least reassigned to a job more worthy of his skills, perhaps as a movie critic or janatorial assistant.

One thing is certain, by employing him as a technical writer (or pundit) ABC's reputation with respect to technical matters suffers tremendously.

He shouldn't be banned for writing whatever he wants, however, his employment should reflect the quality of his work, i.e. none.

Re:Moody's article

[styopa]

Moody wrote the ABC article that is the subject of this rebuttal posted today.
Here is the slashdot article on Moody's editorial.

Have a look at ABC's `Linux FAQ'

[LizardKing]

You might want to check out ABC New's very own Linux FAQ - some of the innacuracies are quite amusing and suggest a general cluelessness at ABC as a whole. The URL is http://abcnews.go.co m/sections/tech/DailyNews/linux000403.html.

Some notable cock-ups are:

Linus isn't in charge of Linux any more, but his opinions are taken very seriously by Linux developers

Hmmm, arguably he never was `in charge' of Linux as it's licensed under the GPL. However ABC seem to be implying he's taken a back seat, which will come as a surprise to readers of Kernel Traffic.

The core of Linux is a text-based operating system, like DOS. But several different competing graphical interfaces have sprung up to make it friendlier. They look like a streamlined version of Windows or the Mac, generally with bigger icons and fewer shadows

I can see a DOS / Unix shell comparison being valid given the likely cluelessness of ABC's regular readership, but they clearly haven't got much idea about the X Window system and its relationship to desktop environments, etc.

It may soon become easier to use with a product called Eazel, being developed by several of the original programmers for the Macintosh. They claim that they'll be able to put an easy-to-use face on Linux

Hmmm ... Eazel - that'll be the people making one key application that will be the new file manager shell in Gnome 2.0. Not that Gnome isn't already a viable easy-to-use interface.

Critics of Linux say that the software is a "perpetual beta" - always under development, always mutating, always buggy, and never quite ready for prime time

Critics (like good old Fred Moody) might say that, but most people writing crass editorials aren't experts in any field, let alone Linux. And if it's so buggy, why have I spent the last four years working for big companies where Linux is increasingly the server OS of choice thanks to its stability and flexiblility? My current employer doesn't have anything but Linux on the servers - including file, print and database servers, not just our firewall or web servers.

What applications are available? Lots of server and Internet software, but little else

They might want to check out freshmeat.net - not all that stuff can be vaporware ...

The three biggest Linux companies are Red Hat (partially owned by Intel), Slackware, and VA/Linux

Now I stand to be corrected on this one, but Slackware - a company? And waht about SuSE or the makers of TurboLinux? Do I detect classic signs of Yankocentricism in this great American institution?

Linux is a complex system, and tech support is usually a must

For a newbie, yup. But I've yet to come across a company or cluefull user that needed tech support.


Chris

Re:Have a look at ABC's `Linux FAQ'

[Black+Parrot]

> the core of Linux is a text-based operating system, like DOS. But several different competing graphical interfaces have sprung up to make it friendlier. They look like a streamlined version of Windows or the Mac, generally with bigger icons and fewer shadows

Oh, this kills me. When I read the first phrase a vision popped into mind of an OS kernel that ran text files rather than machine code:

If the first one is bigger than the second one, skip to page two. Otherwise, continue with the instructions below.

And the bit about the "bigger icons and fewer shadows" ripped my gut. Gee, that's important stuff to know when you first hear about a new operating system!

--

Re:It's not the number that counts...

[HeUnique]

Windows has update features..

According to Microsoft, this update will let you update drivers, security holes and other updates needed..

I got a windows 2k machine and guess what? from all the fixes that appears on SP1, only 1 appeared here (which wasn't even related to my configuration!)

Give me a break!

bad comparison

[kaisyain]

the "10,000 known, documented bugs" that you talk about are, for the most part, vastly different from the kinds of things listed on bugtraq.

A marginally better comparison would be a list of reported bugs in gnome:

http://bugs.gnome.org/db/ix/full.html

At the very least compare apples to apples.

Re:bad comparison

[Lxy]

I agree!! That article about 63K+ known bugs in Win2K was BUGS, not security issues. How many security leaks does NT/2K really have? Only Redmond knows. I would assume it's much higher than Bugtraq is aware of. The other important note here is that the bugs in linux were found because hackers were sifting through the code trying to block any open doors. NT bugs are found the day AFTER the server is completely comprimised, then it's documented.

I grep, therefore I am

Rah rah Linux *sigh*

[Fervent]

Is there anything that pulls more on the heartstrings than a bunch of Linux zealots going "Rah rah Linux" in reaction to some idiot's "article"? Let's face it, Moody's a total moron -- why are we even giving it the time of day? Then we post "rebuttals" from people we like more. How childish.

Dear Rob Malda: get a clue. It's supposed to be "News for Nerds. Stuff that matters." not "Dumb articles from supposed Nerds. Stupid advocacy." "Rah rah Linux" -- fuck it. Give me something that actually matters.

Re:Rah rah Linux *sigh*

[Fervent]

And before you could be targetting this as flamebait, think of this -- we could be talking about gene sequencing right now (or PARC's recent contributions to digital paper).

Re:Rah rah Linux *sigh*

[Yam-Koo]

Um, most of the articles aren't pro-Linux, they're anti-Moody. The majority of them state how his facts are wrong, and how calling Linux the worst OS ever is vastly innacurate.

Additionally, would you expect the responses to this article to be anything different? Why should people NOT point out that there is blatant mis-information out there?

Re:article text since SF is /.ed

[fsck]

You can block ads in your browser using software. This type of software exists for both Windows and Linux/X11. Junkbuster is one such example.

Re:Mirror

[Delphis]

Just wanted to say thanks for posting that mirror :) .. SF has been unavailable to me all day :D

--

unfortunately...

[ebbv]

90% of it is not /good/ pr0n :(
...dave

(moderators : correct: Funny, incorrect: Offtopic)

Re:rebuttal?

[Shadowlion]

using the numbers to say that linux is not less secure than, and therefore more secure than nt.

No, that's not actually what he's saying. He is simply saying, "These numbers don't provide enough foundation for you to conclude that NT is any more secure than Linux is." He isn't implying that Linux is more secure than NT is - he is simply saying that you can't argue NT is more secure than Linux based on the numbers Moody used. That isn't to say you can't make arguments that NT is more secure than Linux, only that misusing a set of BugTraq statistics isn't good proof to back up your claims with.

It's sort of like a court trial - being found "not guilty" is NOT the same as being found "innocent." Being found "not guilty" simply means the evidence didn't meet the burden of proof. Being found "innocent" means you are completely exonerated and that the evidence shows that there is unequivocably no way you could have committed the crime (you were out of the country, in jail, physically incapable of committing the crime, etc.).

Comment from ABC

[jea6]

Received this from abcnews.com today:

Subject: Re: abcnews.go.com User Feedback (KMM70266C0KM)

Hi Juan,

Thank you for contacting us.

We appreciate your comments and your feedback to improve the quality of
our services. We will forward your e-mail to our Technology Section
Producer for review.

Just to let you know, Fred will be revisiting the subject on August
16th, addressing this and other issues.

Regards,
Alice
ABCNews.com
http://abcnews.go.com/

Re:IE has more bugs

[topdogg]

Hah, Linux has more bugs that all Winxx os's together, Not saying I hate linux, I love linux as much as I love NT. But Myself found more bugs it a lot of packages

Re:Feh

[Enoch+Root]

Did you bother to READ my post?

I'm not criticizing the article; I'm criticizing Slashdot for their editorial choices. Would you ever see such an article linked to a debunking of a 'Linux rulz!!' article? As a matter of fact, I bet that if it ever came across Slashdot's editorial 'desk', it was promptly ignored.

Re:Moody's article

[synesthesia]

I agree with jmccay and actually did write a letter 2 days ago. Yesterday I was pleasantly surprised with a response. Who knows if it will ever come to anything, but at least someone read it and took the time to respond to me in person, even if it is a form letter. IMHO the way to get attention is to question the journalistic integrity of not only the writer, but the organization that sponsors the writer. This usually gets someone's attention because there are usually people at news organizations that take their job seriouly. I for one felt insulted by Moody's arrogant disregard for the facts and not his opinion that MS is a better product. Not only does this reflect poorly on Moody, but on ABCNews.com as well.

Response from and letter to ABCNews.com follows:

Hi Michael,

Thank you for contacting us.

We appreciate your comments and your feedback to improve the quality of our services. We will forward your e-mail to our Technology Section Producer for review.

Regards,
Alice
ABCNews.com
http://abcnews.go.com/

Original message follows:
-------------------------

attn: Editorial Review Board, abcnews.com

I recently read Fred Moody's article ("Linux Sux Redux") at your abcnews.com site and was displeased to see that Mr. Moody deliberately misrepresented the numbers he gathered at www.bugtraq.com in order to show that Linux is worse than the competing Windows product. I take no issue with the fact that Mr. Moody believes windows to be a better product than Linux, but for him to blatantly twist the facts (in order to come up with his number of 122 bugs, he had to count the Red Hat distribution bugs TWO times) in order to make his point insults me as a reader and should raise serious questions about his journalistic integrity. abcnews.com's toleration of such a violation of ethics brings into question the integrity and bias of the whole news site. As such, unless a public clarification of his data is issued, I will no longer read any content on your site.

Sincerely,
Michael

Troll Troll more troll...

[rkt]

"As Linux zealots are beginning to find out, it's a lot easier to masquerade as a better
product than it is to go out and be one."

I agree with that statement, and I believe that the Linux community has done an
admirable job in many ways on both counts. In closing, I propose to the security
community and to Mr. Moody that what is true for products is sometimes true for
journalists as well.

Now lets see how moody feels about that satement :)

rkt

Thanks Ben Greenbaum

[Beckman]

Perhaps someone should write Ben Greenbaum to thank him for his article.

It's quite inspiring when civility overcomes what has too often become flame wars between opposing factions.

Would we have reacted similarly has we encountered unjust article smearing microsoft? I'm guessing that most of us would just let it slip under the rug.

Haiku

[comcn]

Eighty-four bugs max.
This also includes RedHat:
Moody cannot count!

Re: WARNING: this looks like an elaborate troll

[Omniscient+Ferret]

I couldn't find anything in the kernel traffic archives, but there's an archive of the mailing list - this might be the initial post you're thinking of. That was in June; there seem to be followups to that in September. I found those using "zero copy transmit" on this search page.

ouch

[rvr]

The last paragraph Ben quoted Moody, Moody had said:

"As Linux zealots are beginning to find out, it's a lot easier to masquerade as a better product than it is to go out and be one."

And then Ben said:

I propose to the security community and to Mr. Moody that what is true for products is sometimes true for journalists as well.

Ouch.

ciao,
-rob

Re:Why can I NEVER acccess securityfocus's pages

[ryanr]

The Slashdot traffic sometimes temporarily pushes us past the amount of traffic we can handle and still have a reasonable response time. I'm working on some upgrades to address the issue.

Re:Address?

[synesthesia]

comments@abcnews.go.com worked for me. I got a response in just over 24 hours. Cheers!

Re:This Needs to Be Publicized

[Jon+Shaft]

We have to force ABCNews to post some corrections (plus maybe the link to Greenbaum's response), because the article is obviously violating journalistic integrity. In addition, it will be better to have the major news sites like CNet or ZDNN to cover this.

Hah, it soudns good on paper..er a web forum, however try making it a reality. It's scraping that line in between impossible and never happening. The "major" news sites aren't going to care what a bunch of intelligent, insightful consumers. They're only going to care about the big majority of the public, all of which doens't seem to concern Linux much (YET). I'd be great if someone big replied with a counter article to one of those news sites. (Hell, wake Katz up. The rest of the world loves him... and so did Slashdot a year or so ago when he was introduced here... Just read back a long, long time ago when Taco posted Katz's welcome. It's quite funny to compare it to how everyone treats him today). But anyways, I'd love to see ABC rebuttle the article and post changes and additions, but I doubt it's going to happen. ;(

I'd be great of Securityfocus would contact ABC or one of the other news sites and proved he had no integrity, and that he was wrong in using those statistics completely :-)

oh welp. Cheers.

I know...

[jmccay]

Mr. Moody is really on Microsoft's payroll for linux spin control!

Re:Bullshit

[0xdeadbeef]

those that use it - and the religious right

That's redundant...

Re:article text since SF is /.ed

[Wah]

please moderate down, it is no longer /.'ed and I'd hate to see the flamebait get more banner ads than the firehose. Thanks

--

Re:NT more secure?

[Lally+Singh]

Although, it can become quite easy to have say a perl script with a nice frontend that downloads the patch, applies it, recompiles, and reruns lilo. But doesn't redhat just update their kernel .rpm packages?

--

WARNING: this looks like an elaborate troll

[LizardKing]

This AC comment looks like a cut & paste from a kernel traffic article where someone was bemoaning the lack of zero copy trnsmit in Linux' TCP/IP stack. The fact it's posted anonymously smells a bit fishy as well, 'cos if I remember rightly the KT article went on to discuss why the complaints were not really valid.

I'll try and find the relevant Kernel Traffic issue when I've got a spare five minutes.

Chris

Re:More secure?

[talesout]

Damn that humor!

I've got to quit reading ./. About three times a day I spew Mountain Dew all over my monitor and keyboard when I read some non-sense joke.

Firewall, toaster, hehe, oh boy.

Re:About Credibility...

[Jon+Shaft]

The sad thing is your thinking exactly as how I'd see most non-knowledgable people who probably read that article... :-\

Absolutely

[Sloppy]

Moody wrote the flamebait:

As Linux zealots are beginning to find out, it's a lot easier to masquerade as a better product than it is to go out and be one.

and now Greenbaum has taken the bait. Here is the (justified) flame:

I propose to the security community and to Mr. Moody that what is true for products is sometimes true for journalists as well.

It's an open and shut case.
---

Re:Moody's article

[rikkards]

I think you missed his point which was why do we care what an idiot like Moody says since we know he is full of crap. The key reason to care is not because we know he is crap but a potential admin who wants to use Linux as a server rather than M$'s may get his idea ixnayed by a pointy-haired management type who happen to come across this article and panics.

Re:More secure?

[Clubber+Lang]

Hey! Your toaster isn't secure at all! It's probably plugged into the power grid right now just waiting for the gremlins to come take it over.

Geez! Everyone knows that the why-2-kay bug didn't hit us because 2000 isn't really the millenium! Bill Gates is just biding his time unitl dec 31 when he can unleash the beast on all of us! ABC told me that viruses can get transmitted through power lines, and if I don't watch out, my microwave will fry me in my sleep!

Gotta go, they're trying to steal my brainwaves again...

Re:It's not the number that counts...

[iie1195]

Think you misunderstood me. The point I was trying to make (and, yes, I do realize that I didn't make myself clear enough), was that the whole structure of Windows NT makes it less secure than Linux/*BSD based OS'es. And I didn't mean that RH, Caldera or SuSE or whatever are great at delivering packaged-and-ready fixes in hours. Because they don't. The Distros are generally bad at that. I'm talking about the actual developers, not the distros. And No, not everyone chooses OS'es for security. No OS is 100% secure anyway. Even OpenBSD (all tho OpenBSD comes really, really close...) As for my users, well, I no longer work with NT (even tho I'm hold a MCE) I'm currently working as a *nix sysadmin. And I'm never going back to the unstable BOD-filled Windozw NT. Besides, the users could care less as long as they get their emails, their web-stuff, and their apps. Everyone here that works as a sysadmin or other technical stuff know that this is true... ;-) Oh, and the Redmond "joke" was only a joke about how poorly written this article was and how little research went into it. I'm not a conspiracy-theorist. Jeez, dude...

Re:Some history

[Black+Parrot]

> He never substantiated this informant, of course.

I have a secret informant who tells me that Moody's secret informant was a hand named 50ck Pupp37.

--

More secure?

[AbbyNormal]

So is my toaster according to his point of view.
Where can I get what Moody's smoking? Nice name Moody. Does he switch his position to favor Linux security when his Aunt FLOW comes to visit?

You are a unique individual...just like everyone else

Re:More secure?

[kieran]

My toaster is far more secure than Linux. In fact, I'd be happy to have this tested.

Go on, hack my toaster. If anyone can get root on my toaster, I'll give it to them, and buy them a few beers into the bargain.

But I warn you: it's pretty darn secure.

Re:More secure?

[Tower]

That's why your toaster should be 'firewalled'...
--

Re:More secure?

[AbbyNormal]

In a couple of years when everything is part of your house network...I'll take ya up on the offer. hehehe. Can you imagine?
"Dammit Urma, Script Kiddies burnt my toast again! Those Bastards!"

SecurityFocus site...

[Sir_Real]

That's weird... The page doesn't load...

a mirror perhaps?
no sig here... move along

Re:SecurityFocus site...

[ryanr]

Yes, we've been experiencing degraded performance today due to the Slashdot traffic. I'm working on some upgrades that should help with that.

Re:SecurityFocus site...

[jmccay]

The stats age loaded yesterday. The stats are on images. They were not loading today. I bet they got /.ed.

Re:SecurityFocus site...

Well, you asked for it. Here is the full text of the article. Can you say copyright violation?

Linux Sux Redux: A Rebuttal
by Ben Greenbaum
Thu Aug 03 2000
This is in response to an article posted at abcnews.com by
Fred Moody, available at:
http://abcnews.go.com/sections/tech/FredMoody/mood y.html,
in which he claims that Linux is a far less secure operating
system than NT, based on his interpretation of the Bugtraq
vulnerability statistics.

From the very start, I would like to proclaim that I am not a Linux
zealot, or for that matter an ardent defender of any OS. I manage
the Microsoft Focus Area here at SecurityFocus. My personal
machines at home run on various flavors of both MS and Unix
operating systems. Different OS'es have different strengths, and I
freely and gladly use whatever is best in my experience for the
purpose at hand.

The problem I have with Mr. Moody's article is not the conclusion
he comes to, although I do disagree with it. It is instead a problem
with the methods used to reach that conclusion.

The author is writing about the results of the Bugtraq vulnerability
statistics page at:
http://www.securityfocus.com/vdb/stats.html

These statistics are meant for general interest purposes. The text
on the statistics page clearly states:

"The statistics should not be taken to imply that some particular
operating system or application is more or less secure than
another one."

However, these stats are for public use, to be interpreted as the
user sees fit. As with any statistics, they can fairly easily be
twisted and misrepresented to support whatever goals the author
may personally have. This is to be expected to some extent any
time statistics, especially unscientific statistics, are used to prove
a controversial or questionable point.

The worst situation by far is when the statistics are not only
"massaged" to serve personal or corporate goals, but interpreted
incorrectly in the first place. The Bugtraq stats have been used
and referenced in various articles and endeavors, with varying
degrees of accuracy. The most egregious example of misuse and
misinterpretation by far to this point is in the article referenced
above, where Mr. Moody states that Linux is the most insecure
OS available. This is based on a gross misreading of the available
data.

To wit: (regarding statistics for 1999)

"122 racked up by Red Hat and the other Linuxes "

Whereas the actual statistics are:

All Linuxes combined: 84
RedHat only: 38

Which, as you can see, add up quite neatly to 122, the number of
vulnerabilities claimed by Mr. Moody for "RedHat and the other
Linuxes". So now, we pause for a brief explanation of the word
"Aggregate". First, from the text of the page itself:

"Where we display aggregate number of vulnerabilities (Linux and
BSD) the number is the size of the set that results from the union
of all vulnerabilities for the components without duplication.
Vulnerabilities are not counted twice."

The numbers for "Linux (aggr.)" reflect the total number of
reported vulnerabilities across all distributions of Linux; if it's a
Linux, it's in there, RedHat included. Also, if the same
vulnerability is present in more than one distribution, it counts
once. Therefore, for a representative number of all known Linux
security bugs, one would only look at the Linux (aggr.) statistic.

Therefore, since 84 (for Linux) is demonstrably less than 99 (for
NT) I submit that these statistics can certainly not be used to
prove that Linux has more vulnerabilities than NT.

Mr. Moody ends his article with the sentence:

"As Linux zealots are beginning to find out, it's a lot easier to
masquerade as a better product than it is to go out and be one."

I agree with that statement, and I believe that the Linux
community has done an admirable job in many ways on both
counts. In closing, I propose to the security community and to Mr.
Moody that what is true for products is sometimes true for
journalists as well.

Ben Greenbaum
Director of Site Content
SecurityFocus
bgreenbaum@securityfocus.com

holes per service - apples and oranges

[fatphil]

I'd bet that the 99 NT security holes pertain to a fairly small range of services (mail and disk sharing, I'd wager)
I'd then guess that the 84 Linux security holes pertain to a far broader range of services being provided.

What proportion of the services offered are insecure?

FatPhil

NT more secure?

[B00yah]

How can a product so inflexible be more secure...When a security hole is found in NT, it is not an easy task to remedy, while with Linux, it takes little effort...

Re:NT more secure?

[Mr+Z]

I think the general arguement in favor of distributed computing in a businees environment is cost.

Of course, that cost equation rarely has a term for the amount of employee time spent working around Windows' features. I put a script on my PC at work which counts the number of times I've rebooted. (It's a crappy little QBASIC program that's in the Startup folder, so it only counts successful boots.) You can tell when I've been using my PC vs. when I've been using my Unix box just by looking at the log. I generally end up having to reboot that PC multiple times if I'm doing any heavy-duty work. Annoying.

Almost as annoying as the time I accidentally dragged a menu option out of one of the menus in Microsoft Word, and had to spend a good part of a day figuring out how to put it back. First, I had to convince myself that the option had been there to begin with, and that I hadn't entered some mode in which "Insert Character..." had not been disabled for some silly reason. Turns out, I had to drag the option out of the "Customize" dialog (used for configuring tool bars) in order to get it back. I'd never learned how to use the configurable tool bar, so I didn't think to check the tool bar configuration stuff to determine why my menu option had gone away. Pull-down menus in MS Word are now just tool bars with text instead of icons, effectively.

So, when people talk about the cost-effectiveness of PCs, I bring up these stories. I also sometimes bring up the relative cost of the applications I would use on the PC if I had to (Visual Studio, Outlook, etc.) vs. the cost of the tools I do use on Unix (gcc, mutt, etc.) (For bonus points, I mention the net revenue loss for each should a macro virus come through.... Big $$ for Outlook, $0.00 for mutt.)

--Joe
--

Re:NT more secure?

[Ayon+Rantz]

With the current distributions, I'd say it takes _less_ skill to update the kernel or one of the userland tools than it takes to install an NT service pack. Take a look at the Mandrake Update program, for instance.

However, I think it's a shame that some users (and more importantly sysadmins) are so unwilling to learn how to do things like this.. After all, it's not _that_ difficult. With distros like Mandrake and Red Hat, I found myself hopelessly trying to work around all the tools and additions they made to the base system. Recently I discovered Linux From Scratch, which proved to be an excellent way to learn, and resulted in a more basic and much less bloated Linux installation.
--

Re:NT more secure?

[demon]

Yah, unless you're lucky enough to be installing a service back that horribly breaks something that some piece of software you're running is dependent upon - then things get nasty. Or the whole dance of getting NT installed with some particular service... install these service packs, then install app, install another service pack, install app service pack, do dance with rubber chicken... come on.

With Debian, I do 'apt-get update ; apt-get dist-upgrade' and I have _everything_ up to date. No problem.
_____

Re:NT more secure?

[sheldon]

Aren't you taking the same position people are yelling at Mr. Moody about?

Re:NT more secure?

[GlassUser]

That depends entirely on your level of skill. As an admin/programmer, you and I may see no difficulty in patching the kernel or a library, but your average desktop user will be totally overwhelmed. Eventually, it comes down to the fact that 95% of the desktop users in the world will NEVER hack (or even follow step-by step directions to patch) their kernel, but they'd be happy to install a single-run service pack. End result, their Linux never gets patched, but NT will, while it may take a few months, be patched.

Re:NT more secure?

[MadPhatTim]

In my opinion, this is one of the biggest problems with computing today. Most users have no idea how to install/fix anything and are unwilling to learn. We might dismiss them as lazy or stupid, but should they really have to be a system administrator if they just want to get some work done? The physics department at my university had a computer lab full of xterms. All your files and all the software was stored on a central server which was administered by very competant staff. Users could log in using any terminal and see exactly the same thing on the screen. Users never had to apply software upgrades, configure printers, install new software, or anything. The administrators would take care of the central server (including making backups and doing any maintenance work) and everyone was happy. Thanks to some nice X defaults set up by the admins, most people didn't have to touch the scary Unix command line; there was a nice little graphical menu with icons for all the commonly used software (Navigator, Mathematica, IslandWrite, etc.).

That always strikes me as a much better paradigm for most corporate environments, which is arguably where people spend the most time with computers. But everywhere I go, I see de-centralized, poorly maintained, misconfigured workstations. Why do we bother? What was wrong with letting a competant adminisrator manage a central server and letting the users worry about getting their work done instead of babysitting their PCs?
---

Re:NT more secure?

[GlassUser]

I'd have to disagree with that. NT service pack == double-click on the icon, click "Agree", drool, reboot (generally in that order). I don't think you grasp the total cluelessness of the average desktop user, though. I can not have users install service packs by themselves (even with this three-click procedure and written instructions). They simply won't do it. For example (this is an actual event, I took this support call, I shit you not), the users had printed instructions on installing a Norton AV update. Step by step, foolproof, right? A dialogue comes up, says to select your location ("Houston, Woodlands, Toronto, Muncy"). "Click on your current plant location, click okay." The user said "I'm in Muncy, but I don't know what to pick. What do I pick?".
I'm sorry, but these types of users are not going to be capable of installing any kind of service pack.
I agree with your basic argument, it's a shame that these users choose not to learn (despite recurrent examples of near terminal stupidity, I still hold hope that it's possible), but too many people just see it as unnecessary to get their work done, and won't think otherwise. If you want your business to make money (thereby keeping you in a job), you're going to have to coddle these children.

Re:NT more secure?

[DrgnDancer]

I think the general arguement in favor of distributed computing in a businees environment is cost. It is cheaper to get several computers that can all run Microsoft Office themselves than one comuter that can run a dozen instances of a word processor , and terminals for everyone. Additionally, as users started to aquire home systems, they became more used to Microsoft OS's and thus more productive in a Microsoft environment (not to mention less whiny. Until recently we had a few Unix workstations left, and everyone complained incessently when they had to use them. Even in X. The fact that it looks and acts like Windows was insufficent. They thought Unix was hard to use, so it was hard to use. Reality has a hard time replaceing a good delution in some people.)

Figures lie, and liars figure

[Tau+Zero]

That number double counts redhat's security errors.

To compound the sin, it counts every distinct security vulnerability in any Linux distribution. A Red Hat user doesn't have to worry about a Debian-only security hole, and Slackware folks needn't concern themselves with problems particular to SuSE, but the author (who obviously flunked statistics) decided that "Linux was less secure". Looks to me like Red Hat has 38, NT has 99, so NT is more than 250% as vulnerable as Red Hat (and, being closed-source, far more difficult to fix).
--

Re:Feh

[Segfault+11]

He probably didn't, here's why:

If you post and you are wrong, someone will correct you. If you refresh the page after a few minutes, some karma whore will summarrize the entire article.

Makes you wonder why people even bother reading the articles at all...

Actually, it points out Moody is wrong

[Croaker]

I suspect you didn't read the article. This response wasn't taking issue with Moody's conclusion. Instead, it demonstrated that Moody made a naive mistake by adding up all of the stats for all of the Linux distributions. Meaning that bugs shared between Debian and Redhat counted twice. The aggregate Linux total (which is what Moody should have used, since it counts Linux bugs once, even if they appear in more than one distro). The Linux aggregate score shows Linux has *less* security bugs than NT.

Re:Actually, it points out Moody is wrong

[Masem]

It's well known that two parties can take the same set of statistical data, and derive two vague but conflicting statements from it, depending on the type of spin they want. This is a perfect example: Moody says one thing, Bugtraq says another. Only with full disclosure of the raw data (as done here with Bugtraq) and experience can one make a truly informed decision on the reliability of statistics. (And of course in this case, it's weighted heavily in Bugtraq's favor).

This is similar to the ad going around from MS about W2k increasing sales from a company by 13% or 5% -- because we can't see all the raw data, there might be something they didn't want to include, or the like, and would make these numbers go the opposite way.

While a pain in the butt, peer-review in scientific journals is a very good thing :D

Re:Actually, it points out Moody is wrong

[Legolas-Greenleaf]

i have a copy of it here
-legolas

i've looked at love from both sides now. from win and lose, and still somehow...

Re:Actually, it points out Moody is wrong

[kiwaiti]

Its even worse. Moody was stupid enough to take the correct figure (Linux aggr., which already discounts duplicates) and ADD THE REDHAT BUG COUNT TO THIS TOTAL. This way, he managed to get a figure with all redhat bugs counted twice, even if they did not turn up anywhere else - clever, isnt it?

Kiwaiti

Re:Actually, it points out Moody is wrong

[jmccay]

It's funny, Moody never scrolled down a little more. It has Microsoft listed as the top 12 packages most vulnerable in 1999. I may have gotten the title wrong because I checked it yesterday before it was /.ed.

Re:Actually, it points out Moody is wrong

[Asic+Eng]

Isn't Moody even more wrong, then the article
points out? Any given user of Linux can not
experience the aggregate of security bugs -
in the "worst" case he'd have the distribution
with the most reported bugs. In this case RedHat
with 38.

This of course working with *his* assumption that
the number of reported bugs is a measure of
security - which it is clearly not, as has been
pointed out by many people here already.

Re:Who cares?

[java_sucks]

Amen to that my brother. It's all about the clicks baby... it's all about the clicks. Hype, incite, troll and create buzz for the clicks. The Net is now being run by the suits... the mainsream media, who has never really been too concerned with the facts, rather the viewing audience. It's all about the clicks.

I think it's actually a shame that we even have to respond to this, it's almost like trying to reply to a slashdot troll, you are basically doing excatly what he wants...generating even more buzz...buzz buzz..click click....welcome to the Internet year 2000.

Good rebuttal

[epcraig]

Nice, polite commentary on basic bugtraq definitions. One small sideswipe at an author conclusively demonstrating he didn't read his homework assignment at all carefully.

Re:Moody's article

[North]

hehe, i can picture it now...

thanks for that book Mr. Moody...
thanks
right, how much did we say?
umm, i think about $2 million
ok then, let's call it a round $50 million, and what say you put in a good word for us on your next article, eh?

Re: NTBugtraq

[b0z]

There is actually a seperate NT Bugtraq mailing list. I got stuff a lot, although not as much as the regular bugtraq mailing list since it's focus is so narrow.

Check out www.ntbugtraq.com

We Should Rejoice In Moody's Article...

[Psarchasm]

Rejoice in the fact that Moody has once again shown himself in the truest light: Bill Gates' lapdog.

This is the first anti-Linux article I've read from him which can be so easily rebutted and turned around to debase Windows using his own argument.

The sadest part is that new stories like this don't last in peoples mind longer. For a brief period anyone that cares will know Moody for what he is: a crappy journalist with low integrity. But four or five articles from now, all will be forgoten and we'll just start it all over again.

Re:We Should Rejoice In Moody's Article...

[Billy+Donahue]

That's why we need to publicize this mistake
and make it memorable. A lot of people here
are chanting that we shouldn't feed the troll,
but I think that his fundamental math error
shows that he doesn't really take his writing
seriously, and he should be ridiculed and
ridiculed, and riduculed for it. If we forget
who he is, then he'll be starting from zero,
instead of from (-2: troll)

Re:Feh

[Psion]

But Enoch Root, if what you said was true, wouldn't journalistic non-integrity demand that Slashdot ignore Moody's article in the first place?

Re:crap

[comcn]

SecurityFocus always seems to be fairly slow... perhaps they should upgrade? (Especially after begin Slashdotted!)

Security Focus Should sue!

[farrellj]

Security Focus should sue both Moody and ABC news for the misrepresenting Security Focus, and for damaging their good name.

ttyl
Farrell

Re:The aggregate figure means nothing. Whats NT+98

[fsck]

Since 95/98 offers no security what-so-ever, the number is infinite.

Remember, Windows 95 is secure because it asks for a password (only hackers hit Cancel) !

No, he is just a .....

[linuxgod]

No, moody is just a fucking dumbass...
Linux is NOT redhat. (This guy doesn't know this?)
Linux is a kernel, 2.2.x = 2 exploits? compared to 2000's 107? HA. M$ security my ass.

Re:The post has been updated

[synesthesia]

From revised Moody article (conclusion):

All that aside, though, one conclusion is inescapable: If you look this list over, and measure each system's number of vulnerabilities against the number of its customers, Linux is arguably the worst operating-system product in history, and Microsoft's the best. As Linux zealots are beginning to find out, it's a lot easier to masquerade as a better product than it is to go out and be one. [bold and italics added]

For some reason, I'm having trouble believing he actually posted this. My eyes see it, but still I don't believe...

Re:Gotta love it

[symbolic]

If Moody issues a retraction and/or apology, or a clarification of his statements, his journalistic integrity might be saved. If not, that last comment in the article defintely has merit.

comments on ABCnews.com?

[indiigo]

Another nice feature of this site is a complete lack of a forum system to give feedback on articles or discuss with peers... Is this intentional? msnbc.com and cnn.com both have had these features pretty much from their inception. Perchance ABCnews.com should rethink their user participation.

What do you expect?

[kelzer]

The three biggest Linux companies are Red Hat (partially owned by Intel), Slackware, and VA/Linux

Now I stand to be corrected on this one, but Slackware - a company? And waht about SuSE or the makers of TurboLinux? Do I detect classic signs of Yankocentricism in this great American institution?

What do you expect from the American Broadcast Company? Heck, they wouldn't even think to mention Corel - after all, Canada isn't part of America, you know.

Here is my email to Fred Moody

[Roach]

Fred Moody melmoth73@hotmail.com,

As a Microsoft Windows NT user, running NT 4 server and MS SQL 7
server on our primary e-commerce site, I have some observations to
share with you on your article...
http://abcnews.go.com/sections/tech/FredMoody/mo ody.html

You are quite possibly one of the worst journalists I have ever
encountered while reading articles on abcnews online. You have
falsified information and ignored the facts in a way that is
blatantly obvious to almost anyone, including yourself.

You seem to really like Microsoft products, but as a journalist
you are not supposed to bias your articles to reflect your own
personal opinions. I certainly hope that you do not write any
political articles or anything with actual reader impact.

If I were to ever encounter you in a public place, I would strike
you bluntly in the face with my fist. You disgust me and I am
nauseated by this kind of shoddy journalism.

-Roach

Re:Moody's article

[Black+Parrot]

> I think it was a troll, because he didn't even come close to scratching the surface on all the reasons why Linux sucks.

Damb straight. But it sucks less than most of the competition in my price range, so I'm sticking with it for now.

> All the ditributions are too fat or too skinny.

Well, if you think the Papa Bear and Baby Bear distros have it all wrong, you might be able to get rich by starting a Mother Bear distro.

--

The aggregate figure means nothing. Whats NT+98?

[fatphil]

Noone simultaniously runs more than one linux on a single PC. The aggregate is meaningless anyway.

Why don't we add the NT+2000+98+95 figures, and see what it comes to.

I'm glad to see the truth will out...

FatPhil

Re:Moody's article

[talesout]

I've heard it said recently that journalist are not so much news reporters anymore, but artists.

There was a time when it was important (or was considered important) to impart news as quickly and as accurately as possible. Now it is far more important to take the time to 'paint' the appropriate picture to generate the most revenue you possibly can for any given piece of journalism. Thus it is not important that they get the facts straight, or that they give an impartial account. It is important that you get as many people as possible as riled up as you possibly can get them and hope that they will keep coming back for more. After all, if there is anything that history has taught us it is that people will lap up anything that pisses them off.

You don't believe me? Then why did you read this article?

While journalists have become artists (in a fashion), they are much like pop-rock artists. They want to make as much cash as possible, by whatever means necissary. Sell your soul if you have to, but make that bottom line climb.

Linux Sux

[Cable]

Also some goobers, possibly MacJihadists, started a Yahoo Club Linux S*cks and they totally started flamewars on it.

Ironic that MacOS and MacOS X so very little bugs in security. OSX being based on BSD Unix, yet BSD Unix has more security exploits? WTF? Or is it that nobody even bothers to check OSX for security exploits?

For more info visit Jihad Speak

Re:Linux Sux

[Phroggy]

Ironic that MacOS and MacOS X so very little bugs in security. OSX being based on BSD Unix, yet BSD Unix has more security exploits? WTF? Or is it that nobody even bothers to check OSX for security exploits?

Partially that users don't test Mac OS X for security holes much, and partially that maybe Apple does. The fact that Mac OS X hasn't even been released to the public yet must surely have something to do with it too, although Mac OS X Server and Darwin have been available for some time.

--

Sacrificing Credibility

[askheaves]

If this whole fiasco has taught us anything, it is that an institution like ABC does not mind having rogue "journalists" under its wings. It seems that Moody is not concerned with the credibility he is supposed to have as a journalist. And, as a representative of ABC, he shines a poor light on the credibility of the empire as a whole.

I think it is great that so many people are getting on his case about technical and statistical inaccuracies. If some corporate CEO decides one way or another because of something that spouted out of Moody's arse, then the world loses.

When Moody lowers himself to the level of a troll, it disgraces the whole of ABC. Beyond the click-throughs on the banner ads, the company loses out in the end. ABC has been my favorite national news source, but this type of article places a small nugget of doubt in my mind.

Free speech guarantees everybody a right to be an a-hole, but it also gives everyone else the right to call him on it.

Re:Moody's article

[Kazir]

Ahh, the fine lines betwix slander and so called truth. dc:

About Credibility...

[Wedman]

Who are you going to trust more:
- An ABCNEWS columnist
- The Manager of Microsoft Focus Area for Security Focus?

I don't know, but I'm thinking that them ABCNEWS dudes are pretty savy. Security Focus has nothing on them, man. Especially the ABCNEWS columnists. Whoa, like, dude: The are like, so totally computer smart. I mean, like, who's ever even heard of Security Focus before today?

Dude out, dude, man.

Re:About Credibility...

[Wedman]

...In a world where one's boss would believe a PC Mag review over the tech that work for him.

Re:Moody's article

[matman]

on the contrary, a person who is a spokes person for a large news organization is given a huge ammount of trust... most readers will take his conclusions as truth (incorrectly) but the fact is that he's being irrisponcible. He has just the same right to say something false or unfounded as I do, but what I say isnt automatically assumed to be true by most people who read it. The news organization needs to watch for integrety of it's articles, or else they risk turning into the Weekly World News.

uhm

[Clay+Mitchell]

isn't this the place where you use the quote:
"There are lies, damned lies, and statistics"? (prolly got that wrong, but thats gist of it!)

oh well, just more proof that people need to learn to listen and read before they learn to talk

Mr. Moody...

[jmccay]

I seriously think Mr. Moody should be banned form writing any commentary on technical arctles for the press. He made several mistakes. If you scroll down on the page that Mr. Moody was basing thing on, you'd see that Microsft had the top twelve most vulnerable packages. Unfotunately, I can't seem to get the page to bring up the graphics with the stats. Look's like it is being /.ed. I sent an email to ABCNEWS asking them to ban him, but I doubt that will happen. I did point out the flaws in his arguements though. I haven't received a respounce as of the writing of this.

Journalism

[kiwaiti]

Unfortunately, most media is much less interactive than e.g. slashdot. Moody can get away with not thoroughly reading the pages he bases his article on because his readers do not see, as they would here, modded-up posts pointing out the sh*t, just a single PgDn away.

Unlike present-day mass media, slashdot discourages the posting of stirred dung (well, mostly).

I sincerely hope this model will be developed into something that can be used by the masses. It would probably not work the same way (imagine all the penis birds...), but were going the right way.

Kiwaiti

Re:Feh

[jmccay]

You obviously didn't read the origanal article and check the stats he was quoting. Other wise you'd not be saying this.

that's called...

[mattdm]

That's called a "target audience". I don't think slashdot ever claimed to be unbiased.

--

Call for class action lawsuit!

[Jason+Straight]

Ok, we have the people that provided the stats say this guy is full of shit, us linux people/programmers that are effected monitarily by the acceptance of linux should get a class action suit against ABC's Fred Moody!

Re:numbers proportionate to usage

[Psarchasm]

Er yeah thats it. It couldn't be because distributions like MacOS aren't truley multi-user systems. Or that OSes like OpenBSD go through stringent security and code reviews.

Nah, that can't be it.

Ooooh... BURN

[eGabriel]

This Greenbaum is a regular Winston Churchill.

Re:Moody's article

[Fishstick]

dunno about guidescope, but IIRC, junkbuster doesn't even forward requests to the adfarms and so denies them the hits.

Reply I sent to Mr. Moody:

[the-banker]

I have read your article on www.abnews.com and have the following comments:

1. You need to disclose your bias toward MS as you have done extensive research on their company and products. After reading your article I see that you have yet to undertake such an evaluation of linux.

2. How do you figure that NT has taken over as the server platform of choice? I direct you to www.netcraft.com for a complete survey of internet servers and their platforms. NT is no where near the leader.

3. Being open source, bugs are much easier to find and report in linux. Generally, Microsoft does not even disclose the existence of bugs it does not have a fix for. The 99 NT bugs is a depressed figure.

4. Given that your 99 NT bugs are significatly (over 15%) greater than linux, and the 99 number is a depressed value, how do you justify your "worst operating systems ever" statement.

5. Admit your mistake in not reading the footnotes to the table

6. All of the linux bugs have been patched. I challenge you to produce 99 patches for NT. Also, evaluate the timeliness.

I urge you to research these topics before you continue your position as a Microsoft tool printing FUD (fear, uncertainty, doubt).

Marc A. Dukes

Marc Dukes
Provident Bank
mdukes@provident-bank.com

Re:Moody's article--Funny

[cronos-cronos]

Moody must have seen that he screwed up. As of today in the middle of the article where the supposed "122 exploits" were mentioned, it is now corrected to 84, and there is this note on the page: . [Please note: Upon further research, I realized that my original numbers were a bit off. The numbers above are new and revised. Fred Moody, 8/4/00.]

It was simply slander

[alexk]

Moody's article was a clear case of slander.
It has a potential to harm business of RH and other distributions. So, it would make perfect sence of the commercial Linux distros to take Mr. Moody and ABC to court. Even a mere threat of such an action would make ABC drop Mr Moody, faster than you can say settlement. That will be a good riddance and a service to the journalistic community.

Re:Moody's article

[TheReverand]

I wish I could troll like Katz & Co.

By that argument...

[afreyt]

"If you look this list over, and measure each system¦s number of vulnerabilities against the number of its customers, Linux is arguably the worst operating-system product in history, and Microsoft¦s the best. " --Fred Moody If a lot of people buy Hondas as their car of choice, then the Honda is the superior car? MS' OS is the best because people buy a lot of it? Where did [Moody] come up with that argument? My OS is the best because my anticompetitive practices force people to buy it with their computer, and my office suite has become the business standard; even though the system has to be rebooted daily and you have to download dozens of patches before things work the way I advertised. I would argue that if more people use a particular OS, its has less of an excuse for having vulnerabilities. More people are available to report them, and it has a larger resource base of profits to hire people to fix them. Its vulnerabilities are WORSE, because there are more available at a given time to be exploited, more hackers spend time learning about them because of the availability of targets, and more man-hours need be wasted fixing them. By that argument, MS' OS is the worst, undeniably. And that argument makes a lot more sense than [Moody's] piece of flame bait. Chris Ross Prokaryotic Developmental Responses The University of Texas at Dallas

moody has updated his article...

[tikiboy]

he has changed 122 to 84, stating his numbers were "a bit off"...since when is 30% a bit?

and also states that 99 is "scarcely larger" than 84...so 17% is "scarcely"

what an ultramaroon....

Moody still does not get it.

[Stephan+Schulz]

If you check Moody's original article, you will see that he has corrected the numbers. However, he has not dealt with the other systematic errors in his "analysis". I sent him the following letter describing just one problem:

Dear Mr. Moody,

I am writing to you concering your article "Linux Sux Redux", available at http://abcnews.go.com/sections/tech/FredMoody/mood y.html. I am fairly certain that you are getting a large amount of mail about this article, so I'll try to keep it short. I noted that you corrected the original misinterpretation of the statistical data from Bugtraq. However, your "further research" apparently did not include reading all of Bugtraqs disclaimers.

In your revised article you state "And the NT number is inflated by BugTraq's inclusion of IE vulnerabilities, since it considers IE part of the operating system". If you read the Bugtraq disclaimer, you will note that BugTraq likewise counts bugs in software coming e.g. with the Red Hat distribution as Linux Bugs. Considering the extremely large amount of Software included in the typical Linux distribution (let alone in _all_ distributions covered by BugTraq), the count for Linux is inflated to a much larger degree than the count for Windows NT.

I can understand your desire to keep the conclusion of your article intact, however, the data collected by BugTraq simply does not allow such a conclusion - as is clearly stated in the disclaimers.

Yours faithfully,

Stephan Schulz

Re:Truth hurts?

[Psarchasm]

Hahaha. Can I laugh at myself? Yes.

werd...

[american_bongo]

[waddles to computer with biker shorts covering 50% of ass][talks to self in Simpsons Comic Man like voice] Worst Article About Operating Systems Ever!

I will now voice my displeasure by talking to thousands of similar people on slashdot. [snort] [ercle laugh].

Let's apply his methods to Windows

[YoDave]

If we do the same with all versions of Windows we would combine the non-NT vunerabilities (46) with double the NT vunerabilities (99) for a total of 244. That's exactly double the number he gives for Linux

Dave
~""~

Re:IE has more bugs

[powerlord]

No silly! IE isn't a package... its part of the Operating System.

Hasn't all that MicroSquish marketspeak taught you anything?

;)

Re:Linux *still* doesnt cut it.

[Delphis]

Why not replace the Linux TCP/IP stack with the FreeBSD one then? drivers and all .. I thought that's what open source was about.. not having to reinvent the wheel from scratch because your mate over the fence happens to have a smoother rounder wheel than you do. You just ask if you can copy it.

Do I have too simplistic a view of it? .. I'm sure it wouldn't be a case of just 'plopping' in a new stack 'module'.. but surely if it's all kernel stuff then it could happen in just this one place. Once it's done, it's done.. hurrah to Alan Cox etc..

--

Re:Feh

[Eccles]

His arguement that linux sucks is based on a number.

A number of the errors were labelled Linux 2.3. Others listed 2.3 and earlier kernels. Seems to me that number also includes errors in dev kernels -- do the Windows numbers include errors in Windows alphas and betas? If not, yet another strike...

Yeah, yeah, yeah,, and,,?

[Bender+Unit+22]

If you were to install every single RPM you could find, then, yes you would have a very open server with lots of security holes.
But you see, I only install those programs needed for the server to perform the tasks needed, so a lot of security problems that gets discovered, don't apply to me.

---

Update: Changes on the original Moody Article

[codegen]

It appears that Mr. Moody has become aware of his faux pas. The original article has been updated to use the proper numbers, and a little tidbit has been end of the paragraph:

"[Please note: Upon further research, I realized that my original numbers were a bit off. The numbers above are new and revised. Fred Moody, 8/4/00.]"

Further research?
Oh well...

Re:Update: Changes on the original Moody Article

[pedro]

"[Please note: Upon further research, I realized that my original numbers were a bit off. The

numbers above are new and revised. Fred Moody,

                    8/4/00.]"

</pre>

rebuttal?

[jargoone]

how ingenious.

he says "this other guy misused the numbers to say linux was the most insecure os in the world."

in the same breath, he says "since linux has less than nt, you can't use these numbers to say linux is less secure than nt." using the numbers to say that linux is not less secure than, and therefore more secure than nt.

i know the abc guy's article was a farce; this is far worse.

Windows NT bugs

[Wolfier]

Moody, we are good at mathematics, so you can't cheat us! Let's see - you're not using the same definition of the + operation on all the operating systems!

If the total number of Linux bugs is that of RedHat + "other Linux flavors", then the total number of NT bugs should be the total of:

NT 3.51 gold + Sum(j=1 to 18) NT 3.51 SPj + NT 4.0 gold + Sum(i=1 to 6) NT 4 SPi + Win2000

which rounds down to roughly 100,000...let's put it to bugtraq!

This Needs to Be Publicized

[rusti999]

The bad thing is, even though we /.-ers know that his article is totally baseless, the general public who read the article may not. We have to force ABCNews to post some corrections (plus maybe the link to Greenbaum's response), because the article is obviously violating journalistic integrity. In addition, it will be better to have the major news sites like CNet or ZDNN to cover this. The more publicity we get about this, the better so that more of the general public know that Moody's argument is wrong.

Re:Feh

[Enoch+Root]

Not given the fact that it was posted in such a way as to ridicule his opinion, no. I'm not complaining about what gets posted, but about the bias demonstrated in these postings. You'll never see this kind of article:

"Here's an article saying Linux sucks. It may not be cool hearing that, but the numbers pretty much hold up... Oh, and that other article about how sucks big donkey balls was actually bogus. Score one for Microsoft."

Before someone says, 'It's because these articles don't exist', know that I don't subscribe to your narrow-minded view of the world.

Slander?

[Mongoose]

Moody did slander RedHat... Think Bob Young might want to step up to bat? You need to beat down on this type of jornualism from time to time. Perhaps email abc news about this too. It hurts the credibility of ABC in general, which is pretty poor to start with. People forget and forgive the news media too much.

Blacklist journalists with hidden agenda

[idlmx]

There are a certain number of journalists who play this stupid game of writing misleading articles about linux, open source or whatever that we have. They do this for attention, why don't we just add these twerps to a black list, make sure their article never makes it to slashdot, deprive them of the pleasure. I will truely say slashdot has matured the day we can do that.

Re:Blacklist journalists with hidden agenda

[arivanov]

There is no such thing as a journalist without hidden agenda. They have their salaries, stock options, friends and relatives. They are people too. And their employers have owners and shareholders.

Journalism when taken on a very large average can be considered to reflect community views which are also biased of course. And it reflects them mostly because if it does not noone will read it or listen to it or view it. But there is no such thing as unbiased mass media.

And to conclude IMHO, you are an idiotic fanatic. Grow up.

Re:Blacklist journalists with hidden agenda

[the_other_one]

There should be a blacklist but not necessarily for the purpose of preventing articles from getting to /.

The blacklist should be used so that these "journalists" can be watched by those with a clue. It is important that rebuttals to such drivel as this are posted in as many forums as possible so that fewer sheep and PHB's take such misinformation as fact

Re:Blacklist journalists with hidden agenda

[streetlawyer]

Yeah, at least that would mean no more articles by Eric Raymond .... oh, you mean a "hidden agenda" that you don't already agree with. Yeh, let's silence all dissenting opinion, that way we need never learn anything that disconcerts us.

Re:Moody's article

[jmccay]

Rather than flames, I would have rather seen everybody write ABCNEWS pointing the obvious problems with his article. Then asking them to ban him from ever posting a tech article in any of their news outlets.

Bullshit

[Psarchasm]

The world, and more specifically the American populus, has the average attention span of fruit fly these days. Not to mention what they actually manage to retain.

No one cares about that report anymore. The Internet shown through for what it is - a superb communications tool. Big business has latched on, and all we've gone is up. About the only people that care about porn on the net anymore are those that use it - and the religious right. And quite frankly I care more about the former than the latter.

The bottom line is... truth is very hard to coverup.

Re:This will come back and bite us.

[Mr.Phil]

FYI: It was an artical in "Times" mag. Did a school report on it back then in college.

Re:Feh

[pallex]

There is always the possibility that windows DOES suck more than Linux, and that many people here come here precisely because this is a good place to find out about linux related issues, which are ignored elsewhere precisely because of Microsoft apologists such as yourself.

Re:Moody's article

[Dracophile]

Pardon my ignorance, but WTF is Moody? You lot make it seem as though he's important or something.

Why can I NEVER acccess securityfocus's pages

[govardha]

Everytime there's been a security focus posting, I am never able to get to their page. Is it because of the slashdotting effect? or just lousy configuration of their web server?

A bothersome term: Linux Zealot

[Tiger+Smile]

Mr Moody, Linux Zealot? I do not like that term. It is often uttered by people who wish to discredit a reply before it is offered. Maybe I don't use Linux, but happen to disagree with Mr Moody's "new math." Well, then like a witch hunting congressman from the 40's he'll just classify me. The word Zealot most easily applied to Mr Moody. He has said what he has to adance some goal he seems tightly wound around. If I protested what was being done to the native americans, I would be branded as an 'Indian Lover'. If I didn't like what the House Unamerican Affair Commity was doing to people's lives I'd be called a commie. If I was German and protested what was happening to the Jews diring the 40's I'd have been called a jew lover. It's not as extreme in this case, but it's a tactic used often to discredit a reasonable argument before it's made, by discrediting anyone to offten a differing point of view. In this sense Mr Moody is the worst of cowards. Aside from not being able to add, he lacks the ability to except other's opinions. I don't know Mr Moody. He could be a nice guy, or someone who kicks puppies for fun. Maybe he just had a bad day and make an error in judgement by pissing away some of his creditablity. All I do know is, that he seems to be very wrong. I know from his other writings that he is smart. This means there was an agenda attached to his misinformation. Maybe he'll apologize and hope the whole thing goes away. It's not going to. I'll remember this, and ignore any other writings of his and all his furture opinions. I myself use Linux, NT, and many oter operating systems. I do know that the free stuff sticks around longer than the not free stuff. After all SNA, IPX/SPX, Apple Talk, and a host of other network standards died while TCP/IP stuck around. Linux was here before, and will be here long after, NT ot Microsoft. After all Unix out lasted it's birth company, Unix Systems Labs(not Bell Labs,which is still here). Knowing what will be here a good twenty years from now is what got me into the TCP/IP, Linux, Web, SQL, business. Mr Moody, I do have an agenda. Right now it's to get to the gym, work with tools I like, have a great job, raise my kids to be honest. I trust my opinions over your's. I have not been wrong at any turn in my career. You my friend ring hollow.

From the original article

[oznet]

If you look this list over, and measure each system's number of vulnerabilities against the number of its customers, Linux is arguably the worst operating-system product in history, and Microsoft's the best.

Not even. If you go by just the figures he quoted, NetBSD is the best not Microsoft.

Retarted writers

Re:Moody's article

[Twanfox]

I'll be short. I just think that we should really write and state that his articles of such a nature be flagged as Editorials, rather than true stories. Editorials are personal opinion, as Moody's are. Facts have to be verified.

Re:Moody's article--Funny

[bgreenbaum]

Even more funny is that it now says this: "Windows NT totaled 99 new vulnerabilities on the BugTraq list (snip...) but it is scarcely more than the 84 racked up by Red Hat and the other Linuxes" Interesting definition of "scarcely".

Comment I posted to ABC News feedback form.

[BigBlockMopar]

Hey guys and gals, I thought I should share my thoughts after reading Mr. Moody's column on Linux. Go take another look at his column; when you do, take a look around the site, you can send feedback.

Don't know who at ABC, if anyone, will read it, or what the reaction will be. But voice your opinions! Be concise, clean, amusing, factual and well-formatted, otherwise the editor won't even bother reading it.

Without further ado, here's what I sent to ABC:

Mr. Moody clearly owns Microsoft shares. Or he enjoys products that perform only with mediocrity. I wonder if Mr. Moody drives a Hyundai and praises its virtues similarily to those of Windows.

I'm new to Linux, but I'm not new to UNIX or to computers. In fact, I signed up for my first Internet access in 1988, at the tender age of 14. Back then, it wasn't called the Internet, it was called ARPANET. I've seen a lot of changes, since I've been online longer than Yahoo.

Now, while I don't think I'm ready to praise the virtues of Linux as a desktop environment - I still run Windows 95B OSR2 for that - but I'm pleased to say that I've formatted my server's hard drive and have replaced Windows NT 4.0 with RedHat Linux 6.2.

Sure, the learning curve has been steep. Sure, I've had frustrations. And sure, the operating system completely lacks the polish and refinement of Windows NT. This is primarily why I don't feel it's ready for mass desktop deployment. But, on the other hand, in a server-duty machine, it really shines.

Linux is an operating system by computer geeks and for computer geeks. It is therefore full of technical tools and features that would cost thousands of dollars to buy from Microsoft. It's far more configurable than Windows. It's a UNIX derivative, meaning it's closely related to the most core architecture of the Internet. Being a UNIX family member, it's also a multi-user operating system, with all the related user sercurity features and sophistication that are inherent to a multi-user platform. Compare that to Windows, which is merely a multi-tasking operating system.

And, I'm sorry, but by nature of the fact that it's an open-source operating system, every bug gets detailed, documented and fixed. While a Microsoft user might have to manage a complex set of variables in order to find a given "undocumented feature" of Windows, a fresh pair of eyes looking over a chunk of source code can in minutes reveal errors that might never be spotted in Windows.

None of today's software can or will ever be perfect. Implementation of libraries, millions of lines of source code, dozens of different platforms and operating system variables all can contribute to creating weird behavior. If there are 10,000,000 lines of code and they're 99.995% right, there will still be 50,000 bugs.

Better to have those bugs discovered in advance of exploits and/or lost data. Better to have those bugs addressed by thousands of developers working together in a collaborative manner, bringing together the best of talents in a relaxed setting. Better to be able to have the source code and not rely on Microsoft's small (in comparison) team of developers.

I'm sorry that Mr. Moody feels the way that he does. I'm sorry he couldn't research his article more objectively. And I'm sorry that ABC's editorial staff apparently don't live up to the image of impartial professionalism that I had expected.

I would have expected to see an article like that coming from the people at MSNBC, who brought us mainstream tabloid journalism like Dateline NBC; not from the fine news agency that brings me Peter Jennings and Ted Koppel every night.

Re:Who cares?

[ConceptJunkie]

Well, if Slashdot can do it with an article whose title implies Hotmail is about to fail due to Windows 2000, when no such thing was stated in the article, then I guess others can too.

You're right, it's all about the clicks.

Rick

Re:Moody's article

[Fyndo]

When you try compiling application X, it's missing library Y. When you download library Y, you can't compile it because library Z is out of date.

Well, I vauely remember my officemate installing IE 5 on NT 4. it went something like:

1. install NT
2. install service packs 1-3
3. install IE 5
4. install SP 3
5. install SP 4 & 5

Same stuff going on, different packaging. Software is hard.

Also keep in mind that this happens most with gnome stuff, most of which is still in 0.xx releases, and nobody's claiming is stable yet.

I hate SysV init. BSD init makes more sense, but its configuration ends up being redundant and messy looking. Why not register each daemon in their own file with the instructions to start/stop them, and then have a flat file for each runlevel indicating which daemons should be started and stopped?

Personally, I've administered machines with both. I love sysV init. I'm not sure how a directory of symlinks is that different than a flat file... I suppose is a little more complicated, but hardly strikes me as a big deal, and having the init scripts as executable scripts makes turning services on and off much easier (like to restart a daemon, or something).

besides, is easy to reconfigure the way you want.

# cd /etc/init.d/rc3.d/
# rm *
# cat > Srunlevel3 << EOF
#!/bin/sh
../init.d/service1 start
../init.d/service2 start
...
EOF
# cat > Krunlevel3 << EOF
#!/bin/sh
../init.d/service1 stop
../init.d/service2 stop
...
EOF

ok, that's two flat files per runlevel, but hey...

but in OS X, I believe it's in /System.

This is no longer a Linux rant, but a unix rant. Yes, we are all irked by the way no two unixes do anything the same way.

If common environment variables were used instead of explicit paths, software would be easier to install the way you want it Symlinks are not the answer for everything...

Umm... no. This opens up a whole can of worms. first, if any of these environment variables gets modified things will break when it can no longer find a writable log file directory or it's shared files. Second, it makes accessing any installed file a security concern. We've already had enough risks due to LD_LOAD_PATH and people putting in their own security-related shared libraries, and there's a number of conventions/rules the loader has to support to prevent this. If it happens with any file...

$ echo root::0:0:root:/root:/bin/bash > ~/passwd
$ ETCDIR=~ /bin/login
login: root
password:
#

These environment variables have to be visible at the user level, so the apps can find their data, so you need read-only environment variables to prevent this sort of attack, or every app needs to recognize "security critical" files. Maybe having a single absolute path to /system-layout.conf or something would work, but hardly strikes me as worthwhile.

My Problem with Mr. Moody

[DeadVulcan]

I know most of this has probably all been said before, but I guess I'm feeling very vocal, and I just have to get this off my chest. Will this reduce my karma? I dunno. I don't care. Here goes.

Firstly, the whole idea of using BugTraq stats to measure OS security is wrong-headed. A simple count of vulnerabilities is an extremely poor measurement of security, mainly because it ignores the severity of each vulnerability. The BugTraq web page says this.

Even if a simple count were a valid measure of security, BugTraq is first to admit that its statistics are nowhere near complete. Whether a vulnerability appears on BugTraq or not can depend on many factors, and the web page says this also.

Even if BugTraq were complete and authoritative, Mr. Moody made the mind-bogglingly stupid mistake of misinterpreting the information, and adding two figures that overlapped, arriving at an incorrect number. He apparently didn't take the time to read the explanations that would have told him what the numbers mean. This is also on the very same web page.

Finally, even if we ignore all the above, Mr. Moody has the audacity to claim that the numbers lead to an "inescapable conclusion." Such a statement, if it is to be believed, reflects more on Mr. Moody's reasoning ability than on the OSes in question. Of the vulnerabilities that get reported in BugTraq, which ones actually get exploited the most, is a far more complex question than I care to contemplate.

Mr. Moody's argument is a tower of cards, based on misconceptions, oversights, and outright errors. His article displays a level of incompetence that is truly astounding.

Now, I notice that the ABC web page contains a correction, stating the actual number of Linux vulnerabilities in 1999 (as counted by BugTraq) to be 84, not 122. Well, I'm glad he can admit it when he makes a gross error.

But Mr. Moody acknowledges his mistake with the note: "Upon further research, I realized that my original numbers were a bit off." Further research!! What that means, of course, is that he went back and read the parts of the web page that he evidently skipped the first time around! I see that he hasn't changed his claim that the "conclusion is inescapable." I still wonder if he's read the whole thing.

I should say that I love Linux, but I'm no zealot. Linux has its place. It's not the ultimate OS. It's not the best in all cases, and certainly will never be the best in all cases. But that's not what I'm ranting about here.

I'm ranting about journalistic integrity. I know that cynics will laugh at me, but I'm not afraid to say that I'm a bit of an idealist and I'm proud of it.

Okay, I've ranted altogether too much now.

Re:Feh

[finkployd]

Lord help us if Slashdot ever becomes an objective discussion site.

There is no such thing. I just accept that Slashdot has it's biases (like EVERY OTHER NEWS SOURCE) and take it with a gain of salt.

What I DO like about it that when it's blatently wrong about something, they usually get called on it in the comments.

Finkployd

Finkployd

Re:Moody's article

[Hartwell]

Free speech is irrelevant with corperations, it only applies to the government.

If I run a website with an open forum, it is my right to censor anything I see fit on that forum. You are also free not to visit that forum on those premises. Free speech simply says that the government may not censor what is on that forum, only I can.

linux sux!

[ArchieBunker]

Here just read this page for an explanation:

http://www.spatula.net/proc/linux/index.src

Re:linux sux!

[Mecha[drone]]

Does Linux suck in comparison to *BSD... Sure. Does Linux suck in Comparison to Windows? Not so much..., which is what the root article was all about... The link you posted says nothing about NT... Is it superior to Linux, just neck and neck with BSD? You must love Windows to hate Linux so much.

FUD and the art of Media maintenance...

[sheldon]

The media is fickle. They like to report on new stuff because well that's their job. They also tend to like to help overhype new stuff, because that get's attention.

What you've seen with Linux over the past year or two is the report and overhype. It had been a pretty slow couple of years for them because everybody was waiting to see what would happen with Windows 2000. They needed filler for the pages.

So the media hypes up this thing, whatever it is... An OS, CRM, ERP, ASP, Workflow, Knowledge Management, Network Computers, Java, whatever. It's always a new buzzword for them.

They spend about a year hyping it up and making everybody in IT think it's the next big thing.

Perhaps it is, who knows at this point.

But then some of the IT people start taking the hype seriously and go out and try to implement the idea. Sometimes these implementations cost millions upon millions of dollars.

Then the reports come in, "This shit don't work.", or "What the hell did this gain us?", or maybe "Are we doing this right? This didn't solve the problems you said it would."

At this stage, now the media starts pushing back on the vendors and supporters of the new buzzword. Why isn't this solving everybody's problems like you said it would? Whatever.

In some cases the people take the complaints and reevaluate and reimplement their system to take these complaints into account. They release version 2 which has dramatic changes and improvements.

In the end if the product does not become the Shangra-La it was hyped up to be, and doesn't begin to dominate. Well the media loses interest and moves onto something else.

This happened with OS/2, all of a sudden about the time of the release of NT 4, news on OS/2 died. People had come to realize that it was being heavily overhyped and didn't live up to the realities.

I think the questioning and pushing back on ASP(Application Service Provider) is happening right now in the press.

And I think Linux is starting to hit that phase. Does it live up to the hype, can it survive, is it worth looking at now that the reports are in?

I'll just say, given my past experience watching things which had incredible amounts of user zealotry like Amiga, OS/2, etc. When the press starts raising these questions, you had better be prepared to answer them effectively.

Mail bombing them, and whining a lot doesn't help. That's what us Amiga users did, and all it succeeded in doing was give the impression to the media "Wow if you say anything bad about the Amiga, they'll mail bomb you. Oh hell, actually if you say anything good with any sort of caveat they'll mail bomb you. Hell with that, it ain't worth it." and they shut up. After a while the whiners become the brunt of jokes in the media.

AmigaDOS for many years was the brunt of jokes. OS/2 quickly became this as well, and their ballot box stuffing on the Infoworld product of the year in '96 really didn't help the cause.

So anyway, with Mr. Moody... Be very careful how you respond. The best response might be none at all.

Re:marketing angle

[demon]

Not to mention those who apparently lack the comprehension skills of an average sixth-grader.

Moody is an embarrassment, no matter what news agency he's with.
_____

The nature of statistics...

[slambo]

98% of all statistics are just made up numbers.

Re:Moody's article

[agentZ]

Screw journalistic integrity, that's not ABC's business. ABC is in the business of selling advertising. The content they provide on their web site is merely a means to show you ads. (This is also the basis of free television in America...) Why should they care if the article is factual or not? In fact, ABC probably wants to post provoking pieces to show those web banner posting advertisers that it's good way to market things to the technologically inclined... ($REFERRING_PAGE =~ /\.slashdot\.org$/ && $showGeekAd = 1).

If you want to hit ABC where it hurts, you would have to convince the advertisers that you won't buy their products because they advertise on ABC. -- I'm not saying that will be effective, but it would get their attention...

The post has been updated

[GC]

Here is the paragraph with the bug numbers:

BugTraq keeps these statistics on 22 different operating systems, from the mainstream Windows NT to various exotic flavors of Unix. Given that Microsoft's product is the runaway market leader, it is not surprising that it leads in vulnerabilities: In 1999, the year it took over the server market in earnest, Windows NT totaled 99 new vulnerabilities on the BugTraq list. (So far in 2000, the count stands at 37.) This looks like an alarmingly high number in comparison with Solaris' 34 or NetBSD's 10, but it is scarcely more than the 84 racked up by Red Hat and the other Linuxes (their 2000 count stands at 30). And the NT number is inflated by BugTraq's inclusion of IE vulnerabilities, since it considers IE part of the operating system. [Please note: Upon further research, I realized that my original numbers were a bit off. The numbers above are new and revised. Fred Moody, 8/4/00.]

Re:The post has been updated

[GC]

oops... accidentaly hit submit instead of preview.

Oh well more scope for moderation :-)

The article now becomes pretty lame - Still stating that Linux Sucks because it has less bugs than NT is not a good argument.

Accident? I think not...

[mav[LAG]]

I was going to post this in reply to the first story but it's just as applicable in the followup. My point is this: Pro-Microsoft pieces in the media do not happen by accident - especially when the author is a well known inspector of Gates' colon. Spin, media relations and public perception are very carefully managed by most companies and Microsoft is no exception.

My guess as to what prompted this knee-jerk reaction: the IDC server software revenue figures. I don't have a URL but in a nutshell, units have soared but revenue is flat - thanks to the frightening growth in Linux servers. Microsoft are not at all happy about this and are desperately looking around for a reason to gain the upper hand in mindshare.

No doubt our Ed got a call and agreed (or decided) the best way to spearhead this quick FUD campaign was to put out the message that Linux is buggy. Anyone considering getting a Linux-based server would then think "uh-oh" and go back to safe, reliable old NT.

Of course, Microsoft have shot themselves in both feet by rushing this one. First, Moody's credibility has been given a serious dent - not the least of which because he can't (or won't) add properly. Secondly, the author - who's neutral - says he's impressed that the Linux community has "done an admirable job" in making a better product. So exactly the reverse effect has been achieved - Moody is seen as a Microsoft zealot and the Linux community is seen as full of reasonable, honest adherents.

Go Fred go! I look forward to your next piece on why Microsoft license agreements are so easy to understand...

the security issue

[GC]

I don't see security as being an operating system issue. It's really more of a human issue.

Most of the exploitable holes could be avoided by careful planning, firewalling etc...

Choice of operating system is but a small factor in assesing the secureness of a system.

Re:Moody's article

[Bombcar]

This is probably offtopic, but I'm running Guidescope (which blocks banner ads), and I am wondering - do they still get a "hit" for the banner ad if my "proxy" doesn't download the stupid image?

.sig

article text since SF is /.ed

Linux Sux Redux: A Rebuttal
by Ben Greenbaum
Thu Aug 03 2000
This is in response to an article posted at abcnews.com by Fred Moody, available at:
http://abcnews.go.com/sections/tech/FredMoody/mood y.html, in which he claims that
Linux is a far less secure operating system than NT, based on his interpretation of the
Bugtraq vulnerability statistics.

From the very start, I would like to proclaim that I am not a Linux zealot, or for that matter
an ardent defender of any OS. I manage the Microsoft Focus Area here at SecurityFocus. My
personal machines at home run on various flavors of both MS and Unix operating systems.
Different OS'es have different strengths, and I freely and gladly use whatever is best in my
experience for the purpose at hand.

The problem I have with Mr. Moody's article is not the conclusion he comes to, although I do
disagree with it. It is instead a problem with the methods used to reach that conclusion.

The author is writing about the results of the Bugtraq vulnerability statistics page at:
http://www.securityfocus.com/vdb/stats.html

These statistics are meant for general interest purposes. The text on the statistics page
clearly states:

"The statistics should not be taken to imply that some particular operating system or
application is more or less secure than another one."

However, these stats are for public use, to be interpreted as the user sees fit. As with any
statistics, they can fairly easily be twisted and misrepresented to support whatever goals the
author may personally have. This is to be expected to some extent any time statistics,
especially unscientific statistics, are used to prove a controversial or questionable point.

The worst situation by far is when the statistics are not only "massaged" to serve personal or
corporate goals, but interpreted incorrectly in the first place. The Bugtraq stats have been
used and referenced in various articles and endeavors, with varying degrees of accuracy. The
most egregious example of misuse and misinterpretation by far to this point is in the article
referenced above, where Mr. Moody states that Linux is the most insecure OS available. This
is based on a gross misreading of the available data.

To wit: (regarding statistics for 1999)

"122 racked up by Red Hat and the other Linuxes "

Whereas the actual statistics are:
[image table here]

All Linuxes combined: 84
RedHat only: 38

Which, as you can see, add up quite neatly to 122, the number of vulnerabilities claimed by
Mr. Moody for "RedHat and the other Linuxes". So now, we pause for a brief explanation of
the word "Aggregate". First, from the text of the page itself:

"Where we display aggregate number of vulnerabilities (Linux and BSD) the number is the
size of the set that results from the union of all vulnerabilities for the components without
duplication. Vulnerabilities are not counted twice."

The numbers for "Linux (aggr.)" reflect the total number of reported vulnerabilities across all
distributions of Linux; if it's a Linux, it's in there, RedHat included. Also, if the same
vulnerability is present in more than one distribution, it counts once. Therefore, for a
representative number of all known Linux security bugs, one would only look at the Linux
(aggr.) statistic.

Therefore, since 84 (for Linux) is demonstrably less than 99 (for NT) I submit that these
statistics can certainly not be used to prove that Linux has more vulnerabilities than NT.

Mr. Moody ends his article with the sentence:

"As Linux zealots are beginning to find out, it's a lot easier to masquerade as a better product
than it is to go out and be one."

I agree with that statement, and I believe that the Linux community has done an admirable
job in many ways on both counts. In closing, I propose to the security community and to Mr.
Moody that what is true for products is sometimes true for journalists as well.

Ben Greenbaum
Director of Site Content
SecurityFocus
bgreenbaum@securityfocus.com

Some history

[mwillis]

Some posters are not remembering why the phrase "Linux sux" was mentioned. Moody wrote a previous flamebait article with this line back in 1998 and got roasted on slashdot. Moody had claimed to have a secret informant who had to use Linux but was afraid to speak out the "truth", that "Linux sux". He never substantiated this informant, of course.

Um, yes there was, and yes /. covered it.

[mbourgon]

Mindcraft/Netcraft, the huge thing about SAMBA being better on NT than Linux. Due to the hue-and-cry generated about it (they apparently called the wrong number for Linux tuning advice, so Linux wasn't tuned at all, MS send system engineers, etc, etc), they re-ran the tests, and MS won. And /. posted it.

Excellent article!

[Nickbot]

This guy's ten times the journalist Fred Moody is, I just wish someone could have persuaded him to end the article with "..and the horse you rode in on!"

Don't Know

[SigVn]

But I would miss the Darwan awards.... :-)

This will come back and bite us.

[Mark+F.+Komarinski]

Anyone remember the "report" from 5 years ago that said 90% of the Internet was pr0n? Time did a big 'ol article on it, the report wound up on the Senate floor, etc.

Too bad the data used for the report was completely wrong.

Too bad that report is still probably being used to decry the evils of the Internet.

No matter how many rebuttals there are, it won't stop the fact that Moody's article is out there. We must demand a correction from Moody or abcnews.com that also gets linked to the original article. Otherwise, 3 years from now, this will come back and bite us again.

Re:This will come back and bite us.

[the_other_one]

Moderate up and email this post to every mailing adress you can find at ABC.

Astonishingly
Biased
Commentary

Well then, who *does* have journalistic integrity?

Tell us, oh holy one, whom may we trust for a fair and impartial review of Linux? webmasters (most of whom run apache on *nix)? Academia (still mostly *nix and where *nix started)? Or the PC market (where average joe's hardware was incapable of running *nix for the longest time, during which "something else" had to be created and continues to dominate only out of tradition and for backwards compatibility.)?

Tell us, oh omnipotent one, who or what is the One True Source of unbiased OS reviews?

I'm waiting....

Still waiting...

Somewhat OT, Somewhat Not.

[haystor]

Instead of a rebuttal, which I don't think Moody's article really deserves since it would be considered flamebait to anyone that can add, I propose something different. When something that bad comes up, everyone on /. should follow the banner adds from the page Moody's article is on, find customer service on that site, and tell them exactly why you visited the site. Explain that their advertisement was on page spewing FUD, and that they have consequently been affected by this. Explain that their banner ad went to waste because you have no intention of spending your money with sombody that supports those idiotic views. Also explain that you don't care that they don't have editorial control over the content, they do have control over which editor's sites they spend ad money on.

Mirror

[Bensari]

Here is a mirror that will undoubtedly go down fast. Enjoy it while it is up ;0).

Greenbaum article

http://198.86.162.43/greenbaum.html
Which way now? Down.

Re:Mirror

[Bensari]

Actualy, my server has never been tested against heavy traffic, as it is a little Pentium MMX 200 that I built with scrap parts to teach myself Apache server administration. Despite it's small processor, little RAM, and old IDE hard drive, it handled the Slashdot traffic without slowing down a bit--I was even running X. Consider that our duel processor NT server crashes from much less, I'd say that makes Moody look pretty uninformed. I'm no Linux zealot, but at least I have experience to speak from instead of some slanted statistics.
Which way now? Down.

OK, Moody screwed up...

[haus]

Moody was looking for something to hang his penguin-hating hat on and jumped at something without really reading it. It just goes to show you that often when person is on a rant, they will see only what they want to see.

It is simply a good reminder to check your math, before you open your mouth.

all persons, living and dead, are purely coincidental. - Kurt Vonnegut

It's not the number that counts...

[iie1195]

Just a tought: He never mentiones what kind of bugs we're talking about here. Windows NT is full of security holes, and it takes them weeks if not months to fix it. With Linux, it can (literaly) be hours before someone creates a fix.

Another thing he fails to mention is the capabilities of the two OS'es, such as stability, scalability, in which Linux is clearly the best.

I spent 3 years as a NT administrator, but after trying out Linux / *BSD, I'm NEVER going back...

Calling Linux the worst OS of all time seems really silly. This man doesn't have all the facts straight... But he's free to express his opinion, just like all us Linux advocates. Just wonder if his paycheck includes anything that can be traced back to Redmond, tho... ;-)

Re:Linux *still* doesnt cut it.

[Tiger+Smile]

This sounds like a good project, and you seem to know what you are talking about. What do you say to lending a hand and working on this? I'd be willing to help.

Tanks for those good points.

Moody's article

[cje]

Does anybody believe that Moody's "article" was intended to do anything other than generate page hits, rile up Linux users, and get them to send scathing flames that can later be used to show the "immaturity of the community?" Personally, I would have rather seen Slashdot ignore this story altogether. Anybody who knows anything about Moody's past associations and opinions knows that he has a clear agenda, and that agenda does not particularly care for the success of Linux.

IMHO, while it's good to write a rebuttal to an obvious nonsense article, it's also probably giving Moody's troll a bit more attention than it deserves.

Re:Moody's article

[quux26]

Uh, oh! Did I say "free speech?" Another point of irony: /. rants constantly about free speech, yet when someone with access to a large-access forum makes a statement we /.ers don't like, we immediately start demanding that he be banned, not be allowed to make his statements, he needs to be shut up, he has no right to say what he wants to say.

Nonsense. Telling a news agency that an agent of thiers is displaying incredibly biased and falacious journalism is not a breach of free speech and I will take what they report with a grain of salt as a result.

I'm all for Moody having the right to say whatever he'd like, but as long as he's under syndication and ABC opts to carry him, I'm going to tell ABC what I think of their journalism.

This is not censorship. This does not fall under the right to free speech. You have a right to speak. You do not have a right to be heard.

My .02
Quux26

Re:Moody's article

[Segfault+11]

The AC already addressed the IE install, and I am just barely above the luser level. I don't want to go toe to toe with you on this, but hear me out:

The advantage of SysV is that each daemon is "registered" with a fixed script each time you start/stop/whatever a service. Its disadvantage is that nothing can start before everything is stopped, not to mention the fact that blank files with (K|S)(priority)(service), e.g. K20named is silly (and the KxxSERVICE scheme with blank files is silly.

The advantage of BSD is that you have complete control. You can start and stop things in any order you like. Its disadvantage is that you duplicate a lot of commands.

When you combine the "registration" of services in SysV with the flexibility of BSD, you can really get somewhere. Combine that with on-the-fly loading and unloading (like the windows NET commands), and you've really got something. When the daemon is registered, you could also define custom fields. NET ABOUT NAMED would tell you what the daemon is. NET STAT HTTPD would show the status of httpd, etc. -- kinda like a Cisco.

You've got some good points on the environment variable idea, but I really would like it if I could have more control over where things decide to install themselves.

Re:Moody's article

[CrosseyedPainless]

All too true. At least, with Linux, you have the ability to break the packaging system and install stuff yourself. Sure, it sucks, but I find it (marginally) better than MS's version of DLL Hell. It sucks extra when you have to break a great packaging system like Debian's. Oh, well....

Re:Moody's article

[Fishstick]

Yep, they're fully aware of us now, they've figured out how to push our buttons, and the herd reacts exactly as anticipated, playing right into their hands.

It is a sad fact of life. "A person is smart, people are dumb, panicy animals... and YOU KNOW IT!"

Individual /. readers/posters might understand this BS that is being pulled, and be able to refrain from giving them the hits and flames they are trolling for. Unfortunately, the diverse mob on /. simply can't resist unleashing the 'Dreaded Slashdot Effect [TM]' on sites that are calculatedly pushing our collective buttons.

Taco knows full well how this kind of article works /. into a lather, can't figure out if he sincerely wanted to avoid posting it, or is too tempted to flex the slashdot-effect once in a while for some reason or another.

"I avoided posting this because it really is pretty lame, but its getting submitted a lot. "

"Stories like this just make me roll my eyes: the thing will get tons of traffic from you guys and his editor will say "Good Job Fred" because they got to sell lots of banner ads on it. *sigh* "

Yeah, but /. makes its living off the same business-model, so posting this kind of story certainly contributes to revenue from banner hits and has to be hard to resist.

Plus, I personally don't want /. to back off from posting these stories. Yeah, there is a lot of immature flaming and the site gets a bunch-o-hits, but there always seems to be a calm, rational, factual debunking that emerges the next day. Sheltering the /. readership from crap that might make us flip-out doesn't seem to me to be the right way to handle this.

I'd rather see situations like this play out and maybe some of the flamers will get it. No, we won't ever get everyone to control their urge to send profane e-mail to the authors of these articles, but even if only a few learn from the example set by others in showing restraint and dignity in the face of one of these, I think it is worth it.

Re:Moody's article

[Nerds]

He can speak all he wants, but ABCNews should know better than to actually pay someone for writing this crap.

Re:Moody's article

[jmccay]

I will reply even though this is really flaimbait.

Actually, I had a complaint with a previous article of Mr. Moody's I don't usual read his anymore because I have found him to be more wrong than correct. Freedom of speech is one thing, but I think the media has a responcibility to get the facts right and not worry about the picture they want to paint for you to see. I have talk with a person in the indestry, and this person agrees that the media doesn't always care if the facts are straight--as long as it paints the picture you want to see.

This really isn't a free speech issue. It's a reliablity issue. Mr. Moody is not reliable for honest factual reporting. Even though he does editorials mainly, he should pay more atention to the details and facts before he writes (or types) his words of poor wisdom.

Re:Moody's article

[Segfault+11]

I think it was a troll, because he didn't even come close to scratching the surface on all the reasons why Linux sucks.

It's virtually impossible to stay up to date with the latest software. When you try compiling application X, it's missing library Y. When you download library Y, you can't compile it because library Z is out of date. Packaging tries to keep things up to date, but the only one that works is Debian, but doing so won't get you anywhere near the cutting edge of technology. Therefore, you have to get out of packaging and have to start breaking the packaging system, etc.

man pages suck ass. There isn't any useful, demonstative information given about commandline tools like cut, grep, and its cousins.

(and from here on out, I'll be complaining about distros, mostly Slackware vs. Red Hat)

All the ditributions are too fat or too skinny. I like Slackware, because it's minimalist, but it would be really nice if I could easily configure it with the Red Hat GNOME desktop.

Who in their right mind would come up with a scheme to start and stop services based on the asciibetical order of filenames? I hate SysV init. BSD init makes more sense, but its configuration ends up being redundant and messy looking. Why not register each daemon in their own file with the instructions to start/stop them, and then have a flat file for each runlevel indicating which daemons should be started and stopped?

Filesystem standards are terrible. I'm aware of LinuxBase (among others), and their rationale is good, but I don't see why there should be a standard on what those directories should be. In Linux, the kernel resides in /boot (according to the standards), but in OS X, I believe it's in /System. If common environment variables were used instead of explicit paths, software would be easier to install the way you want it Symlinks are not the answer for everything...

Anyway, that's my little rant about Linux. I use it, and I'd like to get more out of it beacuse of all the cool free stuff I can hack on, but getting half of it the way I want is a major PITA.

BTW, I have already gotten these responses: RTFM and STFU. I've heard them before, OK?

Re:Moody's article

[cactopus]

Forget that, lets start a kick-ass Uber BSD distro or Hurd distro. Better yet... Darwin+GNUstep+Windowmaker. Omnigroup would probably port... that OmniWeb Beta 4 is pretty sweet on DP4.

Re:Moody's article

[TheReverand]

So you don't think the same thing is going through Rob & Co.'s collective minds when they post this stuff? DId you see how many replies that article had? It's all about reload and page views my friend. If you think these articles are posted for anything other than generating hits then you are sorely mistaken. Take a look at Katz's last article. He insulted practically everyone who reads slashdot!

Re:Moody's article

[spitzak]

I also believe that Moody is trolling for page hits. There are legitimate complaints about Linux, such as you have listed

But easily-refuted or flat-out wrong information like Moody is apparently presenting produces a far more visceral and active response.

And why not fix init. There is no reason for the mortal user to rearrange the order of the things that are started. There should be a gui with an array of checkboxes, each column is a run level, each row is a service. And put a comment in the .rc files that this GUI can display so the user knows what they are turning on/off! And also put the turning on/off of net services in that same panel (the etc/inetd file I think it is called?) because most people think those are the same thing! Advanced users can control the start/stop order by renaming the .rc files, there is no reason to do everything in the GUI.

Before anybody complains, I am thinking of writing this myself...

Re:Moody's article

[fsck]

On the topic of security and Slackware, the last few Slackware 7.1 installs I've seen had /etc/shells world writable on installation.

Re:Moody's article

[Ether+Trogg]

Great idea, but unfortunately, the journalistic community defends its own as vigorously as we defend members of the Linux world.

Indeed, if Linus or Alan were to have written that article, and replaced every negative reference to Linux with Windows 2000, chances are we all would be praising the article for its "...accuracy and unbiased analysis of Windows 2000 in comparison with Linux...". Granted, Linus and Alan *wouldn't* write an article of that nature, but we're speaking hypothetically here.

If we make demands of ABC to ban Fred Moody (who is, obviously, not a true journalist, but an editorialist), they'll ignore us, or at best, defend Fred Moody's article as an exercise in free speech.

Uh, oh! Did I say "free speech?" Another point of irony: /. rants constantly about free speech, yet when someone with access to a large-access forum makes a statement we /.ers don't like, we immediately start demanding that he be banned, not be allowed to make his statements, he needs to be shut up, he has no right to say what he wants to say.

So, does free speech only apply to the things that we on /. like? Are we, in fact, espousing a double-standard? "Say what we like, and it's free speech. Say what we hate, and we'll ban you." Hypocracy isn't limited only to Fred Moody, it would appear.

Remember, chums, the journalists are going to defend Fredo, because he's one of their own. Let them. We need to start practicing what we preach. If we're going to be a forum advocating free speech, then we need to advocate that freedom for everyone, including Fred Moody.

Re:Moody's article

[xdaemon]

Pardon my ignorance, but WTF is Moody? You lot make it seem as though he's important or something.

He's some creepy guy that writes articles for ABCNEWs. He looks like some creepy hippy guy that would ask you for spare change on the street. I don't think I'd let him near a computer if I were ABC, he's just too creepy to be trusted.

Re:Moody's article

[SlightlyMadman]

I think that's somewhat obvious, and was stated in the original post. It seems the only reason that article was put up here is that there were so many submissions. So, the blame lies on us, as a community. Although, really, I would have wished the editors could check the (as is now pointed out, WRONG) factual content of the article before putting up a link.

Re:Feh

[(void*)]

Did you bother to READ before posting?

The guy clearly states that he does not care about the conclusion of Moody's report ("Linux Sux"). In fact, all he did was to criticize the statistical method of taking numbers which clearly overlap and add them together to produce a highly inflated number. That isd all he said. I think that is an extremely fair comment. You don't have to be a journalist with integrity to appreciate that.

How we feel about the conclusion that "Linux Sucks" does not matter at all!

a duck is made of wood

[osjedi]

Fred Moody logic:

Witches burn
Wood also burns
Witches must be made of wood
Wood floats
Ducks float
Ducks must be made of wood
If a person weighs the same as a duck they are a witch.

If you want to compare bugs between os's then tally the total number of apps/utils provided with each and then compare the bugs as a ratio of bugs to apps/utils. Most Linux distro's come with thousands of apps/utils. How many apps/utils come with NT?

Wow.

[A.+Lynch]

I'm impressed. This was a good step in showing everyone that we can all play nice and stop the OS bickering.

Not that it will really happen, but its a good start.

Address?

[ida_no]

well, we can't send them an email about the (lousy) journalistic practices taking place at their subsidiary without an email address to send it to. Outside of that small detail, I'm with you. Does anybody have an email address for someone at Disney, or ABC, laying around?

Journalistic integrity

[Tau+Zero]

ABC News could always refuse to publish pieces with known factual errors. Moody's editorial certainly qualifies as that. If Moody's piece would have the opposite spin without the lies\\\\errors in interpretation of statistics, or would appear as a mean-spirited rant if the numbers were merely deleted, that's Moody's problem. ABC would look better.

I wonder if ABC is going to put an "errata" link on Moody's editorial, or reference Security Focus' rebuttal? When pigs fly, I bet.
--

Re:Feh

[plague3106]

His arguement that linux sucks is based on a number. That number double counts redhat's security errors. Why would that not be important? I would argue the same way if the article was written that MS sucks based on a number were expliots were double counted.

Funky Syntax part II

[micahjd]

If the first one is bigger than the second one, skip to page two. Otherwise, continue with the instructions below.

Don't forget about Hypercard!

put the value of the object named 'field 1' into the variable 'x' if it is less than 50
vs
if (*field1<50) x = *field1;

And the worst thing about hypercard was that even though the commands were supposed to be more english-like, they still had a firm syntax. It was much more inconsistant than C so i always had to look it up...

Cease and desist

[kelzer]

If the first one is bigger than the second one, skip to page two. Otherwise, continue with the instructions below.

Dear Mr. Parrot, I am writing to inform you that you are in violation of my client's copyright, and have published trade secrets of their proprietary product, "CobolOS 2000".

Please be advised that my client is prepared to take any legal action necessary to prevent this from occurring again.

Sue D'Helloutayou
Senior Partner
Dewey, Cheatham, and Howe, P.A.

The users tell the true tale?

[mach-5]

Q1: How many Linux users are experienced with using Windows?
Q2: How many Windows users are experienced with using Linux?

To me, the answers to these questions are pretty obvious. My guess would be:

A1: 99%
A2: 1%

Just a guess, but I bet Fred Moody is in the A2 percentage. Anyone who uses Linux is a "zealot" for the very reason that it IS the superior OS (over doze). I use Linux and I love it. I also use doze, and I think that it has its pluses, but that Linux (or any Unix for that matter) will always be better (in some regards)[purely a matter of opinion]. I can truly say that BOTH OS's DO have their pluses AND minuses.

Anyway, what I wanted to get at is:

1. Any Linux user that smacks down doze, is quick to be flamed (see attachment).
2. Any Doze user that smacks down Linux is viewed cautiously.

Sure, the avid Linux users speak their minds here on /. But who ever saw a "Windows 2000 sucks" article posted on zdnet or abcnews??? If so, please point them out to me!

Attachment: Flames (below)

Who cares?

[pb]

Fred Moody is to Jesse Berst as a court jester is to a soulless accountant.

That is to say, exactly why do we care, again?

However, it is funny that Moody can't even get his statistics right. ...so it doesn't even matter that his argument was flawed.

I guess he was just being Moody about it...
---
pb Reply or e-mail; don't vaguely moderate.

IE has more bugs

[mgkimsal2]

The stats page Moody pulled his numbers from ALSO shows *IE* (one package!) having more reported bugs than all of RedHat 5.2. If he actually believes these numbers are accurate, why support a company that makes ONE PRODUCT with more reported bugs than an entire OS?

Re:Perhaps Moody should have read this first

[jmccay]

I quoted that and the next paragraph when I sent an email to ABCNEWS. I think I also said ABCNEWS should require Moody to appologise for his gross lack of intellegence in the tech field. I did state it nicer in the email. :)

Re:Flamebait

[mwalker]

yes, securityfocus points out that he is wrong. i did read the article. what i meant was that an entire article was more attention than moody's bullcrap deserved. that's why i said:

can we just mod moody's article as flamebait

sorry if i wasn't clear. my bad.

posting this lame reply without a +1, mwalker.

Open Letter to Disney (owner of ABC)

Dear Disney Enterprises,

We, members of the open source community request your company to review your story posted on ABCnews.com named "Linux Sux Redux", a commentary by Fred Moody located at http://abcnews.go.com/sectio ns/tech/FredMoody/moody.html. We request your company to review the story to bias and incorrect data. The source of the informaiton regrarding the sercurity problems, sercurityfocus.com, has responded to the article with this article. Additional please consider the statements made by the open source community at Slashdot: Linux Sux Redux A Rebuttal and Linux the Worst Operating System Ever/a. Thank you for your time.

Re:Feh

[finkployd]

I agree, when I come to a web site that caters to the Linux/BSD and open source crowd, I EXPECT to see anti-open source and anti-Linux articles. Imagine my shock when I found that the editors here seem to actually post stories that interest their target audience.

Finkployd

Send ABCnews.com our 2 cents about the story

[katmaikni]

I ask someone out there to send your 2 cents or all the stories with 5 pts or some links to the SF articles to the editors at ABCnews technology section. This is the link.

Try not to spam/flame them, just tell them to correct the story nicely.

Re:Send ABCnews.com our 2 cents about the story

[piku]

Now what if that story was against Microsoft and said the exact same things... would you post this then?

Mattheww Troll 7:15-16

[Troll+Messiah]

Watch out for false prophets. They come to you in the media's clothing, but inwardly they are ferocious trolls. By their OS you will recognize them.

doncha just HATE you hit Submit and not Preview?

[pedro]

"[Please note: Upon further research, I realized that my original numbers were a bit off. The numbers above are new and revised. Fred Moody,
8/4/00.]"

IE: My mail box is full of eels!
What a weasel!

But wait! It gets worse!
He *aggregates* bug reports across *all* linux distros. That's deceptive. VERY deceptive.
Redhat leads with 38 reports. Redhat also ships with just about every service you can think of turned on by default. That is still FAR shy of the 99 bugs for '99 (hmm.. coincidence?)
If we look at bugs for '00 , things look a tad better for M$. 37 for M$ vs 17 for Redhat, the *least* secure linux distro.
I run slack. I show up with zero severe security issues. That would make slack *infinitely* more secure than M$.
Moody is a moron. Case closed.

Spread the news.

[paRcat]

I'm thinking someone should rent ad space at abcnews.com linking to this article.

Not all they want however

[Felinoid]

They are looking for banner clicks...

Most news websites pull traffic to get visits. Visits turn into banner clicks.
So what to do? Well don't click on the banner ads.
It's a little hard to stop the angry mob from visiting but it's a good idea to tell them not to click on the banners.

What you mean they'll lissen? No not really... they won't click on banners anyway.. but Moody et all will look at the pees and then check banner stats.. and sure enough... the additional traffic generated NO additional banner clicks.
They may even see a significant number of them didn't even load the banners at all (Banner filters are your friend)... and some didn't load ANY GRAPHICS WHAT SO EVER!!! (All hail Lynx)...
Just bandwith and load... increasing costs without generating additional revenue....

Thank goodness someone is still sane

[rifter]

Of course we all know Mr. Moody's "controversial" article is only meant to draw advertising revenue. He has written some real gems, too.. check out his "past articles" section. No on second thought don't. Even if the statistics had been accurate, the correlation was so obviously spurious as to be comical.

Of course the media have not pointed out the other good things about Linux and Open Source in this area. For one thing, these vulnerabilities were found because the source was available. Often they were found before they were even used. With closed-source there are many vulnerabilities waiting to be "discovered," usually by someone cracking the box. The other thing to consider is that the vulnerabilities in Linux all get patched immediately. There are bugs in windows and NT that have persisted for years without Microsoft fixing them.

With Linux, you have a lot of power over your box and what is installed. Most of the vulnerabilities in distros are in packages you would not install on a box you wanted to secure. You also have the source so you can alter it and have a box that is very different from what any cracker might expect. With Windows you get what Mr. Bill feeds you and you'd damn better like it.

Of course there are flaws in both systems and strengths as well. But I will take the power of Linux any day. At least if my linux box does not work, I know who I can blame. I'd rather not wait for someone else to save me from my issues.

Re:As Mr. Moody himself might say...

[merbywerby]

most likley, he used the same knowledgeable format..Haha

Gotta love it

[thridur]

I like the end of the SecurityFocus article...the part where it says that it's a lot easier to pretend to be a good journalist than to actually be one. Ouch!

don't fall into the same logical trap

[TMB]

This response wasn't taking issue with Moody's conclusion. Instead, it demonstrated that Moody made a naive mistake by adding up all of the stats for all of the Linux distributions.

Very true. Very stupid mistake on Moody's part.

The Linux aggregate score shows Linux has *less* security bugs than NT.

That does not logically follow (although it's probably true). As was pointed out by many people yesterday, the total number of listed security problems is a very poor proxy for system security. Even if Moody's numbers had been right, his argument was flawed, and you're using the exact same argument now. Without taking into account the severity of the bugs, the fraction of bugs which are likely to be found, and the speed at which bugs are fixed (all of which vary wildly from OS to OS), a small difference in the number of reported bugs is not statistically relevant.

[TMB]

Re:Kill the Niggaz

[mangu]

Great Link!!! I read it avidly, page by page! Some excerpts:

"Many have said, that the government or the state, is theft. This is true. Even the best of states are a protection racket. These rackets are far more dishonest than unlicensed organized crime (the mafia, etc.). "

"The international style state is inefficient, to the maximum."

"However, a war against the Super State must be fought to the finish. Your ammunition is readily available. Cut economic support for the Beast. In short, starve the bureaucrats out. "

"The greatest help for the White race today, would be state and national legislators, that run on a platform of no new taxes, coupled with no new laws. To enact new laws, guarantees more taxes. Do you see how simple it would be?"

"Logic: Any program or method that circumvents taxes is a White revolutionary act."

"All tax avoidance, in any way, helps to bleed and weaken the Beast. Your sweat and hard earned wages are the source of power that is used against you. In short, the old adage applies. \"The power to tax is the power to destroy.\"" [Heinlein!!! "The Moon Is A Harsh Mistress"!!!]

"The underground economy is a fabulous mechanism, and well-suited to White survival."

"Remember that the underground economy is seditious to our enemies, but a great weapon for White racial advancement. Again, bleed the Beast. Spread these ideas among even your non-racial contacts, since all tax avoidance and underground economic activity, directly helps our cause. It is easy and it is fun! Use your imagination, and start your war today."

Security Focus is one of the better...

[Mark+A.+Rhowe]

...resources online. For example: FOCUS on Linux: Intrusion Detection on Linux is equivalent to the Koran for system security administrators.

BS

[rifter]

Redhat and Debian, for two distros, have automagic patches that are about as easy as a service pack. RedHat sells a support line such that one can have updates pushed to one's machine over priority FTP. Microsoft does not make it as easy as that.

The same user that cannot follow directions to patch will be found with SP1 or whatever the OEM put there (or whatever a technician walked them through installing step-by-step). They will also end up with mismatched files as installing programs and drivers overwrite new files with old ones thanks to Microsoft's Super-duper-strong *cough* versioning. A Service pack may help some of this, (except where it doesn't and breaks stuff with the wrong versions of files) but the user often does not know they need to install it.

At least in a packaging distro there is decent versioning (without resorting to the VMS way of puting versions in the filesystem.. hm why did NT not get that?) and a "look man you are installing old stuff on new stuff.. STOP." error message that you can always count on.

algorythms and such

IIRC the people advertising on ABC don't have a lot of control over what sites they get shown on. They pay 2 rates, targeted and untargeted, and then doubleclick or whoever the ad agency is adds their banner to the queue. The people at doubleclick don't care about Moody or Linux or anything else, and the people at ABCNews don't care about the people advertising there as long as doubleclick keeps 'em coming. The advertisers have no way of knowing which articles they will be shown on, so it is pretty ridiculous to complain to them.

So you are wasting your time either way. No one who cares has any power over the machine. No one with power cares. Moody gets his paycheck regardless...

bzrp

Re:Windows NT bugs - correction

[smagruder]

Correction: "... + Sum(i=1 to 6a) NT 4 SPi + Win2000 + Win2000 SP1Beta"

Aren't I a stinker? :)

Steve Magruder

Re:A better solution

[slickwillie]

Since the BSD license is even more open than GPL (i.e. "here's the code, do what you want with it, and now you don't even have to publish any credits"), why not just dump the whole Linux source tree and replace it with FreeBSD? Just get the Linux compatibility stuff working better and no one will ever know.

Flamebait

[mwalker]

can we just mod moody's article as flamebait? his only evidence is that bugtraq lists more linux bugs than NT bugs. of course it does... that's because the linux community uses bugtraq and open review to fix bugs, and microsoft's "bugtraq" is a closed system that happens behind closed doors in redmond.

windows 2000 gold was shipped with over 10,000 known, documented bugs. and no, they're not listed at bugtraq.

i could go on and on (index the # of windows bugs in the knowledge base, closed source bugs vs open source bugs) but i've already given this flamebait more attention that it deserves.

whatever you do, when you read this article, don't click through the banner ads. then he's won.

Re:Flamebait

[Drestin]

windows 2000 gold was shipped with over 10,000 known, documented bugs. and no, they're not listed at bugtraq.

Oh, and where are they documented? What 10,000? SP1 fixed everything known broken in W2K as of last month. Can you actually provide any proof of your ridiculous claim or are you just making it up (nice round number that 10K eh?) without any proof what so ever. Anyone running W2K knows it's rock stable.

Re:Flamebait

[customcpu]

One other thing to consider when taking into consideration the raw number of bugs. Most Linux "bugs" do not have to do with Linux at all. They have to do with third party programs included (but not written or maintained) by the Linux manufacturer. Windows on the other hand contains code written and maintained by Microsoft (or companies they have acquired).

Woah, woah, woah, woah, woah.

[commandant]

I just looked at the Bugtraq statistics myself, as posted on the securityfocus website. It turns out that aggregate Linux vulnerabilities only beat out WinNT by 1. Of course, I've never met someone who uses a "super-distribution": Debian, Redhat, Slackware, and SuSE, all combined (somehow magically overlaid upon one another, so that bugs are counted multiple times). Any single Linux distro has far fewer bugs than NT.

And if you look at the "Top Vulnerable Packages" for 1999 and 2000, NT tops the list by a long shot. In 1997 and 98, neither Linux nor NT even made the list.

Given the nature of the data, and the pompousness of Mr. Moody, it would seem that Freddy-boy was closely examining the data that's found in the latter half of his large intestine.

I'd expect this kind of idiocy from local news crews, but for ABC to give this guy nation recognition? This is why I get my news from CNN.com: I don't get some barely-made-it-through-college asshole trying to push his point of view into the news.

What ever made these people think we valued their opinions? Who watches TV news just to listen to Brokaw, Donaldson, and the lot? Now THAT should be a /. poll.

crap

[Bensari]

Security Focus seems to be slashdotted already.
Can someone manage a mirror?

Which way now? Down.

Perhaps Moody should have read this first

[luckykaa]

From the top of the bugtraq page

The following are statistics compiled from the data in the BUGTRAQ Vulnerability Database. The statistics should not be taken to imply that some particular operating system or application is more or less secure than another one. They are simply a count of how many vulnerabilities associated with each of them is in the database for these year.

Impossible

[xant]

I couldn't look at Katz's last article, because I now filter him out of the homepage entirely. User Preferences, check the box next to Jon Troll^H^H^H^H^HKatz's name, click save.

marketing angle

[visionik]

The Moody article does provide the linux community with some valuable market research:

Clearly, Microsoft is the preferred operating system vendor for people who lack basic math skills.

The only double standard here is from you.

[buckrogers]

According to you MS advocates can outright lie, because, hypothetically, if any of the open source leaders were to lie too then we would defend them.

This is not true for several reasons.

Open source leaders are too busy programming and leading the open source movement to actually even care that much about Microsoft. Do you really think that Linux or Alan even think about Microsoft that much?

But I bet you Billy G. was groups comprised of dozens of people that are devoted to monitoring Linux and producing weekly summaries and reports for Microsofts top executives. Linux is cutting into Microsofts server revenue, so it is getting a lot of attention from Redmond.

If our open source leaders ever did spout insane statistics like Mr. Moody then I would be the first to point out the inacurracies. These people are our leaders because they are smart, good with others, and don't lie. If they weren't they wouldn't have very many followers, now would they?

Since the basic primise of your argument is wrong, which you freely admit yourself, then the rest of your arguments are wrong as well.

Free speech doesn't mean that you are free to lie. And editors that allow their writers to continue lying, when the customer is compaining about those lies, don't remain editors for very long.

Clarification?

[Amokscience]

One small point I wanted to have clarified. As I understand it the only bugs that are (and should) be reported are bugs in server system software or security software, not every 'bug'. If it was every bug the database for all OSes would be gargantuan.

Jackass (jak'as')n. 1. Fred Moody 2. stupid person

[databurst]

It's true, found it in the dictionary..

Read the real page before the editor got through with it:

http://rinkworks.com/dialect/dialectp.cgi?dialec t=redneck&url=http%3A%2F%2Fabcnews.go.com% 2Fsections%2Ftech%2FFredMoody%2Fmoody.html

Nitwit (Moody, not you)

[quux26]

I don't know that I agree. I see the point you're making, but I've been reading slashdot for about 1.5 years now and never heard of of Moody (well, I heard his name mingled with his book, which I know nothing about). So reading his article - a vile mix of thinly veiled agenda and just incredibly shoddy journalism - really put him in perspective.

I am, however, a zealot. I agree with Stallman when he says that open source is better even if it doesn't work as well.

My .02
Quux26

I'd have to agree

[vaevictus]

"As Linux zealots are beginning to find out, it's a lot easier to masquerade as a better product than it is to go out and be one." (last line of moody's article)

Isn't this the whole damn reason everyone stopped using windows in the first place? Because their marketing is better than their product. I think Moody got it right, even though he thought he was saying the opposite.

Truth hurts?

[Psarchasm]

But seriously.

The crux of the matter is that his argument was silly and that the numbers were misrepresented (making his argument even sillier).

Fred Moody is a Microsoft lapdog, period. There are plenty of Linux lapdogs too. Just don't go getting all whiney because Moody is an idiot that caters to corporate idiots. He got called on bad reporting - deal with it.

Linux security have a long way to go? Yes. Is it going to get to Nirvana faster than Windows? Time will tell.

Re:Yeah, we know Linux sucks

[edmac]

where are all the other posts?

Moody - A Year With Microsoft on the Frontier

[zeppelin71]

From underneath the article:

Fred Moody is the author of I Sing the Body Electronic: A Year with Microsoft on the Multimedia Frontier

A Year with Microsoft on the Multimedia Frontier? In boardrooms bending arms? In courtrooms? Sounds like a "must read".

As Mr. Moody himself might say...

[Dr.Dubious+DDQ]

"There are three kinds of people in the world...
Those who can count, and those who can't."

Wasn't this the same guy that, some time ago, had the "I managed to scrounge up one disgruntled employee somewhere who says Linux sucks, therefore it does" article?

Joe Sixpack is dead!

Re:Feh

[Pharmboy]

Regarding the bashing of windows vs. linux. You miss the point that most people bash windows not for its security (the issue at hand) but rather for the policies of the company. Remember when Bill Gates said that each person on the internet accessing a server counts as a "seat" for licensing? (granted, that didnt last long) Remember the NTW to NTS patch that demonstrated that the two products were the virtually the same (kernel wise), the only difference was $500 in price, and some "free" web programs? Remember when Windows 95 was going to end GPFs, and then we learned it was only because they renamed them? Most windows bashing is because of company policy, monopolistic practices, false promises and "vaporware", not security. As to the issue, Linux CAN be less secure than NT, if configured incorrectly, just as a new Corvette CAN be slower than a Buick Regal, if you pull 4 spark plug wires off or haul a 6 horse trailer behind it. The real vulnerability is you must have a higher degree of understanding in Linux than NT. The weakest point in any operating environment is more likely to be the person who is installing and managing the network itself.

Further Research

[RandomFactor]

I guess if enough people contest your journalistic integrety, you'll call it 'further research' and edit your article :-P

BugTraq keeps these statistics on 22 different operating systems, from the mainstream Windows NT to various exotic flavors of Unix. Given that Microsoft's product is the runaway market leader, it is not surprising that it leads in vulnerabilities: In 1999, the year it took over the server market in earnest, Windows NT totaled 99 new vulnerabilities on the BugTraq list. (So far in 2000, the count stands at 37.) This looks like an alarmingly high number in comparison with Solaris' 34 or NetBSD's 10, but it is scarcely more than the 84 racked up by Red Hat and the other Linuxes (their 2000 count stands at 30). And the NT number is inflated by BugTraq's inclusion of IE vulnerabilities, since it considers IE part of the operating system. [Please note: Upon further research, I realized that my original numbers were a bit off. The numbers above are new and revised. Fred Moody, 8/4/00.]