Slashdot Mirror


Linux Sux Redux: A Rebuttal

SmooC writes "This is SecurityFocus's reaction to Fred Moody's article, claiming that NT is more secure than Linux. Ran on Slashdot last Wednesday. Ben Greenbaum, who manages the Microsoft Focus Area, sees it from a different perspective."

12 of 237 comments

  1. Have a look at ABC's `Linux FAQ' by LizardKing · · Score: 5

    You might want to check out ABC News's very own Linux FAQ - some of the inaccuracies are quite amusing and suggest a general cluelessness at ABC as a whole. The URL is http://abcnews.go.com/sections/tech/DailyNews/linux000403.html.

    Some notable cock-ups are:

    Linus isn't in charge of Linux any more, but his opinions are taken very seriously by Linux developers

    Hmmm, arguably he never was `in charge' of Linux as it's licensed under the GPL. However ABC seem to be implying he's taken a back seat, which will come as a surprise to readers of Kernel Traffic.

    The core of Linux is a text-based operating system, like DOS. But several different competing graphical interfaces have sprung up to make it friendlier. They look like a streamlined version of Windows or the Mac, generally with bigger icons and fewer shadows

    I can see a DOS / Unix shell comparison being valid given the likely cluelessness of ABC's regular readership, but they clearly haven't got much idea about the X Window system and its relationship to desktop environments, etc.

    It may soon become easier to use with a product called Eazel, being developed by several of the original programmers for the Macintosh. They claim that they'll be able to put an easy-to-use face on Linux

    Hmmm ... Eazel - that'll be the people making one key application that will be the new file manager shell in Gnome 2.0. Not that Gnome isn't already a viable easy-to-use interface.

    Critics of Linux say that the software is a "perpetual beta" - always under development, always mutating, always buggy, and never quite ready for prime time

    Critics (like good old Fred Moody) might say that, but most people writing crass editorials aren't experts in any field, let alone Linux. And if it's so buggy, why have I spent the last four years working for big companies where Linux is increasingly the server OS of choice thanks to its stability and flexibility? My current employer doesn't have anything but Linux on the servers - including file, print and database servers, not just our firewall or web servers.

    What applications are available? Lots of server and Internet software, but little else

    They might want to check out freshmeat.net - not all that stuff can be vaporware ...

    The three biggest Linux companies are Red Hat (partially owned by Intel), Slackware, and VA/Linux

    Now I stand to be corrected on this one, but Slackware - a company? And what about SuSE or the makers of TurboLinux? Do I detect classic signs of Yankocentricism in this great American institution?

    Linux is a complex system, and tech support is usually a must

    For a newbie, yup. But I've yet to come across a company or clueful user that needed tech support.


    Chris

  2. Haiku by comcn · · Score: 4


    Eighty-four bugs max.
    This also includes RedHat:
    Moody cannot count!

  3. WARNING: this looks like an elaborate troll by LizardKing · · Score: 4

    This AC comment looks like a cut & paste from a Kernel Traffic article where someone was bemoaning the lack of zero copy transmit in Linux' TCP/IP stack. The fact it's posted anonymously smells a bit fishy as well, 'cos if I remember rightly the KT article went on to discuss why the complaints were not really valid.

    I'll try and find the relevant Kernel Traffic issue when I've got a spare five minutes.

    Chris

  4. Re:Actually, it points out Moody is wrong by Masem · · Score: 5
    It's well known that two parties can take the same set of statistical data, and derive two vague but conflicting statements from it, depending on the type of spin they want. This is a perfect example: Moody says one thing, Bugtraq says another. Only with full disclosure of the raw data (as done here with Bugtraq) and experience can one make a truly informed decision on the reliability of statistics. (And of course in this case, it's weighted heavily in Bugtraq's favor).

    This is similar to the ad going around from MS about W2k increasing sales from a company by 13% or 5% -- because we can't see all the raw data, there might be something they didn't want to include, or the like, and would make these numbers go the opposite way.

    While a pain in the butt, peer-review in scientific journals is a very good thing :D

    --
    "Pinky, you've left the lens cap of your mind on again." - P&TB
    "I can see my house from here!" - ST:
  5. article text since SF is /.ed by Anonymous Coward · · Score: 4

    Linux Sux Redux: A Rebuttal
    by Ben Greenbaum
    Thu Aug 03 2000
    This is in response to an article posted at abcnews.com by Fred Moody, available at:
    http://abcnews.go.com/sections/tech/FredMoody/moody.html, in which he claims that
    Linux is a far less secure operating system than NT, based on his interpretation of the
    Bugtraq vulnerability statistics.

    From the very start, I would like to proclaim that I am not a Linux zealot, or for that matter
    an ardent defender of any OS. I manage the Microsoft Focus Area here at SecurityFocus. My
    personal machines at home run on various flavors of both MS and Unix operating systems.
    Different OS'es have different strengths, and I freely and gladly use whatever is best in my
    experience for the purpose at hand.

    The problem I have with Mr. Moody's article is not the conclusion he comes to, although I do
    disagree with it. It is instead a problem with the methods used to reach that conclusion.

    The author is writing about the results of the Bugtraq vulnerability statistics page at:
    http://www.securityfocus.com/vdb/stats.html

    These statistics are meant for general interest purposes. The text on the statistics page
    clearly states:

    "The statistics should not be taken to imply that some particular operating system or
    application is more or less secure than another one."

    However, these stats are for public use, to be interpreted as the user sees fit. As with any
    statistics, they can fairly easily be twisted and misrepresented to support whatever goals the
    author may personally have. This is to be expected to some extent any time statistics,
    especially unscientific statistics, are used to prove a controversial or questionable point.

    The worst situation by far is when the statistics are not only "massaged" to serve personal or
    corporate goals, but interpreted incorrectly in the first place. The Bugtraq stats have been
    used and referenced in various articles and endeavors, with varying degrees of accuracy. The
    most egregious example of misuse and misinterpretation by far to this point is in the article
    referenced above, where Mr. Moody states that Linux is the most insecure OS available. This
    is based on a gross misreading of the available data.

    To wit: (regarding statistics for 1999)

    "122 racked up by Red Hat and the other Linuxes"

    Whereas the actual statistics are:
    [image table here]

    All Linuxes combined: 84
    RedHat only: 38

    Which, as you can see, add up quite neatly to 122, the number of vulnerabilities claimed by
    Mr. Moody for "RedHat and the other Linuxes". So now, we pause for a brief explanation of
    the word "Aggregate". First, from the text of the page itself:

    "Where we display aggregate number of vulnerabilities (Linux and BSD) the number is the
    size of the set that results from the union of all vulnerabilities for the components without
    duplication. Vulnerabilities are not counted twice."

    The numbers for "Linux (aggr.)" reflect the total number of reported vulnerabilities across all
    distributions of Linux; if it's a Linux, it's in there, RedHat included. Also, if the same
    vulnerability is present in more than one distribution, it counts once. Therefore, for a
    representative number of all known Linux security bugs, one would only look at the Linux
    (aggr.) statistic.

    Therefore, since 84 (for Linux) is demonstrably less than 99 (for NT) I submit that these
    statistics can certainly not be used to prove that Linux has more vulnerabilities than NT.

    Mr. Moody ends his article with the sentence:

    "As Linux zealots are beginning to find out, it's a lot easier to masquerade as a better product
    than it is to go out and be one."

    I agree with that statement, and I believe that the Linux community has done an admirable
    job in many ways on both counts. In closing, I propose to the security community and to Mr.
    Moody that what is true for products is sometimes true for journalists as well.

    Ben Greenbaum
    Director of Site Content
    SecurityFocus
    bgreenbaum@securityfocus.com
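
Added example, not part of the original thread or of SecurityFocus's own statistics code: the "aggregate" rule quoted in the article above (union of component sets, no vulnerability counted twice), run over constructed data. The vulnerability ids and the two `OtherDistro` names are invented; only the totals of 84 and 38 mirror the 1999 figures in the article.

```python
from collections import defaultdict

# Constructed sample data: (vulnerability id, distribution) pairs. The ids and
# the two "OtherDistro" names are made up; the ranges overlap on purpose so
# that some vulnerabilities are reported for more than one distribution.
REPORTS = (
    [(f"VULN-{n:03d}", "RedHat") for n in range(1, 39)]           # 38 ids
    + [(f"VULN-{n:03d}", "OtherDistroA") for n in range(20, 61)]  # 41 ids
    + [(f"VULN-{n:03d}", "OtherDistroB") for n in range(55, 85)]  # 30 ids
)

def per_component(reports):
    """Map each distribution to the set of vulnerability ids reported for it."""
    sets = defaultdict(set)
    for vuln_id, distro in reports:
        sets[distro].add(vuln_id)
    return dict(sets)

def aggregate(component_sets):
    """Union of all component sets: a shared vulnerability counts once."""
    return set().union(*component_sets.values())

def double_counted(component_sets, component):
    """Ids counted twice when `component` is added on top of the aggregate."""
    return aggregate(component_sets) & component_sets[component]

def summary(reports, component="RedHat"):
    """Compare the aggregate with the two ways of over-counting it."""
    sets = per_component(reports)
    agg = aggregate(sets)
    return {
        "aggregate": len(agg),
        "component": len(sets[component]),
        "aggregate_plus_component": len(agg) + len(sets[component]),
        "double_counted": len(double_counted(sets, component)),
        "sum_of_components": sum(len(s) for s in sets.values()),
    }

if __name__ == "__main__":
    for key, value in summary(REPORTS).items():
        print(f"{key}: {value}")
```

Because a component is by definition a subset of the aggregate, every one of its ids is double counted when the two figures are summed; summing the per-distribution counts over-counts as well, by the size of the overlaps.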

  6. Some history by mwillis · · Score: 5

    Some posters are not remembering why the phrase "Linux sux" was mentioned. Moody wrote a previous flamebait article with this line back in 1998 and got roasted on slashdot. Moody had claimed to have a secret informant who had to use Linux but was afraid to speak out the "truth", that "Linux sux". He never substantiated this informant, of course.

  7. This will come back and bite us. by Mark+F.+Komarinski · · Score: 5

    Anyone remember the "report" from 5 years ago that said 90% of the Internet was pr0n? Time did a big 'ol article on it, the report wound up on the Senate floor, etc.

    Too bad the data used for the report was completely wrong.

    Too bad that report is still probably being used to decry the evils of the Internet.

    No matter how many rebuttals there are, it won't stop the fact that Moody's article is out there. We must demand a correction from Moody or abcnews.com that also gets linked to the original article. Otherwise, 3 years from now, this will come back and bite us again.

    --
    -- Ever notice that fast-burning fuse looks exactly the same as slow-burning fuse? I didn't... (Edgar Montrose)
  8. Somewhat OT, Somewhat Not. by haystor · · Score: 5

    Instead of a rebuttal, which I don't think Moody's article really deserves since it would be considered flamebait to anyone that can add, I propose something different. When something that bad comes up, everyone on /. should follow the banner ads from the page Moody's article is on, find customer service on that site, and tell them exactly why you visited the site. Explain that their advertisement was on a page spewing FUD, and that they have consequently been affected by this. Explain that their banner ad went to waste because you have no intention of spending your money with somebody that supports those idiotic views. Also explain that you don't care that they don't have editorial control over the content, they do have control over which editor's sites they spend ad money on.

    --
    t
  9. Moody's article by cje · · Score: 5

    Does anybody believe that Moody's "article" was intended to do anything other than generate page hits, rile up Linux users, and get them to send scathing flames that can later be used to show the "immaturity of the community?" Personally, I would have rather seen Slashdot ignore this story altogether. Anybody who knows anything about Moody's past associations and opinions knows that he has a clear agenda, and that agenda does not particularly care for the success of Linux.

    IMHO, while it's good to write a rebuttal to an obvious nonsense article, it's also probably giving Moody's troll a bit more attention than it deserves.

    --
    We're going down, in a spiral to the ground
    1. Re:Moody's article by Fishstick · · Score: 5

      Yep, they're fully aware of us now, they've figured out how to push our buttons, and the herd reacts exactly as anticipated, playing right into their hands.

      It is a sad fact of life. "A person is smart, people are dumb, panicky animals... and YOU KNOW IT!"

      Individual /. readers/posters might understand this BS that is being pulled, and be able to refrain from giving them the hits and flames they are trolling for. Unfortunately, the diverse mob on /. simply can't resist unleashing the 'Dreaded Slashdot Effect [TM]' on sites that are calculatedly pushing our collective buttons.

      Taco knows full well how this kind of article works /. into a lather, can't figure out if he sincerely wanted to avoid posting it, or is too tempted to flex the slashdot-effect once in a while for some reason or another.

      "I avoided posting this because it really is pretty lame, but it's getting submitted a lot."

      "Stories like this just make me roll my eyes: the thing will get tons of traffic from you guys and his editor will say "Good Job Fred" because they got to sell lots of banner ads on it. *sigh* "

      Yeah, but /. makes its living off the same business-model, so posting this kind of story certainly contributes to revenue from banner hits and has to be hard to resist.

      Plus, I personally don't want /. to back off from posting these stories. Yeah, there is a lot of immature flaming and the site gets a bunch-o-hits, but there always seems to be a calm, rational, factual debunking that emerges the next day. Sheltering the /. readership from crap that might make us flip-out doesn't seem to me to be the right way to handle this.

      I'd rather see situations like this play out and maybe some of the flamers will get it. No, we won't ever get everyone to control their urge to send profane e-mail to the authors of these articles, but even if only a few learn from the example set by others in showing restraint and dignity in the face of one of these, I think it is worth it.

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

  10. Re:Feh by (void*) · · Score: 4
    Did you bother to READ before posting?

    The guy clearly states that he does not care about the conclusion of Moody's report ("Linux Sux"). In fact, all he did was to criticize the statistical method of taking numbers which clearly overlap and add them together to produce a highly inflated number. That is all he said. I think that is an extremely fair comment. You don't have to be a journalist with integrity to appreciate that.

    How we feel about the conclusion that "Linux Sucks" does not matter at all!

  11. Flamebait by mwalker · · Score: 4

    can we just mod moody's article as flamebait? his only evidence is that bugtraq lists more linux bugs than NT bugs. of course it does... that's because the linux community uses bugtraq and open review to fix bugs, and microsoft's "bugtraq" is a closed system that happens behind closed doors in redmond.

    windows 2000 gold was shipped with over 10,000 known, documented bugs. and no, they're not listed at bugtraq.

    i could go on and on (index the # of windows bugs in the knowledge base, closed source bugs vs open source bugs) but i've already given this flamebait more attention than it deserves.

    whatever you do, when you read this article, don't click through the banner ads. then he's won.