Slashdot Mirror


Microsoft: Trust and Antitrust

Microsoft is in the news for two reasons today: the continuing saga of the antitrust cases, and Microsoft's public relations push for "trustworthy computing". A selection of links: Microsoft claims two months of code reviews and half-day seminars surpasses everything ever done by the open source community; Salon talks about the problems with a monoculture; SBC, an abusive telecom monopoly, complains about Microsoft's behavior, an abusive OS monopoly; and Microsoft responds, claiming that SBC is merely being self-serving.

47 of 518 comments

  1. Two months? Get real. by Dead+Penis+Bird · · Score: 2, Insightful

    Maybe they've seen all the security flaws and bugfixes required, but I hardly think even with all of Microsoft's power, they could not outstrip the entire OSS community in just two months.

    There's still a lot more manpower in OSS. It's just more fractious.

    --

    If I weren't nailed to the penis, I'd be pushing up the daisies!

  2. Key to user security... by nakhla · · Score: 5, Insightful

    The key to user security is to enable it by default. Most people running Win2K at home don't bother modifying their file permissions, closing off unnecessary services, etc. They leave settings at the default and go on their way. If Microsoft made the default installations more secure it would drastically improve the security of its OS. How many times has Security Focus reported on vulnerabilities related to Windows file-sharing? The answer to the problem is to turn it off and let the user decide if they want to turn it on. Outlook scripting, ActiveX, file sharing, Windows messaging, etc. Removing or disabling these services is necessary to secure a Windows box, and to reduce the bad PR that Microsoft receives every time a new vulnerability is discovered.

    1. Re:Key to user security... by Anonymous Coward · · Score: 1, Insightful

      Good point but bear in mind RH and other distributions learned this was a =bad= idea and quit doing it.

  3. Why MS can't be a monoculture... by Anonymous Coward · · Score: 1, Insightful

    Or shouldn't be. It's like plants, see. If your crop has all the same genes, it'll be sensitive to one disease and fail. If you have diversity, some genes make it through.

  4. Re:Quote from the article: by nakhla · · Score: 5, Insightful

    Not necessarily. Many times in the OS community, new code is added to a project. How often does the ENTIRETY of the code get reviewed? Yes, I believe that open source software does seem to result in fewer vulnerabilities. But it doesn't mean that there are NO vulnerabilities in open source software. Windows 2000 has approximately 50 million lines of code. If they've even gone through 1/4 of that it's astonishing. When was the last time someone actively pored through every line of the Linux kernel looking for possible bugs? Very often, code is reviewed in small chunks rather than from start to finish. This will solve small bugs and vulnerabilities related to specific functions, but BIG bugs require reviewing a LOT of code. That's probably what Mr. Lipner is talking about.

  5. Read the Article... it is very creepy by phoenix_orb · · Score: 2, Insightful

    Quoting Michael Howard, the security expert who designed the course for Microsoft:

    "Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed."

    I was astonished that he can make such bold claims. I have always thought that geeks have a mindset all of our own, and not one to be brainwashed easily. But then I found this quote:

    "Microsoft has always had a crisis-driven mentality," said Mr. Howard, the security expert. "You have my word: we will lead the industry in delivering secure software."

    And I couldn't help but laugh my ass off.....

    --
    Blah Blah Blah.
  6. Re:Brainwashed geeks? by MinusOne · · Score: 5, Insightful

    > "Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said.

    I was surprised by this quote too. The implication that developers at MS are some sort of automatons that are easily brainwashed is amazing. I'm no fan of MS, its products or its tactics but the developers who work there are robots. I have found the MS people I have met to be pretty party-line company guys but they did have brains and were capable of independent thought.
    The other problem with training like this is that without reinforcement from management it is not terribly useful. Sure some of the developers will "get religion" and will be absolutely scrupulous about writing secure code, but others will get lazy, forget the training or go back to old bad habits. Without code review and standards enforced by management in some way training is ineffective.

  7. Mythical Man Month by Alien54 · · Score: 5, Insightful
    "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months"

    I look at all the man months that have gone into the development of Windows, etc. and I look at the results. The sheer amount of time put in is no assurance of the quality of the results.

    In fact, if I recall right, the author of the book "The Mythical Man-Month" came to the conclusion that the more people you throw at a software project, the slower the project goes.

    So the question is how much of the work at MS falls into that category.

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:Mythical Man Month by rusty+spoon · · Score: 2, Insightful

      Except Raymond left out the important words:

      "primary development does not scale, debugging [the interesting code or bits that affect me personally] does."

      It's about time someone stopped all of this rampant debugging and started 'designing' some of this stuff instead. I've seen ugly code, I've seen unmaintainable code, but with OSS I've seen ugly and unmaintainable code. Sure some is good but most is rubbish.

      No wonder it needs a horde of avid debuggers.

  8. students view by bpb213 · · Score: 5, Insightful

    Ok, I'm a student at a good university.

    Looking at this -
    dozen half-day training sessions for its programmers, about 1,000 at a time.

    And I fail to see how you can teach. It's hard as hell to learn in a lecture hall of 300, but 1000? That's insane.

    Not only that, but for a half day? C'mon, Americans have an attention span of what? 15 sec? If that? (Don't anyone take insult...:))

    How do they expect coders to pay attention to a small figure in front for a full 6 hours....1.5 hours is hard as it is for a normal college lecture.

    --

    This .sig looking for creative and witty saying.
    1. Re:students view by lys1123 · · Score: 2, Insightful

      It all depends on how the class is taught. If they were being lectured to endlessly for that half day, with 1000 in a room then there would be little hope for the class. But if you note in the article:

      "the experience of seeing offending snippets of code on a giant screen in a large auditorium proved humbling"

      They were pulling up the stupid mistakes of their co-workers and pointing and laughing at the poor schmo. This sort of entertainment has a much better chance of keeping one's attention.

  9. Nope. Wrong again by Anonymous Coward · · Score: 1, Insightful

    MS obtained the BSD networking stack legally & ethically. Unlike some other company/OS *ahem* *Red Hat* *ahem* *Linux*

  10. What code reviews? by Nintendork · · Score: 4, Insightful

    Since Gates sent out the letter pushing security, there have been a few patches. Only one of them (From what I can remember) wasn't credited to some security firm. Other companies are finding their code weaknesses and telling them. This is their plan???

  11. Key to user security... by ltsmash · · Score: 2, Insightful

    Keep in mind that Red Hat Linux has released several versions where the default installation settings had practically everything turned on. This is not a Windows-only problem.

  12. The important thing is to have our own solutions. by Anonymous Coward · · Score: 4, Insightful

    It's a complete waste of time listening to these liars. That is all they are. Liars, deceivers, and power-hungry control freaks that wish to see any sense of community destroyed in order to protect their monopoly and cash flow.

    It would be a much wiser thing for us to do instead to focus on implementing our own open, Free, and standardized technologies that present solutions in the best interest of the community. This is the issue, and, whether we realize it or not, this is the war. We either leave these things to them and be controlled by them, or implement these solutions ourselves and protect our liberties.

    Simple as that.

  13. Bad Idea for Microsoft by jacobb · · Score: 5, Insightful
    Microsoft is rich because people upgrade if not every year, then every other year.
    It could not possibly survive by selling bug-free software - it's just not in their interest. The vast majority of users DON'T blame MS for the crashes, rather they either blame a 3rd party program or themselves even though the fault lies almost entirely on Microsoft.

    They DON'T get bad press from Outlook viruses - the evil hacker delinquent kids do. MS is seen, of course, as the victim.

    Windows2000 was released with, what, 20,000 known bugs in it. It seems to me that my Windows partition works worse and worse with each new version I put on it. So I buy another.
    Don't you realize, this is the best business model of all? But of course, now that the nerds, geeks and generally intelligent people are widely blaming Microsoft they want to quickly sidestep widespread scrutiny by (you guessed it) telling us security is their highest priority.

    Microsoft sells software that is so bloated that if they actually did a decent code audit (which, of course, would be far too expensive) and tightened things up, you wouldn't need that couple gigs just devoted to the OS. In short: MS NEEDS you to upgrade. Why on earth would they really mend their ways? Especially if it would cost more and get less overall business?

    1. Re:Bad Idea for Microsoft by Carnage4Life · · Score: 5, Insightful

      > Don't you realize, this is the best business model of all? But of course, now that the nerds, geeks and generally intelligent people are widely blaming Microsoft they want to quickly sidestep widespread scrutiny by (you guessed it) telling us security is their highest priority.

      As someone who's actually inside the Borg cube I can tell you that security is currently our highest priority. Thousands of people across various product teams have attended security lectures, new development has been stopped, old code and new code has been stringently reviewed, an emphasis on secure defaults is beginning to occur, and new functionality is designed with security in mind before all else.

      Of course some people will complain about why this has taken so long while others will probably say "better late than never" but either way it should be noted that a code review/security audit on this scale is probably unprecedented in software development history. Some may chime in about how Open Source is supposedly a constant large scale code review but I've previously written on the fallacy of this kind of thinking.

      Now on to counter the main claims of your post that releasing software with security issues is a good business model. This may have been true in an un-networked world where the most a compromise could do was allow another user on your system perform some mischief but in a world where some kid in Asia can tie up mail servers on most of the planet by using a GUI virus toolkit, security becomes very important. Unfortunately across the entire software development spectrum from *NIX to Windows, from Open Source to proprietary we as developers are failing and clinging to panaceas and silver bullets (Open Source - the with many all bugs are shallow myth, safe programming languages, just use crypto, etc) when in truth there is more to security than just applying a buzzword technology or software development style. I outlined some of the practices and techniques that lead to more secure software in my The Myth of Open Source Security Revisited v2.0 article. Having done some more research into security issues I should probably do a followup article and focus on other fallacies and problems which lead to complacency in software development and from there insecure software.

      Disclaimer: This post is my opinion and does not reflect the opinions, intentions, strategies or plans of my employer.

  14. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  15. Re:Two months? Get real. by ichimunki · · Score: 3, Insightful

    Huh. That's exactly what they did at OpenBSD-- they stopped and reviewed all the code (am I wrong? isn't that what they did?). MS can stuff themselves with this self-serving deception. My favorite is the line where they pretend that "easy to use means easy to hack". What a load! That's the same sort of dishonesty they perpetrate with their "just reboot/reinstall to solve bug X, Y, or Z" approach. Ease of use and security are entirely orthogonal. Microsoft will say *anything* to get you to ignore problems they've helped create.

    --
    I do not have a signature
  16. Bare Computing by Anonymous Coward · · Score: 2, Insightful

    This Salon article asks if people would trust Microsoft enough to allow their programming to fly planes or spaceships. Of course, a plane running on Windows 3.1 or Win98 would be scary indeed... but even a bloated NT/XP or *nix installation would make anybody nervous.

    ... but what about a DOS box?

    ... what about a stripped down *nix box?

    It seems to me (a Windows user) that the power of the *nix systems is the ability to strip it down to the bare essentials... to remove variables that could cause problems. DOS also kinda had the feel to me.

    I wonder if we all would trust Microsoft stuff more if we as users could completely remove the nonessential parts... and slowly build as we needed. Everybody knows it's impossible to debug in multiple dimensions...

    Until that time... nobody would fly in one of those planes... due to the constant worrying if the movie that they are watching will suddenly change into the "blue screen of death."


    Anyway... be gentle... my karma is so fragile...

    Davak

  17. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  18. Monopoly != Abusive by guanxi · · Score: 3, Insightful

    Not all monopolies are abusive. I have no serious objection to Intel's or Cisco's market dominance, and IMHO SBC falls into the same category.

    After they took over Ameritech's operations, service and especially support improved dramatically, at least for me. I'm happy to have them here -- the best telecom company I've ever dealt with (I've done business with Ameritech, PacBell, AT&T, MCI/Worldcom, Sprint, Verizon, and some others).

  19. this "big deal" affects the bottom line by mr_death · · Score: 4, Insightful
    > But the last time they made this big a deal about something, they delivered.

    Ah, but this "big deal" negatively affects their revenue and earnings, which is why I think it is little more than PR.

    Historically, Microsoft has piled in multitudes of features and foisted what should be beta software on the market. They find out what breaks, and provide bug fixes (euphemistically called "service packs") for the things people really whine about. This approach maximized their revenue, and accelerates it.

    Ask yourself if Microsoft would have turned Windows 2000 into Windows 2001 if a significant security hole was found on the eve of the launch.

    --
    It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
  20. Inaccuracies and arrogance by Loundry · · Score: 2, Insightful

    > Face it, with a few exceptions, the Open Source community is focused on creating a product, not on creating a secure product.

    You speak as if "the Open Source community" is a cohesive and organized group. They are not. This "open Source Community" that you speak of is awfully hard to define, consisting of many different people in different countries and speaking different languages with many different opinions and different ideologies. Have you read the debates between the BSD proponents and the GPL proponents? Given how different they are, would you still group the two in this so-called "Open Source community"? Do you not realize that many of the people you may be putting in that camp take issue with the very term "open source"?

    And what product is "the Open Source community" focused on creating? Fact is, these people are creating multiple different products, ranging from small applications to programming languages to full-featured office suites to entire operating systems. Some of them are highly focused on being secure. Some are not. You seem to be grouping all of them under an "unsecure" umbrella, and this is not only inaccurate, but insulting to those who do focus on security.

    > It's not necessarily a bad thing, but the open source community, as a whole, doesn't do much in the way of code audits.

    This is a fairly arrogant statement for you to make. How would you know, anyway?

    --
    I don't make the rules. I just make fun of them.
  21. impressive chutzpah or bad math? by jdbo · · Score: 5, Insightful

    "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."

    I love this quote; it's _so_ MS.

    Two months of a several thousand developers = 60 days * 8 hours per day (being generous and throwing in weekends) * 9,000 coders = ~ 500 man-years. Not too shabby!

    Bullshit, that's playing with numbers. I could further "statistics-ize" this to say that this means every line of Windows XP got 8 minutes of attention in the last 2 months.

    The reality is that secure development takes _time_ and _experience_ as well as eyeballs. Not everything is repaired correctly the first time, and the corrections themselves often need further review and correction. A fast fix is often worse than a naive bug.

    This sort of thing is even more likely to happen when you're changing your development habits to take security into account - transitions are always messy. I doubt much effective security work actually "got done" on the Windows code in those 2 months, relative to the amount of "security twiddling".

    While I have to applaud MS for finally _beginning_ to take security seriously, it's complete B.S. on their part (and very much in classic MS form) to suddenly claim that they're "the securest of the secure" when they're just entering the field.

  22. Re:The telling statement by gwernol · · Score: 4, Insightful

    > Big difference between adding an IP stack and a browser component and debugging/stabilizing/refactoring/etc your entire product line.

    Well if you think that's all Microsoft have done to become Internet-centric then you are vastly missing the point. Have you looked at their .NET initiative? If (and it's still an "if") they follow through on that vision they will have completely changed their software architecture to a completely Internet-centric model.

    --
    Sailing over the event horizon
  23. Re:Quote from the article: by feloneous+cat · · Score: 2, Insightful
    Okay, just one thing: About a year ago or so I saw one of the security guys (wish I could remember his name) talking on one of the geek channels (we no longer get it, so I forget what it is called). He was from McAfee and his #1 complaint about Microsoft is that every year they invite him and other security experts up there and every year they tell Microsoft the same thing: GET RID OF VISUAL BASIC!

    Perhaps it is me, but two months doesn't seem like a very long time to do "security reviews" ("you see a problem, Frank?" "Yeah, but at $5.00/Hour they don't pay me to fix problems, Joe...").

    Okay, so let us say they DID review it. Did they fix anything? Or is it just on their ever-growing (read never-ending) list of problems they just haven't gotten around to yet (let's all give them a Round TUIT, eh?).

    Personally, after seeing the level of "quality" shipped in some of the source for CE (drivers that hang, etc.), I've been underwhelmed at the code quality. I've seen Open Source that beats the pants off of it.

    Ah, but whadda I know? I'm just brainwashed...

    Okay, hold your arms out and recite after me: Brains...brains...brains...

    --
    IANAL, but I've seen actors play them on TV
  24. Re:Brainwashed geeks? by Anonymous Coward · · Score: 1, Insightful

    It's the only part that made sense to me.

    Rather than have a VP or some PHB decree that code was going to be written "THIS WAY", it sounds like they got a few of their top geeks to categorize the common security issues and find examples in the code.

    Then, you bring all the programmers in and begin reviewing code en masse...showing them common errors and why they're wrong and what happens when you do that.

    No blame. No finger pointing. No official decrees. Just straight solid training.

  25. Re:Two months? Get real. by bluGill · · Score: 5, Insightful

    OpenBSD defaults to several YEARS of code reviewing. Years between any security hole in the latest release. (Or more, does the OpenSSH hole count?)

    FreeBSD has TrustedBSD, which has similar aims, plus some code that would be really nice to have.

    Sardonix is trying to start a general project to do code reviews. Not really running yet, but good goals, I hope they work out.

    Just a quick search of open source sites and code review reveals that most projects think highly of code reviews and encourage them.

    And finally, the typical way to get into open source is to start reading code, and then contribute when you can do something. One of the things you can do is find potential holes.

    None of the above is perfect. All are useful, and all go on all the time. Maybe Microsoft put in more work into theirs, but I remember OpenBSD which was just a better NetBSD, and not secure. By fixing problems they got secure. I've been a programmer long enough to know that each fix has implications elsewhere. Microsoft might have solved a lot of problems, but my experience is the first two months introduce more problems than they fix, it is only after fixing those new problems that you begin to make progress, and it takes months to get them all closed.

  26. Re:The telling statement by IamTheRealMike · · Score: 3, Insightful
    > Within a year, the entire product line had Internet features. Now, 7 years later, people publicly lament that Microsoft has virtually taken the Internet over.

    Yes - but this is what led to many of their security problems today. They decided they were going to "do" the internet, and so mashed a truckload of net features into all their products. So Word got the ability to detect hyperlinks, Outlook used IE to render web pages and so on.

    The problem is - they didn't really do the net at all. Compared to say KDE, where I can give any KDE program a net URL to open and it'll just do it, the Windows internet integration is a joke. They never resolved key policy decisions, like which takes precedence: windows file metadata (with extensions) or MIME types? This is the problem that means I now get several emails every day that contain an embedded wave file, except it isn't a wave file, it's an EXE. IE sees that it's MIME-typed as a WAV, so passes it to the OS, which then makes its own, independent decision and detects from the extension that it's a program and so autoruns it.

    The same problem surfaces with web pages. IE usually ignores MIME types - when I was developing a web application recently I wanted to see some XML embedded into an iframe, and then be able to copy and paste it. I return the XML as text/plain, but IE realises it's XML and shows it in that pretty tree thing. Now I can't copy and paste it. Mozilla however follows the rules, so I have to use that instead.

    That's not a problem that can just be fixed overnight - it's a key design flaw. How do they fix that virus problem? By switching off the WAV background sound feature (something nobody ever used anyway) in emails. That's just a bandaid, and doesn't get to the core problem, which is the internet code in Windows usually ignores or doesn't receive MIME type info.

    Now I have no doubt that after this session of looking at code, MS products will have caught up with the competition in terms of security. Nobody should underestimate them. But as has been pointed out, whether that'll change their long term mindset is anybody's guess.
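
The mismatch described in the comment above (a part labelled as a WAV by its MIME type while its file name and content say executable), checked from the receiving side by comparing all three opinions before anything opens the attachment. This is an added example, not part of the original thread; the extension table, the two byte signatures, the verdict names and the sample message are assumptions constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

EXECUTABLE = "application/x-msdownload"

# Assumed, deliberately small tables; a real gateway would carry far more.
EXT_TYPES = {
    ".wav": "audio/x-wav",
    ".exe": EXECUTABLE, ".scr": EXECUTABLE, ".pif": EXECUTABLE, ".com": EXECUTABLE,
}
ALIASES = {"audio/wav": "audio/x-wav", "audio/wave": "audio/x-wav",
           "application/x-dosexec": EXECUTABLE}


def sniff(data):
    """Type implied by the leading bytes only, or None if unrecognised."""
    if data[:2] == b"MZ":                              # DOS/PE executable header
        return EXECUTABLE
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":  # RIFF container, WAVE form
        return "audio/x-wav"
    return None


def classify_part(declared, filename, data):
    """Compare the declared MIME type with what the extension and bytes imply.

    Returns (verdict, reasons). "block" means something executable is hiding
    behind a non-executable label; "review" means any other disagreement.
    """
    declared = declared.lower()
    declared = ALIASES.get(declared, declared)
    ext = os.path.splitext(filename or "")[1].lower()
    by_ext = EXT_TYPES.get(ext)
    by_magic = sniff(data)

    reasons = []
    if by_ext and by_ext != declared:
        reasons.append(f"extension {ext} implies {by_ext}, header says {declared}")
    if by_magic and by_magic != declared:
        reasons.append(f"content looks like {by_magic}, header says {declared}")

    if EXECUTABLE in (by_ext, by_magic) and declared != EXECUTABLE:
        return "block", reasons
    return ("review" if reasons else "ok"), reasons


def scan_message(raw):
    """Classify every leaf MIME part of a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() also falls back to the Content-Type "name" parameter,
        # so inline parts are covered as well as attachments.
        data = part.get_payload(decode=True) or b""
        verdict, reasons = classify_part(part.get_content_type(),
                                         part.get_filename(), data)
        findings.append({"filename": part.get_filename(),
                         "declared": part.get_content_type(),
                         "verdict": verdict, "reasons": reasons})
    return findings


def build_sample():
    """Constructed sample: one mislabelled part and one honest WAV."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.\n")
    # Two-byte MZ stub padded with zeros: enough to trip the signature,
    # not a working program.
    msg.add_attachment(b"MZ" + bytes(62), maintype="audio", subtype="x-wav",
                       filename="readme.exe")
    wav = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + bytes(24)
    msg.add_attachment(wav, maintype="audio", subtype="x-wav",
                       filename="chime.wav")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding["verdict"], finding["filename"], finding["reasons"])
```

The check does not decide which of the three sources is right; it refuses to proceed when they disagree, which is the policy decision the comment says was never made.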

  27. Re:Two months? Get real. by 9633 · · Score: 3, Insightful

    Also, he is ignoring Open Source projects that start out to be secure code in the first place, i.e. qmail, djbdns... The thing about open source is we have a choice. More than likely Windows users don't.

  28. you've been in school too long then by wadetemp · · Score: 5, Insightful

    I used to have the same problem in college, but then again, I went to class several times a day, 5 days a week, 2 semesters a year, for several years. I fell asleep (mentally if not physically) many times, even in 1 hour classes. Now that I'm out of school, I have no problem paying attention to a 5 hour training session. It's actually a nice break. It's not like I do it every day, or even every week.

  29. Silly debating tactics by hey! · · Score: 3, Insightful



    C'mon. He's making a good point about geeks -- you can use their love of learning new stuff and putting it to use makes it possible to change their collective direction quickly. It's a valid insight.

    Microsoft has been able to exploit this better than any other large company. It's a matter of hiring the right people. They don't always get the right direction, but they can be moved rapidly when necessary. Remember Microsoft's total lack of preparation for the Internet a couple of years ago? Now we're worrying about the possibility they may coopt it.

    I would view a similar Microsoft shift towards more trustworthy software development practices as an unmitigated good. You can't dominate the field of "trustworthy" software. It's just about producing higher quality software, which benefits both their customers and even people who aren't their customers (how many non-Windows sites suffered collateral damage to Code Red).

    The problem is the inevitable PR baloney that goes with it. Perhaps Microsoft sincerely wants to produce more trustworthy software; this is good. However they want their customers to trust their products right now, so they're trying to make them think that most of the problems have been fixed by a gargantuan effort. This is bad. You can't fix years of shoddy work with a couple of months of auditing. Fixing security problems is, I don't know, but I'd guess at least ten times as hard as avoiding them in the first place.

    A little humility would make people who know better feel a bit more comfortable that this is more than PR hype.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  30. ROCK STARS?!?! by unsinged+int · · Score: 2, Insightful

    From the Salon monoculture article:

    "Software engineers are not traditional engineers. They're rock stars," Copeland says, meaning they're less interested in meticulously removing all flaws from a design the way a skyscraper architect would feel compelled to do.

    I take issue with this. What software engineer doesn't try to remove all the flaws from their code? All good engineers do this...heck I could almost be called obsessive-compulsive about making sure my code works correctly. Maybe there are a bunch of bad programmers out there who think they're rock stars. And if there are, I don't want them working for me. Ever.

  31. Re:Two months? Get real. by gorilla · · Score: 3, Insightful
    "ok let's stop development and everyone will go check code extremely carefully."

    This is a really awful way of doing it. In order to get a good implementation you need:

    1) A solid design. That means no automatic execution of attachments.

    2) Continuous review of the code. If the code sits for 3 years before it's reviewed, then you've exposed yourself to bugs in that time, and perhaps you've even accidentally built stuff which relies on that bug.

  32. Re:Microsoft... by bughunter · · Score: 4, Insightful
    Heck, they're brainwashed before they get lined up and herded into the front of the process.

    This may sound like a troll, but it's honestly my own perception: Microsoft operates on a cult-like corporate culture. It was especially evident during the antitrust trial; the behavior of the lawyers and execs and their obvious inability to concede, even to themselves, that they just might not be arguing from a rock solid position. It really did remind me of Scientology.

    And I'm offended that Mr. Howard thinks of us "geeks" as such simple, predictable, uniformly malleable children. Methinks he's been working in a cult organization too long.

    --
    I can see the fnords!
  33. Re:Windows XP SP1 by ansible · · Score: 4, Insightful

    In response to you and cscx (below)...

    crudeboy writes: (in regards to IE and Media Player) but... a more correct question might be: Why bother to remove it?

    End user applications have no business existing on a dedicated server machine. As for why, see below:

    cscx writes: Second of all, you don't install all the goodies in Windows 2000 server/advanced server. Why do you need IE? Well, it's handy as hell. You can locally install updates while at the box in the server room, run windows update, download hotfixes, etc. Plus, it's also useful for visiting tech documents / howtos to diagnose problems that the Novell and Linux servers in the same server room are having (yes, this has happened to me before ;P)

    So you're going to be surfing random sites on a critical server machine... while logged in as Administrator?????

    I'm glad you don't work for me. That would be grounds for a reprimand, at the very least.

    Back in the old days, surfing the web ran no risk to the client machine. Nowadays there are all kinds of risks because of mobile code (ActiveX, Javascript, etc.) and exploitable client programs (increasingly complex web browsers). Do either of you guys remember how those worms were spreading last year? Sooner or later, someone's going to figure out yet another exploit for IE.

    Yes, yes, you can limit the risks with security settings, but that is no longer proof against attacks.

    crudeboy writes: If you really think that you probably shouldn't work with security at all... To say that things you do when implementing a software solution should be carried out first is just plain nonsense...

    Well, if "limit your exposure" isn't supposed to be #1 on a security checklist, then it is #2 or #3.

    Since you don't seem to understand the basics, then I suggest you read up on the subject before you start calling things "nonsense".

  34. No, they don't run the internet. by emil · · Score: 4, Insightful

    When one of the DNS root servers switches to NT, please let me know - not that DNS is that stable or secure.

    When IIS has a 60% market share (as Apache does now), I might also get a bit concerned.

    When the Microsoft Sybase rip-off has a 46% market share (as Oracle currently has), we might start worrying about the datacenter.

    When they have a stable, scalable 64-bit version of Windows, we might start worrying.

    In order for Microsoft to get any of these markets, they will have to have a good product, good customer service, and good interoperability with other vendors' products. I don't see that happening anytime soon.

    After all, we gave them SMTP, and look what they did with that.

  35. Code inspection - the MS way? by Anonymous Coward · · Score: 1, Insightful

    1000+ people in a dozen half day seminars?? Are they nuts??

    Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."

    Well, here's some tips.

    1) Code inspect in groups of 4-6

    2) Don't have the author read the code.

    3) Have clearly assigned Moderator, Reader and Inspector(s) roles. They can overlap, but remember 2)

    4) Don't go for more than 2 hour sessions, twice a day.

    5) Don't do more than 200 lines of code a session.

    6) Prep on the code.

    7) Follow up on minutes.

    Most designers hate code inspections, in my experience (myself included), but they do serve a purpose, and aren't too painful when you follow these guidelines.

    9000 people should have been able to inspect the entire Windows codebase in this space of time, if they've stopped or even slowed development. Ideally, this is _part of the development process_. Or something similar, at least.

    Members of the select group initially showed some resistance to the process, but in the end the experience of seeing offending snippets of code on a giant screen in a large auditorium proved humbling, said Michael Howard, the Microsoft security expert who prepared the training material for the company's security retraining and led the security classes

    Yea, that's it. Humiliation really works in rooting out those bugs. How professional.

    O ya. Laptop. Ergonomics. Smarten up! Geesh.

    AC is the /. way of admitting that friendly fire isn't.

  36. Re:Bad Idea for Microsoft, a few points... by Tadghe · · Score: 2, Insightful

    Oh goody, a borgette.

    > Thousands of people across various product teams have attended security lectures,

    That means they will write more secure code why? In the past you have called the "many eyes make bugs shallow" idea a myth for pretty much the same reasons that "attending lectures on writing secure code" would make code more secure.

    > new development has been stopped, old code and new code has been stringently reviewed,

    1. For Joe User, the code reviews will mean exactly nil.
    When exactly will users of Win 95,98,ME,NT 4.0 be seeing the fruits of those labors...simply put they won't. As always Microsoft is only focusing on the latest-greatest products they are shipping. Economically this makes sense, but how many thousands of NT 4.0 IIS 4.0 servers, SQL 7.0 servers and (soon to be obsoleted) Win2K Pro boxes will continue to hammer my clients' firewalls because Microsoft refuses to maintain any sort of legacy product support?

    2. No Proof of coding reviews.
    What sort of reviews? In the past you have called for formal, codified coding review policies. I have yet to see Microsoft document how exactly they are reviewing their code. Simply sending developers to a lecture and making them re-read their code does not = more secure coding practices. How many patches has Microsoft released to fix bugs found in released products because of this review? Combing bugtraq I see none.

    > Now on to counter the main claims of your post that releasing software with security issues is a good business [snipped for space]

    3. Insecure software still makes sense for Microsoft.
    It still unfortunately makes good business sense. Shall I send you the ads from Microsoft that litter my inbox, touting that WinXP is more secure than previous Microsoft OS's...Again, Microsoft is NOT releasing patches for past products where security flaws are found. The message has stayed the same. Want a "secure" os/platform, then upgrade to our latest and greatest.

    > [...]when in truth there is more to security than just applying a buzzword technology or software development style

    4. Yup, re-read what you wrote again. Memos of "we must do better", 2 months of reviewing and sending developers to lectures on a topic they should ALREADY know do not change decades of practice, nor the underlying attitude of management. If you want to produce secure, reliable code it takes a consistent attention to detail, an emphasis on quality and an understanding that code you write today may well be in use long after you've retired. It takes understanding of basic principles of software development; it takes understanding software development as an engineering practice, not as a semi-skilled trade.

    What surprises me is that Microsoft (and much of the industry) acts like writing secure software is something new. Software security problems have been around since before telenet was patching holes left and right because of the quality of their login code. If you think Microsoft is bad about security, you should browse the quality of code that many in-house projects have though.

    I would add that if you really have a commitment to security, then you must be willing to understand that you can't call it secure and then shoot the messenger when he/she posts a vuln that says otherwise

    --
    Bugs Bunny was right.
  37. By definition, Microsoft != trustworthy by fanatic · · Score: 3, Insightful

    Even if they were actually successful (not likely) in cleaning up the massive number of unintentional screw-ups in their code, the stuff they do intentionally is worse, including the Product Activation 'technology', their Secure Audio Path crapola (==selling their users' rights to the highest bidder), that abominable Plug'n'Play crap that just 'decides' to randomly re-configure your system hardware, and Anything.Net. Also, their gratuitous changes to file formats, communications protocols and APIs to enforce upgrades and preclude competition.

    It's the stuff they do with full knowledge and intent that makes them un-trustworthy.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  38. it's so big business--and it won't help much by mmusn · · Score: 3, Insightful
    A many-billion dollar company faces security problems and its response is to do what the textbooks say to do about security: mostly lots of extremely dull code reviews.

    Yes, they probably will do some good. Yes, they will probably help a little with the perennial problems with Microsoft software: that it is dumped on the market with way too many bugs, that it is dumped on the market with way too many features, and that it is dumped on the market much earlier than the software from more conscientious competitors, driving them out of business.

    But it doesn't address the fundamental problems. Microsoft software is still closed source and it is still written and controlled by a small number of programmers up in Redmond, programmers who often have no experience of anything beyond Microsoft. Even if Microsoft made all their software "shared source", the economic incentives would favor the crackers (other developers don't have much interest in contributing fixes to Microsoft that they just have to pay for again in the next release).

    Most importantly, however, Microsoft's goal of total market domination is their own worst enemy: an OS that runs on 95% of the machines is intrinsically and unavoidably not secure. We need operating system diversity. If no single OS or server software runs on more than 5-10% of desktops and servers, then security problems are automatically self-limiting. And, as a bonus, the increased competition would give us better products and more innovation. (And, yes, these comments apply to Apache as well.)

  39. Possibly correct by HiThere · · Score: 5, Insightful

    You may be right. I'll never know. Because I will never agree to what I've seen of the recent MS licenses.

    So I will continue to perceive MS software as basically unfriendly, useless, insecure, etc. The last versions that I could legally look at and evaluate were that way, and I see no reason to change my opinion. Any company that makes it illegal to post reviews of their current products does not deserve any amount of "suspension of disbelief".

    More to the point, any company that insists on the right to add, delete, copy, or remove whatever software it chooses from my hard disk cannot be considered secure no matter how secure the software itself actually is. That legal requirement is nearly the zenith of possible insecurity, and renders any software that requires it unsuitable for any application that I can conceive of.

    Perhaps you've changed your license again. Is there any reason for me to believe that you won't change it back just as soon as I buy in? You seem to be requiring the right to change the terms of the license without my agreeing to it, or even knowing of it (via "license specs are kept on a web page").

    I don't see how things COULD be less secure, for the end user.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  40. Re:Avoiding the Issue and Missing the Point by BurritoWarrior · · Score: 4, Insightful

    I was trying to avoid direct criticism here, but since you started...I understand what disputable means, thank you. Unfortunately I think you need to look into what the scientific method is before writing an article like you did. You reference articles with misleading statistics, your logic has gaping holes in it, and your conclusions are invalid. All other things being EQUAL (developed by the same people, with the same tools, at the same time in computing history, written in the same language, going through the same review process, etc.) open source software would be more secure as *additional people* would be able to audit the code. Comparing AIX or HP-UX to a Linux distro has *no statistical relevance* because there are DOZENS of other factors that *skew* the results. You even say so in your claim that we shouldn't compare Windows to Linux/OSS because they are so different, then go on to do the same flawed comparison with commercial Unices vs. Linux.

    In conclusion, I find your article nothing more than semi-sophisticated FUD.
    Fear - Be afraid, that OSS might not be very secure.
    Uncertainty - Well, if it isn't secure you probably shouldn't deploy it, should you. Use commercial software (and keep my paycheck coming).
    Doubt - Hmm, well, maybe we should stick with the tried and true, good ole MS. (or IBM if we want to go back in time.)

  41. As other posters have pointed out... by Anonymous Coward · · Score: 1, Insightful

    One can bicker back and forth all day long about statistics on this system or that system, and how based on CURRENT trends, some such system is more safe than some other system.

    None of this, however, is relevant to the basic principle that what I don't know about or don't have control over (e.g., access to code, purchasing choice) is inherently insecure to me. It's not known problems I'm worried about, it's possible FUTURE ones. You cannot feel secure without control, and MS is the last corporation to place control in the hands of anyone but itself.

    The problem is that once we put all our eggs in MS's basket, they have control over what I can and can't buy, how I buy things, and what I use. And when MS has complete control, we lose the ability to determine what MIGHT have been had MS not had an illegal/unfair monopoly. MS also loses any practical incentive to give me the security I want (I would argue they already have).

    I don't give a rat's ass how much MS might be improving its security, to tell you the truth. The problem is, once MS has complete control over a market, there is no way of knowing at a future point in time if something better might have been available had they not had a monopoly.

    Comparing open source distributions to proprietary distributions IS flawed in this regard, because regardless of the libre nature of the software, I would argue most sociologists, etc. would argue that MS's current emphasis on security is the direct result of OPEN DISCUSSION of MS's flaws and the presence of ALTERNATIVES to compare it to.

    Once we lose the ability to openly discuss software security and lose alternatives, we make our systems inherently less secure.

    Is open source more secure? Maybe, maybe not. But what is more secure is an open MARKET, which we don't have without Linux and UNIX.

  42. Re:SBC an Abusive Monopoly? by Anonymous Coward · · Score: 1, Insightful

    Seems to me to be an abusive monopoly here in L.A. I'd like to know where else I can go to get DSL (that will be around for the long run) and local phone service (I may be clueless on this one but I don't know the names of any local telecoms that provide residential local phone service) since SBC/PacBell's customer service is ABSOLUTELY HORRIBLE!!! I've been working on a billing problem every month for 6 months now. And 3 years ago when I got my first DSL line with them I spent 9 months straightening out a double and triple billing problem. If they're not a monopoly I'd sure like to hear of the alternatives. And, no, cable and cell phones aren't alternatives for me.

  43. Re:Quote from the article: by Chris+Burke · · Score: 3, Insightful

    This will solve small bugs and vulnerabilities related to specific functions, but BIG bugs require reviewing a LOT of code.

    No, big bugs require reviewing the architecture which the code implements. Bad design is the cause of big bugs, and you have to be willing to scrap the bad design and start over from -architecting- the code before even reimplementing it.

    Is MS willing to do that?

    --

    The enemies of Democracy are