Slashdot Mirror


Bill Gates: Windows Patched Faster than Linux

petard writes "In a very interesting interview published by the Register, Bill Gates made several interesting claims about Longhorn. Many of them have been extensively covered recently, including plans to force users to patch automatically. Surprisingly, everyone seems to have overlooked his statement that Microsoft fixes bugs faster than Linux developers do. 'We've gone from little over 40 hours on average to 24 hours. With Linux, that would be a couple of weeks on average.' Either he's lying or woefully misinformed; their recent performance seems to be more on the order of 3+ months, or over 2000 hours."

42 of 679 comments

  1. Maybe? by grasshoppa · · Score: 3, Funny

    Maybe they meant they make bugs faster?

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Maybe? by Illbay · · Score: 3, Funny
      Interesting how in this case "faster" means "more often."

      HINT TO BILL: Maybe hardly EVER needing a patch is a GOOD THING.

      --
      Any technology distinguishable from magic is insufficiently advanced.
    2. Re:Maybe? by Randolpho · · Score: 2, Interesting

      And you're aware of some elusive Open Source software program that "hardly ever" needs a patch?

      'cause I still haven't found one. :)

      --
      "Times have not become more violent. They have just become more televised."
      -Marilyn Manson
  2. A question of need by pwiebe · · Score: 2, Funny

    The real question is which OS needs to be patched faster.

  3. 'Fast' Bug Fixing by The+Raven · · Score: 2, Funny

    Bill Gates is a very intelligent man... who is currently acting like a very intelligent trained monkey, spouting defensive FUD. But that's nothing new.

    I wouldn't be surprised if MS does make pages in under 24 hours. But I bet the process looks like this.

    - Microsoft notified about a problem.
    - Notification email sits in Exchange server for a week due to problems with a corrupted mailbox.
    - Flunky reads email, decides it would never happen in real life, demotes to low priority.
    - MS Updates their problem tracking database. Issue is lost in the db move.
    - Another flunky goes through and re-adds all the issues from emails.
    - Smarter employee upgrades importance, flags it as 'do now!'
    - Issue languishes for another few weeks.
    - Vulnerability 'approved for fix!'
    - Programmers fix it in under 24 hours.
    - Patch enters testing queue.
    - Patch is tested in an inadequate number of systems that all include only MS software and no 'unusual' configurations like, say, not using IE as default browser.
    - Patch is sent to deployment team.
    - Wait another week.
    - Deployment team packages fix, places it on wu.ms.c.
    - Fix breaks on many systems, system admins tear out hair, MS pats themselves on backs for their fine bug fixing system.

    Myrddin.

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
  4. His Watch Crashed by Rosyna · · Score: 2, Funny

    Didn't you know that Bill Gates' watch runs Windows CE and it crashed some months ago due to an exploit in RPC in the second hand? Now it just goes really slow. What is a month to you or me is 2 hours to him. He now talks that slowly as well.

  5. *I* think he's referring to... by leonbrooks · · Score: 2, Funny

    ...his personal desktop. "It's good to be da king!" (-:

    --
    Got time? Spend some of it coding or testing
  6. As far as patches and updates go... by Mondain98 · · Score: 2, Insightful
    I really wonder if Microsoft has so many more bugs and so many more patches than Linux.

    I mean, after I install an average workstation of redhat 9.0 I see a lot more patches downloaded from up2date than the 36 or so for a fresh XP Pro install. Of course I mean for all the apps, not just core kernel stuff.

    Minor version numbers for *nix packages seem to increase faster, which is a good thing because that means more holes getting patched faster [than Windows].

    I guess my comment is that we need to see more Windows patches at a much faster rate, and stop being surprised when MS issues 4 patches in one day. Hell, up2date issues 4 new updates a day on a slow day ;)

  7. Linux the kernel or Linux the system? by Mark19960 · · Score: 2, Interesting

    It seems that Microsoft is attacking the system, not the kernel.
    I haven't really heard anything about Linux, really.
    I have heard about the SSH issues, etc., but never about Linux. SSH, OpenSSH, etc. are just parts of a Linux system, or BSD for that matter.
    Has there actually been a Linux KERNEL exploit in the last few years?
    And besides, when there is a Linux KERNEL exploit it's fixed in hours, or minutes! I think it would be impossible for M$ to match that.
    This article qualifies for more M$ Fud.

    1. Re:Linux the kernel or Linux the system? by drinkypoo · · Score: 4, Insightful

      When is the last time a vulnerability in the windows kernel was found? To be fair, we will include vulnerabilities in the HAL, since in Linux the kernel contains that functionality as well.

      OpenSSH is a part of Linux as much as RPC or Windows Messaging is a part of Windows.

      If a linux kernel exploit is fixed in minutes, then it was a pretty dumb bug. Microsoft has been good lately about doing proactive security reviews, and they often find holes before anyone else does. Linux mostly seems to do reactive fixes, at least from where I'm sitting. Which is to say, at a Windows XP machine, but right next to a gentoo Linux system.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Linux the kernel or Linux the system? by Billnvd65 · · Score: 2, Insightful

      "OpenSSH is a part of Linux as much as RPC or Windows Messaging is a part of Windows."
      To test that theory, I will turn off ssh on linux and you turn off RPC on XP, now let's both reboot and see who gets back first! Enough said!

    3. Re:Linux the kernel or Linux the system? by Qzukk · · Score: 2, Interesting

      OpenSSH is a part of Linux as much as RPC or Windows Messaging is a part of Windows.

      Wow, you mean there's no way at all I could run a box without OpenSSH? You should tell that to my workstation I'm writing this on right this second.

      Sure, you can turn off RPC after you install windows, but I had Debian installed without any servers at all. Do you think you could log in and shut off RPC fast enough to avoid picking up a worm or two while on a network (like, say, when you register XP over the internet)? Just to let you know, my friend brought his laptop over and hooked it to the internet for the first time, and he picked up the worm while we were still waiting for windows update to get started downloading the fixes.

      they often find holes before anyone else does. Linux mostly seems to do reactive fixes

      Define "before anyone else does". You mean some indeterminate time between some group with a zero-disclosure policy discovers the bug and reports it directly to microsoft months ago and when Bored College Student discovers it a week ago and takes down his school's registrar's office? Just because the bug doesn't show up on major-name-brand buglists doesn't mean people don't know about it. Take the recent OpenSSH bug, there were exploits in the wild and rumors of it being used long before the bug itself was announced.

      So, given Microsoft's history of whining at the full-disclosure lists where it's obvious that Microsoft takes weeks to months to patch a problem, isn't it obvious that they much prefer the zero-disclosure method where they take weeks to months to patch a problem but you don't know about it?

      Microsoft has been good lately about doing proactive security reviews

      The only reason we got a half-dozen patches this week was because Microsoft was already fixing two holes in a row in the RPC code that someone else found. If this had been policy, then IIS would have been entirely fixed within weeks of the first bug in it, and it wouldn't be the bug-ridden unused pile of junk it is now (which disproves the old saying that "if it was more popular there would be more attacks for it" which doesn't hold for apache). But alas, nobody took the time to proactively fix IIS, or much of anything else Microsoft has released. Though it's hard to tell what all is getting patched these days since Microsoft has dumbed down their patches to the point where they read "install this patch or a remote attacker could take over your system" and be completely devoid of any information whatsoever.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  8. Bah! The suits at Microsoft are running scared by Trolling4Dollars · · Score: 4, Interesting

    Why do you think they are giving Linux so much attention these days? I think this means we are now in between the "They laughed at us" and "They tried to fight us" part.

    And if we follow Mahatma Gandhi's approach, the best approach is to keep doing what we do while letting MS bash away. Eventually it will become quite evident as to which side is interested in doing good for their fellow man.

  9. Re:Lots of patches lately by Snowhare · · Score: 3, Insightful

    And NONE in the preceding month. Microsoft may (or may not) be fixing them in 24 hours. But they are now officially on a once a month patch RELEASE schedule.

  10. Re:Someone RAM Bill by itchy92 · · Score: 2, Informative

    Bill never said the 640K Quote, and I'm willing to bet he never said the 4GB one, either.
    I know every time this quote is used, someone has to debunk it, but there's no reason to perpetuate a false quote by one of the geniuses of our time.

    --
    Slashdot: News for nerds. Stuff tha-- MICRO$OFT IS THE DEVIL!!1
  11. Who Solves Security Problems Faster? by Crispin+Cowan · · Score: 4, Informative
    My favorite study on this question was "Linux vs. Microsoft: Who Solves Security Problems Faster?" by Jim Reavis. The data is from 1999 and 2000, but it is nicely systematic. At least back in 2000, Linux was much faster than Microsoft, averaging 11 days vs. 16 days.

    Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Scientist, Immunix Inc.
    Immunix: Security Hardened Linux Distribution

  12. What are his start/end times? by k12linux · · Score: 3, Insightful
    We've gone from little over 40 hours on average to 24 hours

    I'd like to know what part of the process he is talking about? Is that the time between when the hole is made public and when the patch is released? That would explain things a bit... since MS typically can keep the news under wraps until they release the patch simultaneously.

    Including a lot of "0 seconds between bug announcement and patch release" is bound to give you a much lower average. So, it would be possible for MS to receive 85 bug reports, suppress all but one for three months, release 85 patches and average just a bit better than 24 hours between public announcement and patch.

  13. Re:Someone RAM Bill by s20451 · · Score: 4, Insightful

    Now I'm no Gates apologist -- I haven't even used Windows for years, except when I am forced to kicking and screaming -- but harping on these statements bothers me.

    In 1981, NOBODY needed 640k on the desktop. IBM PCs shipped with a tenth that amount of memory. Even assuming memory growth is exponential in the same manner as Moore's Law, this meant that the average user probably wouldn't need 640k for five years or more. Even in 1987, I remember programs (such as WordPerfect 4.2) that could fit on a single 360k floppy -- so the 640k prediction held for several generations of machine. Not a bad prediction in the computer industry.

    There were good reasons for making the 640k assumption. All I'm saying is, don't fault an engineer for making a design decision, even if you don't like him personally.

    Having said that, you want a desktop application that takes up more than 4 GB of physical memory? Go download the OpenOffice source and add a line:

    calloc(4294967296,sizeof(char));

    Take THAT, Bill!

    --
    Toronto-area transit rider? Rate your ride.
  14. reminds me of.... by MoFoQ · · Score: 2, Funny

    reminds me of the Iraqi "Information" Minister.
    "What Americans? There are no American troops on Iraqi soil"

    Also good to note that Linux patches have been kicking more ass than Windows EVER will, from back in the day with the port 139 "bug" (Linux patch was out within hours, Windows, took A LOT longer for obvious reasons) to any in the unforeseen future.

    Hell...I think Ol' Gatesy is mistaken; bugs that are intentionally placed in software in order to patch and call it an upgrade, well....they don't count.

  15. he's probably not lying... by Malor · · Score: 4, Insightful

    Most likely, he's just reporting what he's being told. And most likely, it's being mis-measured by someone.

    Microsoft is a big company, and Windows is a very complex beast. My initial thought is that perhaps the security developers do indeed code and submit a patch within 24 hours.

    But then the patch has to wend its way through the labyrinth of QA and regression testing. Because Windows is so highly integrated, even small changes can have big unforeseen consequences, so they can't rush patches out the door without breaking things. I believe Microsoft makes patches available via their support pages well before it hits Windows Update. What *we* are measuring is the time from bug report to being in Windows Update; what *they* are probably measuring is time to patch submittal or time to initial availability via support.

    I really, really prefer the improved code separation in the Unix environment; if, say, BIND has a problem or exploit, it's highly unlikely that a patch to it will break Postfix or Apache. Because things are better-separated, the developers understand their packages better and can more confidently push patches into their stable branches.

    I worry a little about the way the Unix desktops are becoming increasingly interdependent, with lots of libraries and lots of integration... are we going to end up in the same place, eventually? Microsoft doesn't employ idiots, and considering the amount of trouble they've had scaling, well.... I just hope the free software developers are thinking about this.

    1. Re:he's probably not lying... by sheldon · · Score: 4, Interesting

      "And most likely, it's being mis-measured by someone."

      It's certainly being mismeasured by the Linux community. While I haven't done a thorough study, I make note of a Konqueror patch that came out last year.

      - Linux community touted it as proof patches were fast, because it was into the source tree in 90 minutes
      - It took one month before KDE released a new binary compiled with the patch
      - It took an additional month before Redhat incorporated this into a patch for their Linux distribution.

      The issue also impacted IE, and it took Microsoft two weeks to release a binary patch on Windows Update.

      The Linux community claimed 90 minutes, when it was really two months.

      Microsoft counted it accurately as two weeks.

      Just reporting good news to yourself doesn't make you better.

    2. Re:he's probably not lying... by horza · · Score: 3, Funny


      - Linux community touted it as proof patches were fast, because it was into the source tree in 90 minutes
      - It took one month before KDE released a new binary compiled with the patch
      - It took an additional month before Redhat incorporated this into a patch for their Linux distribution.

      The Linux community claimed 90 minutes, when it was really two months.


      Or overnight for those of us using Gentoo.

      Phillip.

  16. RPC vulnerability returns. AGAIN!!! by FreeLinux · · Score: 2, Interesting

    There were 7 updates yesterday!

    And none of those updates covered the RPC vulnerability, again! That's right the Microsoft RPC vulnerability that has already been patched twice is STILL vulnerable and an exploit exists. Word is that Microsoft has been informed but, as usual, no word from Microsoft yet. The notification was sent 10 days ago.

    So much for 24 hour patches. On the other hand, I must admit that I have no desire to reboot my servers every 24 hours so, it's just as well that Bill isn't as fast as he says he is.

    I wonder if they will actually fix RPC on the third attempt.

  17. Re:Someone RAM Bill by protohiro1 · · Score: 3, Interesting
    I did some research because I am a geek. The earliest post on Usenet is from 1992 and it is someone's sig. The closest real, attributed reference that might be the origination of this I could find is this:

    It's certainly enough memory. The Mac started out with 64K, which is one sixteenth of what the Lisa started out with. Because the Mac's bit map is smaller than the Lisa's, we thought we could do something with that amount of memory. But we were pushing for 128K all the way, and about a year ago we switched to 128K. We figured out how to squeeze the applications down to that size.

    When you're writing applications that are going to be simple to use, it's important to have some boundaries that prevent you from throwing in an unlimited number of features; the memory size provides that limit. Certainly what we've got in terms of Multichart, Multifile, Multiplan, and Microsoft BASIC on the Mac are as rich as on any other machine we've seen. I think the people at Apple would openly admit that Plan, File, and Chart are more powerful than their equivalents on the Lisa, and yet they run on an eighth as much memory.

    When you do get more memory, you'll be able to have multiple applications active or have more data space available. It's partly those boundaries that have forced us to find more clever ways to do things and stay within the memory size. It's caused us to be more innovative than we would have been if we'd had a megabyte.


    -- Bill Gates, interviewed by David Bunnell in Macworld, volume 1, issue 1, 1984, pages 44-45.
    --
    Sig removed because it was obnoxious
  18. Everyone's talking, but... by banky · · Score: 2, Insightful

    ..no one is posting any hard data, any more than he is. This post references actual numbers, but other than "what a freaking liar/what a misinformed idiot" no one is offering proof on the matter.

    --
    ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
  19. But of course by JamesP · · Score: 2, Funny

    I mean, MSBlast patched my box in no time...

    --
    how long until /. fixes commenting on Chrome?
  20. Re:YA *I* think he's referring to... by 0x0d0a · · Score: 3, Insightful

    By "time until fixed in the source tree", I'm just pointing out that Microsoft may take months to roll out a patch to users in a hotfix or service pack.

    Also, to be fair, I suspect that few users immediately apply kernel patches in the Linux world. They wait until RH's up2date or Debian's apt-get sucks down the latest and greatest. A fair comparison might say "Microsoft does not attempt to supply a 'rapid-release' patch for technical users at all, unlike the Linux community. However, its time-to-Joe-end-user-release is comparable to that of Red Hat." or something along those lines.

    I certainly feel that, at least applying the immediately obvious and most useful criteria, Microsoft does *not* fix bugs (release patches) more quickly than the Linux community.

  21. Re:YA *I* think he's referring to... by tdemark · · Score: 3, Insightful

    Actually, I think he's referring to the time between Microsoft admitting there is a bug and the time a patch is available.

    Example: Today's Windows bug. Microsoft announced it today and patched it today. That's less than 24 hours to "fix" it.

    This type of logic makes perfect sense to the PR or marketing departments.

    - Tony

  22. Re:Someone RAM Bill by ComputerSlicer23 · · Score: 5, Insightful
    I'm willing to concede that it's entirely possible that Bill Gates didn't say that, if you're willing to concede that Bill Gates in 1996 might really not remember saying it, or might really be lying.

    It's not like revisionist history is a new concept. In 1981, I could completely see, Bill Gates saying the 640K quote, and have it taken out of context. One of the Watsons (of founding IBM fame, I can't remember if it was Sr, or Jr. I'm guessing Sr), once said that worldwide we'd probably only need 5 computers ever. It's not like he's terribly stupid either.

    If you really want to have fun and games, write down a particular fact that you can't remember a specific event ever happening in your childhood. Now, store that piece of paper someplace safe. Now every day imagine that event happening. Picture in your mind how you would remember it if it happened. Over the course of time, you'll "remember" it as a fact that is just like all of your other memories from childhood. You'll know it's inaccurate, but to your mind you can't tell between the old true memories, and the newly fabricated memories. It's a simple form of brainwashing. I've specific memories that I know for a fact never happened. I constructed a conversation I never had once for the purpose of trying this out. It's the old adage about a lie repeated often enough becomes true.

    I'll willingly admit it's entirely possible Bill never said that, and he surely can't prove he never said it. However, I'll never trust Bill's memory about him not saying it. However, if you tracked down the original references to it and debunk that, now you have something. Somebody has to cite it. It's in the Usenet Archives, or in old papers and trade magazines. Find the originals and debunk them, don't cite Bill saying 15 years later that he didn't say it. That's not debunking.

    Here, I'll prove it to you. "I've done some stupid things, and I've done some wrong things, but I was never born. Nobody in the human race would ever say they were born.". Does that "debunk" the fact that I was born or not? I'd say my sitting here, and typing into slashdot is pretty strong evidence I was born at some point in the past.

    A number of statistics have been proven to be false, but are cited all the time in the past. If you follow all of the original citations back, you'll find they all start at one single reference. The original person who stated it, either lied, or had something wrong with the way they came to the conclusion. By the time anybody figures that out, it'll be a "fact". I know this happened on stuff regarding sexual orientation (formerly commonly cited stat that 10% of all men are gay), and I believe it's happened on several other occasions about other commonly cited stats.

    Debunking involves getting reasonably close to the source and debunking it. Not asking somebody 20 years later, who has a vested interest in not looking like an idiot, if he said something that's blatantly stupid 20 years ago. Read up on what Bill has said about what he thought of the internet.

    I believe it was Cringely who pointed out that Bill always proclaims he was a visionary about the net, and saw ahead of everyone how much that could change the world. Yet when you read his book from that time where he was spouting off about what he thought was the next big things in computers, just as the internet went mainstream he never mentioned it once. Bill's in a position where he can't afford to say, I missed that huge new technology. He's Bill Gates, he thinks Microsoft single handedly invented the Personal Computer. Just read the end of the article.

    Kirby

  23. Re:Forced patches? by mikeswi · · Score: 3, Interesting

    Many of them(solutions) have been extensively covered recently, including plans to force users to patch automatically.

    Yea, I don't foresee any potential problems with that plan.

    I think the original post is misleading. Gates didn't say anything about forcing updates. He said that by default they would be installed automatically. There was no mention of forcing that.

    From the article:

    Microsoft is also going to make sure that people install firewalls and updates by default. "None of the security problems recently affected people who had their software up to date," Gates said. "But we made it too complex for most people. Critical security patches should be applied with the speed of the internet."

    From now on, Microsoft will install these patches automatically. And it will bring the size of the patches down to satisfactory portions. "We used to send megabytes of software to fix a 20 byte file," Gates said.

    That's fine by me. Make it the default but leave a way to turn it off for those who wish to. Microsoft has a habit of putting out buggy patches that create worse problems than whatever they are fixing.

    I wouldn't even mind if they made the off switch hard to find. If someone can't figure out on their own how to turn the thing off, most likely they are exactly the type that needs it turned on.

  24. Why Windows is badly designed. by sashang · · Score: 2, Insightful

    From Gates himself: "How could we ignore the browser?," Gates responded. "The Explorer is fully integrated with the operating system, take it away and the OS grinds to a halt. When you call up Help, you're using the browser. In Office 2003 instead of going to the local files, the browser will go online and fetch the latest documents."
    Any software engineer/programmer who reads this can make a good case for bad design of windows because it's not modular. What morons design an OS that depends on a higher level application. In this case it's IE but it could easily be any other application, like solitaire. Of course it's rubbish that the Windows OS depends on IE but this is the story they have to front ever since they won the case against Netscape.

  25. Re:YA *I* think he's referring to... by Mattcelt · · Score: 3, Interesting

    My thoughts exactly. The fact is, MS usually waits until it is ready to release a patch before it announces the vulnerability, and whines loudly when someone decides to notify the user community before the hotfix is available.

    The problem is, the bug may be discovered independently by some knowledgeable crackers and taken advantage of for months while stolid MS works at its own pace to 'fix' the problem. (Which, incidentally, often a) doesn't fix the whole problem, or b) introduces other problems.)

    Worse yet, when the user community doesn't have knowledge of a problem and a cracker does, the user, who may have been able to obviate the problem through another means (blocking RPC at the firewall, or whatever), is now left defenseless until MS gets around to telling them about the problem.

    So if MS can keep everybody's mouth shut about the problem until it's ready to release the patch, of course they're going to have an incredible record for getting patches out quickly.

  26. Crediting MS Trolling by _Sprocket_ · · Score: 2, Interesting


    You guys... tout how "open source is great because problems get fixed right away!", but when MS catches up to that, all you can focus on is Bill Gates making a comment about Linux that isn't favorable.


    You're right. Microsoft has gotten better. Whether they've caught up is a point for debate. But at least they have generally improved their reaction speed. Let's give credit where it's due.

    Now - issues such as ignored bugs, fundamental design flaws, non-patches, destructive patches, so-called Responsible Disclosure, "I wish those people just would be quiet", etc are all fodder for other holy wars.



    Geez, you guys find fault in every attempt Microsoft makes to address the issues you all have been noisy about.


    Heaven forbid someone think that Microsoft's attempts to "address the issues" might be anything but. You refer to this whole article as an Anti-MS troll. Pray tell what you think Mr. Gates's statement is. How does Linux play into the improvement of Microsoft's commitment to a secure product?

    Instead of trying to get in a (questionable) jab at Linux... perhaps he could have referred to his own company's record. Something along the lines of "We've gone from little over 40 hours on average to 24 hours. We've really improved since the mid-90s and Windows NT when we didn't really have any focus on security."

    But hey - that's just not Mr. Gates's style. And I'm sure he's got quite a following of fanboys who call that "aggressive" and "good business". Even as they sneer at "Linux zealots" and "anti-MS" criticism.
  27. Re:YA *I* think he's referring to... by Penguinshit · · Score: 2, Interesting

    IIRC, I got my Debian SSH and Sendmail patches same-day. I have NEVER seen Microsoft even respond to a bug submission that fast, let alone release a working patch.

  28. Well duh... by Alan+Hicks · · Score: 2, Funny
    'We've gone from little over 40 hours on average to 24 hours. With Linux, that would be a couple of weeks on average.'

    It's quite obvious that he's talking about the rate at which they are finding vulnerabilities, not the rate at which they are fixing vulnerabilities.

    --
    Slackware, what else when it must be secure, stable, and easy?
  29. Patching Faster vs. Patching Easier by Taco+Cowboy · · Score: 2, Insightful



    The reality is that no one can produce, however we have tried, a perfectly bugless software.

    And there is no way we can be certain that our softwares don't have any unintentional vulnerability either.

    Nobody likes software patches, but it is a necessity if we want to make our softwares work better.

    The question is not how fast one makes the patch - although it's very important - the keypoint in making patches is how EASY we can make our patch-delivery system work.

    No doubt that the Linux patches, at least most of them, come out way faster than those of the MS-Windows camp. But there is _one_ thing that we can learn from Microsoft - they have made their patch delivery system (aka www.windowsupdate.com) something that can be used by most users.

    I am not saying that the Linux patching process is cumbersome, but we gotta admit that the average users (not sysadmins) just can't begin to understand how to patch their Linux boxes.

    If we can come up with something that approach the ease of www.windowsupdate.com, perhaps Linux can be used by even more not-so-tech-savvy users.

    I know, I know, there's a world of difference between MS-Windows and Linux, but what I am talking about is the deliverance of our software patches - and in this case, Microsoft has something that we can learn from.

    Thank you for reading.

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Patching Faster vs. Patching Easier by AstroDrabb · · Score: 3, Informative
      I am not saying that the Linux patching process is cumbersome, but we gotta admit that the average users (not sysadmins) just can't begin to understand how to patch their Linux boxes.
      What? Have you ever used Red Hat's up2date tool? It is easier than windows update. It is just a GUI app that you click Next in about 3 times, wait for the new packages to download and you're done. What in the world could be hard about that? Red Hat even has a little icon that sits in the notification area and turns a bright red with an exclamation point when there are updates available. Clicking on that brings up the uber-newbie friendly GUI to download them. No terminal (command line) involved. No rebooting involved (unless you upgrade the kernel). You can install ALL the updates at once with NO reboot between them, unlike many MS updates, especially service packs that require a reboot. Please don't mention chain loader, no average Joe is going to be able to use that.
      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
  30. I vote for "Managing the truth" by EmbeddedJanitor · · Score: 2, Informative
    For my sins I've done extensive work with WinCE. Often we've found serious bugs for which no fix ever came about. I've never seen a fix come out in less than a month. When you do get fixes they're in the form of "QFEs". Currently you need to download a gigabyte of this shit to fix WinCE3.0.

    In comparison, I've seen Linux fixes come out in less than 30 minutes. Likely having Linux hackers spanning all time zones helps a lot to improve bug fixing time. Report bug at 6pm, patch available 8am.

    --
    Engineering is the art of compromise.
  31. Re:Lying or Misinformed? by EvilTwinSkippy · · Score: 2, Interesting
    You have obviously never rolled out a new version of Windows or Office. I've had all of those problems, AND MORE. And that's from the same vendor with the same supposed product.

    I have set up Linux and Windows workstations in production environments. Hell, most of the people who use my Linux terminals are oblivious to what's running underneath, save that it is windows. Is it a drop in replacement for Windows: hell no. Can it work on a large scale: hell yes. Do you realize that certain design assumptions built into windows are utterly asinine: only if you did it right.

    Your first sign of trouble is a "week long rollout." For God's sake, it's taken our organization 3 years to migrate to 2000. And that's only 300 workstations. We are installing Linux on our end-of-life machines and setting it up in a few public labs for people to beat on. I find out what people break (or perceive as broken) before I reformat one machine.

    And for the record, if you are migrating to Linux to save money you missed the point.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  32. Marketing by ralphus · · Score: 3, Informative
    Tricks. It's all tricks.

    I recently was in a Microsoft webinar regarding patch management. If you are interested, or a glutton for punishment, this was it. At one point they showed a histogram on the screen that was intended to show vulnerabilities in operating systems and how MS was beating everyone on the planet. Major Microsoft products were all broken down by release, e.g. Windows 2003, Windows XP, Windows 2000, Windows NT, etc. Linux and BSD were categorized by distribution only, e.g. Redhat, Debian, BSD etc.

    Windows 2003 appeared at the far left with only a few vulnerabilities. Windows 2003 was actually the "winner". It even "beat" BSD! Now think about that histogram for a minute. It created false divisions that did an apples to oranges comparison. The sum total of Debian vulnerabilities likely refer to all released versions of a Debian distribution with all possible packages installed while Win2003 likely refers to only a Win2003 retail box installed with the bare minimum options.

    Marketing is a black art. I have some personal experience, but NDAs to bind me. It's an art of trying to create and/or shape ideas in the mind of your customers, critics and competitors. The most successful marketing is that which makes them believe they came to the ideas you wish them to hold of their own volition.

    --
    Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
  33. Two quotes by bruns · · Score: 2, Funny

    --------
    Gates also doesn't seem to have a lot of faith in 64 bit technologies in the consumer space. "64 bit is coming to desktops, there is no doubt about that," he said. "But apart from Photoshop, I can't think of desktop applications where you would need more than 4 gigabytes of physical memory, which is what you have to have in order to benefit from this technology. Right now, it is costly."
    ---------
    This coming from the same person who said 640kb is more than enough for anyone?

    and this one
    ---------------
    Gates is optimistic about meeting the challenge of the new security threats, he told reporters. "We have to. We invented personal computing. It is the best tool of empowerment there has ever been. If there is anything that clouds that picture, we need to fix it."
    ---------------
    I thought Apple invented personal computing?

    --
    Brielle
  34. A specific example. by AYeomans · · Score: 2, Informative

    Let's look at MS03-041, examine the Windows XP Gold patch.

    Run "WindowsXP-KB823182-x86-ENU.exe /x" to extract the components.

    24 Jul 2003: date of most recent component file
    25 Jul 2003: date of patch file (using wget to obtain timestamp).
    14 Oct 2003: "Date published" according to Microsoft.

    I make that 82 days to release.

    --
    Andrew Yeomans