Slashdot Mirror
Bill Gates: Windows Patched Faster than Linux
petard writes "In a very interesting interview published by the Register, Bill Gates made several interesting claims about Longhorn. Many of them have been extensively covered recently, including plans to force users to patch automatically. Surprisingly, everyone seems to have overlooked his statement that Microsoft fixes bugs faster than Linux developers do. 'We've gone from little over 40 hours on average to 24 hours. With Linux, that would be a couple of weeks on average.' Either he's lying or woefully misinformed; their recent performance seems to be more on the order of 3+ months, or over 2000 hours."
Maybe they meant they make bugs faster?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Why do you think they are giving Linux so much attention these days? I think this means we are now in between the "They laughed at us" and "They tried to fight us" part.
And if we follow Mahatma Gandhi's approach, the best approach is to keep doing what we do while letting MS bash away. Eventually it will become quite evident as to which side is interested in doing good for their fellow man.
Un-news
And NONE in the preceding month. Microsoft may (or may not) be fixing them in 24 hours. But they are now officially on a once a month patch RELEASE schedule.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.
Immunix: Security Hardened Linux Distribution
I'd like to know what part of the process he is talking about? Is that the time between when the hole is made public and when the patch is released? That would explain things a bit... since MS typicaly can keep the news under wraps until they release the patch simultaneously.
Including a lot of "0 seconds between bug announcement and patch release" is bound to give you a much lower average. So, it would be possible for MS to receive 85 bug reports, surpress all but one for three months, release 85 patches and average just a bit better than 24 hours between public announcement and patch.
Now I'm no Gates apologist -- I haven't even used Windows for years, except when I am forced to kicking and screaming -- but harping on these statements bothers me.
In 1981, NOBODY needed 640k on the desktop. IBM PCs shipped with a tenth that amount of memory. Even assuming memory growth is exponential in the same manner as Moore's Law, this meant that the average user probably wouldn't need 640k for five years or more. Even in 1987, I remember programs (such as WordPerfect 4.2) that could fit on a single 360k floppy -- so the 640k prediction held for several generations of machine. Not a bad prediction in the computer industry.
There were good reasons for making the 640k assumption. All I'm saying is, don't fault an engineer for making a design decision, even if you don't like him personally.
Having said that, you want a desktop application that takes up more than 4 GB of physical memory? Go download the OpenOffice source and add a line:
calloc(4294967296,sizeof(char));
Take THAT, Bill!
Toronto-area transit rider? Rate your ride.
Most likely, he's just reporting what he's being told. And most likely, it's being mis-measured by someone.
Microsoft is a big company, and Windows is a very complex beast. My initial thought is that perhaps the security developers do indeed code and submit a patch within 24 hours.
But then the patch has to wend its way through the labyrinth of QA and regression testing. Because Windows is so highly integrated, even small changes can have big unforeseen consequences, so they can't rush patches out the door without breaking things. I believe Microsoft makes patches available via their support pages well before it hits Windows Update. What *we* are measuring is the time from bug report to being in Windows Update; what *they* are probably measuring is time to patch submittal or time to initial availability via support.
I really, really prefer the improved code separation in the Unix environment; if, say, BIND has a problem or exploit, it's highly unlikely that a patch it will break Postfix or Apache. Because things are better-separated, the developers understand their packages better and can more confidently push patches into their stable branches.
I worry a little about the way the Unix desktops are becoming increasingly interdependent, with lots of libraries and lots of integration... are we going to end up in the same place, eventually? Microsoft doesn't employ idiots, and considering the amount of trouble they've had scaling, well.... I just hope the free software developers are thinking about this.
Sig removed because it was obnoxious
By "time until fixed in the source tree", I'm just pointing out that Microsoft may take months to roll out a patch to users in a hotfix or service pack.
Also, to be fair, I suspect that few users immediately apply kernel patches in the Linux world. They wait until RH's up2date or Debian's apt-get sucks down the latest and greatest. A fair comparison should might say "Microsoft does not attempt to supply a 'rapid-release' patch for technical users at all, unlike the Linux community. However, it's time-to-Joe-end-user-release is comparable to that of Red Hat." or something along those lines.
I certainly feel that, at least applying the immediately obvious and most useful criteria, Microsoft does *not* fix bugs (release patches) more quickly than the Linux community.
May we never see th
When is the last time a vulnerability in the windows kernel was found? To be fair, we will include vulnerabilities in the HAL, since in Linux the kernel contains that functionality as well.
OpenSSH is a part of Linux as much as RPC or Windows Messaging is a part of Windows.
If a linux kernel exploit is fixed in minutes, then it was a pretty dumb bug. Microsoft has been good lately about doing proactive security reviews, and they often find holes before anyone else does. Linux mostly seems to do reactive fixes, at least from where I'm sitting. Which is to say, at a Windows XP machine, but right next to a gentoo Linux system.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Actually, I think he's referring to the time between Microsoft admiting there is a bug and the time a patch is available.
Example: Today's Windows bug. Microsoft announced it today and patched it today. That's less than 24 hours to "fix" it.
This type of logic makes perfect sense to the PR or marketing departments.
- Tony
It's not like revisionist history is a new concept. In 1981, I could completely see, Bill Gates saying the 640K quote, and have it taken out of context. One of the Watson's (of founding IBM fame, I can't remember if it was Sr, or Jr. I'm guessing Sr), once said that worldwide we'd probably only need 5 computers ever. It's not like he's terrible stupid either.
If you really want to have fun and games, write down a particular fact that you can't remember a specific event ever happening in your childhood. Now, store that piece of paper someplace safe. Now everyday imagine that event happening. Picture in your mind how you would remember it if it happened. Over the course of time, you'll "remember" it as a fact that is just like all of your other memories from childhood. You'll know it's inaccurate, but to your mind you can't tell between a the old true memories, and the newly fabricated memories. It's a simple form of brainwashing. I've specific memories that I know for a fact never happened. I constructed a conversation I never had once for the purpose of trying this out. It's the old adage about a lie repeated often enough becomes true.
I'll willingly admit it's entirely possible Bill never said that, and he surely can't prove he never said it. However, I'll never trust Bill's memory about him not saying it. However, if you tracked down the original references to it and debunk that, now you have something. Somebody has to cite it. It's in the Usenet Archives, or in old papers and trade magazines. Find the originals and debunk them, don't cite Bill saying 15 years later that he didn't say it. That's not debunking.
Here, I'll prove it to you. "I've done some stupid things, and I've done some wrong things, but I was never born. Nobody in the human race would ever say they were born.". Does that "debunk" the fact that I was born or not? I'd say my sitting here, and typing into slashdot is pretty strong evidence I was born at some point in the past.
A number of statistics have been proven to be false, but are cited all the time in the past. If you follow all of the original citations back, you'll find they all start at one single reference. The original person who stated it, either lied, or had something wrong with the way they came to the conclusion. By the time anybody figures that out, it'll be a "fact". I know this happened on stuff reguarding sexual orientation (formely common cited stat that 10% of all men are gay), and I believe it's happened on several other occasions about other commonly cited stats.
Debunking involves getting reasonable close to the source and debunking it. Not asking somebody 20 years later, who has a vested interest in not looking like an idiot, if he said something that's blatantly stupid 20 years ago. Read up on what Bill has said about what he thought of the internet.
I believe it was Cringely who pointed out that Bill always proclaims he was a visionary about the net, and saw ahead of everyone how much that could change the world. Yet when you read his book from that time where he was spouting off about what he thought was the next big things in computers, just as the internet went mainstream he never mentioned it once. Bill's in a position where he can't afford to say, I missed that huge new technology. He's Bill Gate's, he thinks Microsoft single handedly invented the Personal Computer. Just read the end of the article.
Kirby
I think the original post is misleading. Gates didn't say anything about forcing updates. He said that by default they would be installed automatically. There was no mention of forcing that.
From the article:
That's fine by me. Make it the default but leave a way to turn it off for those who wish to. Microsoft has a habit of puting out buggy patches that create worse problems than whatever they are fixing.
I wouldn't even mind if they made the off switch hard to find. If someone can't figure out on your own how to turn the thing off, most likely they are exactly the type that needs it turned on.
Only on
My thoughts exactly. The fact is, MS usually waits until it is ready to release a patch before it announces the vulnerability, and whines loudly when someone decides to notify the user community before the hotfix is available.
The problem is, the bug may be discovered independently by some knowledgable crackers and taken advantage of for months while stolid MS works at its own pace to 'fix' the problem. (Which, incidentally, often a) doesn't fix the whole problem, or b) introduces other problems.)
Worse yet, when the user community doesn't have knowledge of a problem and a cracker does, the user, who may have been able to obviate the problem through another means (blocking RPC at the firewall, or whatever), is now left defenseless until MS gets around to telling them about the problem.
So if MS can keep everybody's mouth shut about the problem until it's ready to release the patch, of course they're going to have an incredible record for getting patches out quickly.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
I recently was in a Microsoft webinar regarding patch management. If you are interested, or a glutton for punishment, this was it. At one point they showed a histogram on the screen that was intended to show vulnerabilities in operating systems and how MS was beating everyone on the planet. Major Microsoft products were all broken down by release, e.g. Windows 20003, Windows XP, Windows 2000, Windows NT, etc.. Linux and BSD were categorized by distribution only, e.g. Redhat, Debian, BSD etc...
Windows 2003 appeared at the far left with only a few vulnerabilities. Windows 2003 was actually the "winner". It even "beat" BSD! Now think about that histogram for a minute. It created false divisions that did an apples to oranges comparison. The sum total of Debian vulnerabilites likely refer to all released versions of a Debian distribution with all possible packages installed while Win2003 likely refers to only a Win2003 retail box installed with the bare minimum options.
Marketing is a black art. I have some personal experience, but NDAs to bind me. It's an art of trying to create and/or shape ideas in the mind of your customers, critics and competitors. The most successful marketing is that which makes them believe they came to the ideas you wish them to hold of their own volition.
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout