Slashdot Mirror


Microsoft Raises Security Game, Notes Shortcomings Elsewhere

LMCBoy writes "Steve Ballmer recently told an industry conference that Microsoft software is more secure than Linux. PJ at Groklaw has a nice, thorough analysis of this dubious claim. She points out that not only are there vastly more Microsoft exploits reported, but that the exploits tend to be much more severe, involving remote administrator access." In related news, mhesseltine writes "According to an article from the Washington Post, in an unusually ironic twist, Microsoft has started talking smack about their own products, instead of those of their competitors. Bill Gates said of Office 'it's too hard to find things in e-mail' and described some features of Word as 'clunky.'"

10 of 490 comments

  1. Article Text ( slashdotting in effect ) by grasshoppa · · Score: 3, Informative

    Wednesday, October 22 2003 @ 06:44 AM EDT

    You know I couldn't resist covering this story. Microsoft's Steve Ballmer picked up his glove and slapped Linux across the face in a speech given at an industry conference thrown by...who else, Gartner?

    In his speech, he said some peculiar things about security:

    "Ballmer ... disputed the notion that open-source code is more secure than Windows. 'The data doesn't jibe with that. In the first 150 days after the release of Windows 2000, there were 17 critical vulnerabilities. For Windows Server 2003 there were four. For Red Hat (Linux) 6, they were five to ten times higher,' he said.

    "'The vulnerabilities are there. The fact that someone in China in the middle of the night patched it--there is nothing that says integrity will come out of that process. We have a process that will lead to sustainable level of quality. Not saying we are the cat's meow here--I'm saying it is absolutely not good reasoning to think you will get better quality out of Linux.'"

    Ballmer's being a naughty boy again. China indeed. "In the middle of the night." Trying to frighten the children with overtones. And playing with numbers. What year is it again? Red Hat 6? Pardon me for pointing it out, but they are up to 9 now. He's choosing a 150-day period from back in the day -- and I wonder how long it took to pick the best segment of time to use -- and using that for comparison? There is a lot that can be said about this, but it's not really necessary to do any research on this sad subject, I don't think. Everyone on a Windows box just went through the worst summer and fall of security issues of all time. They already know he's just ...well, what would be the precise word here? You hate to say lying. It's so cold.

    However, let's do a little research, just for fun.

    Judge for yourself which operating system is more vulnerable to security problems by going down the list on CERT's Incident Notes page. It goes back to 1998. And here is their Current Activity page. It's almost all Microsoft issues. Here's their Vulnerabilities Notes page. It's all Microsoft, except for one, which isn't Linux. Here is their most recent quarterly summary. And after you look at all the data, what do you think now? Was Mr. Ballmer accurate? The only way I could find Linux prominently on any list was to type it into the Customized Search engine by itself on this page, and then when you get to the list, it's a list for all vulnerabilities of all the distributions of Linux, not just Red Hat. I couldn't find anything equivalent to Microsoft announcing a vulnerability and then saying there was no patch and you should just shut that particular functionality down. Ballmer said there were 17 critical vulnerabilities in Windows 2000 in the 150-day period and that Red Hat had considerably more. But look at the list: it shows only 16 vulnerabilities for all flavors of Linux for the entire year of 2000. CERT only lists the big ones, but Ballmer did say "critical". It makes you wonder where he got his numbers from or how he defines "critical".

    Funny he would choose such an old time period, don't you think, for his comparison? Maybe it's because looking at July through October of this year would be devastating? I see only two Linux vulnerabilities on the list for that time period, both buffer overflow vulnerabilities, so evidently there has been considerable improvement on the Linux side.

    Look at what could happen to you on a Windows box in the first two weeks of September 2003, though, just using a handful of the many recent vulnerabilities here and here and here and here and here and here and here. I didn't include July and August or October or the rest of September, out of kindness. Now, what Mr. Ballmer needs to do is show me anything like that kind of news coverage of security vulnerabilities in GNU/Linux, for any two week period. And speaking of critical, look at what the results could be from the Windows security issues:

    "'An att

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  2. Re:Pah by pi+eater · · Score: 2, Informative

    Bullshit.

    80% of the computer newbies I talk to have no idea what Linux or UNIX are. A lot of them do not make a clear distinction between the OS and the hardware it runs on.

    "What kind of computer do you have?"
    "Windows 95!"

    geeky shirts and more

  3. Clunky by Anonymous Coward · · Score: 3, Informative

    ...described some features of Word as 'clunky.'"

    I guess that's what happens when you bloat Office up with pinball games, flight simulators and 3D Doom clones.

  4. Talking to Congress by sphealey · · Score: 4, Informative
    A comment on Groklaw (which I cannot find at the moment) made the point that Ballmer is probably talking to Congress: he is angling for a bill outlawing the GPL. Which I agree is a strong possibility.

    sPh

  5. Re:Nobody's ass on the line? by jdhutchins · · Score: 2, Informative

    No. Let's look at two cases:
    1) Closed source. You write b/c you get paid, not necessarily b/c you like to. You may or may not care about your product. You write crap code, people may or may not see, and they probably don't care. If it squeaks past QA, it's good to go. If it has a hole, no one remembers that you wrote it, and no one cares.

    2) Open source. You write it because you want to (99% of the time). For most major projects, it gets checked out before it is let into the cvs. Smaller projects may be different, but we're not talking about those. If your code turns out to be crap, people remember it, and that DOES affect your reputation.

    I'm not saying that all open-source code is good and all closed-source is bad, I'm just giving the different environments in which they are written.

    Small projects may take crap code, but the larger ones (ones that are used more often) don't take crap code.

  6. Re:Sure Windows is more secure than Linux... by wmaker · · Score: 2, Informative

    anyone could change their root user to a different UID, and add a different user as root, who gives a damn.

  7. Re:Pah by gfxguy · · Score: 3, Informative

    My father has his own accounting firm. When the software vendor for his tax program told him they were announcing end-of-life support for their Windows 98 software, he faxed back their announcement with "so support LINUX!" written across it in big black sharpie ink.

    --
    Stupid sexy Flanders.
  8. Re:Like shooting fish in a barrel by Keighvin · · Score: 2, Informative

    Yes, I tried to complain to Microsoft about a bug in their software. As a developer of a web-app we came across a limitation in IE, whereby when writing via javascript to the page body of a newly opened window, if those instructions referenced the loading of an external CSS or JavaScript file, the whole mess would lock up and foobar the browser. But only if ActiveDesktop was on, which at that point was a default setting for new installations (and everyone here knows what that means).

    'Twas my job to isolate the exact cause and reproduce the example in a portable manner for Microsoft to examine whilst also finding us a workaround.

    In the end, the only way we could get that bug report heard and perhaps, maybe possibly attended to in our lifetimes in a future version, was to submit it through a support contract.

    That's right, it cost us money to tell them their software was bad and never saw anything in return (used up one of our support instances and that was it). Bravo, Mr. Land-of-indemnifying-software, bravo - we shipped product with the workaround, at additional time and development cost for the labor.

    --
    Any spoon would be too big.
  9. Re:Sure Windows is more secure than Linux... by Tenareth · · Score: 2, Informative

    Uhm... That was pretty stupid. Most people do not allow direct login with root, they login with a normal user and su to root, giving you your complete control. But it requires knowing 2 passwords instead of one.

    --
    This sig is the express property of someone.
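    Comments 6 and 9 between them make the two points an auditor actually checks for: root privilege is UID 0, not the account name "root" (so a second UID-0 account is a second root, whatever it is called), and direct root login should be disallowed in favour of logging in as a normal user and using su. The following POSIX shell audit is an added example, not code from any poster on this thread. It runs over constructed passwd and sshd_config samples (not real system files), and it assumes sshd's PermitRootLogin directive is the mechanism meant by "do not allow direct login with root", which the thread itself does not name.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for extra UID-0 accounts and an
# sshd_config for whether direct root login is still permitted.
# Both inputs are constructed samples written to a temp dir, not real files.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed /etc/passwd: "toor" is the "add a different user as root" trick,
# "operator" has GID 0 but a non-zero UID and must NOT be flagged.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
operator:x:1001:0:Op:/home/operator:/bin/sh
EOF

# Constructed sshd_config: the commented-out "no" is a decoy; the live
# directive is "yes". Keyword matching is case-insensitive, as in sshd.
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Every account whose UID is 0 but whose name is not "root", one per line.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Number of UID-0 accounts; a hardened box has exactly one.
uid0_count() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# Effective PermitRootLogin value. sshd honours the first uncommented
# directive; "yes" as the fallback is the historical OpenSSH default of the
# period (assumption stated in the lead-in).
permit_root_login() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    echo "${val:-yes}"
}

# Stand-alone report.
printf 'UID-0 accounts in passwd: %s\n' "$(uid0_count "$SAMPLE_DIR/passwd")"
for u in $(extra_uid0_accounts "$SAMPLE_DIR/passwd"); do
    printf 'WARNING: non-root account with UID 0: %s\n' "$u"
done
printf 'sshd PermitRootLogin: %s\n' "$(permit_root_login "$SAMPLE_DIR/sshd_config")"
```

    The GID-0 account is deliberately left unflagged: group 0 membership is not root privilege, and flagging it is the usual false positive in naive versions of this check. Point the three functions at /etc/passwd and /etc/ssh/sshd_config to run it against a live host.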
  10. ICAT doesn't lie -- Ballmer is smoking weird stuff by wingspan · · Score: 2, Informative
    Check out the ICAT Metabase statistics:

    # of high and medium vulnerabilities, last 3 months:
    Windows2000 = 11
    RedHat -- Linux = 4

    # of high and medium vulnerabilities, last 6 months:
    Windows2000 = 13
    RedHat -- Linux = 11

    # of high and medium vulnerabilities, last year:
    Windows2000 = 24
    RedHat -- Linux = 11