Microsoft Raises Security Game, Notes Shortcomings Elsewhere
LMCBoy writes "Steve Ballmer recently told an industry conference that Microsoft software is more secure than Linux. PJ at Groklaw has a nice, thorough analysis of this dubious claim. She points out that not only are there vastly more Microsoft exploits reported, but that the exploits tend to be much more severe, involving remote administrator access." In related news, mhesseltine writes "According to an article from the Washington Post, in an unusually ironic twist, Microsoft has started talking smack about their own products, instead of those of their competitors. Bill Gates said of Office 'it's too hard to find things in e-mail' and described some features of Word as 'clunky.'"
Do you think it could POSSIBLY be due to the fact that Office 2003 just came out and they need to find a reason to get people to buy it?
"Bill Gates said of Office 'it's too hard to find things in e-mail' and described some features of Word as 'clunky.'"
Even people that don't know anything about computers know that Linux is that "other thing" that's "more secure". I know which would be my chosen OS to run any kind of internetwork-connected services. And it's not Windows.
When the version of Linux is Lindows and it's administered by a monkey who leaves it lying around a student lab logged in as root.
On a more serious note, security depends more on the person administering it than on the software itself, up to a point. Sure, you _can_ leave yourself wide open on Linux as well as on Windows; it's just that on Windows it's much easier (e.g. using OE or IE, or not turning off messaging services or RPC) compared to Linux (installing something compromised, or bad physical security).
Beep beep.
Since the sources to Windows are not open, it would be most likely to have the fewest discovered security holes. Programs like OpenSSH and the Linux kernel itself (and many others) have sources available, which makes it easier to locate the security holes, but then again they are fixed quicker.
Now, since this isn't even true (according to PJ at Groklaw), we can only imagine how much more there is in Microsoft Windows.
Note to self: get smarter troll to guard door.
Ballmer states that there's "nobody who has his rear end on the line" with Linux.
...
I posit that Linux developers have something rather important on the line; their reputations, professional and personal. When you ship open-source code, you are showing the world how good, or how bad, you are. Your reputation can be made or broken by the code you release.
Contrast that with all too many developers in commercial shops, whose code is read by nobody but their immediate co-workers and nobody takes responsibility for bugs.
If Microsoft employees' asses are on the line, show me a firing or two every time a security hole shows up. And not just the line programmers; bring me the heads of the designers who designed things badly, the project managers who made hitting deadline more important than getting it right, and the managers who let it all happen.
I would say that in the vast majority of cases, commercial programmers' asses are NOT on the line, in terms of security problems. As long as you crank out code fast enough to keep up with your co-workers
Ballsack^H^H^H^Hmer said: "The data doesn't jibe with that. In the first 150 days after the release of Windows 2000, there were 17 critical vulnerabilities. For Windows Server 2003 there were four. For Red Hat (Linux) 6, they were five to ten times higher."
Why don't we compare Windows Server 2003 to RedHat Enterprise v3? Or Windows 2000 to RedHat 9? RedHat 6? That's what, 3-4 years old now!
And don't make me bring up WinME, Steverino.
No, no and no.
If Honda Accords cost $250,000 and Ferraris were $19,000, there would be more problems with Ferraris than Hondas. Point is, there are millions and millions of people pounding away at MS products with little or no technical expertise and being productive with them. This comes at a price, which is ease of use and simplicity and a standard setup. Simplicity and a standard setup lead to security holes. This doesn't mean MS products are shit, it only means they have security holes.
unusually ironic twist, Microsoft has started talking smack about their own products,
When you get into the big leagues, a league of your own, a world of your own, then the only critic you can accept is yourself.
Because, after all, everyone else is incompetent, a sniping dog of a rival, etc., or they wouldn't be as successful as us!
A consistent attitude from a company that brings us Innovation through embrace, extend and extinguish.
"Provided by the management for your protection."
I'll bet a few bucks that it does not allow customers to "indemnify" MS in any manner that the agreement could possibly defend against in a court of law, and a few that it couldn't, just for good measure.
"For there is no law more just than that the contrivers of death should perish by their own art."
"It's too hard to find things in e-mail." translation: "We're going to start the murmurings now for a proprietary database-backed email system, from back end to user interface."
By making comments like this now, Bill will have leverage against the DoJ when they bring up the spectre of the anti-trust settlement. "It's a necessary feature--we recognised that back in 2003."
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
1. Microsoft now has to spend as much of its time competing against itself as it does everyone else. (Quote: "With each version of Office it gets harder for Microsoft to move customers up," said Michael A. Silver, vice president and research director at the research and advisory firm Gartner Inc.)
DUH. Pretty much everyone admits this. If they never EOL'd anything, people would probably just stay on NT4 with Office 97 (assuming it works for them).
2. Microsoft thinks it offers more advanced, and usually better products, and offers metrics to prove those points.
DUH. In other news, Linux organizations (along with "grass-roots" sites like Slashdot) offer counter-points and different metrics of performance, value, and success.
In 10 words or less, "Microsoft practices marketing, others offer rebuttal."
How's the new Office if you're a home user with small email volume? Is it a compelling upgrade?
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
That's not the problem...the problem is you have to pay several hundred dollars for it over and over again every year or two.
"Should there be a reason to believe that code that comes from a variety of people around the world would be higher-quality than from people who do it professionally? Why is its pedigree better than code done in a controlled fashion? I don't get that,"
I can see that: random security modules being submitted by guys at NSA. I mean really, what does the NSA know about computer security? Clearly the MS campus is streets ahead of those unprofessional losers...
Jedidiah
Ballmer did make a questionable claim, but the submitter of this story made it more general than it really was.
In other words, he didn't say Microsoft software (people start imagining IE, Outlook, etc.) in general is more secure than Linux; he said Windows 2000 and 2003 had fewer 'critical vulnerabilities' than Redhat 6.
Now, I'm not defending Ballmer here, but I do wish story submitters would chill on the flame-bait headlines.
Now, with that aside, here are a few things wrong with that statement:
- One of those 'critical vulnerabilities' in Windows 2000 facilitated a very widespread attack, something that hasn't happened with Linux.
- Redhat is up to what.. 9 now? Redhat 6 is going back at least a couple of years. It's disappointing that he didn't pick a more recent version of Redhat. Something tells me that their numbers for critical issues weren't so interesting.
- The number of security issues is not a very good measure of security. It sounds great for the PHBs out there, but it is well documented that Microsoft's foundation is, in general, not very secure. Those critical vulnerabilities are going to do more damage on a Microsoft platform than a Linux-based one.
So, to summarize: Ballmer's full of shit and the authors need to be more responsible in their reporting, especially when sites can be Slashdotted.
"Derp de derp."
"There is no road map for Linux, nobody who has his rear end on the line."
Quick, alert Linus and the rest of the kernel maintainers and planners. Also, better not spread around the road map for Linux so Ballmer won't look like a fool.
"We think it's an advantage a commercial company can bring--we provide a road map, indemnify customers."
ROFL! Indemnify?! Ever read a Microsoft EULA? You're on your own, buddy. How stupid does he think people are? Never mind, don't answer that...
"They know where to send e-mail."
Oh, puleeeze! Ever try to complain to Microsoft about a bug in their software? Now, take that to the next level. Ever try to complain to one of their software developers about a bug in the particular software they wrote? What's that? You have no idea who wrote that piece of software? And you have no way of finding out? So tell me again where the accountability is.
"None of that is true in the other world."
Uh, precisely the opposite of what you said, but thanks for playing anyway. Tell Steve what he's won. Seriously, it really is just the opposite. Linux code comes with people's name on it. You want accountability? Put your name on software used by millions and put it out into the world to be dissected.
"So far, I think our model works pretty well,"
(Wiping the tears from my face while I shake with laughter) If the current mess of the state of Windows is his idea of things working "pretty well," oh, never mind... This speech sure wasn't directed at the clueful.
That means, of course, that most reporters will report it verbatim and at face value. *sigh*
I know you're trolling, but for others who might actually be feeling this way, you can always go into prefs and turn Microsoft stories off.
But that would be a reasonable solution to your problem, wouldn't it? Sorry.
These threads invariably involve, at the top mod levels, derogatory comments about the quality of Microsoft code and products, conspiracy theories about the true motives behind Microsoft's intentions (always), sarcastic jokes agreeing with the action in question, a sad reflection on how new users, PHBs and/or the world at large is accepting this action, and an impressively-inventive-if-completely-unnecessary variety of miscellaneous other anti-Microsoft rhetoric.
I am not going to rehash the old and tired arguments about Microsoft, or even say I disagree with much of it. That is beside the point.
What is important is that open source in general and slashdot in particular should be different, and they are utterly NOT. Steve Ballmer comes out and spreads some FUD on Linux. Ya, it's FUD, and it's not true, and he's fundamentally wrong about quality and open source, and besides Microsoft just this and that and blah blah blah. So what.
I can see how the first two or three or ten times you hear this shit from Microsoft you want to scream from the mountaintops how wrong it is. What I utterly will never ever understand is how you can get off, get this big rhetorical hard on, four and five times a day week in and week out over the SAME BULLSHIT. It's FUD now just like it was FUD last year and FUD the year before that and, as far as the slashdot crowd is concerned at least, FUD in 1976 when Bill Gates wrote an Open Letter to Hobbyists.
It would seem to me that, confronted with all of this disagreeable stuff coming out of Microsoft, the slashdot crowd would eventually learn the productive and elevated response is to
A> Shrug.
B> Take the high road and acknowledge every sliver of truth in every criticism, ignoring the juvenile manner in which it may have been delivered, and use this reflection to further improve open source. Parse FUD for constructive criticism. If there is none to be gleaned, see A>. Is there *anything* about Linux's patching model or security that could be improved? Is there the slightest kernel of truth in what Ballmer says?
But when I think about it I realize the benefit of anti-Microsoft jihad posts filled with propagandist comments isn't to convey any new information or spark new insights but to further reinforce and perpetuate the community formed around slashdot. Read Clay Shirky's brilliant A Group Is Its Own Worst Enemy. External enemy, religious veneration, it's all here. It's here to perpetuate the group, as human groups naturally want to do -- even when such patterns are against the interest of the original or stated goal of the group. A choice excerpt:
I'm sick of it, so what, everyone seems to love it, I'll just go now and click a preference and never look at the borg crap again. I just hope in time there is enough other content to read.
You are a regular laugh riot. RTFM. There is a preferences setting if you don't want to read about MS. Use it or shut up about the number of MS stories. It's really that simple. The quantity of different types of stories on Slashdot is probably directly related to the number of submissions on those topics made by readers.
I'm not even going to get into the logical fallacies going on with your comparison (via .sig) of MS and Linux security issues.
I do not have a signature
in an unusually ironic twist, Microsoft has started talking smack about their own products, instead of those of their competitors.
It's not ironic, because Microsoft stands to suffer nothing by pointing out problems with Outlook. And that is because 1) it is still probably the most widely used email program, 2) there are no real significant challenges or competitors to Outlook (or Excel, or Word) out there, and 3) the problems BG is pointing out are relatively trivial and plague every other email program anyways. So MS can make these kinds of knocks on their products as much as they want...they just can't knock Windows.
And, as someone else has already pointed out, it always helps to sell new product. Doesn't almost every new feature set in any product imply there was something wrong with the previous versions ?
Microsoft's greatest value to customers is building these features into the core operating system, he contended. "We essentially take cost and complexity out of the system ... as opposed to having to force our customers to cobble them together themselves," he said. "That is part of the open source world, the customer puts things together. We think part of our value proposition has to be we have to take a lot of that effort out."
Wrong. You take the "cost and complexity" out of 3rd party software, so instead of the money going into other company's accounts, it goes into your own pockets.
As for 'putting things together' in the open source world, doing apt-get isn't harder than popping CDs in and doing installations. We do the putting together because we like to customize rather than having stuff forced down our throats. People order from a menu at the restaurant because they want to choose what they eat.
On the other hand, when I contribute stuff to Apache projects, I write tons of comments about why a particular approach was chosen and how the code might be extended. Plus I can do all the testing I want before I check it in. I don't know about others, but I tend to write a piece of code, let it sit for a couple of days and review it. I try to be as brutal as I can and see where it's stupid or sucks. Then once I am happy with the quality of the actual code, I test the hell out of it. That includes profiling, benchmarking and writing good documentation. How can MS compete against programming done correctly in the long run? I don't think they can change their culture overnight or in a couple of years.
"Should there be a reason to believe that code that comes from a variety of people around the world would be higher-quality than from people who do it professionally? Why is its pedigree better than code done in a controlled fashion? I don't get that," he said.
So, Linus Torvalds, Bruce Perens, Richard Stallman et al. are not professional software engineers?? That'll be news to them and a lot of other folks that I know!
Arf!
sPh
Obviously, when you're a monopoly and you want people to believe in your company you're going to say, "We know all of our shortcomings and our only goal is fixing them".
However, if you're the _underdog_, you're NOT going to put the focus on your flaws. But, if you're the only bully on the block and everyone hates you for it, you're going to play the sympathy role: "My parents beat me into beating you".
Yeah right.
Fool me once, shame on you. Fool me twice, shame on me.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
I like to develop on Windows but for anyone to claim that Windows networking is easier is obviously smoking crack.
.NET either corrects or masks some of those deficiencies, except, most notably, in socket and file handle and process support. However, even in the case of .NET, "hard" problems of sockets are traded for make work for admins dragging and dropping and touching configuration files, with no clue.
Sockets are much easier to develop in Unix because Unix does the right thing with them. You can easily pass file handles between processes in Unix and it works quite well. All programming languages in Unix have convenient mechanisms that make it straightforward to pack and unpack data from streams, fairly easily. The whole concept of "rolling a protocol" that seems so mysterious on Windows is mysterious because the tools suck for that task on that platform!
Imagine, on Unix, you've been able to printf across a network [via a socket] for at least 10 years. What's up with Windows where even binding a socket to a c style file handle has to even take place?
Needless to say, Windows and Windows development tools have traditionally lacked in the networking department. Prior to the above, the official MS networking solution was DCOM, the languages were weak, the O/S APIs unfathomable, the string handling facilities sucked and file handling was abysmal.
Sockets and files themselves have not gotten fundamentally better in Windows since Windows NT 3.5. The only way to get this socket sharing across apps [a prerequisite for stable web services] is the kludgey HTTP.SYS driver that is in the next go-around of Windows 2003 Server. Processes are still fundamentally peered, not owned, and killing an application still strands DLLs, and the tools, while much better, generally either wrap an expansive library around an anemic O/S that by all rights should do it, or write mountains of "wizard"-generated code.
For thousands of dollars, you can go ahead and buy yourself a crappy version of what Linux has done since 1992 for free, and then spend thousands of dollars more on the tools required to program it.
Just keep in mind that if networking was so easy on Windows, then, Web Browsers, Web Servers, Email, Chat and virtually every other application that uses internet protocols in general and networking in particular was invented on UNIX, AND NOT WINDOWS.
I have 38GB on a new hard drive on my machine, and it's going to be partitioned for Linux.
This is my sig.
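The post above makes two concrete claims about Unix: that a socket is just a file descriptor you can `printf` through, and that descriptors can be handed between processes. The following is an added example illustrating both; it is not code from the original thread or from any project it mentions. It uses `socketpair(2)`, `fdopen(3)` and the `SCM_RIGHTS` ancillary message, and the function names (`printf_over_socket`, `send_fd`, `recv_fd`, `pass_fd_roundtrip`) and the sample strings are my own constructions. Descriptor passing is the mechanism privilege-separated daemons use to let a privileged parent open a resource and hand only that descriptor to an unprivileged worker, which is why it matters beyond convenience.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Claim 1: a socket is a descriptor, so stdio works on it. Write one
 * formatted line into one end of a socketpair with fprintf and read it
 * back with fgets on the other end. Returns 0 on success, -1 on error. */
int printf_over_socket(const char *name, int value, char *out, size_t outlen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    FILE *w = fdopen(sv[0], "w");
    FILE *r = fdopen(sv[1], "r");
    if (!w || !r) { close(sv[0]); close(sv[1]); return -1; }
    fprintf(w, "%s=%d\n", name, value);
    fclose(w);                       /* flushes and closes sv[0]; peer sees EOF */
    if (!fgets(out, (int)outlen, r)) { fclose(r); return -1; }
    fclose(r);
    out[strcspn(out, "\n")] = '\0';  /* strip the newline for easy comparison */
    return 0;
}

/* Claim 2: descriptors can be passed over a Unix socket. send_fd attaches
 * fd as SCM_RIGHTS ancillary data to a one-byte message. */
int send_fd(int sock, int fd)
{
    struct msghdr msg = {0};
    char dummy = 'F';
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    msg.msg_iov = &iov;       msg.msg_iovlen = 1;
    msg.msg_control = cbuf;   msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* recv_fd reads the message and returns the kernel-installed copy of the
 * descriptor, or -1 if no SCM_RIGHTS control message arrived. */
int recv_fd(int sock)
{
    struct msghdr msg = {0};
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    msg.msg_iov = &iov;       msg.msg_iovlen = 1;
    msg.msg_control = cbuf;   msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Pass the read end of a pipe across a socketpair, close the original,
 * then prove the received copy still reads what is written to the pipe.
 * Returns 0 on success and fills out with the constructed sample text. */
int pass_fd_roundtrip(char *out, size_t outlen)
{
    int sv[2], p[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (pipe(p) != 0) return -1;
    if (send_fd(sv[0], p[0]) != 0) return -1;
    int rfd = recv_fd(sv[1]);
    if (rfd < 0) return -1;
    close(p[0]);                     /* original read end gone; the copy survives */
    const char *sample = "hello via SCM_RIGHTS";   /* constructed sample payload */
    if (write(p[1], sample, strlen(sample)) < 0) return -1;
    close(p[1]);
    ssize_t n = read(rfd, out, outlen - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    close(rfd); close(sv[0]); close(sv[1]);
    return 0;
}

int main(void)
{
    char a[64], b[64];
    if (printf_over_socket("count", 42, a, sizeof a) == 0) printf("stdio over socket: %s\n", a);
    if (pass_fd_roundtrip(b, sizeof b) == 0) printf("via passed fd: %s\n", b);
    return 0;
}
```

Both halves run in a single process for brevity; in a real privilege-separated daemon `send_fd` would run in the privileged parent and `recv_fd` in a forked, dropped-privilege child connected by the same socketpair, which is exactly the pattern that keeps a network-facing worker from needing root.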
In a sense, this is exactly what makes Linux an ideal server platform: it's not "features" focused, and it's more into substance than style.
No, that's BSD. I mean come on... Linux is as much about hype as anything else.
-a
No, you're right. We should leave poor MS alone. They're obviously confused. After all, this is the same company who during the antitrust trial, said they couldn't share their source code with anyone due to national security concerns if the code got into the wrong hands.
Then later (2002) they told a federal court that sharing information with competitors could damage national security. And even said the code was so flawed it could not be safely disclosed.
Then in early 2003, they agreed to share the source code with China.
So it seems clear to me that they are confused and just need our sympathy. After all I'm sure they wouldn't intentionally risk our national security nor lie about the risks of sharing their source on the stand in federal court.