Microsoft Raises Security Game, Notes Shortcomings Elsewhere

LMCBoy writes "Steve Ballmer recently told an industry conference that Microsoft software is more secure than Linux. PJ at Groklaw has a nice, thorough analysis of this dubious claim. She points out that not only are there vastly more Microsoft exploits reported, but that the exploits tend to be much more severe, involving remote administrator access." In related news, mhesseltine writes "According to an article from the Washington Post, in an unusually ironic twist, Microsoft has started talking smack about their own products, instead of those of their competitors. Bill Gates said of Office 'it's too hard to find things in e-mail' and described some features of Word as 'clunky.'"

Really?

[DAldredge]

Do you think it could POSSIBLE be due to the fact that Office 2003 just came out and the need to find a reason to get people to buy it?

"Bill Gates said of Office 'it's too hard to find things in e-mail' and described some features of Word as 'clunky.'""

Re:Really?

[Rary]

Precisely.

This is nothing new. Remember when Windows 2000 came out, and magazines were filled with all those Microsoft ads making fun of the Windows 98 BSOD?

They trashed Win98 to sell Win2K. Why wouldn't they trash Office2K/XP to sell Office03?

Sure Windows is more secure than Linux...

[Realistic_Dragon]

When the version of Linux is Lindows and it's adminstered by a monkey who leave it lying around a student lab logged in as root.

On a more serious note, securit depends more on the person administering it than the software itself up to a point. Sure you _can_ leave yourself wide open on Linux as well as on Windows, it's just that on Windows it's much easier (eg using OE or IE or not turning off messaging services or RPC) compared to Linux (installing something compromised or bad physical security).

Re:Sure Windows is more secure than Linux...

[bigjocker]

Actually any Joe User can install Mandrake 9.2 and use the "High" level of security (which basically closes all ports except for SSH) and have a more secure system than your average Windows installation.

Of course, OpenSSH remote exploits appear once or twice a year, but that would be about it ...

FUD.

[Eric_Cartman_South_P]

Even if the shit MS is shoveling was true, which it isn't, I'd rather have a system with 100 security holes a year that all get fixed in hours (think *BSD, Linux, and with a sprinkle of extra time even MasOS X) than a system with 10 security holes a year that get patched months later if at all (think Windowe).

Re:FUD.

[jridley]

I believe that this is a result of design. If you have a well designed system, then a vulnerability is probably a result of a simple programming flaw. Fixing such problems is usually just a matter of changing a few lines of code, or at most perhaps adding a layer of error checking.

If you have a system designed like a Big Ball of Mud, then a vulnerability is likely to be the result of unanticipated interactions between different modules. When you try to fix that, then you are just changing to a different set of unanticipated interactions. Fixing such systems often involves making sweeping changes across all of the modules that you can think of that interact with the problem module.

It's not surprising that "fixing" something in such a system breaks other things. All you can hope for is that you break less than you fix, and the breaks won't be discovered for a while.

Nobody's ass on the line?

[morven2]

Ballmer states that there's "nobody who has his rear end on the line" with Linux.

I posit that Linux developers have something rather important on the line; their reputations, professional and personal. When you ship open-source code, you are showing the world how good, or how bad, you are. Your reputation can be made or broken by the code you release.

Contrast that with all too many developers in commercial shops, whose code is read by nobody but their immediate co-workers and nobody takes responsibility for bugs.

If Microsoft employees' asses are on the line, show me a firing or two every time a security hole shows up. And not just the line programmers; bring me the heads of the designers who designed things badly, the project managers who made hitting deadline more important than getting it right, and the managers who let it all happen.

I would say that in the vast majority of cases, commercial programmers' asses are NOT on the line, in terms of security problems. As long as you crank out code fast enough to keep up with your co-workers ...

Re:Nobody's ass on the line?

[rutledjw]

I disagree. People who contribute to the Linux kernel are PERSONALLY known. One can find out directly who implmented a particular module from pubilc records. Can you do that with MS or any commercial vendor?

Further, Linus and others review code that's coming in, particularly from newbies. One has to earn the right to contribute.

If you have examples of crap code, feel free to post them. Keep in mind that "not-as-good-as-I-would-do-it" isn't necesarily fair. Assuming you're a good/great coder (which I have no idea) someone may not be "as good" or may simply have a different view of an appropriate implementation. be careful with comments like that. It's a broad brush and that can misrepresent the current sitution...

Re:Nobody's ass on the line?

[OglinTatas]

And who's ass is on the line when the EULA states that microsoft is not responsible for its own products?

YOU are entirely responsible. Talk to your reseller for support, and if things break to an extent your business is damaged, don't expect more than a refund of the purchase price of the software. Same for open source, really. So what is Ballmer's point?

to wit:

" 5. PRODUCT SUPPORT. SOFTWARE support for the SOFTWARE is not provided by MS, Microsoft Corporation, or their affiliates or subsidiaries..."

and:

"EXCLUSION OF LIABILITY/DAMAGES. The following is without prejudice to any rights you may have at law which cannot legally be excluded or restricted. You acknowledge that no promise, representation, warranty or undertaking has been made or given by Manufacturer and/or Microsoft Corporation (or related company of either) to any person or company on its behalf in relation to the profitability of or any other consequences or benefits to be obtained from the delivery or use of the SOFTWARE and any accompanying Microsoft hardware, software, manuals or written materials. You have relied upon your own skill and judgement in deciding to acquire the SOFTWARE and any accompanying hardware, manuals and written materials for use by you. Except as and to the extent provided in this agreement, neither Manufacturer and/or Microsoft Corporation (or related company of either) will in any circumstances be liable for any other damages whatsoever (including, without limitation, damages for loss of business, business interruption, loss of business information or other indirect or consequential loss) arising out of the use or inability to use or supply or non-supply of the SOFTWARE and any accompanying hardware and written materials. Manufacturer's and/or Microsoft Corporation (or related company of either) total liability under any provision of this agreement is in any case limited to the amount actually paid by you for the SOFTWARE and/or Microsoft hardware."

Note the comparison to RH6!

Ballsack^H^H^H^Hmer said: "The data doesn't jibe with that. In the first 150 days after the release of Windows 2000, there were 17 critical vulnerabilities. For Windows Server 2003 there were four. For Red Hat (Linux) 6, they were five to ten times higher"

Why don't we compare Windows Server 2003 to RedHat Enterprise v3? Or Windows 2000 to RedHat 9? RedHat 6? That's what, 3-4 years old now!

And don't make me bring up WinME, Steverino.

Ballmer's Personal Reality Field

[Lord+Grey]

From the Groklaw article, quoting Steve Ballmer:

"Should there be a reason to believe that code that comes from a variety of people around the world would be higher-quality than from people who do it professionally? ..."

Why, yes there is, Mr. Ballmer. Among other reasons, there's vastly more people looking at the code and none of them having marketing directors breathing down their necks. Many more reasons, stated by many different people, can be found via Google in five minutes.

"Why is its pedigree better than code done in a controlled fashion? I don't get that,' he said."

You've just stated something that everyone knew long ago.

"There is no road map for Linux, nobody who has his rear end on the line. We think it's an advantage a commercial company can bring--we provide a road map, indemnify customers. They know where to send e-mail. None of that is true in the other world. So far, I think our model works pretty well."

Roadmaps make good software? Email answered by overworked and underpaid contractors make good software? Indemnification makes a Microsoft OS-based computer more secure, perhaps?

No, no and no.

Re:Ballmer's Personal Reality Field

[Groo+Wanderer]

There is one thing most people don't realize about the Young Frankenstein monster's attacks on linux, they are not off the cuff responses. MS does rather carefull studies on what 'resonates' with CxO level buyers and attacks on that.

The last one of these had IP issues being the most scary to buyers, so they went after that, about the time the whole SCO thing surfaced. Before that. there were other avenues.

Since the whole IP liability issue is being handled rather deftly by the community, there is little to attack on anymore, so they went polling for the next round. The roadmap issue is the next 'attack point'.

Things like that don't get made up, it is not a broad enough topic to have been picked out of thin air. Expect to see a lot more of this in the near future, and when it gets summarily shot down, they will pay polsters and move on to the next topic. Same old same old. *YAWN*.

-Charlie

Gates stupid like a fox

[swordgeek]

"It's too hard to find things in e-mail." translation: "We're going to start the murmurings now for a proprietary database-backed email system, from back end to user interface."

By making comments like this now, Bill will have leverage against the DoJ when they bring up the spectre of the anti-trust settlement. "It's a necessary feature--we recognised that back in 2003."

Re:Pah

[pudding7]

That's the most ignorant thing I've read on here in a long time. Call your parents right now and ask them what their computer runs. They'll say Windows. Then ask them what Linux is. They'll say "A character in Charlie Brown?" Then call your kids junior high teacher and ask her, then call your priest and ask him, then call your gay uncle and ask him. The masses have no idea what Linux is, let alone anything about it's security vs. that of Windows.

Like shooting fish in a barrel

[FunWithHeadlines]

Oh boy, this is too easy to dissect such naked, false, and desperate Microsoft FUD:

"There is no road map for Linux, nobody who has his rear end on the line."

Quick, alert Linus and the rest of the kernel maintainers and planners. Also, better not spread around the road map for Linux so Ballmer won't look like a fool.

" We think it's an advantage a commercial company can bring--we provide a road map, indemnify customers."

ROFL! Indemnify?! Ever read a Microsoft EULA? You're on your own, buddy. How stupid does he think people are? Never mind, don't answer that...

" They know where to send e-mail. "

Oh, puleeeze! Ever try to complain to Microsoft about a bug in their software? Now, take that to the next level. Ever try to complain to one of their software developers about a bug in the particular software they wrote? What's that? You have no idea who wrote that piece of software? And you have no way of finding out? So tell me again where the accountability is.

"None of that is true in the other world. "

Uh, precisely the opposite of what you said, but thanks for playing anyway. Tell Steve what he's won. Seriously, it really is just the opposite. Linux code comes with people's name on it. You want accountability? Put your name on software used by millions and put it out into the world to be dissected.

"So far, I think our model works pretty well,"

(Wiping the tears from my face while I shake with laughter) If the current mess of the state of Windows is his idea of things working "pretty well," oh never mind...This speech sure wasn't directed at the cluefull.

That means, of course, that most reporters will report it verbatim and at face value. *sigh*

Re:More Slashdot bias

[ichimunki]

You are a regular laugh riot. RTFM. There is a preferences setting if you don't want to read about MS. Use it or shut up about the number of MS stories. It's really that simple. The quantity of different types of stories on Slashdot is probably directly related to the number of submissions on those topics made by readers.

I'm not even going to get into the logical fallacies going on with your comparison (via .sig) of MS and Linux security issues.

Re:More Slashdot bias

[k12linux]

Do we really need another bash-Microsoft article

No, you're right. We should leave poor MS alone. They're obviously confused. After all, this is the same company who during the antitrust trial, said they couldn't share their source code with anyone due to national security concerns if the code got into the wrong hands.

Then later (2002) they told a federal court that sharing information with competitors could damage national security. And even said the code was so flawed it could not be safely disclosed.

Then in early 2003, they agreed to share the source code with China.

So it seems clear to me that they are confused and just need our sympathy. After all I'm sure they wouldn't intentionally risk our national security nor lie about the risks of sharing their source on the stand in federal court.