Security FUD On Linux
bobmatnyc writes "InfoWorld reports that Microsoft is planning a "security assault on Linux" by hyping results of a commissioned study pointing to the number of security holes in Linux vs. Windows, the number of days it takes to fill the patches, and by raising questions as to the reliability of code submitted through the OS process. I suppose if they focus very narrowly on one measurement of security, completely ignore script-level vulnerabilities, default settings vulnerabilities (such as root access for all users), and the demographics of the user population, as well as a zillion other things I'm not clever enough to think of off the top of my head, they may have a point. "
I've been waiting years for Security FUD to run on Linux. I'm glad someone was able to port this over from Windows.
US Democracy:The best person for the job (among These pre-selected choices...)
As somebody pointed out to me not too long ago, as long as MS talks about security holes that are remotely exploitable, I don't think Linux has anything to worry about.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
A good rule of thumb in competition is to only start wars you know you can win. Something is not clicking here...
-You may license this sig for only $6.99.
How many Windows Security Threats have made me work over 24 hours straight? 1 every 2 two months in 2003
Guess which OS I like to support?
Strange women lying in ponds distributing swords is no basis for a system of government.
What frustrates me about these is that people actually BELIEVE them. Though given the recent security blunders by Microsoft (such as that little problem called 'Blaster') people might finally realise that this stuff is a load of BS.. or very very twisted fiction.
And I just wish that the comments & replies of key figures in the Open Source community made the headlines in the same way as these 'reports' do.
"Hey! Unless this is a nude love-in, get the hell off my property!!"
i can't wait to read it!!!!11! really!!!
IAALS.
That's not the case for NT, 2K, or XP. Heck the XP install even asks you for an administrator password and then the names of user accounts to make. Those user accounts default to non-root
First they ignore you
Then they laugh at you
Then they fight you
Then you win
Mohandas Gandhi
Physicists get Hadrons!
Bummer. But I have had stories rejected as well as accepted and they usually turn up by someone else within a couple of days. No problem. The big news will still make it out even if by a different oracle.
Who writes this tripe? This hasn't been true in Windows for years! It seems if your only experience of Windows is Windows 95, then of course it's all going to seem silly, but really, get with the program.
dominionrd.blogspot.com - Restaurants on
2003-11-11 17:34:02
What do you expect? You submitted it 3 hours in the future!
You forgot one point...
If they highlight the supposed flaws against the Open Source model by highlighting any back doors that may have been inadvertently placed in the Linux kernel. (Conspiracy hats on.)
This can ONLY be done correctly by an unbiased third party. Testing security is such a complicated concept with so many variables, it is a piece of cake to do the audit in a way that makes any of the contenders come out on top.
The number of major-collateral-damage internet worms that have struck because of unpatched or unfixed problems in Microsoft OSes in the last two to four years.
And then I point at the number of similar-scale Linux worms that have occurred in the same time period.
And then note that despite the fact nothing but Windows worms so much as *register* on the scale, Windows is not a majority in the server space.
>> InfoWorld reports that Microsoft is planning
>> a "security assault on Linux"
Microsoft prefers marketing...
Linux prefers a solid product...
Perhaps Microsoft should spend some more money on fixing their own products instead of trying to bring down others; it's turned into a political campaign for them.
It's been said many times before, but it bears repeating:
First, they ignore you,
Then they laugh at you,
Then they fight you,
Then you win.
- Mahatma Gandhi
Ruby on Rails Screencast
Linux isn't perfect. By design, the implementation, or the way people admin their machines.
There is an understanding that MS is also not perfect. People expect security holes, and bugs and crashes.
I think it is good that this might result in a nice list of where linux has gone wrong in the past, and what hurdles to overcome in the future.
If the competition wants to make you the "Build a better OS HOWTO" I think they should be as free as anyone to add to the LDP.
* 2003-11-11 15:53:05 MS to attack Linux Security - "Days of Risk (articles,microsoft) (rejected)
So good to see the editors keeping up on this.
Since there is no such thing as bad publicity this has to be considered a good thing.
Think about it, the article mentions Red Hat and lets them discuss what think of the whole matter.
Microsoft will start, and finish this war. Your average numbnuts office worker wants ease and reliability, even if every once in awhile things go to shit. See my sig!
-Where there is blue screen, there is OWNAGE
heh, is this ever worth talking about? we deal with MS servers and Linux servers here, lots of Linux distros and Windows NT-2k3 boxes... the Linux side of things does WAY better on the security end of things than the Windows end. Who cares what MS thinks they want to prove about this. From my experience, a security minded Linux box is way more secure than a security minded Windows box. the biggest heel in the face of Linux is that the idiots who make the servers don't patch them. Windows likes to give you the option of doing that automatically. Gentoo Linux: emerge rsync; emerge -u world. nuff said. [please ignore any gratuitous opinion in the above post]
penetrate with what?!
(it better be a 10 foot pole!)
ender-iii
Given that Microsoft got caught lying to a Federal judge (during the antitrust case), why is anyone surprised that they'll lie to their customers?
Isn't that a given?
Anybody looking to a vendor to provide accurate data about its products or the products of its competitors deserves the crap they get.
DG
Want to learn about race cars? Read my Book
such as root access for all users
On Windows, even the Administrator account (which is the level that lots of people log in to) is not really root access. The Local System account is comparable to root. The Administrator has control over all user-controllable parts of the OS but there are parts that are not user-controllable.
Any sufficiently simple magic can be passed off as mere advanced technology.
You know what I'm going to do?
When these studies are released, I'm going to write down the URL.
And then I'm going to blanket-spam the internet with Windows Messenger Service messages giving the URL, and asking, aren't you glad that Microsoft OSes are so secure? Aren't you glad you chose to use such a secure OS?
I'm sure all the windows users will be very happy for the reminder (in the form of a random, unbidden pop-up) of how much more secure their OS is. It will probably just give them a warm fuzzy feeling.
This is such good news for me, and here I was, ready to throw windows out of my life and become a linux guru, thanks microsoft for showing me what a mistake that would be!!!
Help Brendan pay off his student loans
Ummm, because we can look at it before we install it instead of just 'trusting' someone that it is good?
And just how much code comes out of China anyway!?
"Some things have to be believed to be seen." - Ralph Hodgson
It would not come as a shock if we found out MS was behind the attempt to add a root exploit to the Linux kernel that happened last week...
http://slashdot.org/article.pl?sid=03/11/06/058249&mode=thread&tid=106&tid=185
Just what lows are they willing to sink to?
Or am I just paranoid?
Let's see, a corporation that stands to lose hundreds of millions of dollars in revenue to an open-source collective effort...
If I were MS, I know I'd be afraid and might even do something like that....
Has there been any new information on the security breach?
I don't know the meaning of the word 'don't' - J
Hmmm, that's much better than my original idea of using several open source penises. It would save us from being sinfully arroused by closed source.
Thanks.
Linux IS a security risk
Like it or not, there are just as many vulns in Linux as there are in Windows. Get out of your open-source-or-die denial.
Windows is a totally different operating system than Linux. Of course there are going to be differences in the way it's manipulated.
Their study can find whatever it wants; I think most IT people will still notice that the MS systems still topple like dominoes every three months or so with a new virus while no other vendors' products seem to have that problem.
Allow me to be the first to say,
BSD! BSD! BSD!
Whew, now that it's out of the way, resume discussion...
I know i'm way off topic here, but what is with that advertisement bar moving to the side? It looks like crap! I'm fine with the ad at the top of the page, but why move it down to the side?
Don't waste time... procrastinate now!
If Microsoft's FUD is at the same trivial level as the pitiful mewlings of their Slashdot shill, Overly Critical Guy, then Linus and the Linux community as a whole have nothing to worry about.
even third parties take side...
you'll never get any objective, true test...
"Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?"
How about because I can look at that code, know 100% for certain what it does, and fix / customize / improve that code as I see fit? By definition, that does make it "better".
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
See to bash windows is easy. Point the finger at Redmond and call "liar!".
Who exactly represents this "Linux" thing I hear of? To me the whole scene just reeks of ignorance. First off, "Linux" is just the kernel. Not the userland. Second, most changes to the kernel are driver fixes and additions. Security flaw fixes are rare.
Third and most importantly, there is more than one distro of Linux. Just because one may be out of date and insecure doesn't mean "Linux" is insecure.
Tom
Someday, I'll have a real sig.
I submitted this story in January of 1996. It was rejected.
This is blatantly unfair. What do you have against me, slashdot editors??
I just noticed this :
And at the end of October, Ballmer gave the audience at Gartner's autumn symposium a taster of what was to come when he attacked Linux's assumed security superiority. "In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."
Yes.. some more classic FUD. But something did strike me about this comment. If they were to talk purely about the core operating system, I'd be willing to bet that Linux fared equally or better than Windows.
Red Hat 6 is a distribution, and as such comes with a whole host of applications & suites when you do a full install. Windows Server 2003 is just the OS. If you were to bolt Microsoft Office, and all of the other comparable applications onto Windows that a Linux distribution includes, I am sure the security patch figures would not be in Microsoft's favour.
It just shows that Microsoft are worried about Linux.. if their product was so damn good, they could sit back and let it sell itself. But it's obviously not, and they have to resort to this slander to try and win over the more gullible people to their side.
Drives me crackers!
"Hey! Unless this is a nude love-in, get the hell off my property!!"
It should be interesting to see whether the issues that Microsoft highlights during their campaign are fixed more quickly, more securely, etc.
Handled correctly, this effort by Microsoft could be used to identify and repair the upper-tier issues, and then provide some publicity about all the good things about open source software (fast bug fixes, done in an open forum, good for everybody, etc etc etc) and in the end work in precisely the opposite direction as intended.
"Microsoft has hired several analysts to review how fast holes are patched in the open source software and is expected to announce that Windows compares favorably."
You gotta love it when analysts are paid to give an expected result.
Hey MS, can I have my analysts scour your source code for holes?
Shameless plug for my photos on Flickr
Period ending June '03, Microsoft spent 1.336 Billion in R&D. Five million isn't even half of one percent of research spending. Serious security? Doubtful.
and let god sort them out. The FUD is getting so thick you could cut it with a knife.
Looks like its welcome to the prime-time Linux.
Quack, quack.
That's why Microsoft is so committed to solving security through obscurity -- they believe that keeping the flaws secret will keep crackers from developing exploits.
The "study" will also no doubt find that Microsoft fixes their bugs much faster than open source programmers since the Windows bug and downloadable fix are often announced on the same day.
MS can win a PR battle, because they have an endless amount of cash to pursue the cause.
On the other hand, OS can win the desktop domination war by creating better systems that are less vulnerable in real world situations if we focus on grass roots marketing.
Too long to fix bugs? Please. There might be other chinks in the Open Source armour that could be exaggerated to make newspaper inches, but the speed of the bug fixes? No way.
PS. How do you spell that damn word? Exagerated?
Get your own free personal location tracker
I suppose if they focus very narrowly on one measurement of security, completely ignore script-level vulnerabilities, default settings vulnerabilities (such as root access for all users), and the demographics of the user population....[snip]
Tech savvy people use Linux. If you sat my mother down in front of Linux she'd open all the same email attachments and run all the same unsafe executables etc etc. Although I agree that in general open source systems are more secure than closed source implementations, this is more to do with the people using such systems than the systems themselves. Social Engineering security hacks anyone?
I'm increasingly convinced that a lot of the secureness of Linux boils down to better and more cautious sys admins, and, if this is the case, things can only get worse from here on in. If you run all your linux code as root and your password is 'password' (and I've met at least one person who does this), I don't think you have a wonderfully secure system. OTOH, W2K Server with the Security Pack applied is not a trivial thing to hack.
Virtually serving coffee
This is a hole the Linux community dug for itself, and now Microsoft is going to defend their record against the Linux record. If the Linux record doesn't fare well based on the facts, then maybe you shouldn't be making the ridiculous claims?
Or did you think that by repeating the mantra, "Well of course Linux is more secure" you weren't going to ever have to face up to reality?
Listen, when you realize you're in a hole, stop digging!
Here.. Quote from Ballmer: "Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?" Check that Nigerian 419 article (this was in last week's /.).. "These folks are some of the same great people who are supposed to be working for you anyway, plus a smattering of teenagers too young to work at Redmond, hackers, virus creators, and a menagerie of others with whom you will feel great pride in entrusting your IT infrastructure."
The marching orders have been given..
-B
It seems like MS is taking other people's security problems more seriously than their own. Let's thank them for bringing our little security problems to our attention so we can fix them quickly like we always do.
-- Cheers!
These are not questions that Microsoft wants to raise. We've finally forced their hands, and for once I'm excited.
This is the opportunity for community leaders to finally start talking about the FUNDAMENTAL architecture differences between Windows and Unix variants that allow security issues to be contained (permissions/groups). It allows us to talk about the superior response time in fixing exploits, as well as the power of open coding in spotting them in the first place.
I think this type of FUD campaign aimed directly at our biggest (relative) strength is exactly what I've wanted for a very long time. It's an opening to get Linux onto the desktop.
Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!
Sure, the study is 'slightly' biased. But an important thing to keep in mind is that Windows also has a much, much larger installed user base.
Fact is, the more people use Linux, the more people will be looking over its code (for good and ill intents). And the more people who look into the Linux code, and the more users Linux has, the more security flaws will be found and exploited.
Point being, sure, now Linux is secure as houses (yeah yeah, also due to its structure and whole OS mindset), but the more people use it, the more malicious people will write viruses and find exploitable code and... exploit it.
For a large part, I'd say it's just a matter of numbers.
-- Waht? Tehr's a preveiw buottn?
I think it's funny that microsoft needs to pay people to say how great their products are. Maybe they should focus on building a better product than telling some analyst to write nice things about them. Come on. Anyone could do that.
This signature has Super Cow Powers
Microsoft is using a PR campaign to combat the bad press it has received lately. Their campaign is designed to change public perception, not address the actual problems.
Windows 2003 Server certainly has more secure default behavior than its predecessors, so at least it isn't all window dressing. But they have a long road ahead on the security front.
Last quarter they had $800 million in unearned revenue, this PR campaign is focused on changing public perception in order to get that unearned revenue problem under control.
Linus should sue Microsoft for spreading lies about his project. Redhat is not Linux. And if redhat 6 has 500 flaws it is a lie to say that Linux has 500 flaws. It's even a common logic error that Microsoft does. Sadly some CEOs who don't care much about anything buy this lie...
Guys you can argue the technical merits all you want.. today's consumer has a short memory.
If MS makes it look for a short while like Linux isn't really secure, and does an okay job of convincing people, the facts don't matter; they get more market, we get less.
What linux needs is an evil marketing company, on par with MS.
What kind of systems are they going to compare?
Ballmer: See, here we have two operating systems. One is Windows XP the way you get it after a fresh install(*. And over here we have Linux after a typical install(**. The Linux system has had a lot more security holes than this Windows machine has had!
*) Which means that the system consists of Kernel, GUI, Solitaire, Notepad and a handful of other apps
**) Which means that the system consists of Kernel, several GUIs, several editors, several server tools, development tools, games, apps, office suites, several browsers, several mail clients, etc. etc.
Hardly an apples to apples comparison....
Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
Hey guys, for the first time after a decade on the net I was scared to connect to the net.. Do you know why? I just moved to a new house and I had to transfer my SBC/Yahoo DSL account there. They gave me 10 days to complete the move, so I am without a DSL connection at my house... I had to use dial-up (I forgot how slow it was) but the only machine I had available with a modem was a station with Windows 2K Professional that my wife uses... To be sincere, I was too lazy to install a modem on my Linux desktop that I use as a firewall for my home too. So, I looked at the Windows desktop connected by dial-up and I started thinking... Jesus, I am connected to the internet using Windows and without a firewall or anti-virus (I don't like any anti-virus... I don't think I need one till I see my M$ Windows connected to the net)!!!! As soon as I connected I got that SPAM using the message service! Windows is a hell! Microsoft is a hell!
Of course the study found M$ superior, the analysts know full well what would happen to them if they found otherwise.
They tested it against only Red Hat 6. Of course Windows 2003 is going to have less; it's not been out as long! I note also they can give a figure for 2000 and 2003 yet are unable to do it for Red Hat 6... Why? They must have calculated somehow....
... this is a FUD attack.... of course it does not make sense..... YAWN
Oh stupid me
James
You have to admit that the entire fiasco between microsoft, a multi-billion dollar a year company is being so shaken by a community of rogue hobbyists is really quite amusing. Microsoft should have a superior product. After all, they've been doing this for over a decade, pretty much have access to unlimited resources, and in the face of all that there are rival products out there that cost next to nothing to use. I think that in the next few years we are going to see some major economic shifting in the IT world. I think that the market is going to move towards supporting various services, and not charging for the actual software itself. Thats the glory of the internet - it gives power and recognition to those who earn it and not to those who buy it.
If they like many of us see Linux as the biggest credible threat out there, they might resort to fighting dirty. Linux does have the potential to shift the paradigm of the whole IT industry in the same way that Microsoft themselves did through the 80s and 90s. Sun et al are already feeling the heat in the server market. I'm certain that Bill and co are getting twitchy about how things are developing.
We all know Microsoft is pretty cold and calculated when it comes to competitors. If Linux is next in the firing line, the open source community needs to be ready for this battle and the wars that will follow...
First the Chinese get the Source Code for Windows then they decide to back Linux?
Sounds more like our government had better look at who is more secure.
There are security issues with Linux and to describe those issues as FUD is an example of the double standard practiced here at Slashdot. Worms and virii are written for MS simply because it has the largest market share, so the potential effectiveness of the virus or worm is higher than if it were designed for Linux. Every remote root exploit has the potential to be a virus or worm. Doesn't sound like FUD to me.
Why don't you go listen to your ipod some more and get back to me.
...to the entire USA and that doesn't matter because over half the population still loves him and his adorable wife. But then again, if you twist the words around, technically he really didn't have sexual relations with Ms. Lewinsky.... it was *the cigar* that had the sex. I can't help but wonder if he smoked it afterwards.
Yeah, yeah, it's all a conspiracy of Slashdot to make their primary user base Indian. And a conspiracy of people running around modding you down just to hide it all from the public.
Get real.
Who all thinks that MS might analyze open source software, looking for security holes, then dedicate an entire "team" with going around cracking and writing viruses for linux boxes?
The *could* do it. You think they would?
do() || do_not();
They may pull out all the stops, but they still have to explain why there is no memory protection built into the Windows Kernel, why the default user has install privileges, why they are now releasing patches on a monthly basis and not when the vulnerability is discovered.
My first point is the one I want answered, why can't Microsoft build a kernel that polices the processes that it runs?
Did Glenn Beck rape and kill a girl in 1990? gb1990.com
Dear Steve Ballmer,
How dare you insult the Chinese population like that, you racist pig! Am I detecting neo-Nazism running in Redmond headquarters? For that matter, I wonder how many of your Chinese employees are setting up a class action lawsuit against you and switching to Linux after your racial slur. Given recent successes of the Chinese aerospace mission, it is only a matter of time before you and your company go down in blazes, similar to what destroyed the maniacal visions of Adolf Hitler and the Axis of evil.
Signed,
Yang Li Wei
Send some penguins around the flank to get 'em real good in the 'security hole'!
Healthcare article at Kuro5hin
(Balmer)....He also questioned the notion that the open source's community approach to fixing problems was superior to Microsoft's. "Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?"
...because any one and EVERYone can see the source, if they think there is a problem, they can announce it and even fix it. In the Micros$$$ world. You are, basically, screwed.
Steve
Dear Mr. Gates and Mr. Ballmer:
Rather than spending more money on MS funded studies to undermine OpenSource and $5mil to play the "bounty hunter game" just to ward off criticisms toward your swiss cheese OS, you might want to spend the same money to improve code in your products. Needless to say, I am very aware that my suggestion will be disregarded, as you do not agree with the very common notion that better coding will improve the security of an operating system.
It doesn't matter, really, as the amount of money you are spending for all these FUD tactics, marketing, settlements and donations to politicians is nothing significant in your bank account. But from my perspective, all your FUD attempts to undermine OSS is making you look like a biggle clown. You look good when you are with this fella.
Yours,
0
It's funny, laugh.
So the weaknesses that Linux has will be exposed to the public, is that it? So MS will actually be debugging Linux, letting everyone know what wrong so that the whole Open Source community is aware and fixes it promptly. I don't get it. I thought that MS was against Linux.
Uuh...We're at 9 now buddy.
[Please sign here]
Ok, so M$'s FUD machine is gearing up. What option do we have other than bitch on the /. forums? I know donate to the EFF, write open code, blah blah - bullshit.
I want to know what I CAN DO. From writing a senator, to going postal at M$. What are our options as Open Source advocates to beat the M$ FUD machine? An OpenFUD project? Because despite flame wars on /., despite arguments in IRC, despite all our efforts sooner or later the M$ FUD will find something that sticks in the back of the minds of all our PHBs. At which point OS security will be M$'s triumph instead of ours.
-Coach
"Never upset a goalie, getting hit with a blocker is an unpleasant experience - facemask or not." -Me
Developers, developers, developers.
Paying top dollar to developers writing Windows viruses. Extremely successful viruses can earn as much as 250,000 US Dollars.
Submit your works, name, and SSN and wait for the knock on the door
Give that homeless person $5.00 and tell them to say "Microsoft is WONDERFUL!" Commissioned study, bah. All that means is that they paid somebody to say something.
"It's so convenient to have a system where everyone is a criminal" - A. Hitler
That's what Ballmer implies:
...
17 critical vulnerabilities in Windows2000 and 5-10 times more in Red Hat Linux
Its too late now either way, the damage is done.
...
IMHO people have already experienced the insecurities, trojans, worms and so forth.
Businesses have already been damaged and plagued by frequent attacks, and so they start switching. The momentum of Linux adoption is quickening pace all the time. Linux is the buzzword now and there isn't a lot Microsoft can do about it.
Generally when people have had a bad time with something, they don't forget, and when they find something that works and does it well, then they stay with it, and more often than not it becomes gospel.
Linux is like life.... life finds a way.
nick
Electronic Music Made Using Linux http://soundcloud.com/polyp
Ancient Chinese Proverb:
"We are fastest to attack others for the weaknesses we most fear in ourselves".
OK, I just made it up, but it's true anyhow.
Ceci n'est pas une signature
Me no read article bad grammar contains
AC comments get piped to
If you mean the kernel - sure.
If you mean open source packages distributed with Linux distributions - think again.
Even the desktop oriented Linux distros ship server daemons for SSH, or simple chat clients like BitchX.... which may eventually happen to have some remote exploit (it has already happened and will happen again). I've had a friend who has installed, out of 13337-ness, an ssh server on his home box.
The average user is ignorant and there lies the danger ;o). (It's quite normal that many people decide to give Linux a shot without realizing that they should know at least a necessary minimum before the install......)
Of course that last part is completely true for the Windows users as well...
PS: I'm talking about desktop users here. Please, sysadmins don't get me wrong;o))))
1. No sig. 2. ???? 3. Profit!!!
This will prompt "virus writers" to further cloak their sources, making it even harder to bust anyone, while the MS platform remains insecure.
[Please sign here]
Yeah, but MS will eventually pay the under handed buck to the "independent" 3rd party to bring them on the top.
Today, I was talking to a friend of mine who bought his first computer about 4 years ago. He wanted to back up every thing on his computer, so he dragged all the icons from the desktop over to his CD burning program. When I tried to explain to him that the only thing he burned onto the CD was a dozen shortcuts, and not the actual programs/data itself, he just looked at me with this totally blank stare and had absolutely no clue what I was talking about.
The point is this: When it comes to programmer-related problems (buffer overflows, etc.) Windows and Linux seem about equal. The big problem with Windows is that Microsoft's focus has been entirely on "ease of use" for people who know little or nothing about computers. That's how you sell lots of computers (and lots of copies of Windows). They created all sorts of nifty features (scripting, etc.) and turned them all on by default -- never giving a moment's thought to the harmful ways that these features could be used.
Windows, in the hands of a knowledgeable person, can be just as secure as Linux.
But, "right out of the box" it's a security nightmare -- a disaster waiting to happen.
What was the last exploitable problem in the Linux KERNEL? No need to mention the backdoor attempt from last week, we all know about that one. A) The last LOCAL exploit, and B) The last REMOTE exploit?
I have a vague recollection of some kind of ptrace() race condition that could get you root sometimes. As far as I know that's LONG been fixed. I seriously can't think of a single other thing.
You need to add some more phrases to your crapflooding script. This is just pathetic.
What happened to the base 16 v. 10 troll? At least his stuff was marginally amusing.
The Steve Ballmer quote shows their errored way of thinking: "...And at the end of October, Ballmer gave the audience at Gartner's autumn symposium a taster of what was to come when he attacked Linux's assumed security superiority. 'In the first 150 days after the release of Windows 2000,' he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher." Where's the RH9 comparison? He's comparing an operating system (Windows 2000 Server) to an OS *AND* applications (Linux). If he were to simply compare Windows 2000 Server to the Linux kernel in RH 6, there were no Linux vulnerabilities. Instead he compares simple Windows 2000 Server to Linux which includes Sendmail, Apache, BIND, Netscape, mySQL, etc. If we apply the same rules to his test and compare RH6 to Windows 2000 Server with IE, Exchange, MSSQL, Windows Media Player, etc... the results will be much different.
This seems to be a common occurrence around here. I particularly think it's disrespectful to the users to give them some sort of credit if they're going to pick and choose the submissions from users.
"Hmm, User A and User B submitted the same story, but User A came first, and his also seems to have a better summary. Though, I don't like User A, so I think I'll give the credit to User B (User B could even be Slashdot staff) and use the same summary. I'll try to make it not noticeable by posting it hours, or perhaps days, later!"
The scenario above has happened to me a couple times before. If you're going to give people credit, don't snub certain people for arbitrary reasons.
Is this even legal in the USA, pointing out security holes I mean? I thought the DMCA made that illegal, or was it some other silly law?
Anyway, strip down a GNU/Linux distribution to a minimum and you'll see that the base OS has not had any major security issues. Strip down Windows and you'll still have one buggy browser to deal with, a GUI in the kernel (pretty stupid when you think about it) and of course you've got the whole range of open ports, which of course doesn't really do much, but still manages to pose a security risk.
Linux and Unix software isn't that much better than the Windows equivalent, but the basic operating system does have fewer security issues. This isn't because Linux developers are more skilled than Microsoft developers (it would be kind of weird if they were). Linux has the advantage of being just a kernel; everything else is an add-on. Windows is huge and complex, even in a minimal installation, if such a thing even exists.
Microsoft can bash Linux all they want, I really don't care, it won't make me go back to Windows. I think Linux is a much better product in general, not just security-wise, and if Microsoft want me to think otherwise they will need to make some serious changes to Windows.
I've had a friend who has installed, out of 13337-ness, an ssh server on his home box.
What does that have to do with "13337-ness?" Being able to remotely log into one's home machines is a life-saver (I've lost count of the number of times I've needed to get some document, or just some data like an email address.)
I couldn't imagine not running sshd. And I'm not the slightest bit "13337."
"there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher"
Red Hat 6? Steve, do a little research here. We're at 9.x now.
Let's compare apples to apples. RH 6 was around during NT4, right? Now, let's count the security holes.
I have a second sig, I call it sig#2.
Personally, I think that it's telling that InfoWorld feels so comfortable talking about this report that's not written yet. That fact alone shows how biased M$-commissioned reports typically are, and how well-understood this is by the industry press.
I think the funniest thing will be if Microsoft doesn't release the report... meaning that they couldn't find any way to spin it so they look good!
Linux could have 10 times as many security holes as Windows, and it wouldn't matter. The freedom to fix a problem yourself or contract out to have it fixed, makes Linux infinitely preferable for enterprises.
With Windows, there's no guarantee that a security problem will get fixed, ever. There's no guarantee Microsoft will even let you make the existence of the problem publicly known. And you certainly can't fix it yourself or hire a third party to fix it.
M$'s worst-case scenario is its source code being released publicly. It's not a matter of if but when. Linux and open source live and thrive in that scenario.
If M$ ever did release its code, for a period of time things would be very bad; in the long run people would start seeing real changes in M$ security. But for now, it's a false sense of security and a big disaster waiting to happen.
Is anyone else sensing a hint of *desperation*? I think the fact that MS is spending sooooo much time and effort on Linux should be enough to have the PHBs look into it further. After all, if Linux is not a viable alternative, why waste time debunking it?
You got me wrong. The dude *didn't* know it was installed. He practically installed 99% of the proposed packages. I do run ssh on my home box and it is indeed a life saver. Cheers.
1. No sig. 2. ???? 3. Profit!!!
The strategy, called "Days of Risk," measures the number of days it takes programmers to release a public patch after a vulnerability is revealed.
Since M$ tends to not reveal security issues until they are ready to release a patch.....how fair a comparison is this?
Does that mean that MS is using its "security" forces to assault Linux? Well, if those forces are the people responsible for the past few MS security patches, then Linux had better run up its white flag... we don't want them anywhere near Linux with their WMDs (Weapons of Mass Dysfunction).
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
This is no time to get complacent. I have seen security issues with Linux as well as all the other alternatives. Beating Windows is not exactly difficult, but it is also not nearly enough. If a few slanted articles is what it takes to motivate the community to make Linux more secure, so be it.
Couldn't that be due to the time zone they're in? Then again, I could be wrong.
That should have been, "terrorist hacker in China."
Somebody should call Microsoft's Public Relations department and ask what 'associated applications' they are talking about, and also ask why they are comparing Windows Server 2003, which was released this year, to a version of Linux released SEVERAL years ago... I mean, wouldn't comparing Red Hat 9 to Windows 2003 Server be more appropriate?
Oh look.
A name and a phone number...
Microsoft Trustworthy Computing, Privacy and Security Issues
Name: Waggener Edstrom
Bellevue, WA
(425) 638-7000
[Something witty and intelligent should have appeared here.]
{Traicovn}
The Jacksonville Jaguars take on the San Diego Chargers!
Oy! Again with the Linux vs. Windows security comparisons.
Comparing those two is like comparing the Jaguars and the Chargers, the two worst teams in the NFL.
So Microsoft is going to go out hunting for bugs in Linux? Great! We always need more debuggers! And if MS pays some of them, even better! If they'd publish the source code for Windows (no need for Free(tm) Software or Open Source or accepting patches, just publishing it so we can see it) we'd help them out with debugging too. But meanwhile, we can fix the bugs they find faster in Linux than they can fix the bugs in Windows they find, and it's usually a lot safer to patch Linux systems than Windows systems.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Sticking feathers up your butt does not make you a chicken - Tyler Durden
Informative, Funny, and insightful! No. it's NOT my post!
We all know Microsoft produces inferior software, but they have more money to throw against the wall in campaigns to derail any OSS project out there.
Since the media is what counts in this world, it seems like its just a matter of time before the entire OSS community is cast as 'thieving pirates' and 'insecure, crap.. nothing free is good'.
Enough mass marketing of this, the public will believe it as reality, and we will have lost in effect...
Then next will come the legal battle as only criminals will want OSS.....
Laugh if you like, but it is their agenda.... And they DO have the funds to pull it off, and the patience....
---- Booth was a patriot ----
Unfortunately the article does little more than play the part of OS-War Meteorologist, but there was one quote we can sink our teeth into, according to Steve Ballmer:
"In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."
Now I'm going to figure that he's saying there were somewhere between 20 and 40 'critical' vulnerabilities in Red Hat 6 in the first 150 days post-release.
I assume that the reason he's picked Red Hat Linux 6 for this comparison is that it was the release which moved to glibc 2.1, and migrated to the 2.0 kernel. So he's picked a big move for Red Hat, instead of a point release. This isn't entirely fair (in fact it's hard to draw a close comparison on security issues) due to the fact that Red Hat 6.0 was released in April of 1999, whereas Windows 2000 wasn't released until February of the following year. Furthermore, Microsoft (wisely) relied heavily on a certain "Break into Windows 2000" campaign to test the hell out of that OS. (Remember the guestbook on that server? What a riot.)
Finally, comparing Redhat 6 to Windows 2003 is outright foolish. We may as well compare a freshly patched Redhat 7.3 to NT Service Pack 2 (though even this is an unfair analogy, 7.3 is far more stable than Win3k server).
In sum: Bah.
StrategyTalk.com, PC Game Forums
More than 99.9% of all viruses in the wild will only work with Microsoft software.
Sobig, Mimail, Sircam, Lovebug, Nimda, Code Red the list goes on.
Microsoft will say that this is because most computers on the Internet run Windows, but a look at netcraft.com shows that more than two thirds of web servers run Apache, and only about 20% run IIS.
Windows has more than 90% of desktops, but not more than 99.9%. I run Linux on my desktop, and don't even bother to run the Sophos antivirus client I have a license for; no point, no one could infect my desktop with any of the 80,000+ viruses Sophos detects.
If Microsoft are going to try this one then they will have to tell lies and pay for carefully run studies.
I bet they will not compare Windows and Linux viruses!!
. . . hunt those wascally viwuses?
MS can release "news" as a press release, and the newspapers eat it up. The public believes it. The hardware manufacturers "sell" this crap because they sell MS to consumers for Microsoft at a profit. Wall Street helps the process. Analysts hype the latest "features" for the latest vapor product from MS, due in 2012.
MS sells themselves to the public by issuing press releases. They can say whatever they want, as long as they make a claim that they're doing something. There is no accountability. No one holds them responsible. Consumers keep throwing money at MS. Occasionally, someone points a finger, but MS then releases more press releases about vaporware due in 200x.
Politicians do the same thing, "We need to spend more money on _____. We've been spending money on _____ for ___ years, and we've not solved the problem. We are renewing our effort."
In other words, "We're going to light some money on fire, pose for a few photos with the underprivileged, and then waste a lot of money on cigars, dinner, and entertainment."
Microsoft has excellent people playing the press release game. Everyone sells Microsoft products for MS.
How many people have actually met a Microsoft employee? Yet 1/2 of the planet owns or uses something with Microsoft products in it.
-- No sig for you!
is to read the report carefully and address any legit or even semi-legit issues it raises. One of the things we tend to do is to dismiss out of hand anything negative about Linux. What we should do is fix any process or technical problems this report finds. Not that we shouldn't point out the flaws in such a study, but we should always make the best of criticism rather than just get defensive. In the end this approach will make Linux that much better.
Any account in the Administrators group can elevate its security context to LocalSystem, and this can be done programmatically. This is good enough to prevent a user from killing CSRSS, but it offers no security against trojans and such.
Seems to me that Microsoft wants to draw the attention away from its own security issues, and put the focus on something else. Unless they have something to gain, they would just have SCO claim they owned the copyright to security.
boycott slashdot February 10th - 17th check out: altSlashdot.org
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Microsoft will be counting holes in their core operating system, which also comes with a Web browser, email client, and music player. From what the article says, they're not even including Office, certainly not IIS or any of their other products.
Red Hat has many, many more applications, with varying levels of complexity, development, and use. Almost no one will have all of these security advisories apply to them. So Red Hat, which ships well over four times the amount of software packages, has four times the bugs? GASP! And how many of these were remotely exploitable holes which caused machines to reboot almost continuously?
If you want to be fair, MS can count security fixes for the Linux kernel, Mozilla + Mozilla Mail, XFree86, Mplayer (hey, there was one), and whichever windowing system has the most bugs (hey, let's give them a little help, they'll need it). They have to pick one windowing system, because you won't be using multiple windowing systems at the same time.
I could go for the extra point and complain that Microsoft foists a Web browser and windowing system on anyone who wants to run a simple Web server, increasing the number of applicable security holes, but they're far enough behind already.
WMBC freeform/independent online radio.
Actually, how much MS code is written by Islamo-terrorists working in MS-India, vs the typical honest Indian coder?
How closely does MS inspect the code as long as it spits out the proper results? Click the icon, wait, and the dancing paperclip comes out, what else is happening in the background?
Outsourcing is good for the bottom line, but is it good for security in a closed source operating system?
Just like I tell my Algebra class, you should be prepared to show your work, if you have to hide the steps you took to get the answer, all I can surmise is that you got the answer from someone else's paper!
What would you rather have, Open-Source or Hidden-Source?
Write an article to loudly *teach* MS how to secure Windows.
They can choose to accept it, then the Linux camp take the credit.
Or they can choose to ignore it to save face, and continue to have security problems. People will migrate away from MS.
A WIN either way.
Find an unbiased third party to do the study. What, they want money to do the study? If it comes from MS, they've got an MS bias. If it comes from Redhat, they've got a Redhat bias. If it comes from IBM, it's got an IBM bias. What, you found someone to do a study for free? Then they must have a hidden bias, because they picked a winner and had to have done it for some reason because they weren't getting paid for it (you can think they don't, but you aren't going to convince the people wearing the tinfoil hats otherwise).
You aren't going to get a study done that everyone considers unbiased.
The only thing you can do is read the study when it comes out with a giant black marker, and anytime it's obvious that a particular result was due to testing bias, black it out.
The stuff that isn't blacked out when you're done reading the report is stuff you need to fix.
End of story.
The strategy, called "Days of Risk," measures the number of days it takes programmers to release a public patch after a vulnerability is revealed.
The question is: revealed by whom? Many times security problems have been reported to MS before the general public is notified, as a courtesy to MS. But there have been many examples of security holes that MS leaves untouched for months without even an acknowledgement to the original discoverer that there is a problem. Then the discoverer gets fed up after months of no response and informs the public about it. Lo and behold, MS engineers work on the problem and find a solution within days. Sure, the response time looks great if you count the days between public disclosure and public patch. But what about the time between initial discovery and public patch? If you include these dates, MS looks very bad.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Is that while everyone can audit every line of code of open source OSes, nobody (apart from Microsoft) can audit Windows... Who can say that Windows doesn't have backdoors to the FBI or worse?
we're not knocking anywons dieties? why so upset? won man's pathos, is another's fools' errand?
So can I. But two people can't.
If you are saying, nudge nudge wink wink, that Microsoft has programmers looking through FLOSS source for vulnerabilities, well, it wouldn't stay secret for long. They would be overheard bragging to each other, or misdirect a memo or email, or have second thoughts.
In addition, if these Microsofties are as good and hard working as the propaganda mills claim, then good that someone is finding more bugs for us.
Plus, these Microsofties won't be doing anything evil for the evil empire, but instead doing good for the rebels. This is like the FBI undercover agents in peace marches, great!
Infuriate left and right
And that can't be destroyed by whatever FUD Tactics.
FUD Strategies simply will not work.
Maybe I'm naive (or wise) ?
Regards,
First they laugh
Then they fear
Then they lose
If MS is running scared, we should be happy
Isn't this how Microsoft wins?
First they ignore you...as the Unix establishment did from 1985-1995.
Then they laugh at you...as the Unix establishment did from 1995 to 2000.
Then they fight you...as the Unix/Linux establishment is doing from 2000 on.
Then Microsoft wins...aka Longhorn.
The war has been going on for some time already. Maybe you just haven't been around long enough to see it clearly. Will this be cyclic with Linux?
Maybe some naive people will believe it, but this is by no means the first time Microsoft has cried wolf. Each time it is shown to be false, they lose more credibility.
This will bring security to more people's attention, and they will notice in subsequent reports that Linux holes get patched quicker and are less serious to start with.
There is nothing to fear here, instead this is a good sign, and will end up being good PR for Linux, at Microsoft's expense.
Infuriate left and right
...meet flogging stick
From the time that they acknowledge a bug until it's patched is VERY FAST.
The problem is that they won't acknowledge a bug until they already have a fix for it. Often bugs are known about by the world for months, and MS says there's no such bug. When they do acknowledge it, then yeah, there's a fix out within hours or a day or two at most.
So, apples and oranges. If Linux takes 4 days to patch a bug as soon as it's known, and Windows takes 4 months to acknowledge a bug's existence, then 2 days to patch, which is better?
Did they hire three mathematicians from MIT?
Here is my NEW INVENTION COMING SOON!
I have patented a brand new invention called the 'HACKO_METER', which I license for $699; it is based on a reverse two-prong graphical tree selection process. I am hoping to test it in major metropolitan areas.
You take one IT professional, and give him $500 in cash, if he leaves early, he only gets to keep $50. He is not told the task. Then lock him in 10'x10'x10' box with a computer hooked up to the net. Then he chooses which system he wants, Linux or M$. He is given the opposite of his choice. He is then told he must stay there until the computer gets a virus, trojan, spyware or hacked.
Unfortunately, a bullet/sound proof observation mirror is between him and the computer, so he can only watch as random people go up and surf the web and view email and listen to music. The 'HACKO-METER' TM uses a patented ongoing questionnaire that measures the resulting fear and frustration level as the IT worker watches idiots, neophytes and morons surf the web and do stupid stuff, hoping each one will download a virus so he can collect his cash. The IT person is released after 12 hours if no infection occurs (but he doesn't know that). He can leave any time and collect $50.
This 'HACKO-METER'TM patented test will not measure the reliability of each system, it will measure the pain threshold for each system, which I believe is a more accurate indicator of performance and reliability.
Yep, they fixed em.
Wake up, folks. It's more than FUD. Microsoft has had security problems in the past for the same reason that most software companies do. They didn't have a business interest in fixing them. Now that they do, watch out.
Just a few fun facts.
-MS is porting a huge amount of their code to managed code, this is the real solution to buffer overflows. I think it will be a long, long time before we see a move toward using safe languages in the open source community on any significant scale.
-MS has done a huge amount of education and culture/process transformation in the last year. As all good security types know, building secure software is about process, and MS is clearly poised to smoke most open source stuff in this area.
-MS research has produced some pretty cutting edge stuff such as SLAM to help keep bugs out of code via static analysis; again, count on MS to keep pushing on the tools front.
-MS patch management solutions seem to be quite solidly ahead of what is out there in open source.
-Testing...nuff' said
The open source community has the ability to produce a huge amount of stuff that mostly works. However, it's not at all clear that most projects out there can match the level of quality, or even clue about security, that we are seeing inside Microsoft.
Keep in mind that the Linux kernel, Apache etc. are the exception, not the rule.
If the open source community hopes to keep pace with MS in tightening down their code, some major technological and cultural changes are going to need to take place.
There is a whole lot of backslapping and smack talking right now about how secure linux is, but really not a whole lot in the way of process, technology, etc. to back it up.
Basically, if you think about it, we have everything we need for one good OS company. MS handles business/marketing, Mac handles user interface and user loyalty, and Linux peoples actually make the OS...
;)
(*BSD people and BeOS types can go on doing their thing
Returned Peace Corps IT Volunteer
Managing by numbers or statistics without looking deeper into the causes behind such "statistic"-heavy reports is a great recipe for killing your own business, and I am just amazed by how this FUD always walks that line.
It means that the MS reps calling MS customers found out that using the SCO case as a reason why Linux could be illegal to use no longer is working... so what do you think will be next? I'm going to guess they will start attacking specific uses of Linux, like Linux on the desktop... maybe even a few weird commercials like the ones where those office workers are celebrating just because they are using MS Office... only instead they'll show that they have all gone insane trying to set up Linux, or something to that effect. It's only going to get worse.
Microsoft has another roundup of critical patches out for Windows.
Now, on the one hand that's a sort of good thing in that the bugs aren't there anymore (at least not after you patch, we hope, not like DCOM) but on the other hand... have they been sitting on these vulnerabilities for a while until they could roll the fixes up neatly in a package with others?
That, too, is irresponsible...
I love the biased nature of the summary.
As if Linux people don't "hype" things against Windows, either.
Meanwhile, the rational, quiet people whose opinions aren't voiced in boisterous +5 posts all the time just watch from the sidelines, shake their heads, and use the right tool for the job, whatever that may be.
"Sufferin' succotash."
Hey, guess what? Microsoft is spreading FUD about Linux. Hey, guess what, Linux zealots everywhere are spreading FUD about Microsoft. And the reality?
the computers run by people who have a clue are reasonably secure. The ones that aren't? They aren't. And guess what? The only totally secure computer you can have has no information on it, no I/O, and is encased in concrete.
I think you just insulted the "Nigerians".
The Blaster worm defect was 5+ years in age. Now, in most cases you have 2 years for a virus writer to find and use a bug, or 4 months for a data thief. Linux is staying inside the safe space; note I would like it better, but nothing is perfect. But the Blaster flaw was known for sure in 1995. I found it then on a data thief's howto site (know your enemy). The reason for not patching was users want network connections out of the box. OK, why in hell did it allow the port through dial-up connections, and why in hell could you not disable it on network cards?
That is right, you have to install a third-party firewall. Here is Microsoft's biggest problem: no good default firewall. Most Linux faults can be blocked out by the default firewall. The next version will target programs, if everything goes to plan, which will make Linux even harder to attack.
Note the one in Windows XP is a poor firewall; a free one shipped with the OS would have been better.
The other defence of Linux is in most cases we do not have one program to do just that task. I.e. multiple FTP servers, different versions of Apache and removable modules, multiple email servers.
Basically Linux's defence is patch or swap out of operation. Swapped-out-of-operation stuff has patches that are slower because there is no need to rush the patch. I.e. if everyone has swapped out as directed there will be no problem. Basically a swap-out directive had better be called a full patch at the directive, or Microsoft has stuffed up its report.
Unless we're missing something... Who's to say that Microsoft haven't been doing a little unpublished research, looking for buffer overflows and other vulnerabilities that they're soon going to demonstrate?
[...]
If they like many of us see Linux as the biggest credible threat out there, they might resort to fighting dirty.
The thing is, most OSS developers I know (myself included) welcome public review and full disclosure. If I get advance notice of a security problem, I look at that as a luxury, and have no problem with finding out along with the public. Once problems are pointed out, it's usually easy enough to fix them quickly. Having Microsoft auditing open source code for free would actually be quite beneficial.
The reason full disclosure is so important is that without it, these holes still exist, circulating among the black-hats. Unlike Microsoft who'd rather sweep problems under the rug. Disclosing problems isn't "playing dirty"; it's step one in getting them fixed.
So, even if Linux was the most bug-ridden operating system with massive security holes, it wouldn't even matter. It certainly doesn't excuse one of the largest and most powerful software companies on the planet, i.e., one that can marshal a massive amount of resources and money to produce respectable software, from the ridiculous numbers of security issues and bugs that arise in almost every product they release.
Politicians love tu quoque, by the way.
--Rick "If it isn't broken, take it apart and find out why."
the OSS projects that make up Redhat Linux are an order of magnitude larger now then they were than. It stands to reason their response time to bugs will be better now. Not only that, but isn't win2k3 based off of win2k? It's not like win2k3 is a brand new product Microsoft cooked up from scratch. It's like comparing an early beta to a 3.0 release.
:).
Moreover, I'd like to know how Windows compares to Linux in the time it takes to get suitable workarounds available. In general, I see good workarounds within 24hrs for linux. Maybe Linux isn't being patched as fast because it doesn't need to be. If your design is good enough that you can workaround most problems, you can take your time with your patches and do them right
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Plus, only the paranoid survive. Microsoft proved more than once in the past that it is capable of spreading FUD and ruining everything in their way.
Remember? They hi-jacked the browser market!!!
I have heard comments from Ballmer, returning to me from some clueless sysadmin. The guy didn't even know what the origin of those statements was.
That is what FUD is all about -- it gets quoted in the media as just another thing someone said, but then it gets to unexpected places -- just like a rumor.
Also a point to remember we have much to thank in the Open Source world to the same rumor engine (no big expensive PR). We should know better than to underestimate it.
In fact we should have a well designed counter campaign -- explaining to people (and journalists) in a well organized and behaved manner what the truth is and point to the independent sources of information.
Open source forum. Usually talking about things of interest. It's not a soap box, it isn't television and it could not even be considered public.
Just shooting the shit.
1. Your position is vital to the company.
2. The position is NOT outsourced as they need someone on site every day to fix stuff.
3. You keep your job.
4. YOU Profit.
And all our base are belong to them? ;P Don't get me wrong, I love Linux, but when a journalist screws up a quote, I just have to have a little fun.
Un-news
And what happens after the first 150 days? If you have a look at the Microsoft Update Catalog, you find 24 Critical Updates for 2003 Standard Server.
For Windows 2000 RTM, there are 77 Critical updates and 5 Advanced Security Updates.
So maybe Linux (Redhat) has got more holes in the first 150 days, but they are solved after that. While for Windows we have just started counting. :)
What power has law where only money rules.
Maybe it's time a Linux company released a Microsoft Security FUD.....
The people at MS truly don't get it with respect to Open Source. All that the strategy of highlighting problems with Linux will do is:
1) Make developers aware of bugs.
2) Encourage developers to fix said bugs
3) Ultimately, Linux will get more reliable and secure.
MS should learn from their attempt to beat Apache - Open Source is a force of nature.
-- $G
Amazingly enough, many people don't gather all available evidence, analyze it, and think for themselves. They look around, see who's got it going on in the area in question, and adopt their "best practices". It's human nature, and it's what's driving Linux adoption right now.
My Linux Command of the Day site : LCOD
Wait until the report is out before you bash it? Linux does have many known security issues and is far from perfect, after all.
You are right and wrong..
On XP (Pro and Home), any accounts created during setup are part of the Administrators group and have NO PASSWORD.
Read the Q article
Q293834
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair
Quoting the original article:
"and the demographics of the user population,"
Err, isn't it a bit of a paper tiger to complain about their user population as a source of security concerns? I mean, if Linux really is better than Windows, it should be able to deal with those users as well.
Bring it on Micro$ludge !
Crisis is the rule, not the exception.
Would MS be unscrupulous enough to be actually planting real security holes in Open Source systems? Could they, with their huge funding, have actually been the ones behind the recent backdooring attempt in Linux? Could other projects, using less secure repositories, have been backdoored? I'm thinking of KDE, GNOME and Apache in particular here; they'd be obvious targets..
That would be an absolutely brilliant PR move.
"Microsoft Windows: More secure, because if you have security problems, it's your fault."
There is a difference in the ways of responding to security holes.
On discovery of a security hole, Linux's and other Open Source projects' way is to announce publicly that there is a security hole that needs people's attention; ways to safeguard oneself against the security hole are first discussed. A patch is then quickly produced and distributed.
On the other hand, on discovery of a security hole, Microsoft do *NOT* announce the security hole, fearing wide-spread exploitation would lead to catastrophe. A patch is produced in the meantime (when the general public has no awareness that a security hole even exists). At about the same time as the announcement of the security hole, a patch is released to the general public.
Microsoft might take advantage of this difference in the patching process to tip the scale in their favor. The public perception of "speed" of patching would be faster, because the patch is provided at around the same time as the announcement, when the actual time between discovery and completion of the patch may (or may not) be longer.
Windows is just an operating system and desktop environment, but almost every Linux distribution includes a full suite of applications - office, connectivity, scientific, graphics and so forth. Of course there are likely to be more problems where there are more places for them to appear. If you have a vegetable garden where you grow peas, beans, cabbages, carrots, potatoes, celery, onions, beetroot and turnips, then you are potentially vulnerable to more pests and diseases than a commercial farmer who grows just oil-seed rape.
Everything in the open source community is done under a rather large microscope. Good guys outnumber bad; so, statistically, there is a greater chance of a vulnerability being discovered by a good guy {who intends to get it fixed} than by a bad guy {who intends to exploit it for his own ends}. Everything closed-source, on the other hand, is kept under cover - until the covers are forced off. And anyway, it's better to make a mistake and admit to it than to pretend you never make mistakes.
At the end of the day, I will never trust someone who refuses to let me see their source code. If they want to hide something from me, I do not want to have anything to do with them - because what might be hidden in closed-source software is far, far worse than a simple error of programming.
Je fume. Tu fumes. Nous fûmes!
Sorry, but you can't base the security of an OS on the demographics of its userbase. There's either a bug or there isn't.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
I'm all for keeping everyone honest. After all, without some form of sanity checking, everyone is prone to getting a little carried away. Linux advocacy included.
But that sanity checking goes both ways.
Lines like this really make me chuckle. If I didn't know better, it would sound like Microsoft was the voice of reason. In fact, Microsoft is certainly capable of just as much, and often much more, hype in their own favor. They have a history of it. Furthermore, they often profit from pushing their technology in to every role whether it is "the right tool for the job" or not.
Yelling "black" doesn't make you any more insightful just because you're the kettle and not the pot.
Pointing out that a some other, "free", product has flaws is hardly a good defense for flaws in an expensive one.
A customer who takes this advice and removes Linux simply makes any Linux problems irrelevant - it doesn't make the past, present, and future Windows security problems magically go away.
Maybe source patches make sense?
M$ really ought to STFU, my saturated broadband connection isn't down to a load of Linux unpatched boxes doing MSBLASTER exploits STILL hammering my connection, along with existing Code Red infected machines causing my ISP's router in my location to send out continuous ARP broadcast storms.
Perhaps there should be a worldwide collated database from users on the attacks they currently receive, the results alone would make Mr Gates shit his pants.
Yes, I'm sure it has nothing to do with the fact that
1. you are an idiot
2. your tendency to use all caps makes you sound like an idiot
3. you don't understand how a modern free economy is supposed to work to create wealth for all countries
I hope you're happy. I responded to your -1 troll comment, so the slashdot moderators haven't squelched your free speech...unfortunately.
Go ahead and boycott slashdot. Spend your days here: http://www.hireamericancitizens.org/
I really like the fact that they are comparing an end user OS (RHL) to a server/enterprise OS. I would much rather have seen a comparison between RHAS. But even then, it's RedHat 6!!! Maybe someone should mention to them that RHL 6 is so old it isn't even supported any more.
I also like the fact how they are clumping "Linux" in with all open source...I would love to see how they reached these figures...and how would Windoze compare if we started including all of M$'s own software in with their figures...
But exactly who are they targeting with this? I mean, any sysadmin worth his salt will be able to see right through this and any manager that sees this will surely have a laugh once his Linux ppl tell him how it is...
I'm going to guess that their poor attempt at FUD is a response to Novell's merger with SUSE and IBM's subsequent investment.
What impresses me even further is that this is obviously the best they can do right now...which means that the Linux community is really doing its job when it comes to fixing bugs...
However, most geeks worry about holes in code, but those of us in security know that over 80% of "hacking" jobs are inside jobs. Some angered sysadmin gives out the password to a friend or competitor for $$$. Or, my favorite, someone calls, says they forgot their password, and the help desk or someone gives it to them. Those kinds of security holes are platform independent...
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Everything is integrated... So, if there's one security risk *somewhere* in the system, you can count on it that your entire system is exposed to that security hole. This goes even if you do not need the service in question. This makes each vuln. critical... quite painful.
If they want to get better on security then linux, they should do the following things, and then they might actually become more secure.
1) Get rid of the registry. It is a security risk, period (all your eggs in one little basket). It's also an unnecessary system load.
2) An operating system is an operating system... NOTHING MORE... In other words, integrate only those things which absolutely need to be integrated. (So no web browser, no e-mail client, no servers, no DirectX). The rest should be external programs or libraries, which should be treated as such.
3) Sanitize the default configuration...
A user should tell the system when he wants a server, otherwise no servers should be running.
Web browsers are exactly that: web browsers, so somebody on the web should not be able to execute or see things at your side of the line.
4) Don't automate things which don't need automation.
5) And last, but not least. Get some decent privilege separation (viruses, trojan horses anyone?)
Oh, and by doing these things Microsoft might make their OS perform better too. Most likely they won't do items 1, 2 and 4. These items ensure their control over the desktop... But until they do those 3 things, they *will* remain more insecure, unstable and slower than the rest; because 1 bug will affect the entire system. And bugs are rampant in a huge monolithic project like that.
For me that sounds like they are begging for a really devastating Windows Virus/Worm.
I would suggest rethinking their strategy.
I'm sure this will be along the same lines as the commercials they run for Windows, .Net, and whatever. Stupid people will see the commercial and think it's real when it's actually a bunch of actors and nothing is real. This study will be no different. They paid some people to put on a show. The end.
Microsoft Issues Security Patches every 2 weeks these days. (this set announced just an hour ago).
Great timing:
[shout]Hey, look over there! Linux has flaws![/shout]
[mumble]By the way, we have a handful of new remote root exploits on XP and 2k to announce...[/mumble]
MSRP - Tax, Title & Licence Extra. Your Mileage May Vary.
Default install of RedHat 9 compromise time: 10 days.
/.'rs seem to claim it is? No.
:)
Default install of Windows 98 compromise time: 4 years and counting...
I'm going to get modded down for this, but if I click the default crap on any Linux distro I'm more than likely going to install some god-forsaken client (in the case above, an ftp service) that will sit on an open port and eventually be scanned and compromised.
How is this any better than the RPC exploits?
I'd feel a lot safer if installations of *nix had easy to understand installation options.
Sure, someone can brag that you can get infected by Nachi in 6 seconds with an XP machine, but how often do you get rooted? How quickly do you notice? Is Linux as "fire-and-forget" as
Stick with Apache on *dows.
Windows has downloaded another critical update to apply....
When VCR's are outlawed, only outlaws will have VCR's.
Here's a question. Are they testing just the linux kernel or all the apps and things that come with it too? I think that's a major difference between windows and Linux. If that's the way they're going to do it then they can't really be compared at all. It's all just...FUD!
There's nothing like seeing something fail silently because you were watching it like a hawk.
Vindication of my contempt!
I don't know how bad it is that the rpc patch for Blaster was supplanted by a subsequent patch for the same area of code. If they didn't suck, I'd be inclined to give them a pass. Maybe it was an unrelated flaw that they found with a stringent code review. Since they do suck, I am content to assume they should have caught the second hole when they patched the first one.
Are you stating these as times since you did an install until you got compromised?
Because if you have a Windows 98 default install and give it an unfirewalled connection to the Internet with a real IP address you've got 5 maybe 10 minutes before you're compromised.
I'm assuming you meant ftp server and not client, as for your box to get 0wn3d through a client requires your participation to some level.
The Nachi virus *does* root you. That's what's amazing about Windows. Many Linux vulnerabilities allow some types of access, but full remote root vulns in Linux itself are rare. Windows just doesn't seem as infected because most virus writers aren't out to wreck your machine and delete your data. Nachi, or any of the other ones, could have easily deleted your files, or read them and mailed the goods to the bad guys.
I'd stake money that one day in the next couple of years some malicious virus writer will strike, and all Windows users will realize that every virus since Melissa has had full control of their computers. Unfortunately, until it happens, nobody will think that viruses are more than minor nuisances.
Or does it seem silly that Micro$oft is expending time, energy, and money to bash Linux instead of using that effort to work on the security problems they have?
Of course, it doesn't help the Linux community to bash Micro$oft, either. We incur the wrath of a company that has a bigger PR company than many of the companies that support Linux. And, unfortunately, the suits listen to the PR instead of the techs.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
While reading this article I received probably my 6th e-mail from NTBugTraq about a remote Windows hole.
Before it was taken down because they've fallen for more M$ marketing tactics about beefing up security, there were 31 unpatched IE vulns. I'm sure that Microsoft wouldn't count IE vulns in their Windows 2003 patches, since it's not really part of Windows...
It's sad to see the pressures of non-disclosure creeping back in after such a nice period of full disclosure.
Wake up people, we need full disclosure and exploit code to get Microsoft to patch anything.
Even if you buy the security through obscurity model (and I don't think you should), you have to accept that Windows code is not obscure. Not to the bad guys, anyway.
The Chinese government has the code. Every contractor in the Operating Systems Group (+dog) at MS has the code. Disgruntled employees and contractors at "major partners" (not us peons) have the code. Think the black hats don't have the code?
Now, who DOESN'T have the code? Me. Not that this matters, because I'm too lame to find holes via code review. What does matter is that no PFY can find them via code review, either. Which means there's an asymmetry. While pretty much any interested black hat can review the code, a small subset of white hats can/will, and few of them will be motivated. I'd much rather open it up to all the white hat PFYs looking to make a rep by PUBLISHING their finds. All MS has done is open it up to a subset of white hats employed by China, Russia, and large, mainstream IT (not where I'd look for talent in this area), and all the black hats.
It's the worst of both models.
Screw Microsoft and the shit pit they crawled out of!
That Bill has hired Darl as FUDmeister.
Now we know where that 50mil came from.
And we have already determined that Darl spent it all on crack..
and any engineer/programmer/sysadmin/techie who knows anything will typically wait for that third party to do a similar report. Only naive people will listen to MS because of their report.
I'm currently fighting an anti-XP battle at my organization; so far I'm winning on the basis of security flaws, but this FUD makes my job harder.
Most people could make a list of the number of MS OS bugs that have taken months or years to be fixed, if at all.
What they seem to be proposing is a pissing contest over the number of days it takes to fix a bug, which makes me wonder when they intend to start. When they can actually fix a bug within days? When they decide that a vulnerability is "allowed" to be public?!
I notice that Ballmer is taking the easy out by targeting Red Hat. Not a bad divide and conquer tactic, but a piecemeal approach could well backfire, because it's so easy to refute. A bigger problem is making yourself heard over the (soon to be) tidal wave of FUD noise...
Insecurity asks the wrong question; irritation gives the wrong answer.
After the article a few days ago on AP that said a dangerous trend was showing up. Too many people, businesses, and municipalities are leaving MS for Linux and it's actually starting to show in the bottom line.
Now they react, it wasn't important till it hit the wallet!
Professional Politicians are not the solution, they ARE the problem.
If it's on a linux distro, it's a part of the OS.
You can't just restrict your list of security holes to the kernel - NT's kernel has had only one security hole that I can think of in the entire time it's been released (almost 10 years), that one had to do with the debug privilege IIRC.
Most of the vulnerabilities found in Micro$oft products are in user-mode components (like dcom) that are included on the CD but can be disabled.
Just like linux.
You CAN make a strong claim that many vulnerable services on Linux are not enabled by default (Apache, Sendmail) while they are on Windows, but don't bring out the "If it ain't in the kernel, it's not a Linux vulnerability".
That dawg don' hunt.
And at the end of October, Ballmer gave the audience at Gartner's autumn symposium a taster of what was to come when he attacked Linux's assumed security superiority. "In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."
Aside from comparing an old version of a single distribution of Linux to the brand new version of Windows, leaving out the mass-market Windows XP, of course, the statement is failing to take into account the actual likelihood of exploitation, which is dependent on a few other variables besides the mere presence of said security vulnerabilities.
Just because a security vulnerability exists does not mean that it is so easy to exploit that every 13-year-old with a pirated copy of VB is going to be able to format your hard drive. Every OS has security holes, but whether or not they have 1023 or two does not matter if the two in the supposedly "more secure" OS are so easily exploited and so horribly intertwined with the OS that fixing them would mean breaking everything else in the system.
Quality, not quantity, Ballmer.
Just another freak in the freak kingdom.
Belief always starts with the wallet...
If you're making a living the Microsoft Way, your bias is theirs. The only way to be unbiased is to make your living using any available "tool", using Sun, BSDs, Microsoft, Apple and others, equally.
Guess that makes me a real big Linux bigot!
MS,
Does bashing others progress you any further down
the path of security? Or does it strengthen
the argument that something virtually free
is just as good as MS material or better?
Money wasted in the long run. They should be
concentrating on their own material. I think
they are losing focus of the whole argument.
It has just been revealed that Ballmer likes to suck Bill Gates' dick since Windoze is such a piece of shit.
If, through sheer brute force search, they do manage to find bugs in GPL software, then so what? Any problems that are actual bugs will be immediately fixed, and the net result will be Microsoft contributing to improving their competition's software! Any problems that aren't actual bugs will just make them look desperate. If that's what they want to do, I say we welcome 'em with open arms.
"Freedom means freedom for everybody" -- Dick Cheney
Last time I checked, Jim Allchin (VP at MS) talked about "unfixable security flaws" on the stand at the antitrust trial. That alone has made me laugh any time Microsoft starts talking about their security measures. Therefore, I'll take any talk on security Microsoft makes seriously only after they announce a fix for their unfixable flaws -- things like shatter attacks.
Do you like Japanese imports?
Maybe it's time for a pre-emptive strike, and to release the results of such a study before MS does.
The Linux report could show ALL the security holes, not the ones MS wants to show, how long it took to patch them, with an estimated cost of the hole and the time it took to patch. It should be aimed at PHB's and other non-technical types who make deployment decisions to show Linux's advantages over MS.
Maybe it's time for the Linux community to go on the offensive instead of reacting to MS.
How many remotely exploitable holes has the NT kernel had in its lifetime (10 years or so)?
Don't compare apples and oranges.
Concerning SCO, it's more like:
...
First, they ignore you,
Then they laugh at you,
Then they laugh at you,
Then they laugh at you,
Then they laugh at you,
Then they laugh at you,
Then they laugh at you,
Then they fi--
Then they laugh at you,
Then they laugh at you,
Wouldn't it be better for Linux if they focused on local exploits? After all, GETROOT.EXE clones are a dime a dozen on Windows, whereas on Linux, as soon as someone finds one (like that one in mplayer), it's fixed right away.
Karma: It's all a bunch of tree-huggin' hippy crap!
Microsoft working for open source? Giving away their hours to hunt bugs so we don't have to waste our time?
My brain hurts.
Why isn't google using them? :) I'll start believing Microsoft once the world's fastest search engine starts using their products.
...but you're hardly the first to realize this. Gandhi himself knew his tactics only worked because he fought a free society with a free press; his strategy of non-violence, in fact, was designed to use that free press to communicate the oppression without allowing himself to be labeled as an enemy. In other words, Gandhi chose his tactics after knowing his enemy.
To try to apply Gandhi's logic to this topic, we can let Microsoft continue its ruthless (and illegal) business practices, knowing full well that some people at least will see it and help fight it, and hope that the masses see it someday and stop supporting them. Or maybe that strategy isn't really applicable to this example, and this whole thread should be modded "offtopic."
It's nothing but crumpled porno and Ayn Rand.
My god that was hilarious... you owe me the dry cleaning bill for the shirt I'm wearing... It would not be covered in juice if it weren't for your above post.
Careful here. MS is known for creative accounting. The R&D figure includes things that other companies with stricter accounting policies put in marketing expenses, e.g. organizing expos and giving free software copies. Their R&D figures are not all research. You cannot trust the figures they publicize.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
They don't get paid either (although they go to trade shows and are rewarded with free MSDN subscriptions).
Mostly they appear ranting in defense of encroachment by other OSs into their ego zone: previously they had to fend off Amiga users, now Apples (which aren't "hardcore") and BSD/Linux (which is "too difficult, and thus for nerds").
Bleh.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Is anyone aware of Windows root kits with similar functionality to the kits that I've seen installed on many Linux boxes? Eg. packet sniffer, trojan ssh daemon, usually some kind of DDOS device, IRC bot etc. as well as various password cracking tools (l0pht crack?).
Do these exist?
Fudding should be illegal. If we know Gates is going to do this, we should put him in jail.
Keep your eyes to the sky.
n/t
How many remote holes in Linux, (10 years or so)?
Show me the NT Kernel!
How about some pointers to official documentation as to installing JUST the NT kernel, and no remote exploits along with the OS?
Every mainstream distribution of Linux gives the opportunity to install just the minimal kernel. The third party OSS applications that make up the distribution have to be selected.
The vulnerabilities in NT are coded by Microsoft, are they not? How much time did Linus put into ssh, or sendmail, or apache?
I thought so....
Can't help comparing apples to oranges, when at Microsoft, security is job 3.1.
But....
A multi million dollar code review being done by Microsoft for us for free. Imagine, they could find thousands of flaws, publish the results and within three weeks we could go from 2.6.0-test9 to 2.8.0-secure !!! Go Bill!
We must remember, however, that Linux can detect the flaws much earlier (more manpower with access to the source), and Windows generally starts counting from the first exploit :)
If it weren't for fog, the world would run at a really crappy framerate.
Any source for that?
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
I still laugh when I see people ask about Linux 8.2. It's hilarimous.
The tears of the overconfident/arrogant sales clerk are the sweetest of all.
Applications my man, applications. Usability is close enough that it doesn't matter any more. If you could get every windows game and every windows app for linux, we really wouldn't be having a "linux is good enough" debate. We'd be having a "linux vs. windows on the desktop: what is right for you" argument. And Linux would probably be "right for" most people if the apps were there. And they had broadband.
give it 3 years.
There are a lot of windows zealots. I just read something on securityfocus from one of them, about how it's the user's fault that there are security problems with MS. He's partially right, btw.
however, I kinda laugh because it seems like the linux zealots are getting lazy and the windows zealots are getting scared and desperate....
It's simple really. One team has lots of experience and is in tip top shape from the massive training they received. The other team is slower. They get woken up once in a great while to fix a problem. It's simple to note the fully mobilized team would have a faster response team. They have response finely honed by experience now.
The truth shall set you free!
Naive.
FUD tactics _DO_ work... how do you think Microsoft got their current market share, and held onto it in the face of superior competition (Mac, OS/2, BeOS)?
It certainly wasn't by having a superior product; it is well accepted that given versions of OS/2, BeOS or MacOS have always been superior to the versions of Windows available at the same time. OS/2 had the best chance, since at the time not only was it compatible and capable of running Windows/DOS programs, it was also considerably faster and more stable than Windows... How did Microsoft beat them? They held them back with FUD and then changed their API for intentional incompatibility.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
In the article they mention RedHat 6. Is Microsoft comparing vulns in Win2k3 server to ancient RedHat 6?
Ever wonder if they are hiding and protecting hidden code in their programs? I've never seen a company that twists around through smoke and mirrors and shady acts of bullshit.
I think MS should also stress that the hardware support in Red Hat 4.0 is abysmal!!! There is no USB support in it!! No Wi-Fi support! Just compare it to Windows XP where you can use almost any device you buy in the store!
The billparish link definitely is.
Working for necessity's mother.
Funnily enough, I just met one today. Not just a Windows zealot, but a *PowerPoint zealot*. Real asshole, as you'd expect.
He talked some smack about my baby, the office iMac. "It's not a proper PC, and it's not a proper Mac." Had I not been sputtering with rage at that point (you try being forced to hear a 45 minute conversation on the finer aspects of MonkeyPoint) I might have explained that it was the only machine in the building with a "proper operating system." But as it was I just ripped ass and waited for him to leave.
Wonderful term. Implies just a few days, and you know what - it's just risk - executives will take that one at face value. Slides right off the tongue.
Next time a virus hits, I'll be quoting that one to the board. A chart showing days of risk 320 out of 365 in red, days our goose was cooked (7) black, and the rest in purple indicating expensive unbudgeted overtime patching. PTL that MS is not running safety camps - it only takes a second to have a car accident, and a minute to drown. A punch-drunk operating system is horribly unacceptable to pointy hair, who was under the delusion that MS has sub-hour response times. Go for it.
Yes, there are plenty of those, but not expressed as a fraction of the MS user base, and rather than promoting Windows, they are defending it. That alone should speak volumes.
I for one welcome our new SCOviet Russian overlords to whom all our base are belong.
I am seriously wondering if anyone at Microsoft actually paid as much attention to the Halloween documents as the open source community does.
In the first document, the writer states: "OSS is long-term credible... FUD tactics can not be used to combat it."
If you install a workstation, you must explicitly request servers. You must punch holes in your firewall to run some software.
See my journal, I write things there
... for one OS in another, without emulator.
In such a regime, Mandela knew the next step after the "they fight you" step, which is "you fight back" followed by "you go underground".
And then you win.
IANAL but write like a drunk one.
The Mahatma knew his cause was just and that his supporters, and many in the side of his enemy, knew it. That was the context in which that saying was said.
Can SCO claim the same?
I think a good portion of the problem is a mentality difference. Windows users are more set it and forget it, used to a certain level of separation from the workings of the OS whereas Unix folk are more traditionally involved in every aspect of the configuration of their system. Only recently has the abstraction come to Linux with the install-everything-in-one-go abilities of so many distributions, but still admins and older unix junkies still are aware they have to configure things and secure them. Unix people in general pay attention to security news and install patches right away. Windows people tend to click on "remind me in 2 weeks" if they even have the auto update feature installed. I know people that are years out of date on updates.
One concession about Windows though, is there are so many things you can't turn off or uninstall. At least with Linux you can have no open ports if you so desire.
for the release of MS03-049 (i.e. Yet Another M$ OS Critical Patch!)
Don't be silly. 1.3 Billion of that R&D money was spent on DRM projects.
How can you possibly say they aren't serious about security?
Logical follow-up question is:
Security of who? And against what?
hany
Wi-Fi equipment is also "crippled" in such a way. Reason? Really "silly": so users of such equipment do not cook up their heads or the heads of some neighbours.
What a shame. :)
Freenet? Entropy? GNUnet?
- Voice of Ambience -
When we refer to a Microsoft vulnerability, we refer to software created by Microsoft, not just any software that runs under a Microsoft OS.
... vulnerability. A vulnerability in the linux kernel version 2.4.5 is a linux vulnerability. A vulnerability in rpm is a RedHat vulnerability. A vulnerability in OpenOffice, etc.
A vulnerability in WinAmp (for instance) would not be considered a Microsoft, or even a Windows vulnerability. It would be considered a vulnerability in an application that runs on Windows. It might also be a vulnerability in a version of that application that runs on other OS's.
A vulnerability in Apache is not a Linux vulnerability. A vulnerability in Apache is certainly not a RedHat, or SUSE, or Debian, or
On the other hand, a vulnerability in Windows 2k, Exchange, Outlook, Internet Explorer, Windows Media Player, Word, Excel, Visual Basic, etc. is a Windows vulnerability.
Since most people don't bother to examine boundaries (hmmm, socially engineered wetware buffer overflows?) it is easy to send this entire discussion off into outer space.
Damn, I think I might have already exceeded my MTV attention span limit. No One is probably reading this anymore. They've all gone to check their E-Bay bids.
To recap:
It doesn't matter if they are lying or not, or if Bill lied, or George lied. LOOK!!! There's Elvis!!!
The issue is scope, and we have allowed the scope to be whimsically defined. The scope is self-referentially defined as Windows vs. Linux vulnerabilities but we all apparently have a problem following a train of thought without flying off to Vegas for a long weekend of drinking and gambling... I wonder if they use windows in those slot machines? Hmm. People in Vegas stay up all night a lot don't they? I heard George Bush stayed up all night once with Bill Clinton at a Whitewater development party.
Ultimately the whole thing is a convenient distraction from more important social issues that, because of the limitations of our collective intellect, we can't deal with either.
For those of you who made it this far, I will recap one more time:
Vulnerability in software created by X = vulnerability in software created by X.
Vulnerability in software created by Y that runs in, under, on or needs in some other way software created by X = vulnerability in software created by Y.
Vulnerability in Exchange = Microsoft vulnerability.
Vulnerability in sendmail = sendmail vulnerability.
Vulnerability in sendmail running on windows != windows vulnerability.
Vulnerability in sendmail running on linux != linux vulnerability.
Vulnerability in sendmail running on RedHat != RedHat vulnerability.
Vulnerability in RPM = RedHat vulnerability.
Vulnerability in RPM when run on Debian system = RedHat vulnerability.
Have you tried corel 10 for windows? It is very slow. Does that count as office...hmmm. So you actually like windows...maybe I should give it a try too...can I make a beowulf of it? Can I diskless boot it? Can I have multiple keyboards/screens? Can I get it free(just to try it first)? Which distribution will run in 64 bit mode on my new AMD64?
I don't really know the answers to these things, should I? Oh! Can I run it on my playstation?
The only reason people make viruses for Microcrap programs is they're such a large target that, I'm sorry, is not at all hard to exploit (excuse spelling), and besides, unless you're an idiot and trying to be malicious, most people only use exploits/viruses to gain more control over their systems and take it away from Microsoft. Let's face it, Microsoft loves it when people do this: 1) it puts their products right on the front page of the news and 2) they learn their exact weakness and apply new patches, because you know that all the computers in the company use "Windows"... yeah, my ass, it had to be created by something.
So.. are you really the star queen of old?