Security FUD On Linux
bobmatnyc writes "InfoWorld reports that Microsoft is planning a "security assault on Linux" by hyping results of a commissioned study pointing to the number of security holes in Linux vs. Windows, the number of days it takes to fill the patches, and by raising questions as to the reliability of code submitted through the OS process. I suppose if they focus very narrowly on one measurement of security, completely ignore script-level vulnerabilities, default settings vulnerabilities (such as root access for all users), and the demographics of the user population, as well as a zillion other things I'm not clever enough to think of off the top of my head, they may have a point."
As somebody pointed out to me not too long ago, as long as MS talks about security holes that are remotely exploitable, I don't think Linux has anything to worry about.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
First they ignore you
Then they laugh at you
Then they fight you
Then you win
Mohandas Gandhi
Physicists get Hadrons!
Linux isn't perfect. By design, the implementation, or the way people admin their machines.
There is an understanding that MS is also not perfect. People expect security holes, and bugs and crashes.
I think it is good that this might result in a nice list of where Linux has gone wrong in the past, and what hurdles to overcome in the future.
If the competition wants to make you the "Build a better OS HOWTO" I think they should be as free as anyone to add to the LDP.
Given that Microsoft got caught lying to a Federal judge (during the antitrust case) why is anyone surprised that they'll lie to their customers?
Isn't that a given?
Anybody looking to a vendor to provide accurate data about its products or the products of its competitors deserves the crap they get.
DG
Want to learn about race cars? Read my Book
such as root access for all users
On Windows, even the Administrator account (which is the level that lots of people log in to) is not really root access. The Local System account is comparable to root. The Administrator has control over all user-controllable parts of the OS but there are parts that are not user-controllable.
Any sufficiently simple magic can be passed off as mere advanced technology.
That's no help at all if arbitrary users can elevate themselves to administrator privileges. NT-XP is fundamentally broken. Maybe the next version of Windows will solve this design problem, but I doubt it.
This hole exists and actually has working exploits.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
They're taking the appearance of security seriously: whether or not the security is real is effectively irrelevant to those who can't tell the difference. (It's a matter of who they listen to, and whether that 'who' is Micro$oft.)
John_Chalisque
You haven't "worked" in IT, have you? Part of that time is testing the patches to make sure they work and don't break something else worse than what the worm/virus/hole will do. Anyone who lets Windows update run fully automated on production servers is a fool.
Microsoft's apparent idea of security is to sue people who expose vulnerabilities and to put out bounties so that others who might be encouraged to exploit those vulnerabilities would be afraid to do something. This doesn't suggest that Microsoft is taking security seriously, it suggests that they're pissed that people are exposing how Microsoft ISN'T taking security seriously. Microsoft can create as many initiatives as they want, but so long as they continue to live in the world where providing dancing paperclips on the screen in a single click is more important than making sure that users have to actually understand their machines before letting programs change system files - they aren't doing the world or themselves any favors.
They also have the cash to pursue security problems, their problem appears to be design flaws that can only be 'corrected around'.
An obvious example is integrating their Web Browser into their OS to screw Netscape, a political decision taken by his Billship. Bugs in IE lead to the equivalent of root exploits, bugs in Mozilla mean that one user account can be compromised.
Another political decision has been to install software to offer all kinds of services, basically to keep third party vendors out. This software defaults to being active. What was that database port vulnerability again? Another consequence of this is that a virus/worm writer has a reliable idea as to what components will be running/active.
They have the cash for PR *and* fixes, but political decisions have led to a situation where this does not help. Having said that, if as many computers ran Linux as the various Win versions, we would also be seeing more problems than at present - they just would not be as serious.
Mielipiteet omiani - Opinions personal, facts suspect.
The biggest score Microsoft has had is convincing its users that all of the rebooting and crashing and poorly-designed security features are to be expected in powerful software, and to expect to not only pay for such software, but buy extra software and pay consultants to work around these misfeatures.
I don't know if making "Redhat" a synonym of "Linux" is all MS's fault though.
It's been said many times before, but it bears repeating:
The truthfulness of a statement is independent of the number of times it is repeated. (Is not! Is too!, is not! is too! is not times infinity!)
First, they ignore you,
Then they laugh at you,
Then they fight you,
Then you win.
SCO have been ignored, laughed at, are being fought at the moment, so do you expect them to win too?
Exigo spamos et dona ferentes
From the time that they acknowledge a bug until it's patched is VERY FAST.
The problem is that they won't acknowledge a bug until they already have a fix for it. Often bugs are known about by the world for months, and MS says there's no such bug. When they do acknowledge it, then yeah, there's a fix out within hours or a day or two at most.
So, apples and oranges. If Linux takes 4 days to patch a bug as soon as it's known, and Windows takes 4 months to acknowledge a bug's existence, then 2 days to patch, which is better?
This has been a long time coming, from the looks of it--Many of you are probably familiar with the Halloween documents, "an internal strategy memorandum on Microsoft's possible responses to the Linux/Open Source phenomenon." This was back in 1998. MS verified the documents as authentic but claimed it was "a mere engineering study that does not define Microsoft policy."
They've probably been building up a case for a long time. But as Linux is systematically sound, they've apparently been forced to find specific, technical problems since their Ominously Vague Murmurs don't seem to be taking. The problem for them is whatever they pick is, by definition, fixable and not an element that defines Linux as Linux. Additionally, if you find 50 holes in Linux and 25 in, say, Windows Server 2003, that's not nearly as relevant as the average lifespan of the hole. With all the Linux distros, there may be dozens of holes at any given time, but there is only one Windows Server 2003. I challenge them to focus on one major distro.
Lastly, MS has been coming off increasingly hostile and banging the "Linux BAD!" drum so obsessively, that they run the risk of sounding like they're accusing corporate Linux licensees of incompetence, rather than trying to merely educate them.
So, even if Linux was the most bug-ridden operating system with massive security holes, it wouldn't even matter. It certainly doesn't excuse one of the largest and most powerful software companies on the planet, i.e., one that can marshal a massive amount of resources and money to produce respectable software, from the ridiculous numbers of security issues and bugs that arise in almost every product they release.
Politicians love tu quoque, by the way.
--Rick "If it isn't broken, take it apart and find out why."
Pointing out that some other, "free", product has flaws is hardly a good defense for flaws in an expensive one.
A customer who takes this advice and removes Linux simply makes any Linux problems irrelevant - it doesn't make the past, present, and future Windows security problems magically go away.