Security FUD On Linux

bobmatnyc writes "InfoWorld reports that Microsoft is planning an "security assault on Linux" by hyping results of a commissioned study pointing to the number of security holes in Linux vs. Windows, the number of days it takes to fill the patches, and by raising questions as to the reliability of code submitted throught the OS process. I suppose if they focus very narrowly on one measurement of security, completely ignore script-level vulnerabilities, default settings vulnerabilities (such as root access for all users), and the demographics of the user population, as well as a zillion other things I'm not clever enough to think of off the top of my head, they may have a point. "

Talk about shooting yourself in the foot

[coolmacdude]

A good rule of thumb in competition is to only start wars you know you can win. Something is not clicking here...

Re:Remotely vs. locally exploitable

[BrynM]

It's their report and their numbers. Do you think that they would highlight the areas in which they are weak? The report will probably focus on printer exploits or something just as inane. I think the original submitter was right in the idea that they will ignore Outlook/Script exploits and focus on the OS itself (I know - not a good track record there either, but it's better). Since they are presenting data on the time to a fix, I know that they are ignoring the time that the public doesn't know about an MS exploit and making it seem like they work coding miracles. They may have hit on a very subtle point with Linux security without addressing it directly: Linux exploits get reported sooner and OSS coders encourage others to report exploits quickly. MS obfuscates their exploit reports and would rather only know about them behind closed doors.

Re:Root access? No.

[foniksonik]

This is true... Windows gives just enough access to really mess things up and not enough access to do anything about it.

Re:Good Call!

[ppanon]

This will prompt "virus writers" to further cloak their sources, making it even harder to bust anyone, while the MS platform remains unsecure.

Well, I don't know about that, but I think it will change the makeup of the virus-writing community. If Microsoft had done this 10 years ago, it might have made a small effect. I have gotten the impression that, back then, virus writers mainly did it for exposure and bragging rights. If you could no longer brag about it because it increased the odds that someone you bragged to would turn you in for $$$, it might have dissuaded a fair number of virus writers.

However now, a substantial number of virus/trojan/worm writers seem to write cyber-parasites to get zombie machines to play core wars-style turf games on the Internet (such as DDOSing the people they don't like) or to spam for money.

The motivation is no longer the same and these bounties are likely to have much less of an effect. It's too little, way too late.

Re:As if...

[Lodragandraoidh]

I started out as a Dos/Windows user from day 1 (actually I really started out as a TI 99a user - but that is another story). I have also managed and used all of the windows operating systems from Win 3.1 up to the present Win XP. When I didn't know any better, I used to think the DOS command line was the best thing since sliced bread, and batch files were my scripting nirvana.

Then I started using *nix. I loaded Linux for the first time in 1992, and have been using it ever since. I was also a Unix system administrator during my career, and was using Sun systems in college before that. I learned the tool building paradigm of Unix, and absorbed awk, sed, perl, python, lisp, java, and a host of tools unheard of in the Microsoft world. Things that I spent hours accomplishing with Windows and DOS, I was accomplishing in minutes with Linux.

From my vantage point, it is plain to see that the Microsoft products are not up to the task of being a general purpose workstation/server operating system. When compared to industrial strength Unix and Linux distributions, it is a toy - and should be advertised as such.

I think the key distinction we need to understand is the ability of an end user to ameliorate security problems and other bugs when they manifest themselves. In *nix, usually the source code is available for modification, or a work around can be accomplished quickly with a scripting language because of the clear text interprocess communication mechanisms available. On the Microsoft side of the house, we are clearly dependent upon the good will and scheduling of Microsoft to get the fix implemented - and there is not much we can do to alter the outcome. So, the choices are independent ability to fix things, as needed - or Big Brother Knows Best; I know what I prefer.

Given the above, Microsoft is never the 'right tool for the job', unless your job is a toy application that is expected to be obsolete within a few years. The simple measure of this is to look at all the DOS applications that are currently being used by end users, versus *nix applications (albeit in GNU form) - *nix wins hands down. Don't believe I haven't tried using various DOS and Windows tools - but they just don't have the overall flexibility and usefulness that can be plentifully found under *nix.

What really boggles me about this whole issue is how people can be screwed by MS a thousand times over (non backwards compatible file formats, blecherous incomplete implementation of java, a malformed central configuration repository that causes complete system meltdowns when corrupted - that end users are not shown how to backup out of the box, etc...the list goes on and on), and yet come back smiling for more! What is really amusing (sad, really) is how I see some people rationalize that they were the ones at fault: "It was silly of me to build my spreadsheets in MS Works 1.4 back in '85 - what was I thinking! I should have copied all those entries across to Excell back in '95". To me this is a red flag that I am being taken for a ride. I woke up. I hope you do too.