Security FUD On Linux

bobmatnyc writes "InfoWorld reports that Microsoft is planning an "security assault on Linux" by hyping results of a commissioned study pointing to the number of security holes in Linux vs. Windows, the number of days it takes to fill the patches, and by raising questions as to the reliability of code submitted throught the OS process. I suppose if they focus very narrowly on one measurement of security, completely ignore script-level vulnerabilities, default settings vulnerabilities (such as root access for all users), and the demographics of the user population, as well as a zillion other things I'm not clever enough to think of off the top of my head, they may have a point. "

Finally!

I've been waiting years for Security FUD to run on Linux. I'm glad someone was able to port this over from Windows.

Re:Finally!

[msh104]

if that would just be all, 100 dollar on it that they are going only going to compare limitations of redhat only (perhaps even an old version) with their microsoft product. why don't they just spend that money and time on fixing bugs in windows instead of finding them in linux. perhaps we should create a bugzilla for them so they can post the problems they find there, i am sure someone will fix them.

Re:Finally!

[u-235-sentinel]

Fortunately in the words of Microsoft... we don't need perfect code.

Are they retracting that now?

Re:Finally!

[joseph.moore]

About a year ago, a prominant PC magazine did a comparison of security flaws between *nix and MS Windows. As you may recall they took a total of listings from the CERT database for *nix and compared it to a single Windows version. Quite a trick! Will Microsoft try that stunt again?

Re:Finally!

[Blikbok]

The biggest score Microsoft has had is convincing it's users that all of the rebooting and crashing and poorly-designed security features are to be expected in powerful software, and to expect to not only pay for such software, but buy extra software and pay consultants to work around these misfeatures.

I don't know if making "Redhat" a synonym of "Linux" is all MS's fault though.

Re:Finally!

Because they did that for a few weeks, that's when they discovered that marketing people do not have great coding skills...

Re:Finally!

[morleron]

I suspect that you're probably correct to a degree. However, I think that MS will probably dump all security problems, whether they're actually part of the Linux OS or not into the hopper and use that as their basis of comparison. For instance, problems with OpenOffice will be counted, but problems with MS Office won't because "MS Office is a separate product, while OO is distributed as part of the Linux system." This approach of counting Linux app problems against Linux, but not counting similar MS app problems against MS has been used before.

I'm not going to lose any sleep over a new MS offensive as the truth of the situation is obvious to anyone who looks at the situation with an unprejudiced eye. Yes, Linux has problems; yes, sometimes it takes a while to get patches out; yes, the Open SOurce process doesn't necessarily have a single point of contact when it comes to fixing a problem. The fact remains that, by any honest count, Linux has fewer problems, the problems get fixed faster, and the lack of a central contact means that a potential fix can come from anywhere. MS FUD notwithstanding I don't recall that Linux servers and workstations had problems with SOBIG, Blaster, etc. Let's approach this issue carefully and not fire until we see the whites of Microsoft's eyes.

Just my $.02,
Ron

Re:Finally!

[Progman3K]

It's been said that some day operating systems will be commoditized and that Microsoft knows this, but they aren't quick to step away from a market they make billions from...

So before they retreat from that business-model, we get THIS. An attempt to diry the competition they are afraid of by any means available.

Still, it's ALWAYS bad form to try to raise yourself up by bad-mouthing someone else, isn't it?

And it's ven more sad because it's doomed to blow up in their face...

Re:Finally!

[kasperd]

I don't know if making "Redhat" a synonym of "Linux" is all MS's fault though.

At least Red Hat is doing what they can to change that. But I guess there will just come another synonym of Linux, the question just is what it will be. Fedora, SuSE, Debian, Mandrake, or possibly something else?

Reward Program?

[BrynM]

From the article:

Last week, the company announced a $5 million reward program aimed at bringing virus writers to justice. Although it is unlikely to reap any tangible results, the message was clear: Microsoft is taking security seriously.

How seriously can they be taking it if all they did was start a $5Mil smoke and mirrors reward program? Tackling security problems with PR is not taking security seriously, it's being flippant with your solution. I wonder how much this program will eventually pay out. They didn't say that the reward was $5Mil, just that they allocated $5Mil to the program for creating rewards. Is that program in the marketing division or is it a real program?

Re:Reward Program?

[John+Allsup]

They're taking the appearance of security seriously: whether or not the security is real is effectively irrelevant to those who can't tell the difference. (It's a matter of who they listen to, and whether that 'who' is Micro$oft.)

Re:Reward Program?

[drooling-dog]

They'd probably be better off if they just shut up about the issue and hope it goes away. Drawing attention like this could easily backfire.

Re:Reward Program?

[smackjer]

The key phrase is "if all they did was...". Is this all they're doing to improve security in Windows? It's just one way to try to (a) dissuade virus writer and (b) get good press. Microsoft has launched security initiatives, which includes training their programmers to write more secure code, developing tools to analyze their source code and find common security holes like buffer overruns, and using managed code (like C#) instead of the potentially insecure C++ for new projects.

Re:Reward Program?

[Crimson+Midget]

Agreed. A realistic program might be something more like a reward for MS developers who take the time to dig through code and discover exploitable holes.

But really, with things like this, MS can simply release some statement with a lot of bluster, shouting random dollar figures and come out looking good. People will remember the original announcement and the high figure, but they'll never try and followup on it, find out if it's worked, find out if anyone's been paid.

I doubt there'll even be a /. followup on something like this. But even if there were, your average managerial unit wouldn't see it. They'd come away from all this with the thought, "Microsoft is taking security seriously." They'll believe it, they'll post it in memos, they'll repeat it at meetings with clients. Microsoft can say anything they want, put a dollar figure behind it and there will be people who believe it. And MS knows it.

The real virus writers here? Microsoft's marketing department.

Re:Reward Program?

[Jaysyn]

Didn't their "training" end up being a week long workshop or some crap like that?

Jaysyn

Re:Reward Program?

[iso]

The whole thing is ridiculous on so many levels. $5 million for a "rewards program" to Microsoft is about equivalent to me spending $30 on a haircut. In either case it's an example of spending a marginally more money in the hopes of looking good without actually changing anything.

Re:Reward Program?

[PierceLabs]

Microsoft's apparent idea of security is to sue people who expose vulnerabilities and to put out bounties so that others who might be encouraged to exploit those vulnerabilities would be afraid to do something. This doesn't suggest that Microsoft is taking security seriously, it suggests that they're pissed that people are exposing how Microsoft ISN'T taking security seriously. Microsoft can create as many initiatives as they want, but so long as they continue to live in the world where providing dancing paperclips on the screen in a single click is more important than making sure that users have to actually understand their machines before letting programs change system files - they aren't doing the world or themselves any favors.

Re:Reward Program?

[PierceLabs]

But of course I can see why they're upset. They know that the Windows desktop and Office product suite cannot sustain them going forward. They planned on making a move into the server side with web services and the like and they aren't getting traction - indeed losing position that they once had, so now they're desperate to demonstrate to the world that 'yeah we suck - but look at those guys!' Stupidity at its finest.

Re:Reward Program?

[smackjer]

It was a month, which is a long time for a programmer to be away from his desk. This initiative alone cost Microsoft MUCH more than $5M.

Re:Reward Program?

[GooberToo]

Microsoft is taking security seriously.

LOL. The correct quote is, "Microsoft 's Marketing Group is taking security hype seriously."

I think it was a misprint. Seems Bill doesn't know anything about the security initative that his marketing group spoke of.

Re:Reward Program?

[kinzillah]

thats an expensive haircut

Re:Reward Program?

[jazman_777]

They're taking the appearance of security seriously: whether or not the security is real is effectively irrelevant to those who can't tell the difference. (It's a matter of who they listen to, and whether that 'who' is Micro$oft.)

My question is, the people that buy into Microsoft's Propaganda Ministry, how does the market punish them? Because there should be some economic advantage to using a more-secure system. Or is that advantage overshadowed by other economic advantages of using Microsoft?

Re:Reward Program?

[dipipanone]

I thought this quote from the first of your Groklaw links was interesting:

"One of the best-publicized examples are a series of Linux-based supercomputer clusters used at Los Alamos National Labs. The most recent, Lightning, is used for the Advanced Simulation and Computing program, which is used to design and modify the US nuclear arsenal without requiring test" detonations."

So, can we infer from this that the SCO?Microsoft attacks on Linux are anti-American? Or just an attempt to undermine US national security?

Re:Reward Program?

[kardar]

I just hope that they don't create FUD to the point that the situation becomes ripe for an "attack" - that is, insult Linux, stage a DDOS or something.

This complete and utter nonsense is almost designed to piss people off, so it's only a logical step that it might become an attempt to further discredit Linux and other free / open source software by portraying Linux developers and enthusiasts as untrustworthy, irresponsible, disrespectful, malicious individuals. As long as we make it through this PR thing (if the rumor is true) without any kind of DDOS on Microsoft's servers, it'll be relatively inane.

There's always a trade-off between being on the cutting edge and being totally stable and secure; people need to weigh the pros and cons before they make decisions about these kinds of things.

If Microsoft were taking security seriously then they wouldn't be busy bashing other OS'es about security; this kind of nonsense, provided that the article, or rumor, is correct, is just wasted breath, because Linux security is not that bad, and Linux in no way makes Microsoft products less secure - there's no correlation.

Or maybe, just maybe... Microsoft is embracing Linux? Maybe they want to help make it more secure? One thing is for sure, Linux is NOT a waste of time. Microsoft certainly has to resources to contribute things to Linux, don't they? Instead of bashing it, why not help make it better? Thing is, it's pretty darn secure already.

When I saw this headline I thought it was a joke, but I guess it isn't. Kind of hard to believe, though - it's just so wrong.

The only fair comparison would be between software that is in development at Microsoft - beta Longhorn, for instance, or something like that. Linux is a very broad term that encompasses all kinds of levels of done-ness of software. Some stuff is in alpha, some in beta, some is in pre-alpha stages. Of course there are going to be bugs. If you want to use Linux, and you don't want bugs, you can't use alpha and beta software, and you need to go with the tried and true, not the cutting edge. I don't trust Microsoft to make those distinctions - it's not fair to compare development versions of one OS with stable versions of another. If you compare stable, non-cutting-edge versions of Linux with MS's current offerings, Linux wins hands down. Software that is under development is always going to have bugs - it's a fact of life.

Re:Reward Program?

[einer]

Actually, I think they're just re-directing attention.

Most of the patches released today address shortcomings in previous patches or new ways of exploiting old vulnerabilities. The security update released today to fix the most recent batch of Internet Explorer flaws replaces a patch that was issued last month, which was also a cumulative update.

It seems that one of this recent batch (of 9) is another IE vuln. Funny how their monopoly strategy is what's causing many of their problems. Funny like necrotic hemerhoids.

Re:Reward Program?

[vsprintf]

It was a month, which is a long time for a programmer to be away from his desk. This initiative alone cost Microsoft MUCH more than $5M.

And just look at how much better off the computing world is today! Makes me damned proud to be an American! (that was sarcasm if you weren't sure)

Re:Reward Program?

[smackjer]

If you're done trolling against Microsoft now...

Re:Reward Program?

[vsprintf]

If you're done trolling against Microsoft now...

The truth may be unpalatable to some, but that does not make it a troll.

Re:Reward Program?

[unother]

If you think that's an expensive haircut, then I fear for your appeal to the opposite sex.

Re:Reward Program?

[kinzillah]

You're fine as long as you stay away from the chain stores and find a good stylist/barber/whatnot that understands what you want. As for my appeal to the opposite sex, spending less money and getting a salad every day for lunch has helped more than a haircut ever did :D

Remotely vs. locally exploitable

[winkydink]

As somebody pointed out to me not too long ago, as long as MS talks about security holes that are remotely exploitable, I don't think Linux has anything to worry about.

Re:Remotely vs. locally exploitable

[BrynM]

It's their report and their numbers. Do you think that they would highlight the areas in which they are weak? The report will probably focus on printer exploits or something just as inane. I think the original submitter was right in the idea that they will ignore Outlook/Script exploits and focus on the OS itself (I know - not a good track record there either, but it's better). Since they are presenting data on the time to a fix, I know that they are ignoring the time that the public doesn't know about an MS exploit and making it seem like they work coding miracles. They may have hit on a very subtle point with Linux security without addressing it directly: Linux exploits get reported sooner and OSS coders encourage others to report exploits quickly. MS obfuscates their exploit reports and would rather only know about them behind closed doors.

Re:Remotely vs. locally exploitable

[cpghost]

Just have a look at bugtraq to get a feeling about how many bugs are Windows only, how many Linux/Unix related and how many cross site scripting (XSS).

We shouldn't fear biased comparisions which are made only to spread FUD.

Re:Remotely vs. locally exploitable

[Komi]

...they will ignore Outlook/Script exploits and focus on the OS itself...

But MS did a very good job of showing that Internet Explorer (which includes Outlook Express) is a part of the OS. I suppose now they'll overlook that detail.

Re:Remotely vs. locally exploitable

[Trepalium]

Chances are, they'll use raw number of published vulnerability reports. Say Windows 2000 versus Red Hat Linux 7.2. There would be a number of errors with this approach, such as the fact that nearly every distribution ships many different MTAs, FTP servers, etc, and they are generally mutually exclusive. Installing Sendmail and Postfix and QMail is probably technically possible, but highly unlikely, and usually completely impossible with official packages. There's also the fact that pretty much EVERY exploitable vulnerability gets a security advisory written up for it, unlike Windows, where Microsoft can slip a fix into the next service pack, and no one will ever really know about it. How many segfault bugs does Microsoft fix in their products that could be remotely exploitable if someone dig deep enough? I know I've seen advisories come out after someone dug up that a bugfix in an open source program actually fixed an exploitable hole.

The problem is, there's really no proof that either development process is better than the other. You can either accept the baseless claims from either side, or accept flaws conclusions from the public data that compares apples to oranges.

Re:Remotely vs. locally exploitable

[mindmaster064]

What is linux?

It's a kernel.. that's it..

At the "kernel level" neither Windows or Linux have very many problems.

Windows in its entirety is much more than a kernel. It's not even a fair comparison.

If you're comparing distros, well then.. You are much more likely to be exposed if you are running Red Hat/Debian/Whatever than simply running Windows due to the number of additional silent-ware installed that you probably do not know about. The only way you may be safer is running a stripped down or completely-customizable distro like Gentoo and for most WORKING people building kernels and packages all day is not practical at all.

Another fact that Linux geeks don't get. For every 1 person using linux, there are probably countless others running Windows. Bug frequency appears higher in number, but is lower as a ratio to the users. If there is one Linux user to every 100 Windows users and there are 10 Linux exploits a year vs. 20 for Windows then Linux would have much more vulnerability.

Let's assume that there are 1 million magic users in our comparison, that would mean that there are 10000 Linux users with 10 bugs one system exploit per 1000 users that leads to system comprimise.

Our Windows users are actually doing better because they're getting one exploit per 49500 users. Infact, the Windows people would have to get more than 400 bugs a year to even be competing with Linux on bugs. In our little example the numbers are fake, but it's not really that far-fetched if you put real user base numbers in the equation.

Real security is all about knowing this crap, even though the numbers are bullshit I'm mainly trying to prove the point that the bugs to user ratio is much more important. The chance of being exploited, the number of exploits, and the number of software packages are all factors. Just because Linux gets 10 bugs and Microsoft gets 40 doesn't mean "Linux Wins".. The Linux user base is much lower so the bug rate is exponentially higher than Windows.

Just some food for thought..

Re:Remotely vs. locally exploitable

[techno-vampire]

Anybody besides me remember Mellisa? A year later, the Love Bug struck, using the same, well documented security hole, which still hadn't been patched. Want to bet they're not including that data in the study?

Re:Remotely vs. locally exploitable

[ppanon]

That's true only if we can plubiicize why the data is misleading. Otherwise the public perception, no matter how erroneous, will be that Linux is less secure.

Re:Remotely vs. locally exploitable

[k12linux]

Since they are presenting data on the time to a fix, I know that they are ignoring the time that the public doesn't know about an MS exploit and making it seem like they work coding miracles.

Yeah, I keep expecting MS to issue a press release some day expaining how they everage 1.5 hours between security hole discovery and patch release. They'll have the advantage of all those "negative time to patch" when they release a patch and only later tell the public about it because some security firm leaks details.

Heck, maybe they can count the ones they NEVER tell the public about and have an infinately small average time for patch releases!

Re:Remotely vs. locally exploitable

[black6host]

So, all else being equal, your system is more secure, or the vulnerability becomes more acceptable as the number of Linux users increases, because the bugs to user ratio changes?

Re:Remotely vs. locally exploitable

[cpghost]

Another source for bias is that open software developers pro-actively seek to find, publicize and then stamp out bugs and security breaches.

Proprietary closed source software vendors generally tend to cover up their tracks, not to publish bugs unless they're caught red-handed, and would at best re-actively handle security.

All in all, the bad guys (pun intended) will always have the advantage of hiding their (coding) mistakes, something open source can't. Advantage w.r.t. biased security benchmarking, that is.

Re:Remotely vs. locally exploitable

[jardun]

Forgive me, but I don't see why the bugs:users ratio is important. It seems that 10 Linux bugs for 1000 Linux users is much less of a security problem than 100 M$ bugs to 1000000 MS users. Sure the M$ ratio is better, but with multitudes of users, especially users who are for the most part ignorant of the system's workings, a hole for M$ is much more likely to be a large problem.

Re:Remotely vs. locally exploitable

[bex+l]

I doubt they'd include it because they probably had a patch out for it. The fact that only tech savvy people and diligent people would have applied said patch won't be in the report.

Re:Remotely vs. locally exploitable

[bex+l]

I'd disagree. If it goes on then the media will (probably) pick up on it and publisize that microsoft is building a smear campaine. It could well just blow up in microsoft's face. And the linux community don't have to look like they're just as bad.

Re:Remotely vs. locally exploitable

[vsprintf]

Just because Linux gets 10 bugs and Microsoft gets 40 doesn't mean "Linux Wins".. The Linux user base is much lower so the bug rate is exponentially higher than Windows.

Congratulations! You just won a Darwin Award and a free copy of Studio.NET. Please come on down and collect your rewards while the rest of us applaud loudly.

Re:Remotely vs. locally exploitable

[BigRedFish]

You are much more likely to be exposed if you are running Red Hat/Debian/Whatever than simply running Windows due to the number of additional silent-ware installed that you probably do not know about.

Strike that, reverse it. Linux warned me about every port I opened when I installed. Windows silently opens critical ports and you couldn't close 'em if you wanted to. [Sometimes they flat-out ignore you. Try custom-installing MS Office 2000 and tell it you DON'T want Outlook Express. It'll install anyway. Sendmail's bad too, but if I say no sendmail, I get no sendmail.] MS's solution is to leave all the ports open and add yet another background process to block them again, and we won't even see it 'till next year. Wattaya bet it only blocks the ports that are used for attacks now, and leaves others open for future attacks? Antivirus to block incoming admin-level code that never should have been installable in the first place and can't be stopped at the OS level, firewalls to block ports that shouldn't be open in the first place and can't be closed, mail filters to block the SYSTEM-level VB scripts that never should have been auto-executed in the first place and can't be turned off, and buying ever-faster CPUs and ever-more RAM, so that you can run Windows at the same speed as before while the extra performance you bought is sucked up by band-aids on top of band-aids. And you still end up infested with spyware. Yeesh.

If I installed Windows on my machine, without a Linux box to run blocker, my mean time to infection would be under 30 seconds. By the time I logged in, fired up regedit, and started closing vulnerabilities it would already be too late. See below for explanation.

Another fact that Linux geeks don't get. For every 1 person using linux, there are probably countless others running Windows.

Wow, thanks for that news flash. I had no idea. So THAT'S why there isn't a computer store in the state that carries products for my platform. Who knew? I had an inkling there must be a massive number of Win boxes out there from my firewall logs. See below.

Our Windows users are actually doing better because they're getting one exploit per 49500 users.

Huh? My firewall drops all packets that are known Windows root exploits. According to my logs, I've been averaging one every ten seconds, for the past 8 months solid. During the mass-outbreaks a few months ago, it was even more, about 1 every 2 seconds for a couple of weeks there. But now it's back down to one every 10 seconds or so, so I'll take that as a normal level of Windows infections. That's six per minute, 360 per hour, 36,024 per day, 1,080,720 per month, 12,968,640 per year - UNIQUES. Since my firewall drops 'em without sending an ACK, it'll time out on their end and the virus won't try again from that machine. The logs bear this out.

So 1 in 49,500 my butt. You should see my logs. I rack up several GB per month just of logging rejected Windows-hack attempts at the firewall, and another several GB of logged HTTP requests trying to buffer-overflow MSADC - the script kiddies don't even bother checking for IIS first. This on a test machine that doesn't even have a DNS name. It's insane. And even with the large number of Win boxes out there, 1 in 49,500 is not enough to account for it. The parent's off by at least two orders of magnitude. I'm guessing it's more like one in 495 Windows boxes on the net that are rooted at any given moment, and that's being generous.

Real security is all about knowing this crap

It sure is. Know this: If an exploit can self-replicate onto other machines, it doesn't matter even if only one in a million gets hacked - once one's infected, the infection spreads at an exponential rate. Once one user hits the vulnerability, in a few hours they all have. That's what's wrong with the bugs/user argument. The better measure is how many root exploits come along that can auto-replicate. On Windows, that's all of 'em by design.

Re:Remotely vs. locally exploitable

[automatix]

And fresh from my mailbox... pretty much says it all... (abridged: removed affected platforms from the list)

Title: Microsoft Windows Security Bulletin Summary for November 2003
Issued: November 11, 2003
Version Number: 1.0
Bulletin: http://www.microsoft.com/technet/security/bulletin /winnov03.asp

Summary: Included in this advisory are three updates describing newly discovered vulnerabilities in Microsoft Windows. These vulnerabilities, broken down by severity are:

** Critical Security Bulletins

MS03-048 - Cumulative Update for Internet Explorer (824145)
- Impact: Remote Code Execution

MS03-049 - Buffer Overrun in the Workstation Service Could Allow Code Execution (828749)
- Impact: Remote Code Execution

MS03-051 - Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code Execution (813360)
- Impact: Remote Code Execution

Re:Remotely vs. locally exploitable

[winkydink]

Not that I love MS, but to be fair, I did get this from RH yesterday:

1. Topic:

Updated Ethereal packages that fix a number of exploitable security issues
are now available.

2. Relevant releases/architectures:

Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386

3. Problem description:

Ethereal is a program for monitoring network traffic.

A number of security issues affect Ethereal. By exploiting these issues,
it may be possible to make Ethereal crash or run arbitrary code by
injecting a purposefully-malformed packet onto the wire or by convincing
someone to read a malformed packet trace file.

A buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers
to cause a denial of service and possibly execute arbitrary code via a
malformed GTP MSISDN string. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2003-0925 to
this issue.

Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of
service (crash) via certain malformed ISAKMP or MEGACO packets. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0926 to this issue.

A heap-based buffer overflow in Ethereal 0.9.15 and earlier allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via the SOCKS dissector. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0927
to this issue.

Users of Ethereal should update to these erratum packages containing
Ethereal version 0.9.16, which is not vulnerable to these issues.

Re:Remotely vs. locally exploitable

[red+floyd]

If you RTFA, you see that Ballmer compares Win2K3 with RH6 (not 7.2, but 6!!!!).

Re:Remotely vs. locally exploitable

[automatix]

Linux has plenty of vulerabilities, but the distributions often ship hundreds (or thousands in Debian's case) of applications which wouldn't be comparable to an average windows install...

Speaking of, my second MS Security email of the day just arrived...

Title: Microsoft Office Security Bulletin Summary for November 2003
Issued: November 11, 2003
Bulletin: http://www.microsoft.com/technet/security/bulletin /offnov03.asp

Summary:
Included in this advisory is an update describing newly discovered vulnerabilities in Microsoft Office (Microsoft Word and Excel). These vulnerabilities, broken down by severity are:

MS03-050 - Vulnerabilities in Microsoft Word and Microsoft Excel Could Allow Arbitrary Code to run (831527)
[snip...Affects Excel 97-XP, Word 97-XP, Works]
- Impact: Remote Code Execution

Re:Remotely vs. locally exploitable

[Ashtead]

The parent and grandparent posts started me thinking:

What is the probability of any randomly picked Linux machine running Ethereal? And thus the probability of a successful exploit of the holes therein? I don't know any certain numbers for this, but none of the Linux machines I have around here do, so whatever the probability, it is rather less than 1.0.

Now in contrast, what is the probability of any randomly picked Windows machine running the Workstation service? I would say this is close to 1.0, since this is something that is part of the Windows Operating system. Even if that system is a server, go figure...

Perhaps one could talk about security by absence here, as some variation of security by obscurity -- but the fact is that the various daemons and other software on a Linux system can be omitted on installation or removed later if they are not needed or desired. Whereas in Windows, large services cannot be stopped or removed lest the whole thing stops. This already gives Linux-systems a head start here.

Somewhat like marketing, the Windows Exploit Market is a lot bigger than the Linux Exploit Market, and thus sees more "suppliers".

Now while talking about marketing: Denigrating the competition is not a very effective way of advertising ones own products!

Re:Remotely vs. locally exploitable

[mindmaster064]

I understand where you are going, but most always-on internet connections are firewalled at this point (even on Windows machines) due to the awareness levels of users being higher than they were a few years ago. (Most ISP's are also pushing the concept, which is helping the users and them contain problems). Zonealarm and Norton Internet Security are common apps these days and they do ask permission for each port going outbound, and both of those products are easier to use than Linux equivalents; largely consisting of clicking "Yes" and "No" when programs want to communicate to the net.

Linux nor Windows are "Secure by Default" you have to know what you are doing with Linux and with Windows you have to at least know to install something like Zonealarm. We aren't likely to see anything like "Trusted Solaris" coming out of the Linux camp for awhile and until the tools come out to make Linux firewall as easy as Zonealarm it's more error prone and less secure. Hard to use is usually about as good as having nothing at all -- the average joe admin needs ease of use for time management and consistency. Many of the enterprise-type Windows firewall packages can be centrally managed which is a whole lot better than rolling config files for everyone or trusting people to come up with their own.

I like Linux, but I will admit that you must be a Linux specialist to adequately secure it. A Windows user/server admin could install free zonealarm and be done with the issue completely after simply running the programs needing network access once. (my last install of Zonealarm took ohh, 5mins and no manual reading). The linux experience is completely different; you HAVE to either run some firewall configuration gui -- assuming you know what you are doing OR have enough knowledge of the proper /etc files to do the task. You would also have to know all the port numbers/services involved, a problem you do not have on Windows firewalling (it can figure out ports based on the applications using them, so it simply asks if you want the program to access the network). This makes security difficult and only available for those "in the know" for Linux.

IIS is another issue, as normal users wouldn't be running it. IIS is secure, if you're up on the patches or have an automatic patch solution. If you do not "patch up" with any web server you are vulnerable, simply put. A good IDS should always be in front of web servers, and set to trigger automatic blocking of ips that submit malformed or known exploit URL's. That eliminates the problems completely generally. If you aren't going to bother with all that, don't run the web server have it hosted. Nothing will save you if you're not using common sense. Firewall it, IDS it, Zonealarm it, Virus scan it, keep good backups, and read your logs. Most of the script kiddy exploits are known to IDS' and/or patched out quickly. Your mileage with server products is always determined by your protection screen. No machine or system is absolutely safe there is always an exploit in every product you use, but a good protection screen allows for failure in one component without compromising the screen -- thus, reducing the risks.

Linux systems are just as vulnerable to the spring-board attacks you described. Any compromise has a chance to become exponential, but in the Linux case the exploits are likely unique to certain packages which probably means that the exploit works on many different types of UNIX machines as thus may even be a bigger problem. SSH has broke, apache has, and we all know the mail packages have. Your defense in these times is the same as "the windows guy", get out your logs and see if you are rooted.

I've only had one Windows box rooted in all of my time working with them (which is about ten years now) and that was due to a trojaned software not a remote exploit. In all that time since I've been doing web servers, mail servers, and nearly everything else in windows without a problem even ONCE. Security is my religion and that may be helping, but it's easy to do so why wouldn't you? Just because you're using a "minority" os doesn't make you safer, it makes you less aware of the potential exploits because less people are prodding at them.

Talk about shooting yourself in the foot

[coolmacdude]

A good rule of thumb in competition is to only start wars you know you can win. Something is not clicking here...

Re:Talk about shooting yourself in the foot

[beacher]

There are 5 stages of denial - denial, anger, bargaining, depression, and acceptance. Wonder which stage this PR campaign fits?

Re:Talk about shooting yourself in the foot

[DrEldarion]

Depends on your definition of "win". Keep in mind the type of people that MS is aiming for with this and how good the company is at marketing.

Re:Talk about shooting yourself in the foot

[R2.0]

No, their is only 1 stage of denial.

I think you mean the 5 stages of loss.

Re:Talk about shooting yourself in the foot

[azzy]

There are 5 stages of denial.

* denial 1
* denial 2
* denial 3
* denial 4
* profit.. er.. denial 5

Re:Talk about shooting yourself in the foot

[tomhudson]

You wrote:

No, their is only 1 stage of denial.

I think you mean the 5 stages of loss.

That's because the gp poster is either into stage 1 - denial (like anyone who paid to watch Matrix - Revolutions) or stage 3 - bargaining - for how many stages there are:-)

Re:Talk about shooting yourself in the foot

[bex+l]

If you consider their marketing budget they probably think they can win. If they give linux enough bad press (deserved or otherwise) they take it away from themselves and voila! they're back on top.

Re:Talk about shooting yourself in the foot

[Fryboy]

There are 5 stages of denial - denial...

There are 5 stages of recursion - recursion...

Fry

Easy Question to Ask

[toupsie]

How many Linux Security Threats have made me work over 24 hours straight? 0 in 2003

How many Windows Security Threats have made me work over 24 hours straight? 1 every 2 two months in 2003

Guess which OS I like to support?

Re:Easy Question to Ask

[Sqwubbsy]

It's called Job Security.
Hint: You don't have to like it.

Re:Easy Question to Ask

[kfg]

And this is why Windows has a lower TCO.

Oh, wait. Nevermind.

KFG

Re:Easy Question to Ask

[zCyl]

It's called Job Security.

Job security like a janitor who runs around throwing dirt and trash on the floor?

Re:Easy Question to Ask

[TheRealSlimShady]

How many Windows Security Threats have made me work over 24 hours straight? 1 every 2 two months in 2003

Why did you have to work over 24 hours straight? Don't you have an automated patch management strategy in place? Surely that's part of supporting an OS? Surely after the first time you would have figured out that there's a better way to do it?

Re:Easy Question to Ask

[Sqwubbsy]

He's not the one 'throwing dirt on the floor', he's just cleaning up.
It's whoever purchased the system that's doing the dirt throwing.
His job is to clean up.
If he can make a good business case, that's great.
However, an admin who says they can help cut admin costs is digging someone's grave.

Re:Easy Question to Ask

[MKalus]

Guess which OS I like to support?

Windows, after all, it pays more overtime ;)

Re:Easy Question to Ask

[pmz]

Why did you have to work over 24 hours straight?

It probably took one hour to apply the patch and 23 hours to figure out what it broke plus decipher the new EULA.

Re:Easy Question to Ask

If only applying patches were all one had to do to administer a Windows box! Due to Microsoft's delayed reaction times, it goes something more like this:

Wake up, day 1, to phone call saying "all our computers are shutting down randomly!" You grumble and go to work.

At work, you pop in your trusty f_prot or other comparable antivirus software and BAM! There's Blaster/SoBig/Klez/whatever staring you in the face. You yell at a random staffer for opening attachments at work.

You begin isolating and cleaning all infected machines. You run scans on a few other machines just to make sure.

You lecture the entire office once again on how it never really is a cool screensaver or neat program that their friend sends them in the e-mail.

Two hours later someone comes back to your room carrying a printout of an e-mail with an attachment. "Is this a virus?" They ask. You cringe. The printout contains the words "application/octet-stream." You manage to croak something and nod hoarsely.

You grab your antivirus disk again and go clean the Klez off all the machines in billing. For a second time. You curse Outlook violently at this point and time. You are probably becoming irrational and violent, like an enraged monkey.

You go home at the end of the day and dream of playing Russian roulette with a shotgun.

This continues for a week until Microsoft releases the patch, which you download and install. You think everything will be OK for a while.

You get a call the following morning. Some idiot brought his laptop up from home, and his kids had been using it. You now have 30 more viruses to clean! Fun!

You tell your boss that he could pay you 1/3 of the pay he does (minus overtime) if he'd just go buy some Macs or let you install Linux on the office computers. He strokes his pointy hair and laughs at you.

You die cold, bitter and alone, and Bill Gates torments your soul for all eternity.

Re:Easy Question to Ask

[the_mad_poster]

I'm sorry, I work in IT in the U.S. What is this "overtime" of which you speak?

Re:Easy Question to Ask

[muckdog]

You haven't "worked" in IT, have you? Part of that time is testing the patches to make sure they work and don't break something else worse that what the worm/virus/hole will do. Anyone who lets Windows update run fully automated on production servers is a fool.

Re:Easy Question to Ask

[aws4y]

Yeah, most holes I have seen could be fixed by running up2date or 'apt-get update;apt-get upgrade' 24 hours or less after the vulnerabiltiy is discovered not after the exploit is in the wild.

thats at most 30 minutes of work, most of it just watching stuff download.

Re:Easy Question to Ask

[nodwick]

How many Linux Security Threats have made me work over 24 hours straight? ... How many Windows Security Threats have made me work over 24 hours straight?

If you're like the sysadmin in our lab, Windows makes you spend more hours on it for two reasons: (1) more machines are running it, and (2) the ones running Windows tend to be have more non-savvy users.

Point #1 says that if there's an equal number of exploits, and each exploit takes a constant amount of time per machine to fix, then since around 90% of machines are Windows boxes, your total time spent fixing them is obviously going to be a lot higher.

Point #2 says that the less mainstream nature of Linux tends to self-select a userbase that knows what they're doing, security-wise. On the other hand, many Windows users just have it so they can write up their reports and check their email, and have no idea what a security update is or how to install it. The recent infamous RPC exploit, for example, had a patch out for a couple of months before exploits for it appeared in the wild, but was ignored by most Windows users. A hypothetical similar Linux root exploit would have been quickly adopted by most computer geeks, while our sysadmin was complaining that even a month after Blaster made the rounds, there were still people bringing laptops into lab that were unpatched and quickly hacked. Add to this that many of the same people were unhappy about anyone else having access to their machine, but didn't care enough to secure it, and patching security exploits was one big headache.

I've heard many good reasons why the Microsoft article about Linux security is pretty slanted in their favor, but hours of work to fix isn't a fair one. A better metric might be hours of work per Windows box versus Linux box.

Re:Easy Question to Ask

[Tom7]

Damn, really? It was much harder for me to recompile sshd several times in the span of a few days than it was to go to windowsupdate and get the patches installed automatically. That one was a pain in the ass. (I suppose if RPM still worked on my system I could have used that, but it's not my fault that it's broken...)

Re:Easy Question to Ask

[Trepalium]

Haven't seen any Microsoft commercials recently, huh? "Do More With Less." Hint: They're not talking about licensing fees, or even number of servers.

Re:Easy Question to Ask

[mikk]

Anyone who uses Windows on production servers is a fool.

Re:Easy Question to Ask

[muckdog]

more good points AC, I almost forgot though... If we just loaded AOL 9.0 Optimized on all our servers it will automatically fix all our problems just like the commercial says!!!

Re:Easy Question to Ask

[TheRealSlimShady]

You haven't "worked" in IT, have you? Part of that time is testing the patches to make sure they work and don't break something else worse that what the worm/virus/hole will do. Anyone who lets Windows update run fully automated on production servers is a fool.

Eight years and counting, and most of that time in Windows environments. I didn't say that you didn't need to test, testing is a given. If you're not testing, you're a fool. However, the fact is that between the time the update comes out and the time an exploit is released there is generally a windows available for testing. Blaster is a case in point - the update was out for weeks. A good admin would have reviewed the update, seen that it was a remotely exploitable hole and started testing it. Then with the automated deployment tools it's a matter of releasing the update. For what it's worth, I don't recommend Windows Update on servers at all - I prefer to patch them in a more controller fashion. Of course, in some environments the volume of servers means you have to automate it in some way.

Re:Easy Question to Ask

[pompousjerk]

Damn straight.

Although, one thing needs to stay clear: Linux is only secure if you know what the hell you're doing. 51% of all known successful root compromises occur under Linux. (Linux has more than 51% of the market share, IIRC, so it's not a very fair comparison. If anybody has market share data, please provide it so we can look at ratios.)

I prefer running Linux, of course. At least I know I can secure it.

Re:Easy Question to Ask

Anyone who runs windows on a production server is a fool

Re:Easy Question to Ask

[TheRealSlimShady]

At work, you pop in your trusty f_prot or other comparable antivirus software and BAM! There's Blaster/SoBig/Klez/whatever staring you in the face. You yell at a random staffer for opening attachments at work.

This continues for a week until Microsoft releases the patch, which you download and install. You think everything will be OK for a while

This would be nice if it was actually true. How many exploits have there been where the exploit was out and spreading before the patch was released? Very few - I can't think of any. Blaster was patched weeks before the exploit was out, Code Red, Nimda, Code Blue - all the same.

Re:Easy Question to Ask

[PierceLabs]

Hmmm... so what do you do when you have a good 2-3k client machines to handle as well? If it were just servers that would be one thing - but when you have client applications all over the place and you have to go around installing and patching that's something entirely different.

Re:Easy Question to Ask

[mahdi13]

I'm sorry, I work in IT in the U.S. What is this "overtime" of which you speak?

One of those foreign mythical events, very simular to a "bonus"

Re:Easy Question to Ask

[MadMirko]

Well, I admin about a 150 Windows servers since the days of the late NT 4 (SP 5 and upwards), and I can't remember a MS patch that actually broke anything.

Besides, of course you do not run Windows Update on servers at all, because they generally shouldn't have someone using a browser on them.

Try SMS for automated deployment of tested patches to any number of servers, anywhere on your network. When you want, how you want.

Re:Easy Question to Ask

[TheRealSlimShady]

Hmmm... so what do you do when you have a good 2-3k client machines to handle as well? If it were just servers that would be one thing - but when you have client applications all over the place and you have to go around installing and patching that's something entirely different.

When you're running that many client machines you can either use a distributed SUS architecture, or for most businesses of that size they have management software in place (be it Altiris, SMS, Unicenter,or even HFNetCheckPro) that can be used to deploy updates in a sensible fashion. Sure, as soon as you get over about 100 machines you start getting to the point where the interdependencies start to get complicated, but if you can get say 95% of your machines with no manual intervention then you're winning. If you've got good test procedures, you should be able to get even more.

Re:Easy Question to Ask

[Geek+of+Tech]

> (I suppose if RPM still worked on my system I could have used that, but it's not my fault that it's broken...)

Okay.... how did you break your RPMs.... I'm dying to know....

Re:Easy Question to Ask

[caluml]

Have a look at grsecurity.org sometime. I used to use Lids, but grsec seems to be a fuller option. Same idea though.

Re:Easy Question to Ask

[PPGMD]

Anyone that actually believes that is a fool also.

Any modern OS can be both secure or insecure, it really depends on the user. Linux has had numerous security holes since I have been in IT, but the average admin is alert enough to patch them, not always true with Windows.

In fact I remember once a lower level admin was working on deploying a Linux server for a customer, at 5pm when he was done, he had it set up with RH 7.3, and put it on the network, leaving me with a note IP, root pass, and what the customer wanted. Unfortunate that admin accidentily hook that machine on our non-firewalled network (that company charged more for placing on the firewall network), well by the time I came it at 8pm that machine had been hacked and was DOSing some server.

Note default install of Linux, and non-firewalled network, in a honey pot book I read, the guys first honey pot Linux server hacked in 24 minutes flat (default install of Red Hat).

Being both a Linux and Windows consultant, I use both, but I make sure that both are deployed intelligently with patching systems and firewalls and gateways along with them if needed.

Re:Easy Question to Ask

[pebs]

However, an admin who says they can help cut admin costs is digging someone's grave.

Have you considered that maybe these admins are overworked as it is? There are many other important (and more interesting) tasks they could be doing, but they are stuck cleaning up after worms, etc.

Then there are some of us who are developers who also have admin responsibilities due to the fact that we are understaffed. We'd rather be writing code than running around patching systems and removing worms that people brought in with their laptops.

There's plenty of work, we don't need more. And we don't need this kind of petty shit for job security, there are real problems that need to be solved.

Re:Easy Question to Ask

[bdeclerc]

NT4 Service Pack 6 broke Lotus Domino, that's the main reason SP6a was out less than a month later...

I don't know what your servers were running, but just because it didn't happen to you doesn't mean it didn't happen to others, and Domino was (and is) a pretty major server application...

Re:Easy Question to Ask

[Qrlx]

You should put antivirus on your mail server. Or if you don't have a mail server, and users are using Outlook or OE for POP/IMAP access, put antivirus on your internet gateway.

Get fancy and put the laptop users on a separate segment with antivirus running on the gateway to the rest of the LAN.

Or you could add the Level1Add key to the registry at HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Ou tlook\Security and put .exe, .vbs, and .scr in the srting value.

There's many better options than trying to educate the (laregly uneducable) users.

Re:Easy Question to Ask

[jazman_777]

You haven't "worked" in IT, have you? Part of that time is testing the patches to make sure they work and don't break something else worse that what the worm/virus/hole will do. Anyone who lets Windows update run fully automated on production servers is a fool.

So you Solaris admins, do you just install patches (such as with Patch Pro) without worrying about them breaking any apps?

Re:Easy Question to Ask

[swillden]

NT4 Service Pack 6 broke Lotus Domino

That wasn't a bug, that was a warning shot...

Re:Easy Question to Ask

There are numerous problems with your rant. First, Blaster has nothing to do with email. The user doesn't have to take any action at all to be infected - he or she simply has to have an unpatched and unfirewalled system on the internet.

Second, Outlook doesn't play any role at all in the case of the two email viruses/worms you mentioned (Klez and SoBig). User stupidity and lack of proper antivirus protection are the only relevant factors.

Security patches are also not relevant to these email worms, since they don't use security exploits.

Finally, the patch for the RPC exploit was available well before Blaster appeared.

These are all nit-picks, but they point to an overall problem of incorrectly assigning blame. Is MS at fault in any way for an email virus that exploits no security holes (in MS products or otherwise), and can only infest and spread if the user is foolish enough to run it? No. The user is 100% at fault for running an untrusted program. The speed with which MS issues patches has absolutely no bearing on this situation - they can't patch against user ignorance or stupidity.

Likewise, is MS at fault in any way for a virus that exploits a security hole they've already fixed, but for which the user has not updated? No. They've done their part. The user has not.

You can argue that the hole should not have existed in the first place, but in the real world it happens. The only reasonable expectation we can have is that such holes are fixed in a timely manner. You are free to have your own opinion about whether or not MS meets this expectation, but the fact remains that many (most?) worms that exploit security holes exploit old, already patched security holes.

Re:Easy Question to Ask

[Psychotext]

You've made a mistake, your reasoned argument is not welcome here at Slashdot! To be honest, you could have picked even more holes in that poorly constructed rant - But that wouldn't have been nice would it?

Kudos though - Defending MS here takes guts.

Re:Easy Question to Ask

[bex+l]

It doesn't sound like MS defense. It sounds like common sense. Users ARE to blame...but then again, when you don't teach them they'll never learn.

Re:Easy Question to Ask

[antiMStroll]

You pray all those clients are near-identical hardware and the lab testing you did covers your ass. If you're not that lucky prepare backups for some of the latest patches breaking a system. We've run into that with some 2k machines running cards with older (though still the latest) drivers.

Re:Easy Question to Ask

[MrWa]

If you live in California (or any other place that mandates overtime after 8 hours in one day), need the money, and are non-exempt:

Windows!

Re:Easy Question to Ask

[BadDreamer]

Hint: look up the broken window fallacy. It doesn't actually related to Windows, but to broken glass.

In short, spending money to fix problems isn't nearly as good for the economy as if that money can be spent developing better and more useful systems.

All the resources wasted on fixing Windows issues keep people employed doing drudge work - if those resources were freed up, the IT department wouldn't be cut down; it would be used to further improve efficiency of the company. Which is, after all, the entire point of having an IT department ...

Re:Easy Question to Ask

[Psychotext]

How many of them are even willing to learn? Few in my experience.

Re:Easy Question to Ask

[ProtonMotiveForce]

Yeah, that's a trenchent insight.

A better question: Which OS do most people use? With this answer, ask yourself why virus writers _might_ target this OS. You have your answer.

Nobody gives a flying fuck about Linux because, relatively speaking, there are about 12 people using it, and 9 of them use it for backroom servers.

Re:Easy Question to Ask

[zCyl]

However, an admin who says they can help cut admin costs is digging someone's grave.

The whole point of economic growth is for society as a whole to be able to do more and produce more. The amount of labor being done remains relatively constant over time, and the amount of stuff made and services available increases.

System administrators who can do more with less time have more time to offer other productive services to their companies.

Re:Easy Question to Ask

[Ambassador+Kosh]

Didn't the first 2 patches or so for codered and nimbda break virtual hosting on IIS and a number of other configurations. From what I remember it was at least a week or two before they had a fully working patch for them and by that time admins where not very interested in touching the fixes since the others broke stuff.

Also haven't they "fixed" that rpc exploit about 3-5 times now? It seems to me that the first fix did not solve the various blaster variants since they just applied a bandaid and did not fix the problem.

Another 'comissioned' report...

[Chicane-UK]

What frustrates me about these is that people actually BELIEVE them. Though given the recent security blunders by Microsoft (such as that little problem called 'Blaster') people might finally realise that this stuff is a load of BS.. or very very twisted fiction.

And I just wish that the comments & replies of key figures in the Open Source community made the headlines in the same way as these 'reports' do.

Re:Another 'comissioned' report...

[frodo+from+middle+ea]

Truth (Marketing definition) :- A blatant lie, told with utmost confidence, and backup up by forged yet sensational statistics and meaningless pie-charts, and bar graphs.

Re:Another 'comissioned' report...

Yes but the open source community don't lie. Steve Ballmer recently cited CERT as proof that linux had more vulnerabilities than Windows for 2003. Funny that all the named linux applications on CERT's list could also run under windows, except sendmail (hands up who in their right mind still runs sendmail?).

So this makes all the supposed 'linux' vulnerabilities that Ballmer refered to equally windows specific, he's just too dumb to realise that.

Re:Another 'comissioned' report...

[aml666]

Sorry to tell you this but most "end users" see BLASTER and the other "worms" as an attack on Microsoft... not a failure of Microsoft.

Re:Another 'comissioned' report...

[pmz]

What frustrates me about these is that people actually BELIEVE them.

These are the same people who believe that a politician will solve their problems, that a car salesman really will save them money, and that the $5000 pre-approved loan offer they got is really a good deal (think of what we could buy with this and it doesn't matter that we didn't read the small print mentioning that stuff about 19% this and that).

Re:Another 'comissioned' report...

[Avihson]

Since InfoWorld changed their format and canned the politically-incorrect columnists, they have become a shill for Microsoft.
There was a time not long ago when InfoWorld knew the difference between OSS and Linux, they even had columns that championed Opensource and Linux.

Now, sadly, they print drivel like this, essentially comparing two corporate giants - MS and Linux: "..[MS] will criticize Linux for taking too long to fix bugs.."

Linux is not a corporation, Linux is not the source of Opensource Software. Linux is not the author of Samba, ssh, Apache, CUPS, or any of the third-party utilities and programs that had vulnerabilities.

Now in corrilary, Linus Torvalds is the overall architect of the Linux kernel. Can any security experts from Redmond tell us the number of remotely exploitable holes that the Linux kernel has had, or how many are still lurking there since.. oh let's say 1995? We just had a story on Slashdot on an attempted hack on the kernel that was caught within 48 hours, why does MS still have the same vulnerabilities in ALL their IP enabled versions except for Windows ME??

Re:Another 'comissioned' report...

[pmz]

That would make a great t-shirt to sell to people at conferences and trade shows.

Re:Another 'comissioned' report...

[JawFunk]

"People" can believe what they want. It is the administrators and the CEOs/CIOs that need to be able to separate the truths from the lies. As long as the threat of losing $millions in security bugs exists, I doubt anyone in those departments can afford to make decisionsbased on marketing campaigns, which are made to sell, not be truthful.

Re:Another 'comissioned' report...

[kfg]

So what you're trying to say is that Windows is really just a very elaborate Nigerian 419 scam, is that it?

KFG

Re:Another 'comissioned' report...

[Brataccas]

It may not be that people actually believe them....they WANT to believe them. Many companies have invested millions of dollars and thousands of man-hours setting up and supporting Microsoft infrastructures throughout their organization. The people who recommended, funded, and built these networks aren't exactly looking to be first in line to admit it was a bad decision. As long as MS puts out millions of dollars of ads and studies claiming that "everything is fine" or "everything will get better" or "the other options are just as bad" many companies will try to convince themselves that the market-speak is true. Psych 101.

It's a delaying tactic, and a very effective one.

Re:Another 'comissioned' report...

[Geek+of+Tech]

Our local county school system keeps funnelling them money in hopes of having a perfect system they costs NULL to operate. The commercials seem to say so to "Do more with less". They show all these companies spending little on Microsoft and then at the end of each on they end up saving thousands or millions. That comes pretty close to Nigerian scam. Thanks. I'd never made the connection before.

Re:Another 'comissioned' report...

[Geek+of+Tech]

That's funny most of the users I talked to seemed to think more that it was an attach from Microsoft. They didn't care why it was there, they just were annoyed at Windows for letting it be there.

Re:Another 'comissioned' report...

[ProtonMotiveForce]

Yeah, it's not like there haven't been a lot of security flaws recently for Unix operating systems or Unix apps.

Oh, wait, there have been - nobody cares enough to exploit them.

You Unix people are like some poor bastard sitting on his rickety porch, with cockroaches crawling all over him, who laughs at his rich neighbour who just got robbed. "Teehee - I just got me one of them thar new signs that says 'Guarded by GuardTech', I bet you wish you'd 'a thought of that, eh? Then maybe it'd be me who got robbed!"

News flash

[Lane.exe]

It's not the amount of holes in your software, is whether or not the typical cracker knows how to exploit them.

Re:News flash

[chooks]

It's not the amount of holes in your software, is whether or not the typical cracker knows how to exploit them.

God, there's nothing like exploiting holes in software...

Wait -- we're talking about women, right?

Oh never mind. Most /.'ers have no frame of reference on that one...

Re:News flash

[Evilive]

Sad, but it sure seems true for the most part, doesn't it?

Spreading FUD in a submission about FUD

[Quarters]

...(such as root access for all users)

That's not the case for NT, 2K, or XP. Heck the XP install even asks you for an administrator password and then the names of user accounts to make. Those user accounts default to non-root

Re:Spreading FUD in a submission about FUD

[tomstdenis]

Actually no. Those users are part of the Administrators [re: root] group. Check yer users settings sometime :-)

Tom

Re:Spreading FUD in a submission about FUD

[Coward+the+Anonymous]

" Heck the XP install even asks you for an administrator password and then the names of user accounts to make. Those user accounts default to non-root" Maybe in the Warez copy of XP you have, but the OEM XP Dell Disc that came with my laptop creates all users as Administrators.

Re:Spreading FUD in a submission about FUD

[EVuL_C]

umm. no. new users in XP and XP SP1 hall have administrative access to the system. just like ALL previous versions of windows.

Just because their name is not Administrator does not mean they don't have admin rights on the system.

Re:Spreading FUD in a submission about FUD

[Derek+Pomery]

That's no help at all if arbitrary users can elevate themselves to administrator priveleges. NT-XP is fundamentally broken. Maybe the next version of Windows will solve this design problem, but I doubt it.

This hole exists and actually has working exploits.

Re:Spreading FUD in a submission about FUD

[sammy+baby]

The advisory you link affects Windows 2000. Windows XP and its derivatives are listed as "unaffected."

Do you have a similar advisory for XP?

Re:Spreading FUD in a submission about FUD

[MadMirko]

NT-XP is fundamentally broken.

Oh please, don't overload us with FACTS!

That's no help at all if arbitrary users can elevate themselves to administrator priveleges

Yes, they can, if they got the Administrator password, they can't if they haven't. Like they can in every other OS.

You shouldn't try to counter FUD with FUD, that would make you look like an uninformed zealot.

Re:Spreading FUD in a submission about FUD

[cscx]

Uh, maybe you should stop spreading more FUD?

This can happen in Linux too, if you are interacting with ANY daemon that runs as root (e.g, SSHd, init, smbd, snmpd, lpd, getty, I can go on and on -- pretty much anything that executes setuid root) that happens to be interacting in some way with the local system but also interacting with users. The article you linked was a very specific occurence of a local root exploit (and most Linux people don't even consider those "exploits" at that!) that didn't handle input correctly... this is why people don't run ftp as root anymore; but some things inevitably have to run as root...

There was a version of Solaris/SunOS that had a local root exploit where all you would do is hold down the return key at the login prompt, and get root! That seems less complicated to do -- and in essence, how is it different?

Your message was worded in a FUDish manner... as if NO OTHER OSes have EVER had local root exploits, but Windows somehow is fundamentally broken by having this "feature?"

Please.

Re:Spreading FUD in a submission about FUD

[Necrobruiser]

Any new users created in XP Pro or 2000 Pro are created in the Users group by default. This may be different for XP Home; I'm not sure. But in the Professional versions, the users are NOT created in the Administrators group.

Re:Spreading FUD in a submission about FUD

[Derek+Pomery]

No, this is completely valid complaint. Windows Messaging was simply designed wrong. It does no verification of which process sent the message.
Thus, there is a pervasive and *unremovable* hole in Windows design.
Furthermore, while you can do careful message checking, you can't guarantee some base class in the Windows libs you are doing is catching the evil message.

I'm aware many daemons are exploitable, but I am unaware of an equivalent for this in Linux.

Re:Spreading FUD in a submission about FUD

[superchkn]

Maybe that's an updated XP?

I've installed XP on several computers and never did it "ask" if the user should be an administrator or to give them a password. Of course this is Home Edition I'm referring to, maybe other versions are different.

In every case I had to go to Control Panel->Users and manually make them a restricted user and give them a password. If I want to set a password on the "Administrator" account, I have to boot into safe mode just to set a password on that account!

This is in stark contrast to SuSE 8.0 which required me to enter passwords for all users (including root) and by default all users are non-root accounts.

But then those XP installation CDs were both from early 2003, maybe MS has changed the way the installer works. In any case I'm curious to which version of XP you're referring and the purchase date of the XP CD.

Re:Spreading FUD in a submission about FUD

[Derek+Pomery]

You didn't read the article, did you? I'd also suggest search for more information on Google regarding this flaw in Windows Messaging.

This hole, which has been around for ages, is part of the design of windows messaging. It allows *any* unpriveleged process to send messages to a priveleged process, without checking.
Thus, no administrator password needed.

Speaking of uninformed... It seems every Windows security story brings out people who feel the need to defend Windows at any cost.

Re:Spreading FUD in a submission about FUD

[Derek+Pomery]

No, haven't looked for one. It is entirely possible XP is unaffected due to this hole being patched or XP simply using different software.
I am unaware, though, of XP having fixed the problem of unchecked Windows Messages.

I don't think they can, either. It would undoubtedly break at least some backwards compatibility.

Re:Spreading FUD in a submission about FUD

[Ender+Ryan]

Is this exploitable in XP?

Re:Spreading FUD in a submission about FUD

[John+Courtland]

As brash as this is, it's true, although for some reason it doesn't give you FULL admin rights, just enough to fuck the box if necessary. There's some subtle stuff missing, I think it has to do with making changes that would affect the entire system, but I'm unsure, 'cause I don't give a shit.

Re:Spreading FUD in a submission about FUD

[miffo.swe]

Yeaaa...

Kind of funny it is.

Always the next version is the one they say will work, right up until the day the start on the version after that. Heck, with w2003 the started talking abour how longhorn would be betterm before 2003 was out.

Re:Spreading FUD in a submission about FUD

[Derek+Pomery]

I'd imagine, last I checked I saw this in a CERT search.

Researcher: Windows flaw remains
July 11, 2003

A class of attacks that allows a person to take
control of any PC or server could leave com-
puter systems in corporations and Internet cafes
vulnerable to attack, a researcher says.
Dubbed "shatter" attacks last year, the class of
security hacks uses the Windows messaging sys-
tem to request that insecure but privileged appli-
cations run malicious code. The Windows mes-
saging system is the medium through which ap-
plications and the Windows operating system
communicate with each other. (from CNET)

Re:Spreading FUD in a submission about FUD

[steve_l]

XP home acts as you described, so, I think, does XP professional. Win2K3 server is the only version of windows that could be viewed as vaguely locked down.

A fundamental issue with windows is that everything usually needs admin rights to install. Look at these
directX slides (esp slide 23) (sorry, PPT, but openoffice handles it), where they come out and say 'to install a game you need to be an admin'.

So you cannot even create a safe sandbox for a kid to do their thing, when they cannot plug in a game CD and expect it to run unless they have admin rights. What on earth were they thinking?

Re:Spreading FUD in a submission about FUD

[MadMirko]

I did, and I saw that it was a flaw in a SINGLE version of Windows (2000) namely, which has been patched for month.

What's your point again?

Re:Spreading FUD in a submission about FUD

[Derek+Pomery]

My point was, as explained in the article, which you clearly have not read, or at least not comprehended, the exploit was an example of a "Shatter" attack - a general class of exploits taking advantage of the fact that almost all Win32 apps out there use Windows Messaging without validating who sent the message.
Thus, these apps are exploitable in a number of ways. This is one patched example. There are undoubtedly many many more unpatched because the fundamental flaw has not been repaired - I would go so far as to say it *can't* be repaired since it is inherent to the model used.

Re:Spreading FUD in a submission about FUD

[MadMirko]

No, please look beyond the FUD.

From the article:

Affected Software:
Microsoft Windows 2000

Not Affected Software:
Microsoft Windows Me
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server, Terminal Services Edition
Microsoft Windows XP
Microsoft Windows Server 2003

And even in 2000 there has been a patch for months.

Re:Spreading FUD in a submission about FUD

[Derek+Pomery]

Yo. Mad Mirko. Please read my response to him first, as well as my response to you. Thanks.

Re:Spreading FUD in a submission about FUD

[dot+niet]

Actually you are wrong. Under 2K and above (I think NT and above actually) new users only appear in the users group. Now, that doesn't mean they cannot damage the system. They can still double click attachments with Trojans, they can still delete files that are pretty important (unless you have a process in place to lock down all files under the windows directory or the Program Files directory). But it is entirely untrue that new users are added to the Administrators group on the NT family of OSes.

Re:Spreading FUD in a submission about FUD

[gbjbaanb]

So its IBM's fault - Windows Messaging (the lanmanager service, not Windows Messenger the IM chat thingy) is a part of Lan Manager, written by IBM, shipped as part of OS/2, and NT when MS took all the OS/2 networking code. (you can prove this in NT by typing 'net send ', all the LanManager commands are invoked that way.

Incidentally it is perfectly removable, disable the service. Easy.

And.. I think you'll find many programs don't bother checking who sent a message - I mean, is UDP a badly broken network protocol??

Re:Spreading FUD in a submission about FUD

[jjhlk]

My windows architecture knowledge isn't great, but the messager service is not the same as windows messaging. If I click on my application's window, the OS will send it the WM_CLICK message. Messages are used for events in windows. The particular exploit is to do with textboxes and related messages.

Re:Spreading FUD in a submission about FUD

[arkanes]

This "hole" requires interactive logon. As a previous poster mentioned, most Linux bugs that are similiar aren't even counted.

The article you link to is a specific exploit - it's a buffer overflow in a specific, trusted process. There are alot more trusted processes on a Windows machine than on a Linux one (usually), but pointing that out would take a level of analysis that I don't think you're interested in doing. On top of that, it takes a privledged process thats running with desktop interaction, which is relatively rare. On top of THAT, designing services that aren't vulnerable to this is fairly straightforward. A similiar flaw in linux would be, say, a cgi script that called exec() on user input - it's not an insecurity in the OS that allows that to happen, but an insecurity in the process that it's implemented that way.

Theres a danger, of course, and it's something to be aware of, but it's hardly the be all and end all of fundamental security problems that you make it out to be.

Re:Spreading FUD in a submission about FUD

[Derek+Pomery]

You are correct in part. There is little helping the ignorance of the Slashdot windows defenders.
They are clearly incapable of even reading a microsoft security bulletin which describes this.

I say in part because there are a great many messages. It isn't just due to textboxes. It could be a message to open a file, or change some value inside the program.

Re:Spreading FUD in a submission about FUD

[jjhlk]

I still use Windows 2000 frequently, and that is the most annoying problem with Windows. I used to rename the Administrator user (why not have some extra obscurity), and run Windows with a user who only has "user" rights. But you need Admin rights to do pretty much everything in Windows, so now I just use a relatively secure Windows 2000 where I run as administrator (hey, I can always reinstall).

Re:Spreading FUD in a submission about FUD

[Jaysyn]

Anyone who's ever set up a Win2K box knows it asks you during install if you want to set up multiple users (in the users group by default), if not, the default user (for auto-logon) is *still* not in the Admin group.

WinNT doesn't default to the Admin either.

XP on the other hand does behave just as you say.

Jaysyn

Re:Spreading FUD in a submission about FUD

[Electrum]

So its IBM's fault - Windows Messaging (the lanmanager service, not Windows Messenger the IM chat thingy)

You are way off base. This is talking about internal Windows event messages (i.e. a fundamental part of the GUI system), not an external messaging service.

Re:Spreading FUD in a submission about FUD

[m_pll]

How about you do this little experiment: Create a new local user on an XP Pro box (all default settings), and try to delete something from %systemroot% or %programfiles%. Access denied? Good.

Not surprizing, actually, given the default permissions:

E:\cacls "Program Files"

e:\Program Files
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE

Re:Spreading FUD in a submission about FUD

[Pontiac]

You are right and wrong..

on XP (pro and home) any accounts created during setup are part of the administrators group and have NO PASSWORD

Read the Q article
Q293834

Re:Spreading FUD in a submission about FUD

[Geek+of+Tech]

>> Any new users created in XP Pro or 2000 Pro are created in the Users group by default.

Some of the most vunerable people are the home users. They are usually the one without the firewalls and antiviruses. The majority of people at home use the home edition.

Re:Spreading FUD in a submission about FUD

[gbjbaanb]

yep, I hold my hands up on that - I was reading too many posts (one of which mentioned the Messaging service) instead of clicking every link that was posted :(

Re:Spreading FUD in a submission about FUD

[cpeterso]

XP Home adds new users to the Administrator group (for app compatibility). XP Pro does not because (supposed) Windows corporate desktops can be locked down.

Re:Spreading FUD in a submission about FUD

[m_pll]

Windows Messaging was simply designed wrong. It does no verification of which process sent the message.

Except that both processes have to be running on the same windowstation/desktop to be able to exchange messages. Thus the majority of services are not vulnerable to any of this - you have to *explicitly* configure your service to create any UI on the interactive desktop. People who understand how this works knew about the security implications of having interactive services long before the term "shatter attacks" appeared.

Thus, there is a pervasive and *unremovable* hole in Windows design.

It's not "pervasive" because by default services are not vulnerable. It's not "unremovable" because all known places where even interactive services could be exploited are fixed now. If you know otherwise, I'd like to see more details.

Re:Spreading FUD in a submission about FUD

[dot+niet]

I was referring to after installation. But you are right, defaulting to no password is bad. I think it is bad to allow creation of multiple users during setup, period. I think even the casual technophile may interpret any users other than the first one as being regular (non-priviledged) users.

Although I can just see the support call volumes shoot through the roof if when SP2 is released it warns about users with blank passwords during the installation. In my opinion it should do that but every person that just bought their system with XP preloaded would probably be startled.

Re:Spreading FUD in a submission about FUD

[Derek+Pomery]

You have remarkable confidence that all interactive services are fixed.
So this implies you *know* there are no exploitable holes in Norton Antivirus, McAfee disk tools, or countless monitors and workstation control applications that need higher priveleges to avoid being taken down by an underpriveleged user?
Any service which needs sufficient priveleges is a danger. Not to mention the fact that many are installed with those by default, whether they need them or not.

I'm sticking with label of pervasive since the number of applications that *don't* interact are quite rare in windows, as opposed to linux. Services are a fairly small subset and quite tightly controlled in comparison.

Re:Spreading FUD in a submission about FUD

[jazzmans]

The users in win2k pro default to the 'power users' group, which has some root access. as opposed to the 'restricted users' group which does not have any root access. I beleive xp pro works the same way, but it's been almost a year since I had to work with xp pro, so I won't claim this definitively. jaz

Re:Spreading FUD in a submission about FUD

[jazzmans]

p.s. how come my post is automatically scored 1 before it's even posted? this has something to do with karma doesn't it? jaz

Re:Spreading FUD in a submission about FUD

[m_pll]

I'm sticking with label of pervasive since the number of applications that *don't* interact are quite rare in windows, as opposed to linux. Services are a fairly small subset and quite tightly controlled in comparison.

Let's clarify the terminology. For the purposes of this discussion, let's say an "application" is a process running as the interactive user. It could be vulnerable to message attacks, but it wouldn't matter because it has the same privileges as the user.

A "service" is a process running as some privileged user. It could be a real service, or a COM+ application, or something like that.

An "interactive service" is a service that has taken the steps necessary to inject its UI into the interactive desktop.

So here's what we have:

1. Shatter attacks only matter for interactive services.
2. Most built-in services are not interactive.
3. Interactive services have been known to be a security risk for a long time.
4. Instead of using interactive services, developers have been encouraged to use a separate process running as the interactive user and some form of IPC to talk to the service (this is for example how SQL Server draws its icon in the taskbar).
5. If people ignore the warnings and decide to use interactive services, they can be vulnerable for two reasons: because they don't validate the messages themselves (this would be no different from opening a socket and not validating the data that comes in) or because of the bugs in the OS.
6. All known vulnerabilities in the OS code that could lead to a compromize of an interactive service have been fixed.

There are in fact problems in Windows that could be called "fundamental" and difficult to fix. But this isn't one of them. It boils down to the fact that if you accept input from untrusted sources, you have to validate it. Validating all possible windows messages is hard, so the best solution is to not accept them in the first place, which means not having any UI in a service unless you know what you're doing.

Re:Spreading FUD in a submission about FUD

[steve_l]

I use Win2K in a VMWare box at work too -it has less advertising and overhead than XP after all.

What I am actually doing is a sort of device drive, and we have to support Admin-only install, as it is the only way to install something with the right rights to send commands down to a physical device.

but we are testing that untrusted users, including XP users can run the system once it is running, which does require a lot of hackery indeed. Oh, for a setuid bit on code.

Re:Spreading FUD in a submission about FUD

[Derek+Pomery]

And to further simplify.
"which means not having any UI in a service unless you know what you're doing"

Simply because you would in fact have to catch any message that comes in.
What do you do if the message you don't handle is handled by the parent class in an unexpected fashion?
The fact that events can come from any process, without checking of priveleges by the OS, and that these events could be triggered by code you did not write seems to be a problem.
Yes, the solution is not to have the UI, but that isn't much of one, and still isn't the common solution.

Re:Spreading FUD in a submission about FUD

[ppanon]

I just installed Windows XP Professional. During the Installation procedures, it has a screen for creating up to 5 user accounts. At least one new user account must be created to get past the screen and, guess what, that account is an Administrator account.

Perhaps accounts created subsequently with the user management tool will default to Users, but those first few are definitely Administrators. So, which do you think anybody not on a corporate Domain network is likely to use?

Re:Spreading FUD in a submission about FUD

[ppanon]

Not only that but you are forced to create at least one of those accounts during XP Setup. In my opinion, that makes it less secure in the default install than either Windows NT or 2K. Of course, to avoid confusing all those Win 9X/ME users forced to migrate to XP, they're giving them the same wide open capabilities and eXPerience they've always had (and one full of trojans and viruses?).

Moving weel on into stage 3...

[Space+cowboy]

First they ignore you
Then they laugh at you
Then they fight you
Then you win

Mohandas Gandhi

Re:Moving weel on into stage 3...

[MooCows]

No, I believe we're moving to 4 already.

Re:Moving weel on into stage 3...

[znode]

You mean GandhiCon 3...

Re:Moving weel on into stage 3...

[cpeterso]

1. First they ignore you
2. Then they laugh at you
3. Then they fight you
4. ???
5. PROFIT!!

Re:Moving weel on into stage 3...

[geekee]

" First they ignore you Then they laugh at you Then they fight you Then you win Mohandas Gandhi"

This quote is meaningless, except in hindsight. For instance, if Ghandi had used the same tactics in Hussein controlled Iraq, insetad of British controlled India, the quote would go
First they ignore you Then they laugh at you
Then they fight you
Then you die.
He would have ended up in a mass grave with the other 300k people.

Re:My Story Was Rejected

[Uber+Banker]

Bummer. But I have had stories rejected as well as accepted and they usually turn up by someone else within a couple of days. No problem. The big news will still make it out even if by a different oracle.

Re:My Story Was Rejected

[jargoone]

2003-11-11 17:34:02

What do you expect? You submitted it 3 hours in the future!

You forgot one point...

[stephenry]

You forgot one point...

If they highlight the supposed flaws against the Open Source model by highlighting any back doors that may have been inadvertantly placed in the Linux kernel. (Conspiracy hats on.)

MS will win, of course, they are running the test.

[bgog]

This can ONLY be done correctly by an unbiased third party. Testing security is such a compliated concept with so many variables, it is a piece of cake to do the audit in a way that makes any of the contenders come out on top.

How about I point at one thing.

The number of major-collateral-damage internet worms that have struck becasue of unpatched or unfixed problems in Microsoft OSes in the last two to four years.

And then I point at the number of similar-scale linux worms that have occured in the same time period.

And then note that despite the fact nothing but Windows worms so much as *register* on the scale, Windows is not a majority in the server space.

Re:How about I point at one thing.

[bgog]

And you can't claim it is only because windows is a 'big' target. How many linux servers are on the internet. If you could drop half of them your worm would go down in history.

Re:How about I point at one thing.

[MadMirko]

The number of major-collateral-damage internet worms that have struck becasue of unpatched or unfixed problems in Microsoft OSes in the last two to four years.

And of course that's like blaming your car manufacturer for your accident when he "neglected to check tire pressure and brakes" for you.

The average end user did not have a proper understanding of the need to keep his machine up to date, but he has now. If that means he will turn the automatic update warning on again on his Windows box depends on how afraid he is that Microsoft somehow gets him for his pirated copy of the OS.

Corporate admins on the hand should have known better all the time, and those bitching the loudest about MS are easily identfied as the worst of their kind. Keeping an MS environment up to date is not difficult if you know the basics, MS provides several alternatives for differently sized organizations and budgets.

The cost my company accepts for patching our 2000 odd Windows PCs is marginal to the worst case. In fact it's so automated that I review the updates every Thursday, that will be deployed every Tuesday. We are patched a week after an exploit is discovered (and MS Security Bulletin keeps you very up to date, I have yet to see a hole that has been exploited sooner than a month after official MS bulletin release), we use Virus Scanners on Desktops as well as App-level Firewalls and transparent scanning of all email and web traffic, and we keep virus definitions up to date by automatic jobs. IT staff just monitors the smooth operation.

That's really not much if you know what to do, not different than with any ohter OS that deserves its name.

uh... wtf? :)

[wo1verin3]

>> InfoWorld reports that Microsoft is planning
>> an "security assault on Linux"

Microsoft prefers marketing...
Linux prefers a solid product...

Perhaps Microsoft should spend some more money on fixing their own products instead of trying to bring down others, it's turned in to a politcal compaign for them.

Re:uh... wtf? :)

[Zork+the+Almighty]

FUD is cheap, and it's maintained Microsoft's monopoly before.

Reaching towards the goal

[Ridgelift]

It's been said many times before, but it bears repeating:

First, they ignore you,

Then they laugh at you,

Then they fight you,

Then you win.

- Mahatma Ghandi

Re:Reaching towards the goal

[pmz]

I think Linux/Mac OS X/UNIX (read "interoperable systems") are already winning, it's just not obvious yet. It already has the attention of governments, and a number of Linux-desktop companies not only exist but haven't died yet. Even Sun is on the wagon with JDS, IBM puts it on mainframes, etc. OpenOffice.org's current popularity is just the tip of the iceberg. Once enough people realize that they can create decent documents and get real work done without lock-in to any company, it will "click" in their minds and the rest is history.

Re:Reaching towards the goal

[Zork+the+Almighty]

But what about all the other possibilities ? What else can happen ?

1) First they ignore you
2) Then you screw up and fail!

1) First they ignore you
2) Then they laugh at you
3) Then others laugh at you, and you fail!

1) first they ignore you
2) then they laugh at you
3) then they fight you
4) and they win !

Where are all those people ? I'd reckon they're still running OS/2.

Re:Reaching towards the goal

[AchmedHabib]

Tell that to Novell.
NetWare forever!

Re:Reaching towards the goal

[IIH]

It's been said many times before, but it bears repeating:

The truthfullness of a statment is independent of the number of times it is repeated. (Is not! Is too!, is not! is too! is not times infinity!)

First, they ignore you,
Then they laugh at you,
Then they fight you,
Then you win.

SCO have been ignored, laughed at, are being fought at the moment, so do you expect them to win too?

Re:Reaching towards the goal

[bstadil]

Wish I had mod points. Just added your Is Not Is too to my list of self referencing sigs. Like "never carry moderation to extremes" and the like

Your comment about SCO actually happened in reverse order so hopefully they will loose.

They were taken serious in the beginning, then we laughed and judging from the comments on /. most people have started to ignore them.

Re:Reaching towards the goal

[NTmatter]

Actually, the Linux community didn't ignore SCO. The Linux community repeatedly asked for proof of the existance of alleged code. SCO of course ignored these requests repeatedly. They laughed as people sent in their $699 "don't sue me" slips. Then they started fighting IBM. And Redhat. And Hollywood. All that's left is for SCO to lose.

Re:Reaching towards the goal

[slimy_dude]

First, they ignore you, Then they laugh at you, Then they fight you, Then you win.

SCO have been ignored, laughed at, are being fought at the moment, so do you expect them to win too?

I think it's worthwhile clarifying Gandhi's statement. He intends to say that when the opponent chooses to fight, you have already won. The "then" in the last line is deceptive. The message is that when the enemy attacks unfairly (fights), it is an admission of failure. At that very moment, you have won.

In this regard, it is unfair to say SCO has been "fought" against. With the exception of the unfortunate DOS attack a while ago, the attacks on SCO are justified, reasoned arguments. Thus Gandhi's aphorism doesn't apply.

Re:Reaching towards the goal

[swillden]

SCO have been ignored, laughed at, are being fought at the moment, so do you expect them to win too?

SCO == Ghandi? What?

I don't know about you, but I don't see a whole lot of passive resistance from SCO. Insane rhetoric, blind lashing out, grandiose claims, pernicious threats, blatant lies, but no passive resistance at all, unless you can somehow count their refusal to answer IBM's questions.

The analogy is still imperfect when applied to the Linux camp, but heck of a lot closer. And while the "Then you win" isn't a foregone conclusion, it certainly makes sense that when your opponents really start to focus on fighting you it's because they're concerned that you very well *might* win. Otherwise they wouldn't see the need to fight you (given that you're not fighting them).

Re:Reaching towards the goal

[tedrlord]

I don't know about most people, but when it comes to SCO, I'm still in the ignoring stage, bordering on laughing. If I ran into their CEO on the street, I'd probably punch him, but I don't think that's the kind of fighting they mean.

Re:Reaching towards the goal

[MrWa]

You have just succeeded in topping the feat of playing Diablo with a naked Sorceress!

Re:Reaching towards the goal

[Repran]

The truthfullness of a statment is independent of the number of times it is repeated.

Yes - but repetition is the mother of belive...

Linux isn't perfect

[nuggz]

Linux isn't perfect. By design, the implementation, or the way people admin their machines.

There is an understanding that MS is also not perfect. People expect security holes, and bugs and crashes.

I think it is good that this might result in a nice list of where linux has gone wrong in the past, and what hurdles to overcome in the future.

If the competition wants to make you the "Build a better OS HOWTO" I think they should be as free as anyone to add to the LDP.

Re:Linux isn't perfect

[Jason+Earl]

Exactly, in the past Microsoft has sponsored free Linux R&D (the Mindcraft benchmarks are an excellent example), and it has always worked to Linux's favor.

If Microsoft thinks that high-lighting Linux's security record, on the other hand, they are crazy. It is possible that you might come up with more Linux exploits if you count every single daemon, program, and service that you might possibly install, but that's a clear cut case of comparing apples to oranges. Linux sysadmins are going to take Microsoft's list, cross out all of the software they don't run, and be left with one heck of a short list of exploits.

Re:Linux isn't perfect

[jasondlee]

It worked with the Gartner report. Linux, from a kernel perspective, is a much more agile "organization" than Microsoft is. Bill and Steve had better watch out. The OSS community will have any valid holes they point out plugged almost as fast as the FUD machine points them out...

jason

Re:Linux isn't perfect

[GreatDrok]

It can't be stated often enough that all the effort MS or others put into pointing out the flaws in Linux does nothing but show us where to concentrate our efforts.

They would be far far better served by just keeping their gobs shut. Unfortunately, a company that is driven by marketing rather than technology will always be drawn to try and tear down the opposition.

So, keep 'em coming MS, no point in learning from past mistakes (Mindcraft!)

Free publicity

[LittleBigScript]

Since there is no such thing as bad publicity this has to be considered a good thing.

Think about it, the article mentions Red Hat and lets them discuss what think of the whole matter.

Re:Free publicity

[Haeleth]

> Since there is no such thing as bad publicity...

But there is. That's why libel laws exist.

now here's a funny one

[rwven]

heh, is this ever worth talking about? we deal with MS servers and Linux servers here, lots of Linux distro's and windows NT-2k3 boxes... the Linux side of things does WAY better on the security end of things than the windows end. Who cares what MS thinks they want to prove about this. From my experience, a security minded Linux box is way more secure than a security minded windows box. the biggest heel in the face of linux is that the idiots who make the servers dont patch them. Windows like to give you the option of doing that automatically. Gentoo Linux: emerge rsync emerge -u world nuff said. [please ignore any gratuitous opinion in the above post]

Re:Counter assult.

[ender-iii]

penetrate with what?!
(it better be a 10 foot pole!)

Hardly suprising

[DG]

Given that Microsoft got caught lying to a Federal judge (during the antitrust case) why is anyone suprised that they'll lie to their customers?

Isn't that a given?

Anybody looking to a vendor to provide accurate data about its products or the products of its competitors deserves the crap they get.

DG

Re:Hardly suprising

[Zimm]

Given that Microsoft got caught lying to a Federal judge (during the antitrust case) why is anyone suprised that they'll lie to their customers?

Well if microsoft lied, why not put him/her/it in jail(what is a microsoft?). I suspect a *person* working for microsoft lied to a judge, and that person should be punished.

Root access? No.

[shrikel]

Not to be inflammatory, but ...

such as root access for all users

On Windows, even the Administrator account (which is the level that lots of people log in to) is not really root access. The Local System account is comparable to root. The Administrator has control over all user-controllable parts of the OS but there are parts that are not user-controllable.

Re:Root access? No.

[foniksonik]

This is true... Windows gives just enough access to really mess things up and not enough access to do anything about it.

Re:Root access? No.

[caluml]

Actually, I had a thought. Log in to your favourite Linux box as root, and edit /etc/fstab so that / is mounted from a non-existent partition ( e.g. /dev/hda13 ). Reboot.
Now, to fix it is a cinch. Boot from favourite recovery CD ( Gentoo LiveCD for me), mount /, and edit /etc/fstab. Simple.

On Windows 2K, right click My Computer, Manage, and go into the Disk Management. Change the C drive letter to X and reboot. What steps do you have to take to fix it then? (And it's a genuine question.)

What about doing similar stupidness via lilo.conf, and boot.ini (i.e. changing the boot partition to something that doesn't exist).

Re:Root access? No.

[pmz]

My favorite is when I'm logged in as the Administrator, when Windows says (paraphrasing) "you don't have permissions to do that". Well, then, why even bother logging in as Administrator?

Re:Root access? No.

[shrikel]

What about when you try to execute a non-executable file on *nix (even as root), and it replies "Access denied."

It doesn't mean that your access level isn't high enough, it means that you're attempting an illegal operation.

Re:Root access? No.

[caluml]

Indeed. What was I thinking?

Re:Root access? No.

[pmz]

There's a big difference between Windows saying I can't kill a process and UNIX saying I am trying to execute a non-ELF file.

Re:Root access? No.

[bryceco]

Admistrator and Local System are ultimately equivalent WRT to access rights, since Administrator is allowed to run arbitrary applications within the Local System account (using the service and/or task scheduler interfaces).

Re:Root access? No.

[Electrum]

There's a big difference between Windows saying I can't kill a process and UNIX saying I am trying to execute a non-ELF file.

Just like you can kill kernel processes on Linux, right?

# uname -sr
Linux 2.4.21
# ps acux | grep keventd
root 2 0.0 0.0 0 0 ? SW Sep05 0:00 keventd
# kill -KILL 2
# ps acux | grep keventd
root 2 0.0 0.0 0 0 ? SW Sep05 0:00 keventd

Re:Root access? No.

[gbjbaanb]

well, changing boot.ini is easy - press F8 while booting, choose the 'command line' option (in XP at least). edit and fix. reboot.

Or.. for other versions (NT or W2k), boot from the OS CD you installed from, choose R for repair, then C for Recovery Console. correct boot.ini.

If you change the drive letter from C: to X: the OS will still load (you mean, you thought you had to load Windows on primary partition called C:? shame). Some apps won't run properly though (fair enough really, they were coded to read absolute paths). Go back to Disk Management and change it back to C:. And that's a genuine answer.

Isn't that procedure quite like what you'd do with Linux?
See, windows isn't as bad as people think (no, really!), though I should say that that statement is qualified by a) windows being the NT-based kernels (not 95/98/ME), b) 'people' being Linux enthusiasts who aren't really that that knowledgeable about Windows.

Re:Root access? No.

[pmz]

You should be able to kill just about anything in UNIX. keventd must be some sort of Linux invention, so I'm not sure what their take on it is. Right now, I'm not on a system where I'm brave enough to try killing processes 0 through 3. The thing I'm remembering about windows is non-kernel-related processes, even user processes, being blocked from "Administrator", because the OS is obviously wiser than the person using it.

Re:Root access? No.

[dipipanone]

Just like you can kill kernel processes on Linux, right?

It makes some sense that you wouldn't be able to kill a linux kernel process.

However, I don't for the life of me understand why I can't kill a crashed instance of Cubase in Windows 2000.

I assume it has something to do with drivers, because it's invariably software that's talking to my sound card that stops me from killing it after a crash?

Re:Root access? No.

[Jaysyn]

Even more interesting, go into the security properties of the root drive & remove SYSTEM from the list of users. Now reboot.

Congratulations, you now have an ex-computer (This was on an NT system BTW, don't know if it will work on Win2K).

Actually, if you are good enough at hex editing, you can fix this, but it's a bitch to find the correct bit.

Jaysyn

Re:Root access? No.

[Karellen]

Sorry, I think I've gone a little dense here, 'cos I must be missing something.

The point of being root on UNIX is that you can run other programs as root, which can do anything to the system. (e.g. overwrite the kernel image when you install a new one)

What good is this Local System account if no users (not even Administrator) can run programs as it? If no programs can be run as Local System, what use does it have? If the Administrator cannot do some things to the system, who can? How do you upgrade your core system files if no-one has access to them?

Great news!

[DaHat]

This is such good news for me, and here I was, ready to throw windows out of my life and become a linux guru, thanks microsoft for showing me what a mistake that would be!!!

Re:Great news!

[kfg]

On the other hand, Microsoft, for some reason, has taken it upon themselves to repeatedly point out that Linux gurus are better trained, harder to find, and thus make much more money than MCSEs.

Why they seem quite so bent on informing world plus dog that MCSEs are undertrained and a dime a dozen is beyond me, but if I were you I'd take their career advice and keep reading that copy of Linux in a Nutshell.

KFG

China distributes Linux code?

[mahdi13]

"Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?"

Ummm, because we can look at it before we install it instead of just 'trusting' someone that it is good?
And just how much code comes out of China anyway!?

Re:China distributes Linux code?

[happyfrogcow]

"Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?"

The actual sentance isn't what matters here. It's the words used, which are meant to trigger thoughts of "malicious hackers" and "red commie bastards". The meaning inherant to the sentance is irrelevant, its the implications that they were aiming for.

There is nothing inherantly wrong with a Chinese computer nerd submiting usable code into a Free software project. I can still look at that Chinese developers code, whereas some developer who works at Microsoft might not have anyone look at his code at work in a review process, and will have *no one* look at his code once it's "rented" out to the consumer. It seems to me that there are many reasons why that is better.

Re:China distributes Linux code?

[mahdi13]

Have you ever looked at the code before you installed something? or did you just rpm it or make ; make install?

If it's coming from an unknown/untrusted source, yes.
If it's coming from little people like kernel.org or mysql.com, no.

And how about you Mr. Anonymous Coward? Why are you hiding? ;-)

It would not come as a shock

[Progman3K]

It would not come as a shock if we found out MS was behind the attempt to add a root exploit to the Linux kernel that happened last week...

http://slashdot.org/article.pl?sid=03/11/06/0582 49 &mode=thread&tid=106&tid=185

Just what lows are they willing to sink to?

Or am I just paranoid?

Let's see, a corporation that stands to lose hundreds of millions of dollars in revenue to an open-source collective effort...

If I were MS, I know I'd be afraid and might even do something like that....

Has there been any new information on the security breach?

Lies, Damd Lies, and statistics

[giblfiz]

their study can find whatever it wants, I think most IT people will still notice that the MS systems still topple like dominoes ever three months or so with a new virus while no other vendors products seem to have that problem.

Re:Lies, Damd Lies, and statistics

[slcdb]

And that's really the heart of the issue. I think MS's point is that they are not to blame for these problems. They happen to be a bigger target than Linux, so of course more viruses aim at them. Why are they a popular target? Because their software is running everywhere. If roles were reversed, and Linux was running on 99% of all PCs, then Linux would be the bigger target.

lets get it over with...

[0x41]

Allow me to be the first to say,
BSD! BSD! BSD!

Whew, now that its out of the way, resume discussion...

They still don't get it ....

[molarmass192]

"Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?"

How about because I can look at that code, know 100% for certain what it does, and fix / customize / improve that code as I see fit? By definition, that does make it "better".

Re:They still don't get it ....

[MarkusQ]

No. It makes it better for YOU. 0.5% of people who use a computer. How is that BETTER?

Nuts. It makes it better for everyone. Look at it this way: would you rather take a drug that has been tested by hundereds or thousands of independent testing labs around the world, who published their results for all to see, or one that was produced by some big company who assured you that theirs was safe and effective, but wouldn't tell anyone what was in it?

You don't have to be an independent testing lab to benefit from the existence of independent testing labs. Likewise, you don't have to be a coder to benefit from open source software.

-- MarkusQ

Who is this Linux?

[tomstdenis]

See to bash windows is easy. Point the finger at Redmond and call "liar!".

Who exactly represents this "Linux" thing I hear of. To me the whole scene just reaks of ignorance. First off "Linux" is just the kernel. Not the userland. Second, most changes to the kernel are driver fixes and additionals. Security flaws fixes are rare.

Third and most imporantly, there is more than one distro of linux. Just because one may be out of date and insecure doesn't mean "linux" is insecure.

Tom

Ballmer comment...

[Chicane-UK]

I just noticed this :


And at the end of October, Ballmer gave the audience at Gartner's autumn symposium a taster of what was to come when he attacked Linux's assumed security superiority. "In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."


Yes.. some more classic FUD. But something did strike me about this comment. If they were to talk purely about the core operating system, i'd be willing to be that Linux fared equally or better than Windows.

Red Hat 6 is a distribution, and as such comes with a whole host of applications & suites when you do a full install. Windows Server 2003 is just the OS. If you were to bolt Microsoft Office, and all of the other comparable applications onto Windows that a Linux distribution includes, I am sure the security patch figures would not be in Microsofts favour.

It just shows that Microsoft are worried about Linux.. if their product was so damn good, they could sit back and let it sell itself. But its obviously not, and they have to resort to this slander to try and win over the more gullible people to their side.

Drives me crackers!

Re:Ballmer comment...

[kidgenius]

What i don't understand is this. Redhat 6??? When did that come out? Back in probably 1999 or something. How about we compare that, to the number of security holes in Windows 98, or NT4. As operating systems mature, holes disappear (sometimes) and new ones reappear. But it is unfair to compare newer software to older software.

Re:Ballmer comment...

[sgasch]

I see your point but a similar case can be made for NT. A lot of Windows security flaws are in code like Outlook, Outlook Express, IE, the RPC service, etc... Windows ships with all of these things (except Outlook) so a bug in one of them is a "bug in Windows". But Linus likes to define linux as a kernel. If you take a look at the NT kernel and the number of security flaws in it... I think you find MS is doing ok.

The problem is bloat. Shipping the kitchen sink along with the OS -- indeed "integrating" webbrowser libraries etc... into the base Windows "distribution" means that if the quality of this userland code is poor you have a "bug in the OS".

But to hear people complain about Outlook Express or IE bugs and say they are "NT bugs" or "Windows bugs" bothers me... think of it like someone calling a bug in Mozilla a bug in "linux". Windows is a distribution where a lot of userland has been written to make it easy to use but without good security. That said, there's no getting around this or excusing it. Especially the RPC bug that caused Blaster -- there's a good case for calling that part of the OS since it was a integral OS service. But the NT kernel is very solid code and if you ignore "3rd party" apps in a linux distribution (like mozilla, mutt, the kde stuff etc) don't be surprised when I want to distance NT from the all stuff that comes with it.

Re:Ballmer comment...

[DA-MAN]

> If you take a look at the NT kernel and the number of security flaws in it... I think you find MS is doing ok.

No you wouldn't, you forget that Microsoft includes everything but the kitchen sink in the kernel. The Graphical Display Interface, IIS, Internet Explorer, and things like that.

IIS is the bane of any Windows Admin's existance and it is put in the kernel.

Re:Ballmer comment...

[sgasch]

You apparently don't know the difference between a kernel and usermode shared libraries (DLLs). The only thing you got right there was the GDI.

expected results?

[vmxeo]

"Microsoft has hired several analysts to review how fast holes are patched in the open source software and is expected to announce that Windows compares favorably."

You gotta love it when analysts are paid to give an expected result.

Hey MS, can I have my analysts scour your source code for holes?

Re:expected results?

[RocketSHE]

This comes on the heels of the TCO study, which didn't come off as very credible. Even the windows-only guys I talked to thought that was TCO study was pretty laughable. This analysis sounds like a similar waste of time. Maybe, they should get out of the study business, get out of the analysis business, and focus on fixing their code.

Agreed

[ttyp0]

Period ending June '03, Micrsoft spent 1.336 Billion in R&D. Five million isn't even half of one percent of research spending. Serious security? Doubtful.

Re:Agreed

[kfg]

Don't be silly. 1.3 Billion of that R&D money was spent on DRM projects.

How can you possibly say they aren't serious about security?

KFG

Re:Agreed

[bigjocker]

On another note ...

Given this announcement, to whom would have been most beneficial the introduction of last week's backdoor to the linux kernel?

Re:Agreed

[miffo.swe]

How the h*** did they manage to spend that kind of money without making anything useful with it? What did they do? They have spent that kind of money and samba still runs burning circles around Windows cifs, the security still sucks and the damn thing isnt either smaller nor faster!

Re:Agreed

[cdrudge]

It's ok. You call say hell here. You can even say works like fuck, shit, bitch, or any one of several hundred other 3, 4, adn 5 letter words.

Re:Agreed

If you lost your dog and offered up a 100$ reward yet you made 100,000$ salary, would you not be serious about getting your dog back?

No. You wouldn't be.

Whatever you may think, 5 million is still a lot of money.

Sure. It is. But for the type of marketing work it did for MS it was a bargain... even if they had to actually pay it all out.

I mean come on... X-Box marketing budget was something like $500mil! I'd say MS is 100 times more serious about selling X-Box than about Windows security.

Re:Agreed

[schon]

If you lost your dog and offered up a 100$ reward yet you made 100,000$ salary, would you not be serious about getting your dog back?

Well, if you spend all of that $100,000 on your other pets when they get lost, then I'd say no, you really wouldn't be that serious.

Re:Agreed

[unother]

Ohmigod! Even so, I coulda swore we weren't allowed to say "adn"!!!

P.S. ;)

Re:Agreed

[ssstraub]

You mean like when I install a new XP box and it gets infected with nachi before I login the first time ? That's a real great feature!

(Yes, I now install the RPC patch before connecting to the network for the rest of the patches.)

Kill them all..

[msimm]

and let god sort them out. The FUD is getting so thick you could cut it with a knife.

Looks like its welcome to the prime-time Linux.

Ob "security through obscurity" post

[Jetson]

It's not the amount of holes in your software, is whether or not the typical cracker knows how to exploit them.

That's why Microsoft is so committed to solving security through obscurity -- they believe that keeping the flaws secret will keep crackers from developing exploits.

The "study" will also no doubt find that Microsoft fixes their bugs much faster than open source programmers since the Windows bug and downloadable fix are often announced on the same day.

Re:Ob "security through obscurity" post

The "study" will also no doubt find that Microsoft fixes their bugs much faster than open source programmers since the Windows bug and downloadable fix are often announced on the same day.

As I can see it, this logically suggests one of two conclusions:

1. Microsoft knew about the bug beforehand and waited until they had a solution to tell us.

or

2. Microsoft believes that quality code for security bug-fixes can be written, tested and released within the span of a day.

Gee... both of those sound like winning ideas to me! ;)

Re:Ob "security through obscurity" post

[OECD]

The "study" will also no doubt find that Microsoft fixes their bugs much faster than open source programmers since the Windows bug and downloadable fix are often announced on the same day.

An excellent point. The legnth the vulnerability is open is what's key. If I leave my back door unlocked for a week, and then announce it a minute before I close it, then I have been vulnerable for a week, not a minute.

Another consideration is the legnth of time before the vulnerability is fixed in the real world. MS may pick up some ground here with its recently announced automatic Windows Update.

Re:Ob "security through obscurity" post

[Thurn+und+Taxis]

Maybe that's why Microsoft has switched to sending out vulnerability announcements only once a month - they're hoping to get a negative "time-to-fix" score!

Easy Answer

[missing000]

MS can win a PR battle, because they have an endless amount of cash to pursue the cause.

On the other hand, OS can win the desktop domination war by creating better systems that are less vulnerable in real world situations if we focus on grass roots marketing.

Re:Easy Answer

[Vlad_the_Inhaler]

They also have the cash to pursue security problems, their problem appears to be design flaws that can only be 'corrected around'.

An obvious example is integrating their Web Browser into their OS to screw Netscape, a political decision taken by his Billship. Bugs in IE lead to the equivalent of root exploits, bugs in Mozilla mean that one user account can be compromised.

Another political decision has been to install software to offer all kinds of services, basically to keep third party vendors out. This software defaults to being active. What was that database port vulnerability again? Another consequence of this is that a virus/worm writer has reliable idea as to what components will be running/active.

They have the cash for PR *and* fixes, but political decisions have led to a situation where this does not help. Having said that, if as many computers ran Linux as the various Win versions, we would also be seeing more problems that at present - they just would not be as serious.

Re:Easy Answer

[allan_q]

It's not just a better system. You also need some PR to get people to try them. People will not switch desktops on the promise that they are better. They must feel that the benefit of a new system outweighs the cost of keeping the old.

Re:Easy Answer

[pmz]

MS can win a PR battle, because they have an endless amount of cash to pursue the cause.

Why buy lies when the truth is free?

Re:Easy Answer

[PierceLabs]

They are also going up against Linux and the nameless company that is open source. While open source is great in that Microsoft has no one specific target to sue, exploit or otherwise screw over - its bad because there also is no unified marketing arm, no marketing budget, and no clear marketing message.

Re:Easy Answer

[Zork+the+Almighty]

Why buy lies when the truth is free?

Because the truth doesn't always say what you want it to ?

Re:Easy Answer

[jimsum]

You should be more optimistic. You said: "if as many computers ran Linux as the various Win versions, we would also be seeing more problems than at present". Why not say if more people ran Linux, we'd see more problems being fixed than at present?

Everyone knows there is no such thing as bug-free code. All you can do is test the code and fix the bugs you find. More people using the code means more testing, and therefore more bugs exposed.

This is the point where open source and commercial development differ. When there are more open source users, there are also more open source programmers, so there are extra bug-fixing resources to go with the extra bugs. There is no compensating increase in programmers to go with an increase in users of commercial software. Yes, more users mean more revenues for a company, but you have to depend on the company owners to apply some of that extra revenue to fixing bugs, when they could just pocket the extra money.

Forget about how many bugs there are in an O/S, how good is the process for fixing them? O/S exploits are open source, and the entire world is free to examine the source and improve those exploits. Why should we tie our hands by limiting the number of programmers who can defend against those exploits? I think the number of good programmers far outweighs the number of evil programmers, we should use that fact to our advantage and not let a company limit the number of good programmers working on a proprietary O/S.

Re:Easy Answer

[jazman_777]

Why buy lies when the truth is free?

Didn't George Carlin suggest that if Americans started telling the truth, the whole system would collapse?

Re:Easy Answer

[pmz]

Didn't George Carlin suggest that if Americans started telling the truth, the whole system would collapse?

Only when negotiating something is unadulterated truth bad. Unfortunately, we are always negotiating whether it is for a cookie or for a bill in Congress. Wishful thinking would hope for fewer hidden agendas in Congress.

Re:Easy Answer

[bex+l]

But isn't the truth that MS DO make plausable software. It's just not very configurable and it's a big capitalist venture. Sure it's got an overwealming amount of problems but saying linux has very few problems is also a lie. A comparason could only really be made if you left out the opinions and statistics and went on the merits of the code.

Re:Easy Answer

[k12linux]

Having said that, if as many computers ran Linux as the various Win versions, we would also be seeing more problems that at present - they just would not be as serious.

One very telling fact, IMHO, is that currently Apache holds over 3x the market share for web servers compared to MS's IIS. (Source November Web Server Survey - 67% vs 21%.) Yet look at the number and type of security alerts for each over the past year or two.

Re:Easy Answer

[m_pll]

An obvious example is integrating their Web Browser into their OS to screw Netscape, a political decision taken by his Billship. Bugs in IE lead to the equivalent of root exploits, bugs in Mozilla mean that one user account can be compromised.

That's an interesting claim. Do you have any specific examples of this actually happening?

As far as I know, all IE code runs as the user which means exploits in IE can't automatically elevate to root.

I even went to the security bulletin search, searched for IE6 bugs and clicked on several at random. They all had this text:

If an attacker exploited these vulnerabilities, they would gain only the same privileges as the user.

So, again, where did you get this idea that IE bugs lead to root exploits?

Re:Easy Answer

[RzUpAnmsCwrds]

" Bugs in IE lead to the equivalent of root exploits"

This is simply bullshit. Yes, IE has security problems, some of them extremely severe, but they are certainly not root exploits. Bugs in IE are little different than bugs in Mozilla - of course, IE has far more of them.

IE runs with all of the same permissions and restrictions of any other application. Believe it or not, IE isn't really integrated into Windows. Explorer.exe, the Windows shell, depends on IE; as does the help system and some other things - but all of these applications run under the privelages of a user's account. For IE to cause a "root exploit", the user would have to be running as Administrator - and Mozilla can cause a problem just as severe in that situation.

Re:Easy Answer

[servies]

And the stupid thing is that the first user added has the same privileges as the administrator.
Most systems have only one account besides the administrator and there you have your root exploits...

Re:Easy Answer

[Vlad_the_Inhaler]

Damn - you are so obviously right.

I have since checked the installation in question and the user rights are set way too high. I hardly touch windows nowadays and made the usual mistake of trusting someone competent.

Too long to fix bugs?

[caluml]

Microsoft Corp. is preparing a major PR assault over Windows' perceived security failings in which it will criticize Linux for taking too long to fix bugs, we have learned.

Too long to fix bugs? Please. There might be other chinks in the Open Source armour that could be exagurated to make newpaper inches, but the speed of the bug fixes? No way.

PS. How do you spell that damn word? Exagerated?

Demographics

[Svennig]

From the editorial:

I suppose if they focus very narrowly on one measurement of security, completely ignore script-level vulnerabilities, default settings vulnerabilities (such as root access for all users), and the demographics of the user population....[snip]

Tech savvy people use Linux. If you sat my mother down in front of Linux she'd open all the same email attachments and run all the same unsafe executables etc etc. Although I agree that in general open source systems are more secure than closed source implementations, this is more to do with the people using such systems than the systems themselves. Social Engineering security hacks anyone?

Re:Demographics

[Vlad_the_Inhaler]

Your mother would only have the same level of problem if she ran everything as root. I know someone who had XP Professional at home and ran everything there as 'Administrator' or something with the same rights. I was asked to come around and help when the system was already toast. They had no concept of different users for different tasks.

The weakest link

[melonman]

I'm increasingly convinced that a lot of the secureness of Linux boils down to better and more cautious sys admins, and, if this is the case, things can only get worse from here on in. If you run all your linux code as root and your password is 'password' (and I've met at least one person who does this), I don't think you have a wonderfully secure system. OTOH, W2K Server with the Security Pack applied is not a trivial thing to hack.

Re:The weakest link

[caluml]

If you run all your linux code as root and your password is 'password' (and I've met at least one person who does this), I don't think you have a wonderfully secure system.

Of course, knowing the root password doesn't necessarily make your system insecure.
ssh root@selinux.dev.gentoo.org , password gentoo. (It's a public box - you won't get told off for logging in.)

Yeah, but do you SEE it?

[beacher]

Here.. Quote from Ballmer "Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?"
Check that Nigerian 419 article (this was in last week's /.).. "These folks are some of the same great people who are supposed to be working for you anyway, plus a smattering of teenagers too young to work at Redmond, hackers, virus creators, and a menagerie of others with whom you will feel great pride in entrusting your IT infrastructure."
The marching orders have been given..
-B

Re:Yeah, but do you SEE it?

[BrynM]

Sarcastic Ballmer:

These folks are some of the same great people who are supposed to be working for you anyway, plus a smattering of teenagers too young to work at Redmond, hackers, virus creators, and a menagerie of others with whom you will feel great pride in entrusting your IT infrastructure.

And how many former black hats are security experts now? The industry knows that it takes someone very familiar with exploits and viruses to combat them effectively. I wonder how many former black hats work at MS... Ballmer should have been named Assmer - a more appropriate piece of anatomy for him. It blows my mind how weak the MS FUD can be.

MS takes security seriously

[tsa]

It seems like MS is taking other people's security problems more serious than their own. Let's thank them for bringing our little security problems under our attention so we can fix them quickly like we always do.

Re:MS takes security seriously

[grolschie]

I remember reading that they couldn't fix one massive security flaw without redesign on OS from ground up. Thus copping out by saying that if you got physical access to a pc, then you have no security.

Oppurtunity (at last)

[enjo13]

These are not questions that Microsoft wants to raise. We've finally forced their hands, and for once I'm excited.

This is the opportunity for community leaders to finally start talking about the FUNDAMENTAL architecture differences between Windows and Unix variants that allow security issues to be contained (permissions/groups). It allows us to talk about the superior response time in fixing exploits, as well as the power of open coding in spotting them in the first place.

I think this type of FUD campaign aimed directly at our biggest (relative) strength is exactly what I've wanted for a very long time. It's an opening to get Linux onto the desktop.

Re:Oppurtunity (at last)

[TheRealSlimShady]

This is the opportunity for community leaders to finally start talking about the FUNDAMENTAL architecture differences between Windows and Unix variants that allow security issues to be contained (permissions/groups)

Guess what? Windows has permissions and groups as well. And they're used for the same purposes - restricting access to resources. The fact that many don't use them is a valid point, but fundamentally the architecture is in place. This is how professional shops are providing secure Windows environments. It's not rocket science

Two things:

[Mac+Degger]

Sure, the study is 'slightly' biased. But an important thing to eep in mind is that windows also has a much, much larger installed user base.

Fact is, the more people use linux, the more people will be looking over it's code (for good and ill intents). And the more people who look into the linux code, and the more users linux has, the more security flaws will be found and exploited.
Point being, sure, now linux is secure as houses (yeah yeah, also due to it's structure and whole OS mindset), but the more people use it, the more malicious people will write virusses and find exploitable code and...exploit it.
For a large part, I'd say it's just a matter of numbers.

Re:Two things:

[brianosaurus]

It may be true that as more people use it, more exploits might be found. But at the same time, as exploits are found, there will be a larger number of users who can investigate and fix them.

The real advantage to Open Source is that if you discover something, you can look at the code and figure out what is wrong. If you discover a bug in Windows, you have to just deal with it until someone else fixes it.

Re:Two things:

[the_mad_poster]

Point being, sure, now linux is secure as houses (yeah yeah, also due to it's structure and whole OS mindset), but the more people use it, the more malicious people will write virusses and find exploitable code and...exploit it. For a large part, I'd say it's just a matter of numbers.

This is such an old, tired argument that I can't believe it still comes up.

If it's a game of numbers, why doesn't the Internet come screeching to a halt under the onslaught of a Linux worm? There are certainly enough critical systems out there running Linux to do it, yet it hasn't happened yet. Why?

We don't even have to get into that speculation though - the fact of the matter is that the most frequent, serious worms are executed on Windows machines. In particular, they're executed on 32-bit Windows machines. If the overwhelming majority of widespread attacks originate from infected Windows machines and affect Windows machines, then it's a pretty safe conclusion that Windows machines are more vulnerable. Maybe the SEVERITY of the attacks is a numbers game, but that's not what the vulnerability numbers suggest.

Re:Two things:

[bex+l]

If the overwhelming majority of widespread attacks originate from infected Windows machines and affect Windows machines, then it's a pretty safe conclusion that Windows machines are more vulnerable. No it's not. More users = bigger target = bigger effect = more publicity for the virus/exploit writers. Linux is generally more secure but only because it takes more technical knowlege to damage it. It's not less vunrable but it takes smarter people to mess it up.

Re:Two things:

[the_mad_poster]

Which, to extend on your statement, is still Microsoft's fault. If they're targetting dumb sysadmins and users, it's their responsibility to build the product appropriately.

And yes - it IS. The Linux machine target is undoubtedbly MUCH sweeter than Windows on the Internet. You can cuase plenty of irritation by targetting Windows boxes, but by targetting the major Linux machines on the 'net with worms the caliber of Blaster, it could all be brought to a screeching hault for a SIGNIFICANT period of time. Yet, this hasn't happened. Why?

ha ha...

[cshark]

I think it's funny that microsoft needs to pay people to say how great their products are. Maybe they should focus on building a better product than telling some analyst to write nice things about them. Come on. Anyone could do that.

Re:ha ha...

[caluml]

I think it's funny that microsoft needs to pay people to say how great their products are.

Yeah, look at me - Gentoo is great, everyone - give it a try!

And, believe it or not, I don't get any money at all when I say that.

Re:ha ha...

[cshark]

Right. It's a quality product.

If it wearen't quality, there would be no reason to use it based on it's merits.

And if the folks at Gentoo wanted more people to use it without having to take the time to develop a better product, they would have to spread doubts about competing products.

After all, if both choices are bad, you want the lesser of two evils, right?

How else could they ensure that you would buy into their invasive DRM, ever more propriatary protocols, deplorable business practices, constand security problems, and forced renewable licensing that they know damn good and well that you don't want?

Re:ha ha...

[KD5YPT]

Windows is awesome, Microsoft are nice people. Linux are the OS for the Communists and written by a bunch of hackers.

Now Bill Gates, pay up.

Re:ha ha...

[Dwonis]

What's funny is that Linux zealots spread Windows FUD in the same manner ezcept for free.

"FUD" is typically reserved for unjustified fear, uncertainty, and doubt. The truth is generally not called "FUD"...

;-)

Re:ha ha...

[abradsn]

I think it's funny that microsoft needs to pay people to say how great their products are.

Well, I think it is interesting that no one seems to do security audits of scripting in Linux. I can think of a million attacks to do with perl, and since it is installed on damn near every linux machine, Linux is not far from Windows in script security problems. We just need to increase our user base to the billions so that we can share more equally in the problems of Windows.

Re:ha ha...

[abradsn]

I second that. Why do moderators seem to mod all of these down? Leave us a one so that other's can see it, and possibly respond. ? ? Profit!

A PR campaign is used to fight bad press.

[Dark+Fire]

Microsoft is using a PR campaign to combat the bad press it has received lately. Their campaign is designed to change public perception, not address the actual problems.

Windows 2003 server certainly has more secure default behavior than it's predecessors, so atleast it isn't all window dressing. But they have a long road ahead on the security front.

Last quarter they had $800 million in unearned revenue, this PR campaign is focused on changing public perception in order to get that unearned revenue problem under control.

Lies.

[thegent]

Linus should sue Microsoft for spreading lies about his project. Redhat is not Linux. And if redhat 6 has 500 flaws it is a lie to say that Linux has 500 flaws. It's even a common logic error that Microsoft does. Sadly some CEOs who don't care much about anything buy this lie...

The consumer has a short memory.

[mindstrm]

Guys you can argue the technical merits all you want.. today's consumer has a short memory.

If MS makes it look for a short while like linux isn't really secure, and does an okay job of convincing people, the facts don't matter; the get more market, we get less.

What linux needs is an evil marketing company, on par with MS.

Re:The consumer has a short memory.

[NullProg]

Oracle ?

What kind of comparison?

[10Ghz]

What kind of systems are they going to compare?

Ballmer: See, here we have two operating systems. One is Windows XP the way you get it after a fresh install(*. And over here we have Linux after a typical install(**. THe Linux-system has had alot more security-holes than this Windows-machine has had!

*) Which means that the system consists of Kernel, GUI, Solitaire, Notepad and handful of other apps

**) Which means that the system consists of Kernel, several GUI's, several editors, several server-tools, developement-tools, games, apps, office-suites, several browsers, several mail-clients. etc. etc.

Hardly an apples to apples comparison....

Re:What kind of comparison?

[mopslik]

the system consists of Kernel, several GUI's, several editors, several server-tools, developement-tools, games, apps, office-suites, several browsers, several mail-clients. etc.

Indeed, many of the "security holes" previously cited by Microsoft-backed "researchers" are in supplemental packages or applications, rather than in the OS itself. For each KaZaA-based worm, does that say that Windows has a security flaw in it? Not necessarily. The application is often to blame.

With that in mind, add up all of the flaws in Windows apps, and the number will probably be staggering.

first time SCARE to connect to the net...

[imbert]

Hey Guys, For the first time after a decade on the net I was scare to connect to the net.. Do you know why? I just moved to a new house and I had to transfer my SBC/yahoo DSL account to there. They gave me 10 days for complete the moving so, I am without dsl connection on my house... I had to use dial-up (I forgot was slow it was) but the only machine I had available with modem was a station with Windows 2K professional that my wife use... To be sincere, I was too lazy to install a modem on my linux desktop that I use was a firewall for my home too. So, I looked to the Windows Desktop connected by dial-up and I start thinking... Jesus, I am connected to the internet using Windows and without a firewall or anti-virus (I don't like any anti-virus...I don't think I need one till I see my M$ windows connected to the net)!!!! As soon as I connected I got that SPAM using the the message service! Windows is a hell! Microsoft is a hell!

Shocked. Shocked, I Say.

[cstrom]

Of course the study found M$ superior, the analysts know full well what would happen to them if they found otherwise.

Redhat 6?

[oolon]

They tested it against only redhat 6, Of course windows 2003 is going to have less its not been out as long! I note also they can give a figure of 2000 and 2003 yet are unable to do it for redhat 6... Why? They must have calculated somehow....

Oh stupid me ... this is a FUD attack.... of course it does not make sence..... YAWN

James

You have to admit...

[tdk2fe]

You have to admit that the entire fiasco between microsoft, a multi-billion dollar a year company is being so shaken by a community of rogue hobbyists is really quite amusing. Microsoft should have a superior product. After all, they've been doing this for over a decade, pretty much have access to unlimited resources, and in the face of all that there are rival products out there that cost next to nothing to use. I think that in the next few years we are going to see some major economic shifting in the IT world. I think that the market is going to move towards supporting various services, and not charging for the actual software itself. Thats the glory of the internet - it gives power and recognition to those who earn it and not to those who buy it.

Re:You have to admit...

[SmallFurryCreature]

ehm you do know linux is also a decade old? Of course MS has been doing it for a bit longer then 1 decade. Hell the current windows looks will soon be a decade old (1994 yes I know it was released officially in 1995). But MS has been around a bit longer. Hell they used to be a unix company :P

Re:You have to admit...

[tdk2fe]

I'm not sure as to how long various flavors of linux have been around, but I was just pointing out that a single company that has been working on the same general idea for over a decade should have gotten it right by now. And by 'right', I mean that XP is the first release of Windows that I have ran which decently accomplishes tasks like plug and play, intuitive networking (albeit not always secure), and overall something I don't need to reboot three times in one day. All of the above features were heavily touted in '95, '98 and ME. With all of the resources MS has, it seems preposterous to entertain the thought of other companies developing software that is on the same level of MS. It's along the same lines as paying Contracter A to build you a house, and in the course of ten years you need to have them come back to fix the plumbing, locks, and electricity - When you could ask Contracter B to do the same thing for you and not have to pay him anything.

Coincidence is divine:

[DeltaSigma]

I love the random blurb that popped up at the bottom of the page when I read this article:

When the blind lead the blind they will both fall over the cliff. -- Chinese proverb

An evil play??

[markxsd]

Unless we're missing something... Who's to say that Microsft haven't been doing a little unpublished research, looking for buffer overflows and other vulnerabilities that they're soon going to demonstrate? There are still bright people at Microsft. There are certainly people bright enough to find bugs in software (maybe they won't find much wrong with the Linux kernel, but it's not going to be too difficult to find bugs in myriad GNU and other packages that come with a typical distro). They might view finding and making public security holes in the competition as a more valuable and profitable exercise than securing their own OS and software.

If they like many of us see Linux as the biggest credible threat out there, they might resort to fighting dirty. Linux does have the potential to shift the paradigm of the whole IT industry in the same way that Microsoft themselves did through the 80s and 90s. Sun et al are already feeling the heat in the server market. I'm certain that Bill and co are getting twitchy about how things are developing.

We all know Microsoft is pretty cold and calculated when it comes to competitors. If Linux is next in the firing line, the open source community needs to be ready for this battle and the wars that will follow...

Re:An evil play??

[Geek+of+Tech]

If the holes could be patched immediately, this might show some of the dedication of OSers. Also, if Microsoft starts publicly showing security holes in linux, then that means the rest of us should do the same for Microsoft. Right??? Instead of giving them time to fix their holes before we tell the world, just let them read about it off bugtraq or some such list. Don't give them any prep.

Re:An evil play??

[SCHecklerX]

in *linux*? Linux is just a kernel. Administrators can easily not run, or fix any service that has a problem. The issue with the crap that comes from M$ land is that you CAN'T disable the shit you never use. It breaks all kinds of apps...the RPC worms this year, for example.

Re:An evil play??

[SmallFurryCreature]

Ehm, if you are suggesting MS will somehow start writing exploits or something to bring down linux you are either mad or think MS has gone mad.

That would land them in so much hot water if found out that it is just not funny anymore. FUD is nothing new, actually attacks are something different. The last one is just good bussines the latter is investigated by the police. Not by jokers like the SEC but real cops who put you in handcuffs and put you in jail with a guy called bubba.

Do you think any MS coder is going to risk getting slammed like some of the other virus writers?

No, MS will try to discredit Linux and all its competitors. It may even publish "research" showing it to be so. But it will not resort to clear and blatant criminal acts.

Re:An evil play??

[lcde]

I agree, but the difference between a company and a community is that the community has no one to target in particular.

Microsoft may attack Linux security and weaken the buzz being created right now. But some serious buisnesses are looking into linux as a solution to their computing needs. Worse comes to worse Linux goes back to the way it was 4 years ago.

To me it seems the community doesn't need the corporations, the corporations need the Linux community and its high standards.

Re:An evil play??

[Logicdisorder]

I think they are also going to over loo that fact that people that run production Linux system harden them and alot of that can be done at install time. This is an area where MS ahs fallen on its ass. I have spent many hour going though harden a Windows system(apart from 2003, it is pretty good out of the box). Which has not been the case when I have built Linux systems. I am sure there are heaps of secirty holes in Linux but as has been stated it is packages add in not the core OS itself. Not to say there are none but that fact is that Linux has a lager developer base and since you can get access to the source it can be fixed quickly. This is were MS will never be able to compete, they had a limted resource.

Re:An evil play??

[SQLz]

I think they are demonstrating on Redhat 6...I think those bugs have long been patched.

Re:An evil play??

[pebs]

If Microsoft is going and finding bugs/vulnerabilities in OSS, great! OSS can use the extra bit of help finding these bugs.

Microsoft, can you do us a favor and send a bug report while you're at it?

Re:An evil play??

[Captain+Beefheart]

"If they like many of us see Linux as the biggest credible threat out there, they might resort to fighting dirty."

This has been a long time coming, from the looks of it--Many of you are probably familiar with the Halloween documents, "an internal strategy memorandum on Microsoft's possible responses to the Linux/Open Source phenomenon." This was back in 1998. MS verified the documents as authentic but claimed it was "a mere engineering study that does not define Microsoft policy."

They've probably been building up a case for a long time. But as Linux is systematically sound, they've apparently been forced to find specific, technical problems since their Ominously Vague Murmurs don't seem to be taking. The problem for them is whatever they pick is, by definition, fixable and not an element that defines Linux as Linux. Additionally, if you find 50 holes in Linux and 25 in, say, Windows Server 2003, that's not nearly as relevant as the average lifespan of the hole. With all the Linux distros, there may be dozens of holes at any given time, but there is only one Windows Server 2003. I challenge them to focus on one major distro.

Lastly, MS is has been coming off increasingly hostile and banging the "Linux BAD!" drum so obsessively, that they run the risk of sounding like they're accusing corporate Linux licensees of incompetence, rather than trying to merely educate them.

Re:An evil play??

[theKiyote]

Unless we're missing something... Who's to say that Microsft haven't been doing a little unpublished research, looking for buffer overflows and other vulnerabilities that they're soon going to demonstrate? There are still bright people at Microsft. There are certainly people bright enough to find bugs in software (maybe they won't find much wrong with the Linux kernel, but it's not going to be too difficult to find bugs in myriad GNU and other packages that come with a typical distro). They might view finding and making public security holes in the competition as a more valuable and profitable exercise than securing their own OS and software.

Shear numbers. Although Microsoft can employ brilliant people to look for security holes in their competitor`s OS, Red Hat, SuSE, Mandrake, etc also have brilliant people on their staff looking for holes, in addition to the thousands of users, who are also looking for holes as a hobby, then coming up with fixes for them.

And the best part of this is, because of the Open Source initiative, if one distro finds a fix, soon all of the distros that have similar holes have fixes.

Re:An evil play??

[ChopsMIDI]

We all know Microsoft is pretty cold and calculated when it comes to competitors. If Linux is next in the firing line, the open source community needs to be ready for this battle and the wars that will follow...

That sounds like something a nerdy Braveheart character inspiring his army would say just before the big fight for freedom in some movie that should be made.

Or Soemthing like that.

Re:An evil play??

[mystran]

They might view finding and making public security holes in the competition as a more valuable and profitable exercise than securing their own OS and software.

If this is what they think, they go wrong in two places. First one is obvious ofcourse, it won't make their own OS more secure, but there's more; if Microsoft invests energy to find bugs in OSS, they are working for the OSS community. If they publish the bugs (or even where they might be) they'll get fixed.

The trick is, when you have a closed source model, you are out-numbered almost certainly. If you are in this position you should NOT waste effort of your programmers on helping OSS community to find problems. Those problems can be fixed by some people, while other people continue to find problems in your closed source system, which you can't fix, 'cos you've just assigned all your programmers to find problems in competitors products.

Ofcourse Microsoft is large enough to invest in both, but the most they can win is a small short-term PR victory. In the end they'd help OSS. If they understood the nature of OSS, they'd just accept it's existence, and spend to effort to fight it. Resistance is futile anyway..

Re:An evil play??

[yoshi_mon]

...that they run the risk of sounding like they're accusing corporate Linux licensees of incompetence...

Agreeded. I walked into a local shop one time to find a new mobo. This little shop that just turned a profit for the owners I'm thinking. It looked good, but good brick and mortar pretty is costly. And what came next I'm quite sure proved me right.

Anyway, I needed a new mobo for an AMD boxen. No prob, I mean I use whatever CPU depending on what the customer wants. I prefer AMD for it's performance for cost ratio but thats just me.

So I ask the guy for a new mobo and the 1st question he asked me is what CPU did I have? I said an AMD 1800+ and he said something to the effect that oh, they don't even stock anything AMD. They consider them an inferior part and not worthy of being in any computer.

My mind went blank. This guy is some po-dunk computer store. AMD has taken on Intel and, well we will see how it all turns out but damn, they have done more than this guy could ever invision in his wildest dreams. I simply walked out at that point. He was not even pretending to use logic, he was just some marketdroid that had been programed.

Lest to say, I found a better local retailer who has a more even head but the fact that that kind of mindset can flurish still befounds me.

Re:An evil play??

[bex+l]

It's happened before hasn't it? MS sponsered benchtesting (MS agains linux). MS came out on top but the whole exercise provided linux maintainers with a serious bug (to do with scaling) which got fixed. MS got a nice bit of good PR but if they hadn't dont that linux would have got a whole lot more bad PR further down the line. MS trying to discredit linux (and other OSS) through technical problems only leads to linux gaining insight into said problems and fixing them. I'd say to MS to keep up the good work.

Re:An evil play??

[jrumney]

Who's to say that Microsft haven't been doing a little unpublished research, looking for buffer overflows and other vulnerabilities that they're soon going to demonstrate?

Microsoft's claim is that Open Source security bugs take longer to fix after they are revealed than Microsoft bugs. If they are about to reveal a whole host of Open Source bugs they could just be proved wrong. I think it is more likely that their claims will be centred around the fact that they do not consider a Microsoft bug to be revealed until Microsoft themselves admit to it, which is usually in the release notes to the bugfix. So Microsoft security bugs are fixed within 0 days of being "revealed", whereas Open Source authors tend to alert users to security problems before they have released the fix if a fix cannot be released immediately.

Re:An evil play??

[seaton+carew]

Tinfoil-hat-conspiracy-theory:

What if Microsoft were behind the recent (and very clever) attempt to insert a backdoor into the Linux kernel??

They wouldn't do that. Would they? {*shudder*}

The Chinese know....

[i_want_you_to_throw_]

First the Chinese get the Source Code for Windows then they decide to back Linux?

Sounds more like our government had better look at who is more secure.

Re:The Chinese know....

[DJ+Rubbie]

Sorry to break it out to you, that you didn't really pay attention to the date of the actual article. Anyway, China was already backing Linux since 2000, as the link you have provided suggests. Then in 2003 Microsoft shows China the source to Windows, as the first article you linked up showed. Either way, China already concluded that Linux is better than Windows.

Re:The Chinese know....

[Roadkills-R-Us]

You kind of have those backwards. They went with Linux a while back (story was 2000), but were licensed to see the Windows source only this year. So all we can really tell from this is that MS is getting desperate over Linux.

Re:The Chinese know....

[El]

They needed the source code in order to write better viruses to infect the Taiwanese computers... any of your tinfoil-hatted compatriots could have told you that. Did they ever say they needed the source because they were planning on using Windows themselves? Unless they are allowed to compile the source for their own use, what guarantee do they have that the source they were given actually corresponds to the machine code they are running?

Conspiracy theories aside...

[devphaeton]

Who all thinks that MS might analyze open source software, looking for security holes, then dedicate an entire "team" with going around cracking and writing viruses for linux boxes?

The *could* do it. You think they would?

Re:Conspiracy theories aside...

[RocketSHE]

And this has ever happened when? On the other hand, if MS wants to dedicate an entire team to finding bugs in Linux, that's cool. More eyes are always welcome. If they are going to do that though, they really should follow accepted proceedures and use a more recent distribution.

Re:Conspiracy theories aside...

[tdk2fe]

I don't think that Microsoft would go so far as to hire any 'consultants' to write cracks for linux. While an arrogant company, they know that with all of the corporate scrutiny right now with the american economy it could lead to another Enron / Worldcom scandal.

However, with enough money you could hire any team of 'experts' to find whatever you wanted them to. Like that famous lines from Reservoir Dogs; "If you beat him enough he'll tell you he started the goddamn San Francisco fire!"

Please respond to this post Microsoft

[aws4y]

They may pull out all the stops, but they still have to explain why there is no memory protection built into the Windows Kernel, why the default user has install privleges, why they are now relasing patches on a monthly basis and not when the vulnerability is discovered.

My first point is the one I want answered, why can't Microsoft build a kernel that polices the processes that it runs?

FUD you, Ballmer

Dear Steve Ballmer,

How dare you insult Chinese population like that, you racist pig! Am I detecting neo-Nazism running in Redmond headquarter? For that matter, I wonder how many of your Chinese employees are setting up class action lawsuit against you and switch to Linux after your racial slur. Given recent successes of Chinese aerospace mission, it is only a matter of time that you and your company go down in blazes, similar to that had destoryed the maniacal visions of Adolf Hitler and the Axis of evil.

Signed,

Yang Li Wei

Attack, huh?

[pmz]

Send some penguins around the flank to get 'em real good in the 'security hole'!

Ballmer's balls up

[SteveAstro]

(Balmer)....He also questioned the notion that the open source's community approach to fixing problems was superior to Microsoft's. "Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?"

...because any one and EVERYone can see the source, if they think there is a problem, they can announce it and even fix it. In the Micros$$$ world. You are, basically, screwed. Steve

How you use your $,$$$,$$$,$$$,$$$

[mm0mm]

Dear Mr. Gates and Mr. Ballmer:

Rather than spending more money on MS funded studies to undermine OpenSource and $5mil to play "bounty hunter game" just to ward off criticisms toward your swiss cheese OS, you might want to spend the same money to improve code in your products. Needless to say, I am very aware that my suggestion will be disregarded, as you do not agree a very common notion that better coding will improve security of an operating system.

It doesn't matter, really, as the amount of money you are spending for all these FUD tactics, marketing, settlements and donations to politicians is nothing significant in your bank account. But from my perspective, all your FUD attempts to undermine OSS is making you look like a biggle clown. You look good when you are with this fella.

Yours,
0

Re:Why is this FUD?

[Sjobeck]

That is not true, there are not "just as many vulnerabilities in Linux". That is simply not true. Now, you ask, please prove that, well, that is a fair question, & I'd like to support it, but I'm in possession of those facts, so I am hopign that someone who is can jump in here and help me out with a URL or three. But, we all know that Linux, drawing on a very long, time-tested, people-tested, secure history from UNIX, is so far ahead of Windows (which is what 10 years old), there is no comparison.

Uuuh

[JawFunk]

"In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."

Uuh...We're at 9 now buddy.

OpenFUD

[iCoach]

Ok, so M$'s FUD machine is gearing up. What option do we have other than bitch on the /. forums? I know donate to the EFF, write open code, blah blah - bullshit.

I want to know what I CAN DO. From writing a senator, to going postal at M$. What are our options as Open Source advocates to beat the M$ FUD machine? An OpenFUD project? Because despite flame wars on /., despite arguements in IRC, despite all our efforts sooner or later the M$ FUD will find something that sticks in the back of the minds of all our PHBs. At which point OS security will be M$'s triumph instead of ours.

-Coach

Re:OpenFUD

The best thing you could do is to write your own rebuttal to the MS commissioned study and debunk their findings point by point. Then publish this paper somewhere prominent on the net, such as slashdot, or even host the paper on your own personal web site. Then submit the site to the engines and voila! You have contributed to the fight against FUD.

This way whenever someone searches for stuff like microsoft and security, or other keywords, they will hopefully get your paper instead of Microsoft's commissioned study. Better still, they will get both and make their own conslusions.

Either way, I think this is the best thing any SINGLE person can do to fight stuff like this.

Please note I haven't read the MS commissioned study, so it may or may not be FUD. No clue. It is probably biased, but this alone does not make every claim untrue. Only Slashdot can do that.

150 Critical Vulnerabilities in Red Hat Linux?

[konmaskisin]

That's what Ballmer implies:

17 critical vulnerabilities in Windows2000 and 5-10 times more in Red Hat Linux ...

Too Late

[polyp2000]

Its too late now either way, the damage is done.

IMHO people have already experienced the insecurites , trojans, worms and so forth.

Busnesses have already been damaged and plagued by frequent attacks, and so they start switching. The momentum of linux adoption is quickenning pace all the time. Linux is the buzzword now and there isnt a lot microsoft can do about it.

Generally when people have had a bad time with something, they dont forget, and when they find something that works and does it well, then they stay with it, and more often than not it becomes gospel.

Linux is like life.... life finds a way.

nick ...

Projection

[heironymouscoward]

Ancient Chinese Proverb:

"We are fastest to attack others for the weaknesses we most fear in ourselves".

OK, I just made it up, but it's true anyhow.

bad, bad grammar

[Sebby]

"to tackle one of main worries business has with its proprietary operating system"

Me no read article bad grammar contains

Re:Yes and no.

[botzi]

If you mean the kernel - sure.
If you mean open source packages distributed with Linux distributions - think again.
Even the desktop orinted Linux distro's ship server daemons for SSH, or simple chat clients as BitchX....which may eventually happend to have some remoit exploit(it has already happened and will happen again). I've had a friend who has installed out of 13337-ness an ssh server on his home box.
The average user is ignorant and there lays the danger;o).(it's quiet normal many people decide to give Linux a shot without realizing that they should know at least a necessary minimum before the install......)
Of course that last part is completely true for the Windows users as well...

PS: I'm talking about desktop users here. Please, sysadmins don't get me wrong;o))))

Good Call!

[JawFunk]

...just that they allocated $5Mil to the program...

This will prompt "virus writers" to further cloak their sources, making it even harder to bust anyone, while the MS platform remains unsecure.

Re:Good Call!

[ppanon]

This will prompt "virus writers" to further cloak their sources, making it even harder to bust anyone, while the MS platform remains unsecure.

Well, I don't know about that, but I think it will change the makeup of the virus-writing community. If Microsoft had done this 10 years ago, it might have made a small effect. I have gotten the impression that, back then, virus writers mainly did it for exposure and bragging rights. If you could no longer brag about it because it increased the odds that someone you bragged to would turn you in for $$$, it might have dissuaded a fair number of virus writers.

However now, a substantial number of virus/trojan/worm writers seem to write cyber-parasites to get zombie machines to play core wars-style turf games on the Internet (such as DDOSing the people they don't like) or to spam for money.

The motivation is no longer the same and these bounties are likely to have much less of an effect. It's too little, way too late.

Users are the security problem

[rudy_wayne]

Today, I was talking to a friend of mine who bought his first computer about 4 years ago. He wanted to back up every thing on his computer, so he dragged all the icons from the desktop over to his CD burning program. When I tried to explain to him that the only thing he burned onto the CD was a dozen shortcuts, and not the actual programs/data itself, he just looked at me with this totally blank stare and had absolutely no clue what I was talking about.

The point is this: When it comes to programmer-related problems (buffer overflows, etc) Windows and Linux seem about equal. The big problem with Windows is that Microsoft's focus has been entirely on "ease of use" for people who know little or nothing about computers. That's how you sell lots of computers (and lots of copies of Windows). They created all sorts of nifty features (scripting, etc.) and turned them all on by default -- never giving a moments thought to the harmful ways that these features could be used

Windows, in the hands of a knowledgeable person, can be just as secure as Linux.
But, "right out of the box" it's a security mightmare -- a disater waiting to happen.

Re:Users are the security problem

[the_mad_poster]

Windows, in the hands of a knowledgeable person, can be just as secure as Linux.

In another dimension...

Tell me - can I not install any vbScript? Can I not install IE or Outlook Express? Can I UNINSTALL IE once it's installed? Can I skip RPC? What about messenger? What about the GUI? What about any of those dozens of services that run by default on my XP box?

Can I install JUST a linux kernel and the absolute bare bones minimum of tools for my box if I'm so inclined?

It's possible to tweak Windows down to help shrink your liability, but never as far as you can go with Linux.

Otherwise, I agree with most of what you said - especially about the users. It might helpful to look at it the OTHER way: in the hands of an idiot, Linux is just as dangerous as Windows. In fact, probably more-so because it's faaaaarrrrr more powerful.

Re:Users are the security problem

[rudy_wayne]

"Tell me - can I not install any vbScript? Can I not install IE or Outlook Express? Can I UNINSTALL IE once it's installed?"

While it's true that you can't uninstall MSIE or Outlook Express, a Knowlegeable user doesn't use these programs in the first place. I've had zero virus infections and I've never had my browser hijaacked by malicious scripts.

"look at it the OTHER way: in the hands of an idiot, Linux is just as dangerous as Windows. In fact, probably more-so because it's faaaaarrrrr more powerful."

Wrong. Linux, in the hands of an idiot, such as my clueless friend mentioned previously, is harmless because they'll never figure out how to get it to work.

One of the things that makes Linux more secure is that you actually have to have a basic understanding of how things work.

Re:Users are the security problem

[the_mad_poster]

Wrong. Linux, in the hands of an idiot, such as my clueless friend mentioned previously, is harmless because they'll never figure out how to get it to work.

Ok, good point. Maybe not a complete idiot and people who just don't care - but when someone with a LITTLE bit of knowledge gets hold of it, then you have problems. When I first started out, I used Mandrake... 6? I think 6.. maybe older, don't know what Mandrake's at now.. I hate it. Anyway, I used Mandrake ??? and left a telnet daemon running. Oopsy! I got a connection on it! Haha! 'course - you learn MIGHTY quick that way.

a Knowlegeable user doesn't use these programs in the first place. I've had zero virus infections and I've never had my browser hijaacked by malicious scripts.

I intentionally downloaded an Exploder control once just for fun at work. It's still sitting in the /temp folder. However, I've never had trouble with Windows either (to be fair.. it and Linux are both behind an OpenBSD firewall now, but I mean long ago). I turn on the ICF on every new install, I shutdown almost all the services, don't open attachments etc. etc. However, few people know to do that. So you wind up with this huge security problem caused by Microsoft's apathy and users' technical ignorance. Blech. Not a nice situation at all.

Re:Users are the security problem

[geekoid]

"While it's true that you can't uninstall MSIE or Outlook Express, a Knowlegeable user doesn't use these programs in the first place. I've had zero virus infections and I've never had my browser hijaacked by malicious scripts. "

in short, Knowlegeable user don't use Microsoft product.

well said.

Please enlighten me

[pclminion]

This is a serious question. I could just ask Google but I'd like to see discussion on it.

What was the last exploitable problem in the Linux KERNEL? No need to mention the backdoor attempt from last week, we all know about that one. A) The last LOCAL exploit, and B) The last REMOTE exploit?

I have a vague recollection of some kind of ptrace() race condition that could get you root sometimes. As far as I know that's LONG been fixed. I seriously can't think of a single other thing.

Apples and Oranges

[Supp0rtLinux]

The Steve Ballmer quote shows their errored way of thinking: "...And at the end of October, Ballmer gave the audience at Gartner's autumn symposium a taster of what was to come when he attacked Linux's assumed security superiority. 'In the first 150 days after the release of Windows 2000,' he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher." Where's the RH9 comparison? He's comparing an operating system (Windows 2000 Server) to an OS *AND* applications (Linux). If he were to simply compare Windows 2000 Server to the Linux kernel in RH 6, there were no Linux vulnerabilities. Instead he compares simple Windows 2000 Server to Linux which includes Sendmail, Apache, BIND, Netscape, mySQL, etc. If we apply the same rules to his test and compare RH6 to Windows 2000 Server with IE, Exchange, MSSQL, Windows Media Player, etc... the results will be much different.

Re:Apples and Oranges

[Supp0rtLinux]

North County Computers

Re:My Story Was Rejected

[Kneo24]

This seems to be a common occurance around here. I particularly think it's disrespectful to the users to give them some sort of credit if they're going to pick and choose the submissions from users.

"Hmm, User A and User B submitted the same story, but User A came first, his also seems to have a better summary. Though, I don't like User A, so I think I'll give the credit to User B (User B could even Slashdot staff) and use the same summary. I'll try to make it not noticeable by posting it hours, or perhaps days later!"

The scenario above has happened to me a couple times before. If you're going to give people credit, don't snub certain people for arbitrary reasons.

What about the DMCA ?

[Simon+Lyngshede]

Is this even legal in the USA, pointing out security hole I mean. I though the DMCA made that illegal, or was it some other silly law?

Anyway, strip down a Gnu/Linux distribution to a minimal and you'll see that the base OS has not had any major security issues. Strip down Windows and you'll still have one buggy browser to deal with, a GUI in the kernel (Pretty stupid when you think about it) and of cause you got the whole range of open ports, which of cause doesn't really do much, but still manages to pose a security risk.

Linux and Unix software isn't that much better than the Windows equivalent, but the basic operating system does have less security issues. This isn't because Linux developers are more skilled than Microsoft developers (It would be kind of weird if they where). Linux has the advantage of being just a kernel, everything else is an addon. Windows is huge and complex, even in a minimal installation, if such a thing even exists.

Microsoft can bash Linux all they want, I really don't care, it won't make me go back to Windows. I think Linux is a much better product in general, not just security wise and if Microsoft want me to think otherwise they will need to make some serious changes to Windows.

Re:Yes and no.

[Hobbex]

I've had a friend who has installed out of 13337-ness an ssh server on his home box.

What does that have to do with "l3337-ness?" Being able to remotely log into ones home machines is a life-saver (I've lost count of the number times I've needed to get some document, or just some data like an email address.)

I couldn't imagine not running sshd. And I'm not the slightest bit "13337."

RH 6?

[piobair]

"there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher"

Red Hat 6? Steve, do a little research here. We're at 9.x now.

Let's compare apples to apples RH 6 was around during NT4 right? Now, let's count the security holes.

See what happens

[Piquan]

Personally, I think that it's telling that InfoWorld feels so comfortable talking about this report that's not written yet. That fact alone shows how biased M$-commissioned reports typically are, and how well-understood this is by the industry press.

I think the funniest thing will be if Microsoft doesn't release the report... meaning that they couldn't find any way to spin it so they look good!

Control

[Mark_MF-WN]

Linux could have 10 times as many security holes as Windows, and it wouldn't matter. The freedom to fix a problem yourself or contract out to have it fixed, makes Linux infinitely preferable for enterprises.

With Windows, there's no guarantee that a security problem will get fixed, ever. There's no guarantee Microsoft will even let you make the existence of the problem publically known. And you certainly can't fix it yourself or hire a third party to fix it.

Re:Yes and no.

[botzi]

You got me wrong. The dude *didn't* know it was installed. He practically installed 99% of the proposed packages. I do run ssh on my home box and it is indeed a live saver. Cheers.

It's all in the wording

[QuietGeek]

The strategy, called "Days of Risk," measures the number of days it takes programmers to release a public patch after a vulnerability is revealed.

Since M$ tends to not reveal security issues until they are ready to release a patch.....how fair a comparison is this?

Re:It's all in the wording

[RocketSHE]

Or until damaged users force the issue by publicizing the problem and trying to take defensive measures. This activity is vorciferously discouraged by MS. Remember "we wish they would just keep their mouths shut", IIRC. This was referring to windows users posting security problems on the web in an attempt to find some work-around or reverse-engineer a 3rd party fix. Arrgghh!

Re:Why is this FUD?

That depends on what your definition of "Linux" is. It's pretty standard form for Microsoft to lump all the third-party packages that could conceivably come with any packaged Linux distribution and call them "Linux".

Thus, to MS marketing, a WU-FTPD security hole is a Linux security hole. A ProFTPD security hole is ANOTHER Linux security hole. It doesn't matter that these services are not included in all distros, off by default in all the distros that ship them, not even installed by most users, and it's pretty-much guaranteed that both services won't be running on the same system, and they AREN'T LINUX VULNERABILITIES. This is all irrelevant to MS marketing. It's two Linux security vulnerabilities to them.

Four actually, if you add the two SuSE vulnerabilities to the two RedHat vulnerabilities. Make that six for Mandrake. Isn't this fun?

Well, you could do the same for Windows. There's the RPC vulnerability in Windows Server 2003 and the one in Windows XP. That's two. Then there's some vulnerabilities in QuickTime and RealPlayer--if we count one apiece, that'd be four vulnerabilities, to cover both current operating systems. Oh, and Gator, that's a popular Windows app! Etc, etc. Wait, I almost forgot Windows Tablet Edition and PocketPCs! Multiply all bugs by four!

Slanted media or not...

[dcavanaugh]

This is no time to get complacent. I have seen security issues with Linux as well as all the other alternatives. Beating Windows is not exactly difficult, but it is also not nearly enough. If a few slanted articles is what it takes to motivate the community to make Linux more secure, so be it.

Re:My Story Was Rejected

[Kneo24]

Couldn't that be due to the time zone they're in? Then again, I could be wrong.

Balmer's PR mistake

[ortholattice]

[Balmer] questioned the notion that the open source's community approach to fixing problems was superior to Microsoft's. "Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?"

That should have been, "terrorist hacker in China."

Re:Balmer's PR mistake

[cyt0plas]

Because most patches to fix bugs and the like are trivial, a simple skimming will usually suffice. If it's a buffer overflow (or even several), a patch can weigh in a couple of lines. That's easy for those of us who read code to check. On the other hand, some black box patch coming from MS may fix the bug, or it may not. It may even introduce even more bugs.

Besides, I trust the noname chinese cracker far more more than Microsoft anyway.

Microsoft Bashing for Fun and [karmatic] profit.

Re:Balmer's PR mistake

[El]

Random submissions are not by definition better. However, I beleive the peer revue process for GNU/Linux is an order of magnitude better than the peer revue process at Microsoft, and random, suspect patches are simply not accepted for most open source. From the stuff I've seen coming out of Redmond (e.g. a "fix" to MFC that broke most apps ability to print, which I has to work around be going back to the _previous_ version of MFC) I strongly doubt whether most changes at M$ are reviewed at all.

Re:Balmer's PR mistake

[fuzza]

Exactly.

My first thought when I read the quote in the article was:

"Um, maybe patches from some `random hacker' in China are regarded as better simply because they are? (Technical conciseness, etc). Whereas MS is hoping to maintain their opposite assumption, namely, that the patches out of their multi-billion-dollar corporation in the all-powerful USA (oops, that wasn't meant to be a flame...) are better by definition."

My $AU0.02, anyway.

Somebody should call them

[Traicovn]

Somebody should call Microsofts Public Relations department and ask what 'associated applications' they are talking about, and also ask why they are comparing Windows Server 2003 wihch was released this year to a version of Linux released SEVERAL years ago... I mean, wouldn't comparing Redhat 9 to Windows 2003 server be more appropriate?

Oh look.
A name and a phone number...

Microsoft Trustworthy Computing, Privacy and Security Issues
Name: Waggener Edstrom
Bellevue, Wa
(425) 638-7000

Re:Root access for all users??

[LadyLucky]

Replying to my own post, but still..

Windows has many levels of user access. The administrators group is closest to the concept of 'root' in the world of unix, but it isn't identical. Local System is the real 'root' user, which you cannot log in as.

It's perfectly permissable to run Windows not as a root user. And like Linux, this causes problems, and will require you to escalate priveleges to do certain operations (think: mounting a network share which requires elevated access in linux, or binding to ports I'm not claiming that it's got perfect security or that local escalation exploits don't exist, they do (Shatter attacks in particular!), but they also exist on all platforms. Time to take blinkers off, SlashBots.

Re:Overly Critical Guy

[heironymouscoward]

Hey, OCG just made my day! A new Foe. Anyhow I have to go and read the OCG journal, if it's anything like his comments I'm going to enjoy them.

"Linux is made for stupid people." :) :) :) ROTFL.

That's More Debuggers for Us!

[billstewart]

So Microsoft is going to go out hunting for bugs in Linux? Great! We always need more debuggers! And if MS pays some of them, even better! If they'd publish the source code for Windows (no need for Free(tm) Software or Open Source or accepting patches, just publishing it so we can see it) we'd help them out with debugging too. But meanwhile, we can fix the bugs they find faster in Linux than they can fix the bugs in Windows they find, and it's usually a lot safer to patch Linux systems than Windows systems.

denial version 2.0

[Ender+Ryan]

denial, anger, going Postal!

Eventual Defeat?

[nurb432]

We all know Microsoft produces inferior software, but they have more money to throw against the wall in campaigns to derail any OSS project out there.

Since the media is what counts in this world, it seems like its just a matter of time before the entire OSS community is cast as 'thieving pirates' and 'insecure, crap.. nothing free is good'.

Enough mass marketing of this, the public will believe it as reality, and we will have lost in effect...

Then next will come the legal battle as only criminals will want OSS.....

Laugh if you like, but it is their agenda.... And they DO have the funds to pull it off, and the patience....

Lets have a go at this, then...

[angst7]

Unfortunately the article does little more than play the part of OS-War Meteorologist, but there was one quote we can sink our teeth into, according to Steve Ballmer:

"In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."

Now I'm going to figure that he's saying there were somewhere between 20-40 'critical' vunerabilities in Redhat 6 in the first 150 days post release.

I assume that the reason he's picked Redhat Linux 6 for this comparison is that it was the release which moved to glibc 2.1, and migrated to the 2.0 kernel. So he's picked a big move for Redhat, instead of a point release. This isn't entirely fair (in fact its hard to draw a close comparison on security issues) due to the fact that Redhat 6.0 was released in April of 1999, whereas windows 2000 wasnt released until February of the following year. Furthermore Microsoft (wisely) relied heavily on a certain "Break into Windows 2000" campaign to test the hell out of that OS. (remember the guestbook on that server? what a riot)

Finally, comparing Redhat 6 to Windows 2003 is outright foolish. We may as well compare a freshly patched Redhat 7.3 to NT Service Pack 2 (though even this is an unfair analogy, 7.3 is far more stable than Win3k server).

In sum: Bah.

99.9% of all viruses in wild - Microsoft only

[Netlink]

More than 99.9% of all viruses in the wild will only work with Microsoft software.

Sobig, Mimail, Sircam, Lovebug, Nimda, Code Red the list goes on.

Microsoft will say that this is because most computers on the Internet run Windows, but a look at netcraft.com shows that more than 2 thirds of web servers run Apache, and only about 20% run IIS.

Windows has more than 90% of desktops, but not more than 99.9%. I run Linux on my desktop, and don't even bother to run the Sophos antivirus client I have a license for, no point, no one could infect my desktop with any of the 80,000+ viruses sophos detects.

If Microsoft are going to try this one then they will have to tell lies and pay for carefully run studies.

I bet they will not compare Windows and Linux viruses!!

MS is like politicians.

[bs_02_06_02]

MS can release "news" as a press release, and the newspapers eat it up. The public believes it. The hardware manufacturers "sell" this crap because they sell MS to consumers for Microsoft at a profit. Wall Street helps the process. Analysts hype the latest "features" for the latest vapor product from MS, due in 2012.
MS sells themselves to the public by issuing press releases. They can say whatever they want, as long as they make a claim that they're doing something. There is no accountability. No one holds them responsible. Consumers keep throwing money at MS. Occasionally, someone points a finger, but MS then releases more press releases about vaporware due in 200x.

Politicians do the same thing, "We need to spend more money on _____. We've been spending money on _____ for ___ years, and we've not solved the problem. We are renewing our effort."
In other words, "We're going to light some money on fire, pose for a few photos with the underprivileged, and then waste a lot of money on cigars, dinner, and entertainment."

Microsoft has excellent people playing the press release game. Everyone sells Microsoft products for MS.
How many people have actually met a Microsoft employee? Yet 1/2 of the planet owns or uses something with Microsoft products in it.

Re:MS is like politicians.

[DrugCheese]

Amen

I give Microsoft credit for their Marketting and Public Relation skills.

Everything else has been bought

Rosie Odonnell could pay to make herself look like Pamela Anderson, but she'd still be an ugly bitch underneath it all.

Re:hypocrits

[superchkn]

I see you subscribe to the MS FUD newsletter. ;-)

Here's a little reality for you:

1. RH6 !== Windows 2003 Server
2. Applications !== OS
3. Remote Root Exploit !== Every security patch

Instead of reading the comments, you blindly replied with a canned response. I've listed the most common subject of the postings I've read so far so you'll know what to look for when reading the posts yourself.

If you'd like to respond to these issues point-by-point and explain how this is an objective scientific study and not (at the very least) an ignorant and misleading article, I'd be happy to join in a discussion.

Why not have SCO mount the attack?

[bl8n8r]

Seems to me that Microsoft wants to draw the attention away from it's own security issues, and put the focus on something else. Unless they have something to gain, they would just have SCO claim they owned the copyright to security.

Linux and Security Holes

[jd]

Inspired by this research, I sought to find other examples of security holes in Linux which do not occur in Windows.

• Linux is more stable, thereby giving crackers more time to break passwords.
  
• By not fixing things, Microsoft Windows causes crackers to become lazy and slothful, so when a patch does arrive, the cracker won't be expecting it.
  
• Many Linux distros use MD5 hashing for passwords, which is much slower than just storing in plain text, making it possible to run a denial-of-service against a Linux box.
  
• By renaming COMMAND.COM to CMD.EXE, Windows is secure against DOS attacks. At least, those up to 6.22.
  
• Windows cannot trigger world chaos in safe mode. It's disabled.
  
• By using all available memory, Windows cannot run additional viruses.
  

And of course, YET AGAIN

[autechre]

Microsoft will be counting holes in their core operating system, which also comes with a Web browser, email client, and music player. From what the article says, they're not even including Office, certainly not IIS or any of their other products.

Red Hat has many, many more applications, with varying levels of complexity, development, and use. Almost no one will have all of these security advisories apply to them. So Red Hat, which ships well over four times the amount of software packages, has four times the bugs? GASP! And how many of these were remotely exploitable holes which caused machines to reboot almost continuously?

If you want to be fair, MS can count security fixes for the Linux kernel, Mozilla + Mozilla Mail, XFree86, Mplayer (hey, there was one), and whichever windowing system has the most bugs (hey, let's give them a little help, they'll need it). They have to pick one windowing system, because you won't be using multiple windowing systems at the same time.

I could go for the extra point and complain that Microsoft foists a Web browser and windowing system on anyone who wants to run a simple Web server, increasing the number of applicable security holes, but they're far enough behind already.

Hidden Code from India

[Avihson]

Actually, how much MS code is written by Islamo-terrorists working in MS-India, vs the typical honest Indian coder?
How closely does MS inspect the code as long as it spits out the proper results? Click the icon, wait, and the dancing paperclip comes out, what else is happening in the background?

Outsourcing is good for the bottom line, but is it good for security in a closed source operating system.

Just like I tell my Algebra class, you should be prepared to show your work, if you have to hide the steps you took to get the answer, all I can surmise is that you got the answer from someone else's paper!

What would you rather have, Open-Source or Hidden-Source?

Someone from the Linux camp needs to

[Wolfier]

Write an article to loudly *teach* MS how to secure Windows.

They can choose to accept it, then the Linux camp take the credit.

Or they can choose to ignore it to save face, and continue to have security problem. People will migrate away from MS.

A WIN either way.

Re:MS will win, of course, they are running the te

[Keeper]

Find an unbiased third party to do the study. What, they want money to do the study? If it comes from MS, they've got an MS bias. If it comes from Redhat, they've got a Redhat bias. If it comes from IBM, it's got an IBM bias. What, you found someone to do a study for free? Then they must have a hidden bias, because they picked a winner and had to have done it for some reason because they weren't getting paid for it (you can think they don't, but you aren't going to convince the people wearing the tinfoil hats otherwise).

You aren't going to get study done that everyone considered unbiased.

The only thing you can do is read the study when it comes out with a giant black marker, and anytime it's obvious that a particular result was due to testing bias, black it out.

The stuff that isn't blacked out when you're done reading the report is stuff you need to fix.

End of story.

Already one flaw in their logic

[UnknowingFool]

There's going to be many holes in the M$ argument. For example focusing on security holes of third party applications in Linux vs MS core applications (Apache holes vs IIS holes). But this quote is telling already of their strategy:

The strategy, called "Days of Risk," measures the number of days it takes programmers to release a public patch after a vulnerability is revealed.

The question is revealed by who? Many times security problems have been reported to MS before the general public is notified as a courtesty to MS. But there have been many examples of security holes that MS leaves untouched for months without even an acknowledgement to the original discoverer that there is a problem. Then the discoverer gets fed up after months of no response and informs the public about it. 'Lo and behold MS engineers work on the problem and find a solution within days. Sure the response time looks great if you count the days between public disclosure and public patch. But what about time between initial discovery and public patch. If you include these dates, MS looks very bad.

The major security problem...

[Kindaian]

Is that will everyone can audit every line of code of open source OS's, nobody (apart from microsoft) can audit windows... Who can say that windows don't have backdoors to FBI or worse?

Re:Bill Clinton also got caught lying...

[GSloop]

Hmmm...

Bush lies in the State of the Union speech about matters of life and death.

"The British Government has learned that Saddam Hussein recently sought significant quantities of uranium from Africa."

From - http://news.bbc.co.uk/2/hi/americas/3056626.stm

A lie is a lie, but the repercussions of a lie to a deposition in a civil case, vs. a lie to the American public about a war - I know which I'd rank higher.

All presidents lie. If you believe that GWB is somehow better than Clinton, you're a crack smoking kook.

Cheers,
Greg

Can you keep a secret?

[A+nonymous+Coward]

So can I. But two people can't.

If you are saying nudge, nudge wink, wink that Microsoft has programmers looking thru FLOSS source for vulnerabilities, well, it wouldn't stay secret for long. They would be overheard bragging to each other, or misdirect a memo or email, or have second thoughts.

In addition, if these Microsofties are as good and hard working as the propoganda mills claim, then good that someone is finding more bugs for us.

Plus, these Microsofties won't be doing anything evil for the evil empire, but instead doing good for the rebels. This is like the FBI undercover agents in peace marches, great!

For me, it's only about FREEDOM and INDEPENDANCE!

[Freidenker]

And that can't be destroyed by whatever FUD Tactics.

FUD Strategies simply will not work.

Maybe I'm naive (or wise) ?

Regards,

... that will put egg on Microsoft's face

[A+nonymous+Coward]

Maybe some naive people will believe it, but this is by no means the first time Microsoft has cried wolf. Each time it is shown to be false, they lose more credibility.

This will bring security to more people's attention, and they will notice in subsequent reports that Linux holes get patched quicker and are less serious to start with.

There is nothing to fear here, instead this is a good sign, and will end up being good PR for Linux, at Microsoft's expense.

dead horse...

[the-build-chicken]

...meet flogging stick

Microsoft IS FASTER

[jridley]

From the time that they acknowledge a bug until it's patched is VERY FAST.

The problem is that they won't acknowledge a bug until they already have a fix for it. Often bugs are known about by the world for months, and MS says there's no such bug. When they do acknowlege it, then yeah, there's a fix out within hours or a day or two at most.

So, apples and oranges. If Linux takes 4 days to patch a bug as soon as it's known, and Windows takes 4 months to acknowlege a bug's existance, then 2 days to patch, which is better?

Re:Microsoft IS FASTER

[Cyno]

So there's no reason to even care about time in this equation. What they should be looking at is how severe and how many severe bugs are found and possibly the rate at which they are discovered, but the code could have been written years ago.

My point is as soon as the developer releases the code and says its production quality it is their fault if there is a bug in that software. Microsoft should not have any bugs because they have well-paid professional code monkeys and QA before their products are released. Linux does not.

Re:Microsoft IS FASTER

[jridley]

I think there was an article on slashdot a couple of months ago, saying that there is an unpatched microsoft bug database online. The point of the article was that the database had been taken offline, but I have talked to people who know more about it than I, and they say yes, there are vulnerabilities that are well known, have been known for months, and Microsoft won't acknowledge them.

Maybe someone will point us to the site.

Security FUD on Linux

[alw53]

Did they hire three mathematicians from MIT?

My invention is unbiased!

[whittrash]

Here is my NEW INVENTION COMING SOON!

I have patented a brand new invention called the 'HACKO_METER', which I liscence for $699, it is based on a reverse two prong graphical tree selection process. I am hoping to test it in major metropolitan areas.

You take one IT professional, and give him $500 in cash, if he leaves early, he only gets to keep $50. He is not told the task. Then lock him in 10'x10'x10' box with a computer hooked up to the net. Then he chooses which system he wants, Linux or M$. He is given the opposite of his choice. He is then told he must stay there until the computer gets a virus, trojan, spyware or hacked.

Unfortunately, a bullet/sound proof observation mirror is between him and the computer, so he can only watch as random people go up and surf the web and view email and listen to music. The 'HACKO-METER' TM uses a patented ongoing questionaire that measures the resulting fear and frustration level as the IT worker watches idiots, neophytes and morons surf the web and do stupid stuff, hoping each one will download a virus so he can collect his cash. The IT person is realeased after 12 hours if no infection occurs(but he doesn't know that). He can leave any time and collect $50.

This 'HACKO-METER'TM patented test will not measure the reliability of each system, it will measure the pain threshold for each system, which I believe is a more accurate indicator of performance and reliability.

This Could Go Like Mindcraft

[mrwiggly]

Anyone remember what happened when mindcraft pointed out linux bottlenecks?

Yep, they fixed em.

Its more than FUD

Wake up folks. Its more than FUD. Microsoft has had security problems in the past for the same reason that most software companies do. They didn't have a business intrest in fixing them. Now that they do, watch out.

Just a few fun facts.

-MS is porting a huge amount of their code to managed code, this is the real solution to buffer overflows. I think it will be a long, long time before we see a move toward using safe languages in the open source community on any significant scale.

-MS has done a huge amount of education and culture/process transformation in the last year. As all good security types know, building secure software is about processs, and MS is clearly poised to smoke most open source stuff in this area.

-MS research has produced some pretty cutting edge stuff such as SLAM to help keep bugs out of code via. static analysis, again, count on MS to keep pushing on the tools front.

-MS patch managment solutions seem to be quite solidly ahead of what is out there in open source.

-Testing...nuff' said

The open source community has the ability to produce a huge amount of stuff that mostly works. However, its not at all clear that most projects out there can match the level of quality, or even clue about security that we are seeing inside Microsoft.

Keep in mind that the Linux kernel, Apache etc. are the exception, not the rule.

If the open source community hopes to keep pace with MS in tightening down their code, some
major technological and cultural changes are going to need to take place.

There is a whole lot of backslapping and smack talking right now about how secure linux is, but really not a whole lot in the way of process, technology, etc. to back it up.

3 = 1

[griffjon]

Basically, if you think about it, we have everything we need for one good OS company. MS handles business/marketing, Mac handles user interface and user loyalty, and Linux peoples actually make the OS...

(*BSD people and BeOS types can go on doing their thing ;)

Re:Root access for all users??

[GoneGaryT]

Yes but...

Windows exploits that '0wn' your machine go in at System privilege level. That's one above Administrator; you can be logged in as such while someone 'sploits your box and there's *nothing* you can do to defend it (apart from introducing sudden air-gap security). On a GNU/Linux box, you can at least try to defend it during an attack if you wish.

As if...

[Overly+Critical+Guy]

I love the biased nature of the summary.

As if Linux people don't "hype" things against Windows, either.

Meanwhile, the rational, quiet people whose opinions aren't voiced in boisterous +5 posts all the time just watch from the sidelines, shake their heads, and use the right tool for the job, whatever that may be.

Re:As if...

[amcnabb]

Meanwhile, the rational, quiet people whose opinions aren't voiced in boisterous +5 posts all the time just watch from the sidelines, shake their heads, and use the right tool for the job, whatever that may be.

Are you implying that Windows is the right tool for the job? For any job? Whoa.

For non-techies, Apple is the way to go. For corporate and/or programming environments, Linux/UNIX is the way to go. Not much room for Microsoft in the middle.

Re:As if...

[sacrilicious]

I love the biased nature of the summary. As if Linux people don't "hype" things against Windows, either.

It's great, isn't it. What I love is watching people talk about *anything* they believe in. They're always biased in favor of the stuff they believe in, arguing in its favor and presenting it in a good light. It's horribly un-objective.

Re:As if...

[bex+l]

What about all those non-techies who've only ever used windows? The transition might be difficult.
Also, many popular applications ONLY run on windows (including corporate ones). I wouldn't tell corporations to switch over just yet since open source needs time to get more apps out there for every business. It won't happen over night.

Re:As if...

[Lodragandraoidh]

I started out as a Dos/Windows user from day 1 (actually I really started out as a TI 99a user - but that is another story). I have also managed and used all of the windows operating systems from Win 3.1 up to the present Win XP. When I didn't know any better, I used to think the DOS command line was the best thing since sliced bread, and batch files were my scripting nirvana.

Then I started using *nix. I loaded Linux for the first time in 1992, and have been using it ever since. I was also a Unix system administrator during my career, and was using Sun systems in college before that. I learned the tool building paradigm of Unix, and absorbed awk, sed, perl, python, lisp, java, and a host of tools unheard of in the Microsoft world. Things that I spent hours accomplishing with Windows and DOS, I was accomplishing in minutes with Linux.

From my vantage point, it is plain to see that the Microsoft products are not up to the task of being a general purpose workstation/server operating system. When compared to industrial strength Unix and Linux distributions, it is a toy - and should be advertised as such.

I think the key distinction we need to understand is the ability of an end user to ameliorate security problems and other bugs when they manifest themselves. In *nix, usually the source code is available for modification, or a work around can be accomplished quickly with a scripting language because of the clear text interprocess communication mechanisms available. On the Microsoft side of the house, we are clearly dependent upon the good will and scheduling of Microsoft to get the fix implemented - and there is not much we can do to alter the outcome. So, the choices are independent ability to fix things, as needed - or Big Brother Knows Best; I know what I prefer.

Given the above, Microsoft is never the 'right tool for the job', unless your job is a toy application that is expected to be obsolete within a few years. The simple measure of this is to look at all the DOS applications that are currently being used by end users, versus *nix applications (albeit in GNU form) - *nix wins hands down. Don't believe I haven't tried using various DOS and Windows tools - but they just don't have the overall flexibility and usefulness that can be plentifully found under *nix.

What really boggles me about this whole issue is how people can be screwed by MS a thousand times over (non backwards compatible file formats, blecherous incomplete implementation of java, a malformed central configuration repository that causes complete system meltdowns when corrupted - that end users are not shown how to backup out of the box, etc...the list goes on and on), and yet come back smiling for more! What is really amusing (sad, really) is how I see some people rationalize that they were the ones at fault: "It was silly of me to build my spreadsheets in MS Works 1.4 back in '85 - what was I thinking! I should have copied all those entries across to Excell back in '95". To me this is a red flag that I am being taken for a ride. I woke up. I hope you do too.

Re:As if...

[LX.onesizebigger]

People favour the things they favour. That should hardly be surprising.

The interesting question is why, given its relative user base, is Linux favoured so strongly by so many?

I hear very little subjective promotion of Microsoft (except where subjective == for profit), especially given its large user base (I hear a lot of complaints from their users, though). Isn't the relative intensity of voluntary, subjective lauding of software an assessment as objective as any at the end of the day?

Re:As if...

[Afrosheen]

In the same vein as the Visa adverts..

'For industrial strength linux applications, there's Linux. For everything else, there's VMWare.' Vmware, bridging the gap between you and your company's proprietary apps.

Ok now VMWare, pay up.

Re:As if...

[lullabud]

vmware still requires windows to be the final solution to whatever problem it is that requires vmware to solve. it's true, some apps only do run in windows, and that's a damn shame.

Re:As if...

[beowulf405]

Apple is great for some non-techies who are willing to pay a premium price for a PC. Linux is good for high end programmers. That only leaves enough in the middle for Microsoft to be declared a monoply and have the one of the highest profit margins of any company in the US.

Re:As if...

[Penguinshit]

Wow.. you just completely described my own experience. Back in '81 I started using the original IBM PC and though DOS was da shiznit. I've used and supported every Microsoft OS from the beginning through XP. In the early 90s I got my first taste of UNIX (albeit IRIX...) and in the mid-90s started using Linux. I was a *nix convert almost immediately, even attempting to install one of the first versions of UnixWare on an old 486-SX80.

I'm glad that I finally saw the light; realizing what a true operating system is and does and how one should behave. It actually feels quite "Matrix" like..

I know the difference, and I like to help others to do the same.

Re:As if...

[sacrilicious]

I should come clean: my post was intended as *very* tongue-in-cheek. And without getting specific about the points you raise, I like (and agree with) where I think they lead as a line of inquiry. It's a tricky question, that of at what point a person may be unduly promoting something that they at least initially were objective about. To rephrase the spirit of my initial post more plainly, I'd probably write that there are good reasons for people to like things (linux included) and I didn't feel that the parent post had done a sufficient job of differentiating between structured criticism vs abject advocacy bashing.

Re:As if...

[El]

For non-technies that already know how to use Windows and nothing else, unfortunately Windows is the right tool for the job. Linux is kicking Windows' ass in the server and embedded markets, where retraining users isn't much of an issue. Unfortunately, Windows owns the desktop and will continue to own the desktop for the foreseeable future -- until either most current users are replaced with people that didn't learn Windows as their first OS, or until M$ changes Windows so much that it is easier to switch to Gnome than to learn their latest shell.

Re:As if...

[Dave_bsr]

being most popular doesn't make it the best tool...For your average office+ie+mail desktop, Linux is getting ever closer to not just matching Windows, but being BETTER. Especially in a biz environment where security and managability is important.

Re:As if...

[abradsn]

coward

Re:As if...

[abradsn]

Awesome!

Re:As if...

[abradsn]

STOP WITH THE CRASHING ARGUMENT!!!!! All you bastards running windows 98, UPGRADE!!!!

Re:As if...

[00420]

until either most current users are replaced with people that didn't learn Windows as their first OS

Computers will need to come with Linux for this to be a possibility. Personally I think that if a person went to buy a computer and the salesperson told them it would be cheaper to get a computer with Linux, a lot of people would do that. Although knowing how computer illiterate some people are a lot of them would probably still think they had Windows anyways.

Re:As if...

[LX.onesizebigger]

I had a feeling that was the case, but just as you observed, some people sincerely hold the opinion that you voiced ironically, which is why I (somewhat humourlessly) decided to kill the party with the reasons such statements are absurd.

Re:As if...

[eam]

> For non-technies that already know how to use
> Windows and nothing else, unfortunately Windows
> is the right tool for the job.

The problem with this argument is it assumes that non-techies already know how to use Windows. In my experience most Windows users don't know how to use Windows.

Switching to Linux wouldn't be that much of a learning curve because they won't ever learn how to use it (just like they never learned how to use Windows).

Re:As if...

[hesiod]

> That's a 100% waste of valuable time.

Not necessarily. "Keep your friends close, but keep your enemies closer."

Re:As if...

[4of12]

Windows is the right tool for the job? For any job?

Qualifications: I'm enthusiastic about Linux, have run it for years, and I'm disgusted by Microsoft's tactics of locking in users to expensive tangleware and steamrolling their business rivals.

But when the job calls for dealing with Microsoft's proprietary file formats, particularly Powerpoint, I use the right tool for that job.

[Digression 1: Win2K, updated and patched, is a perfectly adequate desktop OS for most corporate folks. There is little need for them to upgrade to either Windows XP or to Linux.]

[Digression 2: If I had US$10M I'd fund someone to create SVG authoring tools, presentation tools and nice font sets so I could be free of Powerpoint.]

Re:As if...

[Overly+Critical+Guy]

How am I a vocal Microsoft shill just because I point out the obvious--Linux isn't ready for the desktop (Red Hat agrees...), Linux is like any other operating system and is not perfectly secure (instead, it's up to administrators to secure things), and that Slashdot posts biased articles (the front page typically has more Microsoft articles than Linux articles!)?

You're proving my point with that bizarre response. How dare I have positive and negative opinions about Windows and Linux, right? Run off, troll.

Re:As if...

[Overly+Critical+Guy]

Given the above, Microsoft is never the 'right tool for the job', unless your job is a toy application that is expected to be obsolete within a few years.

In other words, you have an opinion. Neat. The rest of the world actually LIKES having drivers for their hardware, office applications that work and don't take 20 seconds to start, sane interfaces that resemble each other, games, and general usability.

They don't like hacking X config files or screwing around when RPM breaks something.

The simple measure of this is to look at all the DOS applications that are currently being used by end users, versus *nix applications (albeit in GNU form) - *nix wins hands down.

This is completely bizarre. DOS hasn't seen widespread use since the late 90s. What on earth does DOS have to do with a comparison between *nix and Windows? Besides, chances are that DOS is used more often anyway--I used to work at a bank data company that updated ATMs and accounts nightly. It was run by a big OS/2 mainframe on a huge DOS network. You've also got the old users who still use Wordperfect for DOS, Windows 98 (which is a shell on DOS), etc.

Don't believe I haven't tried using various DOS and Windows tools - but they just don't have the overall flexibility and usefulness that can be plentifully found under *nix.

I've tried both. *nix has certain tools, and Windows has certain tools. I have yet to find a useful one that didn't have a port to Windows (or at the least, Cygwin) anyway. It looks like your post is just baseless FUD.

Re:As if...

[Overly+Critical+Guy]

Are you implying that Windows is the right tool for the job? For any job? Whoa.

For non-techies, Apple is the way to go. For corporate and/or programming environments, Linux/UNIX is the way to go. Not much room for Microsoft in the middle.

Is that why Windows has the most marketshare? Please. You and I both know why Windows is the most-used.

Re:As if...

[Lodragandraoidh]

Most, if not all, services on a *nix box reside in user space - not within the kernel; well behaved applications take input from standard input and provide output via standard output - in addition to using local sockets for IPC to allow the network ports to be redirected appropriately. Thus inserting a filter between the application and its input datastream (a wrapper) is relatively simple without having to alter the application itself at all in most cases.

What can take a few hours writing a script under *nix, will take waiting for several things to happen outside of your control:

1. Microsoft to recognize and acknowledge the problem.
2. Microsoft to put resources into building the fix into their code base.
3. Microsoft doing regression testing to validate the fix.
4. Microsoft releasing the fix.

In every case system administrators and end users do not have the ability to do anything in the meantime except sit on their hands and wait.

Additionally, the real focus of Microsoft's FUD is businesses who have system administrators anyway; any *nix system administrator worth his salt will be able to create a stop gap executable if the service in question is needed, and no prepackaged fix is forthcoming. Again - not even possible for your windows system administrator - because he does not have the possibility of having the source code.

This is why security through obscurity is bogus, and why depending on a single opaque source for fixes is dangerous and potentially costly for your organization.

I can't believe you don't see the benefit of having source code over and above the Microsoft way of doing things. Before you put it down again, open your mind. Try *nix - and I mean really try it, understand the tool making and interprocess communication paradigm inherent in *nix, learn how to write a shell script, learn some introductory Python or Perl, try your hand at building a simple GUI with either language's TK module, load Zope and build a simple web enabled application - and I guarantee you will wonder why you spent all these years mucking about with proprietary windows APIs.

Re:As if...

[ogre57]

STOP WITH THE CRASHING ARGUMENT!!!!! All you bastards running windows 98, UPGRADE!!!!

My brandy new in May laptop crashed 3 times in the first 2 days. I upgraded it from the supplied Windows XP Home to SuSE 8.2. Zero problems since.

My cubicle mate cusses and reboots his XP Pro system on average at least twice a day. I'm running Red Hat 9 with an uptime of ..

09:48:19 up 96 days, 12:28, 13 users, load average: 0.16, 0.03, 0.01

Granted that Win98 stability was even worse than XP's, your point is ???

Re:As if...

[Overly+Critical+Guy]

A monopoly isn't illegal.

Let's face it. If Linux was the better software, people would be switching over in droves. Especially after all the press coverage it got at the turn of the decade. It was the media's darling.

However, people waiting for something to happen with it, and yet we're still using X11, still dealing with awful interfaces and non-functioning cut-and-paste, still dealing with the inanities of the Linux community. The revolution never came. And now Microsoft is going all .NET, taking everyone with them.

At this point, people usually bring up Apple. "What about MacOS? It's the better software, yet it's not on top. It's because of Microsoft." No, it's because of Apple's pricey hardware. There's always a reason.

Look, if you're giving something away for FREE and people still won't switch, maybe it's time to examine the reasons behind that and address them instead of playing the "M$" blame game. Bill Gates has a well-known quote in which he says the biggest windfall for Microsoft is when his competitors focus on trying to bring them down instead of focusing on making a good product.

What rationalization will you come up with now? Is Microsoft holding people by gunpoint to use Windows? According to you and your ilk, OpenOffice can open and use Office documents, so there's no need to stick with Windows, right? Linux has all the apps it needs, and everything is perfect. Right?

Next.

Re:As if...

[godefroi]

As if Linux people don't "hype" things against Windows, either.

You mean like this: (such as root access for all users)?

That's never been true in any multi-user version of Windows (NT/2K/XP/2K3).

Re:As if...

[Lodragandraoidh]

Progress is not breaking continuity with everything that came before - forcing everyone to change so they can communicate with you (and so you can sell more software, by the way).

Its not about fear. Its about the immorality of forcing everyone to change without a significant benefit for the overall community. Its about the lack of choice in the equation, because the 3000 pound gorilla can do what he wants for his benefit, to hell with everyone else. What you see in my eyes is outrage - its not fear.

XML is good. Plain text is even better. Portability above bells and whistles.

Re:Bill Clinton also got caught lying...

[pHDNgell]

Bill Clinton also got caught lying to the entire USA and that don't matter becuase over half the population still loves him and his adorable wife.

Clinton got caught lying about something that wasn't anyone's business. It's his personal life and you've gotta be some odd kind of sheep to hate his wife for it.

MS lies about things that directly affect people in my industry. They do so to destroy competition (technology, jobs, etc...).

So, to review:

Clinton lies to protect his personal life and family from his own mistakes at the potential cost of his family.

MS lies to grow its business at the cost of jobs, technology, and freedom of people in the computer industry.

Bush lies to protect his investments at the cost of lives and governments.

Everybody lies. Why do you lie?

What in Heck nowhere near as bad as 5 years

The Blaster worm defect 5 year+ in age. Now in most cases you have 2 years for a virus writer to find and use bug or 4 months for a data thief. Linux is staying inside the safe space note I would like it better but nothing is perfect. But the blaster flaw was know for sure in 1995. I found it then on a data thiefs howto site(know you enemy). The reason for not patch was user want network conections out the box. Ok why in hell did it allow the port through dial up connections and why in hell could you not disable it on network cards.

That is right you have to install a firewall third party. Here is microsofts bigest problem no good default firewall. Most linux faults can be blocked out by the default firewall. The next verion will target programs if everything goes to plan what will make linux even harder to attack.

Note the one in windows XP is a poor firewall a free one shiped with the OS would have been better.

The other defence of linux is in most cases we do not have one program to do just that task. Ie mult ftp servers, different versions of appache and removal modules, mult email server.

Basicly linux defence is patch or swap out of operation. Swap out of operation stuff has patchs that are slower because there is no need to rush the patch. Ie if everyone has swap out as directed there will be no problem. Basicly a swap out directive better be called a full patch at the directive or microsoft has stuffed up it report.

Re:What in Heck nowhere near as bad as 5 years

[Elbereth]

I do not understand.

Please post in French or German, as I think I would understand that better than your English.

Great! You find, we fix.

[Rex+Code]

Unless we're missing something... Who's to say that Microsft haven't been doing a little unpublished research, looking for buffer overflows and other vulnerabilities that they're soon going to demonstrate?

[...]

If they like many of us see Linux as the biggest credible threat out there, they might resort to fighting dirty.

The thing is, most OSS developers I know (myself included) welcome public review and full disclosure. If I get advance notice of a security problem, I look at that as a luxury, and have no problem with finding out along with the public. Once problems are pointed out, it's usually easy enough to fix them quickly. Having Microsoft auditing open source code for free would actually be quite beneficial.

The reason full disclosure is so important is that without it, these holes still exist, circulating among the black-hats. Unlike Microsoft who'd rather sweep problems under the rug. Disclosing problems isn't "playing dirty"; it's step one in getting them fixed.

Re:Why is it FUD?

[SCHecklerX]

Except that services running on linux are not linux. What, exactly, are they going to 'test'?

Meet 'tu quoque'

[inkswamp]

Microsoft needs to learn the Latin phrase tu quoque which translates as "you're another." The term is used in the study of formal logic and refers to a logical fallacy, that is, defending oneself by pointing out the weaknesses of another. Of course, if I own a company that produces a shoddy operating system with consistently lousy security and a puzzling number of thoughtless or bad decisions in terms of general design, pointing out the same in a competitor does absolutely nothing about my own shortcomings. However, this is a wonderfully effective rhetorical technique for throwing the attention off my problems and on to yours.

So, even if Linux was the most bug-ridden operating system with massive security holes, it wouldn't even matter. It certainly doesn't excuse one of the largest and most powerful software companies on the planet, i.e., one that can marshal a massive amount of resources and money to produce respectable software, from the ridiculous numbers of security issues and bugs that arise in almost every product they release.

Politicians love tu quoque, by the way.

Beyond that

[rsilvergun]

the OSS projects that make up Redhat Linux are an order of magnitude larger now then they were than. It stands to reason their response time to bugs will be better now. Not only that, but isn't win2k3 based off of win2k? It's not like win2k3 is a brand new product Microsoft cooked up from scratch. It's like comparing an early beta to a 3.0 release.

Moreover, I'd like to know how Windows compares to Linux in the time it takes to get suitable workarounds available. In general, I see good workarounds within 24hrs for linux. Maybe Linux isn't being patched as fast because it doesn't need to be. If your design is good enough that you can workaround most problems, you can take your time with your patches and do them right :).

Never underestimate the enemy!!!

[kresa]

Plus, only the paranoid survive. Microsoft proved more than once in the past that it is capable of spreading FUD and ruining everything in their way.

Remember? They hi-jacked the browser market!!!

I have heard comments from Balmer, returning to me from some clueless sysadmin. The guy didn't even know what was the origin of those statemets.

That is what FUD is all about -- it gets quoted in the media as just another thing someone said, but then it gets to unexpected places -- just like a rumor.

Also a point to remember we have much to thank in the Open Source world to the same rumor engine (no big expensive PR). We should know better than to underestimate it.

In fact we should have a well designed counter campaign -- explaining to people (and journalists) in a well organized and behaved manner what the truth is and point to the independent sources of information.

From the article...

[Trolling4Dollars]

...and our customers considerable it superior...

And all our base are belong to them? ;P Don't get me wrong, I love Linux, but when a journalist screws up a quote, I just have to have a little fun.

Re:Bill Clinton also got caught lying...

[dougnaka]

"The British Government has learned that Saddam Hussein recently sought significant quantities of uranium from Africa." Saddam Hussein DID try to get significant quantities of Uranium out of Africa. The current problem is the Intelligence community can't find his supplier, Francis Sonto Mbomam. Seems the only contact between him and Saddam was via email. But he did say he had $20.5M (TWENTY MILLION FIVE HUNDRED THOUSAND POUNDS OF URANIUM) for transfer to Saddams Uranium account.

First 150 Days

[The_DoubleU]

In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."

And what happens after the first 150 days. If you have a look at the Microsoft Update Catalog, you find 24 Critical Updates for 2003 Standard Server.
For Windows 2000 RTM, there are 77 Critical updates and 5 Advanced Security Updates.

So maybe Linux (Redhat) has got more holes in the first 150 days, but they are solved after that. While for Windows we have just started counting. :)

Re:First 150 Days

[dougnaka]

I think the problem with the 150 types of numbers is that the flaws are in related software. So a flaw in XMMS counts like a flaw in Linux by Microsoft's counts. Imagine if you added up the total flaws in ALL Windows based software. You can't count that high.

Microsoft Security FUD

[0583]

Maybe its time a Linux Company released a Microsoft Security FUD.....

Thank you MS

[salesgeek]

The people at MS truly don't get it with respect to Open Source. All that the strategy of highlighting problems with Linux will do is:

1) Make developers aware of bugs.
2) Encourage developers to fix said bugs
3) Ulitmately, Linux will get more reliable and secure.

MS should learn from their attempt to beat Apache - Open Source is a force of nature.

Re:OpenFUD -- Tell people

[dougnaka]

It seems obvious, but tell people that you think Linux is more secure. Odds are you're someone people look to for technical advice.

Amazingly enough many people don't gather all available evidence, analyze it, and think for themselves. They look around, see who's got it going on in the area in question, and adopt their "best practices". It's human nature, and it's whats driving Linux adoption right now.

Re:Bill Clinton also got caught lying...

[rpiotrow]

Bush lies in the State of the Union speech about matters of life and death.

"The British Government has learned that Saddam Hussein recently sought significant quantities of uranium from Africa."

Ok. Where is the rest of your proof. How is that a lie? The British government still stands by that statement to this day! If you are going to accuse the President of lying, you are going to have to do better than that! I hate it when facts get in the way of ideology.

Umm No.. but yes..kinda

[Pontiac]

You are right and wrong..

on XP (pro and home) any accounts created during setup are part of the administrators group and have NO PASSWORD

Read the Q article
Q293834

Re:Umm No.. but yes..kinda

[Pontiac]

This is also true for Windows 2000 boxes that were upgraded from Win95 or 98.

In that case all existing user accounts on the 9x box are by default in the Administrators group when upgraded to Win2k.

Read the Q Article
Q182734

Yes I am an M.C.S.E., Would you like fries with that?

Uh, brain.

[eclectric]

Quoting the original article:
"and the demographics of the user population,"

Err, isn't a bit of a paper tiger to complain about their user population as a source of security concerns? I mean, if Linux really is better than Windows, it should be able to deal with those users as well.

Security FUD On Linux

[infiniphonic]

Bring it on Micro$ludge !

Difference in ways of responding to security holes

[Kolinar]

There is a difference in the ways of responding to security holes.

On discovery of a security hole, Linux's and other Open Source way is to announce publicly that there is security hole that need people's attention, ways to safeguard oneself against the security holes is first discussed. A patch is then quickly produced and distributed.

On the other hand, on discovery of a security hole, Microsoft do *NOT* announce the security hole, fearing wide-spread exploitation would lead to catastrophie. A patch is produced in the mean time (when the general public have no awareness that a security hole even exists). At about the same time of annoucement of a security hole, a patch is release to the general public.

Microsoft might take advantage of this difference in the patching process to tip the scale in their favor. The public perception of "speed" of patching would be faster, because the patch is provided at around the same time as the annoucement, when the actual time between discovery and completion of patch may (or may not) be longer.

Look at it this way

[ajs318]

Windows is just an operating system and desktop environment, but almost every Linux distribution includes a full suite of applications - office, connectivity, scientific, graphics and so forth. Of course there are likely to be more problems where there are more places for them to appear. If you have a vegetable garden where you grow peas, beans, cabbages, carrots, potatoes, celery, onions, beetroot and turnips, then you are potentially vulnerable to more pests and diseases than a commercial farmer who grows just oil-seed rape.

Everything in the open source community is done under a rather large microscope. Good guys outnumber bad; so, statistically, there is a greater chance of a vulnerability being discovered by a good guy {who intends to get it fixed} than by a bad guy {who intends to exploit it for his own ends}. Everything closed-source, on the other hand, is kept under cover - until the covers are forced off. And anyway, it's better to make a mistake and admit to it than to pretend you never make mistakes.

At the end of the day, I will never trust someone who refuses to let me see their source code. If they want to hide something from me, I do not want to have anything to do with them - because what might be hidden in closed-source software is far, far worse than a simple error of programming.

Re:Bill Clinton also got caught lying...

[WuphonsReach]

Clinton got caught lying about something that wasn't anyone's business. It's his personal life and you've gotta be some odd kind of sheep to hate his wife for it.

Except that I have, perhaps naive, the notion that presidents should be trustworthy. If you'll lie / cheat / steal a little thing - what's to stop you from lying / cheating / stealing when the stakes are higher (and the reward for immoral behavior is larger)?

The issue doesn't start with the fact that he lied trying to protect his family from a scandal. The issue is that he was cheating on his wife in the first place! (And then compounded the problem by refusing to come clean.)

Demographics

[adrianbaugh]

Sorry, but you can't base the security of an OS on the demographics of its userbase. There's either a bug or there isn't.

Pots and Kettles

[_Sprocket_]

Meanwhile, the rational, quiet people whose opinions aren't voiced in boisterous +5 posts all the time just watch from the sidelines, shake their heads, and use the right tool for the job, whatever that may be.

I'm all for keeping everyone honest. After all, without some form of sanity checking, everyone is prone to getting a little carried away. Linux advocacy included.

But that sanity checking goes both ways.

Lines like this really make me chuckle. If I didn't know better, it would sound like Microsoft was the voice of reason. In fact, Microsoft is certainly capable of just as much, and often much more, hype in their own favor. They have a history of it. Furthermore, they often profit from pushing their technology in to every role whether it is "the right tool for the job" or not.

Yelling "black" doesn't make you any more insightful just because you're the kettle and not the pot.

This is a dangerous strategy

[One+Louder]

This could backfire on Microsoft.

Pointing out that a some other, "free", product has flaws is hardly a good defense for flaws in an expensive one.

A customer who takes this advice and removes Linux simply makes any Linux problems irrelevant - it doesn't make the past, present, and future Windows security problems magically go away.

binary vs source patch

[nuggz]

Maybe source patches make sense?

Re:Overly Critical Guy

[dipipanone]

I'm going to enjoy them

Heh. I just did. It seems he's a troll with a super-sekrit mission. A real man of destiny...

Perhaps he thinks if he trolls hard enough, Bill Gates will bless his efforts with dollar bills?

Re:SLASHDOT PROMOTES OFFSHORING!

[slimy_dude]

Please copy this note onto other threads... editors are putting a -1 on this quickly to avoid discussion of this subject.

Yes, I'm sure it has nothing to do with the fact that
1. you are an idiot
2. your tendency to use all caps makes you sound like an idiot
3. you don't understand how a modern free economy is supposed to work to create wealth for all countries

I hope you're happy. I responded to your -1 troll comment, so the slashdot moderators haven't squelched your free speech...unfortunately.

Go ahead and boycott slashdot. Spend your days here: http://www.hireamericancitizens.org/

Re:Bill Clinton also got caught lying...

[pHDNgell]

The issue doesn't start with the fact that he lied trying to protect his family from a scandal. The issue is that he was cheating on his wife in the first place!

I'm not sure where to begin on this...what does any of this have to do with being POTUS? There's a job he's hired to do. Whatever he does that does not affect this job is his own business.

Until we find something better than humans (or politicians or whatever) to run governments, we're going to have deal with them having human characteristics.

Honestly, unless you're Hillary Clinton, what difference does it make to you?

Where will this work???

[OneFix+at+Work]

I really like the fact that they are comparing an end user OS (RHL) to a server/enterprise OS. I would much rather have seen a comparison between RHAS. But even then, it's RedHat 6!!! Maybe someone should mention to them that RHL 6 is so old it isn't even supported any more.

I also like the fact how they are clumping "Linux" in with all open source...I would love to see how they reached these figures...and how would Windoze compare if we started including all of M$'s own software in with their figures...

But exaclty who are they targeting with this? I mean, any sysadmin worth his salt will be able to see right through this and any manager that sees this will surely have a laugh once his Linux ppl tell him how it is...

I'm going to guess that their poor attempt at FUD is a response to Novell's merger with SUSE and IBM's subsequent investment.

What impresses me even further is that this is obviously the best they can do right now...which means that the Linux community is really doing its job when it comes to fixing bugs...

Root is a basic threat...

[ducomputergeek]

I can see where having a root superuser is a critical weak point in Unix from a design stand point. But its no different than hacking an account with "administrator" access in Windows. Generally speaking, it much harder to do so on *iux enviroments unles you have someone that knows what they are doing.

However, most geek worry about holes in code, but those of us in security know that over 80% of "hacking" jobs are inside jobs. Some angered sysadmin gives out the password to a friend or competitor for $$$. Or, my favorite, someone calls, says they forgot their password, and the help desk or someone gives it to them. That kind of security holes are platform independant...

That'll be funny

[OMG]

For me that sounds like they are begging for a really devasting Windows Virus/Worm.

I would suggest rethinking their strategy.

Yeah, that's why we see headlines like this...

[ka-klick]

Microsoft Issues Security Patches every 2 weeks these days. (this set announced just an hour ago).
Great timing:
[shout]Hey, look over there! Linux has flaws![/shout]
[mumble]By the way, we have a handfull of new remote root exploits on XP and 2k to announce...[/mumble]

Re:Bill Clinton also got caught lying...

[spells]

I'm not American, but I thought the issue was that he lied to a Grand Jury, not simply that he lied.

For a President to lie under oath seems a little more important, but what do I know, I'm Canadian - we don't even elect our president :)

Re:Bill Clinton also got caught lying...

[LearnToSpell]

No wonder they can't find Saddam. He's at an airport in Brussels (or is it Amsterdam?) waiting for the guy to show up.

Linux vs. Windows

[Sheepdot]

Default install of RedHat 9 compromise time: 10 days.

Default install of Windows 98 compromise time: 4 years and counting...

I'm going to get modded down for this, but if I click the default crap on any Linux distro I'm more than likely going to install some god-forsaken client (in the case above, an ftp service) that will sit on an open port and eventually be scanned and compromised.

How is this any better than the RPC exploits?

I'd feel a lot safer if installations of *nix had easy to understand installation options.

Sure, someone can brag that you can get infected by Nachi in 6 seconds with an XP machine, but how often do you get rooted? How quickly do you notice? Is Linux as "fire-and-forget" as /.'rs seem to claim it is? No.

Stick with Apache on *dows. :)

Re:MS planting security holes?

_IF_ MS were actually doing that, it would simply point to insecurity and quality-assurance problems of Open Source software. I.e., if some random (malicious) jackass can insert buggy/trojan code into the Linux codebase and get it through (non-existent) quality assurance measures, to me that speaks to an inherent flaw in the Open Source concept as a platform for serious applications. As it stand now, at least. Please bear in mind that I'm not anti-OS, but you have to realize that QA standards have to be applied fairly to both sides...

Re:Bill Clinton also got caught lying...

[pHDNgell]

I'm not American, but I thought the issue was that he lied to a Grand Jury, not simply that he lied.

Sure, but that's not the argument I typically get from people. It's just that he lied. If a democrat lies in the US, it's over.

My personal feeling is that it's OK to lie about questions that shouldn't have been asked in the first place. We wasted millions of dollars worrying about some guy's sex life, and people still use him as an example of a horrible President because he lied about his sex life.

I don't really care about that. When will people start talking the same way about Bush lying about motivations for this war?

Oh, look!

[Harker]

Windows has downloaded another critical update to apply....

Windows Update...often doesn't

[JimmytheGeek]

There's nothing like seeing something fail silently because you were watching it like a hawk.

Vindication of my contempt!

I don't know how bad it is that the rpc patch for Blaster was supplanted by a subsequent patch for the same area of code. If they didn't suck, I'd be inclined to give them a pass. Maybe it was an unrelated flaw that they found with a stringent code review. Since they do suck, I am content to assume they should have caught the second hole when they patched the first one.

Re:Linux vs. Windows - wha?

[dougnaka]

I'm confused... "Default install of RedHat 9 compromise time: 10 days. Default install of Windows 98 compromise time: 4 years and counting..."

Are you stating these as times since you did an install until you got compromised?
Becuase if you have a Windows 98 default install and give it an unfirewalled connection to the Internet with a real IP address you've got 5 maybe 10 minutes before you're compromised.

I'm assuming you meant ftp server and not client, as for your box to get 0wn3d through a client requires your participation to some level.

The Nachi virus *does* root you. That's what's amazing about Windows. Many Linux vulnerabilities allow some types of access, but full remote root vulns in Linux itself are rare. Windows just doesn't seem as infected becuase most virus writers aren't out to wreck your machine and delete your data. Nachi, or any of the other ones, could have easily deleted your files, or read them and mailed the goods to the bad guys.

I'd stake money that one day in the next couple of years some malicious virus writer will strike, and all Windows users will realize that every virus since Melissa has had full control of their computers. Unfortunately, until it happens, nobody will think that virus' are more than minor nuissances.

Is it just me.....

[thewiz]

Or does it seem silly that Micro$oft is expending time, energy, and money to bash Linux instead of using that effort to work on the security problems they have?

Of course, it doesn't help the Linux community to bash Micro$oft, either. We incur the wrath of a company that has a bigger PR company than many of the companies that support Linux. And, unfortunately, the suits listen to the PR instead of the techs.

Re:You forgot something.

[khallow]

Wouldn't it be better if this guy were actually doing something productive rather than patching up MS security flaws that shouldn't exist in the first place? The answer for you morally impaired idiots is "Yes".

Too bad the IE vuln list is down

[dougnaka]

unpatched IE vulns

:(

Before it was taken down becuase they've fallen for more M$ marketing tactics about beefing up security, there were 31 unpatched IE vulns. I'm sure that Microsoft wouldn't count IE vulns in their Windows 2003 patches, since it's not really part of Windows...

It's sad to see the pressures of non disclosure creeping back in after such as nice period of full disclosure.
Wake up people, we need full disclosure and exploit code to get Microsoft to patch anything.

MS abandoned any obscurity for the code

[JimmytheGeek]

Even if you buy the security through obscurity model (and I don't think you should), you have to accept that Windows code is not obscure. Not to the bad guys, anyway.

The Chinese government has the code. Every contractor in the Operating Systems Group (+dog) at MS has the code. Disgruntled employees and contractors at "major partners" (not us peons) has the code. Think the black hats don't have the code?

Now, who DOESN'T have the code? Me. Not that this matters, because I'm too lame to find holes via code review. What does matter is that no PFY can find them via code review, either. Which means there's an asymetry. While pretty much any interested black hat can review the code, a small subset of white hats can/will, and few of them will be motivated. I'd much rather open it up to all the white hat PFYs looking to make a rep by PUBLISHING their finds. All MS has done is open it up to a subset of white hats employed by China, Russia, and large, mainstream IT (not where I'd look for talent in this area), and all the black hats.

It's the worst of both models.

I see....

[pair-a-noyd]

That Bill has hired Darl as FUDmeister.
Now we know where that 50mil came from.
And we have already determined that Darl spent it all on crack..

Re:MS will win, of course, they are running the te

[bex+l]

and any engineer/programmer/sysadmin/techie who knows anything will typically wait for that third party to do a similar report. Only nieve people will listen to MS because of their report.

Years of Risk

[ewe2]

I'm currently fighting an anti-XP battle at my organization; so far I'm winning on the basis of security flaws, but this FUD makes my job harder.

Most people could make a list of the number of MS OS bugs that have taken months or years to be fixed, if at all.

What they seem to be proposing is a pissing contest over the number of days it takes to fix a bug, which makes me wonder when they intend to start. When they can actually fix a bug within days? When they decide that a vulnerability is "allowed" to be public?!

I notice that Ballmer is taking the easy out by targeting Red Hat. Not a bad divide and conquer tactic, but a piecemeal approach could well backfire, because it's so easy to refute. A bigger problem is making yourself heard over the (soon to be) tidal wave of FUD noise...

No Big Surprise

[BCW2]

After the article a few days ago on AP that said a dangerous trend was showing up. Too many people, businesses, and municipalities are leaving MS for Linux and it's actually starting to show in the bottom line.

Now they react, it wasn't important till it hit the wallet!

What's a "part of the Linux OS"?

[LO0G]

If it's on a linux distro, it's a part of the OS.

You can't just restrict your list of security holes to the kernel - NT's kernel has had only one security hole that I can think of in the entire time it's been released (almost 10 years), that one had to do with the debug privilege IIRC.

Most of the vulnerabilities found in Micro$oft products are in user-mode components (like dcom) that are included on the CD but can be disabled.

Just like linux.

You CAN make a strong claim that many vulnerable services on Linux are not enabled by default (Apache, Sendmail) while they are on Windows, but don't bring out the "If it ain't in the kernel, it's not a Linux vulnerability".

That dawg don' hunt.

Re:What's a "part of the Linux OS"?

[abradsn]

Actually, isn't "the tied to everything else" thing ... really ... an asset! ? ! ? !

Red Hat Linux 6

[wuHoncho]

And at the end of October, Ballmer gave the audience at Gartner's autumn symposium a taster of what was to come when he attacked Linux's assumed security superiority. "In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."

aside from comparing an old version of a single distribution of linux to the brand new version of windows, leaving out the mass-market windows XP, of course, the statement is failing to take into account the actual likelihood of exploitation, which is dependent on a few other variables besides the mere presence of said security vulnerabilities.

Just because a security vulnerability exists does not mean that it is so easy to exploit that every 13-year-old with a pirated copy of VB is going to be able to format your hard drive. Every OS has security holes, but whether or not they have 1023 or two does not matter if the two in the supposedly "more secure" OS are so easily exploited and so horribly intertwined with the OS that fixing them would mean breaking everything else in the system.

Quality, not quantity, Ballmer.

Belief and Bills

[soloport]

Belief always starts with the wallet...

If you're making a living the Microsoft Way, you're bias is theirs. The only way to be un-biased is to make your living using any available "tool", using Sun, BSD's, Microsoft, Apple and others, equally.

Guess that makes me a real big Linux biggot!

So...What's the Point?

[Slavinski]

MS,
Does bashing others progress you any further down
the path of security? Or does it strengthen
the argument that something virtually free
is just as good as MS material or better?

Money wasted in the long run. They should be
concentrating on their own material. I think
they are losing focus of the whole argument.

And we'll thank them for their input!

[El]

They might view finding and making public security holes in the competition as a more valuable and profitable exercise than securing their own OS and software.

If, through shear brute force search, they do manage to find bugs in GPL software, then so what? Any problems that are actual bugs will be immediately fixed, and the net result will be Microsoft contributing to improving their competition's software! Any problems that aren't actual bugs will just make them look desperate. If that's what they want to do, I say we welcome 'em with open arms.

Wait a moment...

[Catiline]

Last time I checked, Jim Allchin (VP at MS) talked about "unfixable security flaws" on the stand at the antitrust trial. That alone has made me laugh any time Microsoft starts talking about their security measures. Therefore, I'll take any talk on security Microsoft makes seriously only after they announce a fix for their unfixable flaws -- things like shatter attacks.

More FUD from the /. crowd.

[LO0G]

How many remotely exploitable holes has the NT kernel had in it's lifetime (10 years or so)?

Don't compare apples and oranges.

Re:Bill Clinton also got caught lying...

[zforce920]

How can you naively think that what he does in his personal life doesn't affect HOW he does his job?

A person's true character is revealed in two places - When he/she is in a crisis and when he/she thinks no one is watching! Think about it.

Pres. Clinton made a poor decision to have an affair when he thought no one was watching. Then, when he was in a crisis -pressure of the Ken Starr investigation - he tried to lie his way out of it. Those actions show more about his true character than all his years of political life!

--"Integrity is doing what is right, even when no one is looking!"

Re:Bill Clinton also got caught lying...

[GSloop]

Oh, technically it was the truth, just like Bill Clinton "didn't have sex with that woman, Monica Lewinsky."

(Never mind that the British won't share their source for the documents. It's really the truth, I just can't show you. Remind you of anyone lately? SCO anyone?! Never mind that we reviewed the documents themselves and found them to be crude forgeries. Never mind that UNSCOM did the same, and came to the same conclusion.)

But only a moron would think that Bill Clinton didn't have sex, given what he DID do.

Only a moron would think that GWB didn't have the information that showed that the British info was wrong. (I'll even go one further, and say that we likely had the information that the British were going to claim this, and knew even before they claimed it, that it was wrong.)

Even if he didn't get that memo from Cheney, which he should have gotten from the State Department, then the only excuse is GWB and his appoited staff are total bumbling idiots.

(Not to mention the fact the the CIA had already warned GWB off the story once. One would think that one embarrassing retraction from a speech would be enough to make it stick in your memory.)

(If GWB was managing the local Wallmart, I'd not be too worried. But in case anyone hadn't noticed, somehow he woodwinked himself into the Whitehouse.)

It was a "white" lie. Sure, technically the British did say that. But GWB knew from independant sources it wasn't right, and used that statement knowing someday, if someone found out the truth, he could say "Technically it was true."

It was a lie, an intential lie and definitly intended to mislead.

Cheers,
Greg

Huh?

[Trejkaz]

Wouldn't it be better for Linux if they focused on local exploits? After all, GETROOT.EXE clones are a dime a dozen on Windows, whereas on Linux, as soon as someone finds one (like that one in mplayer), it's fixed right away.

What the...

[Trejkaz]

Microsoft working for open source? Giving away their hours to hunt bugs so we don't have to waste our time?

My brain hurts.

Re:This is good progress

[mabinogi]

I amazed at the number of times this post or similar has appeared on this story...it's stupid.

The world isn't tied to a narrative...Just because 3 things happened in sequence somewhere once does not mean that if the first 2 things appear to happen somewhere else, that the 3rd one will happen again.

People need to look at each situation in it's own light. Learn from the past, but do not think the past is doomed to repeat itself....that's the worst type of simplistic thinking.

No doubt...

[IthnkImParanoid]

...but you're hardly the first to realize this. Gandhi himself knew his tactics only worked because he fought a free society with a free press; his strategy of non-violence, in fact, was designed to use that free press to communicate the oppression without allowing himself to be labeled as an enemy. In other words, Gandhi chose his tactics after knowing his enemy.

To try to apply Gandhi's logic to this topic, we can let Microsoft continue its ruthless (and illegal) business practices, knowing full well that some people at least will see it and help fight it, and hope that the masses see it someday and stop supporting them. Or maybe that strategy isn't really applicable to this example, and this whole thread should be modded "offtopic."

Careful with the numbers - Creative accounting

[SysKoll]

Careful here. MS is known for creative accounting. The R&D figure includes things that other companies with stricter accounting policies put in marketing expenses, e.g. organizing expos and giving free software copies. Their R&D figures are not all research. You cannot trust the figures they publicize.

Oh don't kid yourself. There's tons of MS zealots.

[Ayanami+Rei]

They don't get paid either (although they go to trade shows and are rewarded with free MSDN subscriptions).

Mostly they appear ranting in defense of encroachment by other OSs into their ego zone: previously they had to fend off Amiga users, now Apples (which aren't "hardcore") and BSD/Linux (which is "too difficult, and thus for nerds").

Bleh.

Windows "root kits"

[Obasan]

Is anyone aware of Windows root kits with similar functionality to the kits that I've seen installed on many Linux boxes? Eg. packet sniffer, trojan ssh daemon, usually some kind of DDOS device, IRC bot etc. as well as various password cracking tools (l0pht crack?).

Do these exist?

More secure my @$$!

[boarder8925]

Microsoft on Tuesday included three 'critical' security patches in its new monthly bulletin, including a cumulative update for Internet Explorer, the world's [$#ittiest] Web browser.

The November alert, which is the second monthly update issued under Microsoft's plan to release security patches on a monthly cycle, also includes a fix for another 'critical patch in the Windows Workstation service that could allow harmful code execution.

According to the second monthly alert from the software giant, five newly discovered security holes were detected in Internet Explorer that could allow remote code execution and browser takeover.

The cumulative patch replaces the one that is provided in the MS03-040 update and affects IE running on Windows 98, Windows Millennium Edition, Windows NT Workstation, Windows NT Server Windows 2000, Windows XP (and XP Service Pack 1) and the newest Windows Server 2003.

The flaws affect Internet Explorer versions 5.01 through 6.0.

Of the five new vulnerabilities, Microsoft said three involve the cross-domain security model of Internet Explorer which keeps windows of different domains from sharing information. "These vulnerabilities could result in the execution of script in the My Computer zone," the company warned.

Microsoft said an attacker could host a malicious Web site containing pages designed to exploit the cross-domain vulnerabilities to take over a user's machine. "An attacker who exploited one of these vulnerabilities could access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system. This code would run in the security context of the currently logged on user," the company warned.

Holes have also been plugged in the way that zone information is passed to an XML object within Internet Explorer. This vulnerability could allow an attacker to read local files on a user's system.

A fifth vulnerability patched involved performing a drag-and-drop operation during dynamic HTML (define) events in the browser. "This vulnerability could allow a file to be saved in a target location on the user's system if the user clicks a link. No dialog box would request that the user approve this download," according to the alert.

As with all previous cumulative patches for IE, Microsoft noted that the update will cause the window.showHelp( ) control to no longer work if the HTML Help update is not applied.

Read the rest of it at http://www.internetnews.com/ent-news/article.php/3 107511

Re:Off Topic

[ignipotentis]

I expected the moderator who would mod me down for being off topic, despite me declaring it to the world to begin with.

You make a good point, I did notice it. Its a shame though, becuase it really makes the site anoying when the add shows up there. I know i'm not going to be able to sway the almighty slashdot by thinking of reading my news elswhere, but it is very intrusive.

Oh well, thanks for the response. The light bulb went off in my head that slashdot is here to make money just like everyone else... It is NOT just here for us geeks.

NT Kernel?

[Avihson]

How many remote holes in Linux, (10 years or so)?
Show me the NT Kernel!
How about some pointers to official documentation as to installing JUST the NT kernel, and no remote exploits along with the OS?

Every mainstream distribution of linux gives the oprotunity to install just the minimal kernel. The third party OSS applications that make up the distribution have to be selected.
The vulnerabilities in NT are coded by Microsoft, are they not? How much time did Linus put into ssh, or sendmail, or apache?

I thought so....

Can't help comparing apples to oranges, when at Microsoft, security is job 3.1.

Probably already been said

[insertionPoint]

But....

A multi million dollar code review being done by Microsoft for us for free. Imagine, they could find thousands of flaws, publish the results and within three weeks we could go from 2.6.0-test9 to 2.8.0-secure !!! Go Bill!

'...days it takes to fill the patches...'

[ohad_l]

We must remember, however, that Linux can detect the flaws much earlier (more manpower with access to the source), and Windows generally starts counting from the first exploit :)

source?

[Dave_bsr]

Any source for that?

redhat != linux

[Dave_bsr]

I still laugh when i see people ask about linux 8.2. Its hilarimous.

Re:redhat != linux

[Peer]

I still laugh when i see people ask about linux 8.2. Its hilarimous.

Yeah, everybody knows version 9.0 is out already...

But.. but... that's the payoff!

[Ayanami+Rei]

The tears of the overconfident/arrogant sales clerk are the sweetest of all.

it's all about applications

[Dave_bsr]

Applications my man, applications. Usability is close enough that it doesn't matter any more. If you could get every windows game and every windows app for linux, we really wouldn't be having a "linux is good enough" debate. We'd be having a "linux vs. windows on the desktop: what is right for you" argument. And Linux would probably be "right for" most people if the apps were there. And they had broadband.

give it 3 years.

MS zealots

[Dave_bsr]

There are a lot of windows zealots. I just read something on securityfocus from one of them, about how it's the user's fault that there are security problems with MS. He's partially right, btw.

however, I kinda laugh because it seems like the linux zealots are getting lazy and the windows zealots are getting scared and desperate....

Lots of pratice

[Technician]

It's simple really. One team has lots of experiance and is in tip top shape from the massive training they received. The other team is slower. They get woken up once in a great while to fix a problem. It's simple to note the fully mobilized team would have a faster responce team. They have response finely honed by experiance now.

Re:For me, it's only about FREEDOM and INDEPENDANC

[Bert64]

Naive.
FUD tactics _DO_ Work... how do you think microsoft got their current marketshare, and held onto it in the face of superior competition (Mac, OS/2, BeOS)
It certainly wasn't by having a superior product, it is well accepted that given versions of OS/2 BeOS or MacOS have always been superior to the versions of windows available at the same time. OS/2 had the best chance, since at the time not only was it compatible and capable of running windows/dos programs, it was also considerably faster and more stable than windows.. How did microsoft beat them? they held them back with FUD and then changed their api for intentional incompatibility.

RedHat 6?

[oohp]

In the article they mention RedHat 6. Is Microsoft comparing vulns in @in2k3 server to ancient RedHat 6?

MOD parent up informative.

[guybarr]

The billparish link definately is.

Re:Oh don't kid yourself. There's tons of MS zealo

[LX.onesizebigger]

Yes, there are plenty of those, but not expressed as a fraction of the MS user base, and rather than promoting Windows, they are defending it. That alone should speak volumes.

Halloween, anyone?

[winchester]

I am seriously wondering if anyone at Microsoft actallu paid as much attention to the Halloween documents as the open source community does.

In the first document, the writer states: "OSS is long-term credible... FUD tactics can not be used to combat it."

Duh?

[hughk]

RH 9 locks down unrequested services and suggests medium level firewall out of the box. My biggest issue with RH security problems is turning things back on, or at least explaining that to people (no big deal).

If you install a workstation, you must explicitly request servers. You must punch holes in your firewall to run some software.

You are trying to run a program...

[jotaeleemeese]

... for one OS in another, without emulator.

In such a regime, Mandela knew the next step after the "they fight you" step, which is "you fight back" followed by "you go underground".

And then you win.

One big difference.

[jotaeleemeese]

The Mahatma knew his cause was just and that his supporters, and many in the side of his enemy, knew it. That was the context in which that saying was said.

Can SCO claim the same?

MS vs Linux

[Loconut1389]

I think a good portion of the problem is a mentality difference. Windows users are more set it and forget it, used to a certain level of separation from the workings of the OS whereas Unix folk are more traditionally involved in every aspect of the configuration of their system. Only recently has the abstraction come to Linux with the install-everything-in-one-go abilities of so many distributions, but still admins and older unix junkies still are aware they have to configure things and secure them. Unix people in general pay attention to security news and install patches right away. Windows people tend to click on "remind me in 2 weeks" if they even have the auto update feature installed. I know people that are years out of date on updates.

One concession about windows though, is there are so many things you cant turn off or uninstall. At least with linux you can have no open ports if you so desire.

Just in time...

[jav1231]

for the release of MS03-049 (i.e. Yet Another M$ OS Critical Patch!)

Re:logical follow-up question

[hany]

Don't be silly. 1.3 Billion of that R&D money was spent on DRM projects.

How can you possibly say they aren't serious about security?

Logical follow-up question is:

Security of who? And against what?

Re: cripling

[hany]

Wi-Fi equipment is also "cripled" in such a way. Reason? Realy "silly": So users of such equipment does not cook up their heads or heads of some neighbours.

What a shame. :)

Anyone mirrored it?

[AmbyVoc]

Freenet? Entropy? GNUnet?

Scope of the issue

[ohdotoh]

When we refer to a Microsoft vulnerability, we refer to software created by Microsoft, not just any software that runs under a Microsoft OS.

A vulnerability in WinAmp (for instance) would not not considered a Microsoft, or even a Windows vulnerability. It would be considered a vulnerability in an application that runs on Windows. Might also be a vulnerability in a version of that application that runs on other OS's.

A vulnerability in Apache is not a Linux vulnerability. A vulnerability in Apache is certainly not a RedHat, or SUSE, or Debian, or ... vulnerability. A vulnerability in the linux kernel version 2.4.5 is a linux vulnerability. A vulnerability in rpm is a RedHat vulnerability. A vulnerability in OpenOffice, etc.

On the other hand, a vulnerability in Windows2k, Exchange, Outlook, Internet Explorer, Windows Media Player, Word, Excel, Visual Basic, etc. are windows vulnerabilities.

Since most people don't bother to examine boundaries (hmmm, socially engineered wetware buffer overflows?) it is easy to send this entire discussion off into outer space.

Damn, I think I might have already exceeded my MTV attention span limit. No One is probably reading this anymore. They've all gone to check their E-Bay bids.

To recap:
It doesn't matter if they are lying or not, or if Bill lied, or George lied. LOOK!!! There's Elvis!!!

The issue is scope, and we have allowed the scope to be whimsically defined. The scope is self-referentially defined as Windows vs. Linux vulnerabilities but we all apparently have a problem following a train of thought without flying off to Vegas for a long weekend of drinking and gambling... I wonder if they use windows in those slot machines? Hmm. People in Vegas stay up all night a lot don't they? I heard George Bush stayed up all night once with Bill Clinton at a Whitewater development party.

Ultimately the whole thing is a convenient distraction from more important social issues that, because of the limitations of our collective intellect, we can't deal with either.

For those of you who made it this far, I will recap one more time:

Vulnerability in software created by X = vulnerability in software created by X.
Vulnerability in software created by Y that runs in, under, on or needs in some other way software created by X = vulnerabiity in software created by Y.

Vulnerability in Exchange = Microsoft vulnerability.
Vulnerability in sendmail = sendmail vulnerability.
Vulnerability in sendmail running on windows != windows vulnerability.
Vulnerability in sendmail running on linux != linux vulnerability.
Vulnerability in sendmail running on RedHat != RedHat vulnerability.
Vulnerability in RPM = RedHat vulnerability.
Vulnerability in RPM when run on Debian system = RedHat vulnerability.

Anti Microsoft

[Nessxp]

The only reason people make viruses for microcrap programs is their such a large target that im sorry is not at all hard to exploit (excuse spelling) and desides unless ur a idiot and trying to be malitious most people only use exploits/viruseses to gain more control over their systems and take it away from microsoft. lets face it microsoft loves it when people do this 1 it puts their products right front page of the news and 2 they learn their exact weakness and apply new patches because u know that all the computers in the company use "Windows" yea my ass it had to be created by something

Re:Bill Clinton also got caught lying...

[Vlad_the_Inhaler]

Pres. Clinton made a poor decision to have an affair when he thought no one was watching. Then, when he was in a crisis -pressure of the Ken Starr investigation - he tried to lie his way out of it. Those actions show more about his true character than all his years of political life!

You are missing a sense of proportion.

No matter what or who we are talking about, that statement of yours is ridiculous.