Slashdot Mirror


Security FUD On Linux

bobmatnyc writes "InfoWorld reports that Microsoft is planning a "security assault on Linux" by hyping results of a commissioned study pointing to the number of security holes in Linux vs. Windows, the number of days it takes to fill the patches, and by raising questions as to the reliability of code submitted through the OS process. I suppose if they focus very narrowly on one measurement of security, completely ignore script-level vulnerabilities, default settings vulnerabilities (such as root access for all users), and the demographics of the user population, as well as a zillion other things I'm not clever enough to think of off the top of my head, they may have a point. "

116 of 679 comments

  1. Finally! by Anonymous Coward · · Score: 5, Funny

    I've been waiting years for Security FUD to run on Linux. I'm glad someone was able to port this over from Windows.

    1. Re:Finally! by msh104 · · Score: 5, Funny

if that would just be all, 100 dollars on it that they are only going to compare limitations of redhat (perhaps even an old version) with their microsoft product. why don't they just spend that money and time on fixing bugs in windows instead of finding them in linux. perhaps we should create a bugzilla for them so they can post the problems they find there, i am sure someone will fix them.

    2. Re:Finally! by Blikbok · · Score: 5, Insightful

The biggest score Microsoft has had is convincing its users that all of the rebooting and crashing and poorly-designed security features are to be expected in powerful software, and to expect to not only pay for such software, but buy extra software and pay consultants to work around these misfeatures.

      I don't know if making "Redhat" a synonym of "Linux" is all MS's fault though.

    3. Re:Finally! by Anonymous Coward · · Score: 2, Funny

      Because they did that for a few weeks, that's when they discovered that marketing people do not have great coding skills...

    4. Re:Finally! by morleron · · Score: 3, Insightful

      I suspect that you're probably correct to a degree. However, I think that MS will probably dump all security problems, whether they're actually part of the Linux OS or not into the hopper and use that as their basis of comparison. For instance, problems with OpenOffice will be counted, but problems with MS Office won't because "MS Office is a separate product, while OO is distributed as part of the Linux system." This approach of counting Linux app problems against Linux, but not counting similar MS app problems against MS has been used before.

I'm not going to lose any sleep over a new MS offensive as the truth of the situation is obvious to anyone who looks at the situation with an unprejudiced eye. Yes, Linux has problems; yes, sometimes it takes a while to get patches out; yes, the Open Source process doesn't necessarily have a single point of contact when it comes to fixing a problem. The fact remains that, by any honest count, Linux has fewer problems, the problems get fixed faster, and the lack of a central contact means that a potential fix can come from anywhere. MS FUD notwithstanding I don't recall that Linux servers and workstations had problems with SOBIG, Blaster, etc. Let's approach this issue carefully and not fire until we see the whites of Microsoft's eyes.

      Just my $.02,
      Ron

      --
      Impeach Barack Obama for violating the Constitutional requirement to be a "natural born" citizen to hold the office of P
  2. Reward Program? by BrynM · · Score: 4, Interesting
    From the article:
    Last week, the company announced a $5 million reward program aimed at bringing virus writers to justice. Although it is unlikely to reap any tangible results, the message was clear: Microsoft is taking security seriously.
    How seriously can they be taking it if all they did was start a $5Mil smoke and mirrors reward program? Tackling security problems with PR is not taking security seriously, it's being flippant with your solution. I wonder how much this program will eventually pay out. They didn't say that the reward was $5Mil, just that they allocated $5Mil to the program for creating rewards. Is that program in the marketing division or is it a real program?
    --
    US Democracy:The best person for the job (among These pre-selected choices...)
    1. Re:Reward Program? by John+Allsup · · Score: 4, Insightful

      They're taking the appearance of security seriously: whether or not the security is real is effectively irrelevant to those who can't tell the difference. (It's a matter of who they listen to, and whether that 'who' is Micro$oft.)

      --
      John_Chalisque
    2. Re:Reward Program? by drooling-dog · · Score: 3, Insightful

      They'd probably be better off if they just shut up about the issue and hope it goes away. Drawing attention like this could easily backfire.

    3. Re:Reward Program? by Crimson+Midget · · Score: 2, Interesting

      Agreed. A realistic program might be something more like a reward for MS developers who take the time to dig through code and discover exploitable holes.

But really, with things like this, MS can simply release some statement with a lot of bluster, shouting random dollar figures and come out looking good. People will remember the original announcement and the high figure, but they'll never try and follow up on it, find out if it's worked, find out if anyone's been paid.

      I doubt there'll even be a /. followup on something like this. But even if there were, your average managerial unit wouldn't see it. They'd come away from all this with the thought, "Microsoft is taking security seriously." They'll believe it, they'll post it in memos, they'll repeat it at meetings with clients. Microsoft can say anything they want, put a dollar figure behind it and there will be people who believe it. And MS knows it.

      The real virus writers here? Microsoft's marketing department.

    4. Re:Reward Program? by PierceLabs · · Score: 4, Insightful

      Microsoft's apparent idea of security is to sue people who expose vulnerabilities and to put out bounties so that others who might be encouraged to exploit those vulnerabilities would be afraid to do something. This doesn't suggest that Microsoft is taking security seriously, it suggests that they're pissed that people are exposing how Microsoft ISN'T taking security seriously. Microsoft can create as many initiatives as they want, but so long as they continue to live in the world where providing dancing paperclips on the screen in a single click is more important than making sure that users have to actually understand their machines before letting programs change system files - they aren't doing the world or themselves any favors.

    5. Re:Reward Program? by GooberToo · · Score: 2, Funny

      Microsoft is taking security seriously.

      LOL. The correct quote is, "Microsoft 's Marketing Group is taking security hype seriously."

I think it was a misprint. Seems Bill doesn't know anything about the security initiative that his marketing group spoke of.

    6. Re:Reward Program? by kardar · · Score: 2, Interesting

      I just hope that they don't create FUD to the point that the situation becomes ripe for an "attack" - that is, insult Linux, stage a DDOS or something.

      This complete and utter nonsense is almost designed to piss people off, so it's only a logical step that it might become an attempt to further discredit Linux and other free / open source software by portraying Linux developers and enthusiasts as untrustworthy, irresponsible, disrespectful, malicious individuals. As long as we make it through this PR thing (if the rumor is true) without any kind of DDOS on Microsoft's servers, it'll be relatively inane.

      There's always a trade-off between being on the cutting edge and being totally stable and secure; people need to weigh the pros and cons before they make decisions about these kinds of things.

If Microsoft were taking security seriously then they wouldn't be busy bashing other OSes about security; this kind of nonsense, provided that the article, or rumor, is correct, is just wasted breath, because Linux security is not that bad, and Linux in no way makes Microsoft products less secure - there's no correlation.

Or maybe, just maybe... Microsoft is embracing Linux? Maybe they want to help make it more secure? One thing is for sure, Linux is NOT a waste of time. Microsoft certainly has the resources to contribute things to Linux, don't they? Instead of bashing it, why not help make it better? Thing is, it's pretty darn secure already.

      When I saw this headline I thought it was a joke, but I guess it isn't. Kind of hard to believe, though - it's just so wrong.

      The only fair comparison would be between software that is in development at Microsoft - beta Longhorn, for instance, or something like that. Linux is a very broad term that encompasses all kinds of levels of done-ness of software. Some stuff is in alpha, some in beta, some is in pre-alpha stages. Of course there are going to be bugs. If you want to use Linux, and you don't want bugs, you can't use alpha and beta software, and you need to go with the tried and true, not the cutting edge. I don't trust Microsoft to make those distinctions - it's not fair to compare development versions of one OS with stable versions of another. If you compare stable, non-cutting-edge versions of Linux with MS's current offerings, Linux wins hands down. Software that is under development is always going to have bugs - it's a fact of life.

  3. Remotely vs. locally exploitable by winkydink · · Score: 5, Insightful

    As somebody pointed out to me not too long ago, as long as MS talks about security holes that are remotely exploitable, I don't think Linux has anything to worry about.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:Remotely vs. locally exploitable by BrynM · · Score: 5, Interesting

      It's their report and their numbers. Do you think that they would highlight the areas in which they are weak? The report will probably focus on printer exploits or something just as inane. I think the original submitter was right in the idea that they will ignore Outlook/Script exploits and focus on the OS itself (I know - not a good track record there either, but it's better). Since they are presenting data on the time to a fix, I know that they are ignoring the time that the public doesn't know about an MS exploit and making it seem like they work coding miracles. They may have hit on a very subtle point with Linux security without addressing it directly: Linux exploits get reported sooner and OSS coders encourage others to report exploits quickly. MS obfuscates their exploit reports and would rather only know about them behind closed doors.

      --
      US Democracy:The best person for the job (among These pre-selected choices...)
    2. Re:Remotely vs. locally exploitable by Trepalium · · Score: 2, Insightful
Chances are, they'll use raw number of published vulnerability reports. Say Windows 2000 versus Red Hat Linux 7.2. There would be a number of errors with this approach, such as the fact that nearly every distribution ships many different MTAs, FTP servers, etc, and they are generally mutually exclusive. Installing Sendmail and Postfix and QMail is probably technically possible, but highly unlikely, and usually completely impossible with official packages. There's also the fact that pretty much EVERY exploitable vulnerability gets a security advisory written up for it, unlike Windows, where Microsoft can slip a fix into the next service pack, and no one will ever really know about it. How many segfault bugs does Microsoft fix in their products that could be remotely exploitable if someone dug deep enough? I know I've seen advisories come out after someone dug up that a bugfix in an open source program actually fixed an exploitable hole.

The problem is, there's really no proof that either development process is better than the other. You can either accept the baseless claims from either side, or accept flawed conclusions from the public data that compares apples to oranges.

      --
      I used up all my sick days, so I'm calling in dead.
    3. Re:Remotely vs. locally exploitable by mindmaster064 · · Score: 2, Insightful
      What is linux?

      It's a kernel.. that's it..

At the "kernel level" neither Windows nor Linux has very many problems.

      Windows in its entirety is much more than a kernel. It's not even a fair comparison.

      If you're comparing distros, well then.. You are much more likely to be exposed if you are running Red Hat/Debian/Whatever than simply running Windows due to the number of additional silent-ware installed that you probably do not know about. The only way you may be safer is running a stripped down or completely-customizable distro like Gentoo and for most WORKING people building kernels and packages all day is not practical at all.

      Another fact that Linux geeks don't get. For every 1 person using linux, there are probably countless others running Windows. Bug frequency appears higher in number, but is lower as a ratio to the users. If there is one Linux user to every 100 Windows users and there are 10 Linux exploits a year vs. 20 for Windows then Linux would have much more vulnerability.

Let's assume that there are 1 million magic users in our comparison, that would mean that there are 10000 Linux users with 10 bugs, or one system exploit per 1000 users that leads to system compromise.

Our Windows users are actually doing better because they're getting one exploit per 49500 users. In fact, the Windows people would have to get more than 400 bugs a year to even be competing with Linux on bugs. In our little example the numbers are fake, but it's not really that far-fetched if you put real user base numbers in the equation.

      Real security is all about knowing this crap, even though the numbers are bullshit I'm mainly trying to prove the point that the bugs to user ratio is much more important. The chance of being exploited, the number of exploits, and the number of software packages are all factors. Just because Linux gets 10 bugs and Microsoft gets 40 doesn't mean "Linux Wins".. The Linux user base is much lower so the bug rate is exponentially higher than Windows.

      Just some food for thought..

  4. Talk about shooting yourself in the foot by coolmacdude · · Score: 5, Interesting

    A good rule of thumb in competition is to only start wars you know you can win. Something is not clicking here...

    --

    -You may license this sig for only $6.99.
    1. Re:Talk about shooting yourself in the foot by beacher · · Score: 4, Funny

      There are 5 stages of denial - denial, anger, bargaining, depression, and acceptance. Wonder which stage this PR campaign fits?

    2. Re:Talk about shooting yourself in the foot by azzy · · Score: 2, Funny

      There are 5 stages of denial.

      * denial 1
      * denial 2
      * denial 3
      * denial 4
      * profit.. er.. denial 5

  5. Easy Question to Ask by toupsie · · Score: 5, Informative
    How many Linux Security Threats have made me work over 24 hours straight? 0 in 2003

How many Windows Security Threats have made me work over 24 hours straight? 1 every two months in 2003

    Guess which OS I like to support?

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
    1. Re:Easy Question to Ask by Sqwubbsy · · Score: 2

      It's called Job Security.
      Hint: You don't have to like it.

    2. Re:Easy Question to Ask by zCyl · · Score: 2, Insightful

      It's called Job Security.

      Job security like a janitor who runs around throwing dirt and trash on the floor?

    3. Re:Easy Question to Ask by TheRealSlimShady · · Score: 2, Interesting
How many Windows Security Threats have made me work over 24 hours straight? 1 every two months in 2003

      Why did you have to work over 24 hours straight? Don't you have an automated patch management strategy in place? Surely that's part of supporting an OS? Surely after the first time you would have figured out that there's a better way to do it?

    4. Re:Easy Question to Ask by Anonymous Coward · · Score: 4, Funny
      If only applying patches were all one had to do to administer a Windows box! Due to Microsoft's delayed reaction times, it goes something more like this:

      Wake up, day 1, to phone call saying "all our computers are shutting down randomly!" You grumble and go to work.

      At work, you pop in your trusty f_prot or other comparable antivirus software and BAM! There's Blaster/SoBig/Klez/whatever staring you in the face. You yell at a random staffer for opening attachments at work.

      You begin isolating and cleaning all infected machines. You run scans on a few other machines just to make sure.

      You lecture the entire office once again on how it never really is a cool screensaver or neat program that their friend sends them in the e-mail.

      Two hours later someone comes back to your room carrying a printout of an e-mail with an attachment. "Is this a virus?" They ask. You cringe. The printout contains the words "application/octet-stream." You manage to croak something and nod hoarsely.

You grab your antivirus disk again and go clean the Klez off all the machines in billing. For a second time. You curse Outlook violently at this point in time. You are probably becoming irrational and violent, like an enraged monkey.

      You go home at the end of the day and dream of playing Russian roulette with a shotgun.

      This continues for a week until Microsoft releases the patch, which you download and install. You think everything will be OK for a while.

      You get a call the following morning. Some idiot brought his laptop up from home, and his kids had been using it. You now have 30 more viruses to clean! Fun!

      You tell your boss that he could pay you 1/3 of the pay he does (minus overtime) if he'd just go buy some Macs or let you install Linux on the office computers. He strokes his pointy hair and laughs at you.

      You die cold, bitter and alone, and Bill Gates torments your soul for all eternity.

    5. Re:Easy Question to Ask by muckdog · · Score: 5, Insightful

You haven't "worked" in IT, have you? Part of that time is testing the patches to make sure they work and don't break something else worse than what the worm/virus/hole will do. Anyone who lets Windows update run fully automated on production servers is a fool.

    6. Re:Easy Question to Ask by nodwick · · Score: 2, Insightful
      How many Linux Security Threats have made me work over 24 hours straight? ... How many Windows Security Threats have made me work over 24 hours straight?
If you're like the sysadmin in our lab, Windows makes you spend more hours on it for two reasons: (1) more machines are running it, and (2) the ones running Windows tend to have more non-savvy users.

      Point #1 says that if there's an equal number of exploits, and each exploit takes a constant amount of time per machine to fix, then since around 90% of machines are Windows boxes, your total time spent fixing them is obviously going to be a lot higher.

      Point #2 says that the less mainstream nature of Linux tends to self-select a userbase that knows what they're doing, security-wise. On the other hand, many Windows users just have it so they can write up their reports and check their email, and have no idea what a security update is or how to install it. The recent infamous RPC exploit, for example, had a patch out for a couple of months before exploits for it appeared in the wild, but was ignored by most Windows users. A hypothetical similar Linux root exploit would have been quickly adopted by most computer geeks, while our sysadmin was complaining that even a month after Blaster made the rounds, there were still people bringing laptops into lab that were unpatched and quickly hacked. Add to this that many of the same people were unhappy about anyone else having access to their machine, but didn't care enough to secure it, and patching security exploits was one big headache.

      I've heard many good reasons why the Microsoft article about Linux security is pretty slanted in their favor, but hours of work to fix isn't a fair one. A better metric might be hours of work per Windows box versus Linux box.

    7. Re:Easy Question to Ask by TheRealSlimShady · · Score: 2, Informative
You haven't "worked" in IT, have you? Part of that time is testing the patches to make sure they work and don't break something else worse than what the worm/virus/hole will do. Anyone who lets Windows update run fully automated on production servers is a fool.

Eight years and counting, and most of that time in Windows environments. I didn't say that you didn't need to test, testing is a given. If you're not testing, you're a fool. However, the fact is that between the time the update comes out and the time an exploit is released there is generally a window available for testing. Blaster is a case in point - the update was out for weeks. A good admin would have reviewed the update, seen that it was a remotely exploitable hole and started testing it. Then with the automated deployment tools it's a matter of releasing the update. For what it's worth, I don't recommend Windows Update on servers at all - I prefer to patch them in a more controlled fashion. Of course, in some environments the volume of servers means you have to automate it in some way.

    8. Re:Easy Question to Ask by pompousjerk · · Score: 2, Informative

      Damn straight.

      Although, one thing needs to stay clear: Linux is only secure if you know what the hell you're doing. 51% of all known successful root compromises occur under Linux. (Linux has more than 51% of the market share, IIRC, so it's not a very fair comparison. If anybody has market share data, please provide it so we can look at ratios.)

      I prefer running Linux, of course. At least I know I can secure it.

    9. Re:Easy Question to Ask by mahdi13 · · Score: 2, Funny

      I'm sorry, I work in IT in the U.S. What is this "overtime" of which you speak?

One of those foreign mythical events, very similar to a "bonus"

      --
      "Some things have to be believed to be seen." - Ralph Hodgson
    10. Re:Easy Question to Ask by MadMirko · · Score: 2, Informative

Well, I admin about 150 Windows servers since the days of the late NT 4 (SP 5 and upwards), and I can't remember a MS patch that actually broke anything.

      Besides, of course you do not run Windows Update on servers at all, because they generally shouldn't have someone using a browser on them.

      Try SMS for automated deployment of tested patches to any number of servers, anywhere on your network. When you want, how you want.

    11. Re:Easy Question to Ask by TheRealSlimShady · · Score: 2, Informative
      Hmmm... so what do you do when you have a good 2-3k client machines to handle as well? If it were just servers that would be one thing - but when you have client applications all over the place and you have to go around installing and patching that's something entirely different.

When you're running that many client machines you can either use a distributed SUS architecture, or for most businesses of that size they have management software in place (be it Altiris, SMS, Unicenter, or even HFNetCheckPro) that can be used to deploy updates in a sensible fashion. Sure, as soon as you get over about 100 machines you start getting to the point where the interdependencies start to get complicated, but if you can get say 95% of your machines with no manual intervention then you're winning. If you've got good test procedures, you should be able to get even more.

    12. Re:Easy Question to Ask by PPGMD · · Score: 2, Insightful
      Anyone that actually believes that is a fool also.

      Any modern OS can be both secure or insecure, it really depends on the user. Linux has had numerous security holes since I have been in IT, but the average admin is alert enough to patch them, not always true with Windows.

In fact I remember once a lower level admin was working on deploying a Linux server for a customer, at 5pm when he was done, he had it set up with RH 7.3, and put it on the network, leaving me with a note: IP, root pass, and what the customer wanted. Unfortunately that admin accidentally hooked that machine on our non-firewalled network (that company charged more for placing on the firewall network), well by the time I came in at 8pm that machine had been hacked and was DoSing some server.

Note default install of Linux, and non-firewalled network. In a honey pot book I read, the guy's first honey pot Linux server was hacked in 24 minutes flat (default install of Red Hat).

      Being both a Linux and Windows consultant, I use both, but I make sure that both are deployed intelligently with patching systems and firewalls and gateways along with them if needed.

    13. Re:Easy Question to Ask by Qrlx · · Score: 2, Informative

      You should put antivirus on your mail server. Or if you don't have a mail server, and users are using Outlook or OE for POP/IMAP access, put antivirus on your internet gateway.

      Get fancy and put the laptop users on a separate segment with antivirus running on the gateway to the rest of the LAN.

Or you could add the Level1Add key to the registry at HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security and put .exe, .vbs, and .scr in the string value.

There's many better options than trying to educate the (largely uneducable) users.
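
The Level1Add registry setting mentioned in the comment above is a semicolon-separated list of extensions that Outlook adds to its "Level 1" (blocked) attachment list. As an added example that is not part of the original post, the PowerShell function below appends extensions to that list without clobbering whatever is already in it; the function name is hypothetical, and it assumes Outlook 2000 (Office version key `9.0`, as in the comment) with the Outlook E-mail Security Update installed, since older builds ignore the value.

```powershell
# Added example, not from the original post. Appends extensions to Outlook's
# Level1Add blocked-attachment list under HKCU, merging with any existing value.
# Assumes Outlook 2000 (version key "9.0"); later versions use a different
# number in the same path (e.g. 10.0 for Outlook 2002).
function Add-OutlookLevel1Extension {
    param(
        [Parameter(Mandatory)][string[]]$Extension,
        [string]$OfficeVersion = '9.0'
    )
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Existing data, if any, looks like ".exe;.vbs" (leading dots, ';' separated)
    $current = (Get-ItemProperty -Path $key -Name Level1Add -ErrorAction SilentlyContinue).Level1Add
    $list = @()
    if ($current) {
        $list = @($current -split ';' | Where-Object { $_ })
    }

    foreach ($ext in $Extension) {
        # Normalise to lower case with a leading dot, then de-duplicate
        $norm = $ext.ToLower()
        if (-not $norm.StartsWith('.')) { $norm = ".$norm" }
        if ($list -notcontains $norm) { $list += $norm }
    }

    $value = $list -join ';'
    # -Type String creates the REG_SZ value if it does not exist yet
    Set-ItemProperty -Path $key -Name Level1Add -Value $value -Type String
    return $value
}

# Block the three extensions named in the comment for the current user
Add-OutlookLevel1Extension -Extension 'exe', 'vbs', 'scr'

# Read back what Outlook will see at next start
(Get-ItemProperty "HKCU:\Software\Microsoft\Office\$('9.0')\Outlook\Security").Level1Add
```

The value lives under HKEY_CURRENT_USER, so it has to be set for each user profile (or pushed through a logon script or policy), and Outlook reads it at startup, so a running instance keeps its old list until restarted. Blocking by extension only stops the attachment from being opened or saved from inside Outlook; it does not replace gateway or mail-server scanning, which the same comment recommends first.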

    14. Re:Easy Question to Ask by Anonymous Coward · · Score: 2, Interesting

      There are numerous problems with your rant. First, Blaster has nothing to do with email. The user doesn't have to take any action at all to be infected - he or she simply has to have an unpatched and unfirewalled system on the internet.

      Second, Outlook doesn't play any role at all in the case of the two email viruses/worms you mentioned (Klez and SoBig). User stupidity and lack of proper antivirus protection are the only relevant factors.

      Security patches are also not relevant to these email worms, since they don't use security exploits.

      Finally, the patch for the RPC exploit was available well before Blaster appeared.

      These are all nit-picks, but they point to an overall problem of incorrectly assigning blame. Is MS at fault in any way for an email virus that exploits no security holes (in MS products or otherwise), and can only infest and spread if the user is foolish enough to run it? No. The user is 100% at fault for running an untrusted program. The speed with which MS issues patches has absolutely no bearing on this situation - they can't patch against user ignorance or stupidity.

      Likewise, is MS at fault in any way for a virus that exploits a security hole they've already fixed, but for which the user has not updated? No. They've done their part. The user has not.

      You can argue that the hole should not have existed in the first place, but in the real world it happens. The only reasonable expectation we can have is that such holes are fixed in a timely manner. You are free to have your own opinion about whether or not MS meets this expectation, but the fact remains that many (most?) worms that exploit security holes exploit old, already patched security holes.

6. Another 'commissioned' report... by Chicane-UK · · Score: 4, Interesting

    What frustrates me about these is that people actually BELIEVE them. Though given the recent security blunders by Microsoft (such as that little problem called 'Blaster') people might finally realise that this stuff is a load of BS.. or very very twisted fiction.

    And I just wish that the comments & replies of key figures in the Open Source community made the headlines in the same way as these 'reports' do.

    --
    "Hey! Unless this is a nude love-in, get the hell off my property!!"
1. Re:Another 'commissioned' report... by frodo+from+middle+ea · · Score: 3, Funny

Truth (Marketing definition) :- A blatant lie, told with utmost confidence, and backed up by forged yet sensational statistics and meaningless pie-charts, and bar graphs.

      --
      for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
2. Re:Another 'commissioned' report... by Brataccas · · Score: 2, Insightful
      It may not be that people actually believe them....they WANT to believe them. Many companies have invested millions of dollars and thousands of man-hours setting up and supporting Microsoft infrastructures throughout their organization. The people who recommended, funded, and built these networks aren't exactly looking to be first in line to admit it was a bad decision. As long as MS puts out millions of dollars of ads and studies claiming that "everything is fine" or "everything will get better" or "the other options are just as bad" many companies will try to convince themselves that the market-speak is true. Psych 101.

      It's a delaying tactic, and a very effective one.

7. Moving well on into stage 3... by Space+cowboy · · Score: 4, Insightful

    First they ignore you
    Then they laugh at you
    Then they fight you
    Then you win

    Mohandas Gandhi

    --
    Physicists get Hadrons!
1. Re:Moving well on into stage 3... by znode · · Score: 3, Funny

      You mean GandhiCon 3...

2. Re:Moving well on into stage 3... by geekee · · Score: 2, Interesting

      " First they ignore you Then they laugh at you Then they fight you Then you win Mohandas Gandhi"

This quote is meaningless, except in hindsight. For instance, if Gandhi had used the same tactics in Hussein controlled Iraq, instead of British controlled India, the quote would go
      First they ignore you Then they laugh at you
      Then they fight you
      Then you die.
      He would have ended up in a mass grave with the other 300k people.

      --
      Vote for Pedro
  8. How about I point at one thing. by Anonymous Coward · · Score: 2, Insightful

The number of major-collateral-damage internet worms that have struck because of unpatched or unfixed problems in Microsoft OSes in the last two to four years.

And then I point at the number of similar-scale linux worms that have occurred in the same time period.

    And then note that despite the fact nothing but Windows worms so much as *register* on the scale, Windows is not a majority in the server space.

  9. uh... wtf? :) by wo1verin3 · · Score: 3, Insightful

    >> InfoWorld reports that Microsoft is planning
    >> an "security assault on Linux"

    Microsoft prefers marketing...
    Linux prefers a solid product...

Perhaps Microsoft should spend some more money on fixing their own products instead of trying to bring down others, it's turned into a political campaign for them.

  10. Reaching towards the goal by Ridgelift · · Score: 4, Interesting

    It's been said many times before, but it bears repeating:

    First, they ignore you,

    Then they laugh at you,

    Then they fight you,

    Then you win.

- Mahatma Gandhi

    1. Re:Reaching towards the goal by Zork+the+Almighty · · Score: 3, Insightful

      But what about all the other possibilities ? What else can happen ?

      1) First they ignore you
      2) Then you screw up and fail!

      1) First they ignore you
      2) Then they laugh at you
      3) Then others laugh at you, and you fail!

      1) first they ignore you
      2) then they laugh at you
      3) then they fight you
      4) and they win !

      Where are all those people ? I'd reckon they're still running OS/2.

      --

      In Soviet America the banks rob you!
    2. Re:Reaching towards the goal by IIH · · Score: 4, Insightful

      It's been said many times before, but it bears repeating:

      The truthfulness of a statement is independent of the number of times it is repeated. (Is not! Is too! Is not! Is too! Is not times infinity!)

      First, they ignore you,
      Then they laugh at you,
      Then they fight you,
      Then you win.

      SCO have been ignored, laughed at, are being fought at the moment, so do you expect them to win too?

      --
      Exigo spamos et dona ferentes
    3. Re:Reaching towards the goal by NTmatter · · Score: 2, Interesting

      Actually, the Linux community didn't ignore SCO. The Linux community repeatedly asked for proof of the existence of the alleged code. SCO of course ignored these requests repeatedly. They laughed as people sent in their $699 "don't sue me" slips. Then they started fighting IBM. And Redhat. And Hollywood. All that's left is for SCO to lose.

    4. Re:Reaching towards the goal by slimy_dude · · Score: 2, Insightful
      First, they ignore you, Then they laugh at you, Then they fight you, Then you win.

      SCO have been ignored, laughed at, are being fought at the moment, so do you expect them to win too?

      I think it's worthwhile clarifying Gandhi's statement. He intends to say that when the opponent chooses to fight, you have already won. The "then" in the last line is deceptive. The message is that when the enemy attacks unfairly (fights), it is an admission of failure. At that very moment, you have won.

      In this regard, it is unfair to say SCO has been "fought" against. With the exception of the unfortunate DOS attack a while ago, the attacks on SCO are justified, reasoned arguments. Thus Gandhi's aphorism doesn't apply.

  11. Linux isn't perfect by nuggz · · Score: 4, Insightful

    Linux isn't perfect. By design, the implementation, or the way people admin their machines.

    There is an understanding that MS is also not perfect. People expect security holes, and bugs and crashes.

    I think it is good that this might result in a nice list of where linux has gone wrong in the past, and what hurdles to overcome in the future.

    If the competition wants to make you the "Build a better OS HOWTO" I think they should be as free as anyone to add to the LDP.

  12. Free publicity by LittleBigScript · · Score: 2, Insightful

    Since there is no such thing as bad publicity this has to be considered a good thing.

    Think about it, the article mentions Red Hat and lets them discuss what think of the whole matter.

  13. Hardly surprising by DG · · Score: 5, Insightful

    Given that Microsoft got caught lying to a Federal judge (during the antitrust case), why is anyone surprised that they'll lie to their customers?

    Isn't that a given?

    Anybody looking to a vendor to provide accurate data about its products or the products of its competitors deserves the crap they get.

    DG

    --
    Want to learn about race cars? Read my Book
  14. Re:Spreading FUD in a submission about FUD by tomstdenis · · Score: 5, Informative

    Actually no. Those users are part of the Administrators [re: root] group. Check yer users settings sometime :-)

    Tom

    --
    Someday, I'll have a real sig.
  15. Root access? No. by shrikel · · Score: 4, Insightful
    Not to be inflammatory, but ...

    such as root access for all users

    On Windows, even the Administrator account (which is the level that lots of people log in to) is not really root access. The Local System account is comparable to root. The Administrator has control over all user-controllable parts of the OS but there are parts that are not user-controllable.

    --
    Any sufficiently simple magic can be passed off as mere advanced technology.
    1. Re:Root access? No. by foniksonik · · Score: 5, Interesting

      This is true... Windows gives just enough access to really mess things up and not enough access to do anything about it.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    2. Re:Root access? No. by caluml · · Score: 2, Insightful

      Actually, I had a thought. Log in to your favourite Linux box as root, and edit /etc/fstab so that / is mounted from a non-existent partition ( e.g. /dev/hda13 ). Reboot.
      Now, to fix it is a cinch. Boot from favourite recovery CD ( Gentoo LiveCD for me), mount /, and edit /etc/fstab. Simple.

      On Windows 2K, right click My Computer, Manage, and go into the Disk Management. Change the C drive letter to X and reboot. What steps do you have to take to fix it then? (And it's a genuine question.)

      What about doing similar stupidness via lilo.conf, and boot.ini (i.e. changing the boot partition to something that doesn't exist).

    3. Re:Root access? No. by gbjbaanb · · Score: 2, Informative

      well, changing boot.ini is easy - press F8 while booting, choose the 'command line' option (in XP at least). edit and fix. reboot.

      Or.. for other versions (NT or W2k), boot from the OS CD you installed from, choose R for repair, then C for Recovery Console. correct boot.ini.

      If you change the drive letter from C: to X: the OS will still load (you mean, you thought you had to load Windows on primary partition called C:? shame). Some apps won't run properly though (fair enough really, they were coded to read absolute paths). Go back to Disk Management and change it back to C:. And that's a genuine answer.

      Isn't that procedure quite like what you'd do with Linux?
      See, windows isn't as bad as people think (no, really!), though I should say that that statement is qualified by a) windows being the NT-based kernels (not 95/98/ME), b) 'people' being Linux enthusiasts who aren't really that that knowledgeable about Windows.

  16. Re:Spreading FUD in a submission about FUD by Coward+the+Anonymous · · Score: 2, Informative

    " Heck the XP install even asks you for an administrator password and then the names of user accounts to make. Those user accounts default to non-root" Maybe in the Warez copy of XP you have, but the OEM XP Dell Disc that came with my laptop creates all users as Administrators.

    --
    -- Jason
  17. Great news! by DaHat · · Score: 5, Funny

    This is such good news for me, and here I was, ready to throw windows out of my life and become a linux guru, thanks microsoft for showing me what a mistake that would be!!!

  18. Re:Spreading FUD in a submission about FUD by EVuL_C · · Score: 2, Interesting

    umm. no. new users in XP and XP SP1 all have administrative access to the system. just like ALL previous versions of windows.

    Just because their name is not Administrator does not mean they don't have admin rights on the system.

  19. Re:Spreading FUD in a submission about FUD by Derek+Pomery · · Score: 4, Insightful

    That's no help at all if arbitrary users can elevate themselves to administrator privileges. NT-XP is fundamentally broken. Maybe the next version of Windows will solve this design problem, but I doubt it.

    This hole exists and actually has working exploits.

    --
    -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
  20. China distributes Linux code? by mahdi13 · · Score: 2, Insightful
    "Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?"
    Ummm, because we can look at it before we install it instead of just 'trusting' someone that it is good?
    And just how much code comes out of China anyway!?
    --
    "Some things have to be believed to be seen." - Ralph Hodgson
  21. It would not come as a shock by Progman3K · · Score: 2, Flamebait

    It would not come as a shock if we found out MS was behind the attempt to add a root exploit to the Linux kernel that happened last week...

    http://slashdot.org/article.pl?sid=03/11/06/058249&mode=thread&tid=106&tid=185

    Just what lows are they willing to sink to?

    Or am I just paranoid?

    Let's see, a corporation that stands to lose hundreds of millions of dollars in revenue to an open-source collective effort...

    If I were MS, I know I'd be afraid and might even do something like that....

    Has there been any new information on the security breach?

    --
    I don't know the meaning of the word 'don't' - J
  22. Ballmer comment... by Chicane-UK · · Score: 2

    I just noticed this :
    And at the end of October, Ballmer gave the audience at Gartner's autumn symposium a taster of what was to come when he attacked Linux's assumed security superiority. "In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."
    Yes.. some more classic FUD. But something did strike me about this comment. If they were to talk purely about the core operating system, I'd be willing to bet that Linux fared equally or better than Windows.

    Red Hat 6 is a distribution, and as such comes with a whole host of applications & suites when you do a full install. Windows Server 2003 is just the OS. If you were to bolt Microsoft Office, and all of the other comparable applications onto Windows that a Linux distribution includes, I am sure the security patch figures would not be in Microsoft's favour.

    It just shows that Microsoft are worried about Linux.. if their product was so damn good, they could sit back and let it sell itself. But it's obviously not, and they have to resort to this slander to try and win over the more gullible people to their side.

    Drives me crackers!

    --
    "Hey! Unless this is a nude love-in, get the hell off my property!!"
  23. Agreed by ttyp0 · · Score: 4, Interesting

    Period ending June '03, Microsoft spent 1.336 Billion in R&D. Five million isn't even half of one percent of research spending. Serious security? Doubtful.

    1. Re:Agreed by Anonymous Coward · · Score: 2, Interesting
      If you lost your dog and offered up a 100$ reward yet you made 100,000$ salary, would you not be serious about getting your dog back?

      No. You wouldn't be.

      Whatever you may think, 5 million is still a lot of money.

      Sure. It is. But for the type of marketing work it did for MS it was a bargain... even if they had to actually pay it all out.

      I mean come on... X-Box marketing budget was something like $500mil! I'd say MS is 100 times more serious about selling X-Box than about Windows security.

  24. Ob "security through obscurity" post by Jetson · · Score: 3, Interesting
    It's not the amount of holes in your software, it's whether or not the typical cracker knows how to exploit them.

    That's why Microsoft is so committed to solving security through obscurity -- they believe that keeping the flaws secret will keep crackers from developing exploits.

    The "study" will also no doubt find that Microsoft fixes their bugs much faster than open source programmers since the Windows bug and downloadable fix are often announced on the same day.

  25. Easy Answer by missing000 · · Score: 3, Informative

    MS can win a PR battle, because they have an endless amount of cash to pursue the cause.

    On the other hand, OS can win the desktop domination war by creating better systems that are less vulnerable in real world situations if we focus on grass roots marketing.

    1. Re:Easy Answer by Vlad_the_Inhaler · · Score: 5, Insightful

      They also have the cash to pursue security problems, their problem appears to be design flaws that can only be 'corrected around'.

      An obvious example is integrating their Web Browser into their OS to screw Netscape, a political decision taken by his Billship. Bugs in IE lead to the equivalent of root exploits, bugs in Mozilla mean that one user account can be compromised.

      Another political decision has been to install software to offer all kinds of services, basically to keep third party vendors out. This software defaults to being active. What was that database port vulnerability again? Another consequence of this is that a virus/worm writer has a reliable idea as to what components will be running/active.

      They have the cash for PR *and* fixes, but political decisions have led to a situation where this does not help. Having said that, if as many computers ran Linux as the various Win versions, we would also be seeing more problems than at present - they just would not be as serious.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    2. Re:Easy Answer by k12linux · · Score: 3, Insightful
      Having said that, if as many computers ran Linux as the various Win versions, we would also be seeing more problems than at present - they just would not be as serious.

      One very telling fact, IMHO, is that currently Apache holds over 3x the market share for web servers compared to MS's IIS. (Source November Web Server Survey - 67% vs 21%.) Yet look at the number and type of security alerts for each over the past year or two.

  26. first time SCARE to connect to the net... by imbert · · Score: 3, Insightful

    Hey Guys, For the first time after a decade on the net I was scared to connect to the net.. Do you know why? I just moved to a new house and I had to transfer my SBC/yahoo DSL account there. They gave me 10 days to complete the move so, I am without a DSL connection at my house... I had to use dial-up (I forgot how slow it was) but the only machine I had available with a modem was a station with Windows 2K professional that my wife uses... To be sincere, I was too lazy to install a modem on my Linux desktop that I use as a firewall for my home too. So, I looked at the Windows desktop connected by dial-up and I started thinking... Jesus, I am connected to the internet using Windows and without a firewall or anti-virus (I don't like any anti-virus... I don't think I need one till I see my M$ windows connected to the net)!!!! As soon as I connected I got that SPAM using the message service! Windows is a hell! Microsoft is a hell!

  27. You have to admit... by tdk2fe · · Score: 2, Insightful

    You have to admit that the entire fiasco, in which Microsoft, a multi-billion dollar a year company, is being so shaken by a community of rogue hobbyists, is really quite amusing. Microsoft should have a superior product. After all, they've been doing this for over a decade, pretty much have access to unlimited resources, and in the face of all that there are rival products out there that cost next to nothing to use. I think that in the next few years we are going to see some major economic shifting in the IT world. I think that the market is going to move towards supporting various services, and not charging for the actual software itself. That's the glory of the internet - it gives power and recognition to those who earn it and not to those who buy it.

  28. An evil play?? by markxsd · · Score: 4, Interesting
    Unless we're missing something... Who's to say that Microsoft haven't been doing a little unpublished research, looking for buffer overflows and other vulnerabilities that they're soon going to demonstrate? There are still bright people at Microsoft. There are certainly people bright enough to find bugs in software (maybe they won't find much wrong with the Linux kernel, but it's not going to be too difficult to find bugs in the myriad GNU and other packages that come with a typical distro). They might view finding and making public security holes in the competition as a more valuable and profitable exercise than securing their own OS and software.

    If they, like many of us, see Linux as the biggest credible threat out there, they might resort to fighting dirty. Linux does have the potential to shift the paradigm of the whole IT industry in the same way that Microsoft themselves did through the 80s and 90s. Sun et al are already feeling the heat in the server market. I'm certain that Bill and co are getting twitchy about how things are developing.

    We all know Microsoft is pretty cold and calculated when it comes to competitors. If Linux is next in the firing line, the open source community needs to be ready for this battle and the wars that will follow...

    1. Re:An evil play?? by Captain+Beefheart · · Score: 4, Insightful
      "If they, like many of us, see Linux as the biggest credible threat out there, they might resort to fighting dirty."

      This has been a long time coming, from the looks of it--Many of you are probably familiar with the Halloween documents, "an internal strategy memorandum on Microsoft's possible responses to the Linux/Open Source phenomenon." This was back in 1998. MS verified the documents as authentic but claimed it was "a mere engineering study that does not define Microsoft policy."

      They've probably been building up a case for a long time. But as Linux is systematically sound, they've apparently been forced to find specific, technical problems since their Ominously Vague Murmurs don't seem to be taking. The problem for them is whatever they pick is, by definition, fixable and not an element that defines Linux as Linux. Additionally, if you find 50 holes in Linux and 25 in, say, Windows Server 2003, that's not nearly as relevant as the average lifespan of the hole. With all the Linux distros, there may be dozens of holes at any given time, but there is only one Windows Server 2003. I challenge them to focus on one major distro.

      Lastly, MS has been coming off increasingly hostile and banging the "Linux BAD!" drum so obsessively that they run the risk of sounding like they're accusing corporate Linux licensees of incompetence, rather than trying to merely educate them.

  29. The Chinese know.... by i_want_you_to_throw_ · · Score: 4, Interesting

    First the Chinese get the Source Code for Windows then they decide to back Linux?

    Sounds more like our government had better look at who is more secure.

  30. Please respond to this post Microsoft by aws4y · · Score: 2, Interesting

    They may pull out all the stops, but they still have to explain why there is no memory protection built into the Windows Kernel, why the default user has install privileges, why they are now releasing patches on a monthly basis and not when the vulnerability is discovered.

    My first point is the one I want answered, why can't Microsoft build a kernel that polices the processes that it runs?

    --
    Did Glenn Beck rape and kill a girl in 1990? gb1990.com
  31. Uuuh by JawFunk · · Score: 2, Interesting
    "In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."

    Uuh...We're at 9 now buddy.

    --
    [Please sign here]
  32. OpenFUD by iCoach · · Score: 2, Interesting

    Ok, so M$'s FUD machine is gearing up. What option do we have other than bitch on the /. forums? I know donate to the EFF, write open code, blah blah - bullshit.

    I want to know what I CAN DO. From writing a senator, to going postal at M$. What are our options as Open Source advocates to beat the M$ FUD machine? An OpenFUD project? Because despite flame wars on /., despite arguments in IRC, despite all our efforts sooner or later the M$ FUD will find something that sticks in the back of the minds of all our PHBs. At which point OS security will be M$'s triumph instead of ours.

    -Coach

    --
    "Never upset a goalie, getting hit with a blocker is an unpleasant experience - facemask or not." -Me
  33. Projection by heironymouscoward · · Score: 2, Insightful

    Ancient Chinese Proverb:

    "We are fastest to attack others for the weaknesses we most fear in ourselves".

    OK, I just made it up, but it's true anyhow.

    --
    Ceci n'est pas une signature
  34. Good Call! by JawFunk · · Score: 2, Insightful
    ...just that they allocated $5Mil to the program...

    This will prompt "virus writers" to further cloak their sources, making it even harder to bust anyone, while the MS platform remains insecure.

    --
    [Please sign here]
    1. Re:Good Call! by ppanon · · Score: 5, Interesting

      This will prompt "virus writers" to further cloak their sources, making it even harder to bust anyone, while the MS platform remains insecure.

      Well, I don't know about that, but I think it will change the makeup of the virus-writing community. If Microsoft had done this 10 years ago, it might have made a small effect. I have gotten the impression that, back then, virus writers mainly did it for exposure and bragging rights. If you could no longer brag about it because it increased the odds that someone you bragged to would turn you in for $$$, it might have dissuaded a fair number of virus writers.

      However now, a substantial number of virus/trojan/worm writers seem to write cyber-parasites to get zombie machines to play core wars-style turf games on the Internet (such as DDOSing the people they don't like) or to spam for money.

      The motivation is no longer the same and these bounties are likely to have much less of an effect. It's too little, way too late.

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
  35. Users are the security problem by rudy_wayne · · Score: 4, Interesting

    Today, I was talking to a friend of mine who bought his first computer about 4 years ago. He wanted to back up every thing on his computer, so he dragged all the icons from the desktop over to his CD burning program. When I tried to explain to him that the only thing he burned onto the CD was a dozen shortcuts, and not the actual programs/data itself, he just looked at me with this totally blank stare and had absolutely no clue what I was talking about.

    The point is this: When it comes to programmer-related problems (buffer overflows, etc) Windows and Linux seem about equal. The big problem with Windows is that Microsoft's focus has been entirely on "ease of use" for people who know little or nothing about computers. That's how you sell lots of computers (and lots of copies of Windows). They created all sorts of nifty features (scripting, etc.) and turned them all on by default -- never giving a moment's thought to the harmful ways that these features could be used.

    Windows, in the hands of a knowledgeable person, can be just as secure as Linux.
    But, "right out of the box" it's a security nightmare -- a disaster waiting to happen.

    1. Re:Users are the security problem by the_mad_poster · · Score: 4, Interesting

      Windows, in the hands of a knowledgeable person, can be just as secure as Linux.

      In another dimension...

      Tell me - can I not install any vbScript? Can I not install IE or Outlook Express? Can I UNINSTALL IE once it's installed? Can I skip RPC? What about messenger? What about the GUI? What about any of those dozens of services that run by default on my XP box?

      Can I install JUST a linux kernel and the absolute bare bones minimum of tools for my box if I'm so inclined?

      It's possible to tweak Windows down to help shrink your liability, but never as far as you can go with Linux.

      Otherwise, I agree with most of what you said - especially about the users. It might be helpful to look at it the OTHER way: in the hands of an idiot, Linux is just as dangerous as Windows. In fact, probably more so because it's faaaaarrrrr more powerful.

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  36. Apples and Oranges by Supp0rtLinux · · Score: 2, Insightful

    The Steve Ballmer quote shows their erroneous way of thinking: "...And at the end of October, Ballmer gave the audience at Gartner's autumn symposium a taster of what was to come when he attacked Linux's assumed security superiority. 'In the first 150 days after the release of Windows 2000,' he said, 'there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher.'" Where's the RH9 comparison? He's comparing an operating system (Windows 2000 Server) to an OS *AND* applications (Linux). If he were to simply compare Windows 2000 Server to the Linux kernel in RH 6, there were no Linux vulnerabilities. Instead he compares simple Windows 2000 Server to Linux which includes Sendmail, Apache, BIND, Netscape, mySQL, etc. If we apply the same rules to his test and compare RH6 to Windows 2000 Server with IE, Exchange, MSSQL, Windows Media Player, etc... the results will be much different.

  37. What about the DMCA ? by Simon+Lyngshede · · Score: 2, Interesting

    Is this even legal in the USA, pointing out security holes I mean? I thought the DMCA made that illegal, or was it some other silly law?

    Anyway, strip down a Gnu/Linux distribution to a minimum and you'll see that the base OS has not had any major security issues. Strip down Windows and you'll still have one buggy browser to deal with, a GUI in the kernel (pretty stupid when you think about it) and of course you've got the whole range of open ports, which of course doesn't really do much, but still manages to pose a security risk.

    Linux and Unix software isn't that much better than the Windows equivalent, but the basic operating system does have fewer security issues. This isn't because Linux developers are more skilled than Microsoft developers (it would be kind of weird if they were). Linux has the advantage of being just a kernel; everything else is an addon. Windows is huge and complex, even in a minimal installation, if such a thing even exists.

    Microsoft can bash Linux all they want, I really don't care, it won't make me go back to Windows. I think Linux is a much better product in general, not just security wise and if Microsoft want me to think otherwise they will need to make some serious changes to Windows.

  38. Balmer's PR mistake by ortholattice · · Score: 3, Funny
    [Balmer] questioned the notion that the open source's community approach to fixing problems was superior to Microsoft's. "Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?"

    That should have been, "terrorist hacker in China."

  39. Re:Root access for all users?? by LadyLucky · · Score: 2, Interesting
    Replying to my own post, but still..

    Windows has many levels of user access. The administrators group is closest to the concept of 'root' in the world of unix, but it isn't identical. Local System is the real 'root' user, which you cannot log in as.

    It's perfectly permissible to run Windows not as a root user. And like Linux, this causes problems, and will require you to escalate privileges to do certain operations (think: mounting a network share which requires elevated access in Linux, or binding to ports). I'm not claiming that it's got perfect security or that local escalation exploits don't exist, they do (Shatter attacks in particular!), but they also exist on all platforms. Time to take blinkers off, SlashBots.

    --
    dominionrd.blogspot.com - Restaurants on
  40. Lets have a go at this, then... by angst7 · · Score: 2, Informative

    Unfortunately the article does little more than play the part of OS-War Meteorologist, but there was one quote we can sink our teeth into, according to Steve Ballmer:

    "In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."

    Now I'm going to figure that he's saying there were somewhere between 20-40 'critical' vulnerabilities in Redhat 6 in the first 150 days post release.

    I assume that the reason he's picked Redhat Linux 6 for this comparison is that it was the release which moved to glibc 2.1, and migrated to the 2.0 kernel. So he's picked a big move for Redhat, instead of a point release. This isn't entirely fair (in fact it's hard to draw a close comparison on security issues) due to the fact that Redhat 6.0 was released in April of 1999, whereas Windows 2000 wasn't released until February of the following year. Furthermore Microsoft (wisely) relied heavily on a certain "Break into Windows 2000" campaign to test the hell out of that OS. (remember the guestbook on that server? what a riot)

    Finally, comparing Redhat 6 to Windows 2003 is outright foolish. We may as well compare a freshly patched Redhat 7.3 to NT Service Pack 2 (though even this is an unfair analogy, 7.3 is far more stable than Win3k server).

    In sum: Bah.

    --
    StrategyTalk.com, PC Game Forums
  41. 99.9% of all viruses in wild - Microsoft only by Netlink · · Score: 3, Interesting

    More than 99.9% of all viruses in the wild will only work with Microsoft software.

    Sobig, Mimail, Sircam, Lovebug, Nimda, Code Red the list goes on.

    Microsoft will say that this is because most computers on the Internet run Windows, but a look at netcraft.com shows that more than 2 thirds of web servers run Apache, and only about 20% run IIS.

    Windows has more than 90% of desktops, but not more than 99.9%. I run Linux on my desktop, and don't even bother to run the Sophos antivirus client I have a license for, no point, no one could infect my desktop with any of the 80,000+ viruses sophos detects.

    If Microsoft are going to try this one then they will have to tell lies and pay for carefully run studies.

    I bet they will not compare Windows and Linux viruses!!

  42. MS is like politicians. by bs_02_06_02 · · Score: 3, Insightful

    MS can release "news" as a press release, and the newspapers eat it up. The public believes it. The hardware manufacturers "sell" this crap because they sell MS to consumers for Microsoft at a profit. Wall Street helps the process. Analysts hype the latest "features" for the latest vapor product from MS, due in 2012.
    MS sells themselves to the public by issuing press releases. They can say whatever they want, as long as they make a claim that they're doing something. There is no accountability. No one holds them responsible. Consumers keep throwing money at MS. Occasionally, someone points a finger, but MS then releases more press releases about vaporware due in 200x.

    Politicians do the same thing, "We need to spend more money on _____. We've been spending money on _____ for ___ years, and we've not solved the problem. We are renewing our effort."
    In other words, "We're going to light some money on fire, pose for a few photos with the underprivileged, and then waste a lot of money on cigars, dinner, and entertainment."

    Microsoft has excellent people playing the press release game. Everyone sells Microsoft products for MS.
    How many people have actually met a Microsoft employee? Yet 1/2 of the planet owns or uses something with Microsoft products in it.

    --
    -- No sig for you!
  43. Re:hypocrits by superchkn · · Score: 2, Interesting
    I see you subscribe to the MS FUD newsletter. ;-)

    Here's a little reality for you:
    1. RH6 !== Windows 2003 Server
    2. Applications !== OS
    3. Remote Root Exploit !== Every security patch

    Instead of reading the comments, you blindly replied with a canned response. I've listed the most common subject of the postings I've read so far so you'll know what to look for when reading the posts yourself.

    If you'd like to respond to these issues point-by-point and explain how this is an objective scientific study and not (at the very least) an ignorant and misleading article, I'd be happy to join in a discussion.
  44. Linux and Security Holes by jd · · Score: 4, Funny
    Inspired by this research, I sought to find other examples of security holes in Linux which do not occur in Windows.
    • Linux is more stable, thereby giving crackers more time to break passwords.
    • By not fixing things, Microsoft Windows causes crackers to become lazy and slothful, so when a patch does arrive, the cracker won't be expecting it.
    • Many Linux distros use MD5 hashing for passwords, which is much slower than just storing in plain text, making it possible to run a denial-of-service against a Linux box.
    • By renaming COMMAND.COM to CMD.EXE, Windows is secure against DOS attacks. At least, those up to 6.22.
    • Windows cannot trigger world chaos in safe mode. It's disabled.
    • By using all available memory, Windows cannot run additional viruses.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  45. Re:They still don't get it .... by MarkusQ · · Score: 3, Insightful

    No. It makes it better for YOU. 0.5% of people who use a computer. How is that BETTER?

    Nuts. It makes it better for everyone. Look at it this way: would you rather take a drug that has been tested by hundreds or thousands of independent testing labs around the world, who published their results for all to see, or one that was produced by some big company who assured you that theirs was safe and effective, but wouldn't tell anyone what was in it?

    You don't have to be an independent testing lab to benefit from the existence of independent testing labs. Likewise, you don't have to be a coder to benefit from open source software.

    -- MarkusQ

  46. The major security problem... by Kindaian · · Score: 3, Interesting

    Is that while everyone can audit every line of code of open source OSes, nobody (apart from Microsoft) can audit Windows... Who can say that Windows doesn't have backdoors for the FBI or worse?

  47. Can you keep a secret? by A+nonymous+Coward · · Score: 2, Insightful

    So can I. But two people can't.

    If you are saying nudge, nudge wink, wink that Microsoft has programmers looking thru FLOSS source for vulnerabilities, well, it wouldn't stay secret for long. They would be overheard bragging to each other, or misdirect a memo or email, or have second thoughts.

    In addition, if these Microsofties are as good and hard working as the propaganda mills claim, then good that someone is finding more bugs for us.

    Plus, these Microsofties won't be doing anything evil for the evil empire, but instead doing good for the rebels. This is like the FBI undercover agents in peace marches, great!

  48. Microsoft IS FASTER by jridley · · Score: 4, Insightful

    From the time that they acknowledge a bug until it's patched is VERY FAST.

    The problem is that they won't acknowledge a bug until they already have a fix for it. Often bugs are known about by the world for months, and MS says there's no such bug. When they do acknowledge it, then yeah, there's a fix out within hours or a day or two at most.

    So, apples and oranges. If Linux takes 4 days to patch a bug as soon as it's known, and Windows takes 4 months to acknowledge a bug's existence, then 2 days to patch, which is better?

  49. Re:Root access for all users?? by GoneGaryT · · Score: 2, Interesting

    Yes but...

    Windows exploits that '0wn' your machine go in at System privilege level. That's one above Administrator; you can be logged in as such while someone 'sploits your box and there's *nothing* you can do to defend it (apart from introducing sudden air-gap security). On a GNU/Linux box, you can at least try to defend it during an attack if you wish.

  50. As if... by Overly+Critical+Guy · · Score: 2, Insightful

    I love the biased nature of the summary.

    As if Linux people don't "hype" things against Windows, either.

    Meanwhile, the rational, quiet people whose opinions aren't voiced in boisterous +5 posts all the time just watch from the sidelines, shake their heads, and use the right tool for the job, whatever that may be.

    --
    "Sufferin' succotash."
    1. Re:As if... by amcnabb · · Score: 2, Interesting

      Meanwhile, the rational, quiet people whose opinions aren't voiced in boisterous +5 posts all the time just watch from the sidelines, shake their heads, and use the right tool for the job, whatever that may be.

      Are you implying that Windows is the right tool for the job? For any job? Whoa.

      For non-techies, Apple is the way to go. For corporate and/or programming environments, Linux/UNIX is the way to go. Not much room for Microsoft in the middle.

    2. Re:As if... by Lodragandraoidh · · Score: 5, Interesting

      I started out as a Dos/Windows user from day 1 (actually I really started out as a TI 99a user - but that is another story). I have also managed and used all of the windows operating systems from Win 3.1 up to the present Win XP. When I didn't know any better, I used to think the DOS command line was the best thing since sliced bread, and batch files were my scripting nirvana.

      Then I started using *nix. I loaded Linux for the first time in 1992, and have been using it ever since. I was also a Unix system administrator during my career, and was using Sun systems in college before that. I learned the tool building paradigm of Unix, and absorbed awk, sed, perl, python, lisp, java, and a host of tools unheard of in the Microsoft world. Things that I spent hours accomplishing with Windows and DOS, I was accomplishing in minutes with Linux.

      From my vantage point, it is plain to see that the Microsoft products are not up to the task of being a general purpose workstation/server operating system. When compared to industrial strength Unix and Linux distributions, it is a toy - and should be advertised as such.

      I think the key distinction we need to understand is the ability of an end user to ameliorate security problems and other bugs when they manifest themselves. In *nix, usually the source code is available for modification, or a work around can be accomplished quickly with a scripting language because of the clear text interprocess communication mechanisms available. On the Microsoft side of the house, we are clearly dependent upon the good will and scheduling of Microsoft to get the fix implemented - and there is not much we can do to alter the outcome. So, the choices are independent ability to fix things, as needed - or Big Brother Knows Best; I know what I prefer.

      Given the above, Microsoft is never the 'right tool for the job', unless your job is a toy application that is expected to be obsolete within a few years. The simple measure of this is to look at all the DOS applications that are currently being used by end users, versus *nix applications (albeit in GNU form) - *nix wins hands down. Don't believe I haven't tried using various DOS and Windows tools - but they just don't have the overall flexibility and usefulness that can be plentifully found under *nix.

      What really boggles me about this whole issue is how people can be screwed by MS a thousand times over (non backwards compatible file formats, blecherous incomplete implementation of Java, a malformed central configuration repository that causes complete system meltdowns when corrupted - that end users are not shown how to back up out of the box, etc...the list goes on and on), and yet come back smiling for more! What is really amusing (sad, really) is how I see some people rationalize that they were the ones at fault: "It was silly of me to build my spreadsheets in MS Works 1.4 back in '85 - what was I thinking! I should have copied all those entries across to Excel back in '95". To me this is a red flag that I am being taken for a ride. I woke up. I hope you do too.

      --

      Lodragan Draoidh
      The more you explain it, the more I don't understand it. - Mark Twain
    3. Re:As if... by LX.onesizebigger · · Score: 3, Insightful

      People favour the things they favour. That should hardly be surprising.

      The interesting question is why, given its relative user base, is Linux favoured so strongly by so many?

      I hear very little subjective promotion of Microsoft (except where subjective == for profit), especially given its large user base (I hear a lot of complaints from their users, though). Isn't the relative intensity of voluntary, subjective lauding of software an assessment as objective as any at the end of the day?

      --
      I for one welcome our new SCOviet Russian overlords to whom all our base are belong.
    4. Re:As if... by Afrosheen · · Score: 2, Informative

      In the same vein as the Visa adverts..

      'For industrial strength linux applications, there's Linux. For everything else, there's VMWare.' Vmware, bridging the gap between you and your company's proprietary apps.

      Ok now VMWare, pay up.

    5. Re:As if... by Dave_bsr · · Score: 2, Insightful

      Being most popular doesn't make it the best tool... For your average office+IE+mail desktop, Linux is getting ever closer to not just matching Windows, but being BETTER. Especially in a biz environment where security and manageability are important.

      --
      Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
  51. What in Heck nowhere near as bad as 5 years by Anonymous Coward · · Score: 3, Interesting

    The Blaster worm defect is 5+ years in age. Now in most cases you have 2 years for a virus writer to find and use a bug, or 4 months for a data thief. Linux is staying inside the safe space (note: I would like it better, but nothing is perfect). But the Blaster flaw was known for sure in 1995. I found it then on a data thief's howto site (know your enemy). The reason for not patching was users wanting network connections out of the box. Ok, why in hell did it allow the port through dial-up connections, and why in hell could you not disable it on network cards?

    That is right, you have to install a third-party firewall. Here is Microsoft's biggest problem: no good default firewall. Most Linux faults can be blocked out by the default firewall. The next version will target programs, if everything goes to plan, which will make Linux even harder to attack.

    Note the one in Windows XP is a poor firewall; a free one shipped with the OS would have been better.

    The other defence of Linux is that in most cases we do not have one program to do just that task. I.e. multiple ftp servers, different versions of Apache and removable modules, multiple email servers.

    Basically Linux defence is patch or swap out of operation. Swapped-out-of-operation stuff has patches that are slower because there is no need to rush the patch. I.e. if everyone has swapped out as directed there will be no problem. Basically a swap-out directive had better be called a full patch at the directive, or Microsoft has stuffed up its report.

  52. Great! You find, we fix. by Rex+Code · · Score: 3, Insightful

    Unless we're missing something... Who's to say that Microsoft hasn't been doing a little unpublished research, looking for buffer overflows and other vulnerabilities that they're soon going to demonstrate?

    [...]

    If they like many of us see Linux as the biggest credible threat out there, they might resort to fighting dirty.


    The thing is, most OSS developers I know (myself included) welcome public review and full disclosure. If I get advance notice of a security problem, I look at that as a luxury, and have no problem with finding out along with the public. Once problems are pointed out, it's usually easy enough to fix them quickly. Having Microsoft auditing open source code for free would actually be quite beneficial.

    The reason full disclosure is so important is that without it, these holes still exist, circulating among the black-hats. Unlike Microsoft who'd rather sweep problems under the rug. Disclosing problems isn't "playing dirty"; it's step one in getting them fixed.

  53. Meet 'tu quoque' by inkswamp · · Score: 4, Insightful
    Microsoft needs to learn the Latin phrase tu quoque which translates as "you're another." The term is used in the study of formal logic and refers to a logical fallacy, that is, defending oneself by pointing out the weaknesses of another. Of course, if I own a company that produces a shoddy operating system with consistently lousy security and a puzzling number of thoughtless or bad decisions in terms of general design, pointing out the same in a competitor does absolutely nothing about my own shortcomings. However, this is a wonderfully effective rhetorical technique for throwing the attention off my problems and on to yours.

    So, even if Linux was the most bug-ridden operating system with massive security holes, it wouldn't even matter. It certainly doesn't excuse one of the largest and most powerful software companies on the planet, i.e., one that can marshal a massive amount of resources and money to produce respectable software, from the ridiculous numbers of security issues and bugs that arise in almost every product they release.

    Politicians love tu quoque, by the way.

    --
    --Rick "If it isn't broken, take it apart and find out why."
  54. Re:Bill Clinton also got caught lying... by dougnaka · · Score: 3, Funny
    "The British Government has learned that Saddam Hussein recently sought significant quantities of uranium from Africa." Saddam Hussein DID try to get significant quantities of Uranium out of Africa. The current problem is the Intelligence community can't find his supplier, Francis Sonto Mbomam. Seems the only contact between him and Saddam was via email. But he did say he had $20.5M (TWENTY MILLION FIVE HUNDRED THOUSAND POUNDS OF URANIUM) for transfer to Saddam's Uranium account.

    --
    My Linux Command of the Day site : LCOD
  55. Re:ha ha... by KD5YPT · · Score: 3, Funny

    Windows is awesome, Microsoft are nice people. Linux are the OS for the Communists and written by a bunch of hackers.

    Now Bill Gates, pay up.

    --
    In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
  56. Thank you MS by salesgeek · · Score: 2, Insightful

    The people at MS truly don't get it with respect to Open Source. All that the strategy of highlighting problems with Linux will do is:

    1) Make developers aware of bugs.
    2) Encourage developers to fix said bugs.
    3) Ultimately, Linux will get more reliable and secure.

    MS should learn from their attempt to beat Apache - Open Source is a force of nature.

    --
    -- $G
  57. Difference in ways of responding to security holes by Kolinar · · Score: 2, Interesting

    There is a difference in the ways of responding to security holes.

    On discovery of a security hole, Linux's and other Open Source way is to announce publicly that there is a security hole that needs people's attention; ways to safeguard oneself against the security hole are first discussed. A patch is then quickly produced and distributed.

    On the other hand, on discovery of a security hole, Microsoft does *NOT* announce the security hole, fearing wide-spread exploitation would lead to catastrophe. A patch is produced in the meantime (when the general public has no awareness that a security hole even exists). At about the same time as the announcement of the security hole, a patch is released to the general public.

    Microsoft might take advantage of this difference in the patching process to tip the scale in their favor. The public perception of "speed" of patching would be faster, because the patch is provided at around the same time as the announcement, when the actual time between discovery and completion of the patch may (or may not) be longer.
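    Added illustration, not part of any comment in this thread, of the point made in comments 48 and 57: the same advisory records produce opposite "speed" rankings depending on whether the clock starts at discovery or at public disclosure. The vendor labels and dates are constructed to mirror the numbers the comments quote (days to patch after announcing, versus months of silence followed by a patch within days).

```python
# Added illustration, not from the original thread: how the same patch
# records yield opposite "speed" rankings depending on the clock start.
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Advisory:
    """One fixed hole, with the three dates the comments argue about."""
    vendor: str
    discovered: date  # first known to the vendor or maintainers
    disclosed: date   # first told to the public
    patched: date     # fix available to users


def days_from_disclosure(a: Advisory) -> int:
    """The metric a vendor-friendly study reports: public notice to fix."""
    return (a.patched - a.disclosed).days


def days_from_discovery(a: Advisory) -> int:
    """The metric users care about: the whole window the hole was open."""
    return (a.patched - a.discovered).days


def days_in_the_dark(a: Advisory) -> int:
    """Part of that window in which users could not even mitigate."""
    return (a.disclosed - a.discovered).days


def average_by_vendor(advisories, metric):
    """Mean of `metric` per vendor, e.g. {'announce-first': 5.0, ...}."""
    buckets: dict[str, list[int]] = {}
    for a in advisories:
        buckets.setdefault(a.vendor, []).append(metric(a))
    return {vendor: mean(vals) for vendor, vals in buckets.items()}


def ranking(advisories, metric):
    """Vendors ordered fastest-first under the chosen metric."""
    avgs = average_by_vendor(advisories, metric)
    return sorted(avgs, key=avgs.get)


# Constructed sample (made-up vendors and dates): one vendor announces on
# discovery and patches within days; the other sits on the hole for months
# and announces only when the fix ships.
SAMPLE = [
    Advisory("announce-first", date(2003, 5, 1), date(2003, 5, 1), date(2003, 5, 5)),
    Advisory("announce-first", date(2003, 6, 10), date(2003, 6, 10), date(2003, 6, 16)),
    Advisory("patch-first", date(2003, 1, 15), date(2003, 5, 15), date(2003, 5, 17)),
    Advisory("patch-first", date(2003, 3, 1), date(2003, 6, 1), date(2003, 6, 2)),
]

if __name__ == "__main__":
    for name, metric in [("from disclosure", days_from_disclosure),
                         ("from discovery", days_from_discovery),
                         ("in the dark", days_in_the_dark)]:
        print(f"{name:16s}", average_by_vendor(SAMPLE, metric), ranking(SAMPLE, metric))
```

    Under "from disclosure" the silent vendor looks roughly three times faster; under "from discovery" it is slower by two orders of magnitude, which is the apples-and-oranges comparison the comments describe.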

  58. This is a dangerous strategy by One+Louder · · Score: 4, Insightful
    This could backfire on Microsoft.

    Pointing out that some other, "free", product has flaws is hardly a good defense for flaws in an expensive one.

    A customer who takes this advice and removes Linux simply makes any Linux problems irrelevant - it doesn't make the past, present, and future Windows security problems magically go away.

  59. Linux vs. Windows by Sheepdot · · Score: 2, Insightful

    Default install of RedHat 9 compromise time: 10 days.

    Default install of Windows 98 compromise time: 4 years and counting...

    I'm going to get modded down for this, but if I click the default crap on any Linux distro I'm more than likely going to install some god-forsaken client (in the case above, an ftp service) that will sit on an open port and eventually be scanned and compromised.

    How is this any better than the RPC exploits?

    I'd feel a lot safer if installations of *nix had easy to understand installation options.

    Sure, someone can brag that you can get infected by Nachi in 6 seconds with an XP machine, but how often do you get rooted? How quickly do you notice? Is Linux as "fire-and-forget" as /.'rs seem to claim it is? No.

    Stick with Apache on *dows. :)

  60. Re:Linux vs. Windows - wha? by dougnaka · · Score: 3, Insightful
    I'm confused... "Default install of RedHat 9 compromise time: 10 days. Default install of Windows 98 compromise time: 4 years and counting..."

    Are you stating these as times since you did an install until you got compromised?
    Because if you have a Windows 98 default install and give it an unfirewalled connection to the Internet with a real IP address you've got 5 maybe 10 minutes before you're compromised.

    I'm assuming you meant ftp server and not client, as for your box to get 0wn3d through a client requires your participation to some level.

    The Nachi virus *does* root you. That's what's amazing about Windows. Many Linux vulnerabilities allow some types of access, but full remote root vulns in Linux itself are rare. Windows just doesn't seem as infected because most virus writers aren't out to wreck your machine and delete your data. Nachi, or any of the other ones, could have easily deleted your files, or read them and mailed the goods to the bad guys.

    I'd stake money that one day in the next couple of years some malicious virus writer will strike, and all Windows users will realize that every virus since Melissa has had full control of their computers. Unfortunately, until it happens, nobody will think that viruses are more than minor nuisances.

    --
    My Linux Command of the Day site : LCOD
  61. Wait a moment... by Catiline · · Score: 2, Interesting

    Last time I checked, Jim Allchin (VP at MS) talked about "unfixable security flaws" on the stand at the antitrust trial. That alone has made me laugh any time Microsoft starts talking about their security measures. Therefore, I'll take any talk on security Microsoft makes seriously only after they announce a fix for their unfixable flaws -- things like shatter attacks.

  62. Re:ha ha... by Dwonis · · Score: 2, Insightful

    What's funny is that Linux zealots spread Windows FUD in the same manner except for free.

    "FUD" is typically reserved for unjustified fear, uncertainty, and doubt. The truth is generally not called "FUD"...

    ;-)

  63. Re:For me, it's only about FREEDOM and INDEPENDANC by Bert64 · · Score: 2, Insightful

    Naive.
    FUD tactics _DO_ work... how do you think Microsoft got their current marketshare, and held onto it in the face of superior competition (Mac, OS/2, BeOS)?
    It certainly wasn't by having a superior product; it is well accepted that given versions of OS/2, BeOS or MacOS have always been superior to the versions of Windows available at the same time. OS/2 had the best chance, since at the time not only was it compatible and capable of running Windows/DOS programs, it was also considerably faster and more stable than Windows. How did Microsoft beat them? They held them back with FUD and then changed their API for intentional incompatibility.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  64. Duh? by hughk · · Score: 2, Interesting
    RH 9 locks down unrequested services and suggests medium level firewall out of the box. My biggest issue with RH security problems is turning things back on, or at least explaining that to people (no big deal).

    If you install a workstation, you must explicitly request servers. You must punch holes in your firewall to run some software.

    --
    See my journal, I write things there
  65. MS vs Linux by Loconut1389 · · Score: 2, Insightful

    I think a good portion of the problem is a mentality difference. Windows users are more set-it-and-forget-it, used to a certain level of separation from the workings of the OS, whereas Unix folk are more traditionally involved in every aspect of the configuration of their system. Only recently has the abstraction come to Linux with the install-everything-in-one-go abilities of so many distributions, but admins and older Unix junkies still are aware they have to configure things and secure them. Unix people in general pay attention to security news and install patches right away. Windows people tend to click on "remind me in 2 weeks" if they even have the auto update feature installed. I know people that are years out of date on updates.

    One concession about Windows though, is there are so many things you can't turn off or uninstall. At least with Linux you can have no open ports if you so desire.