Slashdot Mirror


Security FUD On Linux

bobmatnyc writes "InfoWorld reports that Microsoft is planning a "security assault on Linux" by hyping results of a commissioned study pointing to the number of security holes in Linux vs. Windows, the number of days it takes to fill the patches, and by raising questions as to the reliability of code submitted through the OS process. I suppose if they focus very narrowly on one measurement of security, completely ignore script-level vulnerabilities, default settings vulnerabilities (such as root access for all users), and the demographics of the user population, as well as a zillion other things I'm not clever enough to think of off the top of my head, they may have a point."

37 of 679 comments

  1. Finally! by Anonymous Coward · Score: 5, Funny

    I've been waiting years for Security FUD to run on Linux. I'm glad someone was able to port this over from Windows.

    1. Re:Finally! by msh104 · Score: 5, Funny

      if that would just be all, 100 dollars on it that they are only going to compare limitations of redhat only (perhaps even an old version) with their microsoft product. why don't they just spend that money and time on fixing bugs in windows instead of finding them in linux. perhaps we should create a bugzilla for them so they can post the problems they find there, i am sure someone will fix them.

    2. Re:Finally! by Blikbok · Score: 5, Insightful

      The biggest score Microsoft has had is convincing its users that all of the rebooting and crashing and poorly-designed security features are to be expected in powerful software, and to expect to not only pay for such software, but buy extra software and pay consultants to work around these misfeatures.

      I don't know if making "Redhat" a synonym of "Linux" is all MS's fault though.

  2. Reward Program? by BrynM · Score: 4, Interesting
    From the article:
    Last week, the company announced a $5 million reward program aimed at bringing virus writers to justice. Although it is unlikely to reap any tangible results, the message was clear: Microsoft is taking security seriously.
    How seriously can they be taking it if all they did was start a $5Mil smoke and mirrors reward program? Tackling security problems with PR is not taking security seriously, it's being flippant with your solution. I wonder how much this program will eventually pay out. They didn't say that the reward was $5Mil, just that they allocated $5Mil to the program for creating rewards. Is that program in the marketing division or is it a real program?
    --
    US Democracy: The best person for the job (among These pre-selected choices...)
    1. Re:Reward Program? by John Allsup · Score: 4, Insightful

      They're taking the appearance of security seriously: whether or not the security is real is effectively irrelevant to those who can't tell the difference. (It's a matter of who they listen to, and whether that 'who' is Micro$oft.)

      --
      John_Chalisque
    2. Re:Reward Program? by PierceLabs · Score: 4, Insightful

      Microsoft's apparent idea of security is to sue people who expose vulnerabilities and to put out bounties so that others who might be encouraged to exploit those vulnerabilities would be afraid to do something. This doesn't suggest that Microsoft is taking security seriously, it suggests that they're pissed that people are exposing how Microsoft ISN'T taking security seriously. Microsoft can create as many initiatives as they want, but so long as they continue to live in the world where providing dancing paperclips on the screen in a single click is more important than making sure that users have to actually understand their machines before letting programs change system files - they aren't doing the world or themselves any favors.

  3. Remotely vs. locally exploitable by winkydink · Score: 5, Insightful

    As somebody pointed out to me not too long ago, as long as MS talks about security holes that are remotely exploitable, I don't think Linux has anything to worry about.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:Remotely vs. locally exploitable by BrynM · Score: 5, Interesting

      It's their report and their numbers. Do you think that they would highlight the areas in which they are weak? The report will probably focus on printer exploits or something just as inane. I think the original submitter was right in the idea that they will ignore Outlook/Script exploits and focus on the OS itself (I know - not a good track record there either, but it's better). Since they are presenting data on the time to a fix, I know that they are ignoring the time that the public doesn't know about an MS exploit and making it seem like they work coding miracles. They may have hit on a very subtle point with Linux security without addressing it directly: Linux exploits get reported sooner and OSS coders encourage others to report exploits quickly. MS obfuscates their exploit reports and would rather only know about them behind closed doors.

      --
      US Democracy: The best person for the job (among These pre-selected choices...)
  4. Talk about shooting yourself in the foot by coolmacdude · Score: 5, Interesting

    A good rule of thumb in competition is to only start wars you know you can win. Something is not clicking here...

    --

    -You may license this sig for only $6.99.
    1. Re:Talk about shooting yourself in the foot by beacher · Score: 4, Funny

      There are 5 stages of denial - denial, anger, bargaining, depression, and acceptance. Wonder which stage this PR campaign fits?

  5. Easy Question to Ask by toupsie · Score: 5, Informative
    How many Linux Security Threats have made me work over 24 hours straight? 0 in 2003

    How many Windows Security Threats have made me work over 24 hours straight? 1 every two months in 2003

    Guess which OS I like to support?

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
    1. Re:Easy Question to Ask by Anonymous Coward · Score: 4, Funny
      If only applying patches were all one had to do to administer a Windows box! Due to Microsoft's delayed reaction times, it goes something more like this:

      Wake up, day 1, to phone call saying "all our computers are shutting down randomly!" You grumble and go to work.

      At work, you pop in your trusty f_prot or other comparable antivirus software and BAM! There's Blaster/SoBig/Klez/whatever staring you in the face. You yell at a random staffer for opening attachments at work.

      You begin isolating and cleaning all infected machines. You run scans on a few other machines just to make sure.

      You lecture the entire office once again on how it never really is a cool screensaver or neat program that their friend sends them in the e-mail.

      Two hours later someone comes back to your room carrying a printout of an e-mail with an attachment. "Is this a virus?" they ask. You cringe. The printout contains the words "application/octet-stream." You manage to croak something and nod hoarsely.

      You grab your antivirus disk again and go clean the Klez off all the machines in billing. For a second time. You curse Outlook violently at this point in time. You are probably becoming irrational and violent, like an enraged monkey.

      You go home at the end of the day and dream of playing Russian roulette with a shotgun.

      This continues for a week until Microsoft releases the patch, which you download and install. You think everything will be OK for a while.

      You get a call the following morning. Some idiot brought his laptop up from home, and his kids had been using it. You now have 30 more viruses to clean! Fun!

      You tell your boss that he could pay you 1/3 of the pay he does (minus overtime) if he'd just go buy some Macs or let you install Linux on the office computers. He strokes his pointy hair and laughs at you.

      You die cold, bitter and alone, and Bill Gates torments your soul for all eternity.

    2. Re:Easy Question to Ask by muckdog · Score: 5, Insightful

      You haven't "worked" in IT, have you? Part of that time is testing the patches to make sure they work and don't break something else worse than what the worm/virus/hole will do. Anyone who lets Windows update run fully automated on production servers is a fool.

  6. Another 'commissioned' report... by Chicane-UK · Score: 4, Interesting

    What frustrates me about these is that people actually BELIEVE them. Though given the recent security blunders by Microsoft (such as that little problem called 'Blaster') people might finally realise that this stuff is a load of BS.. or very very twisted fiction.

    And I just wish that the comments & replies of key figures in the Open Source community made the headlines in the same way as these 'reports' do.

    --
    "Hey! Unless this is a nude love-in, get the hell off my property!!"
  7. Moving well on into stage 3... by Space cowboy · Score: 4, Insightful

    First they ignore you
    Then they laugh at you
    Then they fight you
    Then you win

    Mohandas Gandhi

    --
    Physicists get Hadrons!
  8. Reaching towards the goal by Ridgelift · Score: 4, Interesting

    It's been said many times before, but it bears repeating:

    First, they ignore you,

    Then they laugh at you,

    Then they fight you,

    Then you win.

    - Mahatma Gandhi

    1. Re:Reaching towards the goal by IIH · Score: 4, Insightful

      It's been said many times before, but it bears repeating:

      The truthfulness of a statement is independent of the number of times it is repeated. (Is not! Is too!, is not! is too! is not times infinity!)

      First, they ignore you,
      Then they laugh at you,
      Then they fight you,
      Then you win.

      SCO have been ignored, laughed at, are being fought at the moment, so do you expect them to win too?

      --
      Exigo spamos et dona ferentes
  9. Linux isn't perfect by nuggz · Score: 4, Insightful

    Linux isn't perfect. By design, the implementation, or the way people admin their machines.

    There is an understanding that MS is also not perfect. People expect security holes, and bugs and crashes.

    I think it is good that this might result in a nice list of where linux has gone wrong in the past, and what hurdles to overcome in the future.

    If the competition wants to make you the "Build a better OS HOWTO" I think they should be as free as anyone to add to the LDP.

  10. Hardly surprising by DG · Score: 5, Insightful

    Given that Microsoft got caught lying to a Federal judge (during the antitrust case) why is anyone surprised that they'll lie to their customers?

    Isn't that a given?

    Anybody looking to a vendor to provide accurate data about its products or the products of its competitors deserves the crap they get.

    DG

    --
    Want to learn about race cars? Read my Book
  11. Re:Spreading FUD in a submission about FUD by tomstdenis · Score: 5, Informative

    Actually no. Those users are part of the Administrators [re: root] group. Check yer users settings sometime :-)

    Tom

    --
    Someday, I'll have a real sig.
  12. Root access? No. by shrikel · Score: 4, Insightful
    Not to be inflammatory, but ...

    such as root access for all users

    On Windows, even the Administrator account (which is the level that lots of people log in to) is not really root access. The Local System account is comparable to root. The Administrator has control over all user-controllable parts of the OS but there are parts that are not user-controllable.

    --
    Any sufficiently simple magic can be passed off as mere advanced technology.
    1. Re:Root access? No. by foniksonik · Score: 5, Interesting

      This is true... Windows gives just enough access to really mess things up and not enough access to do anything about it.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
  13. Great news! by DaHat · Score: 5, Funny

    This is such good news for me, and here I was, ready to throw windows out of my life and become a linux guru, thanks microsoft for showing me what a mistake that would be!!!

  14. Re:Spreading FUD in a submission about FUD by Derek Pomery · Score: 4, Insightful

    That's no help at all if arbitrary users can elevate themselves to administrator privileges. NT-XP is fundamentally broken. Maybe the next version of Windows will solve this design problem, but I doubt it.

    This hole exists and actually has working exploits.

    --
    -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
  15. Agreed by ttyp0 · Score: 4, Interesting

    Period ending June '03, Microsoft spent 1.336 Billion in R&D. Five million isn't even half of one percent of research spending. Serious security? Doubtful.

  16. An evil play?? by markxsd · Score: 4, Interesting
    Unless we're missing something... Who's to say that Microsoft haven't been doing a little unpublished research, looking for buffer overflows and other vulnerabilities that they're soon going to demonstrate? There are still bright people at Microsoft. There are certainly people bright enough to find bugs in software (maybe they won't find much wrong with the Linux kernel, but it's not going to be too difficult to find bugs in myriad GNU and other packages that come with a typical distro). They might view finding and making public security holes in the competition as a more valuable and profitable exercise than securing their own OS and software.

    If they like many of us see Linux as the biggest credible threat out there, they might resort to fighting dirty. Linux does have the potential to shift the paradigm of the whole IT industry in the same way that Microsoft themselves did through the 80s and 90s. Sun et al are already feeling the heat in the server market. I'm certain that Bill and co are getting twitchy about how things are developing.

    We all know Microsoft is pretty cold and calculated when it comes to competitors. If Linux is next in the firing line, the open source community needs to be ready for this battle and the wars that will follow...

    1. Re:An evil play?? by Captain Beefheart · Score: 4, Insightful
      "If they like many of us see Linux as the biggest credible threat out there, they might resort to fighting dirty."

      This has been a long time coming, from the looks of it. Many of you are probably familiar with the Halloween documents, "an internal strategy memorandum on Microsoft's possible responses to the Linux/Open Source phenomenon." This was back in 1998. MS verified the documents as authentic but claimed it was "a mere engineering study that does not define Microsoft policy."

      They've probably been building up a case for a long time. But as Linux is systematically sound, they've apparently been forced to find specific, technical problems since their Ominously Vague Murmurs don't seem to be taking. The problem for them is whatever they pick is, by definition, fixable and not an element that defines Linux as Linux. Additionally, if you find 50 holes in Linux and 25 in, say, Windows Server 2003, that's not nearly as relevant as the average lifespan of the hole. With all the Linux distros, there may be dozens of holes at any given time, but there is only one Windows Server 2003. I challenge them to focus on one major distro.

      Lastly, MS has been coming off increasingly hostile and banging the "Linux BAD!" drum so obsessively that they run the risk of sounding like they're accusing corporate Linux licensees of incompetence, rather than trying to merely educate them.

  17. The Chinese know.... by i_want_you_to_throw_ · Score: 4, Interesting

    First the Chinese get the Source Code for Windows then they decide to back Linux?

    Sounds more like our government had better look at who is more secure.

  18. Users are the security problem by rudy_wayne · Score: 4, Interesting

    Today, I was talking to a friend of mine who bought his first computer about 4 years ago. He wanted to back up every thing on his computer, so he dragged all the icons from the desktop over to his CD burning program. When I tried to explain to him that the only thing he burned onto the CD was a dozen shortcuts, and not the actual programs/data itself, he just looked at me with this totally blank stare and had absolutely no clue what I was talking about.

    The point is this: When it comes to programmer-related problems (buffer overflows, etc) Windows and Linux seem about equal. The big problem with Windows is that Microsoft's focus has been entirely on "ease of use" for people who know little or nothing about computers. That's how you sell lots of computers (and lots of copies of Windows). They created all sorts of nifty features (scripting, etc.) and turned them all on by default -- never giving a moment's thought to the harmful ways that these features could be used.

    Windows, in the hands of a knowledgeable person, can be just as secure as Linux.
    But, "right out of the box" it's a security nightmare -- a disaster waiting to happen.

    1. Re:Users are the security problem by the_mad_poster · Score: 4, Interesting

      Windows, in the hands of a knowledgeable person, can be just as secure as Linux.

      In another dimension...

      Tell me - can I not install any vbScript? Can I not install IE or Outlook Express? Can I UNINSTALL IE once it's installed? Can I skip RPC? What about messenger? What about the GUI? What about any of those dozens of services that run by default on my XP box?

      Can I install JUST a linux kernel and the absolute bare bones minimum of tools for my box if I'm so inclined?

      It's possible to tweak Windows down to help shrink your liability, but never as far as you can go with Linux.

      Otherwise, I agree with most of what you said - especially about the users. It might be helpful to look at it the OTHER way: in the hands of an idiot, Linux is just as dangerous as Windows. In fact, probably more so because it's faaaaarrrrr more powerful.

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  19. Re:Easy Answer by Vlad_the_Inhaler · Score: 5, Insightful

    They also have the cash to pursue security problems, their problem appears to be design flaws that can only be 'corrected around'.

    An obvious example is integrating their Web Browser into their OS to screw Netscape, a political decision taken by his Billship. Bugs in IE lead to the equivalent of root exploits, bugs in Mozilla mean that one user account can be compromised.

    Another political decision has been to install software to offer all kinds of services, basically to keep third party vendors out. This software defaults to being active. What was that database port vulnerability again? Another consequence of this is that a virus/worm writer has a reliable idea as to what components will be running/active.

    They have the cash for PR *and* fixes, but political decisions have led to a situation where this does not help. Having said that, if as many computers ran Linux as the various Win versions, we would also be seeing more problems than at present - they just would not be as serious.

    --
    Mielipiteet omiani - Opinions personal, facts suspect.
  20. Re:Good Call! by ppanon · Score: 5, Interesting

    This will prompt "virus writers" to further cloak their sources, making it even harder to bust anyone, while the MS platform remains insecure.

    Well, I don't know about that, but I think it will change the makeup of the virus-writing community. If Microsoft had done this 10 years ago, it might have made a small effect. I have gotten the impression that, back then, virus writers mainly did it for exposure and bragging rights. If you could no longer brag about it because it increased the odds that someone you bragged to would turn you in for $$$, it might have dissuaded a fair number of virus writers.

    However now, a substantial number of virus/trojan/worm writers seem to write cyber-parasites to get zombie machines to play core wars-style turf games on the Internet (such as DDOSing the people they don't like) or to spam for money.

    The motivation is no longer the same and these bounties are likely to have much less of an effect. It's too little, way too late.

    --
    Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
  21. Linux and Security Holes by jd · Score: 4, Funny
    Inspired by this research, I sought to find other examples of security holes in Linux which do not occur in Windows.
    • Linux is more stable, thereby giving crackers more time to break passwords.
    • By not fixing things, Microsoft Windows causes crackers to become lazy and slothful, so when a patch does arrive, the cracker won't be expecting it.
    • Many Linux distros use MD5 hashing for passwords, which is much slower than just storing in plain text, making it possible to run a denial-of-service against a Linux box.
    • By renaming COMMAND.COM to CMD.EXE, Windows is secure against DOS attacks. At least, those up to 6.22.
    • Windows cannot trigger world chaos in safe mode. It's disabled.
    • By using all available memory, Windows cannot run additional viruses.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  22. Microsoft IS FASTER by jridley · Score: 4, Insightful

    From the time that they acknowledge a bug until it's patched is VERY FAST.

    The problem is that they won't acknowledge a bug until they already have a fix for it. Often bugs are known about by the world for months, and MS says there's no such bug. When they do acknowledge it, then yeah, there's a fix out within hours or a day or two at most.

    So, apples and oranges. If Linux takes 4 days to patch a bug as soon as it's known, and Windows takes 4 months to acknowledge a bug's existence, then 2 days to patch, which is better?

  23. Meet 'tu quoque' by inkswamp · Score: 4, Insightful
    Microsoft needs to learn the Latin phrase tu quoque which translates as "you're another." The term is used in the study of formal logic and refers to a logical fallacy, that is, defending oneself by pointing out the weaknesses of another. Of course, if I own a company that produces a shoddy operating system with consistently lousy security and a puzzling number of thoughtless or bad decisions in terms of general design, pointing out the same in a competitor does absolutely nothing about my own shortcomings. However, this is a wonderfully effective rhetorical technique for throwing the attention off my problems and on to yours.

    So, even if Linux was the most bug-ridden operating system with massive security holes, it wouldn't even matter. It certainly doesn't excuse one of the largest and most powerful software companies on the planet, i.e., one that can marshal a massive amount of resources and money to produce respectable software, from the ridiculous numbers of security issues and bugs that arise in almost every product they release.

    Politicians love tu quoque, by the way.

    --
    --Rick "If it isn't broken, take it apart and find out why."
  24. This is a dangerous strategy by One Louder · Score: 4, Insightful
    This could backfire on Microsoft.

    Pointing out that some other, "free", product has flaws is hardly a good defense for flaws in an expensive one.

    A customer who takes this advice and removes Linux simply makes any Linux problems irrelevant - it doesn't make the past, present, and future Windows security problems magically go away.

  25. Re:As if... by Lodragandraoidh · Score: 5, Interesting

    I started out as a Dos/Windows user from day 1 (actually I really started out as a TI 99a user - but that is another story). I have also managed and used all of the windows operating systems from Win 3.1 up to the present Win XP. When I didn't know any better, I used to think the DOS command line was the best thing since sliced bread, and batch files were my scripting nirvana.

    Then I started using *nix. I loaded Linux for the first time in 1992, and have been using it ever since. I was also a Unix system administrator during my career, and was using Sun systems in college before that. I learned the tool building paradigm of Unix, and absorbed awk, sed, perl, python, lisp, java, and a host of tools unheard of in the Microsoft world. Things that I spent hours accomplishing with Windows and DOS, I was accomplishing in minutes with Linux.

    From my vantage point, it is plain to see that the Microsoft products are not up to the task of being a general purpose workstation/server operating system. When compared to industrial strength Unix and Linux distributions, it is a toy - and should be advertised as such.

    I think the key distinction we need to understand is the ability of an end user to ameliorate security problems and other bugs when they manifest themselves. In *nix, usually the source code is available for modification, or a work around can be accomplished quickly with a scripting language because of the clear text interprocess communication mechanisms available. On the Microsoft side of the house, we are clearly dependent upon the good will and scheduling of Microsoft to get the fix implemented - and there is not much we can do to alter the outcome. So, the choices are independent ability to fix things, as needed - or Big Brother Knows Best; I know what I prefer.

    Given the above, Microsoft is never the 'right tool for the job', unless your job is a toy application that is expected to be obsolete within a few years. The simple measure of this is to look at all the DOS applications that are currently being used by end users, versus *nix applications (albeit in GNU form) - *nix wins hands down. Don't believe I haven't tried using various DOS and Windows tools - but they just don't have the overall flexibility and usefulness that can be plentifully found under *nix.

    What really boggles me about this whole issue is how people can be screwed by MS a thousand times over (non backwards compatible file formats, blecherous incomplete implementation of java, a malformed central configuration repository that causes complete system meltdowns when corrupted - that end users are not shown how to backup out of the box, etc...the list goes on and on), and yet come back smiling for more! What is really amusing (sad, really) is how I see some people rationalize that they were the ones at fault: "It was silly of me to build my spreadsheets in MS Works 1.4 back in '85 - what was I thinking! I should have copied all those entries across to Excel back in '95". To me this is a red flag that I am being taken for a ride. I woke up. I hope you do too.

    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain