Slashdot Mirror
Microsoft, Monocultures, Security FUD & Other Fun
techiemac writes "Dan Geer, who has been mentioned on Slashdot before due to his warnings about Microsoft's "monoculture" has just been written up by AP for his warnings about the widespread use of Microsoft products and the serious security flaws that are being discovered. This story is quickly becomming big news (Yahoo is currently carrying it on their front page). For those who don't know, Dan Greer was fired from @Stake Inc for his criticism of Microsoft (they are a big client of @Stake Inc). " Somewhat related, there has been interesting reaction pieces on ORA and OSDN to a recent, some say ill-informed article run on DevX.
And they are wrong about "duoculture". Linux, having many parties behind it(many distros, different kernel versions) has much mure internal variety than all versions of Windows out there.
As much as I dislike the company, there are too many critical systems that are relying on Windows Servers. The release of a kernel crippling virus or worm could result in loss of human life.
A great example of what can/will happen with the Microsoft monoculture can be found in the potato blight of Ireland. For those that lack any historical reference here, Ireland had a booming population due to the introduction of a nice, hardy breed of potato. For years, everything was going great, everyone had food, the potato became the staple of the diet. Everyone ate potatos, it is estimated to have been between 20-40% of all food consumed during this period.
Then a viral attack that affected only this particular breed of potato struck. Within less than a year, whole crops failed, the economy collapsed as people literally starved to death.
Yet, other breed of potatos were completely unaffected. It wasn't the reliance on potatos that was to blame, it was the reliance of one strain of potatos that was Irelands achilles heel.
That is our economys achilles heel, Windows.
Karma Whoring for Fun and Profit.
It's not just monoculture that makes viruses spread so quickly. The fact that any computer can send something to any computer is bad. The fact that any computer can send something to so many computers is terrible.
Even if Linus drives Microsoft products into the minority, infections would still quickly reach Microsoft machines (or machines of any leading platform). Furthermore, under non-monoculture conditions, the dilution of virus writers on any one platform would probably be matched by the dilution of anti-virus resources on that platform. Even under non-monoculture conditions, we'll still have fast-spreading infections.
Connectivity is the real driver of infection.
Two wrongs don't make a right, but three lefts do.
Really. Look at all the Linux. BSD, and the other *nix distros and all the software that runs between them on different platforms with different packaging systems. I think it's messy at best, but in a world with more than one *major* operating system, the solution is standards.
Look at the automobile - tons of competing car companies making different cars, but they all have some standardized equipment customized in a little different way not to radically change the entire experience. Open standards would kill Microsoft (or at least knock them off their behemoth perch), and they know it.
It's sort of the idea that Federal action is better than State action - why worry about 50 different actors doing their own thing (hint: innovating) when the federal government can just fiat whatever they want.
Matt Fahrenbacher
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
Yes, for example, a UDP worm that hit every infectable host withing 15 minutes of release would have been impossible.
Additionally, we would not have such robust technologies as "Intrusion Prevention Systems". as there would have been no demand for it.
and my skills as an information security professional would be less in demand if we all ran *BSD.
Diversity != incompatibility. One standard, many implementations. What the M$ guy says is pure FUD.
As is usual the US is slow at change. We are stuck in our was and that is especially true for the government. Were there are many places in the world that realize the problems with M$ and are migrating to alternatives it's big news here. We (US) are being slow to wake up and realize the truth. But, that is how the US works.
Evolution or ID?
This neglects that fact that Linux itself has internal diversity that makes it less vulnerable to "disease".
It's also not necessary to have "thousands of different operating systems" to gain some resilience. If (for example) half of all computers were Type A and the other half Type B, the rate of transmission of type-specific malware would be slowed dramatically. It wouldn't prevent pandemics, but it would slow them down.
http://alternatives.rzero.com/
You know, there was, at one time, a long running joke about Microsoft tech support. The answer to any problem, according to MS support (and I heard this directly from them on more than a few occasions) was "We suggest you reboot to fix this problem" OR, Shut up and re-install.
And now, here is the "Chief Security Strategist" for MS saying (regarding the monoculture analogy) "Another difference: computers can be unplugged from the network and rebooted; organisms cannot."
So, is he really implying (God I hope not) that most exploits can be solved by unplugging the computer from the network and rebooting???
I hope not, and maybe its just the way the AP story was written, but it sure sounds like a dismissal of most of the Windows security flaws.
"Our funds have never taken part in toxic or death spiral convertible financings of any sort" -BayStar's managing partne
You could imagine transforms that move code around in memory, so that while the buffer overflow is still there, it is hard to exploit -primarily because all the other interesting addresses are missing.
:(
Specifically, overflow attacks like to jump the program to the buffer they have written, or a copy thereof. And in that buffer the code needs to reuse existing imports (library calls) so that they can do bad things. If everything moved around during load, exploitation would be harder. Then again, so would processing a core dump
personally, I think there is a better solution, stop using 'buffer overflow' languages like C, C++. Anything else: perl, python, java, C# is more secure. Why are all our systems built on such a foundation of instability?
different operating systems, which would make integrating computer systems and networks virtually impossible.
... in the good ol' days, an "OS" was all you needed in order to get some basic work and programming done on some hardware.
...
This is such utter bollocks I can't even handle it.
The reason integration is difficult is because it is made difficult by those who do it.
It has nothing whatsoever to do with 'operating systems'. It seems to me that 'operating systems' don't mean what they used to mean
Nowadays, it seems that an "OS" == "all the crap I think I'm gonna need one day, bundled into a single directory structure".
If the OS is doing its job then integration is not impossible, it is 100% feasible and easy.
An OS which doesn't do its job, doesn't allow integration. Its very telling to me that Microsoft choose to redefine the task of an OS rather than actually make their OS do the job its supposed to do.
Integration between OS's is supposed to be easy. That is what an OS is all about, after all. Maybe someone should tell that to the 'gurus' from Redmond that mouth off about operating systems all day long
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
Start by Installing a stable, easy to use and secure Linux distro. So.. In order to be diverse, everyone must use Linux. Aparently your dictionary has a different definition of diverse than mine. Hackers are about to make it even easier for you to be flattened by a virii attack now that Microsoft source has been leaked to the entire world. Exactly how is "Windows Source available on the internet" more dangerous than "Linux source available on the internet" ? The problem isn't that Microsoft software has security issues. All the OS's have 'em to some degree. The problem is exactly "monoculture". One bullet kills all. I'm more of a mind that companies need three operating systems. ... Call them Alpha, Bravo and Charlie to avoid the existing OS arguments.
Alpha runs on the corporate web servers, ftp servers and in general anything hooked to the outside world.
Bravo runs on the intranet servers that provide file storage, user authentication, etc etc.
Charlie runs on the employee desktops.
Thus any virus that targets the public layer (Alpha) won't effect internal operations. Any virus that targets the workstations (Charlie) won't spread to the intranet servers (where important data should be stored, and regularly backed up) and any virus that targets the intranet servers (Bravo) needs to get past the other two (Alpha and Charlie) -- or introduced directly -- to be a threat.
If I remember my computer history, wasn't Microsoft the alternative to the IBM monoculture? Now that IBM has embraced FOSS, they're the alternative to the Microsoft monoculture...
I'm glad to see whistleblowers getting some press. This is EXACTLY what we need to advance the free & open source movement!
--
More whistleblowing in my sig.
Lindows Steals Copyrighted Art and Promotes Porn
As long as basic services are needed, I don't see any problem at all. Use NFS, use SAMBA, use CUPS -- use your protocol of choice where you get clients for all platforms. So far no problem.
We're running Macs, Windows, Linux, BSD, different incarnations of Solaris, Irix, HP-UX, yet even some embedded stuff like vxWorks. No problem to share drives or print to shared printers. No problem to send and receive emails, surf the web.
And all without nightmares.
I can deny it.
What has microsoft actually created that anyone is intested in?
The browser? no Netscape developed that.
Graphic interface? No Xerox and Apple developed that
digital music? no MP3 and Napster developed that
Plug and Play? no Apple developed that
desktop publishing? once again Apple
multitastking? Unix
desktop video? Amiga
DOS? bought from another company
Perhaps MS developed some business apps, but I suspect that eveything in the Office suite was developed by some one else first.
Please give me some examples of any tech, that is worthwhile, that MS pioneered. I think virii and adware are the only techs that MS truly owns.
Wonder how Slashdotians will feel when they fully explore the anti-monoculture philosophy and realize it means keeping Microsoft rather than eliminating it and creating a new monoculture?
Solaris, AIX, HP-UX, BSD, FreeBSD, OpenBSD, NetBSD, SCO Unixware, Tru64, Linux etc. running on PCs, SPARCS, DEC PDPs and other vendor-specific server hardware...
Still looking for that "UNIX monoculture" in there...
Gentoo Linux - another day, another USE flag.
In the long run (think the next 10-25 years), Microsoft will be forced to go along with open standards or get left behind as Open Source picks up more momentum. As IBM, Novell, large countries, and other big gorillas put their weight behind Linux and Open Source, the standards they use could become "the standard". This isn't going to happen likely anytime soon, but it definately has to start with the corporate world. If XYZ Inc. decides to use Open Office and Linux to save money (and we know businesses aren't doing anything radical to save money these days), and suddenly their employees must use it, guess what software package could end up on their home computers? As I said, it's not going to be a fast process, but it is possible.
ce n'est pas un Sig.
Diversity can help keep viruses and such from spreading, but it can also be a hindrance. If linux had some standardization where all of the distros all used the same directory structure, package management, etc, it would be a lot easier for companies to write software for it. Now the best they can do is write the software and hope someone else will port it over, or spend time porting it to .RPM, .DEB, etc etc. With windows you don't ever run across cascading dependency nightmares, and every software company knows how to write their software for it. Yes, you should be able to compile linux packages from source without any problems, but when you're talking about trying to get home users to accept linux more, making them compile packages from source definately isn't the way to do it.
slashdot, news for crazed liberal socialist zealots
When writing for the then upcoming NT5, we were supposed to assume that there would be very limited access by non-OS software to anything n the \windows\ directories. Judging by the ease that some VB scripts running in the IE browser use ActiveX to overwrite stuff there, I bet that restriction got lost before shipping. (Yeah yeah, "IE is now part of the OS". Bah!)
One line blog. I hear that they're called Twitters now.
For that matter, nonfunctional code should have been optimized away.
What's nonfunctional code doing in there in the first place? I've lost count of the number of times someone has posted on LKML, "I'm removing frobnicate_foo() because I just rewrote the last place that calls it and it's not needed anymore," or, "I just realized that nothing calls x() anymore, so here's a patch to remove it."
Yeah, and we all know how many awful hardware vulnerabilities there have been in recent decades... :p
dropped floppies and non-USB interfaces much later, only after they were not that useful anymoreExcept that you're ignoring the chicken-v-egg problem. USB did not become ubiquitous until after Apple forced the issue. No one else had the balls to say "screw dumb serial ports, USB is better". GUI, 3.5", CD-ROM, PnP, etc... Apple intentionally drives technology forward, even when many people are kicking and screaming to stay behind.
Meanwhile, none of this has anything to do with security and monocultures.Blaster. Welchia. Beagle. MyDoom. Swen. Without the support of a microsoft monoculture, none of these important systems could have been developed, nor would they have enjoyed the popularity they do today.
My favorite quote on the topic came from Wired. Marcus Ranum thinks Geer's message would have been mostly ignored by the public at large, except for @stake's "brilliant surgical marketing strike on its left foot by firing Dan".
Friend, it ain't just laziness. Some of us have been urging and working on fundamental security advancements for decades now. But there's a huge *regulatory* problem, preventing fundamental data authentication and encryption in the US, and it's been crippling developers for years. Yes, it's unconstitutional, but the last time it got slapped down it got moved from Customs to Commerce, where it is now a looming brick over the head of every security developer.
That brick helps prevent *funding* or release of new products that would provide basic security for VPN use, built-in Ethernet encryption to protect us from packet sniffing, SSH instead of unencrypted telnet for programming routers safely, etc.
OTOH, with any closed source system, you have no code review. You have no chance to spot a security hole, purposeful or not. With CS, you simply have no chance.
Let's review: with OS, you have the opportunity for exposure, but also the opportunity to catch it. With CS, you have no opportunity to know anything. Sounds like the old free markets argument to me. The only person who would really support the CS position is an uniformed tool.
...tizzyd
OpenBSD, FreeBSD, NetBSD, OS X, varients of Linux so dissimilar they are just barely the same operating system, revived BeOS, the HURD, and the continuing divergence of existing operating systems and potential availability of new ones (Plan 9 may have largely failed but where it failed others can succeed (hint: driver support)) is an odd definition of "new monoculture".
(Heck, every Linux install has the potential to be a potentially new OS; my kernel is most likely the only kernel exactly like it in the world, as as I use gentoo, even a lot of the support programs are customized and potentially unique. I've tried five or six binary vulnerabilities that Linux programs are vulnerable to, and while several managed to crash my computer, not a single one of them has resulted in privilege escalation or anything meaningful, because my system is so different at the binary level from anybody else's. Even to the extent that Linux is a monoculture I've not suffered the price of living in a monoculture.)
Linux/Unix hardly runs a risk of becoming a monoculture, it's too easy to specialize. Regardless, talking about eliminating Microsoft is meaningless. If they get knocked back to 50% marketshare then their quality will improve and we won't need to hate them so much. The problem is the monopoly, the symptom is the software.
Q:What is the single protocol used by all computers
connected to Internet in the world?
A: IPV4
Q:What is the single mail protocol used by all
computers connected to the internet?
A: SMTP
Q:What is the single protocol used to search the
Internet and exchange most information over the
Internet?
A: HTTP
According to evolution, diversity is the
consequence of adaptation.
Specialization, Mutation, Adaptation.
Adaptation is the
consequence of a changing environment. A
changing environment is the consequence of a
finite amount of resources and competition.
The Internet in it's current stage resources are
plenty and competition is little.
Internet is currently in the specialization
stage. The Internet has not being forced(YET) to
depart from it's standard protocols (mutate) to
survive an attack.
Forcing diversity (by mandate rather of natural
competition) not only makes the system less
robust, it slows down evolution.
- these are not the droids you are looking for -
- Samba
- FreeDOS
- WINE
- The XBOX Linux Project
- Ximian Evolution
- Open Office
- Mozilla
- etc...
Think about it: If Microsoft produced superior products and didn't try to "0WN" you, a lot of those wouldn't exist.I know it's a stupid thing to /. yourself, but here we go:
My paper on worm propagation from last year (just updated with some more data) shows very clearly what a monoculture does.
I assumed 40 mio. vulnerable systems in it and showed how a malicious worm can wipe them out in minutes.
Some of the advisories that eeyes still has on the unpublished list estimate 300 mio. vulnerable systems.
We've been talking about flash and warhol worms for years now. With each passing day I'm more surprised that it hasn't happened, again.
Assorted stuff I do sometimes: Lemuria.org
And Microsoft's goal (gaol) of backwards compatibility ensures that these misfeatures will stay in the infrastructure indefinitely. I realized this yesterday when cleaning spyware off a friend's Windoze box.
Windows has so many legacy interfaces for loading programs at boot like win.ini, autoexec.bat, ect. that no longer have a pratical purpose, are easily exploitable, are are in a word, "cruft". Their OS is full of this cruft, and it will continue to become more so, as long as Microsoft continues their indiscrimate adding of features without regard to security.
as long as they make sure they replace the things they phase out with generally superior technologies, and they have (floppy > email, legacy ports > USB).
USB is not "Generally superior" for many things. Printers, for example. Stuff prints out the same on your typical inkjet whether or not it is plugged in through a Centronix port or USB.
> USB did not become ubiquitous until after Apple forced the issue.
Given the number of users, it's much more likely that USB only became ubiquitous because Win98 finally provided decent support for it.
Yes, and there are thousands of utilities that run on all those versions of Windows as a few binaries and libraries that are put on the PC at installation time.
Try finding a single compiled binary or library that runs on all UNIXes across all the hardware that UNIX runs on. (Surely someone with 20 years UNIX experience would know this?)
I'm tired of all this let's kill windows bullshit.
Fine, in which case you've responded to the wrong posting - I implied "let's kill those Windows users who are too lazy to learn how their PCs work", a big difference.
I've been a unix and now linux person for almost 20 years.
I'm tired of the elitist shit that goes on in our community.
So you have a problem with people learning to better themselves, do you? Then you're no different to those lazy users that cause these problems in the first place.
Gentoo Linux - another day, another USE flag.
Apache is much less a monoculture than windos.
While the core product is the same, the fact that it runs on dozens of OSs alone makes for a lot of difference. For many low-level attacks, offsets will be different, or compiler flaws exist on one system, but not another.
This is partly true for the windos world as well. Some of the attacks we've seen recently require slightly different code for XP and NT, for example.
Assorted stuff I do sometimes: Lemuria.org
True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible
I think the appropriate analogy here would be the early days of railroad. It used to be that each train company had their own standard for the width of the rails. The train engines and cars from one company could not fit on the rails from a competing railway.
Obviously, it would be *impossible* to connect the entire country by rails unless a single company owned all of the tracks.
Maybe Lotus, Wordperfect and Borland? I remember an ad from Wordperfect that listed the "whats new" of Office 95 or 97, and on the side they put the year since WordPerfect had it, all several of years before, even a lot in the 80's.
Most of their "innovations" were copying (good examples above), licensing (i.e. ms sql->sybase) or buying (vbasic, frontpage) technology from others.
But of course, we can deny the hand of MS in all their derived products. Now we can be hacked/infected reading email, having a database accesible thru internet or opening a spreadsheet, things that before was calified as impossible or a joke.
No one is hacking windows with NERO (a great product). No one is hacking Linux with xroast, or cdbakeoven or cdrecord.
No one is hacking a Linux or Windows box with Java. However, Windows boxes are being hacked with ActiveX.
Why, because by the above definition of crappy software, Nero, Java, cdbakeoven, xroast and cdrecord are not crappy software. Whereas ActiveX ,Outlook, IISS, Exchange Server, and Internet Explorer are crappy (read insecure) software.
vi +
A) I will make no value judgement. Good or bad is up to the individual to decide.
B) Evolution is specifically designed to "be like Outlook" It has a look/feel about it that mimics Outlook. Basically, Open Office, Mozilla, and Evolution (and a number of other apps) simply try to be a better widget than Microsoft's version. If Microsoft had chosen to release Office for platforms other than Windows & Mac, and had chosen to play nicely instead of trying lock-in via file-format (and the 3 Es), most of these products wouldn't exist now or would be much less developed because there'd be much less motivation to have them.
All that aside, I was simply attempting to be witty through the clever use of irony. Microsoft says basically, "If not for us, we wouldn't have so much innovation..." and I agree. If not for their sub-optimal products, draconian licensing, underhanded tricks, etc., many of the really awesome and cool technologies we enjoy *wouldn't* exist...but that's not because Microsoft made them. Microsoft just made them possible and (by their own actions) inevitable.
And I find that ironic, and funny...but this needn't be mod'ed as such.
but you forget to mention that apache is much more secure than IIS.
This is an assertion that cannot be backed up. I've had NT 4.0 webserver that have run years without compromise, and I've seen poorly-run Apache systems that were hacked within 30 minutes of going live. You can say that Apache is much more secure than IIS by default, but an experienced administrator can secure any box, even an IIS one.
It all comes down to knowing what you're doing and which platform you're more familiar with. I'd rather have an IIS box run by a guru-level administrator than a Linux/Apache box run by a newbie anyday.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
no security built into TCP/IP because there was no need for them. TCP/IP was not developed for academics, it's development was paid for by the Department of Defense, thus security was a consideration in the design of TCP/IP from day one. That is why TCP/IP was designed to dynamically reconfigure routing to work around failures, as opposed to SNA, in which the network was statically configured.
"Freedom means freedom for everybody" -- Dick Cheney
[Disclaimer: For the record, I'm a Solaris bigot and a Linux zealot.]
That being said, I don't have that much of an issue with the Windows OS itself. Including it as another tool in IT's belt to be used in specific situations is a good thing to have.
The problem I have is the predisposition of Windows' advocates to have tunnel vision with respect to the use of said tools. IMHO, Windows is a square peg and every problem is a hole of varying shape that possibly needs to be modified to fit that peg. Couple this with a marketing engine that is second to none in the IT world, and you end up with the situation that Geer describes in which 95% of the desktops and perhaps 50% of the servers in the world are vulnerable to individual bugs and attacks. IOW, just one nasty bug can wipe out nearly the world's entire IT infrastructure because of the lack of genetic diversity.
Please note -- I'm not knocking Windows itself as an OS. As I mentioned before, it fits in certain situations. I am specifically targetting the misguided directions of our IT management, programmers, and the Microsoft marketing departments that have put us in this situation. This is yet another human problem -- not a technological one -- and one that could have been, and can yet be fixed.
Rule #1 -- Politics always trumps technology.
I always wondered why Microsoft didn't decide to abstract the older windows versions into some VMware alike virtual machine environment. So old windows 'cruft' can only affect old windows programs.
like my dad. i forced him to stop using ie, he uses opera now. he's a typical windows user (probably wouldn't userstant outlook if i let him use it anyway).
he's a typical windows user. he does think of security. he doesn't do anything stupid outright. he insists on running a virus scanner, although he doesn't know how or why to update it, so he never does. he runs a firewall but again, does'nt update.
he's a typical home windows user. typical people are scared of virus's (because of the news coverage) but do not now how to protect themselves, nor know where to find information. He doesn't ever update windows because he doesn't have time / doesn't know how. he runs windows 98 because it 'just works'.
no matter how fast microsoft patch things, if they dont release a product thats secure upon release, whats the point to home users? thats a good reason why people should use alternatives.
"Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring 'benign mutations' that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses."
If there is non-functional code that can be modified without causing problems, shouldn't that code be removed?
As such, the best way to protect oneself from copyright violations is complete ignorance of anything one might potentially infringe.
...) is a way to increase the overall quality of intellectual work. Human imagination is limited, no one can invent everything from scratch, reading/watching/listening to several (as much as possible !) other works, taking a few ideas, adding your own, mixing all this, ... is the only way to do.
So, novel writers shouldn't read work done by authors in the same field, movies makers shoudln't watch other movies, musicians shouldn't listen to music, and so on ?
Reading what other people did in the same area (same kind of novels, movies, music,
There is no mystery why most sci-fi writers were sci-fi readers during their teens, why most musicians were music lovers and why most movies makers where movies addict. The same goes for programmers: reading other people's source code to get ideas you can use (adding your own idea in the mixture) in your programs is the only way to make better and better programs. That's why patents are so bad in the computing field: because program writing is, in some aspects, more akin to book writing than to classical engineering.
Plagiarism is what I could call "search and replace copy and paste", like, you copy and paste and then rename all the variables... this si still copy and paste. A true rewrite of the same global ideas isn't plagiarism.
In an age where the world is becoming ever increasingly dependent on computers, we must take a step back and formulate a strategy to make sure history does not repeat itself in the most disaterous way. It was not too long ago that Ireland suffered its infamous "potato famine" that devistated its population that was, in its day, dependent on the crop. One of the key reasons why the famine was so intense was the fact that the Irish were repeatedly planting the same type of potato throughout the country. By doing this, and not realizing that nature provided diversification in the form of hundreds of varieties of potatos to make sure that one set of circumstances could never decimate the potato population, the Irish learned a very valuable, if not painful, lesson indeed. In the land of computers, this form of "biodiversity" only makes sense. If 90% of all nodes on the network are of one kind of "potato" (namely Microsoft) than it's very easy for one plague (or virus) to have incredibly devestating results. We have already seen the damage caused by recent Windows viruses. Each of these have been relatively small and harmless annoyances compared to what a committed and intelligent person could create should such a someone be so inclined and motivated. However, if the world's computers were not so heavily tilted towards a single OS, such attacks wouldn't stand nearly as much of a chance in succeeding to harm a large section of the world's network population. In conclusion, not only do operating systems such as Mac and Linux (as well as Solaris, Unix, etc) represent an excellent freedom of choice for consumers, they represent an enlightened strategy to prevent a cataclysmic disaster to our networks that we've come so dependent on.
Sugapablo
Good stuff, but remember:
1. Both Unix and Linux came out of unstressed environments.
2. The PC market has led to hysterical commercialism.
Today we see a planned obsolescence that even the US automotive industry would be ashamed of. As Mark Minasi found when interviewing marketing suits for his book 'The Software Conspiracy', the suits know about security and bugs, but they deliberately prioritise them down.
They need to get to market instead.
Unix had its exploits in the beginning. It was dead easy to install a trojan at the login screen. Heck, I devised a hack that worked on all SVR4 machines to take over root. It's just that Unix and Linux have both had a chance to mature without all this hysterical going-on plaguing the market Microsoft is in.
Plus, and this is a no-brainer: there are a lot more talented people working at Bell Labs and with Linus.