Slashdot Mirror


ESR's Halloween XI -- Get the FUD

dave writes "In the newest Halloween Document (mirror), Eric Raymond analyzes Microsoft's 'Get The Facts' road show. The anti-Linux arguments they are using now -- and, even more, the arguments they're *not* using -- reveal how desperate Microsoft is getting. He explains why he thinks we need to focus more on government adoptions, and predicts serious ugliness during the next year."

33 of 771 comments

  1. ESR: Expert on Spin by Anonymous Coward · · Score: 1, Informative
  2. Hey, FUD-packer. by numbski · · Score: 3, Informative

    Let's pretend Linux DOES have that kind of userbase. You play the clueless user, I'll play the malicious h4xx0r.

    I'm going to write up a painfully malicious script that executes when you view an e-mail.

    What, that's not possible? Okay...uh...

    You're a pretty dumb user, and I'll name the file Brittney\ Spears\ Nekkid.jpg.sh.

    So you double click the file, and it launches. You're a plain old user.

    rm -rf /

    Oops. Didn't work. Why not? No permissions.

    rm -rf ~

    Now that might, but I want to think that launching a shell script from an e-mail attachment has some sort of protections on linux. Right?

    right?

    Okay, so my argument is full of holes. Sue me. :P

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

    1. Re:Hey, FUD-packer. by garcia · · Score: 1, Informative

      Let's play "everyone is now a clueless user" and needs to have superuser permissions to do everything because no one likes to have to switch to root to do anything important.

      So what do the people start doing? Logging in as root. That's right, they will ignore the fact that we have users (like they do w/Windows, no one wants to be anything but the administrator) and they will run everything as root.

    2. Re:Hey, FUD-packer. by Enry · · Score: 4, Informative

      So what do the people start doing? Logging in as root. That's right, they will ignore the fact that we have users (like they do w/Windows, no one wants to be anything but the administrator) and they will run everything as root.

      Uhm. OS X already does this. As a normal user, you don't have write access to larger parts of the filesystem. To install applications or update the system, you have to give a password, which is then sent to sudo.

      Under Windows, there's no easy way to go from "joe user" to "super user", so everyone stays as "super user". Linux and OS X make it pretty easy for the user to upgrade their privileges temporarily.

    3. Re:Hey, FUD-packer. by akedia · · Score: 2, Informative

      Are you even aware how most Windows viruses work?

      Most Windows viruses will just need to be executed by Joe Clueless Luser. Upon execution, they will exploit some aspect of Windows or Office or another userland program (such as an ActiveX exploit in Outlook Express, for example.) It can then gain superuser-level privileges and do whatever destruction it wants to the system (remove core files, modify registry entries, install keyloggers, etc.)

      Now, going back to your scenario, say we have Joe Clueless Luser in front of a Linux box, logged in as a regular system user. He opens your Brittney\ Spears\ Nekkid.jpg.sh e-mail attachment, which executes and runs a rootkit that exploits a local hole in GNU screen. Now the virus has root-level access to the system and begins wreaking havoc, installing ircds and backdoor FTP daemons. Now we're screwed.

      As someone who is responsible for the security of several thousand computer systems every day (in a Windows/Linux/Solaris/Netware mixed environment), I can tell you that just protecting the users from their own stupidity is not going to keep you safe. Any hacker worth his or her salt will tell you that every system can be exploited and used to whatever potential you have in mind.

    4. Re:Hey, FUD-packer. by general_re · · Score: 4, Informative
      Under Windows, there's no easy way to go from "joe user" to "super user"...

      Sure there is, but few people take advantage of it or understand why it's a good idea - runas /user:user_name program_name, where user_name is the local administrator. Enter the password and away you go. If you have a proggy that you regularly need to run with admin privs, create a shortcut and pull up the properties sheet for the shortcut - check the box marked "Run as different user". Enter the username and pw when prompted, and away you go.

      Anyway, the point is, people who are confused by this, who don't understand it and why it's not a good idea to not run as root all the time, they are not suddenly going to grok the mysteries of sudo when switching to some other OS. People who are clueless will not become clueful just by switching wallpapers on them - unless and until people are better educated in safe computing practices, nothing is really going to change.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
  3. M$ vs. Linux "Roadshow" by BigBadBus · · Score: 5, Informative
    A friend at work attended one of these Linux vs. M$ roadshows in the UK a few weeks back. These are the basic points:

    The basic messages about selecting MS/Linux for a system are governed by the following:
    - Don't change for the sake of it
    - Take into account what your people know (e.g. Linux possibly better if you have lots of Unix people)
    - Much of the cost saving of Linux over Unix comes from hardware - i.e. using Intel over mainframe/AIX/zSeries etc.
    - OS/Platform is just a tool - choose the right one for the job
    - MS/Linux TCO's are nearly always within 10% for most projects by the time all costs are accounted for (this was from an independent solutions provider)
    - Don't just focus on TCO - look at ROI (return on investment)
    - MS is pretty well zero-development (no code or scripting)
    - The People and Processes are more important than the technical solution
    - Check licensing model of any platform (will any Linux development become your IP, or will it be open)
    - Linux still does not have a really good desktop and the office suites available are still lagging
    - security issues such as virus updates and patch management are more of an administration issue than a platform one
    - Easier porting J2EE->.Net than the other way round (i.e. MS ties you in worse!!!)

    1. Re:M$ vs. Linux "Roadshow" by Creepy+Crawler · · Score: 2, Informative

      ----Any company that relies on its employees to keep current with AntiVirus updates and patches is a fool. Hence such things MUST be an administration issue. The platform does not matter, patches etc still need to be applied.

      Not quite. How about that small 4 person financial business... Are they supposed to know how to support their computers and network? That's where I come in. I assess threats and judge how to exterminate them. And they don't want to buy new software every year, as it does cost a bunch. I can supply answers on how to avoid the upgrade merry-go-round.

      ----The bottom line? A computer is as secure as the person that's using/administering it, no matter what the O/S.

      Wrong. It's only as secure as the admin admin'ning it AND the ceiling amount of security present on that platform. How do you turn off RPC on MS OS'es without killing the machine? I can turn off any service on Linux....

      ----I am NOT trying to spread Microsoft FUD; I am a linux advocate. I do believe, however, that linux advocates are going to have a shock when linux does reach 50% market penetration - yes viruses will be written, exploits will be used, people will install dumb shit on their computers and open the door for spyware. Linux is, after all, just another operating system. It's just as good as the person that secures it

      I expect that too. I've already seen XPI's for Mozilla that were trojans/spyware. However, if you can provide a clean way to reset (considering how easy it is for files to be overwritten in Linux) like MS safe mode does, it's a lot easier on admin types. Or better yet, just pop a cd in the drive and let the system take care of it for you. Stupid users have to be dealt with stupidly.

      ----A hell of a lot of people don't patch systems because doing so will break compatibility between products. That mindset will still continue when working with linux and so systems will still go unpatched (along with other reasons such as under-funding, indifference, lack of time etc). I know this because my home gentoo box has a couple of vulnerabilities I need to sort out. But I haven't.

      Exactly.. Some cases happen where that's the case. However most programs that don't depend on certain kernel features WILL work almost regardless of environment. Ones that don't are statically compiled ;)

      ----I'm the kind of person that linux is going to have to deal with. I browse the web from root! Try explaining to your boss that, no, in fact he can't do X because it violates the security policy, or that he has to change users to install stuff.

      Ouch, you browse as root? Damn, go adduser and make an account ;P Just add a sudo entry for you (and of course, deny SU and sudo from unpriv'ed accounts). Wheel is on every other unix system... Too bad Linux'ers don't use it much.

      --
  4. Re:WTF is FUD? by lsoth · · Score: 2, Informative

    Fear Uncertainty and Doubt

    --
    ... [Insert decent Sig] ...
  5. Re:As always by Anonymous Coward · · Score: 1, Informative

    "Offer good until June 1, 2004"

  6. Re:As always by vk2 · · Score: 4, Informative
    No need to register.!!

    Offer already expired.!! Don't waste your disposable email address.

    From the linked page:
    Offer good until June 1, 2004 or while supplies last.

    --
    No Sig for you.!
  7. Re:As always by norculf · · Score: 2, Informative

    You know if you use a real email address Microsoft might give you more free stuff in the future. No guarantees but it's happened before.

  8. Re:As always by greechneb · · Score: 2, Informative

    I just ordered a copy yesterday, and I got a confirmation email saying it had shipped via 2nd day air. So they still had copies as of yesterday.

  9. Re:ESR, again. by RLiegh · · Score: 5, Informative
    Oh, good Lord, you are sniffing glue, right? Microsoft is alive and well, and the only vanilla box you can get for below $350 is a used piece of shit that has Windows ME installed. Get out of your basement, your parents need the space.

    Well, strictly looking for new and under $350, I found this at Walmart's site right off the bat. They also have a 2.4GHz one for $398.

    I'm sure I could have found even better deals, but I don't really have a lot of time to spend looking (and I'm happy getting a used box from retrobox).
  10. Why did it do that? by SuperKendall · · Score: 2, Informative

    You're a pretty dumb user, and I'll name the file Brittney\ Spears\ Nekkid.jpg.sh.

    So you double click the file, and it launches. You're a plain old user.


    And just how did the file launch? It's not executable yet...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
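The execute-bit point from comments 2 and 10 above, as an added example that is not part of the original thread: a file saved with ordinary permissions cannot be launched directly, and a small audit finds (and defuses) double-extension scripts that have been made executable. The file names, the helper function names and the temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; every name here is constructed, nothing is from the thread.

# Write a harmless stand-in for a saved attachment the way a mail client
# would: a plain file created under the usual umask, so no execute bit.
save_attachment() {   # $1 = directory, $2 = file name
    ( umask 022; printf '#!/bin/sh\necho "attachment ran"\n' > "$1/$2" )
}

# Try to launch a file directly, as a file manager's "run" action would.
# Prints the exit status; 126 means the exec was refused (permission denied).
launch_status() {     # $1 = path containing a slash
    status=0
    "$1" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# List regular files under $1 that carry any execute bit AND a double
# extension ending in .sh (e.g. "photo.jpg.sh"): the combination the
# scenario needs before a double-click can run anything.
audit_dir() {         # $1 = directory to scan (mail or download folder)
    find "$1" -type f -name '*.*.sh' \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print | sort
}

# Remove the execute bits from everything audit_dir flags.
neutralize() {        # $1 = directory to scan
    audit_dir "$1" | while IFS= read -r f; do
        chmod a-x "$f"
    done
}

demo() {
    dir=$(mktemp -d)
    save_attachment "$dir" "holiday.jpg.sh"   # as saved: mode 0644
    save_attachment "$dir" "invoice.pdf.sh"
    chmod +x "$dir/invoice.pdf.sh"            # the extra step a user must take
    save_attachment "$dir" "notes.txt"

    echo "launch status without execute bit: $(launch_status "$dir/holiday.jpg.sh")"
    echo "flagged before neutralize:"
    audit_dir "$dir"
    neutralize "$dir"
    echo "flagged after neutralize: $(audit_dir "$dir" | wc -l)"
    rm -rf "$dir"
}

demo
```

The audit only covers the direct-launch path; a file handed explicitly to an interpreter (`sh file`) does not need the execute bit, so the check complements user privilege separation rather than replacing it.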
  11. Re:ESR, again. by Mr_Silver · · Score: 4, Informative
    What has ESR brought to the Open Source community?

    A few things although I agree with you that predicting the future is not his strong point.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
  12. Re:ESR, again. by mirko · · Score: 4, Informative

    Not sure whether it has been posted here before but here's an interesting point of view on ESR : It's about things he claims and things he obviously has not done : "The Emperor Has No Clothes"

    --
    Trolling using another account since 2005.
  13. Re:WTF is FUD? by squiggleslash · · Score: 2, Informative
    FUD is a technique started by IBM in the sixties and seventies aimed at undermining their competitors. It stands for "Fear, Uncertainty, and Doubt". The idea is to sow these into the minds of potential customers. Instead of saying: "Our all-new ACME Widgetmaster 2000 has these fantastic features", or even "Our all-new ACME Widgetmaster 2000 has these fantastic features unlike our competitor", you say:

    "Well, yes, I can understand you liking the new BlogsCo Gadgetwhiz 3000, but between you and I, I'm hearing a lot of problems about their reliability. I suspect it probably will not be on the market before 2008, assuming they don't go bankrupt beforehand."

    You'll note nobody's competing on merits, it's essentially a slime campaign. Make the potential customer feel uncomfortable with the competitor, make the potential customer assume trouble is ahead if they go with that competitor.

    You could argue that most political campaigns in the US are FUD campaigns.

    --
    You are not alone. This is not normal. None of this is normal.
  14. ESR, a factual case is the best case. by e.m.rainey · · Score: 4, Informative

    There's lots of compelling arguments in your case here, but I think you could use some edits.

    1.) "Like the dog that didn't bark in the night-time, these omissions are significant, because Microsoft marketing is thorough and ruthlessly opportunistic." The first part of this statement is rather confounding. I assume that you mean that the fact that they have dropped these arguments should be indicative of the thoroughness of the marketers.

    2.) "Do I even need to point out that most of the factual claims are blatant lies brought to you by the same people who got caught faking video evidence in their Federal antitrust trial?". Unless you can show that the actual forger is at work here, refrain from painting all MS employees with the brush of a criminal. This only serves to undermine your objectivity.

    3.) "Hammer them without mercy -- but do it in a quiet, reasonable voice and keep control of the terms of argument." Do it "ruthlessly" perhaps? This also serves to undermine your credibility as it shows you too are playing the word game. Ruthless is a "charged word" even though it used to mean "without emotion" it implies some bitter, hateful vengeance now. You used it to describe MS Marketing before but you don't use it now, but just be consistent. The rest of the statement is good though, stick to the facts and definitions, and keep the argument in your favor.

    4.) "...higher Windows TCO is forever" Please quantify "higher" with a number.

    5.) "Shared source is a poison pill." Shared Source may be a misnomer but calling it a "poison" pill is just inflammatory.

    6.) "Can you explain why Windows IIS websites are cracked or defaced more often than Apache ones, despite the fact that IIS runs less than a third the number of sites Apache does?" Please quantify "more often". Also, attempt to separate this into 2 questions, as the answer will undoubtedly be "Hackers hate Windows, hackers attack Windows" which will only be to their advantage because it implies that they are top dog. The top dog is perpetually being challenged. Saying that they are attacked often is handing them the opportunity to say that they are top dog.

    Otherwise, this is a good article and it's got some great questions for MS PR about the Shared Source == Open Source nonsense.

    --
    The next remark is false. The previous remark is true.
  15. Re:ESR, again. by black+mariah · · Score: 4, Informative

    sarcasm
    n.

    1. A cutting, often ironic remark intended to wound.
    2. A form of wit that is marked by the use of sarcastic language and is intended to make its victim the butt of contempt or ridicule.
    3. The use of sarcasm. See Synonyms at wit1.

    --
    'Standards' in computing only impress those who are impressed by things like 'standards'.
  16. ahem by linuxislandsucks · · Score: 2, Informative

    so what have you brought to Closed source programming such as MS windows?

    Did u bother to read ESR's project page listing his projects? NO?

    Read before leaping..it might save you a big first step into the void

    --
    Don't Tread on OpenSource
  17. Re:The clueless userbase to propagates the worms. by Anonymous Coward · · Score: 1, Informative

    You actually think that there's no worms at all for Linux?

    I don't think anyone (outside of the fanatical fringe) here has claimed that there are NO worms for linux. As a matter of fact, the Linux exploits I have heard about were all reported here on Slashdot, many with detailed forensic analysis of exactly how they did it.

    But I really have to take exception with the whole notion that Linux is only protected by its relative scarcity of use. The detailed forensic analyses of Linux worms, contrasted with detailed forensics of Windows worms (I mean beyond the simple "click this attachment" type) show that the level of effort expended to compromise a Windows box is about 3 orders of magnitude less than the typical effort expended to compromise Linux. Your description just reinforces that.

  18. Re:The clueless userbase to propagates the worms. by Knuckles · · Score: 4, Informative

    The well respected German computer magazine c't had a spreadsheet shootout a few weeks ago (issue 12/04). Overall, OO.org Calc came out head-to-head with Excel, with particular tasks being easier on one or the other.

    --
    "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  19. Sherlock Holmes by bstadil · · Score: 2, Informative
    Like the dog that didn't bark

    Inspector Gregory:

    "Is there any other point to which you would wish to draw my attention?"

    Holmes: "To the curious incident of the dog in the night-time."

    "The dog did nothing in the night-time."

    "That was the curious incident," remarked Sherlock Holmes.

    From "The Adventure of Silver Blaze" by Arthur Conan Doyle

    --
    Help fight continental drift.
  20. Re:You're missing the point of gov't adoptions by cayenne8 · · Score: 2, Informative
    "Good luck. The generals and admirals want their Exchange/Outlook combo and Active Directory. At least in the Air Force there is a huge push to make Outlook the standard with a truly global address book and all the stupid little "features" it adds that I just turn off because they are annoying. Sigh. This will be an uphill battle. I hope open source can make inroads into the U.S. government, especially the DOD, but it will be a battle fiercer than any we have fought."

    Yup...and another problem I've seen first hand with this is NMCI.....the new Navy computer network forced down our throats by EDS. Aside from the cluster f*ck description of the system...it is near impossible to get any Open Source applications to be allowed on this network. It is locked down windoze....and you cannot run any programs/applications that are not approved. Trouble is...you have to be a company with $$'s to be able to submit your products for evaluation to NMCI for security tests...AND you have to pay for them yourself (the company does).

    I fear this isn't quite much of an option for Linux and open source products in most cases.

    It is getting harder and harder to keep the 'legacy' computer systems on our desks...that many admins actually have to use to connect to and admin our systems. Many have Linux as their OS of choice on these boxes....but, EDS is after blood to remove them....

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  21. Aunt Tillie mods you down by j1m+5n0w · · Score: 3, Informative
    what has ESR brought to the Open Source community ?

    The Jargon File comes to mind. I owe quite a bit of my knowledge of computer history to its print form, the New Hacker's Dictionary.

    He also brought us the infamous Aunt Tillie Builds a Kernel lkml thread.

    -jim

  22. Re:ESR, again. by Anonymous Coward · · Score: 1, Informative

    the only vanilla box you can get for below $350 is a used piece of shit that has Windows ME installed.

    The last Dell we ordered was $349; no monitor but everything else; 2.8G Celeron, 256M RAM, 40G HD, a very respectable machine. It came with XP Home.

    BUT we had to pony up more money to get XP Pro since XP Home will not even log onto a Windows domain. We also needed Office 2003 Pro since we are standardized on Word, Excel and Access. Total: $748!

    This, I suspect, is what ESR was talking about. It more than doubles the cost of a system just for the Microsoft software! Does it make a difference to us? Hell, yes! We are looking at a Linux workstation running Open Office for the next new employee. I haven't worked out the database issues yet, but I can put in one helluva lotta work for $400 per workstation.

    Get out of your basement, your parents need the space.

    When are you moving out?

  23. Re:The clueless userbase to propagates the worms. by bob+dobalina · · Score: 2, Informative

    If you would be equally proficient with both MS Office and OO.org, that would be telling something. However, I am pretty sure you are not. With that assumption, the only conclusion I can draw ATM is that using software you are not familiar with takes more time, especially for advanced stuff like data validation. Duh.

    If anything, I am more proficient with openoffice because I use linux at work, OS X at home and I'm too cheap to shell for the MS version. Like I said, I'm not a spreadsheet guru, but after reading an excel book and searching online for what I wanted to do, I found it much easier to do it with Excel, and in some cases (as in setting a list context for cells) impossible in openoffice. But then, I'm sure this was painfully obvious to someone like you.

    My point is that openoffice is not a precise clone of MS Office, and as a more astute reader pointed out, it's pretty rare to find someone equally adept at using the two application suites. There will always be retraining and migration costs.

    --

    B

    "I'm payin' taxes, but what am I buyin'?" -- James Brown

  24. Re:Please cite examples by SWroclawski · · Score: 2, Informative
    I don't know why I have to cite examples, but ESR has always been clever- he claims that Open Source is different than Free Software, less ideological, etc. Then he says all Free Software users should change the words they use:

    We suggest that everywhere we as a culture have previously talked about "free software", the label should be changed to "open source". Open-source software. The open-source model. The open source culture. The Debian Open Source Guidelines. (In pitching this to the corporate world I'm also going to be invoking the idea of "peer review" a lot.)

    http://www.catb.org/~esr/open-source.html

    This was a long, long time ago.

    Since then, his attacks have always been subtle. He attacks RMS openly, and in his Unix Philosophy book, he attacks Free Software as a bad way to get people involved.

    But that's not all there is to it! You see- Open Source is born out of the idea of being apolitical.

    This isn't about popularity alone. Popularity is nice, but rights are why those of us who use the term Free Software are so fervent about it.

    He dances around the issue by talking in third person here:

    There was one exception: Richard Stallman and the Free Software Movement. "Open source" was explicitly intended to replace Stallman's preferred "free software" with a public label that was ideologically neutral, acceptable both to historically opposed groups like the BSD hackers and those who did not wish to take a position in the GPL/anti-GPL debate. Stallman flirted with adopting the term, then rejected it on the grounds that it failed to represent the moral position that was central to his thinking. The Free Software Movement has since insisted on its separateness from "open source", creating perhaps the most significant political fissure in the hacker culture of 2003.

    http://www.faqs.org/docs/artu/ch02s03.html

  25. Re:The beauty of government adoption of open sourc by krgallagher · · Score: 2, Informative
    From the original document:

    "I also expect a serious effort, backed by several billion dollars in bribe money (oops, excuse me, campaign contributions), to get open-source software outlawed on some kind of theory that it aids terrorists."
    "But in the next year, I think we need to focus more on government adoptions, in order to protect our political and legislative flanks."

    We need to beat them to the punch. Open Source is a matter of national security! It only takes one back door in a closed source OS or application to put our nation's security at risk. All applications critical to national security should be running on OS' where the people are able to read the source and thus be positive no terrorist has planted a back door.

    Write your congressman! Now, before anyone else has a chance to beat you to it. Here are some important things to remember when you are trying to influence government:

    1. Email makes little impact. It is very easy to send a congressman email. As a result most congressmen are flooded with emails, and actually read very little of it. Send Snail Mail Instead!
    2. One petition is the equivalent of only one letter. A lot of people will sign your petition just to get rid of you. Your congressman knows this. Therefore your petition only counts for the person who mailed it in, not for every signer.
    3. Form letters don't work. Congressmen do not open their own mail. A staffer opens it instead. If there are 300 copies of the same form letter, the congressman will only see one copy and be told that 300 copies came in. It just does not have the impact of 300 separate letters with different wording making the same point.
    4. Vote! I cannot stress this enough. The list of registered voters is public record and whether you voted in the last election is part of that record. If you are not a voter, your congressman does not care what you think. You will not vote for his opponent in the next election anyway.
    5. Send Money. Yeah I know, It feels kind of dirty and you may not actually like your congressman. Still, Microsoft donates to both political parties and many individual politicians. We have to in some way counter this. Even a five dollar check will make an impression on the politician. It proves you are serious. An alternative to donations to the politician himself is a donation to his party. Just send a photocopy of the check to your congressman with your letter. Even better if he votes wrong, send him a photocopy of your donation to his opponent!
    We have been lied to and misled. They have convinced us our vote does not count and we cannot make a difference. As a result we do not act. As long as we buy in to this and do not hold the government accountable, the government will not be accountable.
    --

    Insert Generic Sig Here:

  26. Re:You're clueless--here's why by Archie+Steel · · Score: 2, Informative

    OK, I'm talking to a guy who will nitpick Google's 1% to death

    Why do you feel the need to exaggerate to make a point? I didn't "nitpick" to death, I just noted that I don't feel that Google's Zeitgeist is an accurate representation of Market Share.

    but then thinks it's perfectly OK throw out a number like "2.5%" with no source whatsoever and then claim it's "generally accepted"

    Is IDC a good enough source for you? This, by Paul Thurrott no less, gives a 2.3% market share in 2002. Are you going to call IDC a dubious source, and Thurrott an irrational Linux zealot as well? Oh, and those are desktop figures, according to the article.

    But wait a minute - it seems I was too conservative in my assessment: for 2003, IDC gives Linux on the desktop 2.8 percent, not 2.5!

    You see, contrary to what your knee-jerk reaction has led you to believe, I didn't start by saying: "Google Zeitgeist puts Linux at 1%? That's way too low! I'm sure I can find reasons to justify my biased views!" What really happened is that I already knew that IDC and others put Linux at approximately 2.5% of the desktop market, so when I saw Google's figures I thought "Hmmm...there seems to be a discrepancy between Google's index, which does not profess to represent accurate market share figures, and the numbers of respected research firms. I wonder what could cause that difference..."

    See the problem with your argument?? Maybe, just maybe, that's why people think you are an irrational zealot.

    In light of this it seems you shouldn't be so quick in calling other people zealots. You'd look less like one yourself.

    By the way, right now I'm a Windows user. So please, do suck on it.

    --

    Reminder: find a new sig
  27. Re:You're missing the point of gov't adoptions by killjoe · · Score: 2, Informative

    First of all it's not like the entire govt has one giant deal with MS. Each unit probably has their own contract. Secondly I don't know of any entity no matter how large paying $10.00. Thirdly MS has no real incentive to offer the US govt any kind of a discount because the US govt has already standardized on MS software and has no bargaining leverage.

    Most likely they have a pretty high level select license which means they are paying somewhere around $40.00. They are also probably paying at least one full time equivalent employee to keep in compliance. Once you add the overhead of accounting for all the "license points" it's probably back up to around $100.00.

    --
    evil is as evil does
  28. Re:TCO by codefool · · Score: 2, Informative
    The higher TCO for Linux lies in people like yourself. As your comments demonstrate, you have a highly detailed understanding of Linux and its applications, and because of that knowledge and experience you keep things running smoothly. In your situation, the overall TCO to your company is limited pretty much to your salary and the electricity to run the boxes (and any service contracts, leases, etc.)

    TCO also comes in the form of lost productivity as people learn to use the new OS, etc.

    --
    "Stop whining!" - Arnold, as Mr. Kimble