Microsoft Claims Linux Security a Myth
black hole sun writes "Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.' The gist of his argument appears to be his claim of lack of accountability among distributors, coupled with generic statements short on facts. 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.' He goes on to say that 'Linux is not ready for mission-critical computing. There are fundamental things missing,' pointing out the lack of a development environment and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program." I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.
Twenty years of buffer overflows.
Questions?
In Soviet russia, only old Koreans profit from pictures of Natalie Portman stored on Beowulf Clusters.
Care to elaborate? Just what part of the software stack is missing?
fast as fast can be. you'll never catch me.
Just wait until they roll out WinX, or is it Winux...
Fact: Much of what winders suffers from is incompetent users. Nothing is really stopping the developers from writing spam bots for windows because idiot users on Linux could run bad code just as easily as idiot users on windows.
OTOH, you don't have such dumbass tricks as tying your browser right to the OS or ActiveX, so you make spyware and whatnot less of a factor.
On yet another hand, however, you have the problem of moron users running sendmail daemons that listen for connections from the Internet and other stupid things. Plus, Linux has security holes. If stupid people don't patch them just like they don't patch winders, what good is the security?
Again: You can protect the stupid people from the world if you want, but you can't protect them from themselves.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
This is the classic case of a kettle calling the refrigerator black.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
MS is preparing the hype before Google announces their OS based on linux kernel.
If he was wrong, why would Red Hat et al sell service contracts and make money off of them? They accept that money in return for accountability, responsibility, and SLAs - all of which a major corporation will demand and which are not present in the pure open source model.
So, he's right, but he's also wrong in that Red Hat is not responsible for Linux kernel security, but they are responsible for getting patches out for issues discovered.
In other news, a representative from Yugo blasted BMW for not putting rear window heaters on their cars. "If you have to push it in the winter, your hands will get cold. What a crappy car."
Unknown host pong.
From Bruce Schneier: "Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that an unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) has an online mean life expectancy of 3 months before being successfully compromised." I think the term is not "more secure" but "less vulnerable".
http://www.michel.eti.br
You see, it's called marketing. He is saying exactly what big wig CIO/CEO/C[A-Z]{2} understand and like to hear. Accountability. That's a big thing to most corporations.
Now, him saying that Redhat can't improve the kernel is simple BS, and could either be a fundamental lack of understanding on his part, or just a flat out lie. Given his position, I'm guessing it's a lie. Redhat (as have most distributors) patches the kernel with its own magic, and will often update it on its own.
Cliff notes: MS marketing with head in sand. News at 11.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Is he serious? Or is it some kind of joke?
eKlode your senses.
i honestly don't know who's responsible either.. maybe it's Linus?.. or how about that penguin dude! aah tux will save us won't you tux?
Should be:
Linux claims M$ security a Myth.
This is another example of Microsoft's marketing prowess. They know that IT managers want to hear about vendor accountability, single source solutions, etc. Those who still are using only Windows are probably not technically competent enough to see through the FUD. The truth is irrelevant here.
and emacs.
If anybody actually used Linux for anything, we could find out. As it is... we just don't know.
Who is accountable for the security of the NT kernel? Microsoft are so arrogant that they protest at being made accountable to the US government or the EU, so I doubt it's them. Windows is only ready for mission-critical computing if mission-critical means uptimes around 35 days.
Move along, people. Nothing to see here. There's no point in getting pissed off about this; Microsoft shills are liars and exaggerators.
...
I will never forget -- seeing as how it happened only on 19 December just gone -- about my broadband installation. Not wanting to rock the boat nor confuse the cable installer guy, I rebooted into XP just prior to his arrival. He hooked my old beater celery up with DHCP and I surfed for about ten minutes. I thanked him and he left.
So I figured I'd do the decent thing and do the security updates.
Eight hours later, I cleaned off the last of the spyware, adware, malware horseshit.
To Nick McGrath: Fuck off and die, you wanker. How much you want to bet your router at home runs a Linux variant for firewalling purposes?
========================================
Death will come, and will have your eyes
-- Pavese
They take responsibility for their distribution. They will patch their kernel if anything seems wrong with it. From time to time they pay for an audit. Similarly the debian people vouch for their kernel, and so on. The vanilla kernel.org kernel is only accountable to the kernel.org people, true, but most "enterprise" distribution makers will stand up for every package they distribute.
I am trolling
LIMITATION ON REMEDIES; NO CONSEQUENTIAL OR OTHER DAMAGES. Your exclusive remedy for any breach of this Limited Warranty is as set forth below. Except for any refund elected by Microsoft, YOU ARE NOT ENTITLED TO ANY DAMAGES, INCLUDING BUT NOT LIMITED TO CONSEQUENTIAL DAMAGES, if the Product does not meet Microsoft's Limited Warranty,
So, are we to believe that if Windows crashes my data, I can hold Microsoft accountable?
At least with Linux I have access to the source code, and can hire programmers to scratch my itches for me. Somehow, I don't think microsoft would give out source code if they went under.
I think he's referring to MS Active Directory and their Kerberos support, not the .NET Passport boondoggle.
Apparently it's well-known at Microsoft that Linux doesn't support Kerberos.
McGrath is not making a technical argument, but a management/legal one. In business, security (i.e. peace of mind) is not defined by the tightness of a piece of code but by who you can make accountable for any failure.
Microsoft at least is the clear and sole owner of its product. Though any single customer's ability to make it responsible for product deficiencies is slight at best, a statement of "we're here and responsible for our stuff" is superficially reassuring.
a world in progress...
Fud! Fud! FUD! Fudfudfudfud! FUUUUUUD!
There are fundamental things missing, ... no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program.
Please, someone, tell him about kerberos...
"You mortals are so obtuse." -Q
the virus creators, not Microsoft.
Sure, there are linux viruses, you just have to be determined to run them: http://os.newsforge.com/article.pl?sid=05/01/25/1430222&from=rss
I don't get it.
He's just pining for the fnords.
Sheesh, evil *and* a jerk. -- Jade
Linux is not Windows
So the Microsoft bigwig Nick McGrath says 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel.'
Well Ok Nicky - you are implying then that MS DOES take responsibility for the security of its products? If that is so then you are lying because the last time I read YOUR EULA it states that you guys will take our money but will not take responsibility for any defects etc in YOUR products.
Once again we have idiots making statements for none other than the idiots that are running the IT industry...
I use KDevelop and it works fine, thank you very much.
I am trolling
Come now. This is ridiculous:
I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.
This is true, I will agree.. in my humble opinion. Let's save the editorializing for the comments. This is 'News for Nerds' - this sort of snide comment has a place in an Op/Ed page, but certainly not the 'front page' of a news site. I suppose there are divergent ideas of what Slashdot really is, but I think that endeavouring to be unbiased would be great.
I'm not meaning to troll or to be 'flamebait' here, just to point out a disturbing trend I've noticed in biased story submissions.
"There's no success like failure, and failure's no success at all."
- Bob Dylan
Great! It's nice to see someone challenging the Linux Way(tm).
:)
Prove it
At least with Microsoft you know Microsoft is accountable.
That really helps me a great deal, NOT.
I prefer the Linux model, where I can see the 3-line patch before applying (within hours or days).
Instead of the big service pack with the gazillion changes, of which I have no idea of the impact on the system.
Yes, they have hotfixes too, but that doesn't mean I can see what they do/change.
The Microsoft way is russian roulette.
New things are always on the horizon
Unfortunately, part of marketing, especially when your product is getting negative publicity, is pointing out perceived flaws in competing products. I believe the term often used is FUD, and it's nothing new or unique to MS. Heck, it's pretty much how GWB won a second term.
When it comes to this sort of thing, they have a wide latitude of opinions they can express, especially when there is no Linux, Inc. to sue them for slander. The Linux community, however, has been quite good at spreading the word about MS badness; they're just trying to do the reverse because their feelings are hurt.
The CB App. What's your 20?
Spyware:
Windows: I run a spyware checker every week or two, and it almost consistently finds new spyware.
Linux: Is there a spyware checker for linux? Does there need to be? I know that my Linux box runs consistently fast, and has no search bars.
Edge: Linux
Default Habits:
Windows: The Windows XP install, by default, seems to create an Administrator account with no password, no User account, and no suggestion that there should be a user account. Also, there are many services that are on by default, that really shouldn't be.
Linux: All linux distros I've used require a root password, and strongly emphasize that root is not to be used for day-to-day computing. Depending on the distro, most unnecessary services are off by default.
Edge: Linux
Updating:
Windows: Use an insecure browser, tied to the OS itself, to browse to Windows Update, wherein the system is updated. Note that these updates have a nasty habit of breaking things, and this does not update third-party software which may be vulnerable.
Linux: sudo apt-get update; sudo apt-get upgrade
OR sudo emerge sync; sudo emerge --update world
Edge: Linux
Do I need to go on?
The flaw in the argument is that Linux as a standalone entity does not exist - it is always an interpretation of a particular vendor, i.e. RedHat or SuSe or whoever. And those vendors do indeed claim responsibility for whatever pieces of code they decide to pack onto their CDs. That's what they ultimately get paid for.
And on a practical level, well, we all know the security statistics.
http://zero-to-enterprise.blogspot.com/
MS has this self imposed myopia when it comes to security, they won't and can't understand because if they do, it is game over for them.
That said what they won't allow themselves to admit is who is responsible for the kernel. The simple answer is everyone and anyone, that is the beauty of open source. If there is one entity that chooses not to do something, you can shoulder the responsibility.
In open source, there is no one throat to strangle, just 10, 100 or a million different paths, and you choose the right one or forge your own. If there is a flaw, someone will fix it, and they will be the new king. MS can't come to terms with this.
You don't need a single entity to decide for you, you can do right on your own. All the tools are there.
-Charlie
...especially because they claim they are explicitly not responsible for anything.
i really don't want to play down the problems linux has with its development model and i sure have heard great things about the microsoft development process!
but i'd rather have a more secure system now, which lacks in development stringency, than a provenly unsafe system which can prove exactly when, why and how their bugs came into the system...
microsoft is just far too lax concerning their outward security policy (like not caring about the blatant RC4 exploit). their "patch day" with all those patches that never quite close the exploits is just a farce!
well, gnu/linux with all its applications has had a bad streak of exploits as well recently and i would strongly recommend a stricter development process, but if i were microsoft i'd definitely tone down on the linux-is-insecure-and-lacks-accountability bashing and instead invest some serious effort in making my own product look a little more convincing and less like the bug-ridden security hole that it is!
jethr0
Apparently it's not about good design, algorithms and code. It's about "accountability" and "responsibility", i.e. who to blame when the crappy code finally hits the real-world fan.
Who needs a good product when we have someone to point finger at?
From "Microsoft's Longhorn Faces Antitrust Scrutiny":
One analyst opines that Microsoft is appearing to soften its image to become kinder and gentler. 'They don't want people to hate them anymore. They've learned from their mistakes.'
It's okay, we all suffer from schizophrenia every once in a while.
...their imagination knows no bounds...
Can this entire article be marked as flamebait?
I try to motivate myself into responding to that flunky, but I just can't. Please, there's no reason to state the obvious replies to this drivel.
This is so pathetic, so worthless, that I really feel some pity for Microsoft's utter inability to deal with Linux's threat to their business model, in any meaningful way.
They're totally reduced to thrashing around, looking for something, anything, negative they can throw against Linux, and make it stick.
I've seen better stuff on Usenet.
McGrath is playing on the major corporate IT fear "who do we sue when something goes wrong?". But it will backfire, if any of the (usually spineless MS lapdog) IT magazine press actually talk about the reality. Microsoft's hugeness and bad attitude towards its insecurity means that you *can't* sue MS when it screws you. Occasionally you can, and win, but the odds are much higher that you can't afford to start the battle, especially if the MS exploit has damaged your business substantially. Combined with the much higher odds that your MS SW will be exploited than your Linux SW, and MS is flirting with disaster. The inevitable dividend on their decades of investment in insecurity and not caring.
--
make install -not war
Mike Tyson accused Michael Jordan of being "violent and out of control."
And Richard Simmons accused Charlton Heston of being "way too gay."
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
There are fundamental things missing,' pointing out the lack of a development environment and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program.
It should be floundering, not foundering!
"First they ignore you, then they laugh at you, then they fight you, then you win."
-Mahatma Gandhi
"In Microsoft's world customers are confident that we take responsibility. They know that they will get their upgrades and patches."
OH! He's just talking about upgrades and patches? That's accountability??? Show me a major Linux distribution that doesn't provide upgrades and patches... next show me one that is slower than Microsoft at doing it.
The only one I can think of might be Slackware, but I'm not even sure about that.
Yeah... certainly having someone to blame in case something fucks up is more important than actually doing work.
teh google knows all
Believe me, I realized the absurdity of the statement before I got to the sarcastic editorial comment at the end. It's not necessary. Stop it.
This is my sig. There are many others like it, but this one is mine.
Sorry, I don't get why parent is flamebait? I thought it was an interesting comment.
I'd suggest that he was referring to Active Directory or NTLM and not as you think, Passport. No windows network uses passport for sign-on.
I haven't read their shrinkwrap agreement for a while, but IIRC they pretty much disclaimed all financial and liability responsibility for everything from minor bugs to malicious destruction.
At least with Linux, if software doesn't work the way I want it to I can try to get it to work myself.
No, we are more sure that we have to work around their problems.
They know that they will get their upgrades and patches."
I think he missed the word 'might' out from that sentence.
Since when has MS taken accountability for its security flaws?
Shoot Pixels, Not People!
But there have been security vulnerabilities in Linux distros, and virii aren't absent from the landscape, either. As to which OS is more/less secure, it seems that the more important question would be "is Linux as secure as is perceived by the general public, and is Windows as insecure?" I would have to say that such levels of security/insecurity would be amazing.
Yes, what a good point. There are multiple DE's for linux. This is a bad thing, because it means developers have a choice. There should only be one piece of software for each category, and it should be manufactured by Microsoft. Choice is bad, people!
My Systems
What is the difference between Microsoft's Nick McGrath and Jeffrey Lee Parsons, the teen who got sentenced to 18 months in jail for releasing a variant of the Blaster worm? They look alike, use Microsoft operating systems for their evil deeds and they are both criminals, the only difference is that McGrath is not going to end up in jail for bogus claims and slander, at that level it's called marketing.
In a networking class I was obliged to take, the instructor's favorite rant about Linux was, "Who you gonna sue when something goes wrong? The penguin? The penguin!?!?" He would repeat this over and over; thought it was really witty. I pointed out to the yob that you can't really sue Microsoft either, because of their restrictive EULA, but it didn't make a dent in him. "You gonna sue the penguin?" he'd yell. Guys like him make me never want to take a course ever again. Just gimme the damn books, and let me work it out on my own, bozos.
Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.'
Why, of course he does. That's his job.
In other stories, water's wet, sky is blue and women have secrets. More news at 10!
how about checking the bitkeeper logs and see who committed a certain portion of the kernel?
here's a question for microsoft. what happens when a major vulnerability comes out that none of microsoft's customers can do a damn thing about, and they have to wait days/weeks/months for a fix? shit out of luck, that's what. with linux i could hire a developer to fix it if it was causing me enough of a problem. or i could wait for one of several major companies with dozens of kernel hackors to fix it (who often have a much faster turnaround time for patches too! imagine that).
- tristan
If so, isn't a huge advantage of using ANY *nix in production that you don't have to have the overhead of running a graphical desktop environment if you don't need to?
Twenty years ago Unix was known for its lax security. You couldn't even dream of selling a unix box for enterprise software back then. Newbies think linux/unix is secure because in contrast to Windows 95/98 it is way better.
Let's not forget either that the first Internet virus ran on unix and took all of an hour to bring the network down. Just ten years ago, Berkeley grads got a hold of root password for every unix box on campus in a few hours.
Even today, compromising your user directory is rather trivial. The technique is the same as with windows: send an email that causes buffer overflow.
Getting a hold of root is a tad more difficult, but not by much. One could write a tool that systematically tests for vulnerabilities. Let's call it backGnurifice. It would try the standard sendmail/redcarpet/cgi scripts/NFS/password cracking techniques, and succeed as often as similar tools do in the windows world.
McGrath does have a point about a lack of single sign-on. Yes, patchwork, complex solutions exist in Linux, but where is a "Wizard"-based solution, making it ACCESSIBLE TO THE MASSES?
I've wrestled with this problem (trying to find an easy solution, that is worthy of recommendation to others on tight budgets, who are not necessarily as geeky as me) for a long time.
What combination of networked/distributed filesystem and distributed authentication can anyone recommend that someone with a couple years experience in the world of Debian Linux can handle (ie. someone who knows about "man", "apt-get install", /usr/share/docs/*, /var/log/*, /etc/*)?
There are a few close candidates it seems as far as I can tell:
-Kerberos + OpenAFS + OpenLDAP -> waaay too complex to set up. There is poor/none/intimidating documentation on all three, let alone any utilities/Wizards that ask you simple questions in plain English that would help you tie them all together.
-Samba + OpenLDAP + GNUTLS -> much better documented, however this documentation could use a non-trivial update to be relevant to Debian Sarge, not just Woody: http://aqua.subnet.at/~max/ldap/#configure-openld
-Plone, eGroupWare, and several other "all-singing, all-dancing" web-based systems: in time one of these could realistically develop into a web-based platform that "does it all". These are all relatively easy to install but slow in performance for serious usage.
Am I missing anything here that anyone wants to share?
1. a) Can Microsoft run their own infrastructure for both internet and intranet operations on their own software? ie: Would it make economic and technological sense rather than go with a more efficient and scalable system, like Linux?
b) Would they want to? ie: Do they believe www.microsoft.com, as one example, to be safe running IIS?
2. a) Will Microsoft guarantee/certify/insure the integrity of .net passport services against compromise?
b) Would Bill Gates store the keys to the kingdom in .net?
how insecure would Windows be if you were able to remove IE and Outlook from the picture?
If Firefox becomes the great white hope for secure browsing on the Internet and the other one where it incorporates calendaring into Thunderbird has as much success as Firefox is getting(can't remember the name for the life of me), could this in itself slow Linux adoption? Windows has improved stability-wise over the last couple of years by leaps and bounds and supposedly they are looking at making it more secure (but I am not holding my breath too much).
Just a thought.
A delusional enemy is more vulnerable. Linux has gone too far for his words to carry much weight. The truth is already known in the industry.
"There's a myth in the market that there are hundreds of thousands of people writing code for the Linux kernel. This is not the case; the number is hundreds, not thousands," he said. "If you look at the number of people who contribute to the kernel tree, you see that a significant amount of the work is just done by a handful."
I don't think the number of developers is really a point of contention. Several people contribute but not every patch is included in the kernel. In fact, those "handful" of people are part developer and part manager, really. They take all the code and decide what gets in and what doesn't, based on needed/wanted features and good coding. I'm sure this isn't much different than MS's development practice... I'd love to hear from MS on what their practices are.
Nick McGrath has been out there on the anti-Linux campaign trail for almost a year. "Get the Facts" is a nasty and hostile pack of distortions put together by Microsoft's marketing machine. Any reasonable IT manager will get the facts by defining objectives and reviewing what everyone has to say. SD editors - stop fanning the flames and focus on more interesting stories about good stuff happening in FOSS. SD+MS=FUD
Guess that means it's time once again for your basic CmdrTaco/CowboyNeal Windows flamebaiting story of the week.
Nothing to see here folks, move along...
"Redmond has the best cannabis in the whole world".
Man, look at those "statements"... 'passport'? Pffffff.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former" - Albert Einstein.
aren't they? Name some in the wild viruses currently plaguing Linux. And no, not proof of concept rubbish thats never been seen and not worms.
This article is one of the most amusing pieces I've read lately. It shows you how little Microsoft knows and understands about Linux and the open source movement. Of course they can't admit that their Windows OS is a sinking ship and just jump on the Linux bandwagon like everyone else so they are spreading confusion and FUD in the hope to save their asses. That's hilarious...
Hmm, I'd like to know if anyone here has created a Windows System that is totally runnable off a CDROM, like I have with my Linux and BSD distros? I mean, I'd really like to see a hacker hack my CDROM firewall. Let's see them replace ls on a cd-r! Oh wait a minute you can't create a bootable cd-r with windows and make a dedicated firewall using only 32Megs of RAM and a cdrom.
Hmm My favorite security thing about windows lately is the new spy bots. Processes running in your process table that you can't delete. How secure is that?
So what is their definition of 'ready for the enterprise'? Evolution, OpenOffice aren't ready?
What's their definition of 'developer tools'? Perl, gtk+, qt, python, php, C, gcc, kdevelop, qt-developer, aren't developer tools?
You just gotta love that MS FUD!
Only 'flamers' flame!
Does slashdot hate my posts?
I wonder if he really believes his own bogus crap?
All of it is easily refuted. Yes, RedHat is accountable for the redhat distribution. RedHat will patch any security bugs it finds. Who is accountable for Microsoft bugs? Well, occasionally it's the people who finally make public security flaws that microsoft was notified of months ago, forcing them to take action.
It's all a bunch of crap and it's hard not to overreact, but the guy is just fishing. This is the kind of stuff you expect to hear from SCO, and it's good to see their partner Microsoft has started it too.
Somewhere between .22 and BB, I'd say...
rj
First of all, I can't trust this article because it's not digitally signed!
Now, on to the point. If someone comes out and says: "the default Linux kernel released by most distributions is not secure." I'll say 'hell yes'. Note that this is not what TFA states, it is a much broader screed against open source in general.
The problem is that if Microsoft wanted to launch a rational attack on Linux's security they would also be attacking their own products. I'm not even talking about the differences between open and closed source here, I'm talking about the ways that Linux and Windows both are susceptible to security issues. Right now most default Linux distributions put out kernels and user-space utilities in a system that assumes every piece of software has to be perfect to ensure security! (especially anything running as root) Windows is basically the same way. Once a hole gets found, it is easily possible to hijack an entire system.
Now, at this point the arguments between Linux and Windows invariably devolve along the lines of: Linux gives you the source code so you can find the bugs yourself or Windows runs too many services and that's why it's not secure. On the windows side we get arguments about how you 'can't trust unsigned open-source code!' (which actually does have some merit if you don't check source signatures you grab from some random mirror, but does not really speak to the OSS development model). The problem is that these arguments are more about which system is easier to band-aid than which system is innately more secure.
Let's really look at default Linux vs. Windows. Both have admin and user accounts, both follow a similar model of discretionary access controls, both can be hacked remotely although windows tends to get hit more because it runs too many standardized services.
The point of this very long rant is that Linux does indeed have security problems that are not of a nature much different than Windows. I would say the better track record of Linux so far is NOT due to it being open-source; that does help finding bugs, but plenty of Windows bugs are found and fixed before the Windows boxes are hacked. Instead it's because Linux (with some exceptions) does not install a bunch of stuff by default, Linux systems are not as homogeneous as Windows systems (software monoculture time), and Linux admins have historically been better than Windows admins (this is definitely something that will be subject to change in the next few years).
So is there a solution? Well, nothing is ever going to be perfect, but systems like SELinux and GRSec are big improvements because instead of saying "the whole system is perfect" they instead say "components in this system will be compromised, how do we isolate and protect it?"
There's a problem though, these systems require old-time Linux users to deal with new restrictions they might not want to deal with. I promise you that SELinux policies that work great on a production webserver would drive you insane on a development box, but you need to protect both machines, a hacker will target both.
I'll save my rant on Microsoft's security for when this story gets duped, it's another mess entirely. Just because MS is foobarred should not be an excuse for not looking to find and fix problems in Linux.
AntiFA: An abbreviation for Anti First Amendment.
If Linux security is highly exaggerated, then perhaps Windows has none?
The difference between Linux security and Windows security is this:
while no one is specifically responsible for Linux' security, its developers, its users, and the open source community take ownership of it
meanwhile, someone may take responsibility for Microsoft security, but not ownership
Now how is Microsoft, that's not even responsible for DEATH in their products going to tell linux developers their security model is screwed up?
"Linux is not ready for mission-critical computing" Don't tell IBM that. I believe they put Linux on their top-of-the-line Z series servers. Not ready, indeed.
"'Who is accountable for the security of the Windows kernel? Does Bill Gates, for example, take responsibility? He cannot, as he does not produce the Windows kernel.' 'Windows is not safe for mission-critical computing. There are fundamental things missing,' pointing out the lack of open standards and no single sign-on implementation giving reference to Microsoft's foundering .Net passport program."
Surely what comes out of the mouths of the Redmonders is something other than PR. So discussing its merits is hardly a worthwhile endeavor. Discussing its impact on PHBs and others who MIGHT believe them would still be more fruitful.
If it was someone other than Microsoft then evaluating its validity and technical merit would be the correct course of action. But, this is Microsoft we are getting this junk from.
These people need to be countered with the truth about its own systems. Then again, the virus and worm of the week seems to be doing a good job of this already. After all, why else would they feel they need to say this if the market were not accepting the fact that GNU/Linux ends up being more secure than Windows????
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
Maybe the OSS model doesn't produce the best software in the planet. Firefox has had its share of the vulnerabilities and Windows is catching up on usability and things. If the OSS model doesn't give the best results in terms of quality then maybe we should start promoting freedom, not the "superior" development model.
Ha, at last. I agree with Nick McGrath. Well done Nick. Linux is the crappiest OS ever!!, an OS that was built by PC nerds and potchers.
Linux CRAP!
Linux: Security through Difficulty
..Jump all over anything Microsoft says and rant and whine about how evil they are while intentionally misspelling MS with a dollar sign in a prepubescent attempt to look clever Dpt.
You can protect the stupid people from the world if you want, but you can't protect them from themselves.
Which OS is better at protecting the world from stupid people?
I recommend ScissorOS, the only OS that runs on a network cable, for stupid users.
paintball
Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
Er... and who is accountable for the Security for Windows?
Microsoft?
Internet-swiss-cheese-security-Explorer Microsoft?
And will Microsoft take responsibility for their security holes? Will they pay for the damages caused by crashes and exploits for their buggy software?
Maybe if they get their software quality up to a reasonable level they can START asking questions, but as long as they are as bad as now, they better keep their mouths shut, or they'll have to stuff their own feet in them.
+++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
This is complete and utter bullshit. MS does NOT force anyone to run as administrator. It's the goddamn developers who can't see their nose to spite their face and then write their piece of shit apps that cause these problems and force people to run as administrator. Outlook does not force anyone to run as administrator; you only need to be admin to install it. Likewise, IE does not force you to be an administrator. It's the goddamn developers who don't spend a bit of the cash that they reap from selling their wares to upgrade their development environments and are still using environments meant for Win 3.1 or 95 and trying to make their code run on XP.
Get a grip!
Secure Internet Explorer, sounds like an oxymoron to me
"... There are more skilled developers writing for the Microsoft platform than for open source...."
Microsoft can and does employ very sharp and talented people. But with some of the constraints the Microsoft business model imposes on them, how much talent reaches the end user?
I just have to wonder if design decisions in the Windows architecture such as remote procedure calls, user land applications in kernel space, legacy compatibility and embedding code into e-mail and http clients were decisions that were made by young, talented people who didn't foresee how hostile of an environment the WWW would become.
I don't think script kiddies use the Microsoft SDK. They rather use "third party" rootkits and such.
And no, Linux wouldn't prove less secure with more applications due to better IDE, RAD, SDK... you name it. It doesn't have such flaws in security like ActiveX without sandbox, office suites requiring admin privileges and flawed DCOM.
Besides, you always have SELinux...
Windows has no Gates of Security, therefore any OS Security is a Myth!
I guess that the 80% of all web and web application servers that run Linux must be wrong. Thanks for pointing that out to us. I am now going to shut down all of my servers and run out and get some Windows boxes. All kidding aside, how can this guy make statements like that and have any credibility with those who know? I guess that it must just be aimed at upper management personnel who, while maybe good managers, do not have real-world hands-on experience. "Most desktops run Windows = most servers should too" seems to be the equation that they are trying to convey.
My
Let's not forget that most of the work that has been done on the Linux kernel was done by people who did it simply because they wanted to. Not because anybody was paying them or holding a gun to their head, but because they had the passion for an open project. And nobody who puts his free time into open source is forcibly responsible for anything. If you don't want to be responsible for the kernel, you simply don't work on it. The people who do work on the kernel do it because they love it. And I have enough faith in the OSS community that anyone who wrote code with a security flaw in it that knows about it, would take responsibility and fix it. That's just the way open-source coders operate; it's the open-source idealism.
This "lack of accountability" argument is bullshit. Why does Microsoft have an EULA for its software? To cover their asses so they can't be held accountable for damages caused by their shitty software. When was the last time Microsoft was taken to court over losses due to poor software? If they could be held accountable, they'd get sued right out of business!
-kidlinux.
"Linux is not ready for mission-critical computing"
Yes... And we all know windows is...
I know you can run as a non-Administrator. I do & I force those on machines I manage to do as well. I also agree that the work needed to not run as Administrator is the fault of applications developers. However, when you install windows, your account is automatically an Administrator. Compare this to OS X or any commercial *nix where the first task during a default install is usually to create a non-root account. Applications developers should write better installers (the fault normally lies in the fact that they don't give read/execute privs to non-admins), but they don't feel accountable because most windows users DO run as Administrators, in part because that is what is default.
Any OS/app you install should have a reasonably secure config out of the box. You don't get that with Windows.
I haven't heard that particular flavour of FUD since, like, 2001. What a blast from the past, mang!
"Microsoft says it's great; competition is crap." Big deal.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
I see They have Hired Mohammed Saeed al-Sahhaf (former Iraqi minister of information) to head their marketing department.
... Then Microsoft security is mysterious?
Or else...
I don't know what I'm talking about...?
When Microsoft reimburses users of lost time and aggravation with security problems, then it will have a legitimate point of competitive advantage against Linux. Current EULAs limit damages to the price of the software. But a truly secure company (secure in both its software and its confidence in the security of its systems) should be willing to reimburse users that adhere to basic security protocols but are attacked through faulty software. Obviously, users that get 0wned by using insecure passwords, deactivating security systems, or failing to apply patches in a timely manner would not be eligible. But a securely-configured user that is compromised due to holes in the software would be reimbursed some appropriate amount.
Unfortunately, nobody seems willing to take this sort of pledge because they know that most software is a house of cards, security-wise. Perhaps it's time for software vendors to put their money where their mouth is when they make security claims.
Two wrongs don't make a right, but three lefts do.
I'm actually serious; you were moderated informative but I am really wondering where the superiority of the MS tools comes from?
We've always been at war with Eurasia.
...and goes on to get itself killed at the next zebra crossing.
Stick Men
I sincerely think Microsoft is turning all of its employees into trolls. If you take a peek at some of the MSDN blogs, you will see what I mean - they are engaged in drawing baseless conclusions and spreading FUD at any and all costs. Kind of shows how much they are hurt by Windows being insecure and Linux eating their market share. It's high time we stopped feeding the trolls and giving them undeserved publicity. I mean I would not mind a fair comparison on a sound basis but this is complete BS.
But running as administrator isn't the same as running as root. I witnessed a friend who managed to change the permissions on an NTFS file such that the Admin user could not delete it, or change the permissions to do so. I think it's kind of odd that there wouldn't be a user that could do anything they wanted. But then, if you're running as that user all the time, then why should you.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
people seem to think
Accountability == Security
Which is just plain stupid imho
Accountability just gives you a "soft" place to fall if anything bad happened
Or did I get something wrong?
errera hunamum ets
Hmm. They're off to a great start, aren't they?
My Greasemonkey scripts for Digg &
Also, a big, integrated IDE is really a matter of preference, and nothing more. You gain some initial ease-of-use, but you lose a great deal of flexibility. Windows developers will probably disagree because this is what they're used to, but why would I want my code editor to also be a compiler, build system, debugger, and GUI designer? Is it really that hard to press Alt-Tab? I'm not saying it's not cool to have your editor highlight the lines compile errors are on, but it's easy to do that, not only with one big IDE made by one company with one development paradigm, but also with a plugin to parse the output of "third-party," modular, independent tools. It's the Unix way, and it's nothing if not flexible.
Aside from the fact that there are no references to back up any of the claims that this McGrath fellow is making (I'd even settle for a research firm that was paid-off by Microsoft!), the 'author' of this article wrote a grand total of FIVE sentences. All five of those sentences paraphrase something else that McGrath says. The rest of the article simply quotes McGrath straight.
There's no discussion of the points, no consideration of other factors, and as far as I can tell, no fact-checking. There is simply no journalism happening here. I know I can simply move on, but it irritates me to know that some CIO out there (probably mine) will take this all in without a second-thought.
The shortcomings of the Windows OS are OBVIOUS to anyone who has to admin these systems in a real production environment, and even more apparent to those of us who have the pleasure of also running other systems. Just imagine what Windows might be like if they spent half of their propaganda budget on fixing the freaking software.
When he says, "Awww, who am I kiddin'!" and quits his job: Unless he's totally without conscience, it must be tough to fabricate such nonsense and sleep well at nights.
you had me at #!
Sorry to ask, but I've never had to look at this particular problem and was wondering if that was what you were suggesting. It seems like a good enough idea to me. Except I'm not familiar with how setuid-root works.
--grendel drago
Laws do not persuade just because they threaten. --Seneca
I work at a television station and we have many many Win2k servers - the main automation server is Sun, but the servers that play out the video are Win2k. We didn't know that our workers would be browsing the internet, and one day, 7 million dollars' worth of stuff & a 12 TB server were mostly broken, because of Bonzai Buddy, Bargains.exe and other shit like the FreeSexFinder.com toolbar.
In that case, if Linux isn't ready, I wouldn't say Windows is either. Now if they could finally remove IE, get rid of ActiveX then maybe it would be a little more acceptable.
From my brief experience with server 2003, they seem to have really limited what out of the box IE can do, so at least they are aware they are insecure.
Just the description is enough FUD. Seriously, just as everyone's saying, there are EULAs in all Microsoft's products that have that little disclaimer at the bottom saying they have no liability for bugs, hackers and other nasty surprises. The GPL has a similar liability clause.
But if we're going to talk about Microsoft-style accountability, the group who actually made the software are "accountable". The kernel team are responsible for the bugs in the kernel, the KDE team responsible for KDE. Just because these groups aren't often companies doesn't mean there aren't people one can talk to about fixing the bugs.
I'm presuming this is some sort of weird troll, moderated "informative" for some odd reason (seriously moderator, "informative"? What derf?)
Seriously, if you think the Microsoft development tools are far superior to anything else in the world, then I can only presume you've never used anything else in the world :).
If they were running XP Pro, I think they should still be able to "take ownership" of it & then change permissions. If they were running XP Home, I know you actually have to boot into safe-mode to handle this.
You can actually do some very strange things with ACLs under Linux too.
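Two Windows points come up in this thread: a default install puts the first account in the Administrators group, with installers that fail to grant non-admins read/execute on their files, and an Administrator can lose the ability to delete a file until ownership is taken back. The following PowerShell script is an added example written for this page; it is not from the thread, from Microsoft, or from any product mentioned here. `C:\Program Files\ExampleApp` is a placeholder path, and the function names are my own. It checks the current account's Administrators membership, audits an install directory for a `BUILTIN\Users` read/execute allow entry, and shows the take-ownership recovery step using the standard `takeown` and `icacls` tools.

```powershell
# Added example for this page (not the thread's or Microsoft's code).
# Assumes Windows PowerShell 5.1 or later; the path below is a placeholder.
param(
    [string]$InstallDir = 'C:\Program Files\ExampleApp'   # assumed, not from the thread
)

function Test-LocalAdmin {
    # $true when the current token carries the Administrators group,
    # i.e. this session runs with the "Administrator by default" problem.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-UsersCanReadExecute {
    param([string]$Path)
    # $true if BUILTIN\Users holds an Allow ACE that covers ReadAndExecute.
    # Installers that omit this are why non-admin accounts "cannot run" an app.
    $need = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $acl  = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            (($ace.FileSystemRights -band $need) -eq $need)) {
            return $true
        }
    }
    return $false
}

function Repair-Ownership {
    param([string]$Path)
    # Recovery for the "Admin cannot delete or re-ACL this file" case:
    # take ownership first, then grant Administrators full control.
    # Both steps need an elevated session.
    takeown.exe /F $Path | Out-Null
    icacls.exe $Path /grant 'Administrators:F' | Out-Null
}

if (Test-LocalAdmin) {
    Write-Warning 'This session has Administrators membership; use a standard account for daily work.'
}
if (-not (Test-UsersCanReadExecute -Path $InstallDir)) {
    Write-Warning "$InstallDir grants no read/execute to Users; non-admin accounts cannot run it."
}
```

One caveat worth knowing: inherited ACEs sometimes appear with generic rights (a large negative number in `FileSystemRights`) rather than the named `ReadAndExecute` value, so on such directories the audit function reports a false negative and the entry should be inspected by hand.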
> From these words I conclude that any business that lost time/money from Security Holes or Bugs in Windows they can go to Microsoft and present a bill which Microsoft will gladly pay.
I wonder if a business could invoke these words and similar drek from other MS execs in a lawsuit.
Sheesh, evil *and* a jerk. -- Jade
Hi, nice try M$ but nobody will believe you. my 2 cent
Yes, when Microsoft produces a product that breaks and causes you or your business material loss you have somewhere to point your finger. The only problem is, you have no recourse because Microsoft legally indemnifies itself from compensating you for any losses their products cause!
Reports like these are nothing more than marketing tools for Microsoft. Their targets are those organizations that incorrectly assume that by purchasing software from a large corporation they have legal recourse when it breaks and causes them large losses.
You're right about the administrator problem, but you've got it backwards with the exploits. If you look at the dates when Microsoft releases a major security update and when a worm/virus begins to exploit it (Blaster is a good example), you'll see that the worms come a few days after the patch. The most likely scenario is that virus writers reverse engineer the patch to figure out the problem and exploit it.
Contrast this to Linux: If you find an exploit, the culture is full disclosure, including sample code that uses the exploit. Yes, it gets fixed soon after, but you still have the exploit before the patch.
Maybe you meant Windows users get exploited before they apply the patch, whereas Linux users generally apply the patch before anyone attempts to exploit them. That's just a factor of Linux users being better at updating their system when they're supposed to, and fewer people targeting Linux because of that very same reason.
A Windows machine with automatic download/installation of updates, that is rebooted when it's supposed to be (yes, another fault that adds to the problem of users not updating when they should), has a tiny chance of being exploited - no more or less than a patched Linux box.
It's called Mac OS X Server.
...has M$ ever been held accountable for their security-flawed operating system, IE, Outlook Express and the like?
Isn't it that their EULA explicitly declines any kind of responsibility for damages caused by their software?
Well, for one thing, the '98 machine down the hall actually locks up, freezes, crashes when I try to copy things from a scratched CD, whereas a 2000 box may refuse to copy it, but at least it doesn't crash the whole system when I do it.
But from the standpoint of security, despite myriad changes in the basic architecture, it seems to have made very little difference where it counts---in the number of active remote exploits.
--grendel drago
Laws do not persuade just because they threaten. --Seneca
The new, kinder, gentler Microsoft that wants no one to hate them. Read all about it here...
I've been a windows-less user for almost a year now, sitting atop the warm, well-trimmed Gentoo hilltop.
Although it took me a lot of this year of usage to get my system exactly the way I want it, I did not have to deal with many other factors that I did when I had a Windows OS for several years before that.
I don't have to worry about installing some program which will magically root itself into the very core of my computer and will be forever irremovable, short of a format.
I don't have to worry about anything just ceasing from working if one day Windows decided to freeze during an installation.
I don't have to worry about keeping my software up to date. (Thanks to emerge)
I don't have to worry about finding cracks for all the updates for my software. (Thanks to open source and free software)
I don't have to worry about finding "work arounds" for any problems I have. If I have a problem, I fix it, because I can.
Now, I know that Gentoo's market is not the same as Windows', but I'm perfectly happy with that. I have my own little paradise on my computer, if everyone else wants to deal with the stresses of Windows, then they can.
The main thing that keeps me with linux is the whole "got a problem? fix it yourself (of course there is a huge community which will gladly help you do that)" mantra, instead of "got a problem? you can't do anything about it until the next service pack 2 years from now, and even then it's questionable."
- shazow
Hmm, so a senior Microsoft exec claims that Linux cannot be secure because no one stands to profit from its security? Somehow I understand how that can make sense to people like him.
Not a troll, just a code gnome :) There ARE, indeed, bits of the Linux software stack that are either missing or malfunctioning. Some of the 3lit gurus will argue it is useless software, but try convincing some corporate web designer to work with Quanta (or emacs!) instead of Dreamweaver. I have yet to find a robust IDE in Linux, one that does not crash when it feels like it, doesn't keep closing useful panels like Class List, has some syntax completion and context sensitive (or any kind of) help that does work. Most developers who are not enlightened enough to use emacs and grep seem to need these things. What are the alternatives to AutoCAD and 3D Studio? The list goes on.
You all know the problems with hardware support. We know it's mostly the companies' fault, but the guy who will deploy linux doesn't CARE whose fault it is. All these problems are seen as lack of Linux software, and they should be addressed and not shoved under the rug.
Seriously, why would such a smart guy say such stupid things?
It would be great if Microsoft could document all the security problems it finds. After all, the software is open source, and Microsoft has such great developers. This would help Microsoft prove to the world that Linux isn't secure!
:-)
Of course, the developers would be happy to get such information.
Welcome to the community, Microsoft. You've been assimilated.
Can You Say Linux? I Knew That You Could.
In my first university course in software engineering, a MS EULA for Windows was used to discuss "flawless software", something, as aspiring engineers, we should all strive to aim for. This EULA said (paraphrased): "This software comes as-is with all flaws and MS cannot be held responsible or should expressly remediate to any flaws"
Sun Java disclaimer: "The Java technology should not be used in critical condition software, ex: airplane traffic control and medical contexts where the lives of human beings might be endangered"
The only flawless software case we could study was the NASA one where they exhaustively test ALL system possibilities in simulation, but these things cost and take at least 10 times the commercial software. In this case, BSD is stronger than Linux, with better development methodologies and a less commercial aim.
So, the point is moot, FUD, and hypocritical. The real secure software is used in critical condition environments and lacks the features for desktops and small to mid business management, as it was designed for other aims.
Software engineering is a young discipline not recognised as true engineering compared to civil or mechanical. If bridges were to fail all around as often as we find bugs in software, the world would be in chaos, but bridges were built thousands of years ago and the discipline evolved. The same will happen with software. I see Microsoft as the potential leader in the evolutionary process, but they took the corporate way and only care about revenue.
Researchers will take the role, and open-source is the way to go IMO. This is where open source is strong and MS is flawed.
We should have been
So much more by now
Too dead inside
To even know the guilt
I cannot believe the spokesman would dare ask, "who is responsible if something goes wrong...?". MS signed away any responsibility for Windows boo-boos a long time ago. What a bunch of damn hypocrites.
The worst part is that most people believe them. It reminds me of ITAA's claim that the US needs H1Bs primarily because "there are not enough skilled Americans". I've seen companies toss citizens for H1Bs and it had nothing to do with education level. Nor did ITAA offer any solid evidence. But people will believe the ITAA because of the reports that US students score lower on international tests.
Lies and FUD spread far and wide unless challenged with equal countermeasures. You have to fight fire with fire. Truth alone is not sufficient.
I propose we form GeekPAC, a geek political action organization to take on the corporate shills in areas such as open source, patents, DRM, visa claims, etc. The corporations have too much influence because they buy influence via bribery, favoritism, campaign donations, and paid shills who visit towns and newspapers.
We must counter this vast army of Corporate Storm Troopers or else they will crush geek values into disconnected carbon atoms.
Table-ized A.I.
Only vaguely on-topic, but I've never really found an answer to this question: are there any open-source Linux C++ IDEs that have good Intellisense/auto-completion and the ability to pause a program while it's running, edit the source, and resume with the new changes taking effect? Something like VC++ 6 would be cool.
:)
Thanks in advance
YHBT. YHL. HAND.
No, but seriously... this MS statement is nothing more than a troll and/or flamebait. Should we even react to this?
The comments make reference to the fact that there is no central organization on the hook for security in Linux. Software stability is a separate issue, and is not mentioned as you imply.
There are significant advantages to having a corporate entity be responsible for resolving security issues. Since their sales are on the line, they should be highly motivated to fix them.
Corporations also provide a target for lawsuits that might arise in order to recover damages that occur due to a security flaw.
You must be new here.
'Linux is not ready for mission-critical computing'
... while Linux "just works" (tm)
mmh... let M$ show us where they use WinXX as a mission critical OS... mmh, why does MSN have Squid proxy servers behind its web servers? I don't think Squid runs on winblows...
oh, also... why don't the biggest computers in the world (see the Earth Simulator) or similar run winblow$?
mmmh...
the true sentence is: 'Windows is ready for making computing a critical mission'
I was there.
As we all know, Open Source Software development is structurally similar to the scientific method and evolution in terms of how "new things" are created by these systems. Similarly, what Microsoft is claiming is that software can't be created well "at random" through emergent means (we know that's a crock) but needs "the Hand of an intelligent Creator" to control everything (Microsoft == God, apparently). Ergo: Microsoft is claiming that only "Creationist Software" is good software - "Evolutionary Software" is evil software.
I think this could be a useful angle of attack against Microsoft FUD: they are advocating creationism and faith-based solutions to computer science.
If I made some open source program, and there was some security problem that, for whatever reason, I could not fix, someone else can.
There is no accountability in the open source model, but it does not need it, because anyone with the knowledge to fix a problem or add a feature or whatever not only can do so, but is encouraged to.
Is that not the point of the open source model?
I like the related articles at the bottom of the page.
RELATED ARTICLES
* Microsoft to axe Windows 2000 security upgrades
* Microsoft enhances SQL 2005 security
* Viruses plague half of UK Windows users
* Linux fights off hackers
* Busy day for Linux administrators
* Industry giants offer Linux consumer boost
* Windows open to critical vulnerabilities
You know, it's easy for us, the enlightened, to laugh at stuff like this, but Microsoft isn't being stupid. They know that if they make enough pronouncements that instill FUD in enough of the right minds, the Linux marketshare will start to shrink.
CIOs of the companies that are pouring money into Linux and other opensource projects are taking risks. If they get nervous, they WILL stop taking them. The only way to fight FUD is for the companies that have a real stake in opensource (IBM, Novell, etc.) to turn their own marketing departments loose against Microsoft.
n/t
How many viruses and worms are written for Linux vs. Windows?
Argument over.
David
Without getting into a flame war, he does have a point; although not a conclusive point, it's insightful. However it kinda breaks down when he brings in Windows: even if Linux was very insecure, there are still plenty of OSes (generally *nix) that are far more secure than Windows will ever be. Even if the kernel implementation itself has issues, the actual POSIX base is a far superior idea to the mess that is Windows, and that's talking about modern NT based Windows; 9x etc... that's just a joke pretending to be an OS.
This comment does not represent the views or opinions of the user.
I am generally a UNIX programmer, but I have also used custom operating systems. Only twice have I had to use M$ tools. Both times I have found obnoxious stupidities that led me to the conclusion that M$ does not use their own tools in any reasonable fashion.
Around 1989, I had to use whatever Visual Studio was called then. In the debugger, while stepping thru some C code, I accidentally stepped into strcmp or some other function for which the source code was not available. It dropped into assembler mode, quite fine, just a matter of stepping until it exited back to C code. Except it then displayed the C debug screen without first clearing the assembler debug screen. Lots of pieces left over, register displays, hex codes for instructions, etc. Almost unreadable. It gradually cleared itself up as I continued to use it.
Around 2002, I had to use Visual Studio for some small project. You can click on an API and it automatically adds skeleton code to source files. It leaves those windows open, and I did not want so many windows open at once, so I tried to close them. Nothing under any menu I could see, but the X in the corner worked. Next time I used the skeleton code inserter, it complained that the file had been modified by an external program.
Now I suppose I was doing things the non-M$ way. There is probably some perfectly normal way of getting rid of excess windows. Maybe I should have iconized them instead, but that clutters up the task bar. I found two other similar bugs within the first half hour of using the beast.
These are the kind of bugs that anyone using the program would stumble across very quickly. How can the M$ developers take any pride in releasing such buggy code? How can they stand to even use such crap software? Is it so crappy that they don't use it themselves?
I have no respect for M$ programming skills.
Infuriate left and right
Please mod article as Flamebait.
Clearly the proof is in the pudding to indicate otherwise. Compare open source products to commercial counterparts on cve.mitre.org: Apache 1.3 to IIS, Exchange to postfix/qmail (nobody still uses sendmail, I hope), etc. Statistically Open Source IS more secure despite market shares (Apache vs IIS).
There is one very fundamentally true statement here.
If there IS a major security issue with a single distribution of Linux, the Open Source Community can sometimes be a lot slower to react because of its design.
Distributions such as Red Hat don't apply because they are a single source of patches and have dev teams that would work on fixes and patches, BUT if companies use ones such as Slackware or Debian, they might find the patches don't roll in fast enough for their comfort.
Flame me all you want from your parents' basement, but I am still a network engineer with experience implementing all these things for MANY years. ps. CMDTaco you are a petty bastard for -1'ing me for not agreeing with GWB on Iraq.
I only have to wrap myself up in the warm and protective arms of a Microsoft EULA to feel the shielding umbrella of accountability.
McGrath slays me.
"He goes on to say that 'Linux is not ready for mission-critical computing.'" Not ready for mission-critical computing? My company sells a full-scale Air Traffic Control system that runs on Linux. We're operational in one country and currently deploying to two additional countries right now...
quote:
(XP Home EULA; the Windows Server 2003 EULA was a bit hard to find on microsoft.com, I wonder why ;) )
P.S. I tried to copy and paste it from microsoft.com - but what does slashdot tell me:
"Reason: Don't use so many caps. It's like YELLING." :))
Mind you don't step in the FUD.
--
bachiatari na torisetsu o yome!
In October 2004 it was discovered by MaxPatrol team that it is possible to defeat Microsoft® Windows® XP SP2 Heap protection and Data Execution Prevention mechanism. As a result it is possible to implement:
If they could do things like fix the Administrator-by-default problem (and, worse, the fact that many programs/dlls are run with escalated privs), turn off a lot of unneeded services, and improve their firewall, I'd be much more willing to agree with you that it wasn't significantly worse than most *nix boxes.
I just think MS isn't yet in the position to criticize Linux on this front. Perhaps with Longhorn or some other update, they can say that the insecurity of windows is a myth. I don't think they can make that claim now.
Microsoft has not only learned how insecure Linux is. They have also determined that Windows is the most stable and secure OS on the market today. Their extensive research is indisputable. But can not be released at this time. "Just trust us."
I don't see it happening. Relatively few companies have the sheer balls to face the army of lawyers MS pays. And a Microsoft lawyer could probably convince a court that the sky was pink and the judge could breathe underwater unaided.
IDEs are overrated. I've used Visual Studio, etc and wasn't all that impressed. Homesite is nice, although I use it less and less these days. Anymore, it's mostly vim/emacs/grep for me, thanks.
How many closed-source software companies are accountable for the quality of their code? Microsoft certainly isn't, and neither are most other closed-source vendors, who have teams of lawyers paid to do nothing other than write airtight EULAs with sections that absolve the software manufacturer from any responsibility for problems that result from buggy software.
Microsoft has no leg to stand on here, and won't until they write a EULA that specifically gives users the right to sue Microsoft for damages as a result of all those IE bugs.
Visual Studio is a good IDE; things like IntelliSense make me immensely more productive. But IntelliSense is not available only in VS; Eclipse has it too, for example. And AFAIC, the advantage of VS is offset by the problems we see debugging programs (IIS-hosted COM components, specifically); since everything is tied in to everything else, it's *damn* hard to compartmentalize the problem and turn off irrelevant stuff to home in on the problem. From my perspective, developing for Linux is a lot easier.
The post was not meant as a troll, only to answer the usual anti-MS /. BS. Certainly they cost money, and free software has that clear advantage, duh. As a language guy, having written many compilers, I am quite impressed by the pragmatic design of the C# language. It is greatness. Also, I personally don't want to write another line of DB access code; the fact that these tasks are automated, integrated, and yet flexible is one of the strengths of MS tools. All the fancy dialogs and wizards simply generate code that actually works, unlike something like Rose, that has to be tweaked to death. Yet that code can be modified for flexibility; it isn't just a black box. Also, in MS, exceptions actually work, and I don't have to go back to the 80's technology of setjmp/longjmp. Templates work, and have for nearly a decade, and they compile down in very cleverly optimal ways. Typed collections rock. Duplicate-on-write strings rock. Some folks even write templates in such a way as to get better, more optimal code than without them. The debugger is truly integrated and just works. I can traverse the most god-awful data structures live without it crapping out on me the way Mac/GNU tools do. Etc.
Six score characters.
Brevity being wit's soul
I have enough space.
In Microsoft's world customers are confident that we take responsibility. They know that they will get their upgrades and patches.
Yes, you really do live in your own world, don't you?
... because no, Red Hat (for example) cannot take responsibility for 'the Linux kernel', because that is indeed separate from their distribution.
However, Red Hat is in no way dependent on 'the Linux kernel', because they have the source, and they have permission to modify it. They CAN and in fact DO take responsibility for the kernel as supplied with their distributions. Red Hat issues their own kernel, and has been known to fix security issues (and even add features) before they make it into the main kernel tree on occasion.
The Microsoft veep is basically saying this:
1. RedHat is not responsible for the core Linux kernel distribution
2. RedHat make a Linux distribution
and trying to claim that these are related. They would be if the kernel was closed source, but it's not. Red Hat could fork the kernel tomorrow if the core distribution didn't match up to their customers' expectations. They probably would, too.
(Oh yeah, 'solution stack'. Bwhahahaa. Marketspeak gets worse every day... oh, and 'no single development environment'. Choice, apparently, is a bad thing. Just imagine all that taxing thinking you might have to do. No, far better not to think and choose Microsoft)
Typical MS FUD. Interestingly, if you swap the places of Windows and Linux, you will find exactly what we have for Windows... projecting your own weakness(es) onto your competition...
I've heard this from several corners. Sometimes, even from people I trust a bit. I still don't get it. I don't live in the MS world, so I don't have much of a reason to experiment, but I am honestly interested in what makes them so great.
I hear about the "tool tip" style reference checking, auto-library chain analysis, etc. The first would annoy the shit out of me, and the second I get from my make file (or ant, depending on what I'm building).
C# seems to be a slight step up over Java, but nowhere near enough to incur the cost of switching platforms. (I say this as someone who develops and maintains production apps in Java, and hates the language.)
As a sysadmin-cum-developer-cum-business-guy, I do everything in vi, make/ant, cscope, and custom tools using primitives like sed, awk, grep, perl, svn, RT, image-magick, [custom mailing list manager], etc (yeah, perl can replace sed and awk. I mean to, some day...). I think I have everything I need, but I'd love to hear about how it could be done better.
So, please, do tell- what makes MS dev tools so great? I'm really curious.
I forget what 8 was for.
Who is accountable for the security of the Linux kernel?
Who is accountable for the security of the windoze kernel? Doesn't seem to be M$.
Good point. That legacy support has got to be a thorn in Microsoft's foot. Supporting legacy code that was never designed with security in mind must drive the programmers at Microsoft nuts.
But like another post said, other design decisions in Microsoft's architecture appear not to be good ones when mixed with legacy code and the hostile environment of the WWW.
Far be it from me to agree with Windows... but I've run a bunch of Linux servers for years, and in the last six months I have spent more time fending off script kiddies, phpBB hackers and assorted other kinds of PHP, Linux and Perl based hacks than I have serving my customers. Not that Windows doesn't suffer from the same problem, but the concept of Linux being fundamentally more secure is a bit of a myth. You still need to take active countermeasures to ensure that your desktop or server isn't vulnerable... a lesson I've learned the hard way on more than one occasion in the last 6 months.
I hate to burst his bubble about single sign-on, but on my network we have single sign-on to every service on the domain that you have permission to access once you have authenticated to the domain at your workstation, whether your workstation is Windows or Linux. Services are provided by Windows, 4-5 different Linux distros, and AIX servers, and are things like FTP, SSH, file sharing, concurrent versioning systems (not just CVS) and the like. This is accomplished with Samba, LDAP, NSS, Kerberos, SASL, SSH, ProFTPD, winbind, and possibly a few other pieces I'm forgetting at this moment. Unfortunately this was a pain to get all working on both the Windows and Unix sides, but it does work flawlessly. Well, almost flawlessly: the Windows boxes don't have SSH servers running. I don't know what he means by single development environment, but if he means an IDE he can keep his little tools like the Visual Studio hack. Unix and Unix-like systems give you the ability to use your whole operating system as your development environment.
'Linux is not ready for mission-critical computing. There are fundamental things missing,'
That's funny, the U.S. Army doesn't think so. It is currently using a flavor of Linux to run mission-critical software in our fighting vehicles.
I don't see the benefit of this so-called "accountability." If Microsoft fucks up and my computer crashes, do I get anything from them? I guess I could call customer support, but I could do that with redhat, gentoo/debian (irc chatrooms..). Also, for the lack of development environment, I use vim for all the development I can (java, c, c++, perl, php, html). The only time I use a "windows quality" ide is when I'm at work, because I have to use MS visual studio. I hate that big thing, too. I might be on the fringe when it comes to IDEs, but I don't see how this myth of accountability argument really holds up.
Longest... FUD... campaign.... ever.
And who's Microsoft to be some authority on security?
Pot, kettle, black...
fix your own shit first, etc
I wonder if dyslexia is a prerequisite to be hired at MS. Looks like no major employee is able to fully understand what they read, even if it's MS EULAs, as they always make idiotic statements in the media.
IIRC, the big downtime that happened in the UK after the airport system update was because the WINDOWS server had to be rebooted every 30 days. Why should such a system ever be rebooted to start with? If someone thinks that Windows will ever be ready to run for critical applications, they're smoking crack, or something they shouldn't. I would never trust my life with windows. Imagine if you had to reboot the plane's onboard OS while in flight because it crashed and put you in a downwards spiral and you can't control anything anymore? Can you afford to wait for the OS to reboot on the plane? Not if it's windows, not if it's linux or anything else that's not embedded. Linux embedded is ok, but not Windows, because it WILL crash, and cost lives. And can MS be held accountable? NO! Their EULA states that. How would anyone ever take a chance with Windows in critical environments with such terms?
What, they don't know that NASA is using *NIX or OS X? It's been on /. before. I wish that big IT heads would read /. articles and follow a bit of what was going on; then Linux advocates like me would have less trouble trying to convince a college IT department that using Firefox will reduce spyware on lab computers by almost 90% overnight. I find it ridiculous to have the IT head email me about not using facebook.com because it's not necessarily secure, when he promotes the use of IE on Macs! How much stupidity can you manage? I think he's reached the limit, and his department is divided, on one hand by the consultant, on the other by the people that care, like me (nerdy student) and other IT staffers.
Repeat after me:
WINDOWS IS NOT READY FOR CRITICAL COMPUTING.
---- I am certain of only one thing : I know nothing else.
Well, what do you know, foundering IS a word...
And this is about where I stopped reading. There are no worries in this story, it's a combination of the delusional thinking that prevents Microsoft from improving their product (which, with the incredible "brain trust" that they have, is a perfectly reasonable possibility), and preaching to the converted. This story serves another purpose, and that is to cause *nix fanatics (or "evangelists" as Microsoft calls their fanatics) to froth and flap about, embarrassing themselves in public.
But what about this gem: "Linux is not ready for mission-critical computing. There are fundamental things missing." What exactly is Microsoft's market share for "mission-critical" computing? Most of these types of applications run on some proprietary Unix clone, but will soon be seen on Linux, not Microsoft OS. This is why Microsoft spreads this obviously untrue manure; they are scared.
I suspect they are starting to realize that "The Desktop" and browser market is not where they will lose the Microsoft / *nix war. It's in these "mission-critical" enterprise computing areas.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
"Most customers look for more than just a product from their vendors. They need a solution that comes with the appropriate levels of support and service. This is where Linux is becoming more challenged as people expect more from Linux."
If you ask me in this scenario it is Windows which is the Product and Linux which is the solution.
What people are realising is that they are better off tailoring their IT solution to meet their actual requirements rather than just dropping in a shrink-wrapped product which addresses 70% of their requirements and needs kludgy workarounds and other bits and pieces bolted on top to be actually useful.
As far as requirements for on-going support and service are concerned, I don't see how it is better to have to rely on one single company which can charge what it likes for its support costs and has no competition, than to have a number of different support and service deals to choose from, offered by different companies at competitive prices.
Finally, the last phrase about people expecting more from Linux is perhaps Linux's biggest advantage. If you want more from Windows you have to wait and hope for MS to provide it for you.
There is far more variety in the various types of Linux already available than there is in the MS world and if what you want isn't available but is crucial for you then you can pay someone to alter Linux to suit your requirements perfectly.
Let's see. Linux server: 0 hacks. The Windows server that Linux replaced 2 years ago: 12 hacks in 3 months.
Mr.McGrath also says: "In Microsoft's world customers are confidant that we take responsibility. They know that they will get their upgrades and patches."
Yeah right... how about this: "In hell customers are confident we take their money. They know that they will get their blue screens, viruses, worms, spyware, endless boot times and so much more."
Every shoe retailer has better sense of responsibility to its customers. Try to take a belly-up XP for warranty service!
Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
Microsoft is accountable to its shareholders. If their products were so horrible that they caused other companies to lose enough money, their customers would leave and use one of the many other options available, right?
Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
Hmmm, does this mean I should have right to a refund?
Let's be reasonable. I only demand 1 eurocent for each blue screen and each virus or piece of spyware I have ever had.
It would still be enough to become a euro-millionaire.
Statements from a Microsoft bigwig make sense to people who know as much about computing as the Microsoft bigwig does.
Methinks that is just spreading more Microsoft misconceptions. Bill should take responsibility for his insecure stuff through obscurity, rather than dis Linux.
http://www.vnunet.com/news/1160588
I can manage to keep Microsoft products secure, but only with 3rd party software as MSFT doesn't seem to care since they don't have to make up for the business losses.
If they actually stood behind their product, they would (but I think he knows it would bankrupt him).
Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
Who is accountable for the security of windows?
Can I bill last month's lost work-hours due to spyware/worm recovery on Windows to Microsoft, or, better, personally to you, Nickie?
In Microsoft's world customers are confident that we take responsibility. They know that they will get their upgrades and patches.
Oh, let me rephrase that a little:
In Microsoft's world customers have learned that Microsoft has never taken responsibility for security problems. They know that it can take months for MS to release a patch for a critical issue and that often these patches will break other things (even open new security holes) completely unrelated to the initial problem. They also know that many major MS products like Internet Explorer are commonly banned from corporate network environments for exactly these reasons.
Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft, neither is there a single sign-on system.
First, you obviously have no idea what you're talking about as your requirements for "mission-critical computing" have nothing to do with it.
Anyway, there is not one but many capable "development environments" for Linux. I assume your definition of "development environment" would be a pretty IDE like Eclipse. Most real developers I've met prefer to just work on the powerful Unix shell using their editor and toolchain of choice, though.
As for single signon, again I cannot see how this relates to "mission critical computing". But you can have it on linux.
There's kerberos, NIS+ and probably other options that I don't know about.
Also there's samba to emulate the windows crap if you have to.
These are factors that are holding back Linux.
Look, Nickie, nothing's really holding back linux.
It's fools like you writing ridiculous articles like the one I'm responding to that prove how helpless and jealous Microsoft is watching the steady growth of Linux.
...no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program.
IMO I don't think they are referring to Microsoft's Passport technology, rather they are referring to the Microsoft mandate that the only point of sign-on to a workstation be the Ctrl-Alt-Delete login screen. After that point all applications trust the credential information given to them by the OS.
But doesn't Linux do the same damn thing?
Anyway, just my $.02, I could be wrong.
With linux there's no-one to sue if your project fails.
... a barf bag !
Novell's eDirectory on Linux
I've got an auto-complete plugin in vim (just hit tab!).
Zip your pants back up nerds
Who needs accountability when you get it right the first time?
Instead of offering updates (new versions?) for extra money, and having a bazillion updates, if you get it mostly right the first time, then you don't have to worry about who to blame if it breaks, because it won't break.
------
I've never gotten the blue screen of death in Linux. Even a fatal error still gives me a prompt.
And they said zombies weren't real!
Because the way they do it at MS, they're raking in about $40B a year. Good security would cost them more money than just talking about it. They're smart enough to know how to turn insecurity into a marketing triumph, without paying the cost.
--
make install -not war
"I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. "
Yes, if GNU/Linux was as secure as those applications, we would really have a world class OS, now wouldn't we?
... they can go to Microsoft and present a bill which Microsoft will gladly pay ... Tuesday!
*rimshot*
It doesn't matter what the state of UNIX IDEs was in 1989. The point is they released shoddy code which they must have known was shoddy. Whether IDE or not, it was shoddy, the developers themselves surely must have been using it all the time every day, they could not have avoided noticing it was shoddy, and they released it anyway.
As for you having inserted skeleton code without problems, that also is not the point. No doubt you have had some kind of training on it. I had to jump into it and use it the best I could. It is supposed to be intuitive, is it not? It wasn't. Clicking the X is supposed to close the window, right? Should not the IDE have known that it had closed its own window?
I found three repeatable bugs within half an hour of just stumbling around trying to figure out how it worked for some little pissant project. Are their QA people so jaded they can't find these problems? Are their development teams so rigid in their practices that they never stumbled across these bugs themselves?
If the development teams can't be bothered to fix their own dog food, either they eat something else, or they have extreme tolerance for crap. It does not bode well for their work on projects they don't use as much, which is just about everything else.
It all speaks of shoddy practices from one end to the other. That's the point.
Infuriate left and right
This is a troll article; we've been over this subject material before.
The Register reports: "Subscribers to the UK mailing list of Bang & Olufsen (B&O), the upmarket hi-fi firm, were bombarded with six million emails this week. List members are hopping mad, but B&O blames the problem on flaws with some of its customers' email systems, rather than any security breach on its part.
"An email plugging an integrated TV/DVD sent out to the list on Monday (24 January) generated a message storm when it hit buggy Small Business Server 2003 servers. The well-known glitch in the email systems of three of the recipients of the message generated a blitz of replicated emails.
"In the resulting chaos, the 20,000 recipients of the list received between a handful and hundreds of messages apiece, according to B&O staffer Stephen Anderson, who looks after the list. Up to six million messages were generated in the spam blizzard before the plug was pulled on the offending servers."
The positive side is, M$ must be scared or they wouldn't be dissing Linux.
Your point still stands, yes - but I think it's sort of off-topic from the intent of Microsoft's original statements.
They were primarily trying to make claims about the lack of security in Linux based on missing components, plus a lack of accountability for bug fixes.
You're addressing an issue of availability of software applications for both platforms.
I do agree with you though. Linux is still pretty much an OS that's best used by application developers or as a server platform of some sort. The attempts to "hammer it into shape" as a general-use desktop environment are still "half-baked", and that's largely due to a lack of variety of applications to run on it.
After all, you can have the most elegant, powerful operating system on the planet - but if nobody writes apps to run on it, what good is it?
People can (and in the case of Windows, certainly DO) put up with a lot of problems and deficiencies in an OS as long as it allows them to use the software apps they want/need to run. Linux is sorely lacking in the games dept., the music editing/creation dept., and in some aspects of graphics design and editing. It also comes up a little short for people needing to do accounting work. (Peachtree for Linux? Quickbooks for Linux? DAC Easy Accounting for Linux, even? Perhaps a version of M.Y.O.B. for Linux? Nope.... none of 'em. And accountants like standardization. Even if you write a cool new accounting package for Linux - you better at least support imports/exports to some of these Windows packages or it won't gain much traction.)
"Who is accountable for the security of the Linux kernel?"
This is the strength of the Open Source development model. Every piece of code is transparent and available for audit by anyone from you and your IT staff all the way up to trusted governmental and academic bodies.
Who's accountable? You are!
and that the open source development model is 'fundamentally flawed.'
Yeah, more fundamentally flawed than the Windows model, right?
GMAFB.
Paying attention to what Microsoft says about Linux considered harmful.
In making a business decision, it's unlikely for anyone to take responsibility. The larger the business, the smaller the likelihood. It's not an issue of cowardice; the risks simply don't outweigh the rewards.
So, the question "who do you blame" is a legitimate question. System fails, Clients sue company, company pays clients, insurance company pays company; insurance company sues vendor.
In business, those who take chances are the people who create the great successes and the great failures. These people exist. They are not the norm.
"Nobody ever got fired for buying IBM." The point is not that this is true. The point is that people say (or said) this. They're saying that if you're working for someone and you want to keep your job, you make the safe decision.
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
Most folks have the take that Microsoft McGrath is throwing bricks from the glass house. But let me take a different view. Does Red Hat take responsibility? And the answer is, yes, or else. Because since you can get a Linux kernel from many sources any distributor that behaves irresponsibly (or insensitively) will lose the business end of their business, and, poof, they're gone. And this concept extends beyond the kernel to other aspects of doing business.
A few of us (call me a semi-pro minus or hobbyist plus) left the RedHat tent with the way they handled the transition from 9.0 -> Fedora, and, in retrospect, I'm happier and it seems from the financial results that RedHat is happier.
Now McGrath's comments are not meant to be part of a serious debate about how us users may get the most safe, seamless, fuss-free, and satisfactory experience with the kit we own, but are the equivalent to the flip side of preaching to the choir, which I suggest is reminding the congregation of damnation should they even think of leaving the church. Remember the Flintstones, how much of the "technology" was powered by a purposed, humiliated animal who would look up and say to the audience, "It's a living." I suppose it is.
At least some people believe in myths.
All that we see or seem is but a dream within a dream.
'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.'
And who, pray tell, is accountable for the thousands of holes that have left Windows users open to viruses, trojans, and other malicious uses of their hardware? Billions of dollars thrown into the toilet fixing the results of nonexistent-to-pathetic security in Windows, with an EULA that specifically absolves Microsoft of all blame if anything goes wrong using their software, and they have the gall to claim that they are accountable for Windows?
Should I be submitting my bills to Microsoft instead of my clients when their poorly designed, poorly implemented software causes them to need my services for hours on end, making them unable to do work, let alone pay my fees?
Microsoft doesn't exactly operate from a firmly credible foundation when it comes to operating system security, so can we take what they say seriously? That's the question.
- IP
From TFA: Okay, he identifies one "myth". So, in the next statement, you would expect him to provide support for that statement with facts, right? But what do you get instead?
You get QUESTIONS.
Suppose it went like this, instead.
"There's a myth that the world is not flat, that it is round."
"Well, what happens to the ships that sail over the horizon and NEVER COME BACK?"
Actually, they don't know that. How many years has it been since Service Pack 6a for NT and NT's "end of life"?
Microsoft has a history of dropping support for all but the most extreme problems on their "legacy" systems.
And even on their current systems, Microsoft waits MONTHS AND MONTHS without publishing a patch:
http://www.eeye.com/html/research/upcoming/index.
And the article continues like that. It isn't about illustrating the specifics of problems with Linux.....
It's political. It's about getting the IDEA that Linux's security is a myth into general acceptance.
The way to do that is to have your people and "journalists" repeat it endlessly. Stay on message.
Don't address the facts or real issues.
Keep repeating that there are "myths" and that these "myths" are not true and that the smarter people are starting to see through the "myths".
Smart people KNOW what the myths are.
Don't you want to be smart, too?
If you were smart, you'd see the fabric. You'd see how beautiful it is.
If you were smart, you see the clothes made from that fabric. You'd see how nice they looked on the king.
Only dumb people cannot see the clothes on the king.
Oh, sorry. I seem to have wandered into an old fairy tale for children. I did not mean to imply in any way that Nick is playing the same part as the "tailors" in that story.
Anyway, back to the article. Smart people see the "myth" in Linux. Only dumb people cannot see it.
a very-locked-down linux box > a very-locked-down windows box > a standard or slightly-locked-down linux box > a standard windows box. i would trust a locked down, security-minded-owned windows box on a secure network over a standard linux box that someone put out on the internet. problem being that it's extremely hard to lock down both windows and linux to the point that it's fully functional and practical.
Who is accountable for the security of the Linux kernel?
And Microsoft takes the blame for their OS's security, but they are hardly ever held accountable for it.
He can talk when he has as many eyes
Auditing his source code as we have
looking at ours.
Ballmer, Publish your code for the world to see
then talk.
This is more smoke and noise to hide ongoing anti-trust problems MS has been making. Not only are there new violations, MS hasn't yet made good on the remedies for the old ones. That and the smoke and noise should also hide current attempts to leverage the desktop monopoly into content and delivery via HD DVD, HD TV, cable TV and BD-ROM.
Why is Microsoft complaining about the security liability of Linux when they're writing and selling a desktop for it?
It's clear that MS is feeling the pressure of OSS creeping up on their corporate software stronghold. With Apache dominating the web server market and Firefox steadily gaining a foothold on the browser front, MS is lashing out at anyone they can, for whatever reason pops into their heads.
Next, they'll claim Linux is wrong for the corporate desktop market because they have a penguin for a mascot. (beats the hell out of a paperclip, though.)
Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
I dunno. Who is accountable for the security of Windows? Nobody, it seems.
Linux is not ready for mission-critical computing. There are fundamental things missing,' pointing out the lack of a development environment
Except for the dozen or so development environments that do exist, foremost Eclipse, which beats the shit out of anything Microsoft has produced.
and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program."
Probably, he means Kerberos and NIS. Oh, by the way, those were ported to Windows from UNIX (and, by extension, Linux).
They could and they would. They would "embrace and extort... er, extend" Linux into one big shitpot.
Their worst enemy is themselves. Let them develop Windows to death. Long live Linux.
INSERT INTO comment VALUE('Doh!') WHERE user='you';
Am I the only one who thinks these two claims next to each other look funny?
My 2 cents: I have used several computing systems on a daily basis for more than 15 years, both for work and at home. I got an MS-DOS virus once, 12 years ago, on Windows 3.1. I switched to Linux completely ten years ago; since then I haven't got even *one* virus, even though all of my systems are connected to the net 24 hours a day... I have colleagues who are very professional Windows administrators and developers: all of them, despite a terrific combination of antivirus, firewalls, antispyware, and prudence, have got viruses several times.
I should be living in a myth.
Have they heard of Secunia? They are a non-partisan security group that alerts software companies of security flaws in their products. They said it takes a month to even penetrate a Linux box while it takes like 20 min for a Windows one. Beat that!
Competent users leave Windows and move to Linux.
If by "incompetent" you mean "does not update a 3rd party app to kill viruses that the original software does not try to prevent", then you could be correct.
No. Outlook used to automatically run certain executables sent to it.
So, no, users of Linux have not had the same ease-of-infection that Windows users have had.
Microsoft is just now waking up to the problems and is now trying to deal with them.
But that leaves a LOT of machines out there that are infected because of Microsoft's decisions and will remain infected.
That's one of the key points against TFA. Microsoft has made bad technological decisions to further their marketing ambitions.
Huh? Isn't that what sendmail is supposed to do?
The security system is what prevents a minor flaw from compromising the whole system.
Running named in a chroot jail is an example. One flaw in one system will not result in a 100% compromised machine.
Windows USED to run services that the average home user would never use and it ran them as the system account and it ran them with access to everything else.
So, a flaw in DCOM resulted in your entire machine being compromised.
That is the difference between a good security model running an app with a hole and
a bad security model running an app with a hole.
Sure you can. Just make the default install (stupid people always take the default, right) as secure as possible.
Microsoft is getting better with XP, but they still have years of flaws to deal with.
And their recent decisions to NOT offer patches to "illegal" machines is also a problem. If they make it harder for people to get patches, more people will be running unpatched machines.
Therefore, Microsoft is making it harder for their systems to be patched.
Bad move.
...they are always coming up with different and highly original arguments for why you should not run Linux. I mean "lack of accountability"? BRILLIANT!
=-Joey
It's not like Microsoft's taking any sort of responsibility for their code. GNU code also comes with a disclaimer, but at least with Linux+ you have both the right and the ability to fix any bugs you find if your distributor isn't in the mood to fix it right now (or properly).
Free Software: Like love, it grows best when given away.
But don'tchya think that it is high time to put that effort into making their software secure?
They spend alot of time and money attempting to put a spin onto the security of Linux, but not enough into their own software.
I, for one, am very tired of this company plodding their way through complaining about others but not taking care of their own.
"I'm not ashamed I can't function in society like I'm supposed to." - Paul Westerberg
Once it was brought to the attention of the right people, it was incorporated.
Are you saying that Linus is not putting enough effort into it?
Is that what you're saying?
If it isn't, then would you please identify exactly which of the "maintainers" you believe is not putting in enough "effort".
After all, you did say that "it actually requires effort on the part of maintainers to make it happen."
Some Microsoft shill released another statement devoid of facts or other useful information, designed to sow fear and doubt in an ignorant audience. Film at 11.
In related news, the Alexis de Tocqueville Institution has released a study conclusively linking use of open source software with erectile dysfunction. Who knew?
Well, I can say pretty easily more people are using Windows based systems over Linux. I can also probably say that most of the people who use Linux are more proficient with computers and maintaining a secure environment. Many people who don't know what they are doing use Windows. Or a Mac (but they don't count). There is also the fact that so many more viruses and exploits exist for Windows - probably because more people are targeting this larger and older demographic of computers. If the same amount of people suddenly tried to find holes in Linux security, I'm sure they could...
Accountability, based on your definition, doesn't "do" anything that anyone cares about.
I think McGrath's point is that there's no difference between responsibility and liability so long as both hit your pocketbook. If you'll lose sales because of bugs, you might as well have been sued. In that sense, the liability disclaimer is irrelevant.
That's not to say McGrath is right. As the sub post points out, Red Hat will lose sales if it distributes a shoddy product, no matter who made it. If it's open source, they have control over product quality. What's more, the fundamental premise that there has to be a risk of someone losing their own money for them to fix a problem is totally unfounded. Not only are there other things motivating "responsibility", but open source ensures the person most affected by the problem can assume some responsibility for fixing it--the end-user.
So essentially Microsoft is back to taking the approach that if they close their eyes tight enough, everything will be OK?
'Super-Linux' Cluster Declared Third-Fastest Computer On Earth
fastest computer system in the US
NCSA Linux Cluster Among Fastest Computers in the World
Two Linux clusters on Top 10 list of fastest computers
If someone says he and his monkey have nothing to hide, they almost certainly do.
"First they ignore you then they laugh at you then they fight you then you win" I think that for the MS vs. Linux thing, the latter would be at either the 2nd or 3rd part.
Linux has a primitive "all or nothing" style security infrastructure.
The only reason Linux is a safer system to run today is because nobody uses it, so 1 - Linux isn't a target and 2 - no commercial software is written for it. The few Linux users that are out there are computer hobbyists with enough experience to know not to run arbitrary, unknown code. Computer literate Windows users also have no problems with viruses/etc because they know not to run arbitrary untrusted code.
If you had a shotgun, and saw a fish in a barrel, you'd shoot it.
-russ
Don't piss off The Angry Economist
Many comments that good security costs more than - what ?? Good security is not code or usage - they are part of the security. Good security is planning / design / practice and on these areas good doesn't cost more than bad (IMHO - show me different). However - incompetent / missing requirements from management can and does cause a lot of problems in security, performance, etc. There are different levels/skills on programmers/users/and so on but if the basic requirements are wrong nothing they can do, just use what is there (is it requirement or a product.)
It's ALL facts.
Mods on crack again...
No single sign on? I thought Kerberos was available for Linux before it was available for Windows (Active Directory)
I think Slashdot should have a spell checker and dictionary to check over posts.
'Linux is not ready for mission-critical computing.' neither is windows...
We all know Linux isn't secure. The only reason it isn't attacked more is there's no incentive. It's simple economics. Attacking Windows attacks the vast majority of computers, and makes it more likely that your method of spreading the attack finds targets. It certainly has been shown that motivated people can break into Linux boxes. Yet people pretend they're more secure and rely on obscurity, whether they'll admit it or not, even to themselves.
While there are some features that make it easier to code for novice programmers, I certainly cannot agree they are far superior to everything else. Have you ever tried some serious debugging? One basic feature I use with gdb is break point commands. I can associate commands with breakpoints. And this command language can handle most of the operations, so much so that I can give out a debugger script to my customer, ask him to just run gdb with my _closed source_ application and I get traces of whatever I want. Can you even imagine doing such a thing with VS?
I'm much more funny, interesting and insightful than the moderators think
How strange, I see a lot of those same features in Eclipse and even KDevelop. I'm sure Anjuta has them too although I haven't tinkered with it much yet. Debugging in GNU is easy with KDevelop and Eclipse. Can't say much about templates since I've never had a use for them but I'm sure when there is demand the GNU tool to handle them will arrive. One really interesting thing about OSS tools is they are driven by real demand not "we think you'll like this" demand.
If you see spelling or grammatical errors don't blame me. I tried to preview but IE here at work borked the CSS
"In Microsoft's world customers are confidant that we take responsibility. They know that they will get their upgrades and patches."
.NET? The thing microsoft keeps promoting their pants off at? The base that requires you to download some stupid runtime, where using 1.0 versions of software on the 1.1 runtime will cause calculation errors because it adds decimals suddenly to calculations when the program was never written to handle that etc.. ?
They also know it's not fixed in a day, like it is in the open source community; it's sometimes fixed after months and months of waiting.
"There's a myth in the market that there are hundreds of thousands of people writing code for the Linux kernel. This is not the case; the number is hundreds, not thousands,"
Don't play with words; people say "Linux" as in various distributions of Linux, not specifically the kernel.
"There are very few of the improvements that come through the wider community. There are more skilled developers writing for the Microsoft platform than for open source."
I wonder how they made this demographic.
"A lot of the percentage growth figures mask the fact that Linux is coming from a very small base. There are more Unix servers than Linux servers in the UK. There are more Windows servers than Linux servers in the UK."
What the hell, there are huge data centers of Linux servers which have more computers than the whole of London, and the "a lot" of percentage growth figures come from stuff that Microsoft has sponsored and possibly rigged?
"Most customers look for more than just a product from their vendors. They need a solution that comes with the appropriate levels of support and service. This is where Linux is becoming more challenged as people expect more from Linux."
All business Linux distributions provide better support for their products and integration with 3rd party products, a hell of a lot better than Microsoft's support does.
"Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft, neither is there a single sign-on system."
Linux is used in mission critical computing in routers, broadcasting, military etc.. and there is one standardised development system for Linux called LSB (Linux Standard Base). As for Windows.. Where is it and what is it called?
Change is certain; progress is not obligatory.
I'm new to all this, but isn't that a typo above?
Shouldn't that read
"...Microsoft's floundering .Net..."?
I didn't desert Windows; Windows deserted me: BSOD
OK can you clarify how SELinux prevents spam bots? I understand you can block BSD socket connect() / sendto() /etc for a process but how do you run your web browser in that case?
I don't see how SELinux helps beyond what a good firewall can do. The browser MUST be allowed to talk to the outside world. You can rate limit that, or maybe restrict it to certain hosts and ports, but overall it seems incredibly difficult to prevent spam from an exploited browser. The OS can't tell the difference between a good TCP connection and an evil one. Neither can most users.
I think we really need a secure browser. It doesn't seem viable to compensate for an insecure one using the kernel.
The gist of his argument appears to be his claim of lack of accountability among distributors,
:D Okay, now we all are convinced how superior Microsoft products are :D My world changed from ground up after reading this sentence, really :D These guys really have to be working hard to make such arguments :)
Mmkay, M$'s could be held accountable for Windows' lackings in security and loads of holes and bugs in their software. But it doesn't change anything, does it. Don't start cleaning somebody else's porch until yours is the biggest mess.
Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.
Yet, even Red Hat has provided countless application and security fixes over the years. And, for the record, accountable for the security of the Linux kernel? Well, that is a question, isn't it. Didn't know that was such a problem even M$ cares about. Oh, and by the way, who can be held accountable for the NT series kernel (about which nobody can have a clue what it contains)? No, don't mention any names please, my prayers already contain a quite long list of names.
Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft, neither is there a single sign-on system.
I need to take my pills to stop my laughing spasms. Okay, let's educate ourselves. For one, it would be a good homework assignment for some student to find out what OSes were used in the first, let's say, 10 years of computer controlled systems which could be labeled mission critical. Then, Kylix and KDevelop are both fully R&D environments (I deliberately don't mention "smaller" stuff) from hello world to GUI development, all integrated. Then regarding the Passport thing, that's really awkward to reference, since everybody and the neighbor's dog is dumping it all over the place, it being good for nothing useful on this earth.
There's a myth in the market that there are hundreds of thousands of people writing code for the Linux kernel. This is not the case; the number is hundreds, not thousands
There are very few of the improvements that come through the wider community. There are more skilled developers writing for the Microsoft platform than for open source
Now that's it. When you don't know anything else to do, go offend openly every developer who dares to do FOSS work.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Response to item 1:
A user can nerf his/her own files, not other people's. They cannot (short of exploits, which do exist) nerf the OS or other users' files. Linux is a multiuser OS. The system will not protect idiots from nerfing their own system. No well written system will.
Response to item 2:
A virus/worm/spyware will only nerf a user's files if executed as that user or root. In the former case see response 1. The latter is bound to happen (in any OS), however I'd be willing to bet it wouldn't take 3+ months for the kernel developers to patch it (or someone at least).
Response to item 3:
Linux applications (as a general guideline) will not practice this unsafe procedure. I'm not familiar with any applications that do, but I certainly wouldn't allow for it. ActiveX has little to do with it other than it allows for so much destructive execution. No internet application for Linux (that I'm aware of) has this built in potential disaster.
Response to item 4:
I guess I have to agree.
Response to NTFS:
What security? Being able to read/write to the file system? What does this statement mean?
Your statement that "Linux is a safer system because nobody uses it" is based on what data exactly? Is the percentage less, sure.
Linux is safer because it's harder to write effective virii, etc. for. A virus might impact a certain small % of Linux users, but would hardly be as universally devastating as Windows virii are.
"I have great faith in fools: Self confidence my friends call it." ~Edgar Allan Poe
Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
I applaud Microsoft's recognition of the importance of accountability. I look forward to reading Microsoft's revised license agreement, in which Microsoft will presumably accept liability for consequential damages resulting from security flaws of Microsoft products.
Most software is buggy and has security flaws - what is important is the time between the discovery of security flaws and bug fixes. Anyone who isn't a gullible fool knows that OS software has a much better track record here, just compare Linux and Mozilla/Firefox to Windows and MSIE (MSIE still has some holes that were discovered years ago).
"I love my job, but I hate talking to people like you" (Freddie Mercury)
I'm sorry, but who exactly takes responsibility for the flaws in Microsoft software?
They post patches and Red Hat post patches. Some might argue Red Hat is faster/better at it, but that's irrelevant.
Read some Microsoft EULAs, they all disclaim all responsibility for the product just like Open Source licenses do. If your vital webserver crashes you *DO NOT* get to go and get a refund from Microsoft because it's bad, they'll offer to sell you support or give you a patch, just like Red Hat will.
So, the gist of my point is, what the fuck are Microsoft talking about?!
Chris "Ng" Jones
cmsj@tenshu.net
www.tenshu.net
I entered the address of a website; it wasn't a particularly nasty site, just something resulting from a Google search.
And it automatically installed a spyware application. No YES/NO dialogues just installed it. After that I saw attempts at outbound port 6667 to various external servers.
Now I do manage servers that hold financial data, and servers with ERP software that run the company.
I ask you, Microsoft, can you be held accountable if our company melts down should malicious spyware enter the system with their authors intending to corrupt our backups and bring everything down?
Will you pay us the millions that we lose as we lose our customers?
Will you as a result of such a catastrophe give us an OS that does NOT allow such breaches of security?
I understand IE in Windows 2003 is more secure, and we should never browse for anything on the server itself... etc. However Windows 2003 has not matured enough to bring out the bugs, while Windows 2000 has issues even after SP4, and after Microsoft will cease to provide bugfixes for it.
We replaced our firewall with OpenBSD. We simply cannot find a reason to upgrade it from the 3.4 version, since the older version is so secure. Hell yeah we've had attacks of all kinds, to almost all ports, syn cookies, even DDoS type attacks that slowed the Internet connection, but we're still up, and without ever having an issue for over two years of OpenBSD operation.
Coming back to Linux, which is also a UNIX clone, and which has more eyeballs on it, and more companies taking responsibility for it, tell me, should I pay for a crappy OS with someone behind it you can point fingers to, or a nice OS with no person behind it simply because you'll never have to point fingers?
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
And Microsoft will say "Look, it's our fault".
Bingo, instant scapegoat.
Merely being responsible isn't enough; since finger pointing can't be employed if they aren't accountable. You can be responsible for fixing something without it being remotely your fault and without anyone blaming you. A mechanic to fix your car is responsible for fixing it, but they probably weren't accountable for it going wrong, unless they messed up a previous repair or something.
I think McGrath's point is that there's no difference between responsibility and liability so long as both hit your pocketbook.
No, that isn't his point and isn't true either, since the liability means it hits *their* pocketbook- they pay for your lost business. That's what liable means.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"- If everyone was going 140 in the same direction, we'd have less car accidents than we do now.
Since car accidents is plural and quantifiable, the proper reduction modifier should be fewer and not less (regardless of what the sign over the express lane at your local Wal-Mart might say).I present this simple Google Search as confirmation.
We now return you to your regularly scheduled, righteously indignant, Microsoft bashing :-)
And yes, C# is (a) pretty cool, and (b) different from C++. That's why we have Mono :-). As for debugging, I don't do that much (usually stack traces are enough), and my "IDE" is kwrite and a command line, but KDevelop, Eclipse, and many others do indeed have integrated debugging - if it craps out, file a bug report, don't just bitch on Slashdot.
I've had my webserver/firewall/sendmail/imap server up for just about 7 years now. No hacks. And yes there were hack attempts. You have to be a good admin. Sure Sendmail has holes, but if you configure correctly your system can not be breached.
You know it's easy to say, "Who's responsible?" Yet, Microsoft takes little responsibility tangibly. If Windows crashes and you lose your data, what recourse do you have with Microsoft? None. There isn't a damn thing you can do about it. If you're lucky, they'll help you rebuild, debug the code, maybe offer a patch when YOU get your data from backup and get rolling, but are they going to pay for downtime? Nope! So with Microsoft you get someone to point the finger at. You get someone to deliver some bad press to. In real-world dollars and time you get very little other than that.
EOM
sendmail buffer overflow gives about 57000 results.
windows buffer overflow, otoh, gives 186000 results.
Omry.
Microsoft are so bankrupt that their only recourse, these days, seems to be complete denial. I mean, come on, M$ aren't even on the map when it comes to security. The closest analogy I can think of when it comes to M$ spouting about security is Hitler preaching Christianity. This is so ridiculous it isn't worth the fart that set the thought in motion.
I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.
Damn, I had to take a break and go get something to settle my nerves after that one. It's too fscking hilarious for real life.
What the hell do these people smoke that write this stuff anyway? It's got to be some of the best stuff ever grown. And no, I don't want any, whatever that is; it takes them way too far from reality.
Is there a Darwin Award for such stupidity? If not, there should be, and of course we are assuming it was terminal else the Darwin Award doesn't apply.
Admittedly, the rapid rate with which we fix Linux security holes seems to have made the hackers go elsewhere recently (read "to attacking winderz boxes") to find boxes to exploit. The last time I had to clean up a Linux box was a RH6.2 box with the original, and known hackable, bind in it. That took one reboot when we realized someone was screwing around, with an instant change of root password, installing the new bind, then 3 days of surveying nearly every file on it to find the ones he fiddled with and replacing those he had with the latest versions available, but we did not re-install, and that mail server is still up to this day. Maybe 3 more reboots in the ensuing 5-6 years, and a new motherboard due to e-caps problems, but I do not believe the OS itself has been updated. No use fixing something that Just Works(tm), is there?
Now I need to go take some pain killers for the sore ribs and diaphragm from laughing my head off and rolling on the floor.
--
Cheers, Gene
Good thing we know who is accountable for the security of the Microsoft products.
Microsoft could be sued for all their insecure products.
I always knew Linux was insecure. I just switched to OpenBSD in 2000, never had a problem since.
With vim, I have tab expansion for method calls, but only when I want it - not some distracting thing that tries to second guess me. I have syntax highlighting, brace balancing, way better keyboard navigation (at the cost of being warped into the vi world, but that was done to me years ago). Method variants are a function of tab expansion. Pop up crap would distract me from what I'm doing. And arcane as it may be, s/(.*)re?gex$/somethingelse($1)/g is extremely powerful. My fingers just work that way, and I'm only 32. Don't get me started on the cool things one can do with ex commands.(god, did I just say I'm *only* 32?)
I suspect this is an old-school-new-school thing. I don't like IM, either - email me or go away. If I don't know how the object is called, I need to read the public declaration, or I have no business writing code against that interface.
If assisted coding actually didn't become a distraction, and actually inferred intent, I might take the time to learn it. But now I'm just being grouchy. Thanks for the explanation of what you like. I know I'm a little bit purist; I didn't use the syntax highlighting for quite a while, because it (a) didn't work in edge cases well, and (b) well, can't you indent properly? What's the problem?
Maybe developing that way is faster, but I do think I understand, and can troubleshoot, things better with my coding suite and style. So I'm still not swayed.
And I'll hit you with my cane, whippersnapper, if you bug me while I'm feeding the ducks.
I forget what 8 was for.
...someone doesn't believe in tagging things NSFW (not safe for work)
If Microsoft is so concerned about responsibility for security flaws, why is it that they don't offer indemnification for users hurt by their software?
GCC, emacs, JavaSDK's from Sun, IBM, GNU, Metrowerks, ...
Or to put it another way: What the hell is he smoking and is it available over the counter?
don't trumpet out that tired old, disproven "Apache is more popular than IIS" bullshit
IIS is more popular?
The poster should read up on enterprise architecture before spouting off about single-signon. They're not referring to Passport (which would be laughable in a "mission critical" scenario. They're probably referring to enterprise single-signon solutions, like the one offered by BizTalk server (reference here).
I've been using Solaris for 4 years, and I've never had any of my systems compromised. Yes, there was that lame telnet vulnerability a few years ago, but who the hell uses telnet, anyways?
With Linux, I've been hacked 3-4 times. WuFTPD was the culprit several years ago, and now it's a combination of OpenSSH/ptrace vulnerabilities. I don't run Linux anymore.
Linux is more secure than Windows, but it's illogical to say it's the most secure OS. That's plain wrong. I'd use OpenBSD, but I'd still like to have some functionality out of my systems.
There's pissing contests all over. OSS is just another one.
Linux does have problems when it comes to security accountability in the kernel. Sometimes it is hard to figure out who you are supposed to submit important security patches/information to.
However, the Linux security on a hardened system is VERY good.
Securing a linux box is pretty simple.
1. Use a kernel with grsecurity patches installed.
2. Don't EVER EVER EVER run server daemons as the root user. Each server should get its own user/group to run under, and that user/group should have no permissions on anything that isn't 100% necessary for running the server daemon it needs to run.
3. Use 077 as a umask and use ACLs for finer grain permission controls.
4. Use an iptables firewall and DROP everything that you don't use.
You do those things and even if there is a security hole in one particular server application the attacker can't get root access, nor can they see any of your important files.
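A checklist like this can be audited mechanically. As an added example (not the commenter's own script), the Python below applies steps 2 through 4 to constructed snapshots of `ps -eo user,pid,comm`, `ss -lntp` and `iptables-save` output plus the shell umask; step 1 (a grsecurity kernel) is a build-time choice and is left out, and all sample data is constructed for illustration.

```python
"""Audit a host against the hardening checklist above (added example, not the
commenter's script). Inputs are text snapshots so it runs offline; the sample
output below is constructed, not captured from a real host."""
import re

# Constructed `ps -eo user,pid,comm` output: two network daemons run as root.
PS_OUTPUT = """\
USER       PID COMMAND
root         1 init
root       812 sshd
www-data   944 nginx
root      1031 vsftpd
postfix   1102 master
"""

# Constructed `ss -lntp` output for the same host.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=944,fd=6))
LISTEN 0      32     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1031,fd=4))
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*         users:(("master",pid=1102,fd=13))
"""

# Constructed `iptables-save` output: INPUT and OUTPUT default to ACCEPT,
# which step 4 warns against (only FORWARD drops by default).
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def pid_users(ps_text):
    """Map pid -> user from `ps -eo user,pid,comm` output (header skipped)."""
    users = {}
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            users[int(parts[1])] = parts[0]
    return users


def listeners(ss_text):
    """Yield (local_addr, port, process_name, pid) for each LISTEN line of `ss -lntp`."""
    pat = re.compile(r'LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')
    for line in ss_text.splitlines():
        m = pat.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def root_listeners(ps_text, ss_text):
    """Step 2: names of listening daemons whose process runs as root.
    The checklist is applied literally, so sshd's privilege-separated
    listener (root-owned by design) is reported as well."""
    users = pid_users(ps_text)
    return sorted({name for _, _, name, pid in listeners(ss_text) if users.get(pid) == 'root'})


def permissive_chains(iptables_text):
    """Step 4: built-in chains of the filter table whose default policy is not DROP."""
    bad = []
    in_filter = False
    for line in iptables_text.splitlines():
        if line.startswith('*'):
            in_filter = (line == '*filter')
        elif in_filter and line.startswith(':'):
            chain, policy = line[1:].split()[:2]
            if policy != 'DROP':
                bad.append(chain)
    return bad


def umask_ok(mask):
    """Step 3: the umask must clear every group and other bit (077 or stricter)."""
    return (mask & 0o077) == 0o077


def audit(ps_text, ss_text, iptables_text, mask):
    """Return one finding string per checklist violation; empty list means clean."""
    findings = []
    for name in root_listeners(ps_text, ss_text):
        findings.append(f"daemon '{name}' listens on the network as root")
    for chain in permissive_chains(iptables_text):
        findings.append(f"iptables chain {chain} default policy is not DROP")
    if not umask_ok(mask):
        findings.append(f"umask {mask:03o} leaves group/other access open")
    return findings


if __name__ == '__main__':
    for finding in audit(PS_OUTPUT, SS_OUTPUT, IPTABLES_SAVE, 0o022):
        print('FAIL:', finding)
```

On a live host, feed it the real command output and `os.umask()` (read-modify-restore) instead of the constructed strings.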
Well, this article really gave no proof that Windows is more secure than Linux, but it sure does raise doubt, that being its purpose. The idea being that if we can scare one person into thinking there is a problem and make them buy a Windows product, then the article was successful. I wouldn't be surprised if in future articles more attacks will be done trying to put further doubt into people's minds. This in an attempt to assimilate the masses into thinking there is only one source for an OS.
http://vnuuk.typepad.com/silicon_valley_sleuth/2005/01/microsoft_gives.html
I'm a conscientious
I don't find Linux to be very secure, either.
He linked to his examples ?!? what are you, dense? There's this "world wide web" thingy where people can make so-called "hypertext links" (later shortened to "hyperlinks", then in the late 90s "links"...).
I know the old corporate dinosaurs would _love_ to outlaw linking, and are having some measure of success, but right now, you can still use it!
Idiot.
Kind of on topic.. just wondering... anyone know why the RPC service on Windows NT/XP/2000 has to be running?
Windows 2000 would let you kill the service and restart it, but XP complains and reboots within a minute... made it a pain in the ass to patch my laptop... because I needed the patches off the net, but a worm would hit me within a minute of being on the net, exploiting the RPC and causing a reboot in a minute.
I now have all the patches on cd, but for joe blow who doesn't have another computer already patched to get them with, or who just doesn't know better, this was/IS* a serious problem.
* I say IS because if you buy a lot of new computers, they have a pre-patch OS installed; when I got my laptop this exploit had been known about for months, yet the vendors kept selling the computers with a vulnerable OS. Which I have a big problem with... when I bought the machine.. the salesman said NOTHING about this... they probably think mentioning that it is CRITICAL to patch your machine as soon as possible would scare their clients away.
I'd imagine that the RPC service is used for remote administration, but even if RPC is needed, which I assume it is, why does it need to have access to the internet? The average user does NOT use remote administration, and if they do, they should be competent enough to turn on a service, or configure it to use whatever adapter (and maybe have an access list??). MS should have disabled that by default.
If I can't smoke and swear I'm fucked.
One complaint that I have had for quite some time is that Visual Studio (even up to version 6 at least) does not support a scroll wheel!! This seems like a minor thing, but it really hinders productivity when an editor is missing such a simple thing.
Like pi? Try 10,000 digits.
sysadmin-cum-developer-cum-business-guy
Be careful how you insert your Latin into your English these days.
If you have a problem with the "community", then identify the person who was or would have been responsible and who failed.
Why not just look at the patch log for the system that the patch was for?
That would tell them who submitted the stuff with the flaw. Which should also tell them who the maintainer is.
They are in place. Because someone doesn't want to bother to look doesn't mean that they aren't.
Again, it is. http://www.kernel.org/pub/linux/kernel/v2.6/Chang
Just click on "Changelog" next to the kernel version and you get a list of name and addresses of who submitted what.
Suppose you found a flaw in the hostraid system for the aic79xx series?
You'd find out who submitted a patch for that and who signed off on that patch.
So you'd have the names and email addresses of two specific people who definitely have something to do with that particular subsystem and who have had patches successfully submitted to the kernel.
It doesn't get any easier than that.
And that level of definition (talking to the person who actually wrote the subsystem) is why Linux's security is so much better than Windows'.
You find a flaw...
You go to kernel.org...
You look up who submitted that code...
You talk to that person...
You both work on the patch...
The flaw gets fixed...
It's just that easy. As long as you aren't burdened by an ego that demands that Linus himself accept and praise your contribution.
And voila! The analogy is flipped around.
But reading the EULA, MS clearly states that they are not responsible. I expect WindowsUpdate to change my system through patches, but I don't expect upgrades. I'm still running Win2kPro on my tri-boot system (Debian and Gentoo.) I KNOW that I will not get my UPGRADE to XP. I also hated hearing MS discuss XP SP2, and calling it an "upgrade." Also, I am CONFIDANT that MS would not take responsibility for data loss. ~ FUD
so it is hundreds of hundreds, then?
My guess is that only a "handful" of MS employees work on Windows' micro-kernel as well. Though it might be true that there are more developers writing for the MS platform, this is because it is the world's most widely used OS. He's done a bait-and-switch almost... Discussing the kernel development and relating it to the wide base of application software?
He uses the word "myth" quite often here. So let us look at a few select definitions of the noun:
* a traditional story accepted as history; serves to explain the world view of a people
* A popular belief or story that has become associated with a person, institution, or occurrence, especially one considered to illustrate a cultural ideal
So a myth doesn't necessarily mean make-believe. We could interpret his quote to have meant this : "The world-view and cultural IDEALS of Linux have made themselves a concrete REALITY over the past year!"
Well, uh... DUH! If you expect more out of something, that something will be more challenged to perform. Water is wet. The Pope is Catholic. If I expect my automobile to drive 200 mph, the manufacturer will have a bigger challenge designing it. Go figure.
OK, I'll admit, I'm not a software guy. But aren't these unrelated statements? ie, What does a development environment have to do with mission-critical computing??
The Linux Desktop (and kernel?) may have certain things missing, that's a given. That doesn't mean that it isn't ready for SOME mission critical computing. I'd be more inclined to use a kernel/OS that allows inspection of its source for any mission-critical apps. Ask NASA why the Mars rovers are using Linux instead of Windows.
FUD FUD FUD, is all I got out of the article.
Please explain where I'm incorrect here. I admit that I'm not as knowledgeable on some of these points as many of you, and would prefer to know why/how I might be incorrect.
... libel?
free as in beer not speech????
I think the point is that Windows security is so derided because so many people try so hard to break it. Not to say that the Linux kernel is insecure, but if as many people spent all their free time (or even their jobs) doing their best to create virii, spyware and exploit glitches etc, then we could make a fair comparison between the two.
Or, more succinctly, Linux is so secure thanks to the hacker's favourite - security by obscurity. People are unfair to Microsoft.
Ahem: http://slashdot.org/comments.pl?sid=137637&cid=11509139
~hylas
You're talking about Microsoft's compiler? The one that fails more standards compliance tests than almost any other compiler which claims to be standards compliant? That compiler?
Go ask on comp.lang.c or comp.lang.c++ if you don't believe me.
Don't make me laugh...please. If I wander down to my local PC World and buy a copy of Windows XP how much support do I actually get? I certainly don't get any more or less than I do if I download and install any of the major (or most minor) Linux distributions. The same is true if I bought MS Office and Open/Star Office. And that's just at a personal level. I helped start an IT business and four years in I'm in the process of moving from an entirely Microsoft environment to an open source environment. I have paid an awful lot of money for Microsoft licences over the last four years. The products I have purchased on the whole have been excellent (Office, Visio, Exchange etc) but having sampled open source alternatives I have two major gripes: 1) Cost - everything is far too expensive (I won't labour as I know you all know this), 2) Support - When I pay 300 quid for Office per user I still don't get to phone Microsoft up when I get a problem (I know there is a 90 day support period but you know what I mean). So my support path is the web, be it Microsoft knowledge base or one of the myriad of geek sites. My point is that unless we pay Microsoft for support, none of us get supported really. For Mr McGrath to claim that an appropriate level of support isn't available to Linux users is frankly ridiculous. As a Linux novice I have found more than enough support to get me through any situation. I suspect this is another back-foot defense from a deeply worried company.
Thanks for the laughs, slashdot.
Like Microsoft knows anything about security... give me a break.
The worst kind of troll is definitely when you argue your point, post, then take a walk and change your mind about the topic and discover that your post makes the perfect troll..
I'm still trying to figure out what people mean by 'social skills' here.
Just STFU! Your products are total garbage, and anyone with any shred of intelligence knows it. It's sad that you can't see this yourselves. I suppose that says something about your level of intelligence.
Myself, my family and my business (19 computers total) have never seen a Microsoft app or emulator and never will.
I take pride in knowing that you will never have 100% of the desktop, home computer and server markets.
Sincerely, A Linux User
You mean back when MS made decent software?
Though it should not be said that "Linux security is a myth" but rather just "Security is a myth". The largest pro that Mac OS, Linux, and any other alternative OS has over Windows is the small market share. The hackers (the prick kind not the cool kind) won't give up just cuz MS died and once any alternative OS goes mainstream it will become the big security problem in the media. For every 1 way to lock something there's 10 ways to break in.
I am not sure if that's what you want...
Apple called that "Fix and Continue" in their Xcode IDE.
Xcode
It's all about what OTHER PEOPLE should do to make YOUR life easier.
Looking up a name in a list is TOO HARD for YOU!
There should be a link on kernel.org so YOU can send something to some OTHER PERSON who will spend the time and effort to determine what it is and who's responsible for that and then make sure it gets to that person.
Not obvious? It's where you go to get the source for the latest kernel.
I can't write patches for the kernel and even I can find it.
Right. It's all about how to make YOUR life easier by having OTHER PEOPLE do it for you.
Rather than you spending 20 seconds to find the email addresses, you expect someone else to be able to read the patches, find out who maintains that subsystem and get the patches to that person.
No. The fact is that many hundreds of people manage to get patches submitted in the current structure.
Yet there was one example of one person who couldn't understand that structure...
So the whole structure is wrong and has to be replaced.
Rather, it seems that that one person has a problem and your "solution" would only make MORE work for someone(s) who had to be the single point of failure (do you know that term) for processing patches.
The current system has so many ways to get a patch submitted that even the dumbest individual will eventually stumble across one. As was shown with your example.
Why switch from such a distributed, de-centralized system to one with a single point of failure?
Just to make life easier for the dumb people? I don't think so.
A bird in the hand is worth two in the bush. (Score:5, Insightful)
Why does a post comparing handjobs to double penetration get modded as Score:5, Insightful instead of Score:-1, Offtopic?
Too bad it's not ready. Ready or not it IS being used for those applications and will continue to be.
Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
And no single sign on system? What, like M$ Passport? You're asking everyone to trust in that, and everyone is saying no, maybe it's something people don't want, you know, a monopoly.
It's just another publicity stunt giving facts and figures from unreal situations. Seen this? And more precisely this? Maybe this is true, if your server is working on an intranet that has no communications with anything from outside, be it CDs, flash sticks etc. Otherwise it'll get infected, and damned fast too.
What I know about servers is little, and Linux even less, but I tried M$ Server 2003 as I thought it would be easier for me to set up, well yes true, keeping it up however was pointless, a Linux box however is much nicer, I don't know anything in Linux (I struggle to remember how to change the root password at times) but KDE suffices for a simple webserver and doesn't nearly explode every 5 mins as it auto updates itself with virii or crashes due to dodgy CGI support or similar.
So as ever, rather than M$ delivering, they merely have to make it look like they can, or make it look like others can't.
"I may be full of crap about this game, and I may be wrong, and that's fine." -Jack Thompson
Modern Linux distributions install sendmail as a Mail Submission Program, not listening on port 25. Then they firewall it off.
.exe files will definitely enhance security. By applying security measures to .msi files through username and password, users can be restricted from installing unwanted software.
Portscan a RHEL box. Then portscan a Windows 2003 Service Pack 1 machine. Both have a firewall turned on. But the 2003 box lets through six or seven ports, including ones used for various windows worms. If you can't be bothered portscanning them, just connect them to the internet and wait...
Linux also disables execute access for new files created by users. In Windows, new files inherit their permission from their parent directories, which, in most cases, grant execute permission. In either case, execute permission is unnecessary to install software - users should download a read-only package file (rpm/msi) that's associated with their package management app.
Apparently MS thinks that's a good idea too - here's the feedback from MS where I suggested this to them:
Dear Mike,
I am Jay, a member of the Windows Server Feedback Response Team and I just reviewed the feedback you submitted on www.windowsserverfeedback.com.
The suggestion you have made in your feedback is a good one. I do understand that with the default execute permission a user can run all executable files. This could lead to serious network threats and may result in loss of data. In this regard, your suggestion of limiting the user from running
I am forwarding your suggestion to the Product Development Team at Microsoft and I am sure they will find it interesting.
Thank you for taking time to share your idea with us. Hope to see your continued participation in this forum.
Sincerely
Jay
Windows Server Feedback Response Team
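The point above about new files not being executable comes from how Unix creation works: a program asks for mode 0666 for a regular file (0777 for a directory), the process umask clears bits from that, and nothing in that path ever adds an execute bit to a regular file. The block below is an added example, not code from the thread, that creates a file and a directory under several umasks in a scratch directory and reports the resulting mode bits; it assumes a Unix-like system (Linux, the subject of the thread) and a filesystem without default ACLs that could alter the outcome.

```python
import os
import stat
import tempfile


def mode_of_new_object(umask_value, directory=False):
    """Create a regular file (requested 0o666) or a directory (requested 0o777)
    under `umask_value` and return the permission bits the kernel actually set.

    The umask is restored afterwards so the caller's process is unaffected.
    """
    old = os.umask(umask_value)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            path = os.path.join(scratch, "newobj")
            if directory:
                os.mkdir(path, 0o777)
            else:
                # O_EXCL: fail rather than reuse a file we did not create
                fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o666)
                os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def is_executable(mode):
    """True if any execute bit (owner, group or other) is set."""
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def demo(umasks=(0o022, 0o077, 0o000)):
    """Return [(umask, file_mode, dir_mode, file_executable), ...].

    Even with umask 000, the most permissive setting, a new regular file ends
    up 0o666: readable and writable, never executable. Directories do get
    search (x) bits, because for a directory x means "may traverse".
    """
    rows = []
    for um in umasks:
        f = mode_of_new_object(um)
        d = mode_of_new_object(um, directory=True)
        rows.append((um, f, d, is_executable(f)))
    return rows


if __name__ == "__main__":
    for um, f, d, x in demo():
        print(f"umask {um:04o}: file {f:04o}  dir {d:04o}  file executable: {x}")
```

A downloaded package or an attachment saved by a mail client therefore arrives without execute permission; something (the user, or an installer running as the user) has to add it deliberately before the file can be run directly.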
I think the term is not "more secure" but "less vulnerable".
Security is defined as protecting assets from threats (yes, backups and power issues are security issues).
If you're less vulnerable to the threat, then you're better protected, and more secure.
Linux is not ready for mission-critical computing. There are fundamental things missing,' pointing out the lack of a development environment and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program.
Oh, shit! They could have said it before! We've just bought the fourth most-powerful computer in the world from IBM with Linux and we won't even get MSN Messenger accounts!?
-- Don't leave me so sad: write to me quickly that he has come back...
The article refers to another vunet article, Linux Fights Off Hackers by Iain Thomson, which refers a whitepaper published by the Honeynet Project. It really looks as though McGrath is claiming that the Honeynet Project's data has been falsified.
From the Honeynet white paper,
"By combining the data from all of the Linux systems deployed, we see a mean life expectancy of 3.0 months for systems that were compromised. For systems still uncompromised, we see a mean of 4.46 months. Finally, for the entire population of machines, we see a mean time of survival, including those still uncompromised: 4.1 months. The longest surviving Linux honeypot was an unpatched Red Hat 7.3 system that was online (and never compromised) for over 9 months. This is a dramatic increase from the life expectancy for default Linux systems of 72 hours seen in 2001/2002.",
as well as
"This life expectancy is all the more surprising when compared to vulnerable Win32 systems. Data from the Symantec Deepsight Threat Management System indicates a vulnerable Win32 system has life expectancy not measured in months, but merely hours. The limited number of Win32 honeypots we have deployed support this, several being compromised in mere minutes. However, we did have two Win32 honeypots in Brazil online for several months before being compromised by worms."
and
"Meanwhile, the time to live for unpatched Win32 systems appears to continue to decrease. Such observations have been reported by various organizations, including Symantec [1], Internet Storm Center [2] and even USAToday [3]."
Example:
Firefox uses a "block everything except that which is specifically allowed" scheme for installing extensions.
IE uses an "allow everything except that which is specifically forbidden".
Now, a "competent" user could configure both so that they have the same level of protection.
But the reality is that IE has a really bad security model and to become "competent" would require lots of very specific training on that application, MS's security model (including "zones"), ActiveX, etc.
While a user of Firefox wouldn't need any of that to achieve the same level of protection.
At which point, it isn't "competency", it's "design flaws".
Sure, you can depend upon the user to compensate for the design flaws, but that doesn't mean the flaws aren't there.
And that has been Microsoft's approach for years.
#1. Ship the product full of holes.
#2. Have the default installation turn on everything even if it isn't needed and even if it can be used to attack the machine.
#3. Expect the user to use 3rd party virus protection as a band-aid to some of those holes.
#4. Expect the user to train to become an expert at work-arounds to protect those holes.
#5. Claim that your product has more "ease-of-use" than the competition's.
In other words, the difference between your usage of "competent" and what would be "expert" is practically non-existent.
I know MCSE's who were hit by slammer and blaster. And these people were certified by Microsoft. Microsoft certified them as "competent".
Sorry, kid. But in the Real World, depending upon the users to become experts in the systems they're using just so they can keep them from being compromised isn't a viable option. The system defaults need to be secure enough for the way the average user will use the system.
Remember this, the computer is there to make your job easier. Not to give you something else to worry about. Not to give you something else to become an expert at.
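The two install policies contrasted in this post behave identically on every source someone has already classified and differ only on the source nobody has seen yet, which is exactly the case that matters for a new piece of spyware. The block below is an added example, not code from the thread: it models a "deny unless allowlisted" policy beside an "allow unless denylisted" one over a handful of constructed install requests (the host names and URLs are made up) and counts how many unknown sources each would let through.

```python
from urllib.parse import urlparse

# Constructed policy data: one vetted extension source and one source that
# has already been caught serving unwanted software.
ALLOWLIST = {"addons.example.org"}
DENYLIST = {"known-bad.example.net"}

# Constructed install requests. The third host appears on neither list; the
# fourth is the denylisted host written with different case and a trailing dot.
SAMPLE_REQUESTS = [
    "https://addons.example.org/ext.xpi",
    "https://known-bad.example.net/toolbar.cab",
    "https://never-seen-before.example.com/update.cab",
    "https://KNOWN-BAD.example.net./toolbar.cab",
]


def normalize_host(url):
    """Canonical host for policy lookups: lower-cased, trailing dot removed.

    Comparing raw strings instead would let trivial spelling variants of a
    listed host slip past either list.
    """
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def default_deny(url):
    """Firefox-style: install only from sources explicitly permitted."""
    return normalize_host(url) in ALLOWLIST


def default_allow(url):
    """IE-style: install from anything not explicitly forbidden."""
    return normalize_host(url) not in DENYLIST


def evaluate(urls):
    """Return [(url, installs_under_default_deny, installs_under_default_allow)]."""
    return [(u, default_deny(u), default_allow(u)) for u in urls]


def unknown_sources_installed(urls):
    """Count requests from hosts on neither list that each policy would install.

    Returns (count_under_default_deny, count_under_default_allow). For the
    default-deny policy this is always zero; for default-allow it equals the
    number of unknown sources, i.e. every source that has not yet been
    blocked is a gap in the policy.
    """
    deny_count = allow_count = 0
    for u in urls:
        h = normalize_host(u)
        if h in ALLOWLIST or h in DENYLIST:
            continue
        deny_count += default_deny(u)
        allow_count += default_allow(u)
    return deny_count, allow_count


if __name__ == "__main__":
    for url, d, a in evaluate(SAMPLE_REQUESTS):
        print(f"{url}\n   default-deny installs: {d}   default-allow installs: {a}")
    print("unknown sources installed (deny, allow):",
          unknown_sources_installed(SAMPLE_REQUESTS))
```

The design point the post makes shows up in the last function: a denylist is only as good as its most recent update, so a default-allow system fails open on every source nobody has classified yet, whereas a default-deny system fails closed and the user's only job is to decide whether to add a source.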
Now that was so funny I can't stop laughing. ;-)
You are more than likely 100% correct though.
Are you sure? I bet they have licensed code they can compile and sell but not distribute the source. I bet they also have some GPL code in many of their products that someone has lifted.
I say that some of the $40 billion in profit should go toward an audit of MS code. Now we will see how clean they are...
Your Average Joe
Next paragraph from the article you quote: "It's also important to remember that this paper focuses on vulnerable systems. The Honeynet researchers deployed almost 20 vulnerable systems to monitor hacker tactics, and found that no one was hacking the systems. That's the real story: the hackers aren't bothering with Linux. Two years ago, a vulnerable Linux system would be hacked in less than three days; now it takes three months." [emphasis added] This is irrelevant to your argument. It shows that Linux is less likely to be targeted, not that it is more secure or less vulnerable, but only less popular.
Sincerely,
Pan Tarhei Hosé, PhD.
"I am human and I think, therefore I hate the profane crowd and lust."
And we all know that anything spelled backwards is of the devil.
For instance - god=dog devil=lived evil=live
The time has come, time for some pain, in the wallet. All those people who use Windows but really don't quite understand it should upgrade. This is the year that possibly millions of clueless Windows users will upgrade to the Mac Mini.
Vote with your wallet and quit working for free. Working for free fixing Bill's operating system that gets full of viruses, spyware, adware, malware and trojans. Quit helping friends fix their machine when Windows Update mucks it up.
Your Average Joe
The article mentions single sign on as being an issue under Linux.
Single sign on is the ability to have a user log on to the network from a centralized authentication server and not prompt them for credentials when they access application servers.
In Windows speak, that's not Passport, that's AD and AD aware apps.
In Linux, it's pam_krb5 when you log on, and kerberized apps.
* Evolution / Dovecot
* Firefox / Apache HTTPd
* CVS (client and server)
* SVN (client and server)
etc.
Good job Nick, well researched, truthfully written, and explained. You fucking moron. I wonder how much you get paid to say bullshit like that.
I realize this is a bit OT, but Saeed al-Sahaf spake thus:
They seem to have the kind of non-cube farm work environment that smart people want to work in
Sorry, I'll have to ask for data to support that. I had a friend visit MS while escalating a bug (right into their laps, so to speak). His report of their layout and offices seemed to speak to solitary geeks working in seclusion. He didn't like their environment (coming from a cube-farm background) and I don't think I would have either.
I've had both an office and a bunch of cubes... as long as I'm not on a main arterial, I'll take the cube farm anyday. It is a more social, less isolating place. You can still tune out with a set of headphones or a bit of mental focus. But you can also interact more easily with your fellow workers which makes the job feel a bit more human.
Of course, I may not be most people nor smart. That has always been open to debate... :)
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
Who is accountable for the security of the linux kernel?
When was the last time Microsoft took responsibility for damage done by what they call security? How many billions of dollars of virus damage have you been held accountable for?
The several thousand people whose names are written in GPL licenses are responsible for making it so secure.
Don't ask about accountability from us when you, who would rather pay attention to IP infringement than damage done by your software's flaws, doesn't have it. Bitch.
Direct away from face when opening.
"In Microsoft's world customers are confidant that we take responsibility. They know that they will get their upgrades and patches."
For example-if the customers_know_about it we will patch it. And in the future we will charge the customer for the very important service.
"If you look at the number of people who contribute to the kernel tree, you see that a significant amount of the work is just done by a handful."
Does the meaning "Too many cooks in the Kitchen come into mind?
"There are very few of the improvements that come through the wider community. There are more skilled developers writing for the Microsoft platform than for open source."
I call Bullshit! There are many programmers that are even between the ages of 15-20 without the College and corporate stench that can churn out some amazing stuff.
"The way that 2004 started off there were a lot of myths in the marketplace around the cost and capability of Linux. But now a lot of the ideology has been replaced with commercial reality."
Meaning: We duped the customers into thinking they will have to pay so much money for support because they are too stupid to do it themselves.
"A lot of the percentage growth figures mask the fact that Linux is coming from a very small base. There are more Unix servers than Linux servers in the UK. There are more Windows servers than Linux servers in the UK."
Hmmm for needing comparisons, WITF take stats outside the country?
"Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft, neither is there a single sign-on system."
Don't tell that to NASA, and the DOD! And no single sign-on cuz there isn't one or at least there is not a trapping agreement.
Folks this comes down to one thing-BS. Just cuz this guy has a college degree and studied Linux does not make him the expert. Hell, PhDs still argue about what the hell the standards are. Anyhow, another piece of lovely MS FUD trying to increase that damn share price.
This SIG pulled due to lack of funding. (This damn war is costing too much!)
If you want something secure, just use something no one else is using like Amiga. It doesn't matter if it's secure or not if only in Soviet russia and old people in Korea use it.
Is MicroSoft really accountable for their flaws in the kernel? I remember their EULA telling me I cannot sue them if in windows something does not work and destroys my data as a result...
So in real life... Who cares? For me is good if it works... Because that I've switched completely of Microsoft software 2 or so years ago... I cannot pay for something I cannot sue somebody for, I rather use it for free and legally (opensource). :))
In general, I agree with him on this (I have not RTFA yet). Nor is Windows, of course, but that's taken for granted. Of course, it depends how critical your mission is. "Mission-Critical" is one of these phrases which is bandied around, but let's consider what it means....
"The mission depends on this system".
That still does not define the extent to which the mission depends on it - 80%? 90%? 100%? Nobody offers 100% availability, if that's what you're referring to.
The phrase also ignores the mission involved. For NASA, the Mission might be to send a man to Mars and back, but what if my "mission" is to run a website which expects to get 3 hits a month with a 60% expectation of success? An Atari could cope with that - my mobile phone could probably cope with that!
Taking the phrase in the way it's normally meant (running systems which are responsible for a significant amount of the user's business, and the failure of which would cause significant disruption of the business process and/or profit), then the whole discussion still depends entirely on the "mission" involved.
What tradeoffs is the mission prepared to make for uptime, for example? Serving read-only webpages, I care little for data integrity (I've been serving the same data for years, I've got it on tape, CD, DVD, onsite and offsite), and only care about uptime.
If I'm running a database which is updated many times a minute, then uptime still matters to me, but I also need to know which transactions have been fully processed, and which have failed (given Failure Scenario N, which may or may not have been predictable). That is much more difficult.
Author, Shell Scripting : Expert Re
Who is responsible if Linux has a security breach??? So if MS has one (which is far more frequent), they will compensate us? Nuh uh, they aren't accountable for their horrible security record in the slightest, and are far slower to respond to security issues than the open source community.
Arrrrgh. Insanity.
Love many, trust a few, do harm to none.
I help people migrate to Linux. There are missing and immature portions of the software stack on Linux which present an obstacle for small to midsize businesses. They include:
1) Line of business tools, especially vertically targeted ones.
2) High quality visual HTML editors. I prefer vim myself, but for a graphics designer, this is important.
3) Business to business tools by major players. For example Safeco's web site for insurance agents requires IE.
4) Interop tools such as rdesktop are still not up to snuff when it comes to hosted terminal services.
Now, in many cases there is software out there that can do 90% of what needs to be done, but small businesses can't pay each for the other 10%. So you don't have a magic answer. But these are areas which are developing and within a few years it will be solved.
Also in many cases most of the software runs on Windows too so by moving customers to the software that does 99% of what they need to do but it is cross-platform you make the migration easier down the road and create a situation where they get to pay just a little for the features that are critical to them and add others later as needed.
Within a few years, the Linux software stack will actually supersede that of Windows, I think.
LedgerSMB: Open source Accounting/ERP
Everyone knows that this story http://www.vnunet.com/news/1160853 is just pure FUD. So do not feed these trollz.
I have watched the slashdot topics and stories for the last couple of weeks and I am not amused. Slashdot "Administrators" like CowboyNeal, CmdrTaco and others should know better.
Next I see slashdot polls like My money is on: The Eagles, The Patriot or The Insurgents. This just makes my stomach feel sick. Has slashdot slipped into a rats whore house of opinions which really no-one cares about?
Robert
Now as for security, sure, hundreds of script kiddies use those development tools to create virii for the windows vulnerabilities; if those same script kiddies had as big and dumb an audience, linux would be just as riddled with trouble.
What the heck do Windows' development tools have to do with Windows security? It seems like you're talking about the cargo versus the truck.
It's tax time, so today I visited the Windows partition to install the tax software. I'm proactive (I love that word) about this stuff, so I already have SP2 installed (from a CD burned under Linux) a couple of months ago. The tax software installs, but I notice a lot of network traffic that doesn't stop. Update Manager finally pops up a window saying something "Powered by Sonic" wants to be updated. I say no, but the traffic continues.
I service a Fortune 1000 client that is running a global single instance of the Oracle E-Business Suite and does so using Linux for the application server tier. It runs ERP, HR, CRM, and SCM systems. Linux isn't ready for the datacenter? Puh-lease.
I haven't read a sillier comment than those of Microsoft on open source software, and Especially Linux. Simply put, open source software, is the biggest invention ever.
Linux security is highly exaggerated
Windows security is too complicated to be taken seriously. On Unix, you have user, group and public security bits. It is a simple model, yet proven enough for all tasks. On Windows, you may have ACLs based on time, on type of access, inheritable security attributes, etc etc, but Windows is still the most vulnerable O/S by the long shot.
and that the open source development model is 'fundamentally flawed.'
Thanks to open source software, there are thousands of programs to use for every possible task, the scientific knowledge on computers spreads around much faster, it helps low economies ride the computer revolution bandwagon, it helps children in poor countries get in touch with computers...imagine a world without open source software! computers would not be as widespread as they are now.
'Who is accountable for the security of the Linux kernel?'
Who is accountable for the security of Windows, given that the installation disclaimer says that Microsoft has no responsibility whatsoever on the effects of working with their O/S?
Furthermore, OSS does not need accountability: if your app does not run and does stupid things, people will not run it, your reputation will be hurt, and you will be forced afterwards to do a better job.
'Linux is not ready for mission-critical computing.
Last time I heard, the US army plans on replacing Lynx and other real-time O/Ses with Linux on their radar and defense systems. How's that for 'mission-critical'? I know several companies that produce defense applications for Linux. And Linux is actually better for this kind of software, because the source code can be audited by these companies at no charge.
the lack of a development environment
They couldn't have made a funnier and more absurd statement. Hey MS, does GCC ring a bell? it comes with every Linux distro, remember? what's the development environment of Windows out of the box? none. There is none. MS users have to spend another $300 on getting the MS Visual Studio.
and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program.
A single sign-on system is actually unimportant. I have registered myself at many many sites, but since the browser remembers my password, I don't even sign on. Furthermore, wasn't there a story about the .NET passport system security having been hacked for a week or so? and hackers having access to ALL of users' data?
I guess Linux can only aspire to the greatness of Windows
What greatness? Win32 is the single most badly-designed API, right after MFC. Microsoft actually needed to develop a whole new platform in order to get it right. There is simply no architecture behind Win32. It is a random accumulation of functions over time, with many semantic problems, no clear separation between concepts (for example, asynchronous sockets are implemented through the win32 message queue).
As for the plethora of software, it was a matter of economics that Windows has so much software: the hardware platform that it ran on was the cheapest (and the dumbest!), the available functionality was OK (but second to best), and more importantly, Microsoft let Windows spread by not caring about piracy!
And what can one say about their flagship products? Internet Explorer is full of security problems, Outlook too, Word 2003 has become a bitch to use from so much bloat, .NET has 2 million layers of abstraction and a couple of thousands of classes that it happens not to fit exactly to your problems...
Microsoft is also responsible for giving C/C++ a bad name; their software practices are truly evil. They changed some of
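The "user, group and public security bits" model praised earlier in this post is simple enough to write down in full, including its one well-known surprise: the kernel picks exactly one class (owner, then group, then other) from the caller's identity and consults only that class's bits, so an owner can be denied what everyone else is allowed. The block below is an added example, not code from the thread; it reimplements the classic discretionary check for a regular file in Python (root handling follows Linux: read and write always succeed, execute requires at least one execute bit on the file) so the precedence rule can be tested with constructed uids and modes.

```python
import stat

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def unix_access(mode, file_uid, file_gid, uid, gids, want):
    """Classic Unix DAC check for a regular file.

    mode      permission bits of the file (e.g. 0o640)
    file_uid  owner uid of the file
    file_gid  group gid of the file
    uid       uid of the process asking
    gids      all group ids the process belongs to (primary + supplementary)
    want      one of "r", "w", "x"

    Exactly one class is chosen by identity; there is no fall-through to a
    more permissive class if the chosen one denies the request.
    """
    if want not in PERM_BITS:
        raise ValueError("want must be r, w or x")
    if uid == 0:
        # root bypasses read/write checks but still needs some x bit to exec
        return bool(mode & 0o111) if want == "x" else True
    if uid == file_uid:
        shift = 6          # owner bits
    elif file_gid in gids:
        shift = 3          # group bits
    else:
        shift = 0          # other bits
    return bool((mode >> shift) & PERM_BITS[want])


def effective_perms(mode, file_uid, file_gid, uid, gids):
    """Render what a given identity can do with the file as an 'rwx' string."""
    return "".join(p if unix_access(mode, file_uid, file_gid, uid, gids, p) else "-"
                   for p in "rwx")


def ls_mode(mode):
    """Render permission bits the way `ls -l` prints them (without file type)."""
    return stat.filemode(mode)[1:]


if __name__ == "__main__":
    # Constructed identities: file owned by uid 1000 / gid 1000.
    owner, member, stranger = (1000, {1000}), (1001, {1001, 1000}), (2000, {2000})
    for m in (0o640, 0o044, 0o755):
        print(ls_mode(m), "owner:", effective_perms(m, 1000, 1000, *owner),
              "group member:", effective_perms(m, 1000, 1000, *member),
              "other:", effective_perms(m, 1000, 1000, *stranger))
```

The 0o044 row is the instructive one: the owner gets nothing while both group members and strangers can read, which is the behaviour the single-class rule produces and the reason a mode like that is usually a mistake rather than a policy.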
If you understand the benefits of software engineering, as opposed to programming (by which I mean the use of some design methodology), then what is it about about Visual Studio that makes you go straight to coding? Either you know how to design code or you don't. Use paper, UMl tools, whatever you like, but simply using MSVC as an IDE shouldn't make anyone slack! That is a piss poor argument... Obviously using vi encourages a more rigorous approach!
In theory, theory and practice are the same. In practice, they're not.
In other news, Linux users & developers claim that "Microsoft Security a Myth". A lot of people make a lot of claims. Then there are the facts.
I, for one (and there's many more like me), will listen to the claims, research the facts, and use the correct solution. And that solution rarely, if ever, involves the marketing company known as Microsoft. Microsoft can preach to the choir till the cows come home, but in the end, that's all they're doing.
In closing, it is not surprising to see MS resort to these tactics. What I mean is, if you can't provide a working, secure, flexible solution and you want to stay in business, you have to lie to your customers.
By your calculations, as Visual Studio 2002 was on 3 CDs, that would mean Visual Studio 2003 would have been on 9 CDs and Visual Studio 2005 will be on 27 CDs. Visual Studio 2003 actually comes on the same number of cds as 2002 and appears to use less harddisk space.
Nothing like an anti-Microsoft thread to bring out the idiots.
I do however agree that 3CDs by itself is actually rather large and something could be done to reduce that size.
-JD
My blog [.net, rants, general IT]
"Microsoft Claims Linux Security a Myth"
That's similar to "Prostitutes claim virginity is a myth."
The idea that Linux is more secure than Windows is wrong. All software has bugs and exploits in it waiting to be discovered. It is because we use crappy software development languages like C.
Linux has had fewer exploits than Windows so far because fewer people use it, therefore fewer virus writers make viruses for it. Same goes for Outlook/Office. Everyone uses those so there are heaps of exploits for them.
Diversity is more secure than lack of diversity - no single product is greatly more secure than any other.
Translation: "You must be smart enough to read one of the email addresses attached to the changelog attached to the code you're reading."
Like I said, I'm not a developer yet I can find the addresses without any problem.
"out-of-date"? They were just submitted in the last update.
Go ahead, show that I'm wrong. What address did you send to and when?
You know you didn't. I know you didn't. So who are you trying to fool?
The simple fact is that there are LOTS of different ways to get a patch into the kernel. Listing the person's address on the changelog is one of the ways to support distributed development.
The guy you're talking about had an ego problem when Linus himself didn't congratulate him on finding a flaw in Linus's kernel. That's an ego problem, not a problem with the patch submission process.
secure applications as Outlook and Internet Explorer
Secure should not be in the same sentence as Outlook and IE.
Linux is secure because it is not widely used. If you're going to make a virus you go for the big target and right now that's Windows.
Seriously, I would have thought trolling to be beneath Microsoft. :)
Without ownership, it's difficult to assign culpability when a security flaw is found. Far more flaws have been revealed in MS software than in Linux, but part of the reason is that Microsoft's market share makes them the far bigger target. It should be interesting to see how security plays out as Linux distros gain greater market penetration.
You can sign-on to your Linux system with LDAP and even MS's Active Directory if you wanted to (and plenty of other means).
If this ninny is talking about some other type of sign-on, then I have news for him. We have 140,000+ employees where I work and we have rolled out Netegrity's corporate single sign-on product corporate wide. We are running Netegrity sign-on agents on Solaris, Linux and MS Windows servers. We can single sign-on _all_ 140,000+ employees across Linux, Solaris and MS Windows systems. There are honestly no issues whatsoever.
So honestly, where is this "missing" a "'sign-on system'"? A proprietary MS-to-MS "single-signon" system doesn't sound much use to me, especially in a bigger corporation. The 3 fortune 500 companies I have worked for would certainly not benefit from having their server systems locked into MS-to-MS-ONLY communications.
I think it is time MS pulled their head out of their @ss. The MS marketing machine can only push so many lies before it gets annoying.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
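As an added illustration of the point made above (an editor's example, not the poster's words or his company's configuration), here is a minimal sssd.conf that lets a Linux host accept Active Directory logins. The domain name is a placeholder; the host is assumed to be already joined to the domain (realm join or adcli) and PAM/NSS wired to sssd with the distribution's tool (authselect or pam-auth-update).

```ini
# /etc/sssd/sssd.conf  (mode 0600, owned by root)
# Added example; example.com / EXAMPLE.COM are placeholder names.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM

# Caveat: the default access_provider is "permit", which makes the PAM
# account phase accept any user sssd can look up. Logon-right GPOs and
# account-status checks are then not enforced by sssd (the KDC may still
# reject a disabled account's password, but an SSH-key login never asks
# the KDC). Use the AD provider so those checks happen.
access_provider = ad
ad_gpo_access_control = enforcing

# Derive uid/gid from the objectSID; no manual POSIX attributes in AD needed.
ldap_id_mapping = true
use_fully_qualified_names = false
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
```

After restarting sssd, `getent passwd someuser` and `id someuser` should resolve a domain account through NSS, and `sssctl domain-status example.com` (where available) shows whether the AD connection is up. If lookups work but logins are refused, check the access_provider and GPO settings before loosening anything else.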
"Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux."
I can't believe someone has the guts to say something like this in public. In cases like this it is indeed better to keep your mouth shut and let people think you are stupid than to open it and remove all doubt.
No, RedHat does not and cannot take responsibility for the kernel in general. What they can do is make sure the kernels they ship are as secure as possible. And this they do. Rather well if you ask me. As do most other distros.
Gee, some of these MS guys don't seem to have a clue at all. And to think that most of them are probably highly educated people.
When in danger, when in doubt! Run in circles, scream and shout!
Linux bigwig J. Random Hacker claims that Windows security is highly exaggerated, and that the cathedral development model is 'fundamentally flawed.' The gist of his argument appears to be his claim of lack of accountability at Microsoft, coupled with generic statements short on facts. 'Who is accountable for the security of the Windows kernel? Does Microsoft, for example, take responsibility? It cannot, as it does not produce any competent software. It produces one hell of a mess.' He goes on to say that 'Windows is not ready for mission-critical computing. There are fundamental things missing,' pointing out the lack of a peer-reviewed development environment and no secure 'sign-on system' giving reference to Microsoft's foundering .Net passport program.
It's just too easy...
Hey Microsoft...It's all fine and dandy to make accusations about Linux security via Sendmail or some other basic factor, but let's get something straight. When a security hole is found under Windows, what's the average time between fixes, compared to the response time between fixes under the Linux platform?
Just some random speculation here but I'd bet the average response time from the Linux community is MUCH faster to perceived bugs. I have yet to see Microsoft come up with a much better response time to Kernel problems than the typical "within the week of discovery" (and sometimes within a few hours) response time.
"Love is like pi - natural, irrational, and very important." (Lisa Hoffman)
And what OS(es) were they running?
I've been using Visual Studio for six months and I can say with 100% certainty that Microsoft's operating systems are completely lacking a Microsoft provided development environment.
The simple truth is that for the price of hiring a kernel hacker, you are accountable. Not some third party vendor, with gawdawful rates and hours. You.
If you don't like a security feature, you can implement a new one. If a heap overflow is discovered, you can fix it. Not only that, but you can fix it now.
Microsoft will never be able to touch that.
This post expresses my opinion, not that of my employer. And yes, IAAL.
I suggested Xandros and handed him an install CD. He took it home and installed it on his home PC. The next time I saw him he was raving about it. He said it did everything he needed it to do out of the box (they use a PS2 for gaming) and that he never had to download and compile a single program to get it working. He is now seriously trying to get it implemented on as many systems as he can where he works.
Xandros is truly the first Linux distro I've seen that I'd honestly feel comfortable handing a CD to my mom and having her install and run it (and I wouldn't even do that with a Windows CD). Everything I've seen on it "just works" and installing new software is as simple as "select software from the list of categorized choices" -> enter admin password -> (wait, there is no step 3).
Now, I can apt-get/yum with the best of them and I frequently download source and compile myself. That's fine and dandy for me, but not for my mom. But even Microsoft doesn't come with a pretty comprehensive list of software that you can install with a click.
I haven't switched my Fedora desktop at work to Xandros yet (mostly due to lack of time and years worth of customization on it), but I'm seriously leaning in that direction.
"terrorism" and "pedophilia" are the root passwords to the Constitution
There are no living viruses on up-to-date Linux systems, i.e. they die: most viruses depend on a system weakness that is removed. This also applies to Windows: doors in many programs on Windows are not shut and are still open. Come on Microsoft, don't throw stones until your own house is in order.
"Who is accountable for the security of the Linux kernel?" Linus and the maintainers, for a non-modded kernel. Distros are responsible for any extensions they decide to ship, i.e. extra features, equal to the extra drivers for Windows that ship on OEM versions of Windows (hmm, does Microsoft support these extra drivers? No they don't). Nvidia are also responsible for their own drivers.
Also the system admin that adds stuff like LIDS is responsible, just like the developers who create stuff like LIDS.
He is right that the core developers number in the hundreds. But many times faults are located by developers like me who just report the fault and sometimes submit code that is rejected (all mine have been, because the code was not good enough due to lack of knowledge of multi-processor machines), so someone in the core rewrote it. Please note there are over 1000 side projects maintained by extra developers, i.e. proto modules not in the Linux kernel yet, so there are over 1000 developers directly working with the Linux kernel.
"There are more skilled developers." Nope, there are just bad tools that let lower-skilled developers create working code.
Single development environment for Linux?? Why does there have to be a single development environment?? Windows does not have a single development environment.
Single sign-on system. Same question: why does there have to be a single one? This is an important one. A single sign-on system gives hackers just one target to break, i.e. Windows systems will be using X system of protection, good. Linux systems, hmm, which one are they using? And are we talking about security, or are we talking about look and feel?
"There are bits of the Linux software stack that are missing. These are factors that are holding back Linux." Yep, Linux person says this is true.
Linux as a web server rules; other roles are great, but if the tools you need are missing, sorry, you are stuck. In most cases, just like Windows, there are commercial fixes, e.g. SAP for accounting.
Please note the lack of shipped software with Windows is starting to hold Windows back too, and out-of-date software shipped with Windows.
1: I'm not sure what you consider a business tool but all the major business tools I can think of run on Linux. Many of them started on Unix long before Windows was around. Examples: AutoCAD, WordPerfect, Oracle come to mind off the top of my head.
2: http://freshmeat.net/search/?q=html+editor&section=projects&Go.x=0&Go.y=0/
3: I'm not sure how a website designed to work only with IE is a business to business tool but ok, You can design an apache website to use only IE too.
4: linux terminal servers have been around longer than windows has had that ability. The GUI, http://x.org/, was designed with that very thing in mind.
Now you say that with the linux solution, the small business can't afford to pay for the 10% that linux doesn't offer. How are you going to afford the windows solution for which they would have to pay 100% for? I think you also have the wrong idea about what a software stack is.
With a simple interface.
Yep I want.
lack of accountability? lack of accountability? oh the irony. What a tangled web you weave Microsoft.
There are very few of the improvements that come through the wider community. There are more skilled developers writing for the Microsoft platform than for open source.
God I hate it when people say things like this. Where is the proof? Has he conducted a study on the skill level of OSS developers compared to Microsoft employees? What is his determination of a skilled developer anyway? I would say that these days there would be more people writing for OSS than for Microsoft.
But then again I'm just pulling numbers out of the air as well.
-- main(s){printf(s="main(s){printf(s=%c%s%c,34,s,34
Debugging. I'm a hardcore UNIX/Linux developer who never uses Windows, but I've watched folks do it, and I'm jealous of debuggers that handle threads properly, give integrated displays of state, and are easy to navigate. Maybe Eclipse is there now, but it wasn't 6 months ago when I last tried it. Nothing I'm aware of for C even comes close.
Of course, if you're going to be writing C++ against the APIs of mystery, you darn well better have a first-class debugger.
I never said that Windows was easy to set up correctly, or that it was appropriate for the average stupid user. It's not.
This doesn't mean that the system is hopelessly broken or unusable.
All the bad things you've mentioned about Windows so far are poor defaults, not design flaws. Defaults can be changed. Design flaws are unfixable without a major overhaul.
I submit that the kernel and system are well designed. The shell has some ugly stuff, but nothing that can't be sandboxed or replaced if really necessary.
1. What do you want them to do? Wait until the software is provably correct? It's not like they ship it with known flaws.
2. I have a problem with this too. Still, it's just the default and can be changed. Also, Server2003 and XP SP2 are better about this (finally). Back in the old days, NT 3.51 had all that stuff optional.
3,4. Windows doesn't need extra virus or spyware protection if you know what you are doing. Still, MS markets to the general public, so there are people who need this to try and compensate for being unable to use the OS properly.
If the users have to be experts in order to use the system correctly, so be it. Do you really expect stupid users to be able to properly admin a UNIX box if they can't handle Windows?
Need? The defaults can be just about anything as long as they can be changed and as long as the audience consists of competent individuals.
Secure defaults... like the everything-runs-as-root policy that Linspire has?
That's what I tell myself when I'm pulling my hair out over something that should be trivial on my Debian box. I feel like I have to be an expert with it to get it to do many of the things I want it to. Still, that's half the fun sometimes.
And I bet you wish someone would give you +1 insightful for being able to count.
Since you are so smart, I'll tell you at least 1 out of the 200 pieces of software M$ makes does triple in size. I'll let you figure out which one. Fucking M$ fanboys.
I didn't say it was Visual Studio. It was whatever was in use back then. It ran on a CGA monitor and graphics system IIRC. I am fully aware there was no Windows then, they hadn't copied anyone else yet.
I just love these anecdotal comments about something unknown. Hell every time I use slashdot some damn poster assumes he knows more about what I saw than I do and knows more about what I posted than is on the screen.
Infuriate left and right
Technical brilliance doesn't sell software. (see VHS vs Beta). Marketing sells software.
He is talking to the people out there who are buying MS software, or who have already bought MS software. These statements are about selling software.
These comments are not directed at technical people, their accuracy is irrelevant.
The first rule of marketing: ***its all marketing***. Everything you do and say and deliver is focused on getting s/w out the door and revenue in the door. Everything else is secondary, and that includes quality, truth, bugs.
If the customers want security, give them something to make them think they have it. Which is why MS have never really needed security till now (and maybe not even now). And they still don't, not *really*. If MS *really really* needed security, or they would lose market share, you can bet they would have darn good security.
I suggest you read "Crossing the Chasm" or "Inside the Tornado". Get the early adopters on board, then move product as fast as you can and ignore the customer.
Heh... I still prefer the one, that goes "Windows is not real... It's a myth, that was created to scare kids"...
sendmail has nothing to do with Linux kernel security (about which the thread was, so despite your "first post" luck you're way off-topic). And I think nobody with half a brain would knowingly use sendmail today, considering more secure alternatives like Qmail and Postfix. Open source, mate, is not about using software that has a bad security track record, it is about having the choice of using something better, a choice that Microsoft doesn't want us to have.
open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;
Sounds like a software opportunity. When is MS going to start their GPL compliant department?
fast as fast can be. you'll never catch me.
... Linux security being a myth is better than Windows security being non-existant.
i wonder.. how many times does Microsoft have to claim that open-source development is fundamentally flawed.... everything is flawed... that's pretty obvious with Microsoft and their products... so i don't see how they can be the type to spread FUD of that flavour
Since "competent" and "expert" have the same definition, they are the same.
Too bad. You lose.
Again, that gets back to the definition of being "competent" being the same as the definition for being "expert".
That is because Windows is packed full of flaws that just aren't there in better designed OS's (Linux and Mac).
With those, you can be "competent" without having to be an "expert".
Does this mean that Microsoft is finally ready to release that raft of "Linux viruses" that they have been working on for the last five years?
I hear they've had a thousand script kiddies on the payroll, racing to produce the "Linux-killer" virus ever since Red Hat incorporated...
"The Internet is made of cats."
The paper may seem a little dated, but it is still taught as guiding principles in some universities (MIT, Berkeley, UCLA). The 4th Principle of Security is "Open Design". This is summarized as "The protection mechanism should not depend on attackers being ignorant of its design to succeed. It may however be based on the attacker's ignorance of specific information such as passwords or cipher keys."
Oh, I agree that there are lots of things that need to be developed to run on Linux in order to match the availability of vertical market solutions on Windows.
However, as you point out, this is not an insurmountable task and will be addressed over time just like it was on Windows. After all, Windows didn't spring full-blown with scores of thousands of applications. All of those business apps had to be converted from DOS to use the GUI and that was done in the usual manner - somebody contracted to do it, then it was resold to everybody else. That is happening in Linux as well.
I have a client who is a sign-making shop who is still running a sign-cutting machine on Windows 95 because the company that made the software went out of business and no one has converted the software to a later version of Windows. So the same problem can happen even within Windows.
It's not a show-stopper for conversion. It just has to be planned for, either by budgeting the funds for converting software over time, or by retaining a Windows machine to run unconvertable software until a Linux equivalent exists.
Meanwhile, as someone said, it's a business opportunity for anyone who can convert software to run on Linux. Pick something and do it. Looks like the 80,000 or so SourceForge projects are a result.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I think it's you that is the whippersnapper. Back in my day, we didn't have all the fancy line-level debuggers, and we didn't like it that way! In my old age (42), I have seen it all come and go, and I've just gotten too lazy to type the whole damn function name and remember every function interface I've ever used. After about the 15th API I had to learn, I got tired of memorizing all the details of what order the four booleans come in, and so, while I may have used a function many times before, I don't necessarily remember without at least a quick refresher what the exact parameters are. But as you said, to each his own. Auto-complete is my cane.
Six score characters.
Brevity being wit's soul
I have enough space.
I wasn't quite finished...
Microsoft and the Bush Administration seem to be using similar tactics to achieve (or attempt) their goals: FUD and distraction.
Distract all the people with side issues to keep them from discussing the real issues. Linux security doesn't have accountability. Perhaps. But that's irrelevant. There aren't thousands of compromised Linux machines delivering millions of spam emails every day.
Accountability is nice for pointing fingers and lawyers, but that kind of stuff is after the fact. If your company secrets are stolen because of a flaw in the OS or Browser or Media Player or Service Pack or whatever, accountability won't get them back. Maybe you can sue M$ for damages, and hope the DoJ will slap Bill's wrist a little harder next time, but your secrets are still out there.
See, I'm already wasting my time on this bull, while the M$ developers are still cranking out their code, adding plenty of new "technology" to Longhorn. New code, new bugs. That's just how it goes.
All software has bugs. Developers aren't perfect. Complex systems interact in complex ways. Myth or not, Linux insecurity (since that's really what we're talking about) has yet to cause as much damage worldwide as Windows insecurity.
That is not a myth. That is reality.
Linux code is available for review; you can read it and see what you're getting (assuming you know how to read code, obviously). If there's a flaw, you can fix it. With Windows, you have to just take their word on it, and look where that's gotten us.
I agree that usually you can have a complete Linux solution, but sometimes interacting with the Windows world can be painful. Specifically I am talking about the ability of a small business with, maybe 10 employees, to run Linux on all their systems. At the moment, many such businesses cannot. So for example, I was specifically discussing interop tools for services provided on Windows, or the ability to access (for example) Safeco's web based agents' tools on a Linux desktop.
Regarding paying, on Windows, everyone pays for a very small amount of the development that goes into the software they use. With open source software, if the functionality is missing and you want to add it, you pay 100% of the cost of development to add that feature. In some cases (partner tools) it may not be possible to run a Free Software solution because they may not have designed their tools with that in mind. So the cost of adding a large number of features (for example, a Simplify Printing client to rdesktop) would be expensive and for 10 desktops, it would be less expensive in the short run to keep using Windows.
Also, I think I laid out a plan for mitigating this issue. You make the migration slowly and start at the top of the software stack. As you can move down the stack you do. You can then afford to add the features you need slowly and without paying a huge up-front cost.
LedgerSMB: Open source Accounting/ERP
His analysis actually probably makes sense to someone who is in business. A business is usually more comfortable paying for a service than getting one for free: when they pay for something, they explicitly can expect it to work and know who to sue when it stops working (the people cashing the checks). Being ruthless capitalists themselves, MBA types just can't conceive of a paradigm where a service is offered gratis. The idea of getting something for free just boggles the mind and they get all uncomfortable. (Wait... if we're not PAYING anyone... how do we know it will work? No free lunch! Everything I learned to get my MBA would be proven wrong!) Someone who sets up a for-pay Linux troubleshooting service could make a killing if Linux ever takes off in the enterprise market.
for bad built security leak programs. make me think microcrap will be thinking something more like " you had a choice to chose Linux.
here's where I stop waving my balls. Honestly, I don't care. You might be older and more experienced than I am, and great. I don't care. I've got my life, you've got yours, and I would be really surprised if they collided. Please have fun in the mean time. I will.
I forget what 8 was for.
did this retard just say ie was secure?
... for this black duck ... is the list of related links at the bottom of the page. Sometimes the best chuckles come from RTFA!
Given that 90-95% of computers run some version of Microsoft Windows, that other 5-10% appear to be rather worse at spreading spam, eh?
RTFP... 'e said that Zombie Windows boxes contribute 80% of spam, and that implies the bulk of the rest are due to abuse of services which people have otherwise legitimate access to - SPAMmers' own boxes - some probably running Linux because the OS is free and they'd tackle the job of sending SPAM very effectively, but nothing stopping SPAM software running on any platform in particular because it's your box!
I'll not say anything for or against the percentage stated, but that level certainly wouldn't surprise me. I am however sorry to say that there are probably a few open relays still out there in *nix world. This is very different to being owned by a hacker/script kiddie, but it is a result of poor (not insecure!) configuration.
You'll probably find that something like 80% of SPAM comes from Zombied Windows PCs, and almost of all the rest from the SPAMmers own PCs, whether they run Windows, Linux or OS X. Maybe a very small fraction of a percent would be poorly administered Linux/Unix systems that have been rootkitted for the purpose. It's generally just too hard to bother trying (check out the links at the bottom of the article).
they need to start backing up their claims instead of making conjecture.
1. Accountability means you can point your finger at me and I'll say "yep, my bad."
2. Responsibility means I then have to fix it.
Clearly stated. What customers typically overlook, too, is how a vendor will release some fixes for free as part of your initial purchase price, but that, eventually, I'll encourage you to upgrade to a new product for a price to eliminate all those inconveniences you've been experiencing, including the wait times for the next patch to the old version of software.
The anxieties and headaches of your average CIO are played like a fiddle by MSFT.
"Provided by the management for your protection."
No single sign-on? Okay - I guess NDS doesn't count? Along with OpenLDAP. This just goes to show how much this guy knows. I would take a Linux server any day over his crappy OS. I wish Microsoft would just shut up and start producing something that is credible - the only thing they're good at is spreading FUD. NDS blows away anything they have and always has, and is more robust and stable and is CROSSPLATFORM (you know - can work on other OSes besides your own - just wanted to spell that out for him because I know that is a foreign word to them). The same goes with OpenLDAP - and you know what, I can have both exist on the network because NDS is standards compliant. Not like the crap he and Microsoft produce, which locks their customers in and produces nothing but a rats nest of code. Okay that's all - this guy is nothing but FUD.
Microsoft bigwig Nick McGrath is quoted as saying 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
So, I suggest the question be asked, 'Who is accountable for the security of the Windows OSes? Does Microsoft, for example, take responsibility?'
If Microsoft would like to go on record as admitting liability for the susceptibility of its software to intrusions, then it can start talking about the failures of other software. That is, until and unless I can send Microsoft a bill for damages (loss of time, loss of data, loss of business reputation, costs to repair and costs for third-party fix-MS-ware) and be paid, I don't need to hear anything from MS about responsibility, accountability, professionalism, compassion, care, you name it.
Nobody who works IN the industry would ever say that MS has anything over *nix for security, or for that matter, a "development environment". Unless they work for, or get money from MS.
I like to point out that if Bill had to spend time with users fixing the problems they had with his software in the early days, he would never have become prosperous. The M.O. is to outsource the drudge labor on a margin and then try to convince people they can make money servicing the stuff. MS is unhappy because Linux doesn't need servicing of things that are supposed to work. MS machines fail for no reason at all. I'd just as soon see the end of teaching MS to anyone as an example of what computers do - because computers do not "crash a lot and give unexpected behaviors"; they are deterministic little beasts, and if you program them properly - they work as well as *nix machines visibly do.
I also heard somewhere that Gates said open-source proponents are communists, or something like that ... when in doubt and covered with fear, use any last appeal to stupidity and brutality you can. Should we expect next to hear from Gate$ that using Linux can cause AIDS?
I give these jokers until 2015 before they are washed up (sold off) and until 2010 for MS OSes to be clearly on their way out. Let Ballmer sell used cars.
-sam hedron-
good commentary in response to the article. tears MSFT's claims apart:
http://www.zdnet.com.au/insight/software/0,39023769,39179296,00.htm
I was going to write some long article about why I think that this guy is full of sh*t. But I read this article this morning and it really speaks
http://www.novell.com/coolsolutions/feature/11507.html
IS LINUX REALLY FUNDAMENTALLY FLAWED?
xnosyde