Slashdot Mirror


Microsoft Claims Linux Security a Myth

black hole sun writes "Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.' The gist of his argument appears to be his claim of lack of accountability among distributors, coupled with generic statements short on facts. 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.' He goes on to say that 'Linux is not ready for mission-critical computing. There are fundamental things missing,' pointing out the lack of a development environment and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program." I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.

9 of 901 comments

  1. Red hat does take responsibility though by m50d · · Score: 5, Informative

    They take responsibility for their distribution. They will patch their kernel if anything seems wrong with it. From time to time they pay for an audit. Similarly the debian people vouch for their kernel, and so on. The vanilla kernel.org kernel is only accountable to the kernel.org people, true, but most "enterprise" distribution makers will stand up for every package they distribute.

    --
    I am trolling
  2. Re:Not A Myth, Just Not Inherent by Coryoth · · Score: 3, Informative

    Fact: Much of what winders suffers from is incompetent users. Nothing is really stopping the developers from writing spam bots for windows because idiot users on Linux could run bad code just as easily as idiot users on windows.

    For now, yes, but as SELinux, or RSBAC, or any of the Mandatory Access Control, role based systems gain popularity in mainstream Linux (and SELinux, for now, seems to be the best candidate on the popularity front), the ability for idiot users to run bad code goes down massively.

    Yes, in theory an idiot user could run bad code, but under a well implemented SELinux policy, while the code may run, it wouldn't actually have rights to do much of anything. At worst it might be able to fill up the home partition with useless data, or something along those lines, but spam bots and zombies and mass mailing viruses would be a far more difficult task to write indeed. A sufficiently smart idiot could grant the process the rights to do what it wants, but really...

    Yes, such a system is not a cure all. People can still do bad things to themselves, and no matter how well you build it, there's always an idiot who can break it. It does, however, significantly raise the security bar on what it is easy to trick a user into doing.

    Jedidiah

  3. Re:In other news... by TubeSteak · · Score: 4, Informative
    Need I remind everyone that Microsoft turned to Akamai's Linux servers when they got hammered?

    It's as if some hotshot in his BMW 745i got a Yugo to tow him because some snow was on the ground.
    :'o(

    --
    [Fuck Beta]
    o0t!
  4. related articles by Deanalator · · Score: 3, Informative

    I like the related articles at the bottom of the page.

    RELATED ARTICLES

    * Microsoft to axe Windows 2000 security upgrades
    * Microsoft enhances SQL 2005 security
    * Viruses plague half of UK Windows users
    * Linux fights off hackers
    * Busy day for Linux administrators
    * Industry giants offer Linux consumer boost
    * Windows open to critical vulnerabilities

  5. Re:Well..yeah..he would say this by powdered+toast+dude · · Score: 5, Informative
    Don't confuse accountability, responsibility, and liability.

    1. Accountability means you can point your finger at me and I'll say "yep, my bad."
    2. Responsibility means I then have to fix it.
    3. Liability means that you then get to take my wallet.

    $0.02,
    ptd

    --
    I'm an animal lover -- they're delicious!
  6. Re:*COUGH* sendmail *COUGH* by Saeed+al-Sahaf · · Score: 4, Informative
    Well, according to this January 2001 article by Moshe Bar, Sendmail handles around 76% of all Internet e-mail.

    A lot of things have changed since 2001, yes? It's 2005 now, correct? Qmail is in the process of overtaking Sendmail, and for good reason.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  7. Re:You mean... by Catiline · · Score: 3, Informative
    Yes, mostly.

    Set-uid works by changing the user ID of the program to that of its owner; thus a program like passwd (which must have root privileges to write to the password/shadow file) has suid. Scripts which use suid have a few particular security concerns; since they inherit the PATH environment variable (and a few other particulars) from their calling user, you want to ALWAYS use the full path to commands. Thus, your script should look like:

    #!/bin/bash
    /sbin/insmod foobar1
    and:
    #!/bin/bash
    /sbin/rmmod foobar1
    since a user adding a malicious insmod or rmmod to their path could gain privileges. (There are other, more subtle, security issues with suid, but this is the easiest to understand.) Nevertheless, having a suid script is far preferable to idiots logging in as root for ordinary work!
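    The PATH-poisoning risk described above, as an added example that is not the poster's code: a minimal wrapper that resets the environment it inherits, checks its argument against an allowlist, and names commands only by absolute path (Linux ignores the setuid bit on interpreter scripts, so such a wrapper is normally invoked via sudo or a small compiled setuid launcher; the hardening is the same either way). The module names, the allowlist and the "would run" output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not the poster's code): a privileged wrapper that does not
# trust the environment it inherits from the calling user.
# Assumption: the module allowlist below is constructed for this example.

ALLOWED_MODULES="foobar1 foobar2"

# Replace the inherited environment with known-good values: fixed PATH,
# default word splitting, no dynamic-loader overrides, private umask.
harden_env() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    unset IFS LD_PRELOAD LD_LIBRARY_PATH BASH_ENV ENV
    umask 077
}

# Accept only a plain identifier that is also on the allowlist.
valid_module() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    for m in $ALLOWED_MODULES; do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# Print the exact command line the wrapper would execute, using absolute
# paths only, so the decision can be inspected without loading anything.
build_cmd() {   # $1 = load|unload, $2 = module name
    valid_module "$2" || return 1
    case "$1" in
        load)   printf '%s\n' "/sbin/insmod $2" ;;
        unload) printf '%s\n' "/sbin/rmmod $2" ;;
        *)      return 1 ;;
    esac
}

# Entry point, active only when invoked with arguments: wrapper.sh load foobar1
if [ "$#" -eq 2 ]; then
    harden_env
    cmd=$(build_cmd "$1" "$2") || { echo "refused: $1 $2" >&2; exit 2; }
    echo "would run: $cmd"   # a real wrapper would exec $cmd here
fi
```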
  8. Why are people fooled by marketing? MYTH? by J_Omega · · Score: 3, Informative
    From TFA:

    "In Microsoft's world customers are confident that we take responsibility. They know that they will get their upgrades and patches."


    But reading the EULA, MS clearly states that they are not responsible. I expect WindowsUpdate to change my system through patches, but I don't expect upgrades. I'm still running Win2kPro on my tri-boot system (Debian and Gentoo.) I KNOW that I will not get my UPGRADE to XP. I also hated hearing MS discuss XP SP2, and calling it an "upgrade." Also, I am CONFIDENT that MS would not take responsibility for data loss. ~ FUD

    "There's a myth in the market that there are hundreds of thousands of people writing code for the Linux kernel. This is not the case; the number is hundreds, not thousands," he said.


    so it is hundreds of hundreds, then? :p

    "If you look at the number of people who contribute to the kernel tree, you see that a significant amount of the work is just done by a handful.
    "There are very few of the improvements that come through the wider community. There are more skilled developers writing for the Microsoft platform than for open source."


    My guess is that only a "handful" of MS employees work on Windows' micro-kernel as well. Though it might be true that there are more developers writing for the MS platform, this is because it is the world's most widely used OS. He's done a bait-and-switch almost... Discussing the kernel development and relating it to the wide base of application software?

    "The way that 2004 started off there were a lot of myths in the marketplace around the cost and capability of Linux. But now a lot of the ideology has been replaced with commercial reality."


    He uses the word "myth" quite often here. So let us look at a few select definitions of the noun:
    * a traditional story accepted as history; serves to explain the world view of a people
    * A popular belief or story that has become associated with a person, institution, or occurrence, especially one considered to illustrate a cultural ideal

    So a myth doesn't necessarily mean make-believe. We could interpret his quote to have meant this : "The world-view and cultural IDEALS of Linux have made themselves a concrete REALITY over the past year!"

    "[Customers] need a solution that comes with the appropriate levels of support and service. This is where Linux is becoming more challenged as people expect more from Linux."


    Well, uh... DUH! If you expect more out of something, that something will be more challenged to perform. Water is wet. The Pope is Catholic. If I expect my automobile to drive 200 mph, the manufacturer will have a bigger challenge designing it. Go figure.

    "Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft, neither is there a single sign-on system."


    OK, I'll admit, I'm not a software guy. But aren't these unrelated statements? ie, What does a development environment have to do with mission-critical computing??

    /. recently had the story of the Ohio power-plant being crippled because Windows systems were compromised. Did that mission-critical application even DO development?? Plenty of mission-critical situations use Linux that do no development, right? Server uptime, information distribution, stable communications?

    The Linux Desktop (and kernel?) may have certain things missing, that's a given. That doesn't mean that it isn't ready for SOME mission critical computing. I'd be more inclined to use a kernel/OS that allows inspection of its source for any mission-critical apps. Ask NASA why the Mars rovers are using Linux instead of Windows.

    FUD FUD FUD, is all I got out of the article.

    Please explain where I'm incorrect here. I admit that I'm not as knowledgeable on some of these points as many of you, and would prefer to know why/how I might be incorrect.
  9. Mission Critical by sparkz · · Score: 3, Informative
    He goes on to say that 'Linux is not ready for mission-critical computing.

    In general, I agree with him on this (I have not RTFA yet). Nor is Windows, of course, but that's taken for granted. Of course, it depends how critical your mission is. "Mission-Critical" is one of these phrases which is bandied around, but let's consider what it means....

    "The mission depends on this system".

    That still does not define the extent to which the mission depends on it - 80%? 90%? 100%? Nobody offers 100% availability, if that's what you're referring to.
    The phrase also ignores the mission involved. For NASA, the Mission might be to send a man to Mars and back, but what if my "mission" is to run a website which expects to get 3 hits a month with a 60% expectation of success? An Atari could cope with that - my mobile phone could probably cope with that!

    Taking the phrase in the way it's normally meant (running systems which are responsible for a significant amount of the user's business, and the failure of which would cause significant disruption of the business process and/or profit), then the whole discussion still depends entirely on the "mission" involved.
    What tradeoffs is the mission prepared to make for uptime, for example? Serving read-only webpages, I care little for data integrity (I've been serving the same data for years, I've got it on tape, CD, DVD, onsite and offsite), and only care about uptime.
    If I'm running a database which is updated many times a minute, then uptime still matters to me, but I also need to know which transactions have been fully processed, and which have failed (given Failure Scenario N, which may or may not have been predictable). That is much more difficult.

    --
    Author, Shell Scripting : Expert Re