Slashdot Mirror


Microsoft Claims Linux Security a Myth

black hole sun writes "Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.' The gist of his argument appears to be his claim of lack of accountability among distributors, coupled with generic statements short on facts. 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.' He goes on to say that 'Linux is not ready for mission-critical computing. There are fundamental things missing,' pointing out the lack of a development environment and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program." I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.

139 of 901 comments

  1. *COUGH* sendmail *COUGH* by Staos · · Score: 4, Insightful
    --
    In Soviet russia, only old Koreans profit from pictures of Natalie Portman stored on Beowulf Clusters.
    1. Re:*COUGH* sendmail *COUGH* by Afrosheen · · Score: 2

      The only question is, who is still using sendmail? Major distros have moved on to postfix and qmail is always an option.

    2. Re:*COUGH* sendmail *COUGH* by Saeed+al-Sahaf · · Score: 4, Informative
      Well, according to this January 2001 article by Moshe Bar, Sendmail handles around 76% of all Internet e-mail.

      A lot of things have changed since 2001, yes? It's 2005 now, correct? Qmail is in the process of overtaking Sendmail, and for good reason.

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    3. Re:*COUGH* sendmail *COUGH* by Anonymous Coward · · Score: 5, Insightful

      even if it didn't do the same search replacing sendmail with the following and compare the counts:

      sendmail counts: 54,800

      windows counts: 193,000

      now we know that windows hasn't been around nearly as long as sendmail, and yet it has nearly FOUR times the buffer overflow matches.

      now let's do -

      Internet Explorer: 349,000

      Outlook Express: 57,700

      Outlook Express has been in use for under 8 years and has 300 more matches for buffer overflow than sendmail.

      according to your logic for deducing how secure something is, I'd still pick sendmail over anything microsoft makes.

    4. Re:*COUGH* sendmail *COUGH* by einhverfr · · Score: 4, Insightful

      A lot of things have changed since 2001, yes? It's 2005 now, correct? Qmail is in the process of overtaking Sendmail, and for good reason.

      Sendmail is still the standard-bearing monster that everyone loves to hate. Mostly, I think because of the fact that everyone *knows* it. Even two years ago, it was still required on many Linux job apps.

      Secondly, never underestimate the number of legacy systems out there. I have sendmail running on at least two of my legacy systems. Of course they only function as an MTA and don't actually listen on any exposed address.... Of course qmail is on my production systems.

      Here is the issue. Open source or proprietary software re: security? Security is a matter of design rather than something revealed by a simple litmus test. Open source and proprietary software can be secure or insecure. But the way we find this is by discussing the structure of the program and determining whether it is resistant to attack and fails gracefully without exposing the rest of the system. This is easier with open source software.

      Oh, and anyone who trusts whatever Microsoft has to say re: security is going to get what is coming to them.

      --

      LedgerSMB: Open source Accounting/ERP
    5. Re:*COUGH* sendmail *COUGH* by Doctor+Crumb · · Score: 3, Insightful

      There's also exim. I'm amazed that anyone would bring up sendmail considering the shitheap that is Exchange. Which, incidentally, there are no alternatives for. And microsoft is somehow trying to pass that off as a feature, now. "but linux has so many *choices*! It can't be ready for the enterprise!"

    6. Re:*COUGH* sendmail *COUGH* by slavemowgli · · Score: 4, Insightful

      Yes, one. What does sendmail have to do with linux?

      --
      quidquid latine dictum sit altum videtur.
    7. Re:*COUGH* sendmail *COUGH* by Saeed+al-Sahaf · · Score: 2, Interesting
      Here is the issue. Open source or proprietary software re: security? Security is a matter of design rather than something revealed by a simple litmus test. Open source and proprietary software can be secure or insecure. But the way we find this is by discussing the structure of the program and determining whether it is resistant to attack and fails gracefully without exposing the rest of the system. This is easier with open source software. (emphasis mine)

      And this is what I find puzzling about Microsoft. There can be no question that they have just an enormous number of extremely competent, indeed smart, people working for them (yes, they do). They seem to have the kind of non-cube farm work environment that smart people want to work in. So with these simply huge numbers of people working for the Redmond Borg, why can they not have this "discussing the structure of the program and determining whether it is resistant to attack and fails gracefully without exposing the rest of the system"?

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    8. Re:*COUGH* sendmail *COUGH* by racermd · · Score: 3, Interesting

      You're getting tons of replies already, but I'll fill in on another corner of the discussion that hasn't yet been revealed.

      It's entirely possible that middle-management at MS doesn't have (or doesn't want) the type of directional control they need to get their workers to produce something that is "good".

      The Upper Management/Directors/Execs/Chiefs have clearly shown themselves to be the puppeteers of the great MS show. We get laughable quotes like this new one every few weeks from these characters (literally and figuratively). And it's humorous in an, "I can't believe that you believe that" kind of way while being truly pathetic.

      It's a pretty common theme among large companies, however. The people that steer the metaphorical ship don't have any real idea of what goes on at the lower levels of their organization. Nor would they want to. If we run with this metaphor, they don't really want to know how the engine produces power or the detailed physics behind why a rudder turned 15 degrees one way turns the ship at a certain rate. It doesn't help that they're typically shielded/buffered from reality by some butt-kissers looking to get a bigger slice of the pie.

      Everyone from the bottom up to middle management (workers, their managers, and the managers' bosses) is where the real work is done at most companies. The directional control is usually handed down from on high by the execs, and it's up to the workers to make it happen. The ones at the lower levels are the ones with the greatest sense of reality, and can head off problems before they're really problems. It's only when the executives start meddling around the real work that things start becoming ugly.

      This exact scenario is the case where I work right now. We're not an IT company, specifically, but we do rely heavily on IT to get our work done. As an IT worker, I'm forced to see the inefficiency, bureaucracy, and sheer stupidity of doing things as we currently are. This is a result of decisions from 3 levels higher in the corporate food-chain than the real worker. At some point in the past, the company needed a direction regarding a rather large software project. What we got was a level of detail that should have been left up to the workers. It wasn't as much WHAT to do that got us in this mess as the HOW that was mandated. As a result, things got much worse...

      We now have many non-technical managers leading teams of VERY technical people. Decisions that determine IT's direction within the company are now made by people that have no place in IT at all, much less managing IT staff and making decisions about technology.

      Things are starting to change here as the clued-in technical managers and staff realize what happened, so there is hope. But I suspect MS is caught up in the same type of situation where specifics are being decided by people that have no expertise on the matter. It would certainly explain things, anyway.

      --
      My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant
    9. Re:*COUGH* sendmail *COUGH* by dougmc · · Score: 3, Interesting
      The only question is, who is still using sendmail? Major distros have moved on to postfix and qmail is always an option.
      I imagine that at least two `major distros' have moved on to Postfix, and so your statement would be correct, but certainly, not all have. I doubt even most.

      Red Hat and now Fedora Core, for example, still ship with sendmail. I don't recall if FC3 had other mailer daemons as an option or not but sendmail was the default mailer.

      Also, *nix does not only mean Linux. As far as I know, most other *nixes still come with sendmail rather than something else. Sure, you can replace them with postfix or qmail or whatever you want, but by default, it's sendmail. (Have qmail or postfix been ported to Windows yet? Wouldn't surprise me ...)

      As far as I know, sendmail is still the most popular mail daemon out there, even more popular than Exchange.

      As for `twenty years of buffer overflows', sendmail has a tricky job to do. It's a complicated program, extremely customizable, and a network daemon to boot. And twenty two years old! (That alone says something.)

      Certain aspects of its architecture (especially its monolithicity) suggested that a rewrite may provide a more secure and faster product, and out of this came smail, qmail, postfix, exim and others. But sendmail is still the standard, and it's still under development. It's been quite some time since I've heard of a buffer overflow for sendmail ... (lat se

    10. Re:*COUGH* sendmail *COUGH* by Long-EZ · · Score: 2, Interesting
      A colleague of mine has a small business and is using an Exchange server. I've been trying to talk him into Linux, but he's pretty deep in the belly of the beast. For years he had been telling me that Linux may be theoretically better, but the de facto standard of Microsoft products made up for their insecurity, instability, etc. One example was that someone could email him a DOC file and he could double click it to launch Word. I told him that Linux had matured, and I could double click DOC files in Mozilla to launch OpenOffice. He fell back to the position that OpenOffice isn't 100% compatible. I responded that the formatting in OpenOffice is good, but not quite pixel by pixel compatible, and the biggest incompatibility was the wise choice not to allow macros to send email and other unauthorized execution in OpenOffice, which causes a lot of security problems in Word.

      A bit over a year ago, he told me he was mad because, heh heh, he now had to save a DOC file from his email, run Word, and open the DOC file manually. I asked why. He said the latest version of Exchange prevented him from executing DOC files from within Outlook because it was too much of a security risk. I suggested that it was probably just a change in the default settings, and given his paranoid email scanning for malware, he could probably re-enable DOC file launches in Outlook. He said he spent almost a day trying and managed to eventually learn that there was no Exchange option that allowed Word execution from double clicking a DOC file in Outlook. This didn't sound right, but he's fairly technical, and he insisted it was an Exchange security issue. If so, it sure sounds like a stupid security decision was made a long time ago when Microsoft decided they wanted code to automatically execute, ostensibly for user convenience, and that ultimately led to a lot less security and a lot less convenience.

      I had to laugh. His company shells out a lot for MS licenses every year, plus a lot more money and aggravation for antivirus and anti-spyware software, and he still can't double click a DOC file to view it and my company can using Linux.

      MS wins on usability? I'm not seeing it.

      And you only need to read the weekly news releases of major Microsoft security problems, as well as the thriving market for Windows antivirus software, to know that Windows isn't winning on security.

      The fact is, the tide has turned, and Windows is now on its way out. It's still early, but I don't see any possible reversal in the process. It's too much to expect them to go quietly, so we have all this whining and FUD. Good riddance. It can't happen fast enough for me. I'm tired of people I know getting me to support their Windows PCs. I'm very close to offering support only for Linux. My last freebie service call was to resolve an issue with Windows registration preventing operation of a legitimate system. I won't miss that. And I won't miss all the spam from the zombied Windows machines (currently about 80% of all US spam).

      If you're on the fence, and looking for a good desktop Linux alternative to Windows, check out Xandros 3.0. It's easy to use and very powerful. It does Windows networking so well that Windows machines can't tell the difference. It has remote administration so you can lock down corporate PCs and remotely push updates any time you like. It has lots of nice convenience features like drag and drop CD and DVD burning. It's very stable. Other than the lack of virus issues, most corporate users probably wouldn't know it isn't XP. It's worth evaluating if you're looking for an alternative. I've been using Xandros for over two years and it's very good and just keeps getting better.

      --
      >> My ultraviolent Linux switch video.
  2. Indeed by SilverspurG · · Score: 5, Insightful
    "Who is accountable for the security of the Linux kernel?"
    Tell me. Of the 60,000 some (give or take whatever) viruses, worms, and trojans available for Windows, how many of them even needed kernel level access? I suppose he can simply blame that on others.

    There are bits of the Linux software stack that are missing
    Care to elaborate? Just what part of the software stack is missing?
    --
    fast as fast can be. you'll never catch me.
    1. Re:Indeed by Anonymous Coward · · Score: 4, Funny

      Care to elaborate? Just what part of the software stack is missing?

      The bit that lets Firefox add new suid root system calls to Linux via .xpi files disguised as links to FREE BOOBIES.

    2. Re:Indeed by newr00tic · · Score: 2, Funny

      [JOKE]

      Oh, there's already a Bootable CD-Distro that does that, it's called BOOBIX. It has a special build of Wine, just for these purposes..

      [/JOKE]

      --
      A horse can't be sick, you know, even if he wants to.
    3. Re:Indeed by had3l · · Score: 5, Funny
      "Care to elaborate? Just what part of the software stack is missing?"
      They don't know, it's missing.
    4. Re:Indeed by AKnightCowboy · · Score: 4, Funny
      Care to elaborate? Just what part of the software stack is missing?

      The entire .NET Framework is missing from the Linux kernel!!! My Visual Basic kernel modules won't even compile under Linux.

    5. Re:Indeed by Anonymous Coward · · Score: 5, Insightful

      Trying to use logic and reasoning in the face of this style of MS FUD is just going to make for a long winded argument.

      Here, MS is starting out with claims that don't have a thing to do with reality. They're stating nothing more than equivalents to 'what if's. Making a reasonable sounding argument that in the absence of proof sounds like it could have some backing behind it.

      When MS says "The biggest challenge we need to face centres on the myth and reality. There are lots of myths out there as to what Linux can do. One myth we see is that Linux is more secure than Windows." it's just an outright lie. It sounds like he's taking the position of a firm stand against a very real problem. "the open source development process creates fundamental security problems." furthers it, by attempting to put an explanation on just what's wrong with Linux.

      It's theorising, and it's the kind of logic a bunch of guys down the pub will bullshit on about for hours, talking about cars or government or whatever, things they really don't know about, but can sound knowledgeable about.

      Sounding knowledgeable doesn't stand up to Reality though.

      Microsoft's comments about Linux security in the face of the passing of their least secure year is the equivalent of them arguing that drink driving is actually safer, by stating "Alcohol slows you down. It would make you drive slower, therefore be safer. You'd be less likely to do anything silly cos you'd be trying to concentrate harder on driving well". On the surface to someone who knows no difference, it sounds like an argument that has merit.

      But again, The Real World jumps up and gets in the road, and that's where real security issues for MS exist, and not in their false construct of marketingspeak.

    6. Re:Indeed by tdemark · · Score: 4, Insightful

      'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.'

      Who is accountable for the safety of drinking water? Does Evian, for example, take responsibility? It cannot, as it does not produce water. It packages one distribution of water.

    7. Re:Indeed by prandal · · Score: 4, Insightful

      Care to elaborate? Just what part of the software stack is missing?

      DRM.

    8. Re:Indeed by Anonymous Coward · · Score: 5, Insightful

      Read the EULA for Windows.

      Microsoft isn't responsible for the security of windows either!

    9. Re:Indeed by timeOday · · Score: 5, Insightful
      Accountability is a complete red herring in the first place. Microsoft explicitly disclaims any liability for whatever may go wrong with Windows. Just like everybody else - but then MS has the gall to slam others for lack of accountability!?

      They can make accountability an issue right after they start taking the blame for virii and worms, and reimburse business for all the expense and inconvenience Windows holes cause.

    10. Re:Indeed by BuilderBob · · Score: 3, Funny

      Care to elaborate? Just what part of the software stack is missing?

      The bit that lets Firefox add new suid root system calls to Linux via .xpi files disguised as links to FREE BOOBIES.

      Your link to FREE BOOBIES doesn't work. Could you post again using the HTML tags?

    11. Re:Indeed by johannesg · · Score: 2, Interesting
      Here you go!

      Gee, kids these days...

    12. Re:Indeed by Frankie70 · · Score: 2, Funny

      Care to elaborate? Just what part of the software stack is missing? The part, which makes Joe Sixpack want to buy it pre-installed from his local Best Buy.

    13. Re:Indeed by advocate_one · · Score: 2, Funny
      There are bits of the Linux software stack that are missing

      Care to elaborate? Just what part of the software stack is missing?

      Anti-virus scanners and spyware removal tools... ;)

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    14. Re:Indeed by Jesus_666 · · Score: 5, Funny

      That's why water is not ready for mission-critical drinking, as its development model is fundamentally flawed and it's lacking a single 'drink-on system'. Because of that Microsoft has been forcing its employees to only drink Jack Daniel's Tennessee Whiskey since 1984.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    15. Re:Indeed by iminplaya · · Score: 2, Funny

      Just what part of the software stack is missing?

      The part with the SCO code.

      --
      What?
    16. Re:Indeed by spectecjr · · Score: 2

      Who is accountable for the safety of drinking water? Does Evian, for example, take responsibility? It cannot, as it does not produce water. It packages one distribution of water.

      Yes, Evian does take responsibility. As the producer of the food product - namely, bottled water - it is held responsible for its quality and safety to the consumer by the Food and Drug Administration.

      But hey - way to go trying to make a lame analogy. And by the way, raising your hands and saying "who knows who is responsible" and passing the buck really isn't a good long term strategy.

      --
      Coming soon - pyrogyra
    17. Re:Indeed by cowbutt · · Score: 2, Insightful
      I think you'll find that's exactly the point the OP (tdemark) was making.

      Red Hat takes responsibility for their distro in the same way Evian takes responsibility for the safety of the water they sell. But neither takes responsibility for all instances of the raw materials they package and sell.

    18. Re:Indeed by theCoder · · Score: 4, Insightful

      Actually, it was a great analogy. Just as Evian doesn't take responsibility for drinking water as a whole, but just its bottled water product, Red Hat doesn't take responsibility for the Linux kernel downloaded from kernel.org or other places, but does for its particular version of the kernel (and the other software it includes).

      At least as much as Microsoft does for Windows, anyway.

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
    19. Re:Indeed by hunterx11 · · Score: 4, Interesting

      Actually, this is an excellent analogy, just not in the way the grandparent intended. As a producer of bottled water, Evian is held to lower standards than communities are for providing tap water. Tap water may not be free, but it's sure cheaper than bottled water, and the bottled water companies exist only because they convince people that their product is better, when in many cases it is objectively not.

      --
      English is easier said than done.
    20. Re:Indeed by John+Allsup · · Score: 2, Insightful

      Red Hat are responsible for the Linux kernels that they distribute and no others. The Microsoft person argues that since there is no one body that takes responsibility for all Linux kernels, then there is nobody that takes responsibility for Linux and thus Linux itself is unreliable. This is a strawman argument: the supplier of your Linux distro takes responsibility and you should use a distro from a supplier that you trust. The supplier will take responsibility for this distro that you buy from them, but obviously not for any other distro that you may obtain by other means. Microsoft tries to assert that no such suppliers exist.

      Also, only Microsoft takes responsibility for security on Windows, and clearly they shirk those responsibilities and are untrustworthy when it comes to security. Thus nobody worth trusting takes responsibility for windows.

      --
      John_Chalisque
    21. Re:Indeed by brianosaurus · · Score: 5, Insightful

      Even more basic,

      accountability != security

      When one of those 60,000 viruses, etc, attacks your Windows box, you know exactly who is accountable for the security hole: Microsoft.

      But what good has that done any of us? I still see the worms trying to infect my system daily (fortunately I run Apache on FreeBSD, not IIS on Windows). When I visit my relatives with Windows boxes, I have to clean up hundreds of pieces of spyware and adware. Knowing who to point your finger at doesn't stop the thousands (or whatever) of compromised machines from constantly spamming us.

      Not to mention M$'s latest announcements limiting security updates to only non-pirated copies. That's a tough call. On the one hand, the pirates get what they deserve; they didn't buy the product, so they are not entitled to support. That's fine.

      The problem is that it's not just the pirates who are penalized. Having thousands of unpatched Windows machines is bad for everyone. The worms and viruses don't care if it's a legal copy or not. They'll infect and add the pirate machines into the spam-cluster. Who is accountable for those, now that MS has washed that one off their hands? I still say Microsoft.

      --
      blog
    22. Re:Indeed by Master+of+Transhuman · · Score: 4, Insightful


      This reminds me of the guy in the Bush administration that said something to the effect that "reality-based people" don't have any effect in the "real" world - just all those "faith-based people" in the administration.

      Which is actually true. Even Seymour Hersh said it on the Daily Show interview I just watched a few minutes ago - that regardless of what he writes, or the NYT writes or anybody else - the administration is going to do whatever they want - including invading Iran and getting hundreds of thousands more people killed.

      And that's true about Microsoft and anything Microsoft says - it's all going to be total bullshit and deliberate lies and that's the caliber of the people working there - but they're going to do it anyway.

      Time to ignore them and just get on with it. As Abbie Hoffman once said, "Do Your Own Thing and Only Your Own Thing".

      Or as William Burroughs said, "Never let the critic teach you the cloth" (as they say in bullfighting).

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    23. Re:Indeed by Jesus_666 · · Score: 2, Funny

      This is a strawman argument: the supplier of your Linux distro takes responsibility and you should use a distro from a supplier that you trust.

      Yeah, but what about LFS? Think of all those businesses wanting to use LFS for their Linux desktops!

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    24. Re:Indeed by Fembot · · Score: 2, Insightful

      I guess their idea of accountable is "who ignores emails about bugs you send them for months upon end?" in which case I can do a pretty good job filling that role for any software projects that need it :-)

    25. Re:Indeed by Evil+Pete · · Score: 3, Funny

      That's why water is not ready for mission-critical drinking

      Hence the need for Microsoft's new .WET architecture to solve these problems.

      forcing it's employees to only drink Jack Daniel's Tennessee Whiskey since 1984

      Truly, this explains so much.

      --
      Bitter and proud of it.
  3. Oh yeah? by nocotigo · · Score: 2, Funny

    Just wait until they roll out WinX, or is it Winux...

  4. Not A Myth, Just Not Inherent by the_mad_poster · · Score: 5, Insightful

    Fact: Much of what winders suffers from is incompetent users. Nothing is really stopping the developers from writing spam bots for windows because idiot users on Linux could run bad code just as easily as idiot users on windows.

    OTOH, you don't have such dumbass tricks as tying your browser right to the OS or ActiveX, so you make spyware and whatnot less of a factor.

    On yet another hand, however, you have the problem of moron users running sendmail daemons that listen for connections from the Internet and other stupid things. Plus, Linux has security holes. If stupid people don't patch them just like they don't patch winders, what good is the security?

    Again: You can protect the stupid people from the world if you want, but you can't protect them from themselves.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    1. Re:Not A Myth, Just Not Inherent by ggvaidya · · Score: 5, Insightful

      IMHO, the biggest problem is that Windows has remained relatively unchanged since Win95. Win95 was a single-user application, only just beginning to explore the Internet. The biggest risk your computer could face - viruses - could be handled by being very careful about which floppy disks you used. People who used BBSes were competent enough to use antiviral programs.

      With the coming of the Internet, all that changed. Windows needs to be secure enough to prevent web-based attacks, such as through badly created web application frameworks like ActiveX, as well as prevent attacks on vulnerabilities in the networking function of the OS. Stuff like using a restricted user mode, frequent updates, using a secure browser, etc. are necessary to stop such attacks.

      A Windows computer is probably as secure as a Linux machine if adequate measures are taken: antivirus programs, firewalls (generally included in the former), secure passwords, not running as Admin and most importantly, frequent updates.

      All this is new stuff that people have to learn. At least if you use Linux, somewhere down the line you *have* to learn the basics of stuff like this (I've found "rm -rf" is the best tool for teaching people to NEVER run as root!). With Windows, you can remain painfully oblivious to the most basic security techniques because the OS will *let* you - and your computer becomes the next hub for Joe Spamboss.

      Hopefully, SP2 will improve things - I've found the firewall a real PITA, particularly on university-administered computers, but at least it makes people a little more aware and careful.

      I don't think branding everybody as "stupid" is the way to go about it. They're not stupid, they're just not aware. And I blame Microsoft as their enabler, at least for these last few years.

    2. Re:Not A Myth, Just Not Inherent by Cthefuture · · Score: 2, Insightful

      Again: You can protect the stupid people from the world if you want, but you can't protect them from themselves.

      Pffft, right. I'm as geeky as they come but I want my system to be secure without me having to think about it. I got code running through my head all day long, the last thing I need to think about is whether or not my system is secure. I do want my system to be secure and protect me though. The OS needs to do that for me because I don't want to care about that stuff.

      --
      The ratio of people to cake is too big
    3. Re:Not A Myth, Just Not Inherent by Coryoth · · Score: 3, Informative

      Fact: Much of what winders suffers from is incompetent users. Nothing is really stopping the developers from writing spam bots for windows because idiot users on Linux could run bad code just as easily as idiot users on windows.

      For now, yes, but as SELinux, or RSBAC, or any of the Mandatory Access Control, role based systems gain popularity in mainstream Linux (and SELinux, for now, seems to be the best candidate on the popularity front), the ability for idiot users to run bad code goes down massively.

      Yes, in theory an idiot user could run bad code, but under a well implemented SELinux policy, while the code may run, it wouldn't actually have rights to do much of anything. At worst it might be able to fill up the home partition with useless data, or something along those lines, but spam bots and zombies and mass mailing viruses would be a far more difficult task to write indeed. A sufficiently smart idiot could grant the process the rights to do what it wants, but really...

      Yes, such a system is not a cure all. People can still do bad things to themselves, and no matter how well you build it, there's always an idiot who can break it. It does, however, significantly raise the security bar on what it is easy to trick a user into doing.

      Jedidiah

    4. Re:Not A Myth, Just Not Inherent by nlinecomputers · · Score: 2, Interesting
      You can protect the stupid people from the world if you want, but you can't protect them from themselves.


      Rather the reverse I would say. You can't protect stupid people from the world. Too many of them to protect. One can only protect oneself from the stupid people. Which is why I install firewalls, AV programs and update patches. Depending on Microsoft to do it for you is just asking for someone to exploit you.
      --
      Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
    5. Re:Not A Myth, Just Not Inherent by Anonymous Coward · · Score: 3, Insightful

      Fact: Much of what winders suffers from is incompetent users.

      NO! This is fiction. Let's look at the history:
      1. Blaster - all you have to do is hook up an unfirewalled system to the Internet and you got it. Up until recently, all Windows systems were unprotected until patches were downloaded from the 'net which required... you guessed it! connection to the Internet.
      2. SQLslammer - all you have to do is have SQLserver running on your machine and connected unfirewalled to the Internet. The biggest problem is that many people who didn't use SQLserver thought they were safe. Wrong! By default, Microsoft installed and started SQLserver whether it was needed or not by the end user. I saw many SBS users compromised by this who were mystified - "But we don't even use SQLserver! How did we get infected?"
      3. Outlook viruses - many of them did not require you to even read the damned e-mail with a virus; just preview it!
      4. Vulnerabilities in viewer - all you had to do was browse to a web-site and view a specially malformed picture and you get infected.
      5. Vulnerabilities in IE - many of the vulnerabilities in IE do not require any user action. Just browse to a specially crafted web-site and you get infected automatically!

      Now, I expect lots of flaming on this; use a firewall, don't enable ActiveX, etc, etc. But, damnit, this lead was about responsibility! And the fact is, that until recently, Windows shipped with all the holes needed to infect a machine automatically enabled/open/vulnerable. No one seems to think that Microsoft is responsible for this. No, instead, it is all the stupid user's fault for taking a system that Microsoft bills as "Internet ready" and connecting it to the Internet! As the above examples illustrate, it doesn't take any user action to corrupt a Windows machine; just one that trusts Microsoft!

    6. Re:Not A Myth, Just Not Inherent by StormReaver · · Score: 2, Insightful

      "Much of what winders suffers from is incompetent users."

      That's only partly true. The vast majority of the problem with Windows is that it demands that its users do stupid things, and frequently does stupid things automatically on the user's behalf -- usually without giving any indication that it's doing those stupid things.

      Writing malware for Linux is no different from writing malware for Windows, except for one crucial detail: Windows will automatically install and run the malware, while Linux requires its users to go through multiple manual steps to run malware and will still protect users from a system meltdown even when that malware is finally installed and run (provided the user isn't running as root, but running non-root is the default Linux behavior).

      Linux requires users, even the incompetent users, to explicitly authorize software to run. Windows just assumes it has that authorization, even when its so-called protections are supposed to prevent that.

      Linux is great protection for the incompetent users, because those users are probably not bright enough to allow malware to be installed even if the malware presents step-by-step instructions.

  5. What that guy is smoking? by KiloByte · · Score: 3, Funny

    This is the classic case of a kettle calling the refrigerator black.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  6. He has a point, you know by Anonymous Coward · · Score: 3, Interesting

    If he was wrong, why would Red Hat et al sell service contracts and make money off of them? They accept that money in return for accountability, responsibility, and SLAs - all of which a major corporation will demand and which are not present in the pure open source model.

    So, he's right, but he's also wrong in that Red Hat is not responsible for Linux kernel security, but they are responsible for getting patches out for issues discovered.

  7. In other news... by k4_pacific · · Score: 4, Funny

    In other news, a representative from Yugo blasted BMW for not putting rear window heaters on their cars. "If you have to push it in the winter, your hands will get cold. What a crappy car."

    --
    Unknown host pong.
    1. Re:In other news... by TubeSteak · · Score: 4, Informative
      Need I remind everyone that Microsoft turned to Akamai's Linux servers when they got hammered?

      It's as if some hotshot in his BMW 745i got a Yugo to tow him because some snow was on the ground.
      :'o(

      --
      [Fuck Beta]
      o0t!
  8. Linux Security vs Microsoft AntiSecurity by michelcultivo · · Score: 5, Interesting

    From Bruce Schneier: "Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that an unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) has an online mean life expectancy of 3 months before being successfully compromised." I think the term is not "more secure" but "less vulnerable".

    1. Re:Linux Security vs Microsoft AntiSecurity by Omnifarious · · Score: 3, Insightful

      *nod* Judging from the number of ssh attempted login scans, there are a fair number of compromised Linux boxes out there. :-(

      I'm starting to get really annoyed with Open Source people patting themselves on the back over security when stuff like that last thing where the people tried to get someone responsible for Linux kernel development to accept a security related patch, and ended up having to get an article on Slashdot before it happened.

      Security doesn't just magically happen. The Open Source development model is the only way to go if you want real security, but it actually requires effort on the part of maintainers to make it happen.

    2. Re: Linux Security vs Microsoft AntiSecurity by Black+Parrot · · Score: 3, Insightful


      > I'm starting to get really annoyed with Open Source people patting themselves on the back over security when stuff like that last thing where the people tried to get someone responsible for Linux kernel development to accept a security related patch, and ended up having to get an article on Slashdot before it happened.

      Hey - maybe if Slashdot carried an article about Windows security problems now and then, they would get fixed too!

      --
      Sheesh, evil *and* a jerk. -- Jade
    3. Re:Linux Security vs Microsoft AntiSecurity by AdrianG · · Score: 4, Interesting

      There's another important point that I haven't seen anyone mention: There's an important difference between exploitable design flaws and exploitable implementation flaws. When implementation flaws are exploited, those flaws can usually be fixed without removing essential functionality upon which legitimate users may have come to depend. When design flaws are exploited, the design must be changed to correct those flaws, and to do this, it is often necessary to frustrate the legitimate expectations of real customers.

      I've seen a number of people repeat the naive argument that when there are more Linux users, we will have the same problems with viruses that Windows users have. This argument only makes sense if we ignore MicroSoft's irresponsibility in the design of their software. MicroSoft has knowingly and repeatedly committed to designs that are fundamentally flawed. These design flaws include things like adding powerful, general purpose programming languages and macro languages for applications like word processors, and then adding automatic processing of these files in Mail User Agents. Keep in mind that during the '80s, MicroSoft, along with the rest of the computer industry, faced repeated hoaxes of email viruses, and had to offer again and again to customers the explanation that email could not carry viruses because it did not carry executable content. When MicroSoft made the decision to add automatic handling of executable content to their email systems, they could not have been ignorant of the fact that easy proliferation of viruses would be a consequence of their decision.

      MicroSoft has generally been reluctant to fix the design flaws in their software, because they are committed to some level of backward compatibility. Of course, responsible designs, up front, might have made this commitment less problematic. The result has been a flourishing industry for anti-virus software. We now go to third party vendors to make up for the poor quality of MicroSoft software and for their unwillingness to take responsibility for their own mistakes.

      My experience with widely used Linux software is that the stuff that becomes popular is usually designed much more thoughtfully than is typical of MicroSoft's products. Serious security design flaws are denounced quickly, and perhaps more rudely than is really required. While the vetting process for Linux based software is far from perfect, it has clearly been much more successful than MicroSoft's persistent irresponsibility. I regularly follow email lists about security flaws in Unix/Linux systems, and the vast majority of those flaws are implementation flaws rather than design flaws. The flaws for Linux in particular are quickly addressed, and patches are released. While I'm aware of virus scanners that run on Unix and Linux systems, to me they seem focussed on scanning email and files for Windows viruses. They are Unix and Linux based because Unix/Linux machines are often file servers and email gateways for Windows systems, and not because there is any problem with viruses that attack Unix/Linux systems.

      Finally, Linux developers have not been required to cover for their perjury in the courts and have not been nearly so tempted to violate that maxim of software development that every Computer Science student learns in school: Software should be modular. It should be divided into separate modules, where each module does its job. The interfaces between modules should be clean and simple. Applications should not ever be integrated into the core of the operating system. A consequence of rational design in the Unix/Linux world is that software upgrades are far less problematic. I routinely tell my Linux systems to go grab all the relevant updates at SuSE's web site and apply them automatically, and while I have faced occasional, minor problems, I have never once had a serious problem with any such update. Every Windows administrator knows that each new update carries with it a substantial risk of rendering his systems inoperab

  9. Well..yeah..he would say this by grasshoppa · · Score: 5, Insightful

    You see, it's called marketing. He is saying exactly what big wig CIO/CEO/C[A-Z]{2} understand and like to hear. Accountability. That's a big thing to most corporations.

    Now, him saying that Redhat can't improve the kernel is simple BS, and could either be a fundamental lack of understanding on his part, or just a flat out lie. Given his position, I'm guessing it's a lie. Redhat (as have most distributors) patches the kernel with its own magic, and will often update it on its own.

    Cliff notes: MS marketing with head in sand. News at 11.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Well..yeah..he would say this by Jeff+DeMaagd · · Score: 2, Insightful

      My biggest objection is whether Microsoft takes accountability for their own products? They should shut up, because they aren't ready for the enterprise.

    2. Re:Well..yeah..he would say this by daviddennis · · Score: 5, Insightful

      How is Microsoft accountable when their own license agreements say clearly that they are not liable for any consequences resulting from use of their systems?

      If they were genuinely accountable, they'd be bankrupt.

      I have to say, this is a pet peeve of mine - pretending to take responsibility when there is, in fact, no responsibility taken is just plain wrong.

      D

    3. Re:Well..yeah..he would say this by powdered+toast+dude · · Score: 5, Informative
      Don't confuse accountability, responsibility, and liability.

      1. Accountability means you can point your finger at me and I'll say "yep, my bad."
      2. Responsibility means I then have to fix it.
      3. Liability means that you then get to take my wallet.

      $0.02,
      ptd

      --
      I'm an animal lover -- they're delicious!
    4. Re:Well..yeah..he would say this by Srin+Tuar · · Score: 2, Insightful


      1. Accountability means you can point your finger at me and I'll say "yep, my bad."


      With Free software you can actually find out which individual programmer created the security problem in question. (He doesn't have to admit or deny it, because it's all a matter of public record)

      With Microsoft you have a big faceless corporation.

      Tell me again, even by your stretched definition, how can anyone think Microsoft has better "Accountability" ?

  10. Excellent marketing by vijayiyer · · Score: 5, Interesting

    This is another example of Microsoft's marketing prowess. They know that IT managers want to hear about vendor accountability, single source solutions, etc. Those who still are using only Windows are probably not technically competent enough to see through the FUD. The truth is irrelevant here.

    1. Re:Excellent marketing by meisenst · · Score: 2, Insightful

      Any IT manager worth their salt will look past this FUD and look towards things like... this, where Microsoft's single sign-on program fails them utterly. Oh, wait, isn't that one of the key points this guy tried to make, even though Passport has basically begun to circle the drain?

      --
      Green's Law of Debate: Anything is possible if you don't know what you're talking about.
  11. Ho-hum by twilight30 · · Score: 5, Insightful

    Move along, people. Nothing to see here. There's no point in getting pissed off about this; Microsoft shills are liars and exaggerators.

    I will never forget -- seeing as how it happened only on 19 December just gone -- about my broadband installation. Not wanting to rock the boat nor confuse the cable installer guy, I rebooted into XP just prior to his arrival. He hooked my old beater celery up with DHCP and I surfed for about ten minutes. I thanked him and he left.

    So I figured I'd do the decent thing and do the security updates. ...

    Eight hours later, I cleaned off the last of the spyware, adware, malware horseshit.

    To Nick McGrath: Fuck off and die, you wanker. How much you want to bet your router at home runs a Linux variant for firewalling purposes?

    --
    ========================================
    Death will come, and will have your eyes
    -- Pavese
    1. Re:Ho-hum by steve_stern · · Score: 2, Insightful
      So I figured I'd do the decent thing and do the security updates. ... Eight hours later, I cleaned off the last of the spyware, adware, malware horseshit.

      And if you didn't boot into Linux for many months resulting in lots of unpatched security holes, and there were a ton of people trying to attack Linux boxes because Linux controlled 95% of the market, you'd have the same experience there.

      What's your point?

      A security hole is a security hole is a security hole. Windows and Linux both have them. The fact that more people target Windows does not make it less secure.

  12. Red hat does take responsibility though by m50d · · Score: 5, Informative

    They take responsibility for their distribution. They will patch their kernel if anything seems wrong with it. From time to time they pay for an audit. Similarly the debian people vouch for their kernel, and so on. The vanilla kernel.org kernel is only accountable to the kernel.org people, true, but most "enterprise" distribution makers will stand up for every package they distribute.

    --
    I am trolling
  13. Who is accountable for Windows? by nharmon · · Score: 5, Insightful
    From Windows XP's EULA:

    LIMITATION ON REMEDIES; NO CONSEQUENTIAL OR OTHER DAMAGES. Your exclusive remedy for any breach of this Limited Warranty is as set forth below. Except for any refund elected by Microsoft, YOU ARE NOT ENTITLED TO ANY DAMAGES, INCLUDING BUT NOT LIMITED TO CONSEQUENTIAL DAMAGES, if the Product does not meet Microsoft's Limited Warranty,

    So, are we to believe that if Windows crashes my data, that I can hold Microsoft accountable?

    At least with Linux I have access to the source code, and can hire programmers to scratch my itches for me. Somehow, I don't think Microsoft would give out source code if they went under.
    1. Re:Who is accountable for Windows? by ggvaidya · · Score: 2, Insightful

      Everybody does that: even Red Hat (see point 7). IANAL, but basically what this means is that if Windows (or Red Hat) screws up your comp, you can't hold Microsoft or Red Hat accountable. Why? Because as any geek knows, there's about a thousand things which can cause a computer screw-up, from script kiddies to accidentally hitting the 'del' button, and they don't think they should be responsible, which is a perfectly reasonable position to take IMHO.

      What the guy is saying is that if Windows turns out to have a problem, you can rely on Microsoft to provide updates. You *can't* legally rely on Linus Torvalds or any of the other developers to provide a solution to the problem. However, if you have an agreement with Red Hat, you can rely on them in the same way, AFAIK.

      Shit, that's a lot of acronyms for one post :|.

  14. Not a technical argument by Malfourmed · · Score: 4, Insightful

    McGrath is not making a technical argument, but a management/legal one. In business, security (ie peace of mind) is not defined by the tightness of a piece of code but by who you can make accountable for any failure.

    Microsoft at least is the clear and sole owner of its product. Though any single customer's ability to make it responsible for product deficiencies is slight at best, a statement of "we're here and responsible for our stuff" is superficially reassuring.

    1. Re:Not a technical argument by Coryoth · · Score: 3, Interesting

      I think the difference doesn't actually look good for Microsoft really. Yes they say

      "we're here and responsible for our stuff"

      but phrased a little differently, what they're really saying is that in all the world there's only one company that has sufficient faith in Microsoft OS software that they're willing to be responsible for it (and if you read the EULA they're not responsible anyway). In contrast Linux has many companies who are all sufficiently confident in Linux that they're willing to stand up and actually take responsibility for it. Why are they so confident? Because they know that even if a problem is found they can fix it themselves and provide that fix to their customers.

      Personally I'd be more willing to trust the system that has lots of companies wanting to step up and offer to be responsible. If I wanted accountability I'd pay one of those companies to be responsible for any issues, rather than Microsoft, standing alone, claiming they are responsible "sort of, in a way, maybe".

      Jedidiah.

    2. Re:Not a technical argument by Linker3000 · · Score: 2, Insightful

      Fair point - in which case as the IT manager for over 26 networked and interconnected offices **I** am responsible for security - for all our boxes regardless of whether they run Windows or Linux (we have 26 Windows servers and 4 Linux servers in our empire).

      Microsoft's products are just tools we use to run the business and if the tool's broken it is *MY* job to ensure we get it fixed - 'getting it fixed' in this case might be to refer to the manufacturer (ie: M$) to see whether they have fixed it and if not, perhaps look for an alternative tool that will do the job. Microsoft should take care to note the latter option.

      --
      AT&ROFLMAO
  15. More FUD by slobber · · Score: 2

    There are fundamental things missing, ... no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program.

    Please, someone, tell him about kerberos...

    --
    "You mortals are so obtuse." -Q
  16. Microsoft takes responsibility for Windows Bugs? by Taladar · · Score: 4, Insightful
    Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
    From these words I conclude that any business that lost time/money from Security Holes or Bugs in Windows can go to Microsoft and present a bill which Microsoft will gladly pay.
  17. Now is your chance to bankrupt M$S by Anonymous Coward · · Score: 2, Insightful

    So the Microsoft bigwig Nick McGrath says 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel.."
    Well Ok Nicky - you are implying then that MS DOES take responsibility for the security of its products? If that is so then you are lying because the last time I read YOUR EULA it states that you guys will take our money but will not take responsibility for any defects etc in YOUR products.

    Once again we have idiots making statements for none other than the idiots that are running the IT industry...

  18. Let's keep the bias out of the submission.. by Staplerh · · Score: 4, Insightful

    Come now. This is ridiculous:

    I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.

    This is true, I will agree.. in my humble opinion. Let's save the editorializing for the comments. This is 'News for Nerds' - this sort of snide comment has a place in an Op/Ed page, but certainly not the 'front page' of a news site. I suppose there are divergent ideas of what Slashdot really is, but I think that endeavouring to be unbiased would be great.

    I'm not meaning to troll or to be 'flamebait' here, just to point out a disturbing trend I've noticed in biased story submissions.

    --
    "There's no success like failure, and failure's no success at all."
    - Bob Dylan
    1. Re:Let's keep the bias out of the submission.. by Jerf · · Score: 4, Interesting

      I'm not meaning to troll or to be 'flamebait' here, just to point out a disturbing trend I've noticed in biased story submissions.

      I tend to agree that there is a trend problem, though it isn't the mere presence of editorializing; that's always been there. It's the breathtaking inanity of the editorials of late, both from submitters and the editors. One good way of measuring the information value of a piece of information is the extent to which it is a surprise; I see a surprising editorial comment about once a week now (like "this wasn't really Microsoft's fault, you have to blame the user for giving his password out to a stranger"), the rest are total Slash-think that can and have had Perl scripts written to replace them. ("Go away, or I shall replace you with a very small shell script.")

      The only thing maintaining Slashdot's reputation is Slashdot's reputation, and that's a formula for a dangerous and sudden collapse. Were I economically dependent on Slashdot, that would concern me.

      But this particular editorial does have the virtue of being almost empirically true. Microsoft, as the current owner of the least secure software in common use, just isn't in a position to be criticizing others about security. Evidently, whatever things they are trumpeting about themselves must not be important, because they are clearly not being reflected in actual results. Something that, if provided, most IT managers will prefer even over the ever-popular empty platitudes, and most IT managers are hardly able to ignore the results of Microsoft security.

  19. This totally makes sense. by bennomatic · · Score: 4, Interesting
    Microsoft isn't a software company. They're a marketing company. They do what it takes to sell whatever they've got. I used to say that MS could pipe all their employee toilets into a packaging facility and sell Microsoft Excrement at a profit. With their marketing muscle, they could find an audience for just about any product.

    Unfortunately, part of marketing, especially when your product is getting negative publicity, is pointing out perceived flaws in competing products. I believe the term often used is FUD, and it's nothing new or unique to MS. Heck, it's pretty much how GWB won a second term.

    When it comes to this sort of thing, they have a wide latitude of opinions they can express, especially when there is no Linux, Inc. to sue them for slander. The Linux community, however, has been quite good at spreading the word about MS badness; they're just trying to do the reverse because their feelings are hurt.

    --
    The CB App. What's your 20?
    1. Re:This totally makes sense. by Stevyn · · Score: 2, Insightful

      If you want to compare GWB to Microsoft, fine. But this implies John Kerry is then on the same side as Linux.

  20. Just personal experience by agraupe · · Score: 4, Insightful
    Here are my personal evaluations of security differences:

    Spyware:
    Windows: I run a spyware checker every week or two, and it almost consistently finds new spyware.
    Linux: Is there a spyware checker for linux? Does there need to be? I know that my Linux box runs consistently fast, and has no search bars.
    Edge: Linux

    Default Habits:
    Windows: The Windows XP install, by default, seems to create an Administrator account with no password, no User account, and no suggestion that there should be a user account. Also, there are many services that are on by default, that really shouldn't be.
    Linux: All linux distros I've used require a root password, and strongly emphasize that root is not to be used for day-to-day computing. Depending on the distro, most unnecessary services are off by default.
    Edge: Linux

    Updating:
    Windows: Use an insecure browser, tied to the OS itself, to browse to Windows Update, wherein the system is updated. Note that these updates have a nasty habit of breaking things, and this does not update third-party software which may be vulnerable.
    Linux: sudo apt-get update; sudo apt-get upgrade
    OR
    sudo emerge sync; sudo emerge --update world
    Edge: Linux

    Do I need to go on?

    1. Re:Just personal experience by The_Spud · · Score: 2, Insightful

      The linux installers still have major issues. It's total head in the sand stuff to claim that installing linux is as easy as windows. The main distros I've used are mandrake, redhat and fedora and the installers have all caused problems with partition tables. In particular FC2 had that great bug which fucked the partition table geometry and made other OS's installed unbootable. FC3 installer has a bug which causes the installer to fail if you have used disk management tools such as Norton Ghost or Drive Image.

      I use linux for work every day and it really annoys me when I have to read the same crap on slashdot about how linux is better in all ways compared to windows. If we don't acknowledge the many problems that exist with linux how are they ever going to be fixed?

      Like using an ATI graphics card for 3D acceleration. On windows click - click-restart done.

      Linux: download latest version of drivers
      install rpm
      Switch to run level 3
      run configuration prog.
      Manually edit X config files because they forked the fucker and your distro now uses xorg and the config files aren't compatible. Restart X
      CRASH!
      Wait 3 months for ATI to fix the bloody drivers.

      When they can make installing your graphics drivers as simple as on windows we are getting somewhere.

    2. Re:Just personal experience by The_Spud · · Score: 2, Insightful

      I'm not denying that for many people it goes smoothly but it's still a really common experience to have hardware, e.g. wireless cards, not work. Also you haven't commented on the problem I highlighted that installing graphics drivers is a complete pain in the arse even if it works as intended. When I had an NVIDIA card, and their linux drivers are much better than ATI's, it still involved much command line use to get the drivers installed. If you upgraded the kernel then you had to compile a new kernel module. There are many things which are better about linux, the windows command line is woeful, really poor, but there are a good deal more things which are better on windows.

      The installer issues I mentioned are software based and affect you no matter which brand of HD you use. Having a bug in a final release which renders most of the software on your multi boot system useless is incredibly poor and if the evil empire had done this we would all be laying in to them and rightly so. I have to say that criticising MS for problems with their software but then completely ignoring the huge problems that exist with much open source stuff seems hypocritical and counter productive. How can OS software ever compete with proprietary if we all pretend there are no problems. "It worked fine on my computer" isn't going to cut it if you want linux to become mainstream.

  21. Superficial... by rhsanborn · · Score: 2, Informative

    ...especially because they claim they are explicitly not responsible for anything.

  22. A bird in the hand is worth two in the bush. by jonastullus · · Score: 5, Insightful

    i really don't want to play down the problems linux has with its development model and i sure have heard great things about the microsoft development process!

    but i'd rather have a more secure system now, which lacks in development stringency, than a provenly unsafe system which can prove exactly when, why and how their bugs came into the system...

    microsoft is just far too lax concerning their outward security policy (like not caring about the blatant RC4 exploit). their "patch day" with all those patches that never quite close the exploits is just a farce!

    well, gnu/linux with all its applications has had a bad streak of exploits as well recently and i would strongly recommend a stricter development process, but if i were microsoft i'd definitely tone down on the linux-is-insecure-and-lacks-accountability bashing and instead invest some serious effort in making my own product look a little more convincing and less like the bug-ridden security hole that it is!

    jethr0

  23. In other news... by Nova+Express · · Score: 4, Funny
    Michael Moore accused Paris Hilton of being "too fat."

    Mike Tyson accused Michael Jordan of being "violent and out of control."

    And Richard Simmons accused Charlton Heston of being "way too gay."

    --
    Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)

    http://www.lawrenceperson.com/

  24. Re:Single sign-on by Anonymous Coward · · Score: 2, Insightful

    I corrected it for you: Apparently it's well-known at Microsoft that Linux doesn't support **Microsoft's deliberately incompatible version of** Kerberos.

  25. Development Environment? by Roguelazer · · Score: 4, Insightful
    "there is no single Development Environment for Linux as there is for Microsoft"

    Yes, what a good point. There are multiple DE's for linux. This is a bad thing, because it means developers have a choice. There should only be one piece of software for each category, and it should be manufactured by Microsoft. Choice is bad, people!

    1. Re:Development Environment? by yamla · · Score: 2, Insightful

      I'm not sure that's what he meant. Because, after all, there are multiple development environments for Windows as well. Borland, Microsoft, heck you can even get emacs, kdevelop, etc. running in Windows.

      I agree with you that multiple options for development environments are good, I'm just not sure that's what he was implying.

      --

      Oceania has always been at war with Eastasia.
  26. Hm by Lisandro · · Score: 4, Insightful

    Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.'

    Why, of course he does. That's his job.

    In other stories, water's wet, sky is blue and women have secrets. More news at 10!

  27. Does he mean "desktop environment?" by Noksagt · · Score: 2, Interesting
    Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft
    What does this mean? Sure, there is Anjuta, KDevelop, Eclipse, GNU/X-Emacs, etc. But there are a ton of development environments on windows too. Is this supposed to be the age-old KDE/gnome debate?

    If so, isn't a huge advantage of using ANY *nix in production that you don't have to have the overhead of running a graphical desktop environment if you don't need to?
  28. Re:Is he serious by WhiplashII · · Score: 2, Insightful

    This is not a recent strategy... in marketing you commonly look at your strengths and weaknesses - and then see how you are perceived by your customers. If your customers already know your strengths, your marketing strategy is to convince them that your weaknesses are also strong.

    It just sounds silly to those who know. But it does work in most cases...

    --
    while (sig==sig) sig=!sig;
  29. The question is by rikkards · · Score: 2, Interesting

    how insecure would Windows be if you were able to remove IE and Outlook from the picture?
    If Firefox becomes the great white hope for secure browsing on the Internet and the other one where it incorporates calendaring into Thunderbird has as much success as Firefox is getting(can't remember the name for the life of me), could this in itself slow Linux adoption? Windows has improved stability-wise over the last couple of years by leaps and bounds and supposedly they are looking at making it more secure (but I am not holding my breath too much).

    Just a thought.

  30. Let the flames begin! by CajunArson · · Score: 2, Informative

    First of all, I can't trust this article because it's not digitally signed!
    Now, on to the point. If someone comes out and says: "the default Linux kernel released by most distributions is not secure." I'll say 'hell yes'. Note that this is not what TFA states, it is a much broader screed against open source in general.
    The problem is that if Microsoft wanted to launch a rational attack on Linux's security they would also be attacking their own products. I'm not even talking about the differences between open and closed source here, I'm talking about the ways that Linux and Windows both are susceptible to security issues. Right now most default Linux distributions put out kernels and user-space utilities in a system that assumes every piece of software has to be perfect to ensure security! (especially anything running as root) Windows is basically the same way. Once a hole gets found, it is easily possible to hijack an entire system.
    Now, at this point the arguments between Linux and Windows invariably devolve along the lines of: Linux gives you the source code so you can find the bugs yourself, or Windows runs too many services and that's why it's not secure. On the Windows side we get arguments about how you 'can't trust unsigned open-source code!' (which actually does have some merit if you don't check source signatures you grab from some random mirror, but does not really speak to the OSS development model). The problem is that these arguments are more about which system is easier to band-aid than which system is innately more secure.
    Let's really look at default Linux vs. Windows. Both have admin and user accounts, both follow a similar model of discretionary access controls, both can be hacked remotely although windows tends to get hit more because it runs too many standardized services.
    The point of this very long rant is that Linux does indeed have security problems that are not of a nature much different than Windows. I would say the better track record of Linux so far is NOT due to it being open-source; that does help finding bugs, but plenty of Windows bugs are found and fixed before the Windows boxes are hacked. Instead it's because Linux (with some exceptions) does not install a bunch of stuff by default, Linux systems are not as homogeneous as Windows systems (software monoculture time), and Linux admins have historically been better than Windows admins (this is definitely something that will be subject to change in the next few years).

    So is there a solution? Well, nothing is ever going to be perfect, but systems like SELinux and GRSec are big improvements because instead of saying "the whole system is perfect" they instead say "components in this system will be compromised, how do we isolate and protect it?"
    There's a problem though: these systems require old-time Linux users to deal with new restrictions they might not want to deal with. I promise you that SELinux policies that work great on a production webserver would drive you insane on a development box, but you need to protect both machines; a hacker will target both.
    I'll save my rant on Microsoft's security for when this story gets duped, it's another mess entirely. Just because MS is foobarred should not be an excuse for not looking to find and fix problems in Linux.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  31. Who is accountable for the security of the Windows by CharonX · · Score: 4, Insightful

    Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
    Er... and who is accountable for the Security for Windows?
    Microsoft?
    Internet-swiss-cheese-security-Explorer Microsoft?
    And will Microsoft take responsibility for their security holes? Will they pay for the damages caused by crashes and exploits for their buggy software?
    Maybe if they get their software quality up to a reasonable level they can START asking questions, but as long as they are as bad as now, they better keep their mouths shut, or they'll have to stuff their own feet in them.

    --
    +++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
  32. Lack of what? by kidlinux · · Score: 5, Insightful

    This "lack of accountability" argument is bullshit. Why does Microsoft have an EULA for its software? To cover their asses so they can't be held accountable for damages caused by their shitty software. When was the last time Microsoft was taken to court over losses due to poor software? If they could be held accountable, they'd get sued right out of business!

    --
    -kidlinux.
  33. Re:MS Development tools pwn everyone by NamShubCMX · · Score: 3, Insightful
    Please elaborate HOW they are superior, because I always found them to be quite equivalent...

    I'm actually serious, you were moderated informative but I am really wondering where the superiority of the MS tools come from..?

    --
    We've always been at war with Eurasia.
  34. This is a terrible article! by raddan · · Score: 2, Insightful

    Aside from the fact that there are no references to back up any of the claims that this McGrath fellow is making (I'd even settle for a research firm that was paid-off by Microsoft!), the 'author' of this article wrote a grand total of FIVE sentences. All five of those sentences paraphrase something else that McGrath says. The rest of the article simply quotes McGrath straight.

    There's no discussion of the points, no consideration of other factors, and as far as I can tell, no fact-checking. There is simply no journalism happening here. I know I can simply move on, but it irritates me to know that some CIO out there (probably mine) will take this all in without a second-thought.

    The shortcomings of the Windows OS are OBVIOUS to anyone who has to admin these systems in a real production environment, and even more apparent to those of us who have the pleasure of also running other systems. Just imagine what Windows might be like if they spent half of their propaganda budget on fixing the freaking software.

  35. Re:MS Development tools pwn everyone by Pete · · Score: 2, Insightful

    I'm presuming this is some sort of weird troll, moderated "informative" for some odd reason (seriously moderator, "informative"? What derf?)

    Seriously, if you think the Microsoft development tools are far superior to anything else in the world, then I can only presume you've never used anything else in the world :).

  36. Microsoft Argument == Creationism by JGski · · Score: 4, Interesting
    Microsoft is using pretty much the same arguments that creationists use against evolution.

    As we all know, Open Source Software development is structurally similar to the scientific method and evolution in terms of how "new things" are created by these systems. Similarly, what Microsoft is claiming is that software can't be created well "at random" through emergent means (we know that's a crock) but needs "the Hand of an intelligent Creator" to control everything (Microsoft == God, apparently). Ergo: Microsoft is claiming that only "Creationist Software" is good software - "Evolutionary Software" is evil software.

    I think this could be a useful angle of attack against Microsoft FUD: they are advocating creationism and faith-based solutions to computer science.

  37. related articles by Deanalator · · Score: 3, Informative

    I like the related articles at the bottom of the page.

    RELATED ARTICLES

    * Microsoft to axe Windows 2000 security upgrades
    * Microsoft enhances SQL 2005 security
    * Viruses plague half of UK Windows users
    * Linux fights off hackers
    * Busy day for Linux administrators
    * Industry giants offer Linux consumer boost
    * Windows open to critical vulnerabilities

  38. Re:You mean... by Welsh+Dwarf · · Score: 2, Informative

    You're on the right track, but that still wouldn't cut it. Due to the crackability of this kind of solution, setuid has no effect on scripts; you'd have to write a small C program to do it, or use sudo, which is much better all round.

    HTH

    David

    --
    Ask 8 slackers a question, get 10 answers (a citation, but I can't remember from who)
  39. Why I spit on M$ programming skills by A+nonymous+Coward · · Score: 4, Interesting

    I am generally a UNIX programmer, but I have also used custom operating systems. Only twice have I had to use M$ tools. Both times I have found obnoxious stupidities that led me to the conclusion that M$ does not use their own tools in any reasonable fashion.

    Around 1989, I had to use whatever Visual Studio was called then. In the debugger, while stepping through some C code, I accidentally stepped into strcmp or some other function for which the source code was not available. It dropped into assembler mode, quite fine, just a matter of stepping until it exited back to C code. Except it then displayed the C debug screen without first clearing the assembler debug screen. Lots of pieces left over, register displays, hex codes for instructions, etc. Almost unreadable. It gradually cleared itself up as I continued to use it.

    Around 2002, I had to use Visual Studio for some small project. You can click on an API and it automatically adds skeleton code to source files. It leaves those windows open, and I did not want so many windows open at once, so I tried to close them. Nothing under any menu I could see, but the X in the corner worked. Next time I used the skeleton code inserter, it complained that the file had been modified by an external program.

    Now I suppose I was doing things the non-M$ way. There is probably some perfectly normal way of getting rid of excess windows. Maybe I should have iconized them instead, but that clutters up the task bar. I found two other similar bugs within the first half hour of using the beast.

    These are the kind of bugs that anyone using the program would stumble across very quickly. How can the M$ developers take any pride in releasing such buggy code? How can they stand to even use such crap software? Is it so crappy that they don't use it themselves?

    I have no respect for M$ programming skills.

    1. Re:Why I spit on M$ programming skills by JohnFluxx · · Score: 2, Interesting

      I also did a coding competition thing, but for Barclays Bank. They put us up in nice hotels with free drinks and gave us all ipaqs (nice ones too).

      But they made some bad judgements. Stuff like repeatedly emphasising that you don't need to be the brightest, in fact they take on 2.1 and 2.2 grade students. While this is great, it's not quite what you say to recruit the guys that won the coding competition... Also while they had linux servers, they downplayed them heavily and talked about the windows machines. ( I got the feeling the management didn't actually know they had linux machines).

      But what annoyed me most.. is they told us this story about how one of the security guards saw smoke coming from the servers in the server farm. He hit the emergency stop, which turned off all the machines. Turned out it was just dust, but they fired the poor guy. I asked what measures they put in place to stop that happening again, and they said uh none.

  40. Heh, Heh. Yeah by smchris · · Score: 2, Funny


    I only have to wrap myself up in the warm and protective arms of a Microsoft EULA to feel the shielding umbrella of accountability.

    McGrath slays me.

  41. Re:You mean... by Catiline · · Score: 3, Informative
    Yes, mostly.

    Set-uid works by changing the user ID of the program to that of its owner; thus a program like passwd (which must have root privileges to write to the password/shadow file) has suid. Scripts which use suid have a few particular security concerns; since they inherit the PATH environment variable (and a few other particulars) from their calling user, you want to ALWAYS use the full path to commands. Thus, your script should look like:

    #!/bin/bash
    /sbin/insmod foobar1
    and:
    #!/bin/bash
    /sbin/rmmod foobar1
    since a user adding a malicious insmod or rmmod to their path could gain privileges. (There are other, more subtle, security issues with suid, but this is the easiest to understand.) Nevertheless, having a suid script is far preferable to idiots logging in as root for ordinary work!
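    Comments 38 and 41 above turn on the same mechanism: a privileged program that names a command by bare word lets the caller pick which binary runs, because PATH comes from the caller. (On Linux the kernel ignores the setuid bit on `#!` scripts, as comment 38 says, so in practice the privileged thing is a C wrapper or sudo; the PATH problem applies to whatever that wrapper execs.) The demonstration below is added here and is not code from either poster. It stands `id` in for `/sbin/insmod` so it runs without root, and the planted fake command, the temp directory and the fixed PATH are all constructed for the demo. It shows the hijack, the absolute-path fix from comment 41, and the environment reset that sudo's `env_reset`/`secure_path` options perform for you.

```sh
#!/bin/sh
# Added demonstration, not code from the thread: how a privileged wrapper
# that calls commands by bare name is hijacked through PATH, and two fixes.
# Stand-in: `id` plays the role of /sbin/insmod so this runs unprivileged.
# The fake command, temp directory and fixed PATH are constructed for the demo.

# Resolve the trusted binary once, before PATH is touched. A real suid
# wrapper would simply hardcode /sbin/insmod here.
TRUSTED_ID="$(command -v id)"

# Create a directory containing an attacker-planted `id`; print its path.
make_hijack_dir() {
    hijack_dir="$(mktemp -d)"
    printf '#!/bin/sh\necho HIJACKED\n' > "$hijack_dir/id"
    chmod 755 "$hijack_dir/id"
    printf '%s\n' "$hijack_dir"
}

# Vulnerable: bare command name, resolved through the caller-controlled
# PATH (the problem comment 41 describes). Prints HIJACKED.
run_unsafe() {
    PATH="$1:$PATH" sh -c 'id -u'
}

# Fix 1: absolute path to the privileged command; PATH no longer matters.
# Prints the real numeric uid even with the hijack directory first in PATH.
run_safe() {
    PATH="$1:$PATH" "$TRUSTED_ID" -u
}

# Fix 2: start from an empty environment with a fixed PATH, which is what
# sudo's env_reset and secure_path do. env -i also drops LD_PRELOAD and
# similar variables, which a hardcoded path alone does not.
run_sanitized() {
    PATH="$1:$PATH" env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin sh -c 'id -u'
}

# Remove the demo directory; guarded so an empty argument cannot hurt.
cleanup_hijack_dir() {
    [ -n "$1" ] && [ -d "$1" ] && rm -rf -- "$1"
}

# Demo when run directly: prints HIJACKED, then the real uid twice.
demo_dir="$(make_hijack_dir)"
run_unsafe "$demo_dir"
run_safe "$demo_dir"
run_sanitized "$demo_dir"
cleanup_hijack_dir "$demo_dir"
```

    The sudo route comment 38 recommends would be a sudoers rule along the lines of `alice ALL=(root) NOPASSWD: /sbin/insmod foobar1, /sbin/rmmod foobar1` (user name is hypothetical; module name is the one used in comment 41), which gets the full-path discipline and the environment reset without anyone writing a wrapper.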
  42. Re:MS Development tools pwn everyone by elhaf · · Score: 2, Interesting

    The post was not meant as a troll, only to answer the usual anti-MS ./ BS. Certainly they cost money, and free software has that clear advantage, duh. As a language guy, having written many compilers, I am quite impressed by the pragmatic design of the C# language. It is greatness. Also, I personally don't want to write another line of DB access code; the fact that these tasks are automated, integrated, and yet flexible is one of the strengths of MS tools. All the fancy dialogs and wizards simply generate code that actually works, unlike something like Rose, that has to be tweaked to death. Yet, that code can be modified for flexibility; it isn't just a black box. Also, in MS, exceptions actually work, and I don't have to go back to the 80's technology of setjmp/longjmp. Templates work, and have for nearly a decade, and they compile down in very cleverly optimal ways. Typed collections rock. Duplicate-on-write strings rock. Some folks even write templates in such a way as to get better, more optimal code than without them. The debugger is truly integrated and just works. I can traverse the most god-awful data structures live without it crapping out on me the way Mac/GNU tools do. etc.

    --
    Six score characters.
    Brevity being wit's soul
    I have enough space.
  43. Really? by abulafia · · Score: 4, Interesting
    The MS tools are far superior to anything else in the world at the moment. They are more robust and easier to use.

    I've heard this from several corners. Sometimes, even from people I trust a bit. I still don't get it. I don't live in the MS world, so I don't have much of a reason to experiment, but I am honestly interested in what makes them so great.

    I hear about the "tool tip" style reference checking, auto-library chain analysis, etc. The first would annoy the shit out of me, and the second I get from my make file (or ant, depending on what I'm building).

    C# seems to be a slight step up over Java, but nowhere near enough to incur the cost of switching platforms. (I say this as someone who develops and maintains production apps in Java, and hates the language.)

    As a sysadmin-cum-developer-cum-business-guy, I do everything in vi, make/ant, cscope, and custom tools using primitives like sed, awk, grep, perl, svn, RT, image-magick, [custom mailing list manager], etc (yeah, perl can replace sed and awk. I mean to, some day...). I think I have everything I need, but I'd love to hear about how it could be done better.

    So, please, do tell- what makes MS dev tools so great? I'm really curious.

    --
    I forget what 8 was for.
    1. Re:Really? by elhaf · · Score: 2, Insightful

      To be honest, what's really great is MS with Whole Tomato on top. See that website for some of the greatest features ever. It's like crack; when I have to develop without these features, like autocomplete, I feel crippled. Whenever you type something like Obj obj = getObj(); and then obj. on the next line, it then pops up a list of valid functions on the Obj class. Of course, you can just keep typing, and it will let you, but as you type it narrows the list to those that match (or if you misspell, none match). If you just hit enter it takes the current match and spells it out. It gives you the ease of typing short names while actually using longer, more descriptive names for functions without burdening the programmer. Also, if you type something like obj.fun( it will then list the parameters in a tooltip for that function. A click will give you all the variant signatures of that function, if any. Then, of course, the MS part of the whole thing is just robust and clean. After 20 years, they've gotten most things right by now.

      --
      Six score characters.
      Brevity being wit's soul
      I have enough space.
  44. linux has single sign on by tlahoda · · Score: 2, Informative

    I hate to burst his bubble about single sign on, but on my network we have single sign on to every service on the domain that you have permission to access once you have authenticated to the domain at your workstation, whether your workstation is windows or linux. Services are provided by windows, 4-5 different linux distros, and aix servers and are things like ftp, ssh, file sharing, concurrent versioning systems (not just cvs) and the like. This is accomplished with samba, ldap, nss, kerberos, sasl, ssh, proftpd, winbind, and possibly a few other pieces I'm forgetting at this moment. Unfortunately this was a pain to get it all working on both the windows and unix sides but it does work flawlessly. Well almost flawlessly - the windows boxes don't have ssh servers running. I don't know what he means by single development environment but if he means an ide he can keep his little tools like the visual studio hack. Unix and unix-like systems give you the ability to use your whole operating system as your development environment.

  45. Profitable Insecurity by Doc+Ruby · · Score: 4, Insightful

    Because the way they do it at MS, they're raking in about $40B/yr. Good security would cost them more money than just talking about it. They're smart enough to know how to turn insecurity into a marketing triumph, without paying the cost.

    --
    make install -not war

    1. Re:Profitable Insecurity by Saeed+al-Sahaf · · Score: 3, Insightful

      No, I don't think so. I think they are very much like a cult and at high levels have deluded themselves into thinking that these issues don't really exist if they don't talk about them. I think at lower levels, there are probably many who do want to talk about it, but like their jobs more.

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    2. Re:Profitable Insecurity by einhverfr · · Score: 5, Interesting

      Because the way they do it at MS, they're raking in about $40B/yr. Good security would cost them more money than just talking about it. They're smart enough to know how to turn insecurity into a marketing triumph, without paying the cost.

      I think that this is present in the minds of program managers at Microsoft to some extent and has been an issue that has needed to be dealt with. But it is not the only one, nor is it the most glaring.

      Microsoft suffers from an inferiority complex when it comes to performance and computing. So often the design compromises which occur in the name of performance are more damaging than the ones which happen in the name of cutting costs and making release schedules. This is speaking as a former insider.

      For example, early NT systems (through 3.x) used a microkernel architecture with the drivers running in ring 1 on Intel and ring 0 on alpha. GDI.exe was a user-mode program.

      Well, it was decided that NT 3.x did not perform well enough, so when NT4 was designed, the essential elements of the microkernel architecture were abandoned in favor of a system where the drivers and GDI ran in ring 0. In other words, they thought that stability and security were not marketable but performance was, and so chose performance over the other two.

      Then the TUX webserver came out, I looked at the architecture, and my first thought was "I am NOT running network services as part of my kernel! I don't want those l33t h4x0rz exploiting Ring 0!" I even pointed this out in several discussions regarding the competitive landscape at Microsoft. In general the technicians, support managers, etc. all agreed with me. But not the program managers whose job it was to steer Windows development, because parts of IIS6 run in kernel mode. Again, compromising security and stability for performance (just as TUX does). Again this decision was made to counter Linux publicity re: performance rather than to try to offer a compelling alternative.

      In other words, Microsoft still is not really driven by making secure software. Or at least it wasn't when I worked there (up until shortly after Server 2003 launched). Instead, they have a whack-a-mole marketing attitude where their new products must beat their competitors' in terms of publicity based on whatever market fad is happening at the time.

      So these words are a threat but seem to indicate that they are really worried about Linux and all the free publicity that they are getting.

      But when was the last time anyone trusted Microsoft re: security anyway?

      --

      LedgerSMB: Open source Accounting/ERP
    3. Re:Profitable Insecurity by einhverfr · · Score: 2

      The MS attitude towards insecurity would change quickly, if people in the market were more interested in it. Rather than prioritizing TPS counts for SQLServer, or how cheap is an Exchange admin per head with a mail account. As usual, the people in the market get the leaders we deserve - who screw us as much as we allow.

      I actually don't think so, having worked there. Yes, the outward attitude might change and it has, but the corporate culture is not focused on security, and neither is the product development process. Furthermore, making Windows secure is a lot like integrating Sendmail 3.0 into the Linux kernel and then trying to make it secure two years later. It would be a monumental challenge.

      --

      LedgerSMB: Open source Accounting/ERP
    4. Re:Profitable Insecurity by dougmc · · Score: 2, Informative
      Last time I compiled the kernel I saw an option (which I left off of course) for a kernel level web server.
      The kernel level web server was written many years ago, and the goal was basically to do well at artificial `see how many static pages this OS can serve' benchmarks. These benchmarks are very artificial because 1) even a slow box can serve a huge slew of static pages, and 2) the vast majority of time spent serving web pages is spent generating non static pages.

      I seriously doubt anybody actually uses it. In fact, it wouldn't surprise me if it doesn't even work anymore. But then again, merely having it as an option doesn't hurt anything, so it's just ignored rather than removed. (And even if it were removed, anybody could re-implement it as a kernel module.)

    5. Re:Profitable Insecurity by einhverfr · · Score: 5, Interesting

      so why did you leave?

      Aside from the politics which were way over the top in my opinion, I had a few family issues that could not be adequately addressed while I worked there. Now that my year has passed and I am no longer bound by any non-compete clauses, I can be a little freer with who I am and what I am doing now.

      BTW, for those that do work at Microsoft, I was deeply involved in competitive discussions which led to:

      1) Pop3 server bundled with Windows Server 2003 (so that the SMTP/POP3 server combination can compete with Sendmail).

      2) The decision to take Services for UNIX to Linuxworld was based on my suggestion though I had no power or leverage to make it happen (and others carried the torch).

      3) I was the first to my knowledge to suggest the bundling of SFU with Windows Server. I made many other suggestions but I feel that it would be unwise to mention any which have not been announced either way due to NDA's.

      After I left Microsoft, I began to develop a set of software tools designed to help complete the Linux software stack (and just simple utilities to make my life easier). I began a software consulting business which helps people make the most of Linux and Windows.

      To tell you the truth, there are pieces missing from the Linux software stack. Anyone who tells you otherwise does not deal with the range of customers necessary to see it, but it is there and includes a lot of vertically targeted software for small businesses and line of business software. Most of the software in these markets is not very mature and will take time to develop. So Linux is not for everyone in every capacity but it is getting there.

      On the other hand, Windows security is a horrible myth. Windows will never be as securable as Linux is. There are fundamental problems in its design and I have no problem saying this.

      Now I did not say that Windows is less secure than Linux, only that it is less securable. If you really want to, you can configure your Linux system to be less secure than Windows 95. It is not that easy to do but it can be done. On the other hand, it will be next to impossible to achieve the same securability on Windows that you have on Linux without breaking a lot of important crap.

      --

      LedgerSMB: Open source Accounting/ERP
    6. Re:Profitable Insecurity by einhverfr · · Score: 3, Insightful

      Do you have any facts to support your assertion that IIS6 is in any way less stable/secure because of its kernel-mode component?

      When I look at the relative security of a software package, the questions I ask (going back to design) are:

      1) How exposed is this to attack? How necessary is that exposure?

      2) If it is compromised, how deep is the compromise?

      Now, the inclusion of http.sys affects question 2 in the following way:

      If a compromise occurs in http.sys (which is directly exposed to the network), then the exposure level is deeper than any usermode program running as any user. I.e. the fact that the exploit occurs in the kernel (ring 0) means that the system is fundamentally compromised in a way that it would not be if it were in usermode (ring 1 or 4 usually depending on the processor architecture).

      There have been no exploits to date in either http.sys or TUX but that does not mean that they are secure by design. More likely, they have not been directly targeted yet due to people sensibly not running them.

      --

      LedgerSMB: Open source Accounting/ERP
  46. Missed the point by A+nonymous+Coward · · Score: 2, Insightful

    It doesn't matter what the state of UNIX IDEs was in 1989. The point is they released shoddy code which they must have known was shoddy. Whether IDE or not, it was shoddy, the developers themselves surely must have been using it all the time every day, they could not have avoided noticing it was shoddy, and they released it anyway.

    As for you having inserted skeleton code without problems, that also is not the point. No doubt you have had some kind of training on it. I had to jump into it and use it the best I could. It is supposed to be intuitive, is it not? It wasn't. Clicking the X is supposed to close the window, right? Should not the IDE have known that it had closed its own window?

    I found three repeatable bugs within half an hour of just stumbling around trying to figure out how it worked for some little pissant project. Are their QA people so jaded they can't find these problems? Are their development teams so rigid in their practices that they never stumbled across these bugs themselves?

    If the development teams can't be bothered to fix their own dog food, either they eat something else, or they have extreme tolerance for crap. It does not bode well for their work on projects they don't use as much, which is just about everything else.

    It all speaks of shoddy practices from one end to the other. That's the point.

  47. Your point.... by King_TJ · · Score: 2, Insightful

    Your point still stands, yes - but I think it's sort of off-topic from the intent of Microsoft's original statements.

    They were primarily trying to make claims about the lack of security in Linux based on missing components, plus a lack of accountability for bug fixes.

    You're addressing an issue of availability of software applications for both platforms.

    I do agree with you though. Linux is still pretty much an OS that's best used by application developers or as a server platform of some sort. The attempts to "hammer it into shape" as a general-use desktop environment are still "half-baked", and that's largely due to a lack of variety of applications to run on it.

    After all, you can have the most elegant, powerful operating system on the planet - but if nobody writes apps to run on it, what good is it?

    People can (and in the case of Windows, certainly DO) put up with a lot of problems and deficiencies in an OS as long as it allows them to use the software apps they want/need to run. Linux is sorely lacking in the games dept., the music editing/creation dept., and in some aspects of graphics design and editing. It also comes up a little short for people needing to do accounting work. (Peachtree for Linux? Quickbooks for Linux? DAC Easy Accounting for Linux, even? Perhaps a version of M.Y.O.B. for Linux? Nope.... none of 'em. And accountants like standardization. Even if you write a cool new accounting package for Linux - you better at least support imports/exports to some of these Windows packages or it won't gain much traction.)

  48. In business, this is a legitimate question by karlandtanya · · Score: 4, Interesting
    CYA is the name of the game.


    In making a business decision, it's unlikely for anyone to take responsibility. The larger the business, the smaller the likelihood. It's not an issue of cowardice; the risks simply don't outweigh the rewards.


    So, the question "who do you blame" is a legitimate question. System fails, clients sue company, company pays clients, insurance company pays company, insurance company sues vendor.


    In business, those who take chances are the people who create the great successes and the great failures. These people exist. They are not the norm.


    "Nobody ever got fired for buying IBM." The point is not that this is true. The point is that people say (or said) this. They're saying that if you're working for someone and you want to keep your job, you make the safe decision.

    --
    "Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
  49. Flipping The Question by DannyO152 · · Score: 2, Insightful

    Most folks have the take that Microsoft's McGrath is throwing bricks from the glass house. But let me take a different view. Does Red Hat take responsibility? And the answer is, yes, or else. Because you can get a Linux kernel from many sources, any distributor that behaves irresponsibly (or insensitively) will lose the business end of their business, and, poof, they're gone. And this concept extends beyond the kernel to other aspects of doing business.

    A few of us (call me a semi-pro minus or hobbyist plus) left the RedHat tent with the way they handled the transition from 9.0 -> Fedora, and, in retrospect, I'm happier and it seems from the financial results that RedHat is happier.

    Now McGrath's comments are not meant to be part of a serious debate about how we users may get the most safe, seamless, fuss-free, and satisfactory experience with the kit we own, but are the equivalent of the flip side of preaching to the choir, which I suggest is reminding the congregation of damnation should they even think of leaving the church. Remember the Flintstones, how much of the "technology" was powered by a purposed, humiliated animal who would look up and say to the audience, "It's a living." I suppose it is.

  50. Who is accountable for Windows? by analog_line · · Score: 5, Insightful

    'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.'

    And who, pray tell, is accountable for the thousands of holes that have left Windows users open to viruses, trojans, and other malicious uses of their hardware? Billions of dollars in money thrown into the toilet fixing the results of nonexistent to pathetic security in Windows, with an EULA that specifically absolves Microsoft of all blame if anything goes wrong using their software, and they have the gall to claim that they are accountable for Windows?

    Should I be submitting my bills to Microsoft instead of my clients when their poorly designed, poorly implemented software causes them to need my services for hours on end, making them unable to do work, let alone pay my fees?

  51. Accountability? by ayeco · · Score: 2, Interesting

    Who is accountable for the security of the Linux kernel?

    And Microsoft takes the blame for their OS's security, but they are hardly ever held accountable for it.

  52. What about WinX? by Gary+Destruction · · Score: 3, Funny

    Why is Microsoft complaining about the security liability of Linux when they're writing and selling a desktop for it?

  53. Linux is not ready for mission-critical computing? by Anita+Coney · · Score: 2, Informative
    --
    If someone says he and his monkey have nothing to hide, they almost certainly do.
  54. This article has flaws. by Ash-Fox · · Score: 2, Insightful

    "In Microsoft's world customers are confidant that we take responsibility. They know that they will get their upgrades and patches."

    They also know it's not fixed in a day, like it is in the open source community; it's sometimes fixed after months and months of waiting.

    "There a myth in the market that there are hundreds of thousands of people writing code for the Linux kernel. This is not the case; the number is hundreds, not thousands,"

    Don't play with words; people say "Linux" as in the various distributions of Linux, not specifically the kernel.

    "There are very few of the improvements that come through the wider community. There are more skilled developers writing for the Microsoft platform than for open source."

    I wonder how they made this demographic.

    "A lot of the percentage growth figures mask the fact that Linux is coming from a very small base. There are more Unix servers than Linux servers in the UK. There are more Windows servers than Linux servers in the UK."

    What the hell, there are huge data centers of Linux servers which have more computers than the whole of London, and "a lot" of the percentage growth figures come from stuff that Microsoft has sponsored and possibly rigged?

    "Most customers look for more than just a product from their vendors. They need a solution that comes with the appropriate levels of support and service. This is where Linux is becoming more challenged as people expect more from Linux."

    All business Linux distributions provide support for their products and integration with 3rd party products a hell of a lot better than Microsoft's support does.

    "Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft, neither is there a single sign-on system."

    Linux is used in mission critical computing in routers, broadcasting, military etc., and there is one standardised development system for Linux called the LSB (Linux Standard Base). As for Windows... where is it and what is it called? .NET? The thing Microsoft keeps promoting their pants off at? The base that requires you to download some stupid runtime, where using 1.0 versions of software on the 1.1 runtime will cause calculation errors because it suddenly adds decimals to calculations when the program was never written to handle that, etc.?

    --
    Change is certain; progress is not obligatory.
  55. ok, let's go over this together by l3v1 · · Score: 2, Interesting

    The gist of his argument appears to be his claim of lack of accountability among distributors,

    Mmkay, M$ could be held accountable for Windows' lackings in security and the loads of holes and bugs in their software. But it doesn't change anything, does it? Don't start cleaning somebody else's porch when yours is the biggest mess.

    Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.

    Yet, even Red Hat has provided countless app. and security fixes over the years. And, for the record, accountable for the security of the Linux kernel? Well, that is a question, isn't it. Didn't know that was such a problem that even M$ cares about. Oh, and by the way, who can be held accountable for the NT series kernel (about which nobody can have a clue what it contains)? No, don't mention any names please, my prayers already contain a quite long list of names.

    Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft, neither is there a single sign-on system.

    I need to take my pills to stop my laughing spasms. Okay, let's educate ourselves. For one, it would be a good homework assignment for some student to find out what OSes were used in the first, let's say, 10 years of computer controlled systems which could be labeled mission critical. Then, Kylix and KDevelop are both full R&D environments (I deliberately don't mention "smaller" stuff), from hello world to GUI development, all integrated. Then regarding the Passport thing, that's really awkward to reference, since everybody and the neighbor's dog is dumping it all over the place, it being good for nothing useful on this earth.

    There a myth in the market that there are hundreds of thousands of people writing code for the Linux kernel. This is not the case; the number is hundreds, not thousands

    :D Okay, now we all are convinced how superior Microsoft products are :D My world changed from ground up after reading this sentence, really :D These guys really have to be working hard to make such arguments :)

    There are very few of the improvements that come through the wider community. There are more skilled developers writing for the Microsoft platform than for open source

    Now that's it. When you don't know anything else to do, go offend openly every developer who dares to do FOSS work.

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  56. new Microsoft user agreement? by tgibbs · · Score: 3, Funny

    Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?

    I applaud Microsoft's recognition of the importance of accountability. I look forward to reading Microsoft's revised license agreement, in which Microsoft will presumably accept liability for consequential damages resulting from security flaws of Microsoft products.

  57. Just a few changes, for modern systems by temojen · · Score: 2, Funny
    Capitalization:
    Linux: none^H^H^H^H Incalculable
    Windows: $250 billion
    Edge: Linux

    Home desktop user base:
    Linux: 1%
    Windows: 97%
    Edge: Windows

    Server user base:
    Linux: 60%
    Windows: 10%
    Edge: Linux

    Ease of use (Novice user):
    Linux: simple to use
    Windows: simple to use
    Edge: None

    Ease of use (Intermediate user):
    Linux: simple to use
    Windows: hard to use
    Edge: Linux

    Ease of use (Expert user):
    Linux: simple to use
    Windows: Very awkward, some tasks impossible
    Edge: Linux

    Design:
    Linux: Your choice of pretty colours
    Windows: Pretty colors
    Edge: Linux

    Installation (basic):
    Linux: Next->Next->Done
    Windows: Next-->Next-->Done
    Edge: None

    Installation (custom requirements):
    Linux: Do-able (http://www.gentoo.org/doc/en/handbook/index.xml)
    Windows: Impossible
    Edge: Linux

    Installation (identical mass installation):
    Linux: Hard drive image
    Windows: Hard drive image, needs activation & serial number, pay for every copy
    Edge: Linux

    Apps (image editing)
    Linux: Photoshop under WINE, Gimp, Imagemagick
    Windows: Photoshop, Gimp
    Edge: Linux

    Apps (Games -- commercial)
    Linux: Many run under Cedega
    Windows: Most just work (if your computer meets the specs)
    Edge: Windows

    User rights:
    Linux: Default install sets up an administrator account and a user account. Must log in as or su to administrator to do administrator tasks.
    Windows: Default install sets up the user as administrator and hides the existence of file ACLs.
    MacOS X: Default install sets up a non-administrator user who may be in the administrator group, but must authenticate before doing administration tasks.
    Edge: MacOS X
    Need I go on?
  58. Microsoft are you Accountable? by mnmn · · Score: 5, Insightful

    I entered the address of a website; it wasn't a particularly nasty site, just something resulting from a Google search.

    And it automatically installed a spyware application. No YES/NO dialogues just installed it. After that I saw attempts at outbound port 6667 to various external servers.

    Now I do manage servers that hold financial data, and servers with ERP software that run the company.

    I ask you, Microsoft, can you be held accountable if our company melts down should malicious spyware enter the system with their authors intending to corrupt our backups and bring everything down?

    Will you pay us the millions that we lose as we lose our customers?

    Will you as a result of such a catastrophe give us an OS that does NOT allow such breaches of security?

    I understand IE in Windows 2003 is more secure, and we should never browse for anything on the server itself... etc. However, Windows 2003 has not matured enough to bring out the bugs, while Windows 2000 has issues even after SP4, and after Microsoft ceases to provide bugfixes for it.

    We replaced our firewall with OpenBSD. We simply cannot find a reason to upgrade it from the 3.4 version, since the older version is so secure. Hell yeah, we've had attacks of all kinds, to almost all ports, SYN cookies, even DDoS type attacks that slowed the Internet connection, but we're still up, and without ever having an issue for over two years of OpenBSD operation.

    Coming back to Linux, which is also a UNIX clone, and which has more eyeballs on it, and more companies taking responsibility for it, tell me, should I pay for a crappy OS with someone behind it you can point fingers at, or a nice OS with no person behind it simply because you'll never have to point fingers?

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
  59. Re:MS Development tools pwn everyone by BillyBlaze · · Score: 2, Insightful
    You seem to imply that GCC's C++ exceptions don't actually work, that we have to resort to setjmp()/longjmp(), that templates don't work, that GCC's STL strings aren't copy-on-write, etc. All of these implications are, to put it bluntly, false. (If you didn't mean this, no offense, but you did imply it.)

    And yes, C# is (a) pretty cool, and (b) different from C++. That's why we have Mono :-). As for debugging, I don't do that much (usually stack traces are enough), and my "IDE" is kwrite and a command line, but KDevelop, Eclipse, and many others do indeed have integrated debugging - if it craps out, file a bug report, don't just bitch on Slashdot.

  60. Fair enough. by abulafia · · Score: 2, Insightful
    I looked over that website, and most of it falls in the category of "that would bug the crap out of me". I see how it could be useful. I just don't develop that way. Interactive popups distract me from what I was trying to do.

    With vim, I have tab expansion for method calls, but only when I want it - not some distracting thing that tries to second guess me. I have syntax highlighting, brace balancing, way better keyboard navigation (at the cost of being warped into the vi world, but that was done to me years ago). Method variants are a function of tab expansion. Pop up crap would distract me from what I'm doing. And arcane as it may be, s/(.*)re?gex$/somethingelse($1)/g is extremely powerful. My fingers just work that way, and I'm only 32. Don't get me started on the cool things one can do with ex commands.(god, did I just say I'm *only* 32?)

    I suspect this is an old-school-new-school thing. I don't like IM, either - email me or go away. If I don't know how the object is called, I need to read the public declaration, or I have no business writing code against that interface. If assisted coding actually didn't become a distraction, and actually inferred intent, I might take the time to learn it. But now I'm just being grouchy. Thanks for the explanation of what you like. I know I'm a little bit purist; I didn't use the syntax highlighting for quite a while, because it (a) didn't work well in edge cases, and (b) well, can't you indent properly? What's the problem?

    Maybe developing that way is faster, but I do think I understand, and can troubleshoot, things better with my coding suite and style. So I'm still not swayed.

    And I'll hit you with my cane, whippersnapper, if you bug me while I'm feeding the ducks.

    --
    I forget what 8 was for.
  61. responsibility by belmolis · · Score: 3, Insightful

    If Microsoft is so concerned about responsibility for security flaws, why is it that they don't offer indemnification for users hurt by their software?

  62. Why are people fooled by marketing? MYTH? by J_Omega · · Score: 3, Informative
    From TFA:

    "In Microsoft's world customers are confidant that we take responsibility. They know that they will get their upgrades and patches."


    But reading the EULA, MS clearly states that they are not responsible. I expect WindowsUpdate to change my system through patches, but I don't expect upgrades. I'm still running Win2kPro on my tri-boot system (Debian and Gentoo.) I KNOW that I will not get my UPGRADE to XP. I also hated hearing MS discuss XP SP2, and calling it an "upgrade." Also, I am CONFIDANT that MS would not take responsibility for data loss. ~ FUD

    "There a myth in the market that there are hundreds of thousands of people writing code for the Linux kernel. This is not the case; the number is hundreds, not thousands," he said.


    so it is hundreds of hundreds, then? :p

    "If you look at the number of people who contribute to the kernel tree, you see that a significant amount of the work is just done by a handful.
    "There are very few of the improvements that come through the wider community. There are more skilled developers writing for the Microsoft platform than for open source."


    My guess is that only a "handful" of MS employees work on Windows' micro-kernel as well. Though it might be true that there are more developers writing for the MS platform, this is because it is the world's most widely used OS. He's done a bait-and-switch almost... discussing the kernel development and relating it to the wide base of application software?

    "The way that 2004 started off there were a lot of myths in the marketplace around the cost and capability of Linux. But now a lot of the ideology has been replaced with commercial reality."


    He uses the word "myth" quite often here. So let us look at a few select definitions of the noun:
    * a traditional story accepted as history; serves to explain the world view of a people
    * A popular belief or story that has become associated with a person, institution, or occurrence, especially one considered to illustrate a cultural ideal

    So a myth doesn't necessarily mean make-believe. We could interpret his quote to have meant this : "The world-view and cultural IDEALS of Linux have made themselves a concrete REALITY over the past year!"

    "[Customers] need a solution that comes with the appropriate levels of support and service. This is where Linux is becoming more challenged as people expect more from Linux."


    Well, uh... DUH! If you expect more out of something, that something will be more challenged to perform. Water is wet. The Pope is Catholic. If I expect my automobile to drive 200 mph, the manufacturer will have a bigger challenge designing it. Go figure.

    "Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft, neither is there a single sign-on system."


    OK, I'll admit, I'm not a software guy. But aren't these unrelated statements? ie, What does a development environment have to do with mission-critical computing??

    /. recently had the story of the Ohio power plant being crippled because Windows systems were compromised. Did that mission-critical application even DO development?? Plenty of mission-critical situations use Linux that do no development, right? Server uptime, information distribution, stable communications?

    The Linux Desktop (and kernel?) may have certain things missing, that's a given. That doesn't mean that it isn't ready for SOME mission critical computing. I'd be more inclined to use a kernel/OS that allows inspection of its source for any mission-critical apps. Ask NASA why the Mars rovers are using Linux instead of Windows.

    FUD FUD FUD, is all I got out of the article.

    Please explain where I'm incorrect here. I admit that I'm not as knowledgeable on some of these points as many of you, and would prefer to know why/how I might be incorrect.
  63. That's your problem. by khasim · · Score: 2, Informative
    I don't care who looks at it, I just want a single email I can send a security flaw to no matter what system it's in.
    That's your problem.

    It's all about what OTHER PEOPLE should do to make YOUR life easier.

    Looking up a name in a list is TOO HARD for YOU!

    There should be a link on kernel.org so YOU can send something to some OTHER PERSON who will spend the time and effort to determine what it is and who's responsible for that and then make sure it gets to that person.
    I, personally, wouldn't have had any idea how to figure out who to send the patch to without you having just outlined the process right here. That process is not obvious and too complicated.
    Not obvious? It's where you go to get the source for the latest kernel.

    I can't write patches for the kernel and even I can find it.
    There needs to be one single email address listed in a prominent place where you can send such things to.
    Right. It's all about how to make YOUR life easier by having OTHER PEOPLE do it for you.

    Rather than you spending 20 seconds to find the email addresses, you expect someone else to be able to read the patches, find out who maintains that subsystem and get the patches to that person.
    ...but the process you outline is not a tenable process for a kernel used by millions of people, some of whom are programmers who may have no familiarity with the Linux kernel development process, but are nonetheless capable of finding and fixing a security flaw all by themselves.
    No. The fact is that many hundreds of people manage to get patches submitted in the current structure.

    Yet there was one example of one person who couldn't understand that structure...

    So the whole structure is wrong and has to be replaced.

    Rather, it seems that that one person has a problem and your "solution" would only make MORE work for someone(s) who had to be the single point of failure (do you know that term) for processing patches.

    The current system has so many ways to get a patch submitted that even the dumbest individual will eventually stumble across one. As was shown with your example.

    Why switch from such a distributed, de-centralized system to one with a single point of failure?

    Just to make life easier for the dumb people? I don't think so.

    1. Re:That's your problem. by imroy · · Score: 2, Insightful

      Look it's very simple for the Linux kernel. In the base of the kernel directory (usually at /usr/src/linux) there are three files. The CREDITS file lists almost every person who has contributed to the Linux kernel. It contains names, email addresses, a description of their contribution, and even street addresses in some cases. There's also MAINTAINERS which lists in the same format the people responsible for the various sections of the kernel. At the beginning of the file there's even a long description of how to get your patches into the kernel. Lastly, there is the REPORTING-BUGS file. It contains instructions on how to report bugs to the LKML (Linux kernel mailing list, in case you didn't know).

      Is that not enough for you? Or do you really think the real solution is a single email address that will be spammed to hell and have newbies asking for help getting their nVidia graphics card working with Fedora?

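The reply above points at the kernel's MAINTAINERS file as the place to find who owns a subsystem. The following is an added example, not code from the page or from the kernel tree: a small parser for that file's format that answers "who do I mail for this path?" It assumes the tag layout used by current kernel trees (M: for maintainer, L: for list, S: for status, F: for file patterns; older trees used P:/M: and had no F: lines), and the MAINTAINERS text it reads is a constructed sample, not the real file.

```python
"""Look up kernel subsystem maintainers for a file path from a MAINTAINERS file.

Added example, not from the page or the kernel tree. Assumes the
MAINTAINERS format of current kernels (M:/L:/S:/F: tags; older trees used
P:/M: and had no F: lines). The sample text below is constructed.
"""
import fnmatch
import re

# Constructed sample in MAINTAINERS format (names and addresses are made up).
SAMPLE_MAINTAINERS = """\
THE REST
M:\tLinus Torvalds <torvalds@example.org>
L:\tlinux-kernel@example.org
S:\tBuried alive in reporters
F:\t*
F:\t*/

NETFILTER
M:\tAlice Example <alice@example.org>
L:\tnetfilter-devel@example.org
S:\tMaintained
F:\tnet/netfilter/
F:\tinclude/linux/netfilter.h

SECURITY SUBSYSTEM
M:\tBob Example <bob@example.org>
L:\tlinux-security-module@example.org
S:\tSupported
F:\tsecurity/
"""

TAG_RE = re.compile(r"^([A-Z]):\s*(.*)$")


def parse_maintainers(text):
    """Split MAINTAINERS text into entries.

    Each entry is a dict with 'title' plus one list per tag letter seen
    (e.g. entry['M'] is the list of maintainers). Entries are separated by
    blank lines; the first non-tag line of a block is its title.
    """
    entries = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the current entry
            continue
        m = TAG_RE.match(line)
        if m and current is not None:
            tag, value = m.group(1), m.group(2).strip()
            current.setdefault(tag, []).append(value)
        elif current is None:
            current = {"title": line.strip()}
            entries.append(current)
        # any other line (free text inside an entry) is ignored
    return entries


def _matches(pattern, path):
    """F: semantics: a trailing '/' covers everything under that directory,
    otherwise the pattern is a shell-style glob over the whole path."""
    if pattern.endswith("/"):
        return path.startswith(pattern) or fnmatch.fnmatch(path, pattern + "*")
    return fnmatch.fnmatch(path, pattern)


def maintainers_for(path, entries):
    """Return [(title, maintainers, lists)] for entries whose F: lines match.

    The catch-all 'THE REST' entry is only returned when no more specific
    entry matched, which is how get_maintainer.pl-style lookups behave.
    """
    hits = [e for e in entries if any(_matches(p, path) for p in e.get("F", []))]
    specific = [e for e in hits if e["title"] != "THE REST"]
    chosen = specific or hits
    return [(e["title"], e.get("M", []), e.get("L", [])) for e in chosen]


if __name__ == "__main__":
    entries = parse_maintainers(SAMPLE_MAINTAINERS)
    for p in ("net/netfilter/nf_tables_api.c", "security/selinux/hooks.c", "drivers/foo/bar.c"):
        for title, people, lists in maintainers_for(p, entries):
            print(f"{p}: {title} -> {', '.join(people)} (cc {', '.join(lists)})")
```

To run it against a real tree, replace `SAMPLE_MAINTAINERS` with the contents of `MAINTAINERS` from the kernel source; the preamble text at the top of the real file parses as title-only entries with no F: lines and is simply never matched.
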
  64. Re:Desktop security vs Server security by f16c · · Score: 2, Interesting

    "The Linux community has its security head in the sand. Linux isn't secure. It is just that it is only run by a few computer literate people who know how to keep their insecure systems safe."

    And most of us also use the system for work, school and play. We know more about computing and the threats to our systems than most Windows users because the system is teaching us. You don't learn how things work with a mouse. You learn them by breaking the system, messing with it, building software and installing from source code. The best security in the world is learning and reacting to the real world. By shielding us from it Microsoft has insulated us not from the threats of the world but from the tools to protect ourselves and educate ourselves about the system.

    To say that Microsoft or linux is better for security is a red herring in either case. I like the basic simplicity of the *NIX model. My stuff works. My systems do what I want.

    --
    bob@Osprey:~>
  65. SSO != Passport by Nailer · · Score: 2, Informative

    The article mentions single sign on as being an issue under Linux.

    Single sign on is the ability to have a user log on to the network from a centralized authentication server and not prompt them for credentials when they access application servers.

    In Windows speak, that's not Passport, that's AD and AD aware apps.

    In Linux, it's pam_krb5 when you log on, and kerberized apps.

    * Evolution / Dovecot
    * Firefox / Apache HTTPd
    * CVS (client and server)
    * SVN (client and server)

    etc.

  66. Re:Linux isn't really more secure. by dotlin · · Score: 2, Informative
    The only reason Linux doesn't have thousands of viruses written for it is because nobody runs it. Same with macs.

    This meme refuses to die. It sounds credible that more usage would lead to a more attractive target for malware but ignores other factors like:

    • monoculture
    • ActiveX
    • Microsoft's decision to "integrate" their web browser into Windows

    An excellent article refuting this meme, which doesn't even mention ActiveX, can be found here:

    http://www.theregister.co.uk/2003/10/06/linux_vs_windows_viruses/

    Your later point about how someone may write an ActiveX equivalent for Linux in the future does not strengthen your case in comparing Linux vs. Windows security today.
    Windows XP has a better security infrastructure than any UNIX knock off.
    Care to cite any references to support that statement? Using loaded terms like "...UNIX knock off." doesn't add weight to your opinion.

    Here's my opinion, with references to support it.

    Only a criminal monopoly(1), with no consideration of their customer's interests, could embed into their web browser "application" (2) the security sink-hole of ActiveX vulnerabilities(3) to achieve vendor lock-in(4). This has resulted in the mess that is "security" in Microsoft(R) Windows(R) today.

    References:

    1. Criminal is strong language but Microsoft has a judgement against them regarding unlawful monopoly conduct: http://www.microsoft-antitrust.gov/
    2. To everyone but Microsoft, Internet Explorer is an application called a "web browser". Microsoft testified in their anti-trust trial that IE is not an application but an integrated part of their Microsoft(R) Windows(R) operating system and there is no way to allow users to not have it installed. http://news.bbc.co.uk/1/hi/special_report/1998/04/98/microsoft/275248.stm
    3. Concern over ActiveX vulnerabilities has been in the media for over 6 years. The issue has gotten more attention, migrating from IT trade press to mainstream media, and in that time we've gone from viruses (which have not gone away) to phishing and spyware infestations:
    4. 36 page academic paper in PDF format. Network Effects and Microsoft: http://www.stanford.edu/~tbres/Microsoft/Network_Theory_and_Microsoft.pdf
    --
    Transmitting energy without a license.
  67. Mission Critical by sparkz · · Score: 3, Informative
    He goes on to say that 'Linux is not ready for mission-critical computing.

    In general, I agree with him on this (I have not RTFA yet). Nor is Windows, of course, but that's taken for granted. Of course, it depends how critical your mission is. "Mission-Critical" is one of these phrases which is bandied around, but let's consider what it means....

    "The mission depends on this system".

    That still does not define the extent to which the mission depends on it - 80%? 90%? 100%? Nobody offers 100% availability, if that's what you're referring to.
    The phrase also ignores the mission involved. For NASA, the Mission might be to send a man to Mars and back, but what if my "mission" is to run a website which expects to get 3 hits a month with a 60% expectation of success? An Atari could cope with that - my mobile phone could probably cope with that!

    Taking the phrase in the way it's normally meant (running systems which are responsible for a significant amount of the user's business, and the failure of which would cause significant disruption of the business process and/or profit), then the whole discussion still depends entirely on the "mission" involved.
    What tradeoffs is the mission prepared to make for uptime, for example? Serving read-only webpages, I care little for data integrity (I've been serving the same data for years, I've got it on tape, CD, DVD, onsite and offsite), and only care about uptime.
    If I'm running a database which is updated many times a minute, then uptime still matters to me, but I also need to know which transactions have been fully processed, and which have failed (given Failure Scenario N, which may or may not have been predictable). That is much more difficult.

    --
    Author, Shell Scripting : Expert Re
  68. Re:NSFW by Tenareth · · Score: 2, Insightful

    So, you clicked a link called Free Boobies, explicitly on the .nl domain where porn is looked at differently (so safesearch works differently) and you expected it to be safe?

    --
    This sig is the express property of someone.
  69. Open source software is the biggest thing ever: by master_p · · Score: 2, Interesting

    I haven't read a sillier comment than those of Microsoft on open source software, and especially Linux. Simply put, open source software is the biggest invention ever.

    Linux security is highly exaggerated

    Windows security is too complicated to be taken seriously. On Unix, you have user, group and public security bits. It is a simple model, yet proven enough for all tasks. On Windows, you may have ACLs based on time, on type of access, inheritable security attributes, etc. etc., but Windows is still the most vulnerable O/S by a long shot.

    and that the open source development model is 'fundamentally flawed.'

    Thanks to open source software, there are thousands of programs to use for every possible task, the scientific knowledge on computers spreads around much faster, it helps low economies ride the computer revolution bandwagon, it helps children in poor countries get in touch with computers...imagine a world without open source software! computers would not be as widespread as they are now.

    'Who is accountable for the security of the Linux kernel?'

    Who is accountable for the security of Windows, given that the installation disclaimer says that Microsoft has no responsibility whatsoever on the effects of working with their O/S?

    Furthermore, OSS does not need accountability: if your app does not run and does stupid things, people will not run it, your reputation will be hurt, and you will be forced afterwards to do a better job.

    'Linux is not ready for mission-critical computing.

    Last time I heard, the US army plans on replacing Lynx and other real-time O/Ses with Linux on their radar and defense systems. How's that for 'mission-critical'? I know several companies that produce defense applications for Linux. And Linux is actually better for this kind of software, because the source code can be audited by these companies at no charge.

    the lack of a development environment

    They couldn't have made a funnier and more absurd statement. Hey MS, does GCC ring a bell? It comes with every Linux distro, remember? What's the development environment of Windows out of the box? None. There is none. MS users have to spend another $300 on getting MS Visual Studio.

    and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program.

    A single sign-on system is actually unimportant. I have registered myself at many, many sites, but since the browser remembers my password, I don't even sign on. Furthermore, wasn't there a story about the .NET passport system security having been hacked for a week or so, and hackers having access to ALL of the users' data?

    I guess Linux can only aspire to the greatness of Windows

    What greatness? Win32 is the single most badly-designed API, right after MFC. Microsoft actually needed to develop a whole new platform in order to get it right. There is simply no architecture behind Win32. It is a random accumulation of functions over time, with many semantic problems, no clear separation between concepts (for example, asynchronous sockets are implemented through the win32 message queue).

    As for the plethora of software, it was a matter of economics that Windows has so much software: the hardware platform that it ran on was the cheapest (and the dumbest!), the available functionality was OK (but second to best), and more importantly, Microsoft let Windows spread by not caring about piracy!

    And what can one say about their flagship products? Internet Explorer is full of security problems, Outlook too, Word 2003 has become a bitch to use from so much bloat, .NET has 2 million layers of abstraction and a couple of thousand classes that happen not to fit exactly to your problems...

    Microsoft is also responsible for giving C/C++ a bad name; their software practices are truly evil. They changed some of

  70. Re:Desktop security vs Server security by cecom · · Score: 2, Interesting

    You make valid points and much of it is a matter of opinion anyway. I will address only the matter of ACLs.

    It is true that a typical Linux installation doesn't have ACLs. However ACLs do not make a system more secure. On the contrary. Try administering dozens of nested directories with dozens of different permissions (some granted, some revoked, depending on their relative order), users, nested groups, owners, attributes, some inherited, some not.
    It is a nightmare. Often it is impossible to fit it in one's head. It is too easy to get it wrong by accident. I have on more than one occasion.

    By comparison Unix permissions seem really primitive, however they are really easy to comprehend and verify, especially for people who have more important work than administering their systems.

    A major security lapse in Windows is the lack of the SUID bit. It is extremely difficult to allow a regular user to execute a trusted piece of code - one has to resort to IPC and write mountains of code - that is why few people do it.

    The net result of all this is - it is simply more technically difficult to write secure software for Windows.
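
The ordering problem cecom describes above, as an added illustration that is not part of the thread: a Unix mode-bit check (which follows real kernel semantics: exactly one of owner/group/other applies) beside a simplified, hypothetical first-match ACL evaluator with explicit deny entries. Swapping two ACL entries flips the answer; the Unix answer depends only on the bits.

```python
from dataclasses import dataclass

def unix_allows(mode: int, owner: int, group: int, uid: int, gids: set, want: str) -> bool:
    """want is 'r', 'w' or 'x'. Only the first matching class is consulted,
    so an owner with mode 0o070 is denied even though the group bits allow."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == owner:
        cls = (mode >> 6) & 7
    elif group in gids:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & bit)

@dataclass
class Ace:
    principal: str   # user or group name this entry applies to
    allow: bool      # False means an explicit deny
    rights: set      # subset of {'r', 'w', 'x'}

def acl_allows(aces: list, principals: set, want: str) -> bool:
    """Simplified model (not the real Windows algorithm): walk the list in
    order, first entry naming one of the caller's principals and the
    requested right decides; no match means implicit deny."""
    for ace in aces:
        if ace.principal in principals and want in ace.rights:
            return ace.allow
    return False

# Constructed sample: file owned by uid 1000 (alice), group 100 (staff), mode rw-r-----
MODE, OWNER, GROUP = 0o640, 1000, 100

# Same intent expressed as two ACLs that differ only in entry order.
ACL_DENY_FIRST = [Ace("staff", False, {"w"}), Ace("alice", True, {"w"})]
ACL_ALLOW_FIRST = [Ace("alice", True, {"w"}), Ace("staff", False, {"w"})]
ALICE = {"alice", "staff"}

def compare() -> dict:
    """Return the decisions side by side so the order dependence is visible."""
    return {
        "unix_alice_w": unix_allows(MODE, OWNER, GROUP, 1000, {100}, "w"),
        "unix_bob_w": unix_allows(MODE, OWNER, GROUP, 1001, {100}, "w"),
        "acl_deny_first": acl_allows(ACL_DENY_FIRST, ALICE, "w"),
        "acl_allow_first": acl_allows(ACL_ALLOW_FIRST, ALICE, "w"),
    }
```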

  71. Remember who he is talking to... by spagetti_code · · Score: 2, Informative

    Technical brilliance doesn't sell software. (see VHS vs Beta). Marketing sells software.

    He is talking to the people out there who are buying MS software, or who have already bought MS software. These statements are about selling software.

    These comments are not directed at technical people; their accuracy is irrelevant.

    The first rule of marketing: ***it's all marketing***. Everything you do and say and deliver is focused on getting s/w out the door and revenue in the door. Everything else is secondary, and that includes quality, truth, bugs.

    If the customers want security, give something to make them think they have it. Which is why MS have never really needed security till now (and maybe not even now). And they still don't, not *really*. If MS *really, really* needed security or they would lose market share, you can bet they would have darn good security.

    I suggest you read "Crossing the Chasm" or "Inside the Tornado". Get the early adopters on board, then move product as fast as you can and ignore the customer.