Slashdot Mirror
Microsoft Claims Linux Security a Myth
black hole sun writes "Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.' The gist of his argument appears to be his claim of lack of accountability among distributors, coupled with generic statements short on facts. 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.' He goes on to say that 'Linux is not ready for mission-critical computing. There are fundamental things missing,' pointing out the lack of a development environment and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program." I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.
Twenty years of buffer overflows.
Questions?
In Soviet russia, only old Koreans profit from pictures of Natalie Portman stored on Beowulf Clusters.
Care to elaborate? Just what part of the software stack is missing?
fast as fast can be. you'll never catch me.
Fact: Much of what winders suffers from is incompetent users. Nothing is really stopping the developers from writing spam bots for windows because idiot users on Linux could run bad code just as easily as idiot users on windows.
OTOH, you don't have such dumbass tricks ass tying your browser right to the OS or ActiveX, so you make spyware and whatnot less of a factor.
On yet another hand, however, you have the problem of moron users running sendmail daemons that listen for connections from the Internet and other stupid things. Plus, Linux has security holes. If stupid people don't patch them just like they don't path winders, what good is the security?
Again: You can protect the stupid people from the world if you want, but you can't protect them from themselves.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
This is the classic case of a kettle calling the refrigerator black.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
If he was wrong, why would Red Hat et al sell service contracts and make money off of them? They accept that money in return for accountability, responsiblity, and SLAs - all of whicha major corporation will demand and which are not present in the pure open source model.
So, he's right, but he's also wrong in that Red Hat is no responsible for Linux kernal security, but they are responsible for getting patches out for issues discovered.
In other news, a representative from Yugo blasted BMW for not putting rear window heaters on their cars. "If you have to push it in the winter, your hands will get cold. What a crappy car."
Unknown host pong.
From Bruce Schneier "Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that a unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) have an online mean life expectancy of 3 months before being successfully compromised." I think the term is not "more secure" but "less vulnerable".
http://www.michel.eti.br
You see, it's called marketing. He is saying exactly what big wig CIO/CEO/C[A-Z]{2} understand and like to hear. Accountability. That's a big thing to most corporations.
Now, him saying that Redhat can't improve the kernel is simple BS, and could either be a fundamental lack of understanding on his part, or just a flat out lie. Given his position, I'm guessing it's a lie. Redhat ( as have most distributers ) patches the kernel with it's own magic, and will often update it on it's own.
Cliff notes: MS marketting with head in sand. News at 11.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
This is another example of Microsoft's marketing prowess. They know that IT managers want to hear about vendor accountability, single source solutions, etc. Those who still are using only Windows are probably not technically competent enough to see through the FUD. The truth is irrelevant here.
Move along, people. Nothing to see here. There's no point in getting pissed off about this; Microsoft shills are liars and exaggerators.
...
I will never forget -- seeing as how it happened only on 19 December just gone -- about my broadband installation. Not wanting to rock the boat nor confuse the cable installer guy, I rebooted into XP just prior to his arrival. He hooked my old beater celery up with DHCP and I surfed for about ten minutes. I thanked him and he left.
So I figured I'd do the decent thing and do the security updates.
Eight hours later, I cleaned off the last of the spyware, adware, malware horseshit.
To Nick McGrath: Fuck off and die, you wanker. How much you want to bet your router at home runs a Linux variant for firewalling purposes?
========================================
Death will come, and will have your eyes
-- Pavese
They take responsibility for their distribution. They will patch their kernel if anything seems wrong with it. From time to time they pay for an audit. Similarly the debian people vouch for their kernel, and so on. The vanilla kernel.org kernel is only accountable to the kernel.org people, true, but most "enterprise" distribution makers will stand up for every package they distribute.
I am trolling
LIMITATION ON REMEDIES; NO CONSEQUENTIAL
OR OTHER DAMAGES. Your exclusive remedy for any breach
of this Limited Warranty is as set forth below. Except
for any refund elected by Microsoft, YOU ARE NOT ENTITLED
TO ANY DAMAGES, INCLUDING BUT NOT
LIMITED TO CONSEQUENTIAL DAMAGES, if
the Product does not meet Microsoft's Limited Warranty,
So, are we believe that if Windows crashes my data, that I can hold Microsoft accountable?
At least with Linux I have access to the source code, and can hire programmers to scratch my itches for me. Somehow, I don't think microsoft would give out source code if they went under.
McGrath is not making a technical argument, but a management/legal one. In business, security (ie peace of mind) is not defined by the tightness of a piece of code but by who you can make accountable for any failure.
Microsoft at least is the clear and sole owner of its product. Though any single customer's ability to make it responsible for product deficiencies is slight at best, a statement of "we're here and responsible for our stuff" is superficially reassuring.
a world in progress...
Linux is not Windows
Come now. This is rediculous:
I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.
This is true, I will agree.. in my humble opinion. Let's save the editorializing for the comments. This is 'News for Nerds' - this sort of snide comment has a place in an Op/Ed page, but certainly not the 'front page' of a news site. I suppose there are divergent ideas of what Slashdot really is, but I think that endeavouring to be unbiased would be great.
I'm not meaning to troll or to be 'flamebait' here, just to point out a disturbing trend I've noticed in biased story submissions.
"There's no success like failure, and failure's no success at all."
- Bob Dylan
Unfortunately, part of marketing, especially when your product is getting negative publicity, is pointing out perceived flaws in competing products. I believe the term often used is FUD, and it's nothing new or unique to MS. Heck, it's pretty much how GWB won a second term.
When it comes to this sort of thing, they have a wide lattitude of opinions they can express, especially when there is no Linux, Inc. to sue them for slander. The Linux community, however, has been quite good at spreading the word about MS badness; they're just trying to do the reverse because their feelings are hurt.
The CB App. What's your 20?
Spyware:
Windows: I run a spyware checker every week or two, and it almost consistently finds new spyware.
Linux: Is there a spyware checker for linux? Does there need to be? I know that my Linux box runs consistently fast, and has no search bars.
Edge: Linux
Default Habits:
Windows: The Windows XP install, by default, seems to create an Administrator account with no password, no User account, and no suggestion that there should be a user account. Also, there's many services that are on by default, that really shouldn't be.
Linux: All linux distros I've used require a root password, and strongly emphasize that root is not to be used for day-to-day computing. Depending on the distro, most unnecessary services are off by default.
Edge: Linux
Updating:
Windows: Use an insecure browser, tied to the OS itself, to browse to Windows Update, wherein the system is updated. Note that these updates have a nasty habit of breaking things, and this does not update third-party software which may be vulnerable.
Linux: sudo apt-get update; sudo apt-get OR upgrade
sudo emerge sync; sudo emerge --update world
Edge: Linux
Do I need to go on?
i really don't want to play down the problems linux has with its development model and i sure have heard great things about the microsoft development process!
but i'd rather have a more secure system now, which lacks in development stringency, then a provenly unsafe system which can prove exactly when, why and how their bugs came into the system...
microsoft is just far too lax concerning their outward security policy (like not caring about the blatant RC4 exploit). their "patch day" with all those patches that never quite close the exploits is just a farce!
well, gnu/linux with all its applications has had a bad streak of exploits as well recently and i would strongly recommend a stricter development process, but if i were microsoft i'd definitely tone down on the linux-is-insecure-and-lacks-accountability bashing and instead invest some serious effort in making my own product look a little more convincing and less like the bug-ridden security hole that it is!
jethr0
Mike Tyson accused Michael Jordan of being "violent and out of control."
And Richard Simmons accused Charlton Heston of being "way too gay."
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
Yes, what a good point. There are multiple DE's for linux. This is a bad thing, because it means developers have a choice. There should only be one piece of software for each category, and it should be manufactured by Microsoft. Choice is bad, people!
My Systems
Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.
Why, of course he does. That's his job.
In other stories, water's wet, sky is blue and women have secrets. More news at 10!
Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
Er... and who is accountable for the Security for Windows?
Microsoft?
Internet-swiss-cheese-security-Exlorer Microsoft?
And will Microsoft take responsiblity for their security holes? Will they pay for the damages caused by crashes and exploits for their buggy software?
Maybe if they get their software quality up to a reasonable level they can START asking questions, but as long as they are as bad as now, they better keep their mouths shut, or they'll have to stuff their own feet in them.
+++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
This "lack of accountability" argument is bullshit. Why does Microsoft have an EULA for its software? To cover their asses so they can't be held accountable for damages caused by their shitty software. When was the last time Microsoft was taken to court over losses due to poor software? If they could be held accountable, they'd get sued right out of business!
-kidlinux.
I'm actually serious, you were moderated informative but I am really wondering where the superiority of the MS tools come from..?
We've always been at war with Eurasia.
As we all know, Open Source Software development is structurally similar to the scientific method and evolution in terms of how "new things" are created by the these systems. Similarly, what Microsoft is claiming is that software can't be created well "at random" through emergent means (we know that's a crock) but needs "the Hand of an intelligent Creator" to control everything (Microsoft == God, apparently). Ergo: Microsoft is claiming that only "Creationist Software" is good software - "Evolutionary Software" is evil software.
I think this could be useful angle of attack against Microsoft FUD: they are advocating creationism and faith-based solutions to computer science.
I like the related articles at the bottom of the page.
RELATED ARTICLES
* Microsoft to axe Windows 2000 security upgrades
* Microsoft enhances SQL 2005 security
* Viruses plague half of UK Windows users
* Linux fights off hackers
* Busy day for Linux administrators
* Industry giants offer Linux consumer boost
* Windows open to critical vulnerabilities
I am generally a UNIX programmer, but I have also used custom operating systems. Only twice have I had to use M$ tools. Both times I have found obnoxious stupidities that led me to the conclusion that M$ does not use their own tools in any reasonable fashion.
Around 1989, I had to use whatever Visual Studio was called then. In the debugger, while stepping thru some C code, I accidentally stepped into strcmp or some other function for which the source code was not available. It dropped into assembler mode, quite fine, just a matter of stepping until it exited back to C code. Except it then displayed the C debug screen without first clearing the assembler debug screen. Lots of pieces left over, register displays, hex codes for instructions, etc. Almost unreadable. It gradually cleared itself up as I continued to use it.
Around 2002, I had to use Visual Studio for some small project. You can click on an API and it automatically adds skeleton code to source files. It leaves those windows open, and I did not want so many windows open at once, so I tried to close them. Nothing under any menu I could see, but the X in the corner worked. Next time I used the skeleton code inserter, it complained that the file had been modified by an external program.
Now I suppose I was doing things the non-M$ way. There is probably some perfectly normal way of getting rid of excess windows. Maybe I should have iconized them instead, but that clutters up the task bar. I found two other similar bugs within the first half hour of using the beast.
These are the kind of bugs that anyone using the program would stumble across very quickly. How can the M$ deveopers take any pride in releasing such buggy code? How can they stand to even use such crap software? Is it so crappy that they don't use it themselves?
I have no respect for M$ programming skills.
Infuriate left and right
Set-uid works by changing the user ID of the program to that of its' owner; thus a program like passwd (which must have root privledges to write to the password/shadow file) has suid. Scripts which use suid have a few particular security concerns; since they inherit the PATH environment variable (and a few other particulars) from their calling user, you want to ALWAYS use the full path to commands. Thus, your script should look like:
and:since a user adding a malicious insmod or rmmod to their path could gain privledges. (There are other, more subtle, security issues with suid, but this is the easiest to understand.)Nevertheless, having a suid script is far preferable to idiots logging in as root for ordinary work!Do you like Japanese imports?
I've heard this from several corners. Sometimes, even from people I trust a bit. I still don't get it. I don't live in the MS world, so I don't have much of a reason to experiment, but I am honestly interested in what makes them so great.
I hear about the "tool tip" style reference checking, auto-library chain analysis, etc. The first would annoy the shit out of me, and the second I get from my make file (or ant, depending on what I'm building).
C# seems to be a slight step up over Java, but nowhere near enough to incur the cost of switching platforms. (I say this as someone who develops and maintains production apps in Java, and hates the language.)
As a sysadmin-cum-developer-cum-business-guy, I do everything in vi, make/ant, cscope, and custom tools using primitives like sed, awk, grep, perl, svn, RT, image-magick, [custom mailing list manager], etc (yeah, perl can replace sed and awk. I mean to, some day...). I think I have everything I need, but I'd love to hear about how it could be done better.
So, please, do tell- what makes MS dev tools so great? I'm really curious.
I forget what 8 was for.
Because the way they do it at MS, they're raking in about $40B:y. Good security would cost them more money than just talking about it. They're smart enough to know how to turn insecurity into a marketing triumph, without paying the cost.
--
make install -not war
In making a business decision, it's unlikely for anyone to take responsibility. The larger the business, the smaller the likelyhood. It's not an issue of cowardice; the risks simply don't outweigh the rewards.
So, the question "who do you blame" is a legitimate question. System fails, Clients sue company, company pays clients, insurance company pays company; insurance company sues vendor.
In business, those who take chances are the people who create the great successes and the great failures. These people exist. They are not the norm.
"Nobody ever got fired for buying IBM." The point is not that this is true. The point is that people say (or said) this. They're saying that if you're working for someone and you want to keep your job, you make the safe decision.
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.'
And who, pray tell, is accountable for the thousands of holes that have left Windows users open to viruses, trojans, and other malicious uses of their hardware? Billions of dollars in money throw into the toilet fixing the results of nonexistant to pathetic securty in Windows, with an EULA that specifically absolves Microsoft of all blame if anything goes wrong using their software, and they have the gall to claim that they are accountable for Windows?
Should I be submitting my bills to Microsoft instead of my clients when their poorly designed, poorly implemented software causes them to need my services for hours on end, making them unable to do work, let alone pay my fees?
Why is Microsoft complaining about security liablity of Linux when they're writing and selling a desktop for it?
Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
I applaud Microsoft's recognition of the importance of accountability. I look forward to reading Microsoft's revised license agreement, in which Microsoft will presumably accept liability for consequential damages resulting from security flaws of Microsoft products.
I entered the address of a website, it wasnt a particularly nasty site, just something resulting from a google search.
And it automatically installed a spyware application. No YES/NO dialogues just installed it. After that I saw attempts at outbound port 6667 to various external servers.
Now I do manage servers that hold financial data, and servers with ERP software that run the company.
I ask you, Microsoft, can you be held accountable if our company melts down should malicious spyware enter the system with their authors intending to corrupt our backups and bring everything down?
Will you pay us the millions that we lose as we lose our customers?
Will you as a result of such a catastrophe give us an OS that does NOT allow such breaches of security?
I understand IE in Windows 2003 is more secured, and we should never browse for anything on the server itself... etc. However Windows2003 has not been matured enough to bring out the bugs while Windows2000 has issues even after SP4, and after Microsoft will cease to provide bugfixes for it.
We replaced our firewall with OpenBSD. We simple cannot find a reason to upgrade it from the 3.4 version, since the older version is so secure. Hell yeah we've had attacks of all kinds, to almost all ports, syn cookies even ddos type attacks that slowed the Internet connection, but we're still up, and without ever having an issue for over two years of OpenBSD operation.
Coming back to Linux, which is also a UNIX clone, and which has more eyeballs on it, and more companies taking responsibility for it, tell me, should I pay for a crappy OS with someone behind it you can point fingers to, or a nice OS with no person behind it simply because youll never have to point fingers?
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
If Microsoft is so concerned about responsibility for security flaws, why is it that they don't offer indemnification for users hurt by their software?
But reading the EULA, MS clearly states that they are not responsilble. I expect WindowsUpdate to change my system through patches, but I don't expect upgrades. I'm still running Win2kPro on my tri-boot system (Debian and Gentoo.) I KNOW that I will not get my UPGRADE to XP. I also hated hearing MS discuss XP SP2, and calling it an "upgrade." Also, I am CONFIDANT that MS would not take responsibility for data loss. ~ FUD
so it is hundreds of hundreds, then?
My guess is that only a "handful" of MS employees work on windows' micro-kernel as well. Though it might be true that there are more developers writing for the MS platform, this is because it is the world's most widely used OS. He's done a bait-and-swtich almost... Discussing the kernel development and relating it to the wide base of application software?
He uses the word "myth" quite often here. So let us look at a few select definitions of the noun:
* a traditional story accepted as history; serves to explain the world view of a people
* A popular belief or story that has become associated with a person, institution, or occurrence, especially one considered to illustrate a cultural ideal
So a myth doesn't necessarily mean make-believe. We could interpret his quote to have meant this : "The world-view and cultural IDEALS of Linux have made themselves a concrete REALITY over the past year!"
Well, uh... DUH! If you expect more out of something, that something will be more challenged to perform. Water is wet. The Pope is Catholic. If I expect my automobile to drive 200 mph, the manufacturer will have a bigger challenge designing it. Go figure.
OK, I'll admit, I'm not a software guy. But aren't these unrelated statements? ie, What does a development environment have to do with mission-critical computing??
The Linux Desktop (and kernel?) may have certain things missing, that's a given. That doesn't mean that it isn't ready for SOME mission critical computing. I'd be more inclined to use a kernel/OS that allows inspection of it's source for any mission-critical apps. Ask NASA why the Mars rovers are using Linux instead of Windows.
FUD FUD FUD, is all I got out of the article.
Please explain where I'm incorrect here. I admit that I'm not as knowledgable on some of these points as many of you, and would prefer to know why/how I might be incorrect.
In general, I agree with him on this (I have not RTFA yet). Nor is Windows, of course, but that's taken for granted. Of course, it depends how critical your mission is. "Mission-Critical" is one of these phrases which is bandied around, but let's consider what it means....
"The mission depends on this system".
That still does not define the extent to which the mission depends on it - 80%? 90%? 100%? Nobody offers 100% availability, if that's what you're referring to.
The phrase also ignores the mission involved. For NASA, the Mission might be to send a man to Mars and back, but what if my "mission" is to run a website which expects to get 3 hits a month with a 60% expectation of success? An Atari could cope with that - my mobile phone could probably cope with that!
Taking the phrase in the way it's normally meant (running systems which are responsible for a significant amount of the user's business, and the failure of which would cause significant disruption of the business process and/or profit), then the whole discussion still depends entirely on the "mission" involved.
What tradeoffs is the mission prepared to make for uptime, for example? Serving read-only webpages, I care little for data integrity (I've been serving the same data for years, I've got it on tape, CD, DVD, onsite and offsite), and only care about uptime.
If I'm running a database which is updated many times a minute, then uptime still matters to me, but I also need to know which transactions have been fully processed, and which have failed (given Failure Scenario N, which may or may not have been predictable). That is much more difficult.
Author, Shell Scripting : Expert Re