Microsoft Claims Linux Security a Myth

black hole sun writes "Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.' The gist of his argument appears to be his claim of lack of accountability among distributors, coupled with generic statements short on facts. 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.' He goes on to say that 'Linux is not ready for mission-critical computing. There are fundamental things missing,' pointing out the lack of a development environment and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program." I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.

Indeed

[SilverspurG]

"Who is accountable for the security of the Linux kernel?"

Tell me. Of the 60,000 some (give or take whatever) viruses, worms, and trojans available for Windows, how many of them even needed kernel level access? I suppose he can simply blame that on others.

There are bits of the Linux software stack that are missing

Care to elaborate? Just what part of the software stack is missing?

Re:Indeed

[had3l]

"Care to elaborate? Just what part of the software stack is missing?"

They don't know, it's missing.

Re:Indeed

Trying to use logic and reasoning in the face of this style MS FUD is just going to make for a long winded argument.

Here, MS is starting out with claims that don't have a thing to do with reality. They're stating nothing more than equivalents to 'what if's. Making a reasonable sounding argument that in the absence of proof sounds like it could have some backing behind it.

When MS says "The biggest challenge we need to face centres on the myth and reality. There are lots of myths out there as to what Linux can do. One myth we see is that Linux is more secure than Windows." it's just an outright lie. It sounds like he's taking the position of a firm stand against a very real problem. "the open source development process creates fundamental security problems." furthers it, by attempting to put an explanation on just what's wrong with Linux.

It's theorising, and it's the kind of logic a bunch of guys down the pub will bullshit on about for hours, talking about cars or government or whatever, things they really don't know about, but can sound knowledgeable about.

Sounding knowledgeable doesn't stand up to Reality though.

Microsoft's comments about Linux security in the face of the passing of their least secure year is the equivalent of them arguing that drink driving is actually safer, by stating "Alcohol slows you down. It would make you drive slower, therefore be safer. You'd be less likely to do anything silly cos you'd be trying to concentrate harder on driving well". On the surface to someone who knows no difference, it sounds like an argument that has merit.

But again, The Real World jumps up and gets in the road, and that's where real security issues for MS exist, and not in their false construct of marketingspeak.

Re:Indeed

Read the EULA for Windows.

Microsoft isnt responsible for the security of windows either!

Re:Indeed

[timeOday]

Accountability is a complete red herring in the first place. Microsoft explicitly disclaims any liability for whatever may go wrong with Windows. Just like everybody else - but then MS has the gall to slam others for lack of accountability!?

They can make accountability an issue right after they start taking the blame for virii and worms, and reimburse business for all the expense and inconvenience Windows holes cause.

Re:Indeed

[Jesus_666]

That's why water is not ready for mission-critical drinking, as it's development model is fundamentally flawed and it's lacking a single 'drink-on system'. Because of that Microsoft has been forcing it's employees to only drink Jack Daniel's Tennessee Whiskey since 1984.

Re:Indeed

[brianosaurus]

Even more basic,

accountability != security

When one of those 60,000 viruses, etc, attacks your Windows box, you know exactly who is accountable for the security hole: Microsoft.

But what good has that done any of us? I still see the worms trying to infect my system daily (fortunately I run Apache on FreeBSD, not IIS on Windows). When I visit my relatives with Windows boxes, I have to clean up hundreds of pieces of spyware and adware. Knowing who to point your finger at doesn't stop the thousands (or whatever) of compromised machines from constantly spamming us.

Not to mention M$'s latest announcements limiting security updates to only non-pirated copies. That's a tough call. On the one hand, the pirates get what they deserve; they didn't buy the product, so they are not entitled to support. That's fine.

The problem is that its not just the pirates who are penalized. Having thousands of unpatched Windows machines is bad for everyone. The worms and viruses don't care if its a legal copy or not. They'll infect and add the pirate machines into the spam-cluster. Who is accountable for those, now that MS has washed that one off their hands? I still say Microsoft.

Not A Myth, Just Not Inherent

[the_mad_poster]

Fact: Much of what winders suffers from is incompetent users. Nothing is really stopping the developers from writing spam bots for windows because idiot users on Linux could run bad code just as easily as idiot users on windows.

OTOH, you don't have such dumbass tricks ass tying your browser right to the OS or ActiveX, so you make spyware and whatnot less of a factor.

On yet another hand, however, you have the problem of moron users running sendmail daemons that listen for connections from the Internet and other stupid things. Plus, Linux has security holes. If stupid people don't patch them just like they don't path winders, what good is the security?

Again: You can protect the stupid people from the world if you want, but you can't protect them from themselves.

Re:Not A Myth, Just Not Inherent

[ggvaidya]

IMHO, the biggest problem is that Windows has remained relatively unchanged since Win95. Win95 was a single-user application, only just beginning to explore the Internet. The biggest risk your computer could face - viruses - could be handled by being very careful about which floppy disks you used. People who used BBSes were competant enough to use antiviral programs.

With the coming of the Internet, all that changed. Windows needs to be secure enough to prevent web-based attacks, such as through badly created web application frameworks like ActiveX, as well as prevent attacks on vulnerabilities in the networking function of the OS. Stuff like using a restricted user mode, frequent updates, using a secure browser, etc. are necessary to stop such attacks.

A Windows computer is probably as secure as a Linux machine if adequate measures are taken: antivirus programs, firewalls (generally included in the former), secure passwords, not running as Admin and most importantly, frequent updates.

All this is new stuff that people have to learn. Atleast if you use Linux, somewhere down the line you *have* to learn the basics of stuff like this (I've found "rm -rf" is the best tool for teaching people to NEVER run as root!). With Windows, you can remain painfully oblivious to the most basic security techniques because the OS will *let* you - and your computer becomes the next hub for Joe Spamboss.

Hopefully, SP2 will improve things - I've found the firewall a real PITA, particularly on university-administered computers, but atleast it makes people a little more aware and careful.

I don't think branding everybody as "stupid" is the way to go about it. They're not stupid, they're just not aware. And I blame Microsoft as their enabler, atleast for these last few years.

Linux Security vs Microsoft AntiSecurity

[michelcultivo]

From Bruce Schneier "Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that a unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) have an online mean life expectancy of 3 months before being successfully compromised." I think the term is not "more secure" but "less vulnerable".

Well..yeah..he would say this

[grasshoppa]

You see, it's called marketing. He is saying exactly what big wig CIO/CEO/C[A-Z]{2} understand and like to hear. Accountability. That's a big thing to most corporations.

Now, him saying that Redhat can't improve the kernel is simple BS, and could either be a fundamental lack of understanding on his part, or just a flat out lie. Given his position, I'm guessing it's a lie. Redhat ( as have most distributers ) patches the kernel with it's own magic, and will often update it on it's own.

Cliff notes: MS marketting with head in sand. News at 11.

Re:Well..yeah..he would say this

[daviddennis]

How is Microsoft accountable when their own license agreements say clearly that they are not liable for any consequences resulting from use of their systems?

If they were genuinely accountable, they'd be bankrupt.

I have to say, this is a pet peeve of mine - pretending to take responsibility when there is, in fact, no responsibility taken is just plain wrong.

D

Re:Well..yeah..he would say this

[powdered+toast+dude]

Don't confuse accountability, responsibility, and liability.

1. Accountability means you can point your finger at me and I'll say "yep, my bad."
2. Responsibility means I then have to fix it.
3. Liability means that you then get to take my wallet.

$0.02,
ptd

Excellent marketing

[vijayiyer]

This is another example of Microsoft's marketing prowess. They know that IT managers want to hear about vendor accountability, single source solutions, etc. Those who still are using only Windows are probably not technically competent enough to see through the FUD. The truth is irrelevant here.

Ho-hum

[twilight30]

Move along, people. Nothing to see here. There's no point in getting pissed off about this; Microsoft shills are liars and exaggerators.

I will never forget -- seeing as how it happened only on 19 December just gone -- about my broadband installation. Not wanting to rock the boat nor confuse the cable installer guy, I rebooted into XP just prior to his arrival. He hooked my old beater celery up with DHCP and I surfed for about ten minutes. I thanked him and he left.

So I figured I'd do the decent thing and do the security updates. ...

Eight hours later, I cleaned off the last of the spyware, adware, malware horseshit.

To Nick McGrath: Fuck off and die, you wanker. How much you want to bet your router at home runs a Linux variant for firewalling purposes?

Red hat does take responsibility though

[m50d]

They take responsibility for their distribution. They will patch their kernel if anything seems wrong with it. From time to time they pay for an audit. Similarly the debian people vouch for their kernel, and so on. The vanilla kernel.org kernel is only accountable to the kernel.org people, true, but most "enterprise" distribution makers will stand up for every package they distribute.

Who is accountable for Windows?

[nharmon]

From Windows XP's EULA:

LIMITATION ON REMEDIES; NO CONSEQUENTIAL

OR OTHER DAMAGES. Your exclusive remedy for any breach

of this Limited Warranty is as set forth below. Except

for any refund elected by Microsoft, YOU ARE NOT ENTITLED

TO ANY DAMAGES, INCLUDING BUT NOT

LIMITED TO CONSEQUENTIAL DAMAGES, if

the Product does not meet Microsoft's Limited Warranty,

So, are we believe that if Windows crashes my data, that I can hold Microsoft accountable?

At least with Linux I have access to the source code, and can hire programmers to scratch my itches for me. Somehow, I don't think microsoft would give out source code if they went under.

A bird in the hand is worth two in the bush.

[jonastullus]

i really don't want to play down the problems linux has with its development model and i sure have heard great things about the microsoft development process!

but i'd rather have a more secure system now, which lacks in development stringency, then a provenly unsafe system which can prove exactly when, why and how their bugs came into the system...

microsoft is just far too lax concerning their outward security policy (like not caring about the blatant RC4 exploit). their "patch day" with all those patches that never quite close the exploits is just a farce!

well, gnu/linux with all its applications has had a bad streak of exploits as well recently and i would strongly recommend a stricter development process, but if i were microsoft i'd definitely tone down on the linux-is-insecure-and-lacks-accountability bashing and instead invest some serious effort in making my own product look a little more convincing and less like the bug-ridden security hole that it is!

jethr0

Lack of what?

[kidlinux]

This "lack of accountability" argument is bullshit. Why does Microsoft have an EULA for its software? To cover their asses so they can't be held accountable for damages caused by their shitty software. When was the last time Microsoft was taken to court over losses due to poor software? If they could be held accountable, they'd get sued right out of business!

Re:*COUGH* sendmail *COUGH*

even if it didn't do the same search replacing sendmail with the following and compare the counts:

sendmail counts: 54,800

windows counts: 193,000

now we know that windows hasn't been around nearly as long as sendmail, and yet it has nearly FOUR times the buffer overflow matches.

now let's do -

Internet Explorer: 349,000

Outlook Express: 57,700

Outlook Express has been in use for under 8 years and has 300 more matches for buffer overflow than sendmail.

according to your logic for deducing how secure something is, I'd still pick sendmail over anything microsoft makes.

Who is accountable for Windows?

[analog_line]

'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.'

And who, pray tell, is accountable for the thousands of holes that have left Windows users open to viruses, trojans, and other malicious uses of their hardware? Billions of dollars in money throw into the toilet fixing the results of nonexistant to pathetic securty in Windows, with an EULA that specifically absolves Microsoft of all blame if anything goes wrong using their software, and they have the gall to claim that they are accountable for Windows?

Should I be submitting my bills to Microsoft instead of my clients when their poorly designed, poorly implemented software causes them to need my services for hours on end, making them unable to do work, let alone pay my fees?

Re:Profitable Insecurity

[einhverfr]

Because the way they do it at MS, they're raking in about $40B:y. Good security would cost them more money than just talking about it. They're smart enough to know how to turn insecurity into a marketing triumph, without paying the cost.

I think that this is present in the minds of program managers at Microsoft to some extent and has been an issue that has needed to be dealt with. But it is not the only one, nor is it the most glaring.

Microsoft suffers from an inferiority complex when it comes to performance and computing. So often the design compromises which occur in the name of performance are more damaging than the ones which happen in the name of cutting costs and making release schedules. This is speaking as a former insider.

For example, early NT systems (through 3.x) used a microkernel architecture with the drivers running in ring 1 on Intel and ring 0 on alpha. GDI.exe was a user-mode program.

Well, it was decided that NT 3.x did not perform well enough, so when NT4 was designed, the essential elements of the microkernel architecture were abandoned in favor of a system where the drivers and GDI ran in ring 0. In other words, the though that stability and security were not marketable but performance was and so chose performance over the other two.

Then the TUX webserver came out, I looked at the architecture, and my first thought was "I am NOT running network services as part of my kernel! I don't want those l33t h4x0rz exploiting Ring 0!" I even pointed this out in several discussions regarding the competitive landscape at Microsoft. In general the technicians, support managers, etc. all agreed with me. But not the program managers whose job it was to steer Windows development, because parts of IIS6 run in kernel mode. Again, compromising security and stability for performance (just as TUX does). Again this decision was made to counter Linux publicity re: performance rather than to try to offer a compelling alternative.

In other words, Microsoft still is not really driven by making secure software. Or at least it wasn't when I worked there (up until shortly after Server 2003 launched). Instead, they have a whach-a-mole marketing attitude where their new products must beat their competitors' in terms of publicity based on whatever market fad is happenig at the time.

So these words are a threat but seem to indicate that they are really worried about Linux and all the free publicity that they are getting.

But when was the last time anyone trusted Microsoft re: security anyway?

Microsoft are you Accountable?

[mnmn]

I entered the address of a website, it wasnt a particularly nasty site, just something resulting from a google search.

And it automatically installed a spyware application. No YES/NO dialogues just installed it. After that I saw attempts at outbound port 6667 to various external servers.

Now I do manage servers that hold financial data, and servers with ERP software that run the company.

I ask you, Microsoft, can you be held accountable if our company melts down should malicious spyware enter the system with their authors intending to corrupt our backups and bring everything down?

Will you pay us the millions that we lose as we lose our customers?

Will you as a result of such a catastrophe give us an OS that does NOT allow such breaches of security?

I understand IE in Windows 2003 is more secured, and we should never browse for anything on the server itself... etc. However Windows2003 has not been matured enough to bring out the bugs while Windows2000 has issues even after SP4, and after Microsoft will cease to provide bugfixes for it.

We replaced our firewall with OpenBSD. We simple cannot find a reason to upgrade it from the 3.4 version, since the older version is so secure. Hell yeah we've had attacks of all kinds, to almost all ports, syn cookies even ddos type attacks that slowed the Internet connection, but we're still up, and without ever having an issue for over two years of OpenBSD operation.

Coming back to Linux, which is also a UNIX clone, and which has more eyeballs on it, and more companies taking responsibility for it, tell me, should I pay for a crappy OS with someone behind it you can point fingers to, or a nice OS with no person behind it simply because youll never have to point fingers?

Re:Profitable Insecurity

[einhverfr]

so why did you leave?

Aside from the politics which were eay over the top in my opinion, I had a few family issues that could not be adequately addressed while I worked there. Now that my year has passed and I am no longer bound by any non-compete clauses, I can be a little freer with who I am and what I am doing now.

BTW, for those that do work at Microsoft, I was deeply involved in competitive discussions which lead to:

1) Pop3 server bundled with Windows Server 2003 (so that the SMTP/POP3 server combination can compete with Sendmail).

2) The decision to take Services for UNIX to Linuxworld was based on my suggestion though I had no power or leverage to make it happen (and others carried the torch).

3) I was the first to my knowledge to suggest the bundling of SFU with Windows Server. I made many other suggestions but I feel that it would be unwise to mention any which have not been announced either way due to NDA's.

After I left Microsoft, I began to develop a set of software tools designed to help complete the Linux software stack (and just simple utilities to make my life easier). I began a software consulting business which helps people make the most of Linux and Windows.

To tell you the truth, there are pieces missing from the Linux software stack. ANyone who tells you otherwise does not deal with the range of customers necessary to see it but it si there and includes a lot of vertically targetted software for small businesses and line of business software. Most of the software in these markets is not very mature and will take time to develop. So Linux is not for everyone in every capacity but it is getting there.

On the other hand, Windows security is a horrible myth. Windows will never be as securable as Linux is. There are fundamental problems in its design and I have no problem saying this.

Now I did not say that Windows is less secure than Linux, only that it is less securable. If you really want to, you can configure your Linux system to be less secure than Windows 95. It is not that easy to do but it can be done. On the other hand, it will be next to impossible to achieve the same securability on Windows that you have on Linux without breaking a lot of important crap.