Slashdot Mirror


MS Security Chief Says Windows is Safer Than Linux

Kip Winger writes "Mike Nash, Microsoft's Chief Security Executive, has made claims that Windows is more secure than Linux. In a recent online chat, he staunchly defended Microsoft's record on security, basing part of his argument on how Windows Server 2003's 15 patches in the past year are far less than what RedHat or SuSE have had to endure." He also mentioned the recent purchase of Sybari and their Antivirus product.

713 comments

  1. What about by beatdown · · Score: 5, Insightful

    the patches that they should have done?

    1. Re:What about by halivar · · Score: 5, Insightful

      Apparently, Microsoft policy is only to release patches for vulnerabilities that are currently being exploited.

      And yes, this is flamebait. M$ can't (or won't) secure a paper sack, much less an operating system. More patches from Linux vendors means they're actually working on the freaking problem.

    2. Re:What about by networkBoy · · Score: 2, Funny

      I saw the title of this while taking a sip of my morning caffeine, and nearly sprayed my notebook. As it is, the dribble of soda from my nose is causing me great pain.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    3. Re:What about by Anonymous Coward · · Score: 2, Interesting

      In the last ~2 years there have been no security vulnerabilities reported for IIS6.

      The same cannot be said for apache which averages about 2 per month.

      I would conclude that IIS6 is a secure product, from Microsoft.

    4. Re:What about by Anonymous Coward · · Score: 1, Informative
      Actually if you can read, in fairness he actually said:

      "Even with the relatively large number of bulletins we released this week, we compare favorably," he said. "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."

    5. Re:What about by NoMoreNicksLeft · · Score: 5, Funny

      Isn't this a bit like claiming you are more healthy than someone else, because you've been to the hospital 40 days this year for your last-ditch chemotherapy? "Look at linux, it hasn't seen a doctor in over 10 years!".

    6. Re:What about by Shkuey · · Score: 5, Insightful

      Apparently, Microsoft policy is only to release patches for vulnerabilities that are currently being exploited.

      What about some of the biggest issues in recent history like blaster or code red? Both were patched by Microsoft well in advance of their outbreak. Irresponsible PC users cause a lot of the major security issues in this connected world; you can't put all the blame on Microsoft.

    7. Re:What about by halivar · · Score: 3, Funny

      That analogy is much more appropriately applied to Windows. "Look at IE, it hasn't seen a patch in 10 months!"

    8. Re:What about by halivar · · Score: 0, Redundant

      Irresponsible PC users cause a lot of the major security issues in this connected world; you can't put all the blame on Microsoft.

      You're absolutely right. However, I think we can at least claim that MS creates favorable conditions for the spread of virii both in the products themselves and user education associated with them.

      What about some of the biggest issues in recent history like blaster or code red? Both were patched by Microsoft well in advance of their outbreak.

      Those are two very good examples of MS breaking from normal behavior. That's just my opinion, however, so take it with a grain of salt.

    9. Re:What about by Dolda2000 · · Score: 5, Insightful
      More patches from Linux vendors means they're actually working on the freaking problem.
      While that's true, there's another implication as well.

      While the patches for Windows include faults in, precisely, Windows (which is what I'm guessing that he's referring to by saying "15 patches"), the patch count for Linux distros includes patches for all programs in the distro. That includes not only the core parts of the operating system. In the @RISK newsletter I'm receiving from SANS, I see almost only patches for more seldom used software, such as ncpfs, Konversation, Dillo, xdvizilla, mpg321, and so on.

      Considering how a Linux distro probably contains at least 10 times as many software packages as a Windows installation (the vast majority of which are optional to install), I can't see how it would be in Microsoft's favor that they're issuing one third as many patches as Linux distributors do.

    10. Re:What about by Anonymous Coward · · Score: 0

      Apparently, Microsoft policy is only to release patches for vulnerabilities that are currently being exploited.

      And the fortune at the bottom of the slashdot page as I read your comment: "A computer scientist is someone who fixes things that aren't broken." :-)

    11. Re:What about by Dolda2000 · · Score: 1
      Then again, there was the ASN.1 bug that Microsoft didn't patch until half-a-year or so after they discovered it.

      Admittedly, they didn't release their knowledge of it to the rest of the world either, but who's to say that no crackers knew about it? I believe that security through obscurity has been said not to be the best solution.

    12. Re:What about by varmittang · · Score: 1

      MS can only hope to hide the bugs they have, and they are doing it at all costs so they don't have to fix them. So what do you do, point the finger at someone else, and blame them.

      --
      -----BEGIN PGP SIGNATURE-----
      12345
      -----END PGP SIGNATURE-----
    13. Re:What about by pbrammer · · Score: 4, Interesting

      How many of those 24 vulns for Red Hat were operating system specific?

    14. Re:What about by Feyr · · Score: 4, Insightful

      apples and oranges really. the 15 vulnerabilities for windows are to the core and system services. the 78 vulnerabilities of suse include packages that aren't critical to system operation

      a fair comparison would be only counting the patches to the kernel (~5 ?), critical software you can't remove (not sure), and i'd say apache (~ 2-3 ?), and then only the really critical ones (not in useless features that no one uses and are disabled by default) (0)

      don't get me wrong, i cringe every time there's a security bulletin for the linux kernel, it's a PAIN to fix. even worse than windows in my opinion (since linux servers aren't rebooted as often, you're never sure if the system will come back up properly due to changed lilo/kernel build options/little evil fairy)

    15. Re:What about by jimoc · · Score: 1

      I would count myself among the responsible PC users but I have a query. Say I'm using XP and a firewall. I open up IE and my firewall asks me do I want to give this program access. I say Yes. Have I just negated the value of my firewall since I have now given access to the program with the most holes in it?

    16. Re:What about by dubl-u · · Score: 0

      Irresponsible PC users cause a lot of the major security issues in this connected world; you can't put all the blame on Microsoft.

      I can sure try.

      Microsoft is allegedly selling an operating system for average consumers and nontechnical people. Much of their target audience knows absolutely nothing about computer security and will do nothing to maintain their boxes. If they produce a product that the vast majority of their chosen market is known to be incapable of using responsibly, they should take the blame for that.

      If it were utterly impossible to solve the problem technically, then maybe I'd forgive Microsoft and say that the government should require a license to own and operate a network-connected computer, along the lines of a driver's license and car inspection, or perhaps more like a building permit. But I think the problem can be solved entirely in software once Microsoft fixes some internal wetware issues.

    17. Re:What about by Anonymous Coward · · Score: 0

      That's a true assessment you made. But ...

      when I installed a pretty Redhat fedora core 2 I was surprised that there were over 200 patches to install. And I had selected a very few packages.

      Red hat FC2 is barely 1 year old. (rel. date feb24)

      My point is that you will find there is no advantage to linux when it comes to vulnerability counts.

      The advantage comes from the lack of it being a target.

    18. Re:What about by _Sprocket_ · · Score: 2, Informative
      In the last ~2 years there have been no security vulnerabilities reported for IIS6.

      Secunia shows 3 vulnerabilities for IIS6.
      The same cannot be said for apache which averages about 2 per month.

      Which version of Apache? Secunia shows different stats for Apache 1.3 than Apache 2 with the latter showing more regularity.
      I would conclude that IIS6 is a secure product, from Microsoft.

      Your numbers are off. And the numbers alone don't tell the whole story. You'd be better off doing a bit more digging before resting with that conclusion. Though, to be honest, I can see the argument being made.
    19. Re:What about by Anonymous Coward · · Score: 0

      and you are correct. however this is the business world where reason and truth do not apply.

    20. Re:What about by thenextpresident · · Score: 3, Insightful

      Yeah, and while I'll probably be modded down for this, the problem is that these programs, while not part of the OS, are part of the distribution. If mpg123 is included on the CD's for Red Hat or SuSE, then Fedora and SuSE are shipping these products. If the product turns out to be faulty, it means there's a problem with Red Hat or SuSE's distribution, regardless of whether it's located in the kernel or not.

      And it's also not fair to say "It's only the default install" that counts. If I go to SuSE or Red Hat, I expect that the vendor has done the job of making sure what they are releasing is as stable and secure as possible.

      Please, don't take this as me saying Windows is more secure than Linux. I am simply painting a picture: If the software that makes up the Red Hat or SuSE distro has security holes, the distro has security holes, it's as simple as that.

      --
      Jason Lotito
    21. Re:What about by pjt33 · · Score: 1

      One also wonders what he counts as a patch. One of the links in the summary shows that Secunia list 24 advisories for Windows Server 2003 in 2004, of which 23 appear to be patched. One advisory contains 14 vulnerabilities, most of which appear to be unrelated. Does "15 patches" mean 15 patch releases, each potentially including a number of patches?

    22. Re:What about by Anonymous Coward · · Score: 1, Insightful

      wait for the campaign where they'll try to convince us that the state is trying to steal their property, and that copyright and patents should be extended to forever.

      It's all about exploiting ignorance. The way MS states things sounds good, especially to those who don't understand the differences between open and closed source, between a MS operating system and a Linux distribution. How is this different from any other marketing strategy from MS?

    23. Re:What about by Anonymous Coward · · Score: 0

      > the patch count for Linux distros include patches for all programs in the distro.

      Yes, because they ship all that shit in the distro.
      Time and again people have complained about five fucking text editor RPMs but they still get shipped just like 5 years ago.

      > the patch count for Linux distros include patches for all programs in the distro.

      You ship it, you support it.

      This whole thing one vs. another is pointless - both are quite secure if you're not a moron. Neither is fool proof.

    24. Re:What about by vadim_t · · Score: 4, Informative

      Switch to grub.

      It's got the great advantage of being able to boot any kernel you have, as long as it can access the partition. Screwed up configuration, kernel with a bad filename, etc, all don't matter when you can load any kernel you want from grub's command line.

      It's a bit strange in some things, like that it counts disks starting at 0 and not 1, but overall it's quite nice when you get used to it, and it's definitely a lot better than LILO when something unexpected happens.

    25. Re:What about by rseuhs · · Score: 1
      the problem is that these programs, while not part of the OS, are part of the distribution.

      Why exactly is that a problem?

      With Linux I get all patches for (almost) all programs from one source, with Windows I have to go hunting for every single application.

    26. Re:What about by SpaceLifeForm · · Score: 1

      Not completely. But you didn't help yourself. Especially if you are using a software firewall on the same XP box. Even if you had a separate hardware firewall, you would still be allowing your XP box to pull stuff back and that stuff could be any kind of malware you can imagine. You need to use trusted software so that you can trust your machine.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    27. Re:What about by dgatwood · · Score: 3, Insightful
      Actually, the right comparison is the OpenBSD comparison---what security vulnerabilities are present on a default install in the default configuration.

      By that count, assuming a Linux distro is doing the right thing and not enabling any daemons unless the user tells it to do so, the number of vulnerabilities in Linux distros should be pretty close to zero. The number of vulnerabilities in Windows would still be 15.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    28. Re:What about by dabraun · · Score: 1

      Linux users LOVE to complain about how Microsoft bundles things with their OS - and how doing so adds additional security risks.

      Windows may be compared fairly to a full Linux distribution - not to the Linux kernel alone. Compare in terms of features, bundled software, and security.

      If Linux bundles (as you put it yourself) 10 times as many non-OS apps with their OS then they have to accept the security issues that come with those apps.

    29. Re:What about by cranktheguy · · Score: 3, Interesting

      yesterday i spent an hour fixing a windows 2000 pc. worst case of spyware i have ever seen. it wouldn't let me end the processes i knew were infected. they were running as system services. they reinstalled themselves before windows finished booting (as in, when adaware runs before you get to windows)! the quote from my roommate: "i didn't install anything." he had been using ie and running as administrator. let's see them patch that.

      --
      yeah, that's about it
    30. Re:What about by MrLint · · Score: 4, Insightful

      Well yes we do need to read what he actually said:

      "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities"
      "Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities"
      "SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities"

      Let's read these carefully, because MS are masters of spin. And we know that nothing they say on these topics isn't carefully constructed to *sound* like they mean the same thing, but aren't in fact the same thing.

      MS says they have patched 15. This is not the same as the number that *need* to be patched, how many are still unpatched.

      He says the others 'have had to patch'; all this really says is that there have been patches for 78 things. The only information we can glean (assuming the numbers are correct) is the number of things that have been fixed; there is no info on what hasn't been fixed, or how many are outstanding.

      So really MS isn't technically comparing the same things.

      Please also see this comment for another shade of this, being OS patches vs app patches.

    31. Re:What about by Anonymous Coward · · Score: 0

      Well, isn't the same argument that Microsoft currently applies to Mozilla exploits, that it's only a matter of time as it becomes more popular, also applicable to Windows Server 2003? It's not like it's as widely deployed as...say...Windows 2000 server, NT, or all the installs of XP that get hacked within 2 minutes of hooking up to the 'Net (even over dialup...).

      So, all I will say is... "it's just a matter of time". Since WinServer2003 is so dependent on .Net, and that is the "future" of Windows and its apps, there will probably be some wicked vulnerabilities waiting to be exposed, especially in the seams between managed and unmanaged C++ code (that .Net has to call to do some GUI things, among others), and that these vulnerabilities will have far more effect on Windows than what we've seen so far for systems, except for maybe the Morris Worm.

    32. Re:What about by FyRE666 · · Score: 2, Funny

      I just like the fact that Slashdot have published this story using their classy "babyshit" stylesheet.

    33. Re:What about by Anonymous Coward · · Score: 0

      > Yeah, and while I'll probably be modded down for this

      mods ... please mod him down.

    34. Re:What about by Curtman · · Score: 4, Informative

      Screwed up configuration, kernel with a bad filename, etc, all don't matter

      It can also boot Windows on an IDE drive that isn't primary master too, something that Windows can't seem to manage by itself. :)

    35. Re:What about by networkBoy · · Score: 1

      I only got to: "MS Security Chief Says Windows is Safer Than Linux" before the soda was coming out my nose. Didn't even have a chance to RTFA_summary.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    36. Re:What about by Aadain2001 · · Score: 1

      Not all patches are security patches. Some patches are version upgrades with new features or performance increases, etc. And even if it is a security update, you can't fault Suse or Redhat for releasing an unstable or insecure distro since they didn't create all the software in the distro. Even though they didn't create the software, they will help their users by providing a single location to obtain patches, which is soooo much nicer than under Windows. If MS were to do the same and provide updates to all your programs through Windows Update, I guarantee you that their patch count would be 10,000 times higher than Linux's.

      --
      Space for rent, inquire within
    37. Re:What about by Em+Adespoton · · Score: 2, Insightful
      This makes you think though, doesn't it?
      I mean, you get a RedHat install, go online, apply the patches, and then get to work doing whatever it is you want to do.

      Now let's go to Microsoft land.
      You install XP (if it isn't pre-installed), plug it into a firewall, configure firewall, go online, install updates, and then... and then...
      ...Install Office, go online, install updates...
      [repeat for x pieces of software by miscellaneous different software manufacturers]
      And FINALLY get down to doing whatever work it was you wanted to do, hoping that the software patches for the myriad of products you've installed from isolated vendors work properly together, and have been fully vetted and tested with a configuration similar to yours.

    38. Re:What about by einhverfr · · Score: 2, Informative

      YUM does not differentiate between security patches and new versions released for other reasons. Therefore these 200 updates could be 200 upgrades.

      Also I think that Linux is more securable than Windows. It is not a matter of not being a target, it is a matter of having more modularization in your system so that it is more possible to reasonably secure the computer against attackers and protect critical data in the event that a service is compromised.

      --

      LedgerSMB: Open source Accounting/ERP
    39. Re:What about by fleaboy · · Score: 0

      I bet you would defend the mouth that bites you, by saying, "It's a mouth, that's what they do: bite"

      --
      Life is a gift. And my Karma couldn't possibly be 'Positive'
    40. Re:What about by einhverfr · · Score: 4, Insightful

      You ship it, you support it.

      I agree, but the point is that it is still like comparing apples and oranges.

      Better, let's look at the sum of the security vulnerabilities in the following software (with Server 2003):

      Server 2003
      MS Office (often gets installed on servers)
      Internet Explorer
      SQL Server
      MS Exchange
      ISA Server
      Etc.

      Now we have a fair comparison. These are all shipped by Microsoft and are about as likely to be installed on Windows Servers as the parallel software is to be on Linux servers.

      Additionally let's look at vulnerability counts and their severity rather than patches released. That may provide a better picture.

      --

      LedgerSMB: Open source Accounting/ERP
    41. Re:What about by Anonymous Coward · · Score: 0

      yeah, he'd be much better off if he was using linux and running as root.

    42. Re:What about by sg_oneill · · Score: 5, Insightful

      I'd say very few of them.

      What Microsoft misses is that, empirically and objectively, your system is in a much higher danger of ACTUALLY getting hacked or virussed or whatever.

      Let's see. Comparison time. When was the last virus outbreak that trashed linux systems world wide.

      oh ...

      Anyway, to be more fair, the other point is that most of these security bulletins for linux have been of the 'running nethack as root could break system' type pap that doesn't actually increase the chance of a break in in any sensible way. This is compared to the preponderance of serious worm inducing flaws in windows.

      Microsoft can bleat as much as they like, and look I'll be honest, props for the fact that modern windows is probably safer than older windows, but this doesn't distract from a simple home truth:
      Linux, Solaris and BSD are your best bet for a secure system. VMS if you're a complete paranoid freak.

      Statistics trumps rhetoric every time

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    43. Re:What about by jerroldr · · Score: 1

      I'd argue the better analogy is the fat guy that never goes to the gym vs the "healthier" guy that goes often.

    44. Re:What about by MrResistor · · Score: 1

      Until recently I was supporting some machines that we would do just about anything to avoid rebooting, mostly because the hard drives were old and sometimes we had to smack them around a little to get them to spin up. Once they spun up, they were fine though.

      Of course, we didn't have to worry about patches, as they were running NT4 and not hooked up to a network (well, a video distribution network, but that's hardly the same). For those who care, product details can be found here. The easiest description is a $100k Tivo.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    45. Re:What about by Anonymous Coward · · Score: 1, Informative

      Yeah, they scan you to make sure you're not posting through a proxy. Without asking of course, which is pretty fucking rude.

    46. Re:What about by shufler · · Score: 1

      Your numbers are off. And the numbers alone don't tell the whole story. You'd be better off doing a bit more digging before resting with that conclusion. Though, to be honest, I can see the argument being made.

      Indeed, that is the very argument Microsoft gives. It seems Microsoft is including new versions of software in their list of bug patches. Granted, part of the new version may in fact be, but there are usually other fun things included.

    47. Re:What about by thenextpresident · · Score: 1

      That's true, but that wasn't the problem I was referring to, and that isn't exactly the topic. I think it's definitely easier to get it from one source than many sources.

      So, you have a point, it just doesn't relate to what I said.

      --
      Jason Lotito
    48. Re:What about by LnxAddct · · Score: 5, Insightful

      Also don't forget that often times, the OSS vulnerabilities are typically theoretical. For example, you see something like a strcpy to an unchecked char pointer somewhere deep in the code. You may not know when it's called, why it's called, and what series of events might set it off, but you fix it anyway and out goes the patch. Your system then gets patched whether or not that code could have ever even been exploited.

      With Windows on the other hand, everything is a severe and serious vulnerability because if some company, or university, or just your typical hacker finds something, it definitely works and can be exploited simply because they found it. It couldn't have been found without them actually executing the exploit.

      There are a million other things though to take into consideration, like what you said about how RH and Suse have tons of other software bundled with them. An interesting thing is that RH, Fedora, and Suse are all (according to secunia) patched from all known vulnerabilities. Windows XP Home and Pro both have 18 unpatched vulnerabilities, at least one of them being "highly critical", and Windows 2003 also has 5 unpatched (out of 44). Software will have bugs, we should try our best to code securely, but it's never going to work 100%. What is more important is not how many patches were sent out, but how many haven't been taken care of yet. In RH and Suse's case, they seem to be just fine, but Windows has tons of open flaws. OSS also tends to get patches out way quicker. What's even cooler is that if RH patches something, then Suse can just use that, and vice versa, talk about efficiency.
      Regards,
      Steve

    49. Re:What about by Rostin · · Score: 1

      Hm. The computer I'm running now has (only) Win Xp on a primary slave and boots just fine.

    50. Re:What about by twzop · · Score: 1

      haha that was funny. Great analogy though!

    51. Re:What about by McBeer · · Score: 1
      "with Windows I have to go hunting for every single application"

      http://windowsupdate.microsoft.com Yep, sure had to go hunting for that.

      "Now let's go to Microsoft land. You install XP (if it isn't pre-installed), plug it into a firewall, configure firewall, go online, install updates, and then... and then... ...Install Office, go online, install updates... [repeat for x pieces of software by miscellaneous different software manufacturers]"

      That's one way to do it. Or, if you don't like wasting time, just go with the straight microsoft ticket. Install all the software, run windows update once (ok probably twice as you need to install some things separately) and you are on your way. The SP2 firewall will configure itself as you attempt to use applications. You can go from a blank hard drive to a system capable of doing whatever you need it to in 1 to 3 hours depending on what all you purchase.

      I see a lot of people here blaming Microsoft for the fact that lots of other vendors produce software for their OS and making comparisons to a linux distro based on that. My point is that it is only a fair comparison if you compare the entire microsoft "distro" to the linux one of your choosing.

      --
      Hikery.net - The best hiking site ever. Made by yours truly.
    52. Re:What about by The+Dobber · · Score: 4, Insightful
      statistics trumps rhetoric every time

      If you're gonna use that angle, then you have to provide the data, or at least point to a source.

    53. Re:What about by seminumerical · · Score: 1
      You are right. I wrote half a dozen press releases for a company one year, which meant writing dozens of drafts of a 20 to 30 line press release. But the press release is boilerplate at the beginning and end. There are really only five to fifteen lines of new text.

      So, here's how it goes: the writer goes back and forth to management and marketing for tweaks to get the "spin" just right. Basically, most people read a press release quickly and cursorily and so the intention is to be technically accurate but give the wrong impression.

      Many people are in the habit of bullshit detecting company announcements (Having written them it becomes second nature). So putting out the deceptive info in a more natural* way (like an online chat session) might fool a few more people, but it doesn't make them any less deceitful. I can just see Mike Nash, sitting there at the terminal, or more likely looking over the shoulder of the flunky who is doing the typing, telling him, after consultation with the little crowd of marketing and legal people, what carefully prepared texts to cut and paste into the conversation.

      *online chat is more natural, heh heh.

      --
      In wartime... truth is so precious that she should always be attended by a bodyguard of lies. (Churchill)
    54. Re:What about by Dolda2000 · · Score: 2, Insightful
      If the product turns out to be faulty, it means there's a problem with Red Hat or SuSE's distribution, regardless of whether it's located in the kernel or not.
      Yes. However, if it's a local non-root exploit in a program that no one ever uses, that means that it's not actually a threat to security.

      It's still their problem, and that's why they issue patches. It's nothing to worry about, however.

    55. Re:What about by Anonymous Coward · · Score: 0
      Apparently, Microsoft policy is only to release patches for vulnerabilities that are currently being exploited.

      As opposed to what linux does, which is releasing patches for vulnerabilities that have not yet been exploited? :rolleyes:

      "Linus, set the Wayback Machine to before mySQL got pwned... again."

    56. Re:What about by PPGMD · · Score: 0, Redundant
      Irresponsible PC users cause a lot of the major security issues in this connected world

      At a recent TS2 event, after the presenter said that they will shortly be cutting off Windows Update for users of the major pirate CD keys, I said, "What does it matter if they cut it off, users never patch anyways!"

    57. Re:What about by SenFo · · Score: 1

      Actually, we did read it; and it's a moot point as he is comparing an entire Linux distribution (kernel + ALL software packages) to only the Windows operating system.

    58. Re:What about by SenFo · · Score: 1

      Switch to grub. It's got the great advantage of being able to boot any kernel you have, as long as it can access the partition. Screwed up configuration, kernel with a bad filename, etc, all don't matter when you can load any kernel you want from grub's command line. LILO can boot any kernel on your system.

    59. Re:What about by V_Pundit · · Score: 1

      IE has seen 5 patches every time my windows update runs (which has been many times in the last 10 months). Oh how I long for the day when I can convince my wife to abandon Windows forever.

      --
      that's how I see it anyway . . .
    60. Re:What about by MrResistor · · Score: 1

      Or, if you don't like wasting time, just go with the straight microsoft ticket. Install all the software, run windows update once (ok probably twice as you need to install some things separately) and you are on your way.

      Dream on! I have never gotten away with only running windows update once, or even twice, on a new Windows install, let alone a single reboot. And then you need to do it again for MS Office, since it has a separate update service.

      With a new install of Suse I run YOU once and EVERYTHING is updated, with no need to install some things separately, and I only have to reboot if there's a kernel patch, which is quite rare (only 2 or 3 on Suse 9.1 since it was released 8 or 9 months ago).

      You can go from a blank hard drive to a system capable of doing whatever you need it to in 1 to 3 hours depending on what all you purchase.

      Or with Suse I could go from blank drive to an equivalently usable system in under an hour, regardless of what packages I choose to install.

      I see a lot of people here blaming Microsoft for the fact that lots of other vendors produce software for their OS and making comparisons to a linux distro based on that. My point is that it is only a fair comparison if you compare the entire microsoft "distro" to the linux one of your choosing.

      That's because you have to install a bunch of third party stuff in order to have the functionality that's available to me in that same Suse install I've described above. In fact, it would probably add about 15 minutes for me to remove all the packages for which there isn't an equivalent in your MS only "distro".

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    61. Re:What about by TheOldFart · · Score: 1

      If you're gonna use that angle, then you have to provide the data, or at least point to a source

      What about megabytes of log entries from infected IIS servers every day? I don't have a single entry from an infected UNIX system. Queries for "/default.ida" are so common that I long ago set it up for a redirect to www.microsoft.com.

    62. Re:What about by Anonymous Coward · · Score: 0

      Why is it odd that it counts disks starting at 0 instead of 1? I thought that was the norm.

    63. Re:What about by Phisbut · · Score: 2, Insightful
      http://windowsupdate.microsoft.com Yep, sure had to go hunting for that.

      Didn't have to go hunting for that one, but then, you only patched one piece of software with it (ok, three, since IE and WMP are part of Windows).

      But what about everything else that is installed on your system? When the GDI+ vulnerability was announced, how many programs did you have to update in different locations (are you even sure you updated them all?).

      That's one way to do it. Or, if you don't like wasting time, just go with the straight microsoft ticket. Install all the software, run windows update once (ok probably twice as you need to install some things separately) and you are on your way

      Once again, you'll only have updated Windows, none of the other applications. Even though MS-Office is from Microsoft, it's not updated through Windows Update, it's updated through Office Update. Same company, same website, yet they insist on making it two separate locations for you to get your updates.

      The SP2 firewall will configure itself as you attempt to use applications. You can go from a blank hard drive to a system capable of doing whatever you need it to in 1 to 3 hours depending on what all you purchase.

      That is only if you have a Windows CD that actually installs the SP2 directly. If you bought WinXP a couple of months ago, after installing, you do have to switch the firewall on yourself because it's off by default, and then get all the Windows Update, and install the other programs, and get Office Update and any patches for other applications... Even if it takes "only" 3 hours to go from a blank drive to a complete running system, it's 3 hours you have to stay in front of your computer, because the installation process requires information in the middle of the process (contrary to getting it all right at the beginning for most Linux distros), and Windows Update can't update everything at once, so you need several reboots to do the update again. Then you have to install Office... and do Office Update... You can hardly leave your computer for more than 10 minutes during that 3 hours, talk about a waste of time.

      I see a lot of people here blaming Microsoft for the fact that lots of other vendors produce software for their OS and making comparisons to a linux distro based on that. My point is that it is only a fair comparison if you compare the entire microsoft "distro" to the linux one of your choosing.

      If you want a fair comparison, then we should consider a Linux install that has the same features as a Microsoft "distro". So install Linux with only OpenOffice.org, Firefox and Totem, that covers a Microsoft "distro" that has Windows, Internet Explorer, Office and WMP. Then, count the number of patched vulnerabilities in each of those distros. IE alone will have more vulnerabilities than the whole Linux distro.

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
    64. Re:What about by Slime-dogg · · Score: 1

      I'm no fan of MS, but I do know that Windows Server 2003 is shipped with all options off by default. I know this, partially because I've read it, but also because our support/configuration experts whine more about how long it takes to set up a server for one of our offices.

      --
      You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
    65. Re:What about by aichpvee · · Score: 0

      Man, let's compare the TCO for the entire microsoft "distro" to any Linux. You're looking at a couple grand just to install the system and you'll still be missing a lot of software that microsoft just doesn't make.

      --
      The Farewell Tour II
    66. Re:What about by Anonymous Coward · · Score: 1, Funny

      > a fair comparison would be only counting the patches to the kernel

      Guess that excludes IE from MS patches then

    67. Re:What about by caino59 · · Score: 1

      dont forget to reboot.

      and after you reboot - windows always manages to find more patches, prompting yet another reboot.

    68. Re:What about by theshowmecanuck · · Score: 1
      Just remember that there is a corollary to that: "you can prove anything with statistics".

      Don't get me wrong, I prefer the Linux/Unix system primarily because I believe it is less vulnerable to attack. Just remember to have some good statistics available in case the other guy trots out that he/she has statistics proving their point. :-)

      Statistics are made up on the spot 42.89678% of the time. :-)

      --
      -- I ignore anonymous replies to my comments and postings.
    69. Re:What about by StillaCoward · · Score: 1

      Because your system uses a different offset for HD numbering. It's not confusing really, but it is a bit disconcerting for lack of a better word....

    70. Re:What about by Anonymous Coward · · Score: 0

      Why are there so many morons on /. You can't have it both ways. If you're patching a system, it's not secure. Linux security sucks, and everyone knows it. When there is a profit motive, the holes will be exploited.

    71. Re:What about by initsix · · Score: 1

      I highly doubt the redirect will do anything. The worms are trying to exploit your box, not read and parse http redirect headers.
      Good idea on principle though. I award you 10 points.

    72. Re:What about by halivar · · Score: 1

      As opposed to what linux does, which is releasing patches for vulnerabilities that have not yet been exploited?

      I can't figure out what you mean.

      Are you implying that vulnerabilities are not found on the Linux platform before they are exploited? That would be wrong; the vast majority of vulnerabilities are caught by other developers and hawk-eyed users (unlike Windows, where they are caught by MS employees and crackers only).

      Or are you implying that patching unexploited vulnerabilities is a bad idea? That would be just plain dumb, so I'll assume that's not what you meant.

    73. Re:What about by rikkards · · Score: 1

      True. Prior to Windows 2003, when you set up a share, the share permissions were Everyone full control. The easiest way to set up permissions on a share is put Everyone Full Control for the Share and limit access on the file level.

      However in Win2K3, the default permissions on a share now are Everyone Read, this way an admin can set up the share ahead of time but ensure that no one can modify the data until he specifically sets it.

      There are a couple other things that have changed. They seem to be trying to change their mindset with regards to security as well as stability, and they have made it much easier to deploy patches to workstations with SUS server.

      (but they are still evil ;)

    74. Re:What about by LilMikey · · Score: 1

      I've done this recently on the wife's computer. Here was the complete process:

      1. Install XP and activate it.
      1a. Optionally turn off blue and green crap
      2. Windowsupdate it.
      3. Install Firefox.
      4. Find and install video driver.
      5. Reboot
      6. Find and install scanner driver. (optional reboot)
      7. Find and install printer driver. (optional reboot)
      8. Install Grisoft AVG. (antivirus)
      *set up full scan and updates
      8a. Optionally install ZoneAlarm or Sygate Personal Firewall
      9. Reboot
      10. Install Adaware.
      11. Install Spybot.
      12. Install Thunderbird.
      13. Install OpenOffice.
      14. Install Adobe PS Elements.
      15. Install Gaim.
      15a. Optionally install WinAMP or other non-intrusive media player.
      16. Finally, full-scans on AVG, adaware, and spybot to get rid of the cruft that appeared after 3 minutes of IE usage. -- may require one more reboot
      16a. Optionally install other software (DVDDecrypt/Shrink, VideoLAN Client, card games, etc)

      Compared to a recent Fedora Core 3 install:
      1. Install FC3.
      2. Install atrpms apt-kickstart
      3. apt-get dist-upgrade
      4. apt-get install nvidia-graphics
      5. Copy/modify xorg.conf
      6. re-'init' or reboot
      6a. (optionally install xine, mplayer, ogle, perl-videoDVDRip, madwifi, xmms... with a single command)

      I tried to be fair here and not assign optional tasks their own task numbers.

      --
      LilMikey.com... I'll stop doing it when you sto
    75. Re:What about by mattyrobinson69 · · Score: 1

      XP will run from any partition, afaik, but windows 98 had to be primary master iirc.

    76. Re:What about by legirons · · Score: 1

      "assuming a Linux distro is doing the right thing and not enabling any daemons unless the user tells it to do so"

      I'm not going to re-enable them to check right now, but a portscan of a newly-installed Mandrake10 machine with default options includes about a dozen services, and would have installed more if I hadn't requested that it stop trying to install CUPS (for a nonexistent printer)

      Most of those are the default "look what you can do" oneliners in xinetd, some of them are XDM (who knows whether it's okay to expose that?) and a few misc others. Interestingly, I don't remember being able to install SSH during the installation, the one thing that might be useful when installing a lot of machines. I

    77. Re:What about by Phleg · · Score: 1

      Nobody's arguing this. However, they're only saying it's somewhat of an unfair comparison: Windows consists of Explorer, the GUI, .NET, the APIs, etc., when your average Linux distro comes with office applications, games, tons of utilities, compilers, etc. It's not making an accurate or fair comparison. If we were to compare security holes for Windows versus the bare-minimum install for most Linux distros, plus X, plus GDM and GNOME (or KDM and KDE), that would be a far fairer comparison. And one which Microsoft would probably have a hard time winning.

      --
      No comment.
    78. Re:What about by Vancorps · · Score: 1
      Now try again from safe-mode and watch it go away. The real nasty stuff reboots the comp when you try to get into safe mode, but once again, if you know what you're doing you can get around it with the recovery console.

      Another poster said it best, you should only use trusted software then you don't have to worry about all that crap and you can continue on with your life without all the spyware/adware.

      Firefox is a beautiful example, it's not perfect, but you can trust it to do exactly what it says it's doing.

      Of course, education is the most powerful tool, any operating system can become downright useful when you know what you're doing.

    79. Re:What about by Hawke666 · · Score: 1

      Only if it's been specified in the config file.

    80. Re:What about by 1lus10n · · Score: 1

      No offense, but mandrake is not a server platform. It's like comparing windows ME or 98 (something pre XP/2k kernel).

      Mandrake, Linspire and linux versions along those lines assume little or no knowledge from the user. They behave like microsoft in that respect and hence have similar issues (although still not quite as bad). I have long stated that microsoft's first step in the right direction would be assuming knowledge on the part of the user and disabling (or not installing) un-needed services and coming up with a more secure way to handle some of its more vulnerable services (file sharing).

      Microsoft's problems are not always crap code. No matter the project type or developer group, crap code will ALWAYS exist. They need to focus on building a secure culture, not just patching the problems that are likely to be exploited, but actually looking for holes and patching them far ahead of time. Making sure their developers are doing things the right way and making sure marketing doesn't make any decisions that could influence security.

      --
      "Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
    81. Re:What about by Fulcrum+of+Evil · · Score: 1

      the quote from my roommate: "i didn't install anything." he had been using ie and running as administrator. let's see them patch that.

      Uh huh. They always say that. He just clicked on some annoying dialogs, then forgot about the whole thing.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    82. Re:What about by Kombat · · Score: 2, Interesting

      For example, you see something like a strcpy to an unchecked char pointer somewhere deep in the code.

      The problem is, as a couple studies have shown, nobody is actually looking at that code except those that are trying to find exploits. It's not like the vast armies of Open Source coders (guffaw) are constantly combing and re-reading 10-year-old code looking for things they can randomly improve. How many of those coders are actually skilled, experienced, and intelligent enough to both fully understand the vast quantities of code they are reading, and competent enough to actually modify the code without breaking anything else?

      I think you underestimate the sheer quantity of open source code that ships with a Linux install, while simultaneously vastly overestimating the frequency with which established, working Open Source libraries are inspected and reviewed for bugs.

      The truth is, the overwhelming majority of Open Source contributors are working on new projects. Projects which, for the most part, will never be finished. In reality, nobody is looking at the old code that already works satisfactorily. Nobody is going through the C framework, looking for unchecked pointers and array overruns, except people who are looking for something to exploit. In all honesty, there aren't really that many people working on maintaining the existing Open Source codebase that comprises the bulk of a default Linux install. There's a very active kernel group, but aside from that, it's much more stagnant than you might expect.

      --
      Like woodworking? Build your own picture frames.
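The pattern the post above refers to, "a strcpy to an unchecked char pointer", is the classic stack buffer overflow. As an added illustration (not code from the thread or from any project discussed in it), here is a constructed unchecked copy next to a bounded replacement that refuses input that does not fit instead of silently overrunning or truncating; the buffer size and the sample names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example of the "strcpy to an unchecked char pointer" pattern.
 * If `name` holds 16 or more bytes before its NUL, the copy runs past the
 * end of `buf` on the stack. Shown for contrast only; it is never called
 * with oversized input below. */
void unchecked_copy(const char *name)
{
    char buf[16];
    strcpy(buf, name);          /* no bound: overflow if strlen(name) >= 16 */
    printf("hello %s\n", buf);
}

/* Hardened replacement: the caller passes the destination size, the input
 * is scanned for its NUL only within that size, input that does not fit
 * is rejected with -1, and on success `dst` is always NUL-terminated. */
int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;
    /* memchr looks at most `dstlen` bytes, so an over-long source never
     * causes a read past what the destination could hold anyway. */
    const char *end = memchr(src, '\0', dstlen);
    if (end == NULL)            /* no NUL within dstlen: source too long */
        return -1;
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);    /* n + 1 <= dstlen, so the NUL fits too */
    return 0;
}

/* Exercises bounded_copy with two constructed inputs: one that fits the
 * 16-byte buffer and one that would have overflowed unchecked_copy.
 * Returns 0 when both cases behave as intended. */
int demo(void)
{
    char buf[16];
    int ok_short = bounded_copy(buf, sizeof buf, "alice");
    int ok_long  = bounded_copy(buf, sizeof buf,
                                "a-name-far-longer-than-sixteen-bytes");
    return (ok_short == 0 && strcmp(buf, "alice") == 0 && ok_long == -1) ? 0 : 1;
}

int main(void)
{
    char buf[16];
    if (bounded_copy(buf, sizeof buf, "alice") == 0)
        printf("copied: %s\n", buf);
    if (bounded_copy(buf, sizeof buf, "a-name-far-longer-than-sixteen-bytes") != 0)
        printf("rejected: input does not fit a %zu-byte buffer\n", sizeof buf);
    return 0;
}
```

The design choice worth noting is that the bounded version fails closed: rejecting over-long input is safer than truncating it, because truncation silently changes the data and can itself create bugs further along (a filename or command that is no longer what the caller meant).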
    83. Re:What about by Rich0 · · Score: 1

      That's one way to do it. Or, if you don't like wasting time, just go with the straight microsoft ticket. Install all the software, run windows update once (ok probably twice as you need to install some things separately) and you are on your way.

      Uh, windowsupdate only updates windows, and a few MS programs.

      If I have a Quicken security problem, windowsupdate won't fix it.

      If kmymoney has a security problem, Red Hat will distribute a patch for it.

      So, we're comparing the number of patches to the MS Windows OS, to the number of patches for just about every free piece of software available for linux...

    84. Re:What about by AstroDrabb · · Score: 1
      So what is on your primary master? With windows it is a hit-or-miss game. I tried to install a corporate version WinXP SP 2 on a disk that was the primary slave and WinXP puked. It installed on my "D:" drive and most of it was not working. This was an out of the box install using the Win XP SP 2 install disk. Nothing worked well at all. As soon as I did a re-install on my primary master "C:" drive, WinXP SP 2 worked fine. Though it did kill my Linux OS boot record.

      It is funny that if I install MS Windows first and then Linux, everything works fine. However if I install Linux and then MS Windows, MS Windows kills ANYTHING that is not MS Windows. I just stick to installing MS Windows first and then installing Linux and I never have a problem. Grub boots MS Windows XP on any drive, even where MS Windows XP has never installed for me.

      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
    85. Re:What about by Fulcrum+of+Evil · · Score: 1

      don't get me wrong, i cringe every time there's a security bulletin for the linux kernel, it's a PAIN to fix. even worse than windows in my opinion (since linux servers aren't rebooted as often, you're never sure if the system will come back up properly due to changed lilo/kernel build options/little evil fairie)

      That's an admin problem. Reboot your servers every month or so and you'll find all the gotchas on your own time.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    86. Re:What about by fupeg · · Score: 1
      the 15 vulnerabilities for windows are to the core and system services
      That's not totally accurate. Two of the patches that came out this week are not core/system patches. KB886903 is an ASP.NET bug, kinda like a patch to PHP. KB887472 is a bug in Windows/MSN Messenger and Windows Media Player.

      Actually most of the bugs have to do with DHTML, ActiveX, hyperlinks, and the "core" parts of IE. These are core/system vulnerabilities because of IE's integration. And that's where the real weakness of Windows lies. There could be Mozilla vulnerabilities that are just as bad as these IE and IE-related ones, but patching them only requires patching Mozilla, not patching the Linux kernel or even Gnome/KDE.
    87. Re:What about by bitspotter · · Score: 1

      Nonetheless, when you look at the included software from a feature standpoint, a Linux distro has far more functionality than a Windows distribution (even if you include Office). With that many more features, it stands to reason that there is more potential for bugs without having to resort to questions of quality.

      This is interesting, considering that Microsoft claims to be competing on the basis of more features.

    88. Re:What about by jedidiah · · Score: 1

      Last Unix worm? About 1988.

      Last Win32 worm? About last week.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    89. Re:What about by Anonymous+Custard · · Score: 1

      All you're saying is that you like the bundled applications in FC3's linux distribution better than Windows XP, right?

      If you liked the MS bundled apps (Windows Firewall, Wordpad, WMP, Outlook Express, Paint/Photo Editor, MSN Messenger), it'd look like this:

      1. Install XP, answer a few easy questions (time zone, etc.) and activate it.
      2. Windowsupdate it.
      3. Find and install scanner driver - often automatically for non-bleeding edge products. (optional reboot)
      4. Find and install printer driver - often automatically for non-bleeding edge products. (optional reboot)
      5. Install Grisoft AVG. (antivirus)
      5a. Add 3rd party apps to taste
      6. Find and install video driver.
      7. Reboot (deal with 800x600 until this reboot)

      Compared to a recent Fedora Core 3 install:
      1. Install FC3 (choose a config and/or customize it).
      2. Install atrpms apt-kickstart
      3. apt-get dist-upgrade
      4. apt-get install nvidia-graphics
      4a. Add 3rd party apps to taste
      5. Copy/modify xorg.conf
      6. re-'init' or reboot

      7 vs 6 comparable steps isn't bad at all. And in the future Windows may come bundled with an anti-virus program.

      Of course, my real point is that it's not fair to compare a vendor's distribution of Linux with a clean install of Windows XP.

      If you bought from a windows vendor, like HP or Dell, they would do the latest OS updates, and you could purchase and have them install anti-virus, firewall, media software, cd burning software, adobe PS elements, etc, and they'd be ready to use when you boot it up.

      I dare say if you had to install an empty version of Linux (OpenOffice, Firefox, etc, NOT bundled) vs. a Windows XP CD, you'd have a much easier time getting up and running with the Windows XP CD.

      And yeah HP/Dell do charge money for their services and you have to buy a computer too, but there could be a business where someone sells Windows Installation, including all licenses for the extra apps you want. They might distribute/sell a versatile image that can handle varied hardware configurations, just like RedHat FC3 does.

    90. Re:What about by joeljkp · · Score: 3, Informative
      I agree. Since we're comparing statistics here, and the grandparent hasn't pointed to any sources, let's get some facts on the table.

      Since Microsoft brought up server operating systems, let's compare Microsoft Windows Server 2003 Enterprise Edition with IIS 6 and Red Hat Enterprise Linux 3 Advanced Server with its default suite of servers (apache, etc.)

      For WS2003-EE, microsoft.com reveals 12 security bulletins for 2005:

      MS05-001 - HTML Help ActiveX Control - Moderate (3)

      MS05-002 - USER32.dll overflow, Kernel DDOS - Critical (1), Important (2)

      MS05-003 - Indexing Service - Important (2)

      MS05-004 - ASP .NET - Important (2)

      MS05-008 - Internet Explorer - Moderate (3)

      MS05-009 - libpng (Windows Messenger) - Moderate (3)

      MS05-010 - License Logging service - Moderate (3)

      MS05-011 - SMB - Critical (1)

      MS05-012 - COM, OLE - Important (2), Critical (1)

      MS05-013 - DHTML Editing ActiveX Control - Moderate (3)

      MS05-014 - Internet Explorer (3 vulns) - Moderate(3), Critical (1), Low (4)

      MS05-015 - Hyperlink Object Library - Critical (1)

      In addition, Secunia lists 5 unpatched security holes and 1 partial fix:

      SA8987 (09/2003) - certain device drivers - Less critical (4)

      SA9720 (09/2003) - overflow detection bypass - Less critical (4)

      SA9921 (10/2003) - local exploit - Less critical (4)

      SA10066 (10/2003) - HTML Help ActiveX Control (local) - Less critical (4)

      SA13645 (12/2004) - partial fix (MS05-002) - Highly critical (2)

      SA14061 (01/2005) - local Registry vuln - Not critical (5)

      So it looks like the WS2003-EE/IIS6 combination has been subject to 12 patches in 2005 caused by 16 vulnerabilities with an average criticality of 2, plus 6 unpatched or partially patched vulnerabilities with an average criticality of 4.

      Since I'll be getting rid of KDE and Mozilla vulns with RHEL because they're not really used on back-room servers, I'll toss out the IE and HTML Help ones here. That leaves 8 updates patching 10 security holes and an average severity of 2, plus 5 unpatched holes of low severity (mostly local).

      Now on to Red Hat Enterprise Linux 3 Advanced Server, for which redhat.com lists 22 advisories for 2005 (more abbreviated list format):

      code # vulns component
      RHSA-2005:010 - 1 - VIM (not core OS)
      RHSA-2005:018 - 1 - Xpdf (not core OS)
      RHSA-2005:013 - 5 - CUPS
      RHSA-2005:038 - 1 - Mozilla (not core OS)
      RHSA-2005:019 - 2 - libtiff
      RHSA-2004:635 - 1 - Ruby
      RHSA-2005:043 - 3 - kernel
      RHSA-2005:012 - 2 - kerberos
      RHSA-2005:068 - 1 - less
      RHSA-2005:059 - 1 - Xpdf (not core OS)
      RHSA-2005:069 - 1 - Perl-DBI
      RHSA-2005:049 - 1 - CUPS
      RHSA-2005:039 - 3 - enscript (not core OS)
      RHSA-2005:011 - 9 - Ethereal
      RHSA-2005:105 - 2 - Perl
      RHSA-2005:136 - 1 - mailman
      RHSA-2005:135 - 3 - Squirrelmail
      RHSA-2005:134 - 1 - xemacs (not core OS)
      RHSA-2005:112 - 1 - emacs (not core OS)
      RHSA-2005:104 - 1 - mod_python
      RHSA-2005:009 - 3 - KDE (not core OS)
      RHSA-2005:061 - 9 - Squid

      So so far in 2005, RHEL3-AS has been hit with 22 patches, consisting of 53 individual vulnerabilities of unknown criticality (they didn't say). Taking out the ones effecting packages that aren't part of the base system (that don't really have any match on a backroom Windows server), that still leaves 14 updates fixing 41 vulnerabilities. Secunia, however, shows none unpatched.

      The Secunia site has some good comparative charts, showing that from 1993-today, WS2003 has been hit with fewer problems, with a fewer percentage remotely exploitable, but with a highe

      --
      WeRelate.org - wiki-based genealogy
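The post above tallies the Red Hat advisories by hand and then drops the ones marked "(not core OS)". As an added example (my own code, not the poster's), the program below parses that advisory list in the exact layout given in the post and reproduces the totals (22 advisories / 53 vulnerabilities, 14 / 41 after the core-only filter); the only assumption is that the "(not core OS)" annotation is the marker for packages to exclude. The same parser works on any list in that `ID - count - component` form, not just the one quoted.

```c
#include <stdio.h>
#include <string.h>

/* Totals for one advisory list, with and without the packages the
 * poster marked "(not core OS)". */
struct tally {
    int advisories;       /* number of advisories counted */
    int vulns;            /* sum of the per-advisory vulnerability counts */
    int core_advisories;  /* advisories not marked "(not core OS)" */
    int core_vulns;       /* their vulnerability counts summed */
};

/* Parse one line of the form "RHSA-2005:013 - 5 - CUPS" or
 * "RHSA-2005:010 - 1 - VIM (not core OS)" and add it to `t`.
 * Returns 1 if the line was counted, 0 if it did not match the layout. */
int parse_advisory(const char *line, struct tally *t)
{
    char id[32];
    char component[64];
    int n;

    /* "%31s" reads the advisory id, "%d" the count, "%63[^\n]" the rest. */
    if (sscanf(line, "%31s - %d - %63[^\n]", id, &n, component) != 3)
        return 0;
    if (n < 0)
        return 0;

    int is_core = strstr(component, "(not core OS)") == NULL;
    t->advisories++;
    t->vulns += n;
    if (is_core) {
        t->core_advisories++;
        t->core_vulns += n;
    }
    return 1;
}

/* Tally a NULL-terminated array of advisory lines; malformed lines are
 * skipped rather than aborting the whole count. */
struct tally tally_advisories(const char *const *lines)
{
    struct tally t = {0, 0, 0, 0};
    for (; *lines != NULL; lines++)
        parse_advisory(*lines, &t);
    return t;
}

/* The 22 RHEL3-AS advisory lines exactly as listed in the post above. */
const char *const RHEL3_2005[] = {
    "RHSA-2005:010 - 1 - VIM (not core OS)",
    "RHSA-2005:018 - 1 - Xpdf (not core OS)",
    "RHSA-2005:013 - 5 - CUPS",
    "RHSA-2005:038 - 1 - Mozilla (not core OS)",
    "RHSA-2005:019 - 2 - libtiff",
    "RHSA-2004:635 - 1 - Ruby",
    "RHSA-2005:043 - 3 - kernel",
    "RHSA-2005:012 - 2 - kerberos",
    "RHSA-2005:068 - 1 - less",
    "RHSA-2005:059 - 1 - Xpdf (not core OS)",
    "RHSA-2005:069 - 1 - Perl-DBI",
    "RHSA-2005:049 - 1 - CUPS",
    "RHSA-2005:039 - 3 - enscript (not core OS)",
    "RHSA-2005:011 - 9 - Ethereal",
    "RHSA-2005:105 - 2 - Perl",
    "RHSA-2005:136 - 1 - mailman",
    "RHSA-2005:135 - 3 - Squirrelmail",
    "RHSA-2005:134 - 1 - xemacs (not core OS)",
    "RHSA-2005:112 - 1 - emacs (not core OS)",
    "RHSA-2005:104 - 1 - mod_python",
    "RHSA-2005:009 - 3 - KDE (not core OS)",
    "RHSA-2005:061 - 9 - Squid",
    NULL
};

int main(void)
{
    struct tally t = tally_advisories(RHEL3_2005);
    printf("all packages:  %d advisories, %d vulnerabilities\n",
           t.advisories, t.vulns);
    printf("core OS only:  %d advisories, %d vulnerabilities\n",
           t.core_advisories, t.core_vulns);
    return 0;
}
```

The point of scripting it is repeatability: the "which packages count as the core OS" decision is the whole argument in this thread, and keeping that decision as a marker in the data rather than in someone's head makes it easy to rerun the comparison with a different cut.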
    91. Re:What about by Anonymous Coward · · Score: 0
      If MS were to do the same and provide updates to all your programs through Windows Update, I guarantee you that their patch count would be 10,000 times higher than Linux's.

      Well put! Mod parent up.

    92. Re:What about by feranick · · Score: 1

      If you look at Secunia, in some cases the number of advisories for Microsoft products (2003 Server in particular) may be lower than for RedHat Linux Enterprise or SuSE. However, while both RedHat and SuSe products are fully patched (0% unpatched), Microsoft has 11% unpatched for Win2003 and 24% for WinXP. This is what people should care about. A safer system is NOT necessarily the one with less advisories, but instead the one with NO UNPATCHED advisories. Saying the contrary is irresponsible and false.

    93. Re:What about by Feyr · · Score: 1

      that's a nice position to be in, but you can't really apply that logic to remote servers where there is no one on-site to fix it if it breaks. some servers also serve customers in different timezones so you can't schedule them with the rest.

    94. Re:What about by NoUse · · Score: 1

      The problem with Microsoft's patches (especially services packs) is they have a HORRIBLE reputation of breaking stuff.

      Most companies cannot in their right mind apply patches to desktops blindly when they have half a dozen desktop applications that could potentially stop working when Microsoft decides to break binary compatibility.

      The best they can do is put the patch into a very short life cycle test phase. Perhaps 2 weeks.

      Just imagine:

      You patch 3,000 desktops and then your in-house developed claim filing application stops working. Now you get to sit back and watch the business grind to a halt.

    95. Re:What about by AstroDrabb · · Score: 1
      The SP2 firewall will configure itself as you attempt to use applications.
      Well, the SP2 "firewall" is not really a firewall. It is only a one-way firewall. I hope you know the importance of the difference between a one-way firewall and a _true_ two-way firewall? Also, the SP 2 firewall _does not_ "configure itself". The SP 2 firewall doesn't just open up ports willy-nilly. You need to manually go into the SP 2 firewall and open up ports. A one-way firewall obviously only protects your SP 2 computer ONE-WAY. So anything going out from your computer is _never_ stopped. That is not a very secure firewall IMO. That basically allows all those MS trojans that Joe User clicked on in their emails to continue to use their computer as a host.
      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
    96. Re:What about by AstroDrabb · · Score: 1
      And it's also not fair to say "It's only the default install" that counts. If I go to SuSE or Red Hat, I expect that the vendor has done the job of making sure what they are releasing is as stable and secure as possible.
      So you expect MS to make _everything_ they release as "secure as possible"? You must really be let down then. Especially considering that the latest release of the MS AntiSpyware program has been totally destroyed by a trojan that just deactivates it and DELETES all of the files for MS AntiSpyware. MS has it pretty easy as far as security goes. The typical MS OS is pretty bare-bones as far as software goes. A typical Linux or Mac OS X OS comes with TONS more software than your typical MS OS. However, MS still seems to have tons of problems locking down their bare-bones OS with almost no software included out-of-the-box. Exactly _what_ is MS's problem? As far as their core OS goes, they have far less to secure than Linux or Mac OS, yet they continue to have plenty of security problems. Could it be bad policies at MS? Maybe pushing "features" over security or maybe ship-dates over a product's readiness?
      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
    97. Re:What about by Mortlath · · Score: 1
      I see your point, but at the same time, Linux comes with the distribution, just like Windows comes with its "distribution" (ie. Games, system tools, Media Player, Internet Explorer, etc.)

      True, Internet Explorer is integrated with Windows, but I fail to see how that makes a difference. You either use it (and the bugs) or you use another browser. On Linux, you use Mozilla (with any bugs therein), or you use another browser.

    98. Re:What about by puddpunk · · Score: 1

      Hehe, I _Love_ this argument!

      What about Apache (a great piece of Open Source Software if you didn't know) which is used in more than 60% OF THE ENTIRE INTERNET'S WEBSITES. Why does IIS have far more security vulnerabilities and patches? It runs on any Unix (incl. Mac OS X) and also Windows. Why isn't Apache being "Targeted more" considering "more people use it".

    99. Re:What about by MerlinTheWizard · · Score: 1

      Oh wait, their so-called "metric" is hilarious. They claim Windows is more secure because they have released fewer fixes. How much funnier can it get? In the time it takes for this "interview", millions of Windows boxes get infected. ;-)

    100. Re:What about by OAB_X · · Score: 1

      Only an hour? Couldn't have been that bad then. I spent 7! hours fixing a windows XP system that had collected spyware for months just from having cable internet and using IE. She had installed nothing at all in months, this was all stuff that made it through the windows sp2 "firewall", spybot's immunize, and spyware blaster's activeX.

      Half of that was user stupidity, but most was just windows crappiness (auto updates were enabled too)

    101. Re:What about by Trepalium · · Score: 1
      No, the real nasty stuff hooks into Windows as a service, so you can't kill it, and also as a COM plugin for Explorer, so that even by the off chance you do erase the service, next boot-up it gets to reinstall itself. There are FAR TOO MANY ways to ensure your program runs on start-up in Windows, and a large number of those methods are extremely difficult to remove.

      Note to spyware authors: no one considers your software 'permission-based' when it goes to such lengths to avoid being uninstalled, or has to hide itself in things like alternate data streams. If you can write programs to detect this tampering, and 'correct' it, you ought to be able to code a working uninstall routine, too.

      --
      I used up all my sick days, so I'm calling in dead.
    102. Re:What about by fatcat1111 · · Score: 1

      You have it backwards. There hasn't been an exploit yet that Microsoft didn't release a patch for first. That bears repeating: Every single exploit of Microsoft software came out after a patch was released for it.

      Indeed, most of the exploits were probably written based on system diffs of pre- and post-patched machines.

      --
      How Politicians Lie: http://www.factcheck.org/
    103. Re:What about by Mishura · · Score: 1

      Yes, but I don't need to reinstall lilo if I want to add another kernel. Editing grub is also easy.

      Lilo had its place, years ago. Now it should die (or innovate? Why not; you think lilo is teh best, make it better than grub!).

    104. Re:What about by TWX · · Score: 1

      Keep in mind too that most UN*X type OSes have everything plus the kitchen sink thrown in, which means a lot of individual projects to keep secure and up to date. If the vendor picks a patching model where every individual package is individually patched then this means that a lot of small things over a given time could be updated, while Microsoft's "Let's make one BIG patch that fixes things once everyone's been in the crapper for months" method only puts out huge omnibus type patches from time to time.

      Additionally, the nature of the exploits (often down to the specific function or set of functions at fault) is much more widely published, so the user or sysop can decide whether or not to install the patch based on what they're using the utility or daemon for. Sometimes the exploit is so specific and obscure that only a few people are vulnerable, but everyone is encouraged anyway.

      --
      Do not look into laser with remaining eye.
    105. Re:What about by korielgraculus · · Score: 1

      No offense, but XP is not a server platform either, Windows 2003 Server is. Comparing Mandrake to XP is EXACTLY what you should be doing. In passing, I installed a FULL install of SUSE 9.1 the other day on a test bed machine (mainly to check for conflicts with other software), didn't alter any options and STILL had ~40 services running.

    106. Re:What about by necro2607 · · Score: 1

      Okay, here's what you do, if you really need your "data" and so on:

      -Take ANY Linux distro install CD.
      -Take ANY Windows install CD.
      -Find two PCs of similar hardware makeup. Install the Linux distro on one, install Windows on the other.
      -Give them each a direct connection to the internet.
      -Go for a lunch break, do something else for 30 minutes.

      When you come back, which computer is still working properly? Which one has viruses and spyware installed all over it, without you *ever even using the computer*?

      I rest my case.

    107. Re:What about by Fulcrum+of+Evil · · Score: 1

      that's a nice position to be in, but you can't really apply that logic to remote servers where there is no one on-site to fix it if it breaks. some servers also serve customers in different timezones so you can't schedule them with the rest.

      What's the big deal? If there's nobody onsite, either arrange for failover or don't guarantee more than 99% uptime. All of your critical servers should be accessible to admins, especially during a maintenance window. Anything less is a time bomb.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    108. Re:What about by sl4shd0rk · · Score: 2, Insightful

      > let's get some facts on the table.

      K... when was the last time someone instant messaged you some porn and trashed your Redhat box? Or maybe the last time your database had a worm? Oh, tell me about the time a piece of spyware crawled up Tux's ass and spit out your credit card number out on IRC?

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    109. Re:What about by Anonymous Coward · · Score: 0

      Ethereal is the core OS? python is the core OS? Squid is the core OS? An average install would have only "kernel" there. That's one hole.

      Moron.

    110. Re:What about by joeljkp · · Score: 1

      I included python, squid, and ethereal because they're likely to be present on a server. Just like I included .NET Framework and ASP on the Windows side.

      --
      WeRelate.org - wiki-based genealogy
    111. Re:What about by joeljkp · · Score: 1

      Um, none of those things have happened to me. But my post was talking about pure numbers of vulnerabilities, not the risk of exploit. Notice that I mentioned the severity thing at the bottom.

      The story mentioned numbers of vulnerabilities. So I laid them out. RHEL, like, had more.

      --
      WeRelate.org - wiki-based genealogy
    112. Re:What about by Anonymous Coward · · Score: 0

      The truth is, as a couple studies have shown, everybody is looking at that code.

      See, I can pull stuff outta my ass as well.

    113. Re:What about by Anonymous Coward · · Score: 0

      Backup to CD: 30 minutes.

      Reinstall XP on a slow machine: 1 hour

      Run Lavalys Everest and find appropriate drivers: 1 hour

      Restore backups: 20 minutes.

      Install Firefox: 10 minutes.

      Start Windows Update, and leave the house.

      3 hours? A better way, for sure.

    114. Re:What about by Anonymous Coward · · Score: 0

      Windows XP with SP2 - it enables the firewall by default. It should hold out most things.

    115. Re:What about by 1lus10n · · Score: 1

      You do understand that 40 processes is *NOT* 40 services, right? If you really want to split hairs about this (2000 and XP are very similar - indeed they are about as much akin as SuSE and SuSE Enterprise) then you shouldn't be checking the public version of SuSE, you should be checking the enterprise (aka production server) version of SuSE. The only 2 public distros (aka downloadable for free) that are built with a true server environment in mind are Fedora Core 3 and Debian. That's one of the major differences between SuSE and SuSE Enterprise.

      The only other option for having 40 services running on a default install is if you installed everything ... like the machine is a desktop. In which case you would have somewhere in the range of 70~100 processes running upon startup. Compare that with most of the server oriented platforms that will have about 40~50 processes running, the vast majority of which are not listening on a TCP/IP port.

      Also worth noting is that you're right about Mandrake being compared to XP. The problem is the article compares 2003 to Red Hat and SuSE. Namely it compares the number of patches released as if that's an accurate indicator of security. Somewhere in the above thread a person mentioned portscanning a default Mandrake install. I was merely pointing out that comparing Mandrake to 2003 is not a fair comparison since one is built for end users and the other is built for admins. Desktop OSes will *always* have services running by default. The end users require it. That doesn't mean that they should install or enable everything, but simple baseline stuff like printing, filesharing, USB compat, sound, X related stuff etc etc should always be enabled at startup on a desktop. Otherwise all we ever hear about is how "windows works" and "linux doesn't". However there should also be a firewall running by default to block the incoming connections on those ports.

      --
      "Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
    116. Re:What about by korielgraculus · · Score: 1

      The "40 services" was phrased in SUSE terms (from their install system), not mine. I am fairly positive that at any one time there is likely to be more than 40 processes running, just down to the way the machine is being used at the moment.

      I agree that comparing number of patches is a rather haphazard way of "measuring" security, unless of course you are comparing systems with identical software packages installed, in which case I am fairly sure that MS wouldn't have liked having all those "insecure" Apache patches applied against their count :)

    117. Re:What about by 1lus10n · · Score: 1

      " The "40 services" was phrased in SUSE terms (from their install system)"

      Just goes to prove that you shouldn't believe everything you read. You can get a webserver running just html down to around 40 processes if it is only lightly used, or an ssh/ftp server; but your point is taken.

      You're right about the most accurate way patches could be counted. Although I also agree with an above poster who pointed out that the patches included in an assessment shouldn't count ones that patch non-standard services or odd configurations. Only the default install.

      --
      "Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
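The exchange above turns on the difference between "processes running" and "services listening on a port", and on which of those a default firewall actually needs to cover. The script below is an added example and is not code from any poster in this thread: a POSIX shell script that parses the output format of `ss -H -ltnup` (Netid, State, Recv-Q, Send-Q, Local, Peer, Process), separates sockets bound to a loopback address from those reachable over the network, and lists the programs that own them. The socket table embedded in SAMPLE_SS is constructed for illustration, not captured from any real host.

```shell
#!/bin/sh
# Added example: tell "processes running" apart from "services listening".
# Input format is that of `ss -H -ltnup`: Netid State Recv-Q Send-Q Local Peer Process
# SAMPLE_SS is a constructed socket table (hypothetical hosts/pids), not a real capture.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 511 0.0.0.0:80     0.0.0.0:* users:(("apache2",pid=1201,fd=4))
tcp   LISTEN 0 128 127.0.0.1:631  0.0.0.0:* users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0 128 [::1]:25       [::]:*    users:(("exim4",pid=702,fd=5))
udp   UNCONN 0 0   0.0.0.0:68     0.0.0.0:* users:(("dhclient",pid=533,fd=6))'

# Sockets bound to a loopback address (127.x or [::1]): only local clients reach them.
# NF >= 5 skips blank or truncated rows so an empty table counts as zero.
count_loopback_listeners() {
  printf '%s\n' "$1" | awk 'NF >= 5 && $5 ~ /^(127\.|\[::1)/ { n++ } END { print n + 0 }'
}

# Sockets bound to any other address: reachable from the network, so these are the
# ones a host firewall has to cover.
count_external_listeners() {
  printf '%s\n' "$1" | awk 'NF >= 5 && $5 !~ /^(127\.|\[::1)/ { n++ } END { print n + 0 }'
}

# Unique program names owning a listening socket, one per line, sorted.
# Rows without a users:(...) field (e.g. other users' sockets when not root) are skipped.
listener_programs() {
  printf '%s\n' "$1" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p' | sort -u
}

# Live report for the current host: process count from ps next to the socket
# counts from ss, so the two numbers argued about above sit side by side.
live_report() {
  if ! command -v ss >/dev/null 2>&1; then
    echo "ss not found; skipping live report" >&2
    return 0
  fi
  table=$(ss -H -ltnup 2>/dev/null)
  procs=$(ps -e | tail -n +2 | wc -l | tr -d ' ')
  echo "running processes:     $procs"
  echo "loopback-only sockets: $(count_loopback_listeners "$table")"
  echo "network-reachable:     $(count_external_listeners "$table")"
  echo "programs listening:"
  listener_programs "$table" | sed 's/^/  /'
}

# `sh listeners.sh --sample` runs against the constructed table; `--live` against this host.
case "${1:-}" in
  --sample)
    echo "network-reachable: $(count_external_listeners "$SAMPLE_SS")"
    echo "loopback-only:     $(count_loopback_listeners "$SAMPLE_SS")"
    listener_programs "$SAMPLE_SS"
    ;;
  --live) live_report ;;
esac
```

On the constructed table the script reports three network-reachable sockets (sshd, apache2, dhclient) and two loopback-only ones (cupsd, exim4); the loopback pair is exactly the kind of "service" that inflates a count without exposing anything to the network. Run `--live` as root if you want the owning program for every socket, since `ss -p` only shows process details for sockets you own otherwise.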
    118. Re:What about by LilMikey · · Score: 1

      All you're saying is that you like the bundled applications in FC3's linux distribution better than Windows XP, right?

      No, I was detailing the process I must go through to set up each OS before handing it over to the end-user... in this case, my wife. That is the software she needed to function appropriately. But grandparent was talking about expediency of installation so I'm up for it.

      If you liked the MS bundled apps (Windows Firewall,Wordpad,WMP,Outlook Express,Paint/Photo Editor,MSN Messenger)...

      Most of which are extremely deficient and insecure. It's not a matter of disliking Outlook Express, it's a matter of 'my wife will screw up her machine and I will have to fix it' if she uses OE. Most distros don't toss in just a single vendor-favored version of application x, they toss in every capable app they can find in the category and you make the call. Your argument would be a little more valid if they bundled 3 capable word processors, 4 capable email apps, 5 chat clients, etc. No doubt this may overwhelm the non-initiated and if that was the argument we were in, then fine, but we're talking ease of installation and those are quite easy to install. Seriously, looking at the list I included only the most basic set of software everyone has (or should have). It's not like I was ragging on a bunch of arbitrary crap no one uses. I noticed you took off Adaware/Spybot. Are you honestly trying to tell me you'd drop spyware removal tools from the list of common software for Joe User?

      it's not fair to compare a vendor's distribution of Linux with a clean install of Windows XP.

      Why? It's what you get on the CD that you install from. Ok, let's not use Fedora... let's use any popular distribution... Suse? They include more software than Fedora. Mandrake, about the same. Debian, that's an odd animal but the disks my coworkers have seem to be full of various crap.

      If you bought from a windows vendor, like HP or Dell, they would do the latest OS updates, and you could purchase and have them install anti-virus, firewall, media software, cd burning software, adobe PS elements, etc, and they'd be ready to use when you boot it up.

      Not once in my life have I or my wife bought a system from any of those places. Besides, if you're talking about something someone else sets up for you then you're not talking about ease of installation.

      I dare say if you had to install an empty version of Linux (OpenOffice, Firefox, etc, NOT bundled) vs. a Windows XP CD, you'd have a much easier time getting up and running with the Windows XP CD.

      This statement says to me you haven't used Linux in any large capacity. Almost every distro comes with a way of installing software just by picking it from the list. You give me a Fedora with nothing on it, no apps, no office, I install apt/synaptic, check the shit I want, and hit apply. A few minutes later all of the software I want or need is installed. Mandrake? They use URPMI. Gentoo has emerge. Debian has the original apt. Synaptic even has the software sorted into categories with descriptions of every program. That's not a real scenario anyway. An 'empty version of Linux' would be a kernel that does nothing. There's a reason RMS is always shouting 'GNU' in front of Linux... you :) Give me a distro without any GNU tools and I'll give you a Windows without Explorer.

      --
      LilMikey.com... I'll stop doing it when you sto
    119. Re:What about by SenFo · · Score: 1

      Personally, I still prefer LILO over grub any day of the week. Of course, it's quite possible that I'm just stuck in my old ways ;-).

    120. Re:What about by Anonymous+Custard · · Score: 1

      >it's not fair to compare a vendor's distribution of Linux with a clean install of Windows XP.

      Why? It's what you get on the CD that you install from.

      Then compare what you'd get on a well-made restore CD from a Windows vendor.

      This statement says to me you haven't used Linux in any large capacity

      True... I telnet to unix at work for web/oracle development, and use FC3 at home as a hobby, XP Pro as my main. I've only had root on FC3, on two PCs at home.

      But I do understand that an OS is pretty useless without apps to do things on it. And the bundles you get with Linux are much more versatile than what you normally get bundled with Windows, and you'd have to search individually for many windows apps you want to match a linux bundle.

      However:

      Besides, if you're talking about something someone else sets up for you then you're not talking about ease of installation.

      Isn't using a distro the equivalent of someone else setting it up for you, just not actually taking the last step of installing it? Someone had to package all those non-kernel apps together, test them, and create a convenient installer. Checking boxes in the distro installation routine is like checking the boxes for additional software when ordering a Dell online. It's just a difference in the process; you get a user-customizable distro from Red Hat/Fedora, or you pay for a customized WinXP distro and installation from Dell.

      I noticed you took off Adaware/Spybot. Are you honestly trying to tell me you'd drop spyware removal tools from the list of common software for Joe User?

      They're actually the first things I install, off a flash memory disk, before even connecting to Windows Update :-) I shouldn't have removed those, but perhaps you'd choose a package from McAfee or Norton that includes security/antispyware programs.

      Viruses in Linux are rare, but shouldn't you still install a virus checker, like f-prot?

    121. Re:What about by LilMikey · · Score: 1

      Then compare what you'd get on a well-made restore CD from a Windows vendor.

      Isn't using a distro the equivalent of someone else setting it up for you, just not actually taking the last step of installing it?

      ... What? This whole damn conversation has been about 'ease of installation'! The "just not actually taking the last step of installing it" is exactly the part we're talking about! All of the software is already set up for your machine. That's why you only have to pop in a disk or 'apt-get install' stuff... it's *all* already set up to work with your crap but not installed.

      I don't know where you're getting your restore disks but the ones I've seen haven't installed crap. The dozen Dells we got here at work only included original media... a disk for Windows XP SP2, a disk for NAV, a disk for MyDVD, a disk for PowerDVD, and a disk for MS Office SB. Not even disks for spyware, graphics editing, anything development, etc. My friend's Dell? Same story, original media. The Sony desktop system my wife's uncle bought ~1 year ago came with a restore disk that reinstalled the OS but came with separate disks for NAV and WordPerfect. Methinks the Sony DVD player crap might've been in the restore though. Point is, no one gives out a 'customized WinXP distro'; *at best* they give you a fairly vanilla XP restore with drivers and some disks.

      On a separate note, NO, it's not valid to compare a vendor supplied restore disk to a Linux distro first and foremost because it's locked to that hardware. Try running the restore disk after you've upgraded the hard drive? Oops, must've forgot about the secret 'restore partition'. Changed the CD-ROM, doh! Must be installed on factory CD-ROM. I can't think of a single tech that would say 'good thing they gave us a restore disk instead of the original media or this might've sucked'.

      Viruses in Linux are rare, but shouldn't you still install a virus checker, like f-prot?

      ... riiight. Then let's go through the steps to uninstall Outlook Express to eliminate arbitrarily insignificant threat X.

      --
      LilMikey.com... I'll stop doing it when you sto
    122. Re:What about by Em+Adespoton · · Score: 1
      Of course, my real point is that it's not fair to compare a vendor's distribution of Linux with a clean install of Windows XP.

      I just thought I'd point out that, as the grandparent, my point was not to do with ease of use/installation -- it was to do with security and stability. In the original article, Microsoft was comparing a vendor's distribution of Linux with a clean install of Windows XP, and pointing out how XP has way fewer security patches required. I was pointing out that a Linux distribution is a complete package, with compatibility testing and security testing done between all components -- this never happens on Windows XP; it is up to the end user/administrator to complete this task. However, one of the posts in this thread made a good point -- companies like Dell do bundle extra apps in and do some compatibility testing -- of course, the apps they add also often contain spyware etc. and generally have not been security tested -- after all, the same company does not have the ability to look at all the source code for all the software installed.

  2. Methinks... by KontinMonet · · Score: 1, Insightful

    ...they do protest too much.

    --
    Did he inhale?
    1. Re:Methinks... by SpaceLifeForm · · Score: 1

      Obviously, no one is buying it. The proof is that the site is not slashdotted.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  3. I think that I can say for most people here... by rednip · · Score: 5, Insightful
    rofl

    Microsoft is basing that claim on the number of patch distributions, not on size or severity; cute. So, just because they (usually) wait up to a month to release a patch, somehow they are better. FUD never had so much meaning. I'd be outraged, but words like this are so expected.

    --
    The force that blew the Big Bang continues to accelerate.
    1. Re:I think that I can say for most people here... by Darkon06 · · Score: 1
      Microsoft is basing that claim on the number of patch distributions, not on size or severity; cute. So, just because they (usually) wait up to a month to release a patch

      I agree, at least my linux box *IS* patched and on time (for the most part). Let them claim what they want all they want, it's one guy barking at the other.

      *Nothing to see here, move along*
    2. Re:I think that I can say for most people here... by Anonymous Coward · · Score: 0

      Slashbot to a t.

    3. Re:I think that I can say for most people here... by robslimo · · Score: 1

      Gee, they release 6 or 7 critical patches to XP SP2 earlier this week... they must be trying to make up for lost time.

    4. Re:I think that I can say for most people here... by Anonymous Coward · · Score: 0

      OK, let's negate the whole "who has the most patches" (surely that would be someone being proactive instead of reactive anyway) and look at right now, at this moment in time: which OS has the most number of known vulnerabilities? And surely a proactive approach to security would be better than a reactive approach. And is he talking about the base packages or every package that goes on a Linux distro if you just hit the install all button?

    5. Re:I think that I can say for most people here... by Anonymous Coward · · Score: 0

      Microsoft are too used to making ridiculous statements with no basis in reality or logic.

      See here

      The disclaimer notice was supposedly needed because this satirical blog entry was picked up and put on linuxtoday, osdir.com, newsforge and several other places as real news.

      Why? Because MS spew the most insane rubbish as press releases, and people have been sucking it up for so long that it seems just another day when they'll release something so stupid it's unbelievable... few question their blatant propaganda so they release more and more.

      This logic that more patches = less secure is just more of the same.

    6. Re:I think that I can say for most people here... by Zab+UvWxy · · Score: 5, Insightful

      Ah, but you're missing an important part of the original posting; the reference was to Win2k3 only.

      So, you state the words spoken between the lines, M$ is saying "forget our track record, forget what we said before, and ignore everything happening on our desktop systems; our server r0x0rs!", or something to that effect.

      It's easy to say that one version of a server OS, that is becoming less and less like its notoriously hole-ridden desktop brethren, is so much better than *anything* the competition can offer. It's much harder to actually do something about it; considering they've been saying essentially the same thing for several years now, they're not much closer to achieving the goal of a "trusted, secure" OS.

      --
      "I don't get it." -- ObviousGuy
    7. Re:I think that I can say for most people here... by spoonyfork · · Score: 0, Flamebait

      ROFL all you want but what the MS spin doctor knows that you don't is that no one can effectively counter his claim in the media. Efforts to do so sound like complaining and whining, like they can't come up with any initiatives of their own. (Interestingly you can draw a parallel to the US democratic party.) Also the PHBs who put servers in data centers that read this crap and let their opinion be formed by it cannot be told that the spin doctor is wrong no matter how valid or correct your reasons are. Why? Because you're now telling the PHB that he's wrong for believing the spin doctor. People don't like being told they're wrong, they resist it. They also don't like their beliefs challenged even if it is in their best interests. The spin doctor leaves enough open for challenge knowing the opposing voices will come across like obstructionists.

      The MS spin doctor is using time tested mass opinion manipulation effectively. This social engineering method has been used to colonize Iraq and will soon be used to bilk Social Security of billions of dollars. Those that disagree with me are part of the problem. Moderate me as flamebait and you're par for the course.

      --
      Speak truth to power.
    8. Re:I think that I can say for most people here... by Anonymous Coward · · Score: 0

      People don't like being told they're wrong, they resist it. They also don't like their beliefs challenged even if it is in their best interests

      Well, you see...

      Those that disagree with me are part of the problem. Moderate me as flamebait and you're par for the course.

      You said it all yourself.

    9. Re:I think that I can say for most people here... by whitespacedout · · Score: 1

      What's the difference between Microsoft Corporation Security Chief Mike Nash and Iraqi Information Minister Muhammed Saeed al-Sahaf?

      One spouts hilarious, barefaced lies with great conviction, contradicting the obvious facts and the other....um, hang on...

      Al-Sahaf ... is that you?

    10. Re:I think that I can say for most people here... by Anonymous Coward · · Score: 0

      grrr. I read this yesterday and at our LUG last night we discussed it and prepared a response to Microsoft. I've emailed the author asking for the article to be removed as a colossal waste of time. Googling shows that the general thought is it is a joke article.

      I don't think it has any place online when we're trying to fight the good fight.

    11. Re:I think that I can say for most people here... by iminplaya · · Score: 1

      ...they're not much closer to achieving the goal of a "trusted, secure" OS.

      And that's something we already have with our live CDs. They'll get the needed security when they produce a read only OS.

      --
      What?
    12. Re:I think that I can say for most people here... by Tablizer · · Score: 1

      You gotta love corporate spin. Reminds me of the story (possibly fake) about the programming shop that was paid in lines-of-code. One day a programmer discovered a simpler algorithm for something, and reduced reams of code. He had a negative line-count number and was called onto the carpet to explain himself to confused PHB's.

    13. Re:I think that I can say for most people here... by Anonymous Coward · · Score: 0

      MS is REALLY trying now: "Note that this is just one measure, and doesn't take into consideration all of the other progress we're making..."

      Hey. They're making progress, ok? Leave em alone.

    14. Re:I think that I can say for most people here... by jschottm · · Score: 1

      They'll get the needed security when they produce a read only OS.

      Read only doesn't equate to secure. A vulnerable knoppix system can be owned just as easily as a vulnerable hard drive installed system of any flavour. The long term damage is mitigated by ease of recovery, but rebooting will only take you back to where you were - in a vulnerable state. Doing forensics on an owned live CD is harder than a standard installation because there's not as much information that can be gleaned from the hard drive. And even after finding the vulnerability, most users don't have the know-how to master their own patched version of the live disc. Lastly, the slow development of the live CDs means that you're more likely to have vulnerable software...

    15. Re:I think that I can say for most people here... by ConceptJunkie · · Score: 1

      Good old Mr. al-Sahaf was more eloquent...

      --
      You are in a maze of twisty little passages, all alike.
    16. Re:I think that I can say for most people here... by legirons · · Score: 1

      "Ah, but you're missing an important part of the original posting; the reference was to Win2k3 only."

      So to be consistent, we should compare the popularity of Linux with that of Windows 2003 server...?

      Might make the numbers look rather too skewed if you pick and choose just like that!

    17. Re:I think that I can say for most people here... by Anonymous Coward · · Score: 0

      The MickeySoft(r)(tm) security officer couldn't tell his ass from the cleft in his chin.

  4. Sure! by obzidian · · Score: 1, Redundant

    Right and I have a lovely bridge you can buy...

    --
    Our lives begin to end the day we become silent about things that matter. - Martin Luther King, Jr.
    1. Re:Sure! by KingPunk · · Score: 0

      careful, i'll go SCO-style on your ass if you try to sell MY brooklyn bridge! ;)

  5. Is it just me... by Paolo+DF · · Score: 0, Redundant

    Or is M$ really flooding the media with a lot of their fantasies? also, they are not very funny any more...

    --
    Pumbaa! I don't wonder; I know.
    1. Re:Is it just me... by TheWGP · · Score: 1

      That is, unfortunately, about all M$ does. You've seen the "studies" they advertise about TCO, which have been largely debunked. You've seen the dismissive attitude. So what's new here? M$ has a very well-funded, well-oiled PR machine, and it's just working as normal here.

    2. Re:Is it just me... by Husgaard · · Score: 1
      Recently I saw a Forrester study on the TCO of J2EE/Linux compared to M$ products. One reason for the TCO of J2EE/Linux being higher was the high cost of commercial J2EE servers. The study did not mention that Open Source J2EE servers exist.

      Then I saw another Forrester study on the TCO of commercial support services for JBoss, a high quality Open Source J2EE server.

      It is sad how big money can make "independent" research companies distort their findings.

  6. Of course it is.... by beamz · · Score: 3, Funny

    when the machine is turned off.

    1. Re:Of course it is.... by Technician · · Score: 1

      when the machine is turned off.

      So how is a Windows machine turned off more secure than a Linux machine turned off?

      Oh, Oh.. I get it. If you use a boot disk, you can get into a Linux partition, but it's harder to get into an NTFS directory!

      Ducks...

      --
      The truth shall set you free!
    2. Re:Of course it is.... by Anonymous Coward · · Score: 0

      Our company still reboots their NT servers at midnight for the old memory leak problem. This brings everything down connected to them, so yes, it might make things more secure.

  7. Come on ... by Jimpqfly · · Score: 1, Insightful

    Do you *really* think he could one day admit the opposite? :)

    1. Re:Come on ... by Anonymous Coward · · Score: 0

      You know, this reminds me of...

      The Americans are not on the streets of Baghdad.
      *American tank rolls behind camera*

  8. Microsoft is indeed safer than Linux* by Anonymous Coward · · Score: 1, Insightful

    * when put behind a baffling series of hardware and software firewalls destroying all connectivity with said Windows machine. In addition, a 500 lb gorilla must be guarding the keyboard.

    1. Re:Microsoft is indeed safer than Linux* by Rosco+P.+Coltrane · · Score: 2, Funny

      when put behind a baffling series of hardware and software firewalls destroying all connectivity with said Windows machine

      There's nothing baffling about pulling the ethernet plug.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  9. No Real Surprise... by wasted · · Score: 3, Insightful

    If anyone from Microsoft said anything to indicate that their software is in any way inferior to other software, it would hurt their marketing.

    Knowing this, their only option is to claim that they have the best software.

    1. Re:No Real Surprise... by BobWeiner · · Score: 1

      and here's the obligatory PC Weenies cartoon on the subject.

      --
      The PC Weenies: 11 Years of Online Tech 'Too
    2. Re:No Real Surprise... by Anonymous Coward · · Score: 1, Insightful

      And Slashdot's only option is to post it every time, apparently. Hey editors: if I wanted to read MS press releases 24/7, I'd read MS press releases.

      This isn't news, and it doesn't matter. 0/2, yet again.

    3. Re:No Real Surprise... by freemacmini · · Score: 5, Insightful

      MS like most corporations know that the truth does not matter to Americans. Americans believe what they want to believe no matter what the facts are.

      History also shows that any lie that is repeated enough becomes indistinguishable from the truth.

      This is true in politics, it's true in entertainment and it's true in business.

    4. Re:No Real Surprise... by Anonymous Coward · · Score: 0

      Microsoft covers more than America you fucking retard.

    5. Re:No Real Surprise... by megarich · · Score: 1
      THANK YOU

      I'm not going to get into any debate on security but all I'm going to say is, I would not trust anyone at MS saying their product is safer any more than I would trust someone at Red Hat claiming their product is safer. It's their company, of course they're gonna say what people want to hear.....

    6. Re:No Real Surprise... by isometrick · · Score: 1

      "(http://www.pcweenies.org/)"

      "obligatory PC Weenies cartoon"

      "The PC Weenies [pcweenies.org]: Tech toons for tech enthusiasts"

      I sense that ... you like PC Weenies?

    7. Re:No Real Surprise... by EspressoMachine · · Score: 1

      Americans believe what they want to believe no matter what the facts are.

      Silly me, I thought that was a worldwide problem =P

      --
      Despite conventional wisdom, I've discovered you can blame a guy for trying. It's called "attempted murder".
    8. Re:No Real Surprise... by natrius · · Score: 1

      Yay! America bashing!

      Team Anti-America: America?! Fuck no!

    9. Re:No Real Surprise... by Procrastin8er · · Score: 0

      Sorry to break the news to you, the problem you describe isn't exclusive to Americans.

      --
      Slashdot - Where the slash is most definitely to the left.
    10. Re:No Real Surprise... by rhizome · · Score: 1

      The truth certainly does matter to Americans, but they'll (we'll? hmmm) believe what they're told. What other basis can you derive something that feels like the truth besides through the information you know? America is running high on belief these days, and Truth is very important to the world of belief.

      That said, I noticed your "freemacmini" link in your .sig. You know they're the same as the freeipod people, right? Well, they just had their TrustE membership cancelled for misusing private data. So good luck on that.

      --
      When I was a kid, we only had one Darth.
    11. Re:No Real Surprise... by miu · · Score: 2, Informative
      Americans believe what they want to believe no matter what the facts are.

      History also shows that any lie that is repeated enough becomes indistinguishable from the truth.

      The Big Lie was invented by the French in the 12th century and made infamous in modern times by the Germans. I don't think the problem is uniquely American.

      --

      [Set Cain on fire and steal his lute.]
    12. Re:No Real Surprise... by Anonymous Coward · · Score: 0

      > MS like most corporations know that the truth does not matter to Americans. Americans believe what they want to believe no matter what the facts are.

      s/Americans/people/g

    13. Re:No Real Surprise... by Anonymous Coward · · Score: 0

      "Americans believe what they want to believe no matter what the facts are."

      You believe what you want to as well. There is no evidence to show Linux is secure, yet there is a strong belief here that it's true. I've seen plenty of Linux boxes hacked, and know Linux security is no better than Windows.

    14. Re:No Real Surprise... by Anonymous Coward · · Score: 0

      i am an american and i don't buy into microsoft's lies. i use ubuntu gnu/linux as my primary os. anyways, shouldn't it be people from the united states? i think you are buying into a lie that all people from the america are citizens of the united states. unless you are bashing mexico, canada, brazil, chile and many other countless countries in america.

    15. Re:No Real Surprise... by Anonymous Coward · · Score: 0

      mexico, canada, brazil, chile and many other countless countries in america.

      No way! If those countries were in America, they'd get to compete in the World Series.

    16. Re:No Real Surprise... by freemacmini · · Score: 1

      I have not given them any private information. I set up a spamgourmet email address and gave them that. They can do whatever they want with it.

    17. Re:No Real Surprise... by Anonymous Coward · · Score: 0

      replacing american bashing with france and germany bashing.... go eat some freedom fries

    18. Re:No Real Surprise... by miu · · Score: 1
      replacing american bashing with france and germany bashing.... go eat some freedom fries

      Uhm, no - I was making the point that the tactic has been commonly used in the West since there have been institutions large enough and sophisticated enough to benefit. It has probably been used in Rome, China, Persia, Greece, and so on. The flaw that causes us to accept an agreeable big lie is part of human nature - not part of some fundamental flaw in Americans.

      --

      [Set Cain on fire and steal his lute.]
  10. Not the right time by Anonymous Coward · · Score: 0

    He should have refrained from making that statement this week. Wasn't it only Tuesday that MS had another bunch of its endless patches?

    1. Re:Not the right time by sparkster812 · · Score: 0

      Fat Patch Tuesday!

  11. Saying things makes them true. by bigtallmofo · · Score: 5, Interesting

    If you can just manage to say something that gets picked up by major news organizations, then it might make it come true.

    Or at the very least, you might at least fool some people enough to continue to give you money.

    --
    I'm a big tall mofo.
    1. Re:Saying things makes them true. by Citizen+of+Earth · · Score: 1

      If you can just manage to say something that gets picked up by major news organizations, then it might make it come true.

      I think it's a case of a corporate whore saying what he is paid to say, but the reason it got published is that the reporter heard a "Man bites dog" story. I.e., the reason it got picked up is that it is well known that the claims are false.

      "You know that something is well known when even journalists get it."

    2. Re:Saying things makes them true. by OldManAndTheC++ · · Score: 1
      Saying things makes them true.

      Really?! That's great! Let's try that ...

      (ahem)

      "I have a really, really big Johnson."

      (looks down)

      Whoa! It works! Say, let's try something else...

      "Windows is a secure operating system"

      (scratches head) That's weird, my nose got longer...

      --
      Soylent Green is peoplicious!
  12. All true by ArsonSmith · · Score: 5, Funny

    My linux computer is so overrun with spyware and viruses that it is completely unusable and it is firewalled.

    I connect my fresh installed XP system directly to the internet and I can go months before I get any malicious programs on my computer.

    hmm, or do I have that backwards?

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.
    1. Re:All true by skraps · · Score: 0

      What brilliant logic! I've had my C64 system on the net for years with absolutely zero infections. It must be the most secure system in the world!

      --
      Karma: -2147483648 (Mostly affected by integer overflow)
    2. Re:All true by spindley · · Score: 1

      I've yet to have any malicious program show up on my linux machine.

    3. Re:All true by berzerke · · Score: 2, Informative

      ...that the huge amount of spyware/viruses/etc available for windows is in fact due to its popularity...

      While Windows popularity does increase its attractiveness for malware writers, I don't think that is the only reason. Look at Apache vs. IIS. Apache has something like 69% of the market while IIS has about 21% (Feb 2005 Netcraft numbers). Better than a three to one ratio. Yet look how many viruses/worms there are from each. Hint: my (really quick) research showed about 14-16 (depends on how you count them) for IIS and 1-2 for Apache.

      Market share alone does not guarantee more attacks!

    4. Re:All true by dextroz · · Score: 0

      The logic used behind coding windows... sure explains a lot!

      --
      Where's my free iPod!? Until then, I'll settle for a kiss...
    5. Re:All true by Anonymous Coward · · Score: 0

      Posting AC, 'cause I'd like to mod you down. Why ? Because I just cannot believe my eyes when the "popularity argument" comes out again... Every time it comes up we try to explain, and every time it just goes up puff in smoke.

      Once again: popularity cannot be an excuse for spreading by many means insecure software while constantly stating everyplace+dog that it is the most secure in the world. In short: don't blather on it, just do it.

    6. Re:All true by Anonymous Coward · · Score: 0

      Nope, you have it correctly.

      Connect a fresh RedHat box and a fresh Windows Box, and see which one lasts the longest.

      Truth is neither one will go more than an hour.

      Now let's patch em up - Windows Click, reboot, click, reboot, click, reboot.

      Linux - ?? Don't know; I HAVE NEVER SEEN IT ACCOMPLISHED successfully IN 15 YEARS. It is different for every flavour. And there is no accurate source of what needs to be updated on my system. I spend days trying to figure out what I need then Click, compile, Error, Click, compile, Error, Click, compile, reboot, error, restore, error, click, compile repeat.

      Once you assholes take off your blinders and actually address linux's huge problems, it might actually penetrate more than .0001% of the desktops, and then be a target for viruses - wouldn't that be an accomplishment?

    7. Re:All true by Anonymous Coward · · Score: 0

      Don't spread FUD: IIS 6 is extremely secure out of the box, only one security problem (DoS) since it was released and that wasn't really in IIS itself (WEBDAV which is not installed by default)
      IIS 5 can be reasonably secure if you configure it with some expertise - ok too much to ask from the standard windows administrator ;-)

    8. Re:All true by Anonymous Coward · · Score: 0

      Never used 6, but I'll believe it when I see it (no offense)

    9. Re:All true by Anonymous Coward · · Score: 0

      Uhm ... click up2date, click, click, click.
      Done.
      No reboot unless it's a new kernel.

    10. Re:All true by Anonymous Coward · · Score: 0

      Maybe you should learn how to manage your windows computer more effectively :)

    11. Re:All true by Anonymous Coward · · Score: 0

      "apt-get dist-upgrade"

      No need to click anything.

      Also unpatched Linux installs now average 3 months before they are 'pwned', Windows is inside the hours range (or was it minutes?). You should read the report from the findings using Honeypots of various OSes.

    12. Re:All true by Anonymous Coward · · Score: 0

      hmm, or do I have that backwards?

      Nah, I think you're just living in the universe where Linux is the dominating operating system.

    13. Re:All true by Anonymous Coward · · Score: 0

      command not found.

      but thanks for helping make my point about lack of commonality among the flavours.

    14. Re:All true by Anonymous Coward · · Score: 0

      SSL Error [(blah blah INVALID CERTIFICATE)]
      really inspires confidence, but a few clicks later and ..
      "error creating account"

      Translation: buy support.

      Again, thanks for making my point about blinders.

    15. Re:All true by lakeland · · Score: 1
      I heard a clever argument against this yesterday on groklaw, let me know what you think: There are very approximately 10M linux desktops[1]. There were approximately 10M windows desktops in 1994[2]. In 1994, viruses came out more often than once a month, Good News was released in 1994. Spyware was rare, but modem dialers were fairly common.

      If the number of viruses and spyware programs were dependent on popularity, then linux would be as heavily attacked as windows was in 1994. That is, anti-virus software would be commonplace and people wouldn't want to leave the computer plugged into the modem when they weren't sitting at it. Actually, more linux attacks would be happening since we're hundreds of times better connected than we were in 1994. Yet, they're not. Why?

      1: I just checked on google and that number was exceeded about a year ago, but I couldn't find a more up-to-date figure.

      2: Actually, I think 1994 was too late and we'd have to include linux servers if we wanted as many machines as windows had in 1994. From an annual report:

      To be sure, the PC has yet to evolve to the point where its appeal is universal. Only 13 percent of the world's office workers use PCs. And a mere four percent of the world's households own PCs. In the U.S. alone, more than 60 million homes remain PC-less.
      I realise I've essentially ignored your 'dumb users' argument. Partially this is because I don't think it is true: I just put my mother-in-law on linux (linspire) because I didn't trust her with windows. It is also partially because I wanted to see how you'd react to the different argument :)
    16. Re:All true by Anonymous Coward · · Score: 0

      No, being Microsoft guarantees more attacks.
      It's much more cool to write a worm for IIS than it is to write one for Apache.
      I also wonder if microsoft makes it too easy for server admins to do their job, to the point of some places letting just anybody fiddle with the boxes.

  13. That reminds me ... by graphicartist82 · · Score: 2, Funny

    ... I need to approve the new MS patches on the SUS server.

  14. Credibility and Redmond? by basking2 · · Score: 5, Insightful

    We see these posts trumpeted by entities like Slashdot. Is it warranted? Does Redmond have any credibility on things like this left? Should we be paying any more attention to this sort of behavior than to just consider what MS is doing? :\ I'm more interested in the well thought out comments all-y'all have.

    --
    Sam
    1. Re:Credibility and Redmond? by CrankyFool · · Score: 4, Insightful

      Redmond has significant credibility within the sector that actually gives purchasing approval (rather than, perhaps, purchasing recommendations). When they come up with something like "look, we only released 15 patches instead of Linux's 1028426," that's a very simple message that many people will have problems seeing through. These people will go away from reading this story believing, simply, that Microsoft is right. Sadly, some of them will likely be influenced by their unwillingness to believe a company representative would utter such a bald faced lie (and of course, in some respects he's not lying. Linux has had a ton of patches; WS2003 has not. Those are the facts. What they mean, of course, is exactly the opposite from what he claims they mean).

      Worst of all, though, is that if Information Week or any other "I'm an important IT person and I read industry publications" magazine carries a story on the front page that says "Microsoft Security Chief: Windows More Secure Than Windows," then 3-4 days after they saw the story (and maybe not even read it), your average PHB will just remember the "You know, I seem to remember recently that someone came out and said Windows was more secure than Linux. I don't remember how they proved it or where I saw it, but I distinctly remember it..."

      Which is why I do think there's value in a vigorous response and a careful analysis of the claims in an effort to make sure we're ready to vehemently argue against this insanity.

    2. Re:Credibility and Redmond? by Anonymous Coward · · Score: 0

      Blow me!

      Biatch!!!!!!!!!

      Yo Mama!

    3. Re:Credibility and Redmond? by SharpFang · · Score: 1

      Oh, the editor confused the icons. Not this but this.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    4. Re:Credibility and Redmond? by Anonymous Coward · · Score: 0

      all-y'all? Forgive my ignorance, but what dialect is that? I always thought "y'all" was a sufficient plural 2nd person in many Southern dialects. This isn't a troll, but a legitimately curious linguist question.

    5. Re:Credibility and Redmond? by IceAgeComing · · Score: 1

      There are new users on Slashdot every day who probably need to read this.

      Thankfully, Slashdot has a feature that hides the Microsoft threads if you're not interested any more. So people for whom Microsoft has no credibility left don't have to bother reading.

    6. Re:Credibility and Redmond? by Anonymous Coward · · Score: 0

      I've understood it now.
      The most secure system is the one with the least patches.
      So, if everyone stops releasing bug fixes and security updates for Linux, it will become more secure!

    7. Re:Credibility and Redmond? by Rudeboy777 · · Score: 1

      When they come up with something like "look, we only released 15 patches instead of Linux's 1028426,"

      Well Linux actually had LESS than 15 security patches in that time. That's why the marketing schmoe had to mention Red Hat and SUSE's distributions by name, since when you talk about Linux you're talking about the kernel only. The astronomical number of patches includes plenty of application software, while the 15 2K3 patches doesn't include Office, Project, Visio, etc. Apples and oranges.

      --

      From hell's heart I fstab at /dev/hdc

    8. Re:Credibility and Redmond? by bwy · · Score: 1

      We see these posts trumpeted by entities like Slashdot. Is it warranted? Does Redmond have any credibility on things like this left?

      We see that every time Slashdot posts a story about Microsoft, they post a picture of a borg version of Bill Gates, or a shattered Window icon. Does Slashdot have any credibility or objectivity when this is the first thing they show you?

      Clearly, the editors have already made up their minds and are trying to make up our minds before we have a chance to decide for ourselves. Not to mention, it is just childish. People talk about the bias of CBS, Fox News, CNN, etc. What if, behind the anchor person, they put up icons like the ones Slashdot uses for Microsoft stories? Gimme a break.

    9. Re:Credibility and Redmond? by basking2 · · Score: 1

      Rofl! I could not agree more. :)

      --
      Sam
    10. Re:Credibility and Redmond? by podperson · · Score: 1

      It's actually worse than that.

      It's not a question of needing to persuade folks not to use MS so much as denying them excuses for sticking with MS. After all, they're still claiming Macs are more expensive (based on sticker price) when they know perfectly well that a Mac's TCO is lower.

  15. FUD by Libor+Vanek · · Score: 4, Insightful

    FUD on the horizon, sir ;-)

    - if you compare RedHat/SuSE then you have to compare it to Windows Server + complete BackOffice + complete Visual Studio + complete MS Office and you still are not close enough...
    - I'd be interested in average time to fix critical bugs...
    - also number of known un-fixed critical bugs will be interesting (incl. IE on Windows)

    1. Re:FUD by drew · · Score: 1

      - if you compare RedHat/SuSE then you have to compare it to Windows Server + complete BackOffice + complete Visual Studio + complete MS Office and you still are not close enough...

      + windows media player (is this in windows server 2003 by default? not sure.) + photoshop + illustrator + acrobat + quicken + instant messaging + putty + ...

      and then to top it all off, throw in two competing versions of all the above. that should get you close.

      --
      If I don't put anything here, will anyone recognize me anymore?
    2. Re:FUD by hattig · · Score: 1

      Maybe somebody should actually retort to things like this with the data presented in a different way, instead of just whining about it on a website ...

      If RedHat / SUSE / etc came out and said "10 patches in the server installation of our Linux, fixed within days, compared to ..."

    3. Re:FUD by Anonymous Coward · · Score: 0

      For a good bit of all those you could easily have a 3rd or even a 4th version (think of browsers, Mozilla, Firefox, Galeon, and Konqueror).

  16. Request new Slashdot Section by Neil+Watson · · Score: 5, Funny

    I think we need a new section for these stories. I propose we call it 'Flamebait'.

    1. Re:Request new Slashdot Section by tickleboy2 · · Score: 0

      Actually I thought it would be appropriate if the logo for it was a crack pipe....

      --
      The only thing that will stop you from fulfilling your dreams is you. - Tom Bradley
    2. Re:Request new Slashdot Section by Anonymous Coward · · Score: 0

      Thought we did, it has the foot icon and says "It's funny, Laugh!"

      maybe if it applies to MS you can add a borg wire poking out of the ankle and laser pointing out of the toe.

    3. Re:Request new Slashdot Section by Anonymous Coward · · Score: 0

      Really? I thought it was called "Your Rights Online."

    4. Re:Request new Slashdot Section by Jane_Dozey · · Score: 1

      Can't we just extend the foot upwards and have steve ballmer?

      --
      Silly rabbit
    5. Re:Request new Slashdot Section by Technician · · Score: 1

      I think we need a new section for these stories. I propose we call it 'Flamebait'.

      We do already. It's the icon of a bare foot.

      --
      The truth shall set you free!
    6. Re:Request new Slashdot Section by Anonymous Coward · · Score: 0

      and let's not forget "SCO/Caldera"

      Hell, let's just call the place "Trolls and Nerds. Flamebait bonanza"

    7. Re:Request new Slashdot Section by Andrewkov · · Score: 1

      Aren't *all* the articles intended as flame bait?

  17. Not Surprised by PhreakinPenguin · · Score: 5, Insightful

    "Mike Nash, Microsoft's Chief Security Executive"

    What does everyone think he's supposed to say? Windows security is inferior to linux? He'd lose his job.

    --


    My sig of choice is Marlboro
    1. Re:Not Surprised by Libor+Vanek · · Score: 0

      There are many ways of telling the truth - other than lying....

    2. Re:Not Surprised by gmuslera · · Score: 1

      What about joking? Because that is what they must be doing with that claim.

    3. Re:Not Surprised by Anonymous Coward · · Score: 0

      He should lose his job.

    4. Re:Not Surprised by saskboy · · Score: 1

      I've heard that if you don't have anything true to say, you should say nothing at all. It must pain him to have to lie to keep his job.

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
    5. Re:Not Surprised by _Sprocket_ · · Score: 1
      What does everyone think he's supposed to say? Windows security is inferior to linux?

      There's plenty of other things he could say. He could talk about Microsoft's increased awareness for security issues. This includes MS' relatively recent history of providing security fixes at a faster rate. MS' championing of "responsible disclosure", giving them the ability to provide patch clusters at scheduled times to take some of the pressure off of sysadmins having to deal with them. He could go on about Microsoft's continuing effort of "trusted computing."

      Granted - each of these also has its collection of side issues. But they would be easier to defend than the dubious argument generated by comparing themselves to Linux. Heck - the argument used to be that mentioning Linux at all was unwise.
    6. Re:Not Surprised by Monoman · · Score: 1

      So he is like the Iraqi Minister of Information.

      --
      Keep the Classic Slashdot.
    7. Re:Not Surprised by Anonymous Coward · · Score: 0

      you can't just throw any old adjective into a cliche, you know.

      it's: "If you don't have anything nice to say, you should say nothing at all."

    8. Re:Not Surprised by BC+Guy · · Score: 1
      What does everyone think he's supposed to say? Windows security is inferior to linux? He'd lose his job.

      Why are you so sure?
      He's the asshat responsible for the sorry state of windows security in the first place. If that distinction isn't enough to get him fired, then it's doubtful that anything he might say would make a difference.

    9. Re:Not Surprised by Anonymous Coward · · Score: 0

      my cubemate's response:

      "Do they mean the guy who's responsible for making sure the doors are locked at night?"

    10. Re:Not Surprised by Kwil · · Score: 1

      I guess this means we're at the stage:

      "Then they fight you"

      --

      That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze

    11. Re:Not Surprised by saskboy · · Score: 1

      I may know that, and you may know that, and so should everyone else, which is what makes the second part of the comment insightful, with a bit of a joke thrown in.

      Microsoft employees lying to keep their job.

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
  18. And the pope says by Anonymous Coward · · Score: 0

    There is only one god!

    :shock: :awe:

  19. From TFA... by jskiff · · Score: 4, Insightful

    "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."

    This actually brings up an interesting point. Does Windows have less bugs (I know, I know) than these Linux distros? Or are Red Hat and Novell more proactive to fix the bugs they do have? Unfortunately, my guess is most PHBs would think the former.

    --
    It's "no one," not "noone." Who the hell is noone anyway?
    1. Re:From TFA... by MarkGriz · · Score: 2, Informative

      This actually brings up an interesting point. Does Windows have less bugs (I know, I know) than these Linux distros? Or are Red Hat and Novell more proactive to fix the bugs they do have?

      Actually, I think a more important question is, how significant of a security risk are the respective bugs?

      The claim is that MS had less vulnerabilities than various Linux distros. Yet, I'd be willing to bet many of the Windows security holes are big enough to drive a truck through. Remote exploits and the like. If the Linux vulnerabilities were rather obscure and difficult to exploit (especially remotely), then the comparison is apples to oranges and clearly FUD (surprise surprise)

      --
      Beauty is in the eye of the beerholder.
    2. Re:From TFA... by Trigun · · Score: 3, Insightful

      I have yet to view a listing for the bugfixes for Suse and Red Hat, but history shows that a majority of the patches are for applications, not the core OS.

      The fact that you can break linux down into kernel, library, and application bugs, and with Windows you really can't.

      Also, did MS also include patches to WinAmp, mIRC, etc? Of course not. They package one window manager, one filesystem, one kernel, one webserver, one sql server, one browser. Even at a patch per package ratio, they are losing.

    3. Re:From TFA... by Enry · · Score: 1

      A better comparison would be to compare all of MSFT's offerings that run under W2k3 server: MTA, web server, compilers, etc. These items (or their equivalents) are included in RHEL and SuSE.

      RHEL 3 comes on 4 CDs. AFAIK, W2k3 comes on 1 CD. That would equate to 15 bugs/CD for Windows and 8.5 bugs/CD for RHEL. I don't know how many CDs SuSE comes on, but it's probably more than 4.

    4. Re:From TFA... by johnhennessy · · Score: 1

      A more interest point from the figures is why RHEL 3 had 34 patches and SuSe had 78 !

      Does that make RHEL 3 two times more secure than SuSe (I doubt it !).

      This is like comparing the performance of sports cars by how often you get a flat tyre.

      I can't believe that people like this still get the press they don't deserve.

      At this stage I'm nearly thinking - it might nearly be better if people were to believe these little gems. When they get burned later on we can always just say two things to them - (1) told you so and (2) go get a linux distro.

      Even PHBs have some amount of intelligence - they won't stick with something that doesn't work UNLESS people give them a reason.

      If you oppose their stance (for example: "Don't adopt Windows, it's rubbish. We'll pay dearly in the long run.") it only gives a reason not to switch back. They don't want to look like idiots (which they will) and will be determined to try and prove you wrong by saying things like "Well, it produces all these nice graphs for me".

      By taking a more neutral stance (but still making sure that your own rear is covered) they'll learn this all for themselves -

      "Project came in 1 week late. Of which we had two weeks of downtime because IT spent the time fixing the Exchange servers (again)."

      I'm sure the accounts department will do the sums and let them know that they need to "fix this".

      --
      [ Monday is a terrible way to spend one seventh of your life. ]
    5. Re:From TFA... by Anonymous Coward · · Score: 0

      >Are we comparing apples to oranges here?
      >And no, I'm not referring to OSX, so don't try the play on words.

      No, that would be comparing apples to lemons ^_^

    6. Re:From TFA... by Anonymous Coward · · Score: 0

      I don't know about 15, but my Windows 2003 servers said they needed 12 critical updates since I updated them last, which was about a month ago. This was according to the Microsoft Windows update site.

    7. Re:From TFA... by Seriman · · Score: 1

      It's also useful to note that the Redhat distros are maintaining updates for software they didn't write. The battle of Linux vs Windows where security updates are concerned is more appropriately Open Source vs Windows. MS patches software they produce, but open source as an entity is significantly larger and has a wider variety of solutions. If RH is publishing twice the bugfixes, it's because they provide 20 times the software.

    8. Re:From TFA... by tehshen · · Score: 1

      Does Windows have less bugs than these Linux distros?

      Who knows? Microsoft control the source - they decide what constitutes a bug or not, and whether or not to disclose it.
      It is possible that Windows is absolutely crawling with little-known bugs and vulnerabilities, and Microsoft only discloses the ones it is going to fix. Then they can say "Look, 97% of our bugs are fixed! Now take a look at the list of RedHat bugs, it's huge!" and we would be none the wiser.

      --
      Guy asked me for a quarter for a cup of coffee. So I bit him.
    9. Re:From TFA... by Anonymous Coward · · Score: 0

      Does Windows have less bugs (I know, I know)

      You mean you know you should have said "fewer bugs" since bugs are discrete? So why didn't you?

    10. Re:From TFA... by miyako · · Score: 2, Insightful

      While I am certainly much too lazy to actually look at the recent 78 patches for Suse, based on my memory, most of the patches as of late have been for some pretty obscure bugs with no known exploits.
      The other big thing about the difference in the number of patches is that a windows patch may actually patch a number of libraries, whereas with Linux each would be a different patch.
      I do agree that overall Linux distributions do tend to have more patches than windows, but that's largely because Linux distributions tend to have a lot more packages. I'd like to see the actual patch:package ratio for windows vs linux.
      All that said, as others have mentioned before, a system is really only as secure as the administrator. I have a friend with a WinXP system that's been running like a champ with no virus/malware/crapware for a couple years now. On the other hand, one of my Linux using friends was rooted not too long ago (though it wasn't because of a security vulnerability as much as his complete lack of sense, his home directory was world-writable, and he'd put ./ in his path, plus he had an anonymous ftp server running), someone was apparently using his machine to download warez off bittorrent then using FTP to pull them off his machine.
      In the end the reason MS is less secure than Linux on average is because humans are the weakest link in the security chain, and the weakest links tend toward windows, and while having an OS designed with security in mind can help to mitigate some problems, in the end people will always find a way to get themselves pwned.

      --
      Famous Last Words: "hmm...wikipedia says it's edible"
    11. Re:From TFA... by slapout · · Score: 1

      "Microsoft has fixed 15"

      "Red Hat Enterprise Linux 3 users have had to"

      "SuSE Enterprise Linux 9 users have had"

      Seems to imply that Microsoft doesn't have to fix bugs. They just fixed these because they wanted to.

      --
      Coder's Stone: The programming language quick ref for iPad
    12. Re:From TFA... by Stinking+Pig · · Score: 1

      A lot of people are confused by the fact that the Windows OS is one CD worth of basic stuff, while a Linux distribution is 5 CDs worth of everything under the sun.

      The guy does have a point though, which in typical Slashbot fashion is being completely missed: Server 2003 is not as bad as its predecessors, and the "Linux" that most American IT people think of, Red Hat, is not as good as its companions.

      Sure, an XP Workstation held up against Mandrake or Gentoo is going to be shredded from a security standpoint. But put default installs of a Server 2003 box and a RHEL3 box online and I'll bet it's even money which one gets hacked first.

      --
      "Nothing was broken, and it's been fixed." -- Jon Carroll
    13. Re:From TFA... by Klivian · · Score: 1

      >Are we comparing apples to oranges here? Yes, and probably to bananas too.

      But let's be serious for a moment, and take a look at what kinds of bugs we are talking about.

      Many of the recent bugs in RH are in the kind of applications which MS don't bundle with any version of windows, like the recent bugs found in xpdf.

      Those bugs in xpdf actually affected several applications, and the result was several patches. For Windows this kind of bug results in only one patch, even if several parts are affected.

      Another common category of bugs in Linux systems are the kind making it possible for local users to gain root access. Since administrator mode is more or less the default on windows this is not comparable either.

      Having this in mind and removing the bugs that don't have comparable parts, making it apples to apples, I think the number of bugs in Linux would be close to Windows' 15. And then you can sort the bugs by how easy they are to exploit, and see which is really more secure.

    14. Re:From TFA... by Anonymous Coward · · Score: 0
      Does Windows have less bugs (I know, I know) than these Linux distros?

      You obviously do not know. It's "fewer bugs."
    15. Re:From TFA... by _Sprocket_ · · Score: 1
      In the end the reason MS is less secure than Linux on average is because humans are the weakest link in the security chain, and the weakest links tend toward Windows, and while having an OS designed with security in mind can help to mitigate some problems, in the end people will always find a way to get themselves pwned.

      That's a very good point. But I would point out that there are other issues.

      A big point is the modularity of Linux. I can rip out almost any Linux subsystem - what's not installed can't be exploited. Linux patches tend to be fairly benign with little impact to the overall function of the system. And, combining the two, the patches are very specific to the particular subsystem being patched - patching Widget X doesn't affect Widget Y or its configuration.

      Another major issue is the software involved. Common architectures available on Linux systems tend to be based on lessons learned from Unix's early Internet crucible years as well as Microsoft's faults. In short, there is an apparent effort to avoid fundamental architectural flaws previously found in other systems (not that this has to be limited to "Linux"). Linux also comes out-of-box with some very powerful functionality - iptables for example. And while similar capabilities can be found on Windows, it often requires additional software purchases.
    16. Re:From TFA... by jez9999 · · Score: 1

      how significant of a security risk

      The 'of' is superfluous and an annoyance. Please don't use it.

    17. Re:From TFA... by tomstdenis · · Score: 1

      I think many "patches" aren't for actual vul's but just fixing things [e.g. making it better]. There are many "gotchas" in win32 software that we just put up with [explorer.exe being a big one...].

      But shh, why let "facts" destroy an otherwise nice argument.

      --
      Someday, I'll have a real sig.
    18. Re:From TFA... by houghi · · Score: 1

      I don't know how many CDs SuSE comes on, but it's probably more than 4.

      SUSE LINUX 9.2 Pro comes on 5 CDs and then there is a LOT of software that is not included and no source code. The rest is on the DVD. The list is here

      --
      Don't fight for your country, if your country does not fight for you.
  20. For God sake... by REBloomfield · · Score: 0
    Is anyone else sick of this 'my dad is bigger than your dad'? Just let the informed admins make their own decisions about what's best for their networks, and quit bitching. All of you.

    1. Re:For God sake... by zr-rifle · · Score: 0

      No, it's more akin to the "my penis is bigger than your penis", except his is infected with syphilis and he doesn't know it.

      --
      Hack your mind out of its sandbox.
    2. Re:For God sake... by Silver+Sloth · · Score: 1

      If only it were the informed admins. I work for a major international IT business and our security team read and believe stuff like this. So when the people with the money are making decisions, will they listen to the informed admins or the security team on security issues.....?

      --
      init 11 - for when you need that edge.
    3. Re:For God sake... by REBloomfield · · Score: 0
      that's um, worrying. really? wow.....

    4. Re:For God sake... by dAzED1 · · Score: 1
      yes, really. All they read are certs. They don't understand that XYZ application is disabled on your box, or that the exploit only occurs when someone is logged in locally and running X, or...whatever else. All they see is a cert advisory.

      I work for a very large corp, and we're constantly getting notified by the security teams that we need to do XYZ patches. Patches for packages that aren't even installed...and we don't even run linux. We run Solaris and AIX, yet the security team here is absolutely certain that Win2000 is more secure.

      Yes, really. Sad, no?

  21. So what? It's his job by Dancin_Santa · · Score: 0

    Sounds more like someone was baiting him in the chat log.

    Q: When did you stop beating your wife?
    A: Well, I ... I've never beat my wife.
    Q: We know you are lying. Liar.
    A: I can only defend my record as far as I have one. I am not a wife beater.
    Q: Liar liar pants on fire!

    Why do these people even come to these online chats?

  22. Ha! by AltGrendel · · Score: 1
    Go ahead.

    Try and prove it!

    I dare ya.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

  23. And later.. by salvorHardin · · Score: 5, Funny

    ...when the world stopped laughing, it was revealed this person might have some sort of conflict of interest, being that he works for MS and all....

    1. Re:And later.. by Jeff+Hornby · · Score: 0

      ...when we have stopped laughing, it was revealed that most of the people on Slashdot had some sort of conflict of interest, being that Linux and OSS is their religion and all...

      --
      Why doesn't Slashdot ever get slashdotted?
    2. Re:And later.. by Anonymous Coward · · Score: 0

      Laughing? MS is the one laughing - they just extrapolated the recent election win....

    3. Re:And later.. by Anonymous Coward · · Score: 0

      ...and in other news, Linus Torvold today claimed that Linux is more secure than Windows.

    4. Re:And later.. by Anonymous Coward · · Score: 0

      feck.. I really should have used PREVIEW... that should have been Linus Torvalds

  24. Quoted from the article... by cnelzie · · Score: 3, Insightful

    Microsoft's top security honcho insisted Thursday that Microsoft "is making progress on security using any reasonable metric."

    What is a 'reasonable metric'? Is that one that only provides the results that one wishes to see, or is that a metric provided by a reputable security organization that is known for being extremely truthful and accurate in its results?

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
    1. Re:Quoted from the article... by Joey7F · · Score: 1
      What is a 'reasonable metric'?


      I heard they are using an unpatched public Windows ME terminal with desktop links to various websites offering free items as their base line.

      I for one look forward to these improvements. I hope Longhorn is loaded with the application I can't live without...PrecisionTime (tm)

      --Joey
  25. Outright FUD? Give me a break.. by Gr8Apes · · Score: 1

    Too bad we can't mod the story as a troll....

    How many fixes in Windows were for vulnerabilities that allowed the machine to be remotely owned, vs how many for Suse or RH? How many for local vulnerabilities?

    --
    The cesspool just got a check and balance.
  26. Windows and Red Hat by bruceleekick · · Score: 5, Informative

    Windows 2003: currently, 5 out of 44 Secunia advisories are marked as "Unpatched" in the Secunia database. Red Hat: currently, 0 out of 133 Secunia advisories are marked as "Unpatched" in the Secunia database. I think I would rather take a system that is all patched than one that is unpatchable.

    1. Re:Windows and Red Hat by Anonymous Coward · · Score: 0

      Currently, 5 out of 44 Secunia advisories, is marked as "Unpatched" in the Secunia database

      Um, how reliable is their data? This one's definitely been fixed, for example.

    2. Re:Windows and Red Hat by blanks · · Score: 1

      Yes they have 44 advisories, but how many of these are really a threat?

      An IE exploit is (or should not) be a thread on your server. If your doing web browsing on your server then you sould expect nothing but bad things to happen.

      I looked though many of these advisories and most of them are local exploites or are related to a local user needing direct access to the OS.

      If you have so many people accessing your server directly/locally, then you have alot more problems then any advisories listed in their database.

    3. Re:Windows and Red Hat by pHDNgell · · Score: 1

      An IE exploit is (or should not) be a thread[sic] on your server.

      Isn't this the OS that doesn't allow you to remove IE? I don't run it, so I don't know for sure, but my casual observation would show that it's required at least if you want to keep it patched.

      If your[sic] doing web browsing on your server then you sould[sic] expect nothing but bad things to happen.

      That's just silly. We used to run Netscape from our Solaris servers occasionally to get big downloads over the fast connection for patches or whatever. There wasn't much of a chance of that being a risk then.

      I looked though many of these advisories and most of them are local exploites or are related to a local user needing direct access to the OS.

      Well then, good thing the applications you run on these boxes are written by people who would never have a bug that allowed unauthorized access, right? When I did break into the Solaris boxes as described above, I did it through a bug in a CGI I found. I.e. *our* application let us in, not the OS. Now it's the OS' job to limit the damage.

      If you have so many people accessing your server directly/locally, then you have alot[sic] more problems then any advisories listed in their database.

      One could see it that way. One could also look to systems that have lots of direct users with few security problems. sourceforge shell servers come to mind. I don't hear about those getting rooted too often, but you can't give people much more direct access.

      --
      -- The world is watching America, and America is watching TV.
    4. Re:Windows and Red Hat by KiltedKnight · · Score: 1
      There are also 21 out of 87 marked as Unpatched for Windows XP Professional... at least one of them is marked as "highly critical"

      View them here

      --
      OCO is Loco
    5. Re:Windows and Red Hat by Anonymous Coward · · Score: 0

      Yes, Secunia rocks as long as it considers my windows farting a vulnerability..

  27. Of course the don't include... by Anonymous Coward · · Score: 2, Insightful

    ... patches to Exchange, IIS, MS-SQL, Office and the rest of their bug ridden software.

    1. Re:Of course the don't include... by aug24 · · Score: 4, Interesting
      2005-to-date appears to be a unique time in history that he can make this claim vaguely valid, but when you just look at the totals for the systems you get different info.

      Secunia totals are...

      Server 2003; 5 unpatched of 44
      Office; 2 unpatched of 7
      Exchange 2003; 1 unpatched of 3
      IIS 6; 1 unpatched of 3
      SQL Server 2000; 1 unpatched of 10
      Total; 10 unpatched of 67

      Justin.
      Apologies for the crap formatting, /. should let me use tabs. So there.

      --
      You're only jealous cos the little penguins are talking to me.
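Several posters in this thread ask for the same missing figures: a patch:package ratio, the number of advisories still unpatched, and a remote-versus-local split, rather than the bare "15 vs 34 vs 78". As an added example (not code from the thread, from Secunia, or from any vendor named here), this script derives those comparable figures from a list of advisory records. The product names, severity scale, package counts and every advisory below are constructed sample data:

```python
"""
Normalising raw advisory counts before comparing two products.

Added example; not code from the Slashdot thread or any vendor it names.
All advisory records and package counts are constructed sample data.
"""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Advisory:
    product: str    # product the advisory applies to (hypothetical names)
    severity: str   # "critical", "moderate" or "low" (constructed scale)
    remote: bool    # True if exploitable without a local account
    patched: bool   # True if the vendor has shipped a fix


# Constructed sample advisories for two hypothetical products.
SAMPLE_ADVISORIES = [
    Advisory("ProductA", "critical", True, True),
    Advisory("ProductA", "critical", True, False),
    Advisory("ProductA", "moderate", False, False),
    Advisory("ProductA", "low", False, True),
    Advisory("ProductA", "moderate", True, True),
    Advisory("ProductB", "critical", True, True),
    Advisory("ProductB", "critical", True, True),
    Advisory("ProductB", "moderate", False, True),
    Advisory("ProductB", "low", False, True),
    Advisory("ProductB", "moderate", True, True),
    Advisory("ProductB", "low", False, True),
    Advisory("ProductB", "moderate", False, True),
    Advisory("ProductB", "critical", False, True),
]

# Constructed package counts: ProductA ships few packages, ProductB many.
PACKAGE_COUNTS = {"ProductA": 40, "ProductB": 400}


def summarize(advisories, package_counts):
    """Per-product metrics that stay comparable across products of different size.

    Returns a dict keyed by product with:
      total             raw advisory count (the figure quoted in the chat)
      unpatched         advisories with no vendor fix yet
      unpatched_remote  unpatched advisories exploitable remotely
      remote_critical   remote + critical advisories, patched or not
      per_100_packages  advisories per 100 shipped packages
    """
    buckets = defaultdict(list)
    for adv in advisories:
        buckets[adv.product].append(adv)

    result = {}
    for product, advs in buckets.items():
        pkgs = package_counts[product]
        unpatched = [a for a in advs if not a.patched]
        result[product] = {
            "total": len(advs),
            "unpatched": len(unpatched),
            "unpatched_remote": sum(1 for a in unpatched if a.remote),
            "remote_critical": sum(
                1 for a in advs if a.remote and a.severity == "critical"
            ),
            "per_100_packages": round(100.0 * len(advs) / pkgs, 1),
        }
    return result


def most_exposed(summary):
    """Rank by what is usable against the box today: unpatched remote holes
    first, then any unpatched hole, then advisory density per package."""
    return max(
        summary,
        key=lambda p: (
            summary[p]["unpatched_remote"],
            summary[p]["unpatched"],
            summary[p]["per_100_packages"],
        ),
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_ADVISORIES, PACKAGE_COUNTS)
    for product, metrics in sorted(summary.items()):
        print(product, metrics)
    print("most exposed:", most_exposed(summary))
```

With this constructed data ProductB has the higher raw count (8 advisories against 5) yet comes out less exposed, because every one of its advisories is fixed and it ships ten times as many packages; that is the distinction the raw "15 vs 78" comparison hides.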
    2. Re:Of course the don't include... by electroniceric · · Score: 1

      One of the things I've always wondered is why Microsoft has put out so much buggy software. I mean on the coding side, they hire pretty smart people (e.g. Waterloo), and their biz devs obviously know a thing or 42 billion. So why are there such persistent problems with their software? Solaris or AIX, for example, have bugs, but have they ever had a period like this where there were just vast bugs found all the time?

      When you think about there really is kind of a paradox there - obviously talented programmers, obviously talented business people, plenty of money. So why are they shipping systems with excessive bugginess? I really don't know the answer. I've found that as a company it has a huge ego - most Microsofties I've met really think on some level they're leading the world to new places, and certainly that's the kind of cheerleading that goes on within the company. The only other thing I can think of is that their strategies of acquiring and integrating lot of software, plus running competing teams and cherry-picking what they like best lead to a lot of quick deployments but fractured designs. Anyone know anything more about this?

    3. Re:Of course the don't include... by Mr.+No+Skills · · Score: 1

      I have no insight outside of having been a customer of theirs for 20 years.

      My speculation has always been that the foundation of Microsoft is sand. There's such a strong need to be backward compatible with new products that they're not able to make the "System 9 to OS X" kind of leap that others do. Part of this might be that it's got to be career suicide to point out any mistakes that Bill might make, and his hand is (supposedly) on all the technical decisions.

      Another part is that the whole split of software to hardware makes it difficult to create good design, since you have to cater to the least common denominator and you have technology being advanced by hardware guys outside your direct control. Apple obviously has a huge advantage in this area and it accounts for the tremendously advanced style of their machines compared to the Windows based bland things produced by everyone else.

      The employee angle is the one I can't figure out. They obviously are hiring all the smart people they can, as they have the cash to throw at people (how does an MIT grad take that MS position without thinking they're selling their soul? Maybe people don't care about that anymore). But if they have so many smart people how come they seem to be wasting so much time producing uninteresting, uncreative, buggy stuff? I know there's a lot of dumb people creating problems on their machines everyday (customers), but how come they can't figure out how to isolate and protect critical parts of their products from that? Why do they think that every product should have a million icons and functions that confuse or don't work?

      How come PowerPoint hasn't changed substantially since 1997? Seems to be a real "Physics Olympics" kind of question to figure out how many mind-numbing PowerPoint slides of bullet points are created every day. Or the IE rendering weaknesses. Or MS Project's inability to produce usable output? Etc. etc. etc.

      Turned into kind of a rant, I know, but these aren't shareware products, these are $400, $500, $600 products bought in the millions of copies. It's either the arrogance of the employees that squeezes all the real creativity out of them (or they don't care), or it really is a technically impossible task to create high quality software that runs universally on other people's hardware.

      (In the interest of disclosure, I bought my first Apple product three weeks ago. I no longer understand how people rationally decide to purchase a Microsoft product for personal use).

      --
      Sleep is for the Weak
  28. 15 patches. Hmmm by robslimo · · Score: 2, Funny

    Earlier this week, they released a slew of patches... 6 or 7 of them that affected XP SP2 and were rated critical. Perhaps they feel inadequate in comparison to Red Hat, et al and have some catching up to do?

    --
    iBill not paying its customers. This guy says for almost 4 months since ww.com has been paid.

  29. Microsoft Security Claims by rssrss · · Score: 1


    Yeah, Whatever. Next.

    --
    In the land of the blind, the one-eyed man is king.
  30. Proactive vs. Reactive by Mr.+BS · · Score: 3, Insightful

    Linux might have more security holes within the release times but I feel the Linux patches are more proactive than reactive.

    When Microsoft releases a patch it's usually because thousands of users have already been complaining about something and they have to address it in a reactive mode. In Linux, someone makes a discovery of a security flaw, contacts the vendor, and it's usually patched within a couple of days. Note that within that discovery, everyone is still happy as a clam because there haven't been 50,000 trojans trying to exploit it.

  31. What did you expect from MS security chief? by Anonymous Coward · · Score: 0

    If I were in that position, I'd probably say the same thing too... he's just trying to keep his job (despite the fact that he's not very good at what he does).

  32. Hahahahaa... by Drexus · · Score: 1

    Oh my gut hurts from laughing too much! I guess MS forgot to mention that its main security feature supporting that claim - is a dead NIC.

  33. he maybe forgot by Anonymous Coward · · Score: 1, Informative

    he maybe forgot that both distributions he mentioned come with tons of software that Windows does not, so the comparison is at least stupid...

  34. Hmmm this reminds me of a videogame. by Spy+der+Mann · · Score: 1

    It went something like this:

    "Round 1. FIGHT!" ;-)

  35. Automatically update your computer here worms: by essreenim · · Score: 0
    Download MS security update here

  36. no patches available? by RealityMogul · · Score: 5, Insightful

    If there's only 15 for 2003, then why does that secunia link list 44?

    Notably, the RedHat and Suse links list a higher number of vulnerabilities, but also state that there are ZERO unpatched security holes.

    Surprisingly, the Windows 2003 product still has unpatched holes.

    1. Re:no patches available? by OblongPlatypus · · Score: 1, Funny

      You mistyped "Unsurprisingly".

      --
      -- If no truths are spoken then no lies can hide --
    2. Re:no patches available? by pl1ght · · Score: 0

      Zero unpatched KNOWN security holes. But knowing how Linux is, there will be about 500 of them over the next month to keep the OSS community working. It's a conspiracy.

    3. Re:no patches available? by bogado · · Score: 2, Insightful

      It is important to note that Linux bundles much, much more than Windows in a single distribution. It has several server programs, more than one office suite, several development tools and much other stuff.

      Even with the bundle-with-the-OS-to-conquer strategy, MS carries much less. The fair comparison would be to compare the security of MS Office + all MS Servers + MSDN + other things.

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

    4. Re:no patches available? by Anonymous Coward · · Score: 0

      Sarcasm allows such a mistype.

  37. typical MS solution by j0nb0y · · Score: 2, Insightful

    Problem: MS's products are insecure.

    Solution: Have your Security Chief claim that your products are more secure than the competition.

    --
    If you had super powers, would you use them for good, or for awesome?
  38. Mod Parent Down by mjspinks · · Score: 0

    This is nothing but Flamebait. (move it along, nothing to see here)

  39. Encased in concrete.... by AltGrendel · · Score: 1
    ...at the bottom of the Marianas trench.

    Then maybe it's safe.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:Encased in concrete.... by eatmywake · · Score: 1

      ...and still inside its shrinkwrap packaging.

    2. Re:Encased in concrete.... by Jane_Dozey · · Score: 1

      You forgot the locked 3" thick reinforced steel box!

      --
      Silly rabbit
  40. Yeah, Safer by Anonymous Coward · · Score: 0

    SO much safer that their one line of defense on spyware has already been voided.

    See http://it.slashdot.org/it/05/02/10/2325205.shtml?tid=201&tid=172&tid=218

    Perhaps less time making bullshit PR about how awesome their OS is, and more time in development making it better.

    Just an idea maybe.

  41. User experience by Matey-O · · Score: 5, Interesting

    (This is not a rant, merely a description of what happened to me recently:)
    1. reboot computer - It'd hung running something that rhymes with Titborrent.
    2. Login prompt -log in
    3. Get a start button, click on it to start a browser
    3a. lose focus as MS is saying AVG isn't turned on. (It's not?)
    4. Hit start again to get a browser
    4a. Lose focus again as AVG says it's not working.
    5. Press start to start a browser.
    5a. Lose focus as the UPS monitoring tool advertises that it's HERE! PRESENT! ACCOUNTED FOR!
    6. Press Start to get a browser.
    6a. Lose focus AGAIN as MS spyware gives me a status update.
    7. go over to the iBook, it doesn't Constantly Interrupt Your Train of Thought At Every Opportunity!

    --
    "Draco dormiens nunquam titillandus."
    1. Re:User experience by PhreakinPenguin · · Score: 2, Insightful

      In the time it took you to write your post, you could have configured all of those things to not pop up every time you log in. You suffer from the same thing a lot of people who like to flame suffer from: laziness. Whose fault is it that you don't choose the option to not have something run in the tray?

      --
      My sig of choice is Marlboro
    2. Re:User experience by Anonymous Coward · · Score: 0

      Why obviously it's Microsoft's fault for providing a platform that allows such things to happen!

    3. Re:User experience by pavera · · Score: 2, Insightful

      Linux and Mac OS manage to get these settings "right" by default.. Why should I pay more for an OS and then have to work harder to make it behave the way I want? That's like paying extra for a house that's a fixer-upper.

      Here, you can buy this house that has everything working, looks nice, great house, 300k, or you can buy this house right next door, the plumbing is shot, the kitchen needs to be redone, the flooring is 15 years old and needs to be replaced, and you can have it today for the bargain basement price of 450k!

      We're actually charging extra because with this house once you're done with it, it will be exactly what you want, not what the people who are selling the house next door want you to have.

    4. Re:User experience by Trigun · · Score: 1

      Haven't you been reading? It's Bill's fault.

    5. Re:User experience by gnuLNX · · Score: 1, Insightful

      While you are right to a degree, I would like to say that I don't want to have to configure something to not bother me. It should leave me alone by default.

      --
      what?
    6. Re:User experience by NeoSkandranon · · Score: 1

      And what does that have to do with the OS? Seems like it ought be on application developers to fix that sort of thing.

      --
      If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
    7. Re:User experience by Matey-O · · Score: 1

      What percentage of your user experience do you spend 'setting it right'? I don't WANT to spend 20% of my computer time telling my computer how to do this stuff. I USED to do that, I no longer wish to.

      --
      "Draco dormiens nunquam titillandus."
    8. Re:User experience by Quiet_Desperation · · Score: 1
      3. Get a start button, click on it to start a browser

      The quick launch bar is your friend. :-)

    9. Re:User experience by PhreakinPenguin · · Score: 1

      Well, first of all the symptoms he's describing have nothing to do with Windows. It's the applications themselves popping up the messages. Something to ponder?

      --
      My sig of choice is Marlboro
    10. Re:User experience by digitalchinky · · Score: 1

      Yep, it might be laziness, but why does every little Windows based software vendor think his or her application is so great that it requires a tray icon, startup scripts, and stupid notifications that require user intervention at random intervals.

      Download software - waste 30 minutes figuring out how to turn off all the annoying crud that should not even be there anyway. Nothing should have the ability to steal focus. Besides, hitting the start menu just after login on windows will result in the start menu disappearing for no logical reason anyway. Makes no difference. The parent makes some valid points.

      On topic, the head security dude is definitely going to have his fingers on a few pulses down at the grass roots level - when he lies down at night to sleep, there can be no doubt that in his quiet times he knows it's simply about attracting a couple more idiots into the Microsoft cycle; these people cannot be that shut off to real world opinion.

    11. Re:User experience by pavera · · Score: 1

      granted most of these are programs, but 1 of them is an MS program, and I have the same problem with windows messenger, by default it starts whenever you log in and takes focus as it pops up windows about email, buddies, etc, etc... These 2 programs (spyware and messenger) are MS apps, so they don't get excused.

  42. If I was getting paid a lot by Anonymous Coward · · Score: 0

    I would say that too.

    1. Re:If I was getting paid a lot by mrjb · · Score: 2, Funny

      Me too, except they can't afford to pay that kind of money.

      --
      Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
  43. Even going by numbers by Anonymous Coward · · Score: 0

    Even going by the numbers... without making claims of severity of each security hole, most distros include a full featured desktop with MANY applications. I don't believe win2k3 does, or any Windows for that matter.

    unless they want to start counting word pad as an office program etc.

    Granted win2k3 is a server environment so less stuff is there, but how useful is XP to begin with? Very useless.

  44. Comparison of patches... by PornMaster · · Score: 1

    I've seen patches coming through for RHEL which are for things like "If you use movemail in xemacs, a malformed message might cause a malicious user to execute commands as the xemacs user"... contrast that oh-so-likely scenario with the type of RPC remote user executing code which runs with administrative privileges, and the numbers really mean very little.

  45. ok, boys and girl... by zxnos · · Score: 1

    ...time to put on your asbestos suits! time for the wars to begin... is linux more secure intrinsically? or because its user base is more knowledgeable technology wise? for the record i use xp without a problem, my coworker on the other hand is always having problems. i think the biggest problem is the user, not the software.

    --
    always mosh clockwise
  46. In other news.... by drgonzo59 · · Score: 1, Funny

    In other news: North Korea announced it will cooperate with US and destroy its nuclear warheads as well as open access to inspectors from the West.

    1. Re:In other news.... by Anonymous Coward · · Score: 0

      You are a retard : Tell me where on their own Press Agency web site the DRNK announced they had such weapons ? Of course, you might have read it on cnn, like Condi did. Please, fuck off and die.

    2. Re:In other news.... by drgonzo59 · · Score: 2, Funny

      Irony:1 You:0

    3. Re:In other news.... by jaoswald · · Score: 1

      from your link

      We had already taken the resolute action of pulling out of the NPT and have manufactured nukes for self-defence

    4. Re:In other news.... by jaoswald · · Score: 1

      oh, and for Spanish speakers, from your link again

      Faced with the intensifying policy of the Bush administration aimed at isolating and crushing the DPRK, we have already withdrawn without hesitation from the Nuclear Non-Proliferation Treaty and have manufactured nuclear weapons for self-defence purposes.
      Our nuclear weapons will always serve as a self-defensive nuclear deterrent force.

  47. In other news by Pan+T.+Hose · · Score: 0

    Ford Security Chief Says Ford Safer Than Lexus. Film at 11.

    Seriously, do we have to post here every single lie said by Micro$oft? If so, then could we at least have an option to moderate such articles as -1, Troll?

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  48. wha? by Neuropol · · Score: 0

    every few months, or sometimes as frequently as monthly, windows releases some sort of major security hole patch.

    about every year or so, perhaps more often than that but not nearly as much as windows, *nix, in some form, releases a security fix. most of these deal with a real issue like ssh. Contrary to some overlooked flaw in a 'NEW - MORE MS SPAM' Media Player or some frequently used mail program.

  49. Oh come on by mattmentecky · · Score: 1

    Doesn't there seem to be something fundamentally fuzzy and improbable about comparing 15 patches to what "Red Hat and SuSe has had to endure"?

    Isn't that like, a friend and I comparing our cars, and me bragging that I only changed my oil once in the lifetime of the car, while he has changed it every 3 months, therefore I must have a better engine?

    Just because Microsoft has dished out fewer patches doesn't mean it is more secure... in fact, the knee jerk reaction is that they are probably just missing something(s) really big...

  50. Normal Activities by tilleyrw · · Score: 3, Insightful

    People are funny.

    Microsoft is a corporation. It needs a base of support to exist. Pausing in its creation of "new and improved!" products to backtrack and actually fix anything is not additive to the bottom line (profit).

    Therefore, MS will never fix anything. They will merely use PR to promote their products. If falsehoods are created and spread, they will focus on the person who created that lie, not the legal individual Microsoft. (Corps. are equivalent to living people in most states but that's a rant for another time.)

    Q.E.D., nothing to see here. Move along.

    --
    This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
  51. Do the number of patches really matter? by Joshua53077 · · Score: 1

    Apple, for example, comes out with security fixes virtually every month, and many times they fix multiple security problems. So the sheer number of patches matters very little. If we're judging security strictly on the number of patches, then Microsoft should come out with one patch each year that addresses every issue that is known; this way they've "only" needed to release one security patch for the year. The more security patches released, the better I feel about my OS of choice. It means they're keeping up with all known vulnerabilities. If I were Microsoft, given all the bad press about their poor security record these days, I wouldn't be bragging about releasing only 15 patches, IMO.

  52. Less bug fixes = less bugs, or less bugs fixed? by halber_mensch · · Score: 1

    "Even with the relatively large number of bulletins we released this week, we compare favorably," he said. "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities." He's taken this as a sign that Windows is more secure. I don't see that it does, because really he is saying that MS doesn't fix as many of the vulnerabilities that do exist. I say Red Hat and SuSE are on top of bugfixes for 2005, and MS is way behind.

    --
    perl -e "eval pack(q{H*},join q{},qw{70 72696e74207061636b28717b482a7d2c717b343 637323635363534323533343430617d293b})"
    1. Re:Less bug fixes = less bugs, or less bugs fixed? by OneSmartFellow · · Score: 1
      Exactly, it's a senseless argument. Why did they ONLY fix 15 vulnerabilities, while some Linux distros were able to fix 6 times that number?

      Are we really supposed to believe that Microsoft has managed to produce a lower bug ratio than Linux? Has he ever read any software testing manuals, which predict quite uniformly that the bug rate is based almost entirely upon the number of lines and almost nothing else?

  53. YES. by Anonymous Coward · · Score: 0

    No, just kidding. What a moroon.
    This is why the internet is run by *Nix.

    Can you imagine the internet being run by Windows?! lmao.

  54. News? by vinlud · · Score: 1

    How is this news? It would only be news if Mike said the opposite; why is it news when a company says its products are the best? I see dozens of commercials every day which do exactly the same but are probably based on the same marketing farts.

    --
    Repeat after me: We are all individuals
  55. Is it just me... by musawilliams · · Score: 1

    Or didn't M$ consider that 11% of those bugs have remained unpatched versus the 0% for RH and Suse?

    Damn those inquiring minds

  56. Let's see.... by clausiam · · Score: 1, Redundant
    1. Decide to patch a maximum of once per month
    2. Distribute 12 patches over a year
    3. Claim superiority by only having 12 patches in a year
    4. Profit

    Cool, for once, didn't even need a ??? for item 3 - that's why MS is doing so well :-)

    1. Re:Let's see.... by Jerf · · Score: 1

      You obviously don't care about security, as that is twelve times more vulnerable than it should be. Distribute one patch a year.

      Come to think of it, let's make Windows infinitely more secure, and not distribute any patches at all! The cool thing about this is you can test this theory by simply pretending no patches are ever released and not downloading them, thus ending up with the most secure Windows installation ever.

      Let me know how that goes; this "simply declaring Windows secure" strategy will probably reduce the workload of a lot of Windows admins, foolishly running around and installing patches, and will probably have application in many other admin domains as well. ("The printer is out of paper? That's impossible, we haven't had to put more paper in it this year and therefore it is clearly not out of paper now. No, we will not come take a look as you are clearly a raving lunatic. Bye!" See? Way easier than committing the grievous error of actually putting paper in... if you do it today, you'll only have to do it again later.)

    2. Re:Let's see.... by clausiam · · Score: 1

      Hmm - security by declaration, now there's an idea... so much better than security by obscurity I think and we all know that that is pretty darn secure to begin with. :)

  57. $company says $their_product is good by shish · · Score: 1

    How is this news? *All* companies put out the message that their product is best, there's really nothing special about it.

    --
    I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
  58. Is this even newsworthy anymore? by killeena · · Score: 0

    They say this like every other day now. Not a big surprise.

    --
    Freedom would be not to choose between black and white but to abjure such prescribed choices. -Theodor Adorno
  59. Death is safer than life! by Anonymous Coward · · Score: 0
    In related news, the Funerals and Undertakers Defense League released a study proving that death is safer than life, as dead people have far fewer accidents than live people.

    Given the right methodology and assumptions, one can prove almost anything. Sigh...

  60. What I'd like to know is by spidereyes · · Score: 2, Insightful

    which patches fixed remote exploits and which patches fixed local exploits. I find Windows has a lot more holes that can be exploited remotely, where Linux requires local access. In either case, would the Security Chief of a company come out and say another product is superior to their own?

    --

    I say we just grow up, be adults and die.
  61. That's what they all say by JTorres176 · · Score: 1

    Microsoft says they're safer than Linux. This email says that these pills will make my johnson grow to twice its size. This TV commercial says that this product will make my hair grow back. This car dealer says I can buy a brand new car for less than I'm paying a month now. People say a lot of things. That doesn't make them true. That makes them salesmen. (salespersons?)

    --
    Evil Walrus >83=
    1. Re:That's what they all say by Ucklak · · Score: 1

      Brilliant!

      --
      if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
  62. Comment removed by account_deleted · · Score: 0, Troll

    Comment removed based on user account deletion

  63. If Internet Explorer is any indication ... by reporter · · Score: 5, Insightful
    For 2 reasons, I doubt the veracity of Mike Nash's claims that Windows is more secure than Linux. First, due to the open nature of Linux development, Linux enjoys far more testers than Windows. More eyeballs means that more bugs will be found and fixed.

    Second, comparing Internet Explorer (IE) and Firefox indicates that Windows is likely more bug ridden than major open-source software like Linux. I have used both IE and Firefox. From my experience of visiting thousands of pornographic sites laden with naked women beckoning you to "enter" their site (and other things), I can definitely say that IE is chock full of security problems. After 1 week of pornographic surfing with IE, my entire system (browser and OS) becomes infected with malware -- to the point that I must reload Windows. I have yet to experience the same problem with Firefox.

    The only thing that I hate about Firefox is that it is very slow, probably due to the fact that my computer system has limited DRAM and that Firefox must swap to disk more often than IE. Such is the price that I must pay to enjoy porn.

    1. Re:If Internet Explorer is any indication ... by PepeGSay · · Score: 1

      yeah, respond to this post if *you* or *someone you know* is actually engaged in testing Linux software at the code level.

      You have your logic all screwed up: "due to the open nature of Linux development, Linux enjoys far more testers than Windows."

      The open nature of Linux means there is the theoretical potential for more testers, eyeballs and such. This does not in any way speak to the quality of that testing. Quantity (even massive theoretical quantity) does not make quality.

      You could also make the argument that as far as free testing goes (on the functional side of things, not the code level) Windows knocks the crap out of Linux because of its installed base of users.

    2. Re:If Internet Explorer is any indication ... by stinky+wizzleteats · · Score: 1

      > The only thing that I hate about Firefox is that it is very slow, probably due to the fact that my computer system has limited DRAM and that Firefox must swap to disk more often than IE.

      Slow on startup, or slow while actually surfing? My experience is that Firefox is generally faster than anything else in actually rendering web pages, but it does take a lot longer to load up when you start it. This is because IE loads into memory when the PC boots up. Part of the interminably long time you spend waiting for Windows to come up includes the time it takes to load IE and all of its supporting libraries into RAM. When you click the button, BAM, you get IE, ready to go. It looks faster, but that is because MS is hiding the time it really takes to load it.

      If you want this functionality, Mozilla includes a quickstarter app that can fire up on boot up just like IE (with the commensurate delays). I don't think this is even an option with Firefox, but it is a pretty silly option after all, when you really think about it.

    3. Re:If Internet Explorer is any indication ... by Anonymous Coward · · Score: 0
      Hey come on, now, MS IE is the most secure browser, and has been for over a year. Microsoft says so right here.

      We all trust Microsoft.

      Microsoft is mother, Microsoft is father. Protect the family, Trust Microsoft

    4. Re:If Internet Explorer is any indication ... by Blnky · · Score: 1
      > yeah, respond to this post if *you* or *someone you know* is actually engaged in testing Linux software at the code level.

      You rang? Shall I take a message for the five others that I can think of faster than I can remember when my wife's birthday is? It exists as more than a theoretical potential as well.

    5. Re:If Internet Explorer is any indication ... by PepeGSay · · Score: 1

      The original poster said Linux enjoys far more testers than Windows. At the code level I would have to say that is most likely theoretical potential. And that the quality is probably nearly abysmal.

    6. Re:If Internet Explorer is any indication ... by PepeGSay · · Score: 1

      I'm not saying that the end result is not a well tested piece of software. Linux is obviously well tested in the end.

  64. Antivirus by Husgaard · · Score: 2, Insightful

    So if their software is so secure, why do they have to recommend antivirus software to stop their systems from being infected?

    1. Re:Antivirus by harley_frog · · Score: 1

      From the article: "In related news, Microsoft's anti-spyware product has been targeted by virus writers, in what experts believe is the beginning of what will be a salvo of malware attacks on Microsoft security products."

      Hmmm, security programs that have security problems of their own? How safe do you feel now?

      --
      It's all fun and games until someone loses the key to the handcuffs.
  65. Well, not exactly by hey! · · Score: 1

    It's the strategy called the Big Lie. If you say something often enough and with enough conviction, and can get enough of your flunkies to repeat it, then most people will begin to act as if it were true, and some will actually believe it.

    Unfortunately, it works very well.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  66. in other news, Steve Jobs says..... by Anonymous Coward · · Score: 0

    ....that the iPod is better than anything from Creative or Rio.

  67. just think by justforaday · · Score: 4, Insightful

    Just think...If MS were to not release *any* security patches at all, they could use that figure as absolute proof that Windows is more secure than anything else out there!

    --
    I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
  68. I think I'll just ignore that statement... by mrjb · · Score: 1

    ...let the facts speak for themselves, and keep running a virus free, spyware free, adware free system.

    --
    Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
  69. stupid comparison by varkman · · Score: 1

    I mean: when you are designing your spyware/virus program, you try to get it installed on as many computers as possible. Now, what OS should I write 'em for? ... Ergo, if there were a competitor to Windows that is equal in user base size, only then would you be able to make a decent comparison on what is the safest OS currently available. PS: Sorry for the awkward spelling/grammar, I'm in a hurry!

  70. random spew by ChoGGi · · Score: 1

    "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."

    Just because MS has only released 15 patches doesn't mean they only had 15 vulnerabilities to patch.
    I can't see how Mike Nash can put that forth as a useful comparison, unless of course he's trying to say MS devs are lazy when it comes to bug fixing.

  71. Perhaps Apples to Apples by WoodSmoke · · Score: 2, Interesting

    I cannot seem to find a good list of the vulnerabilities found in SuSE Enterprise Linux 9, which he is comparing to Win2003. I wonder how many vulnerabilities are in non-core applications, which would make comparing Windows 2003, the OS, with SuSE EL 9.0 a little unbalanced. Does anyone have a link to the SEL 9.0 vuln list so that we can compare for ourselves?

  72. In Other News... by __aaasvk1266 · · Score: 2, Insightful

    OpenBSD has experienced "Only one remote hole in the default install, in more than 8 years!"

    http://openbsd.org/

    Move along people. Nothing to see here.

  73. Apples/Oranges by pedestrian+crossing · · Score: 2, Insightful

    A Linux distribution contains hundreds to thousands of programs.

    A Windows distribution contains a handful of programs.

    --
    A house divided against itself cannot stand.
    1. Re:Apples/Oranges by afd8856 · · Score: 1

      That's true. But in a server environment, there should be a limited number of applications installed.

      Of course, by default, a Linux server can cover a lot more tasks than the Windows counterpart.

      Don't forget that the default Windows server has a lot of command line applications, also.

      --
      I'll do the stupid thing first and then you shy people follow...
    2. Re:Apples/Oranges by drew · · Score: 4, Insightful

      Regardless of how many programs you install on your server, comparing the number of patches released by Red Hat/SuSE in a given time frame, which covers all applications in the entire distribution regardless of whether you have them installed, to the number of patches released for Windows Server 2003, which pretty much only covers the OS, web browser, and web server, is beyond ridiculous.

      Not to mention Microsoft's tendency to roll up multiple patches into one, something Red Hat/SuSE can't do because they don't know which packages you have installed, so bugs that affect different packages can't be combined.

      --
      If I don't put anything here, will anyone recognize me anymore?
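
      The point drew and afd8856 make above (a distro advisory feed covers every package, installed or not) can be turned into a check. This is an added example, not code from the thread or from Red Hat/SuSE: the advisory list, the `rpm -qa` output and the version compare are all constructed or simplified (real RPM comparison, rpmvercmp, has more rules).

```python
"""Count only the distro advisories that apply to packages actually installed.

Added example (not from the thread). Advisory IDs are placeholders, the
installed-package listing is constructed, and vercmp() is a simplified
stand-in for rpmvercmp.
"""
import re
import subprocess

# Constructed advisory feed: (placeholder id, package, first fixed version-release).
ADVISORIES = [
    ("ADV-0001", "httpd",   "2.0.46-44"),
    ("ADV-0002", "php",     "4.3.2-23"),
    ("ADV-0003", "emacs",   "21.3-4"),
    ("ADV-0004", "xpdf",    "2.02-9"),
    ("ADV-0005", "kernel",  "2.4.21-27"),
    ("ADV-0006", "openssh", "3.6.1p2-33"),
    ("ADV-0007", "ruby",    "1.6.8-9"),
]

# Constructed output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`
# for a minimal web server: no editors, no PDF viewer, no ruby installed.
INSTALLED_RPM_QA = """\
httpd 2.0.46-40
php 4.3.2-23
kernel 2.4.21-20
openssh 3.6.1p2-33
glibc 2.3.2-95
"""


def _split(segment):
    """Tokenise '3.6.1p2' into comparable pieces; numbers rank above letters."""
    parts = re.findall(r"\d+|[A-Za-z]+", segment)
    return [(1, int(p)) if p.isdigit() else (0, p) for p in parts]


def _key(evr):
    version, _, release = evr.partition("-")
    return (_split(version), _split(release))


def vercmp(a, b):
    """Simplified RPM-style compare: <0 if a is older than b, 0 if equal, >0 if newer."""
    ka, kb = _key(a), _key(b)
    return (ka > kb) - (ka < kb)


def parse_installed(rpm_qa_output):
    """Map package name -> installed version-release from `rpm -qa` style lines."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            name, evr = line.split()
            installed[name] = evr
    return installed


def applicable(advisories, installed):
    """Advisories whose package is present and still older than the fixed version."""
    hits = []
    for adv_id, pkg, fixed in advisories:
        have = installed.get(pkg)
        if have is not None and vercmp(have, fixed) < 0:
            hits.append((adv_id, pkg, have, fixed))
    return hits


def summarize(advisories, rpm_qa_output):
    """Published count vs. the count that actually matters for this host."""
    hits = applicable(advisories, parse_installed(rpm_qa_output))
    return {"published": len(advisories), "applicable": len(hits), "hits": hits}


if __name__ == "__main__":
    try:  # on a real RPM host, use the live package list instead of the sample
        out = subprocess.run(
            ["rpm", "-qa", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n"],
            capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = INSTALLED_RPM_QA
    for k, v in summarize(ADVISORIES, out).items():
        print(k, v)
```

      With the constructed data, 7 published advisories shrink to 2 that apply (httpd and kernel); php and openssh are already at the fixed release and the rest are not installed.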
    3. Re:Apples/Oranges by Daengbo · · Score: 5, Informative
      From here: http://www.honeynet.org/papers/trends/life-linux.pdf:
      Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that a unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) have an online mean life expectancy of 3 months before being successfully compromised.
      Compared to unpatched Windows boxes with life expectancies of minutes.
    4. Re:Apples/Oranges by rongten · · Score: 1

      Not to mention that some "studies" count the same patch multiple times since issued by different distributions...

      If this is not being in mala fide I do not know what it is.

      --
      Zed: Nothing is ever easy
    5. Re:Apples/Oranges by Bastian · · Score: 5, Insightful

      But Windows tends to roll a lot of stuff into single programs, whereas the Unix world has a culture of heavy factoring of software tools.

      With all of these different tools, and the admin's freedom to install only the tools he/she feels are needed, the Linux world ends up having to create separate security updates for separate tools, where Microsoft tends to release gargantuan security packs that are really a whole mess of patches rolled into one package.

      On a similar note, most of the Linux tools come from all sorts of sources operating more or less independently. This would make it all but impossible for you to find a file that includes security updates for both, say, wu-ftpd and Apache.

      And the list goes on. The reality is, the model for releasing security updates in Windows is vastly different from the model for releasing them in Linux, and one is naturally going to create at least one order of magnitude more discrete security updates. (If I started seeing updates for my software on Linux only as often as I was seeing security updates from Windows, I would think that something is seriously wrong.) What Mr. Nash really needs to be comparing is the relative advantages of the two different models of releasing security updates.

      But of course, you're not going to see that since such an analysis can't be plotted in an Excel spreadsheet.

    6. Re:Apples/Oranges by Mornelithe · · Score: 4, Insightful

      Exactly. If you look at the secunia pages, you'll notice that all of the advisories are from things bundled in Windows or MS Office.

      The Red Hat advisories include vulnerabilities for Perl, emacs, xpdf, vim, PHP, acroread, ruby, etc.

      Red Hat has vulnerabilities for multiple programming languages, multiple mail servers, multiple PDF viewers, and so on. Many of the Linux vulnerabilities are for programs that have Windows versions, but aren't reported as such. Many other Linux vulnerabilities are for programs that aren't included on Windows at all, and are therefore not reported (I don't see any Adobe Acrobat vulnerabilities for Windows).

      So comparing the two pages as if they represent equal things is ridiculous.

      --

      I've come for the woman, and your head.

    7. Re:Apples/Oranges by 3Suns · · Score: 4, Interesting

      Not to mention the fact that Windows bundles their bugfixes in a few patches, whereas Linux fixes each problem separately. You could argue that the former option makes it easier for administrators, but with a proper Linux system, most patches will be applied automatically (or at least effortlessly). MS patches tend to require a system reboot, while security upgrades in Linux usually only require a restart of the program being patched. Besides, patching each bug individually allows for much faster response, and makes tracking easier.

      --

      -3Suns

      ~~~~
      The Revolution will be Slashdotted
    8. Re:Apples/Oranges by rcamera · · Score: 1, Funny

      you slashfolks should make up your minds... does a windows distribution contain a "handful" of programs? or do they bundle too many programs? please clarify

      -- confused

      --
      Wave upon wave of demented avengers March cheerfully out of obscurity into the dream
    9. Re:Apples/Oranges by oliverthered · · Score: 1

      Well, if you're going to be like that, the kernel has had hundreds of patches * go in and a lot of them could potentially lead to an exploit.

      DOS: Fix kernel data leak to user space in private handler handling

      Execute arbitrary code in an application that can't cope with literal names: This is a fix for the "Addi%d" device name reported literally due to the switch from init_fddidev() to alloc_fddidev().

      Another DOS: USB: corrected digi_acceleport 2.6.9-rc1 fix for hang on disconnect

      It's even had the +5 insightful
      [PKT_SCHED]: Trivial spelling fix in net/sched/Kconfig drivers patch.

      *This link is to a 1.5MB changelog; please don't hog kernel.org's bandwidth.

      Which begs the question: How many of those kinds of bugs aren't fixed in Windows?

      --
      thank God the internet isn't a human right.
    10. Re:Apples/Oranges by Bert64 · · Score: 1

      It does contain a handful of programs, and they do bundle too many programs. The difference here is the reason WHY..
      MS bundle their own programs because that way an inferior MS app can compete more effectively with superior alternatives, since most users won't spend the time looking for a program if they already have one which is adequate. Thus MS apps need not be superior to the competition, they only need to be adequate/mediocre.
      Linux distributions, on the other hand, have nothing to gain from bundling particular apps, neither do the authors of those apps have anything to gain from their apps being bundled. And finally a given Linux distribution will usually bundle multiple apps which perform the same function, instead of just the single app they're trying to push. For instance, most distributions come with konqueror, mozilla, lynx and possibly even more browsers.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    11. Re:Apples/Oranges by Deagol · · Score: 0, Offtopic
      > A Windows distribution contains a handful of programs.

      So why the hell does a fresh install of Windows XP take up over 1GB out of the box?!?

      Talk about bloat.

      I use VMware on my home machines (which run Linux). I have at least one version of every Windows release from WfWg 3.11 to ME, from NT 3.51 (anyone know where to get 3.1 these days?) to XP and 2003. These are for testing scenarios and playing around for nostalgia's sake (sometimes it's fun to fire up DESQView on DOS 6.22, for example).

      But the progression of bloat as you progress up the version path amazes me. DOS 6.22 w/ WfWG 3.11 takes up like 12MB. A full install of the original Win95 retail distribution takes about 30MB, which is what I use most of the time in VMWare because it's so lean and fast compared to newer versions, even after installing IE5.5, the last version you can get for Win95.

      Yes, a full install of a modern Linux distro is approaching 6GB (a full Fedora Core 3 install), but you have everything and the kitchen sink, so you can't complain. Plus it's possible to trim the fat and take out what you don't need, as the GUIs, browsers, etc. are not intimately tied to the OS itself.

    12. Re:Apples/Oranges by PitaBred · · Score: 2, Insightful

      The issue isn't that it contains the programs. It's that they integrate the programs into the monolith. You can't replace Windows Media Player or Internet Explorer with something that does the same job. With most Linux distros, there are very few things you can't just get rid of, and there's nothing as user-level as a web/file browser or media player that is a required component in any Linux distro I know of. Starting to make sense?

    13. Re:Apples/Oranges by Taladar · · Score: 1

      And how many aren't fixed in the Windows 3rd party drivers that aren't bundled with the Windows kernel but are with the Linux kernel?

    14. Re:Apples/Oranges by boinger · · Score: 1

      They're up to minutes, now? SWEET!

      --
      Send your friends messages of love at fuck-you.org
    15. Re:Apples/Oranges by oliverthered · · Score: 1

      Exactly, Red Hat isn't Linux, and the 'Linux' community needs to make sure the rest of the world doesn't buy Microsoft's line.

      My set-top box, dvd player and watch don't run RedHat but they all run Linux.

      --
      thank God the internet isn't a human right.
    16. Re:Apples/Oranges by pimpimpim · · Score: 1

      BTW: apples and oranges are experimentally proven to be pretty similar, maybe you'd better use another terminology: http://www.improb.com/airchives/paperair/volume1/v1i3/air-1-3-apples.html

      --
      molmod.com - computing tips from a molecular modeling
    17. Re:Apples/Oranges by Anonymous Coward · · Score: 0

      It's one of the reasons NT sucks so much: you can't replace a file that is being opened by another process. That means that if a DLL is being used by (say) explorer.exe and by IIS, the only way of replacing the file is rebooting the system. In Unix you'd replace the file and restart IIS, and IIS would use the new copy while explorer.exe would still use the old copy. And they probably wonder why Linux is selling more than Windows on servers...
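
      The file-replacement semantics the comment describes can be demonstrated directly. This is an added example, not code from the thread: it creates a stand-in library file in a temporary directory, holds it open the way a running service would, and replaces it the way package managers do (write the new copy beside it, then rename over it); the file name is a constructed stand-in.

```python
"""Replace a file while another process still holds it open (Unix semantics).

Added example, not from the thread. On Linux/Unix the open descriptor keeps
the old inode alive while the directory entry now points at the new file, so
only the service using the file needs a restart to pick up a fix. Python's
default open() on Windows does not permit rename-over of an open file, which
is the reboot-to-patch behaviour the comment complains about.
"""
import os
import tempfile


def replace_while_open(directory):
    """Patch a file under a live reader; report what old and new readers see."""
    # Constructed stand-in for a shared library that a service has loaded.
    path = os.path.join(directory, "libshared.so")
    with open(path, "w") as f:
        f.write("old vulnerable build\n")

    # Simulate a long-running process that already has the file open.
    holder = open(path)
    old_inode = os.fstat(holder.fileno()).st_ino

    # Package managers write the fixed copy next to the original, then rename
    # it over the old name so readers never observe a half-written file.
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write("patched build\n")
    try:
        os.replace(tmp, path)  # atomic on POSIX even though `holder` is open
    except PermissionError as err:
        # Windows sharing locks refuse the rename while the file is in use.
        holder.close()
        os.remove(tmp)
        return {"error": str(err)}

    new_inode = os.stat(path).st_ino
    still_sees = holder.read().strip()  # the old process keeps the old bytes
    holder.close()
    with open(path) as f:
        fresh_sees = f.read().strip()  # a restarted process gets the fix

    return {
        "old_process": still_sees,
        "restarted_process": fresh_sees,
        "same_inode": old_inode == new_inode,
    }


def demo():
    """Run the replacement in a scratch directory and return the observations."""
    with tempfile.TemporaryDirectory() as scratch:
        return replace_while_open(scratch)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```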

    18. Re:Apples/Oranges by Anonymous Coward · · Score: 0

      That's very true, which actually strengthens Linux's argument: the majority of those patches probably don't even apply to most server machines in use, since those apps aren't even installed.

    19. Re:Apples/Oranges by Anonymous Coward · · Score: 0

      Irrelevant. The relevant question is how long a fully patched version of each will last. No OS vendor should be held responsible for someone who puts a box with known weaknesses online.

    20. Re:Apples/Oranges by Slipped_Disk · · Score: 1

      So, at the risk of my karma:

      > The Red Hat advisories include vulnerabilities for
      > Perl,
      Show me ONE RedHat machine, Hell show me *ANY* *NIX machine without Perl. If it isn't there by default, chances are someone installed it because quite frankly it's pretty hard to live without (At least IMHO).

      > emacs,
      The editor of choice in the Linux community? I haven't seen a machine installed by anyone other than myself that doesn't have emacs, either by default or added in later.

      > xpdf,
      Something I can live without, although it is inconvenient if it isn't there on a desktop workstation.

      > vim,
      My editor of choice? And pretty much the de facto standard (I can sit down at ANY *NIX machine and type "vi" and get an editor - it is expected).
      Again I've yet to see a *NIX machine that doesn't have vim or some other vi clone on it.

      > PHP,
      Happily provided for you with many "default" prepackaged apache installs. If you're gonna count Apache vulnerabilities as OS holes (which I personally don't - I have several machines that don't have any httpd running b/c they aren't web servers) you need to count PHP holes too.

      > acroread,
      something else I can live without, subject to the same caveat as xpdf.

      > ruby,
      another thing I can live without (entirely).

      > etc.
      gcc, make, et al.? Even though RedHat Enterprise AS3 doesn't install them by default, *I* sure as hell consider development tools a MUST-HAVE on *NIX systems.

      I can't think of any more stuff that's "standard" (i.e. people will be upset if it isn't there), but you should *ALL* be aware that we can't ignore things just because they are "optional" in the installer, unless you intend to sit down in front of a console-only machine where the only text editor is "cat > filename" and the only shell/interpreted language is /bin/sh and a few system-configuring commands.

      Sometimes the flaws in the creature comforts are just as critical and just as unavoidable as the flaws in the kernel.

      --------------
      Now, having said that, Yea I do think we can ignore security holes in OpenOffice, the Weather Widget, etc. -- Things that you really can live without, which you may (as a normal, ordinary user) install for your own convenience that aren't part of the "standard" set of things you EXPECT to have.
      People using those features should obviously keep up with patches, but that's the equivalent of "Download the latest patch for SimCity 450000 so your system doesn't hang!"

      The great weakness of Windows is that you can't get rid of many of the things that you could live without (MSN Messenger?), so for all intents and purposes those patches *ARE* part of the core OS patch list.

      --
      /~mikeg
    21. Re:Apples/Oranges by ICECommander · · Score: 1

      Don't forget about the severity of holes on WS2k3.

      --
      All your Sybase are belong to us.
    22. Re:Apples/Oranges by Mornelithe · · Score: 1

      > emacs,
      > The editor of choice in the Linux community? I haven't seen a machine installed by anyone other than myself that doesn't have emacs, either by default or added in later. ...
      > vim,
      > My editor of choice? And pretty much the de facto standard (I can sit down at ANY *NIX machine and type "vi" and get an editor - it is expected).
      > Again I've yet to see a *NIX machine that doesn't have vim or some other vi clone on it.


      I didn't have emacs installed until I finally decided to learn it recently, and I don't have either vi or vim at all. If I'm not going to use something, there's no reason to have it around, so I don't. In fact, as Linux goes more mainstream, there will be fewer and fewer people who will need either of these, because they won't be programming.

      > ruby,
      > another thing I can live without (entirely).


      Try it out. You can get rid of perl then (well, not really. There will still be plenty of heathens out there writing stuff that forces you to use perl). :)

      > PHP,
      > Happily provided for you with many "default" prepackaged apache installs. If you're gonna count Apache vulnerabilities as OS holes (which I personally don't - I have several machines that don't have any httpd running b/c they aren't web servers) you need to count PHP holes too.


      If we're going to count php and apache holes on Linux, we need to count them on Windows, too. You can install both of them there, yet they're not listed as security vulnerabilities.

      > gcc, make, et al.? Even though RedHat Enterprise AS3 doesn't install them by default, *I* sure as hell consider development tools a MUST-HAVE on *NIX systems.

      It's only necessary if you're either a programmer or installing stuff from source. Only on Linux are most users (currently) programmers, and you can get anything that's not particularly obscure as a compiled package. So strictly speaking, no, there's no need to have gcc installed by default any more than there is on Windows.

      And I can argue just as I did above that you can run gcc and make and so on on Windows as well, yet they're only listed as Linux vulnerabilities.

      Anyhow, I'm not saying we should stop patching external apps, or ignore vulnerabilities. I'm saying that the statement being made here: "The number of security advisories in Windows' core products is less than the number of security advisories in a core Linux system + 1000 packages, therefore Windows is more secure," is ridiculous.

      --

      I've come for the woman, and your head.

    23. Re:Apples/Oranges by Cyhawkalewagee · · Score: 1

      I can testify to that fact. Day in and day out, I go to people's houses and fix their computers. A lot of the time the infestation of adware/viruses/trojans is so intense, I flatly recommend reinstalling Windows, both to save time, their money and a headache (me). On several occasions, when I do this in their house and they have no hardware firewall, I've begun the 'Windows Update' crap, only to find out the system has ALREADY been compromised (Sasser/Code Red). This is after a complete format/reinstall. Since this is my bread and butter, I tend to get a lot of callbacks. I can tell you, even with all the possible security I can stack into Windows XP, its life span is about 2-3 weeks. (Granted the users are morons too {ooo let's open this attachment} ;) On the few Linux/FreeBSD (my choice) installations, I do the same rhetoric with them about security, and I have yet to have to come back to their houses, and they're much happier. If only more web surfers/email readers would switch to a Linux system, the world would be safer.

  74. Mandatory Access Controls by Coryoth · · Score: 4, Informative

    Hopefully the Linux community can move forward with SELinux, or some other system that has mandatory access controls. Once that is properly in place Linux will have a significant tangible security advantage over Windows.

    Yes Fedora currently has SELinux in the default install. Unfortunately they have had to use a fairly permissive policy because too many applications and libraries don't properly respect the sort of security bounds that ought to be in place. Right now SELinux on Fedora is like user account permissions on Windows. While it is technically there, the majority of applications simply aren't written with it in mind (e.g. all those Windows apps that need to run as Administrator), so in practice it doesn't do much.

    SELinux is done though, and Fedora has integrated it in nicely (including into the rpm system). What is needed now is for all those open source developers out there to realise that there is a new level of security, other than just file permissions, that they need to consider and respect. If they can just restrict where they write files to, and what files they want to access, to the minimum required, that would be great. If they can compartmentalize operations so that each can run as a separate process with least privilege, all the better. This is work that needs to be done though.

    Once such things are seriously in place all this harping by Microsoft about "Windows being more secure" will be so obviously the hot air that it is that we won't even have to worry about it anymore.

    Jedidiah.
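    The separate-process, least-privilege layout the post asks for, written up as an added example (not from the thread, and not Fedora's SELinux work): a forked worker is confined to one sandbox directory, drops root when it has it (assumes the conventional 'nobody' ids 65534), and rejects any target path, '..' or symlink, that resolves outside that directory.

```python
"""Compartmentalised, least-privilege file writer (added example, not from the thread).

The untrusted work runs in a forked worker that is confined to one sandbox
directory, gives up root when it has it, and refuses any target path that
resolves outside the sandbox once symlinks and '..' are followed.
"""
import os
import tempfile

# Conventional 'nobody' uid/gid on most Linux systems (assumption for the demo).
NOBODY_UID = 65534
NOBODY_GID = 65534


def confine_path(root, requested):
    """Return the resolved path of `requested` under `root`, or raise
    PermissionError if it escapes. realpath() follows symlinks, so a link
    inside the sandbox that points outside is rejected as well."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PermissionError(f"{requested!r} resolves outside {root_real}")
    return target


def drop_privileges(uid=NOBODY_UID, gid=NOBODY_GID):
    """Give up root inside the worker. Returns True if privileges were
    actually dropped; a no-op (False) when the process is already unprivileged."""
    if os.geteuid() != 0:
        return False
    os.setgroups([])      # supplementary groups first, while still root
    os.setgid(gid)
    os.setuid(uid)
    return True


def _worker(root, requested, payload):
    """Body of the compartment. It sees only the sandbox directory and the
    bytes it was handed; any failure is reported as a non-zero exit code."""
    try:
        os.chdir(root)        # relative paths now start inside the sandbox
        os.umask(0o077)       # files the worker creates are private to it
        drop_privileges()
        path = confine_path(root, requested)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(payload)
        return 0
    except OSError:           # PermissionError from confine_path included
        return 1


def run_compartmentalised(root, requested, payload):
    """Fork a worker for one write and report whether it succeeded. The parent
    never opens the target itself, so a bug in the worker cannot borrow the
    parent's privileges."""
    if os.geteuid() == 0:
        # While still privileged, hand the sandbox to the worker's identity.
        os.chown(root, NOBODY_UID, NOBODY_GID)
    pid = os.fork()
    if pid == 0:
        os._exit(_worker(root, requested, payload))
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def demo():
    """Constructed scenario: one legitimate write, one '..' escape and one
    symlink escape. Returns (inside_ok, dotdot_ok, symlink_ok, content)."""
    root = tempfile.mkdtemp(prefix="sandbox-")
    payload = b"constructed sample report\n"
    inside_ok = run_compartmentalised(root, "reports/out.txt", payload)
    dotdot_ok = run_compartmentalised(root, "../escape.txt", payload)
    # A symlink inside the sandbox that points at the sandbox's parent directory.
    os.symlink(os.path.dirname(root), os.path.join(root, "link"))
    symlink_ok = run_compartmentalised(root, "link/escape.txt", payload)
    with open(os.path.join(root, "reports", "out.txt"), "rb") as fh:
        content = fh.read()
    return inside_ok, dotdot_ok, symlink_ok, content


if __name__ == "__main__":
    print(demo())   # expected: (True, False, False, b'constructed sample report\n')
```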

    1. Re:Mandatory Access Controls by argent · · Score: 2, Insightful

      Yes Fedora currently has SELinux in the default install. Unfortunately they have had to use a fairly permissive policy because too many applications and libraries don't properly respect the sort of security bounds that ought to be in place.

      Immutable files on BSD require the same kind of care... but remember, Windows has this problem in a far worse way, because Microsoft's need to remain compatible with apps that ran on the old DOS-based Windows means that they have to accommodate programs that assumed they were effectively root!

    2. Re:Mandatory Access Controls by jsebrech · · Score: 1

      Microsoft's need to remain compatible with apps that ran on the old DOS-based Windows means that they have to accommodate programs that assumed they were effectively root!

      There's no reason you couldn't build a virtual machine or emulation layer to run those apps inside of that completely blocks an app from messing up your system. Wine does that exact same thing (though admittedly, they haven't focused much on security).

      Well, ok, so it would cost a lot of developer time without paying itself back in added revenue, which is why they wouldn't do it, but still...

    3. Re:Mandatory Access Controls by argent · · Score: 1

      There's no reason you couldn't build a virtual machine or emulation layer to run those apps inside of that completely blocks an app from messing up your system.

      They'd have to do that for the entire HTML control and any application that used the HTML control, including Windows Explorer. You'd end up with the whole OS in a sandbox.

      Not that this is a bad thing, necessarily, but it does kind of defeat the purpose.

    4. Re:Mandatory Access Controls by jsebrech · · Score: 1

      They'd have to do that for the entire HTML control and any application that used the HTML control, including Windows Explorer. You'd end up with the whole OS in a sandbox.

      Not that this is a bad thing, necessarily, but it does kind of defeat the purpose.

      No, you'd end up with a compartmentalized OS, with every process having its own sandbox, regulating what it can and cannot do, but fooling the program into thinking it can do it all, unless it uses the new security api to discover its true permissions. See the linux program fakeroot for an example, which fools programs into thinking they're running as root, while they are not, and makes it so they can't truly access the things they think they can access. There's no reason something comparable couldn't be done on windows, except that it would be a lot of engineering.

    5. Re:Mandatory Access Controls by argent · · Score: 1

      There's no reason something comparable couldn't be done on windows, except that it would be a lot of engineering.

      That's the problem. They'd have to completely redesign the way the HTML control works to make it viable: Microsoft considers the ability of the HTML control to break out of its sandbox so important a feature that they risked having the company broken up rather than let it be merely another component in the system.

      And, ironically, just doing that would make the system so much more secure that Microsoft's security boasts could be made true... even without adding MAC. But they'd lose so much face that if it hasn't happened by now it never will.

  75. One of the problems with the Linux name. by nberardi · · Score: 2, Informative

    This is one of the problems with "Linux": people compare Windows, the OS, to Linux, the kernel. I bet most of the patches from Red Hat were non-kernel related patches. However this is the beast that will have to be dealt with soon, because as soon as a company like Red Hat or Suse or whoever has a bad patch year it is going to bring down the whole Linux community, economically. It's just like Martha Stewart and how her company went in the tank because her name was attached to it. The name Linux is tied too closely to the OS's, that is my point.

    1. Re:One of the problems with the Linux name. by mrjb · · Score: 1

      Actually the whole comparison is flawed because they're comparing apples with oranges. They're comparing 'Windows' with 'Linux'. Now which part of windows is compared to which part of linux? If 'an out of the box windows' was compared to 'a fresh linux install with a comparable set of functionality' it might be fair, but as they're just counting patches, I'm sure they're comparing things that really can't be compared.

      --
      Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
    2. Re:One of the problems with the Linux name. by Obiwan+Kenobi · · Score: 1

      Ding, ding. Catch the cluetrain from here:

      "While prison life has been making Stewart leaner, her net worth has been bulking up thanks to a surging stock price at Martha Stewart Living Omnimedia. Stewart last week sold $8 million worth of shares in Martha Stewart Living (up $0.68 to $27.92, Research), the company she founded and built into a mini-retail and media empire."

      Oh, and she's going to have her own Apprentice soon as well. On a national network. On a show that takes millions of dollars to pull off and will make her more rich and powerful.

      I think she's doing just fine. Please come up with a better analogy next time (and research it too).

    3. Re:One of the problems with the Linux name. by nberardi · · Score: 1

      If you could actually read, and I really doubt you read my whole post. I was saying that Martha Stewart Inc. was the one that took the brunt of all the bad press, because their stock dropped heavily. This was because they shared the same name, and when Martha Stewart the person got in trouble the company with her namesake also took the heat. Just like what is going to happen to Linux: if one distro has a bad year it will drag the rest of the OS's down with it. The namesake is too close because they all carry around the same name.

      But you went off on some tangent about a TV show.

  76. A better metric by saddino · · Score: 2, Insightful

    Nash also said that the number of patches shouldn't be the only criteria users apply to tell if Microsoft's doing its job.

    How about:
    (# installations w/ active malware, spyware, trojans or viruses) /
    (# installations)

    This seems a much fairer criterion with respect to the notion of being "more secure." And one, IMHO, I imagine isn't very favorable to MS.

  77. Oh wow, MS is funny by pavera · · Score: 1

    Ok, so they are more secure because they have fewer patches? So now all MS has to do to be "secure" is not release patches for vulnerabilities, as is obviously their strategy, as the secunia links state that there are 0 unpatched vulns in redhat and suse, yet there are 4 unpatched vulns in Server 2k3... out of 44 errata, 4 unpatched.

    And granted 15 in 2k5 is less than 30 or whatever redhat had, but those 30 include patches for web browsers, office suites, database software, programming languages, web servers, all sorts of software. Obviously this has been said before, so I'll probably get modded redundant, but comparing windows to linux wrt patches is like comparing a 50cc motorbike to a v8 super-charged sports car. Is the motorbike easier to fix? Yes. Does that mean it's "better"? No. And once you get all the kludges and hacks onto that 50cc motorbike to make it go half the speed of the car, you've got so much complexity it will never run reliably... and that is windows.

  78. Unreliable numbers? by bmwatm · · Score: 1

    All that shows is Microsoft rolls tons of updates into one patch, whereas the Linux community is bound to patch as needed. When you roll the updates together, of course you will have fewer patches. I would rather have more patches and know that security holes are patched as they are found.

  79. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  80. MS criteria for bugs/flaws and OSS not comparable by Anonymous Coward · · Score: 0

    How many of MS' patches for flaws include remote exploits?

    Frequently, as I follow Linux-Kernel mailing list and others, I see that many of the patches for flaws are for crazy exploits that are merely theoretical.

    MS is usually trying to paper over that big hole in their brick wall.

    Meaning, of course, that trying to compare just a plain count of "patches" doesn't mean squat!

  81. And in Other News by serutan · · Score: 0

    Iran's security chief says Iran is safer than Iraq.

    1. Re:And in Other News by bergwitz · · Score: 1

      Shouldn't that be the other way around?

      --
      Evolution is just a scientific theory. Creationism is not.
  82. The sad thing is... by RootsLINUX · · Score: 3, Insightful

    The 95% of those out there that are 'unenlightened' when it comes to computers and technology probably wouldn't even question M$'s claims. "Oh, Microsoft say they've issued less patches for Windows than others did for Linux and thus Windows is safer. I'm glad to have someone trustworthy to tell me these things!". (-_-)

    Because M$ is more reputable than Red Hat or Novell, the general public will much more likely consider their claims to be true. Oh well. At least it makes for a good laugh for us /.ers.

    --
    Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
  83. Linux Vs Windows by KingBahamut · · Score: 5, Insightful

    This is an argument that can largely be debated on a variety of levels. Honestly? Linux and ultimately unix of any flavor has just as many vulnerabilities as Windows does. Difference -- typically most of those vulnerabilities are patched and assessed before they take effect.

    Just do a search for Sendmail Vulnerabilities on google.

    Result =
    Results 1 - 10 of about 143,000 for Sendmail Vulnerabilities. (0.39 seconds).

    for Microsoft
    Result =
    Results 1 - 10 of about 364,000 for Microsoft Exchange Vulnerabilities. (0.18 seconds).

    You can have this discussion for days on end, and really, what the *nix community has up on the M$ community is knowledge and ability. No, there aren't any viruses that are successfully written for *nix. Spyware isn't even remotely a concept to a linux user. And most vulnerabilities get patched as quickly as they are given POC. Does this mean that linux users patch any more or less than Windows users? No. But we do it more efficiently and with greater success.

    Stability wise, come on. I've got a redhat 7.3 box that barring power failures hasn't been rebooted in over a year. It's a good box, it would probably take an Arkady Rossovich low yield nuke on its head and still live, and I don't know of any windows box that's able to admit that.

    --
    "God of Rock, thank you for this chance to kick ass. "
  84. Just who are they kidding here? by kilodelta · · Score: 0

    Let's see - at the current moment there are how many patches for Windows XP floating around out there? Meanwhile - the MacOS is based on a Unix kernel and does just fine. This is precisely why I'm moving away from the Microsoft camp.

  85. That's exactly how the Bush administration works by Anonymous Coward · · Score: 3, Insightful

    "If you can just manage to say something that gets picked up by major news organizations, then it might make it come true.

    Or at the very least, you might at least fool some people enough to continue to give you money."

    Correct. It's called PR, and it works. Microsoft does it all the time, spewing out completely false or misleading statements knowing those will get the headlines. Corrections get buried on page 17.

    The Bush administration has carried this out to a fine art. They make a grandiose announcement they know is completely false at the time ("the cost of the Medicare drug program will be X billion.") knowing that by the time the real number gets out it will get buried in the news. They even use fear to get what they want ("Social Security is broken.") as does Microsoft ("Linux is not as safe.")

  86. The Big Lie by Infonaut · · Score: 1
    If you tell a lie that is big enough for a long enough period of time, people will start to believe it. Perhaps Microsoft thinks that the strategy of grudgingly admitting to previous mistakes hasn't worked, so they're shifting to The Big Lie strategy.

    --
    Read the EFF's Fair Use FAQ
    1. Re:The Big Lie by rongten · · Score: 1

      "You can fool everybody once, or somebody every time. But you cannot fool everybody every time".

      Is this the stampede of angry share-holders that I hear going towards Redmond? Because, you know, I think the end is approaching, maybe sooner than we could expect.

      --
      Zed: Nothing is ever easy
  87. There were 8 alone this week by abrotman · · Score: 1

    There were something like 8 or 10 this week. Every "Patch Tuesday" there is at least one IIRC.

    And of course Win2k3 has fewer; they include the total sum of all apps in RH, etc. when they do those totals. Win2k3 comes with what? .. They need some kind of full comparison, such as Win2k/Office/Websphere, etc. against a comparable linux system.

  88. If the original NT design had survived... by argent · · Score: 1

    If the original development path of NT, with a new object-oriented shell and API that would have come out somewhere around the time of NT4 or Windows 2000, had been followed... he might have a point.

    But by merging the Windows 95 shell and the execrable HTML control and its associated APIs, Microsoft doomed any chance of Windows ever having a secure code base. Unless they back out or radically redesign the shell and security model they will never be able to honestly claim that Windows is more secure than (or even as secure as) any other protected-mode operating system.

  89. No....mike....stop..... by theVP · · Score: 1

    staunchly defended Microsoft's record on security, basing part of his argument on how Windows Server 2003's 15 patches in the past year are far less than what RedHat or SuSE have had to endure."

    No....mike....you're not helping your case.....people are upset with your company because they don't give out patches for the numerous bugs and security holes your software has....stop while you're slightly ahead mike......MIIIIIIKE!!!!!!!

    --
    "No one is more miserable than the person who wills everything and can do nothing." -Emperor Claudius 10 BC - AD 54
  90. MS Security Chief, isn't that an Oxymoron by big-giant-head · · Score: 0

    Like Army Intelligence

    --

    So Long and Thanks for all the Fish.
    1. Re:MS Security Chief, isn't that an Oxymoron by Anonymous Coward · · Score: 0
      Like Army Intelligence

      or Sysadmin's Suntan

  91. Haven't they still learned? by Freggy · · Score: 1

    It's unbelievable that big MS managers still are tempted to tell such things, haven't they still learned that bashing does not work? And that less than one week after MS sent out one of its biggest bunch of critical security patches of the last year...

  92. Windows safer than Linux by Anonymous Coward · · Score: 0
    Windows makes a lovely NAT-router-firewall for Linux

    http://home.btconnect.com/chrisandcarolyn/ubuntu-hoary/virtual-warty.png Ubuntu-warty for Windows.

    Torrents here http://home.btconnect.com/chrisandcarolyn/torrents/

    Enjoy

  93. So? by Anonymous Coward · · Score: 0

    This is news?

    M$ does this sort of thing on a daily basis. There have probably been over 100 different articles on slashdot saying basically the same thing.

    At this point who cares what M$ thinks. Give it a rest already.

  94. Yet another example by DarkMantle · · Score: 4, Informative

    Here's another example of making stats say what you want.

    Sure, WINDOWS only had 15 patches in the last year; however, IE6 had how many (at least another 18-24), Remote desktop connection on 2k3 Server had 2 security fixes, IIS had about 6 patches....

    Need I continue?

    Fact is, yes, Windows had 12 updates in a year, but its components had many more.

    And also looking at the time from exploit discovery to fix, not looking good for them there either.

    --
    DarkMantle I been bored, so I started a blog.
  95. What happened to ethics and credibility by Anonymous Coward · · Score: 0

    If secunia lists 44 and a microsucks vp lists 15 as the number of vulnerabilities, how is it that big execs are getting away with such blatant lies, and how does one go about holding such people accountable? Why is it that other than slashdot, everything you read today needs to be taken with a sack full of salt? (okay so I lied about slashdot)

  96. In other news... by spare.dave · · Score: 0, Offtopic

    In other news, Iraq had WMD's and Saddam and Osama played golf every weekend. In addition, Social Security will self-destruct this weekend in a massive explosion and kill the baby Jesus.

  97. There's not a chance of being safer... by jimfrost · · Score: 2, Informative
    ...until the standard configuration does not give (or applications require) normal users to run as administrators, or leave the filesystem and registry wide open to modification.

    So long as installers run without requiring passwords, and I have to give my daughter administrator privileges to run Disney games, Windows is in for a lot of hurt in the security domain because there's really no way to control what users, and by proxy the programs they run, muck with.

    I mean, it's so bad right now that whole markets spawned to supply band-aids for the lack of basic protections (anti-virus, anti-spyware), and to rebuild broken systems as quickly as possible (ghost). That's pathetic, particularly since Microsoft had the ability to do a much better job of securing their systems since the release of Windows NT in 1993, and it's been mainstream since XP. It's not that they couldn't do it, it's that they didn't.

    --
    jim frost
    jimf@frostbytes.com
  98. The numbers game: thanks Microsoft! by Morganth · · Score: 5, Funny

    Perfect, let's start rating the security of our products by how many patches have been written and applied. What does this kind of numbers game encourage?

    (1) Don't write a patch, since that admits failure or insecure products.

    or

    (2) Wait a long time before writing and committing a patch, so you can do it as "one big patch" (otherwise known as, haha, a Service Pack!).

    Thanks Microsoft! Just your STATEMENTS make systems less secure (nevermind your engineering).

    1. Re:The numbers game: thanks Microsoft! by wandernotlost · · Score: 1
      Thanks Microsoft! Just your STATEMENTS make systems less secure (nevermind your engineering).

      You know, funny though that statement may be, it's really pretty insightful. That Microsoft's public stance is like this reflects their lack of concern and realization about the real issues surrounding security. This may be simple marketing FUD, but a smart IT purchaser would take into account the lack of gravity implicit in Microsoft's statements when evaluating future purchases.

      There's something fundamentally wrong with the way Microsoft thinks about security, as evidenced perhaps most dramatically by the fact that they made the long-time hoax of the email virus possible, followed by many similar gaffes since then.

  99. Not fair by Stunning+Tard · · Score: 1

    It's not fair to consider this a black mark on Microsoft's anti-spyware app. It's not an exploit of their anti-spyware, just another trojan that happens to target it.
    If anything it's a good thing for their app because it shows spyware authors are pissed.
    Maybe (probably) trojans are easier to fall for on windows, but that's a separate issue/discussion.

  100. In other news by Anonymous Coward · · Score: 0

    Pope recommends Catholicism

  101. There's a story about... by david.given · · Score: 2, Funny
    ...a lecture at a computer risks conference.

    The lecturer was, apparently, talking about the problems in writing mission-critical embedded devices, and at one point he asks his audience: "You all write embedded systems software. Tell me honestly; if your company wrote the software for a 747, how many of you would actually feel comfortable on board one?"

    One hand goes up.

    "You, sir! You're so confident in your software you'd trust your life to it?"

    "Hell, no," comes the reply. "But any plane running my team's software would never crash, because it'd never get off the ground..."

    I am confident in the level of safety given by running Windows on a mission-critical device.

  102. GNU/Linux != Windows by s-orbital · · Score: 1

    Linux Distributions incorporate many packages and utilities; Windows is only an operating system, with a minimal amount of anything included with it. And I seriously doubt our microsoftie included any patches for WMP and MSIE, which come with the OS but are riddled with holes.

    --
    Patent: from Latin patere, to be open
  103. Put your money where your mouth is: DISCLOSE! by Noksagt · · Score: 1

    If Windows needs fewer patches, why don't they offer disclosure of known but unpatched bugs? We've seen several stories of MS not fixing poor implementations after researchers have disclosed. What other bugs does MS not find a sufficient business reason to fix?

    If they really had a case, I'd at least expect to hear more numbers in their favor. We patch X% of bugs in Y days. Fewer than Z% of our bugs are reopened. The number of bugs that could allow for Administrator/root access in the default install was N.

    Any company who uses private issue tracking will always have an easier time criticizing those who use public issue tracking than vice versa.

  104. In other news by Anonymous Coward · · Score: 0

    Korea has nuclear weapons. Iraq is WMD free. Fire is hot.

    Details at your non-shock news source....

  105. You're surprised? by scottking · · Score: 1

    Why do we act surprised when MS claims their stuff is better than Linux based stuff?

    Did you expect them to say, "Crap, you got us. Our stuff is, in fact, less secure than the competition... You win we lose. Good game"?

    --
    scott king
  106. Isn't bigger better? :-) by kkovach · · Score: 0

    "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."

    In order for this to be received as a good thing for MS, you have to assume that there are a smaller number of vulnerabilities in Windows. :-)

    - Kevin

    --
    The less confident you are, the more serious you have to act.
  107. This security guy reminds me of Comical Ali by Anonymous Coward · · Score: 0

    no text

  108. In other news.... by Microsift · · Score: 1

    Pope says Jesus is better than Mohammed!

    --
    My other sig is extremely clever...
  109. Going to work for MS by dlawson · · Score: 1

    ... since I grew up in the sixties, I can tell these guys are filling the medicine cabinet with acid. ...far out, man.

    --
    dot-sig.
  110. 15 vulnerabilities, but 100K's of viruses... by Anonymous Coward · · Score: 0

    ...and untold thousands of spywares and other malwares directly targeting Windows, compared to Linux's seven viruses (lumping viruses trojans and worms under the generic term of "viruses")

  111. No News by CmdrGravy · · Score: 1

    Honestly what do we expect Microsoft to say ?

    What company has anyone ever known who has said that they acknowledge their competition is better in the key areas they are competing on?

  112. That's true by Anonymous Coward · · Score: 0

    Provided -
    1) It works - meaning it doesn't stop booting with that goddamnawful STOP: c000021a {Fatal System Error } message which I swear I got just now for no apparent reason.

    2) You put it behind at least 3 overlapping firewalls

    3) You do not browse any site with Internet Exploder - just love the blue icon sitting on the desktop - if you trouble it by clicking - it will trouble you.

    4) Add remaining clauses from M$ EULA

    Now M$ marketing machinery will argue that whatever you say it is in fact secure - if it works it is secure, if it doesn't, well you know - it is even more secure.

  113. Well, I don't know about you.. by Anonymous Coward · · Score: 0

    .. but I'm just shocked! Next thing we'll hear Linus say good things about Linux, or god forbid RMS say good things about GNU! This is not the world I was brought up in, this is just not.. right..

  114. as long as... by dentar · · Score: 1

    as long as you have three spyware and a couple of adware packages and a virus scanner, then windows is almost safe.

    --
    -- I am. Therefore, I think!
  115. MS FUD by Anonymous Coward · · Score: 0

    Does Mike Nash remind anyone else of the former Iraqi Information Minister Muhammed Saeed al-Sahaf? He knows how to put a positive spin on any and all news regarding MicroSoft.

  116. More patches... by elmegil · · Score: 1

    More patches can actually be BETTER, because it means that problems are being found AND FIXED. Now, if there are more issues to begin with, then it's not better, but I'd say a stock linux box on the net without patches will run a lot longer than a stock windows box in the same situation.

    --
    7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
  117. Does MS actually believe their own hype? by gwait · · Score: 1

    Last time they were preaching a view that was so far out of touch Bill Gates turned on a dime and went from claiming the internet was only for geeks, pornographers and terrorists - to announcing they were going to rewrite everything they had to take over the internet. They almost succeeded.

    This time, I think they are cornered, and even more out of touch with reality!

    Mean Time Between Failure - that's the real difference.

    --
    Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
  118. A metaphor for what we've learned today: by Zutfen · · Score: 1

    1) The dam that gets constantly maintained is obviously the most leak prone.

    2) The dam that is only repaired when a major leak occurs is clearly a superior implement of water retention.

    Everyone thank Microsoft for pointing out an obvious mistake in our logic! THANK YOU MICROSOFT!!!
    *sigh*

    --
    I'm too lazy to enter a sig. Hey wait a second! You tricked me!
  119. Breaking News! by poot_rootbeer · · Score: 1


    I hear the president of Coca-Cola has also issued a press release declaring Coke to be more delicious than Pepsi.

    Also, what's with Microsoft buying an antivirus product? Haven't they already had one since DOS 6.0, or was MSAV.EXE merely licensed temporarily from another company?

  120. It depends on how you define secure: by Progman3K · · Score: 1

    If by Windows 2003 containing 500% more unpatched vulnerabilities (5) than Redhat (0) or Suse (0) you mean secure, then yes, Windows 2003 is more secure.

    But mind you, you aren't really defining secure that way, you're defining un-secure.

    But I suppose in Microsoft's bizarro-universe, where left is right and up is down there is no contradiction.

    --
    I don't know the meaning of the word 'don't' - J
    1. Re:It depends on how you define secure: by pizza_milkshake · · Score: 1

      please explain this new math, it is intriguing

    2. Re:It depends on how you define secure: by Progman3K · · Score: 1

      Pizza, your last two comments, that were moderated as trolls and flamebaits deserved insightful and funny instead...

      You can never understand why mods moderate as they do...

      About the new math; it's simple, you only need to rework the underlying assumptions -

      First create something revolutionary whose fabric is that of freedom (like Linux) and the worms (established players, people with the most to lose; Microsoft) come right out of the woodwork with their own "new math" that flies against empirical knowledge and logical thought.

      I'd go on, but I think you're trolling again ;-)

      --
      I don't know the meaning of the word 'don't' - J
  121. What really matters by ad0gg · · Score: 1
    What are the exploits? Since we are talking about servers, the most important thing is the amount of remote exploits. No one is going to "own" a corporate SMTP server, web server or even an application server by privilege escalation by logging into the local system. Let's look at the percentages of the types of exploits.

    Red Hat AS 3
    Windows 2003 Standard

    66% of the Redhat vulnerabilities are Remote compared to 59% for Windows 2003.

    Now let's compare standard services on servers, like web servers.

    IIS 6.0
    Apache 2.0.x

    IIS has only 3 known exploits compared to 26 exploits that apache has.

    --

    Have you ever been to a turkish prison?

    1. Re:What really matters by C0deM0nkey · · Score: 2, Insightful
      What are the exploits. Since we are talking about servers, most of important thing is the amount of remote exploits.

      The exploits are not all that matters: What exploits are in the wild? What exploits are unpatched? What exploits are self-reported (found by the developers themselves)? What services are affected by the exploit? What is the exploit's payload and how does it impact the use of the machine?

      When trying to determine whether one OS is more secure than another, I think you need to look at a lot more information than just the number of remote exploits available. The big two are: how many of those exploits remain unpatched (i.e. are still a threat) and how many of those exploits were reported by the development team itself so that administrators could take appropriate action (as opposed to hidden or ignored so that administrators could not even take precautions to prevent their systems from being exploited). Let's be real: it is much more likely that we know the truth about the state of the software in an open system (like RH, Suse, Debian, etc.) than we do in a closed system (like MS) i.e. the number of exploits reported for MS are likely the number of exploits currently being exploited - we do not know how many exploits the MS-folks know about but are not reporting. While there may be some exploits unreported in open-source software, the likelihood is considerably less because of the number of people looking at the code. Proaction (Open-Source) versus Reaction (Closed-Source).

      Finally, what matters in the end to most of us is: how much time do I need to spend making sure my system is protected from exploitation, cleaning up infestations, etc.? You can claim your OS is more secure than my OS, but if I'm spending less time protecting against or recovering from exploitation than you are, you are going to have a really hard time convincing anyone who follows this type of stuff. If I am not the target audience (because I know better) then what you are engaging in is FUD - aimed at the gullible or uninformed managers and masses who are expected to take your word for it because you are Microsoft and the Press has picked up your sound-bite.

    2. Re:What really matters by ad0gg · · Score: 0
      Finally, what matters in the end to most of us is: how much time do I need to spend making sure my system is protected from exploitation, cleaning up infestations, etc.? You can claim your OS is more secure than my OS, but if I'm spending less time protecting against or recovering from exploitation than you are, you are going to have a really hard time convincing anyone who follows this type of stuff. If I am not the target audience (because I know better) then what you are engaging in is FUD - aimed at the gullible or uninformed managers and masses who are expected to take your word for it because you are Microsoft and the Press has picked up your sound-bite.

      Vulnerability known only by the company isn't a problem. Every piece of software has undiscovered vulnerabilities, we just don't know about them. When it comes to whether or not something is open source or closed source, ask yourself this. Would you feel safer if the government published the source code for their defense software? So anyone can find bugs? In a utopian world 1000s of eyes viewing source is a wonderful thing if all their intent was for good. But in the real world there are people looking to do malicious acts. Before you even respond, ask yourself, have you ever seen a root kit for NT? When I view processes, or run netstat, I know I'm seeing the actual information. And that these applications are not some hacked up and recompiled version that some script kiddie wrote in 5 minutes to hide his trail.

      --

      Have you ever been to a Turkish prison?

    3. Re:What really matters by C0deM0nkey · · Score: 1
      Vulnerability known only by the company isn't a problem. Every piece of software has undiscovered vulnerabilities, we just don't know about them.

      This is the essence of the "Full Disclosure" debate. The problem, obviously, is that we don't know how many vulnerabilities have been found - and are currently being developed into exploits - because the company believes they are the only ones who know said vulnerability exists. If they published the fact that the vulnerability existed, admins could react appropriately. If they open-sourced the code, other programmers could get to work solving the problem (if it matters to them).

      Would you feel safer if government published their source code for their defense software?

      It's funny you should offer *this* as your "ponder this" question. Why? Because I develop software for the US Department of Defense (specifically for the Joint Forces).

      To answer your question: yes, I would feel safer if the government published their source code. Not the code that has been obfuscated for years, but new source code presently under development. Why? Because then we would be forced to write better code that was thoroughly peer-reviewed, thoroughly tested and did not rely upon eggshells to protect things that should be behind walls of iron a mile thick.

      NASA is known for clean-room engineering and for having insanely low numbers of bugs per KLOC. They do detailed designs with lots of peer reviews, etc. I think it would be great if we could see the same kind of effort put into the software that runs our defense systems. FWIW, some of the defense systems may undergo this type of rigorous process.

      Releasing current code that hasn't been scrubbed? No way. Developing new systems with the understanding that they were going to be open-sourced? Hell, yeah!

      Obfuscation is not security (if you've been around here for a while you should know that). Just think about it: what you are afraid of is that other people would discover vulnerabilities in our code. You shouldn't be afraid of that. Every bug found is one more we can eradicate before it is exploited; more than just the "bad guys" would be looking at that code. Researchers, Patriots, Grad Students, the curious, the thrill-seekers, the recognition seekers, etc. Heck, I'd be willing to bet that open-sourced DOD software programs would have an easier time attracting eyeballs than most other OS projects out there - by the time the "bad guys" developed an exploit, the code base would likely be changed or the threat identified and the system taken down.

      In a utopian world 1000s of eyes viewing source is a wonderful thing if all their intent was for good.

      The point you are missing is, as I stated above, this: if you know your code will be released into the wild, you will take greater precautions during the design and development of that code i.e. there will likely be fewer bugs per KLOC merely because you know the code will be opened.

      Ask yourself, have you ever seen a root kit for NT?

      No, I haven't...but that is because I've never used Windows NT. I have avoided Microsoft software for years - and will continue to do so until they have a proven track record in developing systems that are as secure as you can get them by default [1] - and when other people talk about the woes of their infected systems and come to me with their problems they are amazed that I don't have the same problems. What's the difference? I run Linux and they do not. I am a software developer and a Linux user - I use Win2K at work because that is what is on my company laptop and that laptop does not belong to me.

      On my home computer, I have never had to deal with spyware/adware infestations, viruses, trojans, etc., remote exploits *so far*. Could it happen? Sure. Will it happen as easily as it does on Windows systems? Not likely. Why? Because if it was that easy, it would have already happened. :)

      [1] Lots of definitions as to wh

    4. Re:What really matters by _Sprocket_ · · Score: 1

      Ask yourself, have you ever seen a root kit for NT? When I view processes, or run netstat, I know I'm seeing the actual information.

      You might want to do a simple search before you feel so confident in what "netstat" is showing you.

      And that these applications are not some hacked up and recompiled version that some script kiddie wrote in 5 minutes to hide his trail.

      You don't need source to modify a system's behavior.
  122. Antispyware by brentcastle · · Score: 3, Informative

    Is it just me or was the story about 10 stories down about how spyware can disable Microsoft's Antispyware and take your cc #s, passwords, etc. I have been using a copy of linux on one of my exposed servers for several years without patching and without any significant security configuration at boot and it runs like a dream! [Although I like my OpenBSD machines better :-D]

    --
    http://www.brentcastle.com
    1. Re:Antispyware by Anonymous Coward · · Score: 0

      Nothing against Linux, but good luck with your no patching policy.

    2. Re:Antispyware by sisukapalli1 · · Score: 1

      I have been using a copy of linux on one of my exposed servers for several years without patching and without any significant security configuration at boot and it runs like a dream!

      Most likely the machine will get rooted fairly quickly (or was rooted long ago and you didn't notice). Unless, by exposed, you mean "exposed port 80 to the outside world," or "most services are off". If you have had sshd and sendmail running for several years, you would have been rooted quite easily.

      I know that you were making a point in favor of Linux, but the "I don't patch my system because it is good" is similar to a parent's approach of "I don't ask my kid where he is at 11pm, because he is a good kid", or someone never having a medical checkup.

      To quote an old saying, an ounce of prevention is better than a pound of cure.

      S

    3. Re:Antispyware by brentcastle · · Score: 1

      Hit the nail on the head. The services are limited (just as Windows [any home edition] should be). Now granted that luxury isn't available for Server 2003, but yes, I was just making the blanket point that I'm more comfortable with an old version of Linux than Windows. For pre-2.4 kernels though that's probably somewhat of a security through obscurity.

      --
      http://www.brentcastle.com
  123. In other news... by throx · · Score: 1

    ...Kim Jong Il says that North Korea is more democratic than the United States.

    (Seriously, did anyone here expect someone in this guy's position to say anything different?)

    --

    Fear: When you see B8 00 4C CD 21 and know what it means

  124. Let's examine the logic there... by surfingmarmot · · Score: 1

    By analogy then, a patient who has had 5 quadruple by-pass operations and 4 stents is much healthier than one who has had a couple of stents?
    I don't know what's more scary: 1) Microsoft's continuing cavalier "if we cannot fix Windows security adequately (shown by the volume of patches) we'll just mount a huge propaganda campaign to herald its safety instead" or 2) the fact that the Chief of Microsoft Security has such poor logic skills.

  125. Safer just as it's safer overseas by WillAffleckUW · · Score: 1

    ignore the reality staring us in the face.

    --
    -- Tigger warning: This post may contain tiggers! --
  126. Do "patches" count non-core packages? by nathan+s · · Score: 1

    I run a Debian system and haven't had to make too many patches. The ones I've made tended to be around things that aren't really core OS stuff, like patching my media player or some other random additional package that I've added. Granted, MS makes a media player, but do these counts include only the actual OS, or everything? I'm just wondering if Linux gets bashed because the non-core packages are included in the patch count, while MS gets to update mainly core stuff and comes out looking better. Thoughts?

  127. Another point of view by prestonmichaelh · · Score: 1

    Have you ever seen this report?

  128. Huh? Lies! by Anonymous Coward · · Score: 0

    I look at my windows update...

    SIX Security updates for Windows + 1 for Messenger and 1 for IE (which I don't use anyway HA!). And that's just since the last time I rebooted.

  129. Windows and Red Hat - some statistics by tjwhaynes · · Score: 2, Informative

    Red Hat currently, 0 out of 133 Secunia advisories

    Based on flaws in 64 different packages out of a total of 477 packages.

    11 Red Hat updates for kernel
    6 Red Hat updates for ethereal
    5 Red Hat updates for httpd
    4 Red Hat updates for samba
    4 Red Hat updates for mozilla
    4 Red Hat updates for cvs
    4 Red Hat updates for cups
    etc.

    Let's compare that against the Windows Server 2003 Enterprise edition. All of these defects are against the core Windows operating system. You have to go to the other Microsoft products to find out the numbers for those.

    Let's pick another Microsoft release - say Microsoft Windows 2000 Advanced Server. Oh dear - currently, 16 out of 79 Secunia advisories are marked as "Unpatched" in the Secunia database.

    Or say Microsoft Office XP. Currently, 2 out of 14 Secunia advisories are marked as "Unpatched" in the Secunia database.

    Another - let's try Microsoft Internet Explorer 6 - surely there must be a fully patched MS product out there! Currently, 18 out of 77 Secunia advisories are marked as "Unpatched" in the Secunia database.

    Pick something enterprise critical - say SQL Server 2000. Currently, 1 out of 10 Secunia advisories is marked as "Unpatched" in the Secunia database.

    Doesn't really look good.

    Cheers,
    Toby Haynes

    --
    Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
  130. Safer? by catdevnull · · Score: 1

    I suppose a computer with Windows installed really is safer if you:
    • cover it with aluminum foil (shiny side out--just in case)
    • dip it in liquid latex (to keep the MS spores from getting out)
    • add a 1-inch thick lead jacket
    • seal it in a reinforced concrete sarcophagus
    • drop it in the Marianas Trench
    • and don't forget to remove the network card first!! (You can't be too careful!)
    This should keep you virus, spyware, and cracker free. Mostly.
    --

    I might know what I'm talkin' about, but then again, this is Slashdot...
  131. lies, damned lies, and.... by famous+actress · · Score: 1

    Hilarious. I love that MS thinks that "Our product is more stable because we've fixed fewer bugs than our competitors" is a valid argument. Perhaps their next tactic will be to impress us with the fact that those 15 patches were hundreds of MBs, cumulatively.

  132. Anyone remember the Iraq war and the inf.minister? by Anonymous Coward · · Score: 0

    There was an information guy from the Iraqi defence, claiming that all American forces were outnumbered while bombs fell in the background...

  133. Just in! by clambake · · Score: 1

    CEO of Nabisco says that Oreos are awesome!

  134. Article is missing the last half of the quote by Gruneun · · Score: 4, Funny

    "Of course, we didn't evaluate them with the network cables plugged in. We didn't want the Internet to skew our results. There's some dangerous shit out there."

  135. Windows security is a crisis situation... by dtjohnson · · Score: 1, Insightful

    I guess this thread is about a comparison of Linux vs. Windows security which, of course, is obvious. But what I think isn't being noticed is that the Windows security situation is in a crisis. Now, I know, it's easy to laugh at Windows and say well, sure, Microsoft was stupid enough to implement stuff like the COM 'Browser Helper Objects,' the unprotected scripting engines, the IE ActiveX controls, etc. and so, 'of course', the Windows security sucks. But consider that a major portion of the world uses Windows now for email, the internet, and document exchange and these people are hurting. Yes, the big enterprises have double redundant hardware and software firewalls, virus scanning, spyware extraction, and large staffs of experts to roam around and put out the fires. But the little users don't have any of that stuff and they are finding it increasingly difficult just to keep Windows going day-to-day. Basically, there seems to be a worldwide cyber war going on in which the holes in Windows are being cracked so wide and so frequently that the anti-virus/spyware/trojan software cannot keep up and users are left with systems that barely function, even when they run the latest anti-virus software with the latest downloaded updates. The purveyors of viruses, spyware, trojans, and spam are winning here and there are bad consequences for all of us, even if we don't use Windows. If you are able to help, consider donating a little of your time to helping a neighbor, small business, school, or church with their Windows problems. Maybe you can even help them migrate their system off of Windows. They are probably going to be interested.

  136. MS should learn from Detroit & Enron/Worldcom by metoc · · Score: 1

    Once upon a time Detroit didn't put any new safety features into its cars because it would imply that their cars were unsafe or that the competition was safer. As a result metal "face breaking" dashboards, "scalping" metal glove compartment doors, and "chest puncturing" steering wheels killed and maimed thousands before Ralph Nader wrote "Unsafe at Any Speed!" and forced Detroit to admit they had a problem and take action to fix it.

    Detroit tried to dismiss Ralph Nader as a fear monger, liar, etc.

    So how much longer before a major IT crisis cripples a Fortune 500 company and puts thousands out of work? Remember that the Enron/Worldcom fiasco pretty much put Andersen out of business.

  137. It only matters what auditors say. by gelfling · · Score: 1

    Flacks and partisans' opinions are worthless. The only metrics that matter are security audits and compliance to legislative standards like Sarbanes-Oxley.

    When MS's 'Man-Ho de Jure' can point to specific audited results that back up his claim then I'll believe him. Until then he's just another pretty boy on the garbage strewn beach of security.

  138. Safer my arse by xQuarkDS9x · · Score: 1

    Safer? Pfft, very unlikely when you look at the sheer number of patches for all versions of Windows and their various software like Internet Explorer, Office Suite, IIS, Outlook, you name it.

    Internet Explorer especially, for being so damn insecure that spyware authors just love to infect via Internet Explorer if a person doesn't know what he or she is doing (namely most AOL users).

    --
    You must master your joystick like a fisherman masters bait! - Gimpy
  139. What you say? by djSpinMonkey · · Score: 1
    Microsoft says Windows is better than Linux?

    Shocking!

    1. Re:What you say? by ndtechnologies · · Score: 0

      I love the MS guy's statement that MS's recent purchase of an Anti-Virus company helps prove that MS is more secure than Linux, I mean really...if Symantec (which is one of the most widely used AV software makers) has flaws in its virus detection software, then how can MS say that theirs is any more secure? Also, RedHat and Suse didn't release that many security updates for their OS releases, simply due to the fact that, and here's a new one, there aren't that many security holes to plug. I guess I mainly grow tired of the MS vs. Linux arguments, mainly for the fact that it almost sounds like a bunch of political ads "well Linux is bad because they kill poor defenseless animals to make their software"...see what I'm saying? Anyone else feel that way?

      --
      I have nothing clever to put here...
  140. In other news by Anonymous Coward · · Score: 0

    Linux vendors include a whole load of `crap' in a distro. Very few of those vulnerabilities have anything to do with the core system, whereas almost all of Microsoft's do.

  141. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  142. Let's not forget by Segosa · · Score: 1

    Let's not forget how many of those Linux security patches needed a reboot. Although, to be fair Windows only needs a reboot when a patch makes significant changes to the system... or should I say, Internet Explorer.

  143. He's right...but he's comparing apples with pears. by tomma · · Score: 1

    He is using another security model. At least if you can call it that. They realize security through obscurity. GNU realizes security through openness. The availability of the source code allows people to look for vulnerabilities, which will in the long term result in a better product. The flipside is that there are more security fixes. If you hide your source code, fewer security holes will be revealed, hence fewer fixes are required. But anyway... I guess every sane thinking person realized this already... ;)

    Personally I feel more comfortable with the free/open source approach. Many more people identifying and fixing security issues, and security issues are immediately out in the public, which is pretty much a better incentive for actually solving the problem.

  144. 15 fixed, what about the others? by scudderfish · · Score: 1

    It doesn't matter how many are fixed, it is the number of unfixed that are important. I'd be happier with 45 out of 50 fixed than 15 out of 600.

    1. Re:15 fixed, what about the others? by Ziviyr · · Score: 1

      Amen.

      --

      Someone set us up the bomb, so shine we are!
  145. mmmm... That's probably why I was asked ... by Jerry · · Score: 1

    to replace XP with SUSE Pro 9.2 on a computer that a couple used to do work at home. They needed to get work done and with the bugs, viruses, adware, popups, etc., they were getting overwhelmed just trying to keep their XP 'clean'.

    Last night all those troubles went away.

    --

    Running with Linux for over 20 years!

  146. Now we know what happened to winger by packslash · · Score: 0

    I just thought their music blew. Turns out Kip went to work for Microsoft!

    1. Re:Now we know what happened to winger by packslash · · Score: 0

      oops I mean went to work for slashdot!

  147. You're speaking for most people everywhere by RealAlaskan · · Score: 1

    At Information Week, their poll shows that 84% of their voters are of the same opinion: Mike Nash is full of crap.

  148. By this logic... by sterno · · Score: 2, Insightful

    Using that logic, Microsoft Outlook is far more secure than Novell Evolution because patches are coming out all the time for Outlook.

    What really matters in the end is:

    1) The seriousness of exploits
    2) The quantity of exploits
    3) The imposition placed on IT people in applying patches to fix exploits

    If you release a lot of patches but they are readily applied without causing downtime, etc, then that's not a big problem. If a few exploits are found but the exploits are huge gaping holes, that's bad for everybody. This is another one of those cases of trying to measure a qualitative problem using quantitative means. It means nothing but it looks good in a press release.

    Is it truly more secure than Linux? The real measure is hacks per capita. How many boxes are out there, and how many are getting exploited?

    Frankly, I think Linux is more secure for one simple reason: I can more readily control what's running. Linux is much easier to trim down to a minimal system, shutting down services, and making it very difficult for an exploit to do anything if it can even get on there. If I have a box that's a Linux webserver, I can trim it down to Apache and SSH, and that's it. If I just watch for exploits of those two things and the kernel itself, I'm golden. With Windows, I have these service packs and updates that change mysterious things without my knowledge. I'm at much greater risk of unexpected consequences of a security fix.

    --
    This sig has been temporarily disconnected or is no longer in service
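The "trim the box to Apache and SSH, then watch just those" approach above lends itself to a routine check. The script below is an added example, not code from the thread or from any project it mentions: it reads the output of `ss -ltnp` (Linux iproute2; the sample output embedded here is constructed) and reports every listening TCP socket owned by a process that is not in a short allowlist. The allowlist contents, process names and port numbers are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets whose owning process is not expected.
# Assumes the input format of `ss -ltnp` (Linux iproute2). Process names only
# appear in that output when ss runs with enough privilege to read them.

# Assumed allowlist for a minimal web host: only sshd and apache2 should listen.
ALLOWED_PROCS="sshd apache2"

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*    users:(("apache2",pid=1201,fd=4))
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*    users:(("exim4",pid=1410,fd=5))
LISTEN 0      4096   0.0.0.0:111        0.0.0.0:*    users:(("rpcbind",pid=600,fd=4))'

# unexpected_listeners: read ss output on stdin, print "process port" for each
# LISTEN row whose process name is not in $ALLOWED_PROCS.
unexpected_listeners() {
    awk -v allow="$ALLOWED_PROCS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # keep only the port number
            proc = ""
            # Process column looks like users:(("name",pid=N,fd=M)); extract "name".
            if (match($0, /users:\(\("[^"]+"/)) {
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            }
            if (!(proc in ok)) print proc, port
        }'
}

# count_unexpected: number of unexpected listeners in the constructed sample.
count_unexpected() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample. On a live host, replace the
# printf with: ss -ltnp | unexpected_listeners
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
```

On the constructed sample the script reports `exim4 25` and `rpcbind 111`, the two daemons the allowlist did not anticipate; a zero-line result is the state the comment above describes, where only the web server, SSH and the kernel remain to be tracked for advisories. A loopback-only listener such as the exim4 line is still reported, since the point of the allowlist is to know what is running, not only what is reachable from outside.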
  149. The Popularity Argument by KiltedKnight · · Score: 1
    In the case of infecting individual computers, the popularity argument, as you called it, is merely a way of saying that you're getting the best bang for your buck. You're far more likely to infect a greater number of machines. Once those machines are infected, they spread it to other machines.

    In terms of market share of Apache vs IIS, the problem here is that your success rate of infecting a machine is generally going to be higher with IIS because of the discussion we've had in other threads... IIS is most likely going to be run with Administrator privileges on that machine. Apache, at least on Unix/Linux systems, runs as its own user/group, so it never has root privileges on the machine.

    --
    OCO is Loco
  150. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  151. Need a new icon... by Anonymous Coward · · Score: 0

    ...for stories that are likely to make someone spit a mouthful of coffee on their monitor, keyboard, plush Tux, etc.

  152. Discussion is pointless, both are insecure by grumbel · · Score: 1

    Discussions about "my OS is more secure than yours" are completely pointless if both OSs have buffer overflows every few days and remote root exploits every few weeks or months in either the kernel or an important and widespread application. Neither OS is secure and both require regular patching; if you don't, then it's just a matter of weeks before your computer gets some new owners.

    The only thing that might be worth discussing is maybe which OS is easier to patch, but I don't see any clear winner there either; while some Linuxes have apt-get, in practice one often ends up compiling software oneself, so bye-bye apt-get and hello manually reading Bugtraq. Windows has its update service too, but that basically fails for the same reason, since a bunch of software isn't tracked by it.

    Talking about patch frequency, well, OSS might be a little bit faster here sometimes and a bit slower at other times, but so far each worm that spread widely used a leak for which a patch was already available weeks or months ago, so patch frequency doesn't seem to matter that much.
    And when talking about targeted attacks neither OS seems to be much good either; a whole bunch of popular Linux (Debian, Savannah, Gentoo-mirror, lots of PHPBB sites, etc.) and Windows servers got cracked in the past.

    So well, wake me up when there is an OS out there that really is secure and doesn't instantly give root to everyone just because a programmer made a tiny mistake. grsecurity at default on all distros, every app written in Java and running on a VM or whatever might be something worth reconsidering the question of which OS is more secure, but for now both are insecure whether you like it or not. After all there is a reason why truly sensitive data isn't connected to the internet at all most of the time.

    1. Re:Discussion is pointless, both are insecure by Anonymous Coward · · Score: 0

      ...OS/390 or OS/400? ...and last time I checked the smallest AS/400 was even smaller than a PC... it fitted nicely under my table... :-)

  153. and now you see why by geekoid · · Score: 1

    MS went to a 'patch once a month' methodology.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  154. ethics and credibility??? by jimbro2k · · Score: 1

    ethics? credibility? I think you geeks are just making up your own words, (when you are not trying to recycle these obsolete ones). If you are going to use these strange and arcane bits of vocabulary, you really should explain what they mean. ;)

    --
    There is not nearly enough love in the world, but there is far too much trust.
  155. What's funnier? Where is the /. humor foot? by Qbertino · · Score: 1

    I started to chuckle when I read the headline, then I realised that I had a difficulty figuring out why I was laughing. Is it the fact that somebody who's professionally into computers states this or the fact that a MS guy saying this is considered news?

    Even the mere fact that they keep repeating it is hilarious in itself and has its own twist of humor. *grin*

    This actually shows that MS Windows is worse off than I thought.

    --
    We suffer more in our imagination than in reality. - Seneca
  156. As Mandy Rice-Davies so Aptly Put It by tom's+a-cold · · Score: 1
    In a recent online chat, he staunchly defended Microsoft's record on security

    Well, he would, wouldn't he?
    --
    Get your teeth into a small slice: the cake of liberty
  157. I think he is right... by Anonymous Coward · · Score: 0

    But then, I think the Bears are a better football team than the Patriots, the Cubs have a good chance of going all the way this year, and since Brad Pitt left her, I have a shot at Jennifer Aniston.

  158. A perfect marriage? by monoqlith · · Score: 1

    Mike Nash and Condoleezza Rice?

  159. This is insightfull? by geekoid · · Score: 1

    Using a Google search to support your arguments? Are you kidding?
    All this proves is that there are more sites with those words in them. Nothing else.

    What do Exchange and sendmail have to do with Linux and Windows? Nothing.

    Look at the operating systems. Since MS has declared that IE is a core part of the OS, you need to count those for Windows as well.

    Look at the exploits: how many of each can be done remotely? If you need to be sitting at the computer to exploit the bug, then it is not very severe.

    What do you do with your OS? I've seen Windows boxes with over a year of uptime.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:This is insightfull? by mormop · · Score: 1

      What do you do with your OS? I've seen Windows boxes with over a year of uptime.

      Meaning that all the patches that required a reboot weren't installed, or are installed but not having any effect?

      --
      Hmmmmmm..... Deep fried and look like Squirrel.
    2. Re:This is insightfull? by KingBahamut · · Score: 1

      Here, let me translate this so you can understand it in more defined terms...

      Using uh google search ta support yo' arguments? iz ya kidding?
      Alls dis here proves iz dere iz mo' sights wiff those werdz in dem. Nothing else.

      what do exchange an' send mail gots ta do wiff linux an' Windows? Nothing.

      peep at da opporating systems. Since MS as declared da IE iz uh core part o' da OS, then ya need ta count those fo' windows as well.

      Look at da exploits, how many o' each cn be done remotly? If ya need ta be sitting at da geekbox ta exploit da bug, then it iz not very sever.

      what do ya do wiff yo' OS? I've seen windows boxes wiff over uh year o' uptime. sho 'nuff, jes like mammy.

      ----------------------

      Now then, back to the semantics of this post.
      Exchange and Sendmail are just examples. If I attacked as a whole all of Windows vs. all of Linux, it would be astronomically larger in scope. So here you go......

      Results 1 - 10 of about 1,480,000 for windows vulnerabilities. (0.22 seconds)

      Results 1 - 10 of about 1,530,000 for linux vulnerabilities. (0.07 seconds)

      My argument wasn't that one system over another has vulnerabilities more than the other. My argument was that Linux is a more stably maintained system; patches are more timely and with a lot less ramification than Windows.

      Back to stability, who here has a Windows box they haven't rebooted in over a year?

      --
      "God of Rock, thank you for this chance to kick ass. "
    3. Re:This is insightfull? by KingBahamut · · Score: 1

      I have to agree with mormop, a year of uptime means updates that can't possibly be applied. I never have to reboot my systems after they are updated. I never have to reboot my systems after software is installed. As a matter of fact, I run CrossOver Office on my wife's systems and there's that nifty little button that says "Simulate a Windows Reboot" just to fake the system into believing it's been rebooted. I'm sorry, Windows is a joke with the way it functions sometimes.

      It's a box, you have to spend 500 dollars on top of the 200 you pay to get the OS, just to get an adequate Office Suite, Office Productivity, and Sensible Operating system addons, just to keep it safe. Which is total bullshit in my opinion. I buy an OS, then I have to pay more money to get the stuff I need to run it properly.

      Go cut down an ISO of Fedora or Mandrake, it's free, it comes with all the productivity software you need, and it doesn't cost any extra.

      It's not rocket science people, it's COST EFFECTIVENESS that makes Linux desirable, on top of its STABILITY.

      --
      "God of Rock, thank you for this chance to kick ass. "
    4. Re:This is insightfull? by Anonymous Coward · · Score: 0

      I have in fact two windows boxes that haven't been rebooted in over a year. Actually they're both approaching 18 months now. Granted they've been unplugged and packed in a storage bin, but they haven't needed a reboot.

  160. There are no security flaws in Microsoft by Anonymous Coward · · Score: 0

    Looks like our good buddy Comical Ali has found a new job. I, for one, am happy for him.

  161. This Sounds Familiar by Anonymous Coward · · Score: 0

    I vaguely recall another PR battle that was waged much the same way... "We have destroyed 2 tanks, fighter planes, 2 helicopters and their shovels - We have driven them back." - Iraqi Information Minister

  162. Microsoft always says this... by judgecorp · · Score: 1

    Every year, Microsoft has made this claim (read more at Techworld). Usually after a major Windows security issue, or a big PR campaign about security.

    This year's one is not as good as last year's classic, Days of Risk.

  163. Windows Security Chief by Pfhreak · · Score: 1

    How completely shocking that Microsoft's Security Chief would publicly declare that his company makes a more secure product than its competitors!

    --
    The U.S. Constitution needs to be amended with a "separation of business and state" clause.
  164. Core Patches by nurb432 · · Score: 1

    Were these '15 patches' to the core OS of Windows, or with applications?

    I can count on one hand how many *core* issues with both Linux and FBSD have appeared in the last year.

    Need to compare the same sorts of numbers to be accurate. But then again, facts always hurt PR jobs..

    --
    ---- Booth was a patriot ----
  165. I Agree by FlipSideXp · · Score: 1

    Yes, Windows is much safer than Linux when shut down.

  166. Wait a minute by baggins2002 · · Score: 2, Interesting

    Okay, I'd like to play devil's advocate today (I don't really want to have my a%% torched, but I expect it). Every time the security issue is brought up, the number of patches is brought in as an argument (I agree this is ridiculous for a number of reasons already pointed out; basically I don't think the number of patches has anything to do with how secure a system is). But the real FUD line which keeps being brought up is: if 50% of the computers on the internet were Linux, would Linux users have the same problems as Windows users? If Linux was targeted more often, would Linux users have the same problem?
    I have some concerns that Firefox is going to be used as the test for this argument. Currently the argument is that Firefox is a more secure browser. The counter-argument is that currently the reason it is a more secure browser is that nobody targets it. My big concern is that once Firefox is targeted it starts displaying a lot of problems. From then on the argument would be: see, as long as nobody uses Open Source they are secure, but once they gain in popularity and become targets they fail.
    So can someone point me to the simple golden bullet argument that says Linux is and will continue to be more secure than Windows?

    1. Re:Wait a minute by RobertLTux · · Score: 1

      try this on for size:
      1. many of the base programs are written by geeks that don't have the need to release by X Date
      2. F/OSS code tends to be more secure
      3. because the source is available it can be audited (and compiled from audited source)
      4. the linux community talks

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
  167. Microsoft Information Minister? by Sideshow+Coward · · Score: 1

    Hey.... when was this guy hired by Microsoft?

  168. You're all doing the math wrong... by briancnorton · · Score: 2, Insightful
    Ok, so by some metric we determine that Linux is 2x as secure as Windows. Well, Windows systems are down more than half the time, and thus less vulnerable to compromise.

    Humor aside, counting patches is about as good of a way to determine security as counting car crashes to determine what is the safest car.

    --
    People who think they know everything really piss off those of us that actually do.

  169. Anti-Virus engine = active ice by dr_leviathan · · Score: 1

    Since Microsoft is planning on incorporating this new-fangled AV (anti-virus) engine into their operating system, it appears that they are not planning on securing their interfaces and APIs so much as running constant scans of what is being fed to the system. This sounds like more process overhead, something which already makes Windows servers top-heavy ==> more streamlined OSes will continue to have the advantage of being able to do more on the same hardware.

    Go Microsoft! Yeah, keep running in that direction... *whispers* Ok guys, let's ditch 'em!

    --
    Religion is poison to rationality, and we lose sight of that at our own peril. -- Lurker2288
  170. There IS security at the village of Redmond! by LifesABeach · · Score: 1

    Known Facts:

    Bill Gates has security.

    The founders of that third party closed source solution are secure.

    Even the head of security is secure.

    I believe that the rest of us fear the night.

  171. A Good Thing by ObsessiveMathsFreak · · Score: 1

    Hopefully all this FUD from MicroSoft will spur FOSS developers into adopting more security measures.

    --
    May the Maths Be with you!
  172. It's just talk by paranerd · · Score: 1

    I know Microsoft is expert at talking their competitors (and good ideas) into a premature death, but I find it difficult to believe these kinds of statements are going to convince anyone living in the real world. My boss's home PC has been hacked, our work machines have been hacked, my daughter's Windows box had a trojan, every Windows user I know (and there's a ton of them) is badgering me to help them clean the adware off of their system. All that time my Linux box is as stable and happy as a 14th century Tahitian prince and my two Apple-loving friends just sit behind their fancy screens and grin.

    Microsoft just can't talk that away.

  173. Its as secure as you make it. by blanks · · Score: 1, Insightful

    Windows is as secure as you make it. Same with Linux.

    The big difference between the two is that most of the exploits available for Windows require uneducated users to have some type of interaction to infect their system or to have an exploit run.

    For example, I do not believe it's the fault of Microsoft if an end user installs spyware when they visit a website. Or an even better example is how an end user will install an application like Kazaa on their system, even knowing that it has spyware installed.

    Windows 2003 is very secure, and I believe that comparing XP Home Edition to Linux is very unfair simply because the majority of people who would be running Home Edition will have no idea how to protect themselves online. A better comparison would be Linux to 2003.

    What are the biggest insecurities that people complain about with windows?

    Spyware, which in most cases is installed by an end user knowing full well what they are doing, or being tricked, and viruses installed via email (mostly related to end users; the latest version of Outlook has a lot of default features turned on to remove the use of images to track users (spam) and to not allow attachments).

    And IE exploits run from non-trusted sites, again the end user going to sites that they should not be going to if they do not trust them (I think we all know which types of sites run a lot of these types of exploits).

    Yes windows is not secure, in the same sense that Linux is not secure, OSX is not secure etc. It's the people who use the OS that make the big difference.

    p.s. Yes, I know full well about the various worms and exploits like the messaging service and RPC, which had nothing to do with end user interaction; these were big fuckups on Microsoft's side, but with an updated/patched system Microsoft has been able to make a stable, POPULAR, and secure enough OS that is capable of being user friendly but powerful when needed.

    1. Re:Its as secure as you make it. by vadim_t · · Score: 2, Insightful

      Let me politely disagree here: bullshit.

      I can install Debian, or Gentoo, or whatever else is popular this week, on a machine with a direct internet connection, without worrying about crap getting into it.

      However, if I try to do that with a Windows box, it gets broken into in minutes! And I know because I tried, several times, to install Win2K on a friend's computer and get the patches before the virus got to me. I failed. It was infected each time, between 1 to 5 minutes from booting. That's completely unacceptable.

      Finally, we ended up bringing his box to my home, and set it up behind my Linux firewall.

  174. Yes he was smoking at the time. by Anonymous Coward · · Score: 0

    He, he, he...

    I am Mr Big and I sold him the crack he smoked (for way over market rate too)

  175. Fraud! by Nom+du+Keyboard · · Score: 1
    So he only compares it to Windows Server 2003 patches. Not IE, not WMP, not other versions of Windows. What a fraud! He has probably picked the least used current product MS sells, and tried to use that as proof that all Windows users are better off.

    That would be like Apple saying they're better than everyone else because the iPod has had fewer patches than any other OS.

    Why does this guy even get press time?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  176. In the same new report ...... by onlyjoking · · Score: 1

    ... it was revealed that Arnold Schwarzenegger is a woman and Afghanistan is the leading world economy.

    Microsoft's formula for press releases lately seems to be:
    1. Take a flaw in a M$ product
    2. Compare with Linux/OSS
    3. Assert the opposite of what you find
    4. Profit

  177. Yup! by MightyMartian · · Score: 1

    And in other news, it's been discovered that motorbikes are safer than cars because they have fewer wheels.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  178. Re:Patch Distributions by Anonymous Coward · · Score: 0

    I had done a quick analysis of this issue back in January (My Blog) and you can get some very interesting stats over there (thanks Secunia!).

    One of the FUD items here is that Microsoft buries numerous patches with *multiple* vulnerabilities. While this is sometimes true with Linux, oftentimes this is not the case.

    Secunia lists 38 issues in Windows 2003 Server with 11% of them unpatched. I wonder what he would have said if the reporter had been able to give him those stats.

    Secunia also has this to say about Linux: it's 99% to 100% patched. Windows on average has about 13% unpatched.

    This FUD is documented as being outrageous if you just know where to look.

    Thanks!

  179. So how many bugs are fixed in each patch? by greed · · Score: 1
    While a number of posters have been pointing out the differences between patching the Windows OS vs. patching the 1000s of optional packages available with most Linux distributions, I have a different question.

    How many bugs are fixed by a typical Windows security patch? On the W2K machines where I work, the Software Update thing will quite often show up with 5-7 patches, all of which contain something like the following description:

    A flaw in Windows may allow an attacker to take full control of your system.

    There could be dozens of bugs fixed in one of those patches. Or there could be just one--you have no way of knowing. I don't even know which files were changed.

    Whereas, at least with the Red Hat errata I've dealt with, Red Hat lists all the bugs resolved in a single update (relative to the prior update for that package).

    So counting patches is just useless, for many reasons. You need to count the number of open exploits--and how can you count the unknown ones?

  180. Yes he was smoking.at the time... by Anonymous Coward · · Score: 0

    He, he, he....

    Yes I am Mr. Big and yes he was smoking crack at the time. I know 'cause I sold it him (at way above market rates too)

  181. In other news by Anonymous Coward · · Score: 0

    BeOS and OS/2 were found to have the highest security of any operating system as no patches have been released in years.

  182. 4, insightful? I think not.. by coronaride · · Score: 1

    "forget our track record, forget what we said before, and ignore everything happening on our desktop systems; our server r0x0rs!"

    Apparently you are ignoring everything happening on the desktop systems. If you haven't noticed, Windows XP SP2 is rather good. I just got in an argument with someone yesterday about this: when it comes to software development, you can't dwell in the past for TOO long..any software developer will tell you that a project is a continuous work in progress. There is a constant tug-of-war between meeting the deadlines and addressing the implementation of new features.

    At its time, Windows 95 was decent..a big change from what the public had seen before. Windows 98 was a big improvement over that. Windows 2000 was an even bigger improvement. Windows XP was even bigger than that. In retrospect, however, they are all looked back on with disdain. Why is this? Because Microsoft was trying to build an OS that was easy to use and maintain - something that only Mac has been able to do with OSX. Unfortunately, the human factor got in the way and started ruining the day for everyone in the form of virii, spyware, etc.

    Since the commercial explosion of the internet (1998-2000) Microsoft recognized that there was a need for a change and they gradually started moving in that direction. It's a work in progress..you live and you learn..that's life. So don't judge them too harshly..they are starting to get the picture. If Microsoft was still hiding behind a product like Windows 98 and calling it safe, stable, and secure, then I could see where one might have some distrust.

    Anyhow, bring on the "he's a microsoft fan-bois" comments..

    --
    Those who can, do. Those who can't, go into business for themselves.
    1. Re:4, insightful? I think not.. by Anonymous Coward · · Score: 0

      Yep. And I'll still take Win2K Pro for a workstation over XP, if able to exercise that choice.

    2. Re:4, insightful? I think not.. by coronaride · · Score: 1

      um, yes it was..if Windows XP was simply a "skinning" of Windows2k, why is there an option to go back to the traditional Windows feel? That would, I guess, make it exactly the same. No, there was a lot more than that:

      1) Firewall
      2) Enhanced driver support
      3) Enhanced Stability
      4) Improved boot times
      5) Program recovery
      6) Better/easier networking
      and the big one:

      The first real OS that could be used for either home or office. People tried to use Windows 98 for their office and that didn't work very well. Windows 2000 is not really a great home PC (slow boot times, etc). That, in my opinion, is what made XP so big at the time.

      --
      Those who can, do. Those who can't, go into business for themselves.
    3. Re:4, insightful? I think not.. by Too+Much+Noise · · Score: 1

      4) Improved boot times

      When this is what one boasts for a workstation OS then you know there's trouble. Or Windows.

    4. Re:4, insightful? I think not.. by coronaride · · Score: 2

      Don't be an idiot..I live in California, land of already-high-and-increasing energy bills. I turn my desktop PC off at night. Additionally, my main work computer is a laptop and I can't really leave that on all the time now, can I? Which reminds me of a couple other big features standard in XP: hibernation and remote desktop.

      --
      Those who can, do. Those who can't, go into business for themselves.
    5. Re:4, insightful? I think not.. by MrResistor · · Score: 1

      If you haven't noticed, Windows XP SP2 is rather good.

      I hadn't noticed that, actually. My wife's XP SP2 system requires a lot more of my time to keep it clean, updated, and running smoothly than my Suse 9.1 system does.

      It may[1] be better than previous versions of Windows, but it's still a long ways away from "rather good."

      [1] Personally, I like Win2k better, but I'm hardly a Windows security expert, so for the purposes of this discussion I'll concede the point.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    6. Re:4, insightful? I think not.. by Trepalium · · Score: 1
      1) Windows 2000 had firewall capabilities, but it wasn't a simple on/off switch.
      2) Windows XP encouraged people to finally write NT drivers, however, most XP drivers are perfectly compatible with Windows 2000
      3) This is debatable. In most cases, the stability of Windows XP is identical to Windows 2000.
      4) Most of the improved boot times are cosmetic, like showing your desktop even if it's not ready to be used. (How many people have ended up opening something two or three times because despite the fact that Windows was showing your desktop with a regular arrow pointer, clicking on anything did nothing for several seconds/minutes)
      5) I have no idea what you mean by this.
      6) Debatable. I would argue that certain things have become far more difficult with WinXP. "Simple File Sharing" hides a lot of stuff that can be the cause of several SMB sharing problems. You can't enable the guest account with the automated wizard without also creating the "Shared Documents", which you may not want.

      On the other hand, Windows XP has brought with it a bunch of junk that some people don't want. Have you ever tried to get rid of .NET Messenger on XP, without it coming back? Have you tried deleting the Shared Documents directory after the Home Network setup wizard has created it? Have you ever tried to find the User Rights Assignment on XP Home so that a Limited Account will work with some particular program? Ever want to use the new XP group policies on a Windows 2000-based active directory (it's a mess)? What about the auto-grouping taskbar that frightens people the first time it happens because they think their programs have been closed, or the intellimenu on the start menu that makes people think that their less frequently used programs may have been uninstalled? And what about System Restore which gobbles up 12% of every drive by default, regardless of the drive size (add to that the 10% per user that Internet Explorer wants to use, plus an unrestricted dllcache growth, and a modest system partition can become quite cramped quickly)? Then there's the bubble windows. Some are click to dismiss, others are click for more info.

      --
      I used up all my sick days, so I'm calling in dead.
    7. Re:4, insightful? I think not.. by tidge · · Score: 1

      What do people do to their machines?
      I just don't understand it.
      I have my wife set up with Windows XP pro. Firewall on, Anti-virus installed, Automatic updates, and it's been running great for years.

    8. Re:4, insightful? I think not.. by Too+Much+Noise · · Score: 1

      Hibernation is what you should be doing normally. That's NOT THE SAME THING as a reboot. Unfortunately, if you try this with Windows you'll see the need for an actual reboot soon enough and that's a problem.

      My point? hibernation is the feature that you should have listed instead of "faster boot times" for a stable OS able to withstand uptimes longer than a few days. The mere thing that boot times matter on a workstation is wrong - I should only use the instant-on from hibernation, unless I'm patching the OS core and I need to reboot.

      Yeah, and calling names won't add weight to your argument. But you knew that already.

    9. Re:4, insightful? I think not.. by coronaride · · Score: 1

      You know..it's really a matter of preference..hibernation is a very handy feature. It's a big advancement; however, as I mentioned in a previous post, software is always considered a "work in progress". The hibernation feature is great, but sometimes, with Windows XP, you do need to reboot occasionally.

      Also, with various updates and patches being the way that they are, it is necessary to reboot. This is something that Linux advocates have whined about for a very long time and, if you know anything about Microsoft's .NET certification for ISV's, then you know that it's an issue that is being addressed.

      Secondly, I wasn't trying to add weight to my argument by using the term idiot..a remark was made that was short-sighted and narrow-minded, and I was addressing that.

      --
      Those who can, do. Those who can't, go into business for themselves.
    10. Re:4, insightful? I think not.. by jschottm · · Score: 1

      Wow, I make a disagreement on which step was the biggest improvement and I'm flamebait (not aimed at you, just the clueless mods)...

      1) Firewall
      Not a great firewall or a huge improvement. The fact that it's built in is a very good thing for users, particularly hobbyists and home users, but it's not a major advance in OS design.

      2) Enhanced driver support
      3) Enhanced Stability

      I've never written a device driver for Windows, so perhaps it was a big change between W2K and XP from the developer standpoint, but on the ~50 Windows boxes I admin (about a 3/2 ratio of XP to W2K), I can't tell much of a difference between the two as far as driver availability and stability. My W2K desktop stays up for months, generally until the next patch that requires a reboot.

      4) Improved boot times
      As someone else pointed out, displaying the desktop before it's usable isn't a great leap forward. And again, it's a nice thing, not a groundbreaking change. I'll grant you that *some* machines take forever to boot W2K for whatever reason, but the majority of them I've only seen about a 5 second difference, and that could be explained away by faster processors.

      6) Better/easier networking
      Other than the wireless setup, I'm not sure what you're referring to here. I set up interfaces pretty much the same between the two.

      The first real OS that could be used for either home or office. ... That, in my opinion, is what made XP so big at the time.

      We have different priorities, so we'll just agree to disagree. I've been running Linux at home for years now - what I care about Windows-wise is whether it's stable enough to use at work. NT->W2K was a far bigger change as far as that. It saw the kernel/system mature into something stable. It was their first OS that really took this internet thing into account. It was the first OS to really work with Active Directory. Those are the changes that are important to me. XP may have gotten into the home, but it brought Blaster and Sasser with it. It's a double edged sword, and one that SP2 has only begun to blunt, years after XP was released.

  183. Dizzy from the Spin Doctoring by Ridgelift · · Score: 1

    This reminds me of the days when Novell NetWare had C2 Redbook certification. Microsoft came out with the same claim, that Windows NT 4.0 was C2 Redbook certified as well, except in the fine print it said "provided it was not connected to a network"! That was like buying a boat that was capsize-proof provided you didn't put it in the water. Of course the whole claim was a "me too" campaign to confuse and fool people, and it worked.

    But people are no longer fooled by what the folks at Redmond say. Even my mom knows Windows is horribly broken, and she knows nothing of computers. The fact that such statements are being made is not just funny; they appear downright desperate.

  184. Pigs can fly... by NoSuchGuy · · Score: 0

    nothing more to say

    --
    Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
  185. This is so 90's by blueforce · · Score: 2, Insightful

    I'm so tired of this argument "Our software is more secure than their software". It's ridiculous. What they're really saying is "Our programmers and development processes are better than your programmers and processes." These security debates, whitepapers, and arguments are always subjective, never solve anything, and only prove that someone has time to waste.

    Any given OS, in the hands of an expert, is just as stable or secure as the next. There's just no way to effectively prove otherwise. The test domain to definitively prove which OS is truly the most secure is incredibly huge. As long as human beings code it, it's insecure. There is no version of Unix or Linux that has a higher Evaluation Assurance Level than Windows 2000. That doesn't necessarily mean that any novice could actually secure it either.

    Reality is that Windows has a huge number of desktop installations and it's used by a large number of people that can't even open up Notepad or a command prompt if you asked them to. Those same people couldn't even install Linux so it's not reasonable to even suggest. So, how are they supposed to have any idea about security? Most of them can barely get online. It's no fluke that AOL and Windows are as popular as they are - they're easy to use and they have a small learning curve.

    Furthermore, Linux and Windows are so different that it's almost ridiculous to even compare them. They solve different problems, they both have their strengths and weaknesses, and other than the fact that they're both operating systems they don't have much else in common. In many ways comparing those two systems is like comparing an F-16 to a Learjet - they both fly; they both have wings; they both have cockpits, throttles, and tails; they're both airplanes but they don't look the same; they don't have the same internal components; they aren't operated the same; and they aren't made for the same purpose.

    Security arguments are out of style. It's safe to say that no major software maker is intentionally designing insecure software. Move on. Innovate. Come up with something original.

    --
    If you do what you always did, you get what you always got.
    1. Re:This is so 90's by argent · · Score: 1

      What they're really saying is "Our programmers and development processes are better than your programmers and processes."

      It doesn't matter. Windows problems are fundamental to the design, particularly Active Desktop and all that involves. Best programmers in the world couldn't make that secure, not if they couldn't back out most of the design and do it over.

    2. Re:This is so 90's by jmkrtyuio · · Score: 1

      Happens to be you are wrong.

      With top notch admin on both systems you are still far more likely to get nailed on windows than linux.

      Just repeat above statement but substitute openbsd for linux and now the entire premise of your post looks ridiculous.

      Software development methodology makes all the difference, all else being equal. Including admin expertise.

      All admins know this. A sow's ear only goes so far in creating silk purses.

    3. Re:This is so 90's by NatteringNabob · · Score: 1

      And here I just posted elsewhere that Win Server security was getting to be almost OK. You contradict yourself in this post. First you state that all OSes are alike from a security point of view, and then you state that Linux and Windows are so different, they can't be compared. Which is it? The problem is that both statements are false.

      There are certainly differences in the ability to secure an operating system, and in fact there are reams of US military documents devoted to classifying systems by security capabilities. According to you, they are all equally secure.

      W/R/T the functionality of Windows vs Linux, they both run databases, they both run mail servers, they both run identity services, they both run file services, and on, and on, and on. The internal implementations are completely different, but the systems are used for largely the same purposes, and in the case of Java programs, even the code is the same.

      The reality is that for better or worse, primarily because of the success of TCP/IP, every server operating system is essentially a Unix variant. Microsoft is still playing the Unix fragmentation game by trying to introduce gratuitously incompatible features, and this is a game that they will eventually lose just as all the other proprietary Unix vendors are losing.

  186. "Working on making Windows secure " by Anonymous Coward · · Score: 0

    Further in the news:

    In the bold move of enhancing users' experience and security, MS announces that from now on MS will not release any security patches. In this way Windows will become the most secure OS ever.

  187. A Good Laugh by Efialtis · · Score: 1

    Hmmm, lets see...

    WINDOWS XP PRO
    Secunia advisories rated Highly critical
    Currently, 21 out of 87 Secunia advisories are marked as "Unpatched" in the Secunia database.

    RH LINUX
    0 Secunia advisories
    Currently, 0 out of 133 Secunia advisories

    So, is Windows more secure than Linux?
    The answer is right in front of you...

    What kills me is, with Linux, you can have a patch in days, with Windows, you get your patch in weeks, or months...

    --
    --E--
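Posts 178, 179 and 187 above make the same point from different angles: a patch count says little unless you also know how many vulnerabilities each patch covers, how many advisories are still open, and how long each hole stayed open. The script below is an added example, not part of the original thread and not Secunia's or any vendor's data; it computes those metrics over a constructed advisory set, and the product names ("os-a", "os-b"), advisory ids and vulnerability ids are placeholders. It shows how the ranking flips depending on which metric you pick: one product "wins" on fewest patches while losing on days of risk and unpatched share.

```python
"""Advisory metrics: why counting patches says less than counting vulnerabilities.

Added example with constructed data; the product names, advisory ids and
vulnerability ids below are placeholders, not vendor or Secunia records.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    product: str
    advisory_id: str           # constructed placeholder id
    vuln_ids: Tuple[str, ...]  # constructed placeholder vulnerability ids
    disclosed: date            # public disclosure date
    patched: Optional[date]    # None means still unpatched as of `today`


# Constructed sample: "os-a" ships few bulletins that each bundle several
# vulnerabilities; "os-b" ships one small update per vulnerability.
ADVISORIES: List[Advisory] = [
    Advisory("os-a", "A-01", ("V-1", "V-2", "V-3"), date(2005, 1, 10), date(2005, 2, 8)),
    Advisory("os-a", "A-02", ("V-4", "V-5"), date(2005, 1, 20), date(2005, 2, 8)),
    Advisory("os-a", "A-03", ("V-6",), date(2005, 2, 1), None),
    Advisory("os-b", "B-01", ("V-7",), date(2005, 1, 5), date(2005, 1, 7)),
    Advisory("os-b", "B-02", ("V-8",), date(2005, 1, 12), date(2005, 1, 13)),
    Advisory("os-b", "B-03", ("V-9",), date(2005, 1, 20), date(2005, 1, 25)),
    Advisory("os-b", "B-04", ("V-10",), date(2005, 2, 10), date(2005, 2, 12)),
    Advisory("os-b", "B-05", ("V-11",), date(2005, 2, 20), date(2005, 2, 21)),
]

TODAY = date(2005, 3, 1)  # constructed "as of" date for still-open exposures


def product_metrics(advisories: List[Advisory], product: str,
                    today: date = TODAY) -> Dict[str, float]:
    """Patch count, distinct vulnerability count, unpatched share and median days of risk."""
    own = [a for a in advisories if a.product == product]
    if not own:
        raise ValueError(f"no advisories for {product!r}")
    vuln_ids = {v for a in own for v in a.vuln_ids}
    unpatched = [a for a in own if a.patched is None]
    # Days of risk is counted per vulnerability: a bulletin that closes three
    # bugs was three exposures, and an open bulletin is still accruing days.
    days_of_risk = [((a.patched or today) - a.disclosed).days
                    for a in own for _ in a.vuln_ids]
    return {
        "advisories": len(own),
        "vulnerabilities": len(vuln_ids),
        "unpatched_advisories": len(unpatched),
        "unpatched_share": len(unpatched) / len(own),
        "median_days_of_risk": median(days_of_risk),
    }


def rank_products(advisories: List[Advisory], key: str,
                  today: date = TODAY) -> List[str]:
    """Products ordered best-first (lowest value of the chosen metric first)."""
    products = sorted({a.product for a in advisories})
    return sorted(products, key=lambda p: product_metrics(advisories, p, today)[key])


if __name__ == "__main__":
    for product in sorted({a.product for a in ADVISORIES}):
        print(product, product_metrics(ADVISORIES, product))
    print("fewest patches first:       ", rank_products(ADVISORIES, "advisories"))
    print("shortest days of risk first:", rank_products(ADVISORIES, "median_days_of_risk"))
```

On this constructed set "os-a" comes first when ranked by number of advisories (3 versus 5) but last on median days of risk and on unpatched share, which is exactly the distinction the posts above draw between counting patches and counting what each patch actually closes.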
  188. Remember "Hogan's Heros"? by Tablizer · · Score: 2, Funny

    "We have zero escapes!"

  189. Why so negative? by rseuhs · · Score: 1
    Unfortunately, my guess is most PHBs would think the former.

    Why is it that everybody is so pessimistic about that?

    Every time Microsoft badmouths Linux, more PHBs realize that this Linux thing can't be so bad when it's such a huge threat to Windows.

  190. Nothing better than... by MisterMoney · · Score: 1

    ...an article posted on Slashdot allowing an opportunity to bash Microsoft. We really don't hear enough MS bashing on /.

    yawn

    Nothing to see here.

  191. Microsoft Comment Moderation by cyberwiz01 · · Score: 0

    (+5 Funny)

  192. Microsoft's Chief Security Executive by Anonymous Coward · · Score: 0

    "Mike Nash, Microsoft's Chief Security Executive" aka "Mike Nash, MCSE". 'nuff said.

  193. Trial by fire by fdicostanzo · · Score: 2, Interesting

    OK, so his comments might be taken with a grain of salt. But it does give me an idea that may have implications for Linux/other OSes.

    Windows is currently getting attacked more because it is more popular. There are many people searching for ways to get at it. As they are successful, Windows (eventually) patches the problem and (theoretically) learns a little bit more about security.

    Linux et al. is not facing the same level of attack and therefore is not getting the same "education" about security. Granted, people are reviewing the code, but not as many as are attacking Windows and not, I would bet, with the same motivation as the Windows miscreants.

    What happens when/if Linux gains the same popularity and suddenly is found to be suffering from the same set of problems that Windows worked through years before? Perhaps, at that point, Windows might be considered more battle-hardened and thereby more "secure".

    fdc

    --
    Synergies are basically awesome, and they're even better when you leverage them. -PA
    1. Re:Trial by fire by gobbo · · Score: 1
      Windows is currently getting attacked more because it is more popular.

      Most of us who actually have to support such machines think that it is getting attacked more because it comes out of the box screaming "oh please, violate me!"--instead of gracefully starting services and opening ports only when really needed and with an element of real user control and caution. cf. OS X.

  194. It's all about patch management by zerofoo · · Score: 2, Insightful

    I don't care if a system has 10 patches a year or 10,000 patches a year. I need a way to distribute those patches easily.

    Red Hat has an OK system, but Microsoft has a nice tool (Software Update Services) that allows me to download the patches in one place and push them out to all the machines on my network. This will only get better when MS releases the next update to this tool (Windows Update Services).

    I haven't seen a similar thing from any of the linux vendors.

    Sure, there are tons of third party products to add this feature to Linux, but that's a pain - and it's another product to buy. Each distribution needs to find a way to centrally automate patch management and installation. This should be part of ANY linux distribution by default.

    -ted

    1. Re:It's all about patch management by asuffield · · Score: 2, Insightful

      Redhat has an OK system, but Microsoft has a nice tool (software update services) that allows me to download the patches in one place and push them out to all the machines on my network. This will only get better when MS releases the next update to this tool (windows update services).

      I haven't seen a similar thing from any of the linux vendors.


      You tell your sysadmin, and he sets it up. This sort of thing is utterly trivial for a unix sysadmin. That's what you're paying him for. The vendors don't bother to include useless fluff like that.

    2. Re:It's all about patch management by thinkninja · · Score: 2, Informative

      Yeah, it's a piece of piss to setup a local repository on a server and then point all the other machines to update from that, and you'll find the tools (e.g. apt-move) to do this in your favourite distro :)

      GP is Yet Another Silly Windows Cluebie (YASWC).

      --
      "The number of Unix installations has grown to ten, with more expected." (Unix Programmer's Manual, 2nd ed.; june 1972)
    3. Re:It's all about patch management by MikeBabcock · · Score: 2, Insightful

      Please read the other responses before mine -- but this is one of the things that pisses me off about Windows Server. Microsoft makes an attempt to make serious decisions about your network or server trivial to do by an untrained employee.

      If you can't figure out how to script a remote update, you shouldn't be making the decisions about which updates to apply.

      For an example of triviality, run an hourly cron on a remote machine that does "rpm -Fvh /var/spool/updateonly/*.rpm" and then when you decide to send along an update, do "scp blah.rpm remote:/var/spool/updateonly/"

      (I recommend a separate directory for installations from updates -- some machines don't have an RPM installed and you don't want to -Uvh it and install it for no reason; also, make sure your configuration checks signatures).

      --
      - Michael T. Babcock (Yes, I blog)
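
The spool-directory approach above, carried through as an added example (this is not Michael Babcock's script, and the paths, the two-directory layout and the log file are assumptions): an hourly job that only lets rpm touch a package after `rpm -K` has verified its signature and digests, keeps freshen-only updates apart from new installs as the post recommends, and quarantines anything that fails the check instead of retrying it every hour.

```shell
#!/bin/sh
# Spool-directory updater: a worked version of the cron + scp approach above.
# Added example, not Michael Babcock's script. Paths and the two-directory
# layout are assumptions:
#   $SPOOL/updateonly/*.rpm  applied with rpm -F (freshen: only packages already installed)
#   $SPOOL/install/*.rpm     applied with rpm -U (install or upgrade)
# Every package must pass rpm -K (signature and digest check) before rpm
# installs it; failures are quarantined in $SPOOL/rejected rather than retried
# every hour, and everything is logged.
SPOOL="${SPOOL:-/var/spool/updates}"
LOG="${LOG:-/var/log/spool-update.log}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >>"$LOG"; }

# verify_package FILE: 0 if rpm verifies the signature and digests, 1 otherwise.
# rpm -K also fails when the signing key is not in the rpm keyring, so a key
# that was never imported (rpm --import) rejects the package instead of passing it.
verify_package() {
    rpm -K "$1" >/dev/null 2>&1
}

# process_dir DIR FLAG: FLAG is -F (freshen) or -U (upgrade/install).
# Prints the name of each package it applied and returns 1 if any install failed.
process_dir() {
    dir="$1"; flag="$2"; rc=0
    [ -d "$dir" ] || return 0
    mkdir -p "$SPOOL/rejected" "$SPOOL/applied"
    for pkg in "$dir"/*.rpm; do
        [ -e "$pkg" ] || continue          # nothing in the spool this hour
        name=$(basename "$pkg")
        if ! verify_package "$pkg"; then
            log "REJECT $name: signature/digest check failed"
            mv "$pkg" "$SPOOL/rejected/"
            continue
        fi
        if rpm "$flag" -vh "$pkg" >>"$LOG" 2>&1; then
            log "APPLIED $name ($flag)"
            mv "$pkg" "$SPOOL/applied/"
            echo "$name"
        else
            log "FAILED $name: rpm $flag exited non-zero, left in place"
            rc=1
        fi
    done
    return $rc
}

run_all() {
    process_dir "$SPOOL/updateonly" -F
    process_dir "$SPOOL/install" -U
}

# Hourly crontab entry (assumed install path):
#   0 * * * * /usr/local/sbin/spool-update.sh --run
if [ "${1:-}" = "--run" ]; then
    run_all
fi
```

Pushing an update is then the same `scp blah.rpm remote:/var/spool/updates/updateonly/` as in the post; a package signed with a key the target has never imported lands in `rejected/` with a log line rather than being installed, which is the check the parenthetical asks for.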
    4. Re:It's all about patch management by Oriumpor · · Score: 2, Informative

      ssh trustixbox.localnet -lnonroot
      su
      swup --upgrade --silent;swup --install swupcron

      ssh debianbox.localnet -lnonroot
      su
      echo apt-get upgrade>>/etc/cron.daily/aptupdate

      yeah so it's not ideal, but it's automatic.

    5. Re:It's all about patch management by Anonymous Coward · · Score: 1, Informative

      You can buy this from Red Hat. You've been able to buy it from Red Hat for years. It's called Red Hat Network and it's part of all their commercial Linux offerings (might be optional on the cheap stuff). You will need to pay extra if you want to manage all this locally (ie without client machines having Internet access).

      It lets you tell individual machines, groups of machines or all the machines to install the patches, allows you to schedule the install (so you can do 5000 workstations during an at-risk period) and you control all this from any machine with a web browser.

      Click... "Hmm, all 500 workstations have outstanding security fixes", click "Looks like there's an upgrade to the PDF viewer", click "I'll schedule that for tonight", click "Yes, I really want to do that", click, "Great, now back to some real work", close browser tab.

      It also manages hardware inventory, does rollbacks, and has lots of other sweet features.

    6. Re:It's all about patch management by Jon+Howard · · Score: 1

      Jesus H Christ, man! Read the damn dox for Apt, sometime! I'm not posting flamebait or trolling, this guy posted some massive ignorance. Think about this: It's as easy as adding a single option line to the /etc/apt/apt.conf file on the "update server" and putting a link to your apt repository (in /etc/apt/sources.list) on all the client machines that will feed from it! No more, no less. One line on the server, one line on the host. You might want to schedule an update/download task on the clients, to keep them synced to the server (presuming you test on a testbed platform before updating the server, that is; and that would be good practice for Windows as well)... that's one more line added to root's crontab. So, at most we're talking 2 lines for each client PC. I've written more than you will need to type on them in this message - they'll all use the same 2 lines!

  195. HAHA by Daytona955i · · Score: 0, Troll

    What did you expect? Microsoft's security chief to say that linux is more secure?

  196. Re:This is why I use Linux.. by Creedo · · Score: 1

    If you're doing web browsing on your server then you should expect nothing but bad things to happen.

    That is so screwed up, I can hardly understand it. Are you REALLY so conditioned to security holes that this is an expected outcome?

    --
    All that is necessary for the triumph of good is that evil men do nothing.
  197. Roll call, sound off.... by MarkusQ · · Score: 1
    yeah, respond to this post if *you* or *someone you know* is actually engaged in testing Linux software at the code level.

    One (me).

    And at least two others that I know in meatspace...

    --MarkusQ

  198. I'm not sure what impresses me the most... by automatic_jack · · Score: 1

    1. That every time anyone says anything about one OS being more secure than another, especially Windows vs. Linux, Slashdot thinks this is front-page news.
    2. That every time such a story MAKES the front page, thousands of people post comments.
    3. That many of those comments obviously took more than five minutes to write.

    Who the christ cares what so and so says about the security of one OS over another? Particularly when the two are Windows and Linux, and particularly when the party making the statement is completely biased! This isn't news for nerds! This isn't "what IT is!" This is stupid FUD that no one should care about!

    Of course, my statement isn't any more original than the ones the original post is referring to. Isn't irony fun?

    --

    -- Have you ever noticed that at trade shows, Microsoft is always the company that is handing out stress balls?

  199. but seriously... by krayfx · · Score: 1

    ... can any MS product be connected to a dsl connection - without any third party firewall, anti-spyware, or antivirus ? this is the important question.

  200. Rhetorical question by Anonymous Coward · · Score: 0

    What network services are turned on in the default install?

    1. Re:Rhetorical question by Coryoth · · Score: 1

      I've always wanted to see a Linux distribution that doesn't include network or modem drivers in its default kernel. It can then happily proclaim "No remote holes in the default install EVER. period."

      Jedidiah.

  201. Oh Come On, Moderators! by Anonymous Coward · · Score: 0

    This guy is a troll! A very good one, perhaps, but nonetheless a troll.

  202. OS .vs. Apps by bitswapper · · Score: 1

    Hmm..

    When counting vulnerabilities and patches for its software, the OS and the Apps are counted separately.

    When in front of a federal judge, some of the Apps and the OS are counted as being together.

    Hmm..

    1. Re:OS .vs. Apps by SenFo · · Score: 1

      No, when counting Microsoft products, they're separate. When counting open source software, together.

  203. Slackers!!! by Anonymous Coward · · Score: 0

    Maybe if they patched more often, I wouldn't have to run the virus checker that often! Amazing how they are trying to get credit for slacking off!

  204. Very True! But get rid of this guy... by Anonymous Coward · · Score: 0

    The wording is true, Windows 2003 does have fewer security bugs than a linux distro like redhat or suse. But you never got an education if you think you can compare the two. Apparently MS's own security chief is one who didn't get educated, evidenced by the fact that he cannot count, his own site reveals the lie:

    There are 35 security advisories on their site for the last year in 2003 server gold.
    http://www.microsoft.com/technet/security/current.aspx

    What about the count of bugs fixed in all the other microsoft products that install on Win2003? And all the other products in existence that other companies provide for 2003 server with Windows 2003 certification. And add in those that are undisclosed, or found internally by Microsoft. You would have to include those in a windows vs. linux "distro" comparison.

    Then we get the truth, and find that popular linux distros have fewer security bugs, and they didn't have to send out a dummy to lie to us in the press.

  205. Nash by chuckw · · Score: 1

    "No one fucks with de Nash!"

    For the humor impaired, check here.

    --
    *Condense fact from the vapor of nuance*
  206. Big difference by Andy+Dodd · · Score: 4, Insightful

    We can choose which of the "bundled" apps to install.

    Windows users can't without jumping through MAJOR hoops. (Microsoft claims it is not possible at all, but software like Win98Lite showed people otherwise).

    Windows - We cannot install Windows without installing IE.

    RedHat, Gentoo, whatever - Lynx, Galeon, Firefox, Mozilla - What browser do you want to use today? Or maybe you don't want any at all! You can make that choice.

    --
    retrorocket.o not found, launch anyway?
  207. Yes, it's apples and oranges - not that simple by Craig+Ringer · · Score: 1

    Many here have happily pointed out the 'apples/oranges' comparison between a large Linux distro and Windows. The differing nature of most of the holes - largely theoretical local exploits vs largely gaping remote holes - has also been pointed out.

    One thing that nobody seems to realize is that the fact that Windows is small and that other functionality is in separate products may, from a security point of view, be a good thing. It certainly makes it easier to keep track of what you're using (though it'd be nice if the "other products" would integrate with the OS's security update mechanism - grr).

    In a large outfit, I could see real advantages to having a cut-down desktop-only build of a distro for exactly this reason.

    Similarly, a server distro where the "tasks" were packaged separately might be useful. This server "isn't a database server" so you don't have to worry about the DB related stuff, etc.

    Taking a Debian-like install-less-by-default idea is probably also wise.

    That said, half the security advisories I get from Debian are for tiny utilities I've never even heard of, and for games. Usually they're local exploits for things like race conditions and temporary file issues. Yes, they should be patched. Yes, they probably merit a security notice. No, they're not the same as (another) remote root hole in sendmail.

    Perhaps distributors could start making it easier to evaluate security issues by sorting them based on whether the package is installed by default or not, whether it's widely used or not and whether the exploit is remote or local. It wouldn't hurt to clearly show whether the hole may lead to a root compromise, normal user account compromise, data leak, etc. This information is usually all there already ... but providing it in a computer readable, standardized form wouldn't hurt when compiling statistics, and might reduce the use of "blah patches".
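
The "computer readable, standardized form" the post asks for, worked through as an added example (not Craig Ringer's code, and not any distributor's real advisory feed): a constructed tab-separated feed with the fields the post lists, a scoring function that puts remote reachability ahead of impact and exposure breadth, and a triage step that sorts the feed so a remote root hole in a default-installed daemon comes out on top and a local race in a game sinks to the bottom. The column schema, the package rows and the weights are all assumptions.

```shell
#!/bin/sh
# Advisory triage over a machine-readable feed. Added example, not the post's
# or any distributor's code. Hypothetical schema, one advisory per line,
# tab-separated:
#   package  default-install(yes|no)  widely-used(yes|no)  vector(remote|local)  impact(root|user|leak|dos)

# Constructed sample feed; these rows are illustrative, not real advisories.
SAMPLE_FEED=$(printf '%s\n' \
    'sendmail	yes	yes	remote	root' \
    'lskat	no	no	local	user' \
    'tmpreaper	no	no	local	root' \
    'openssh	yes	yes	remote	user' \
    'xpdf	no	yes	local	user' \
    'bind9	yes	yes	remote	dos' | tr -s ' ' '\t')

# score VECTOR IMPACT DEFAULT WIDELY -> numeric priority, higher = look first.
# Remote reachability dominates (100), impact is second (root 30, user 20,
# data leak 10, DoS 5), and breadth of exposure is a tie-breaker (3 for
# installed by default, 2 for widely used). The weights are assumptions.
score() {
    s=0
    if [ "$1" = remote ]; then s=$((s + 100)); fi
    case "$2" in
        root) s=$((s + 30));;
        user) s=$((s + 20));;
        leak) s=$((s + 10));;
        dos)  s=$((s + 5));;
    esac
    if [ "$3" = yes ]; then s=$((s + 3)); fi
    if [ "$4" = yes ]; then s=$((s + 2)); fi
    echo "$s"
}

# triage: reads the feed on stdin and prints "score package vector impact",
# highest score first, so the reader sees the remote root holes before the
# local-only bugs in utilities nobody installed.
triage() {
    tab=$(printf '\t')
    while IFS="$tab" read -r pkg dflt wide vec imp; do
        [ -n "$pkg" ] || continue
        printf '%s %s %s %s\n' "$(score "$vec" "$imp" "$dflt" "$wide")" "$pkg" "$vec" "$imp"
    done | sort -k1,1nr -k2,2
}

# top_advisory: name of the highest-ranked package in the sample feed.
top_advisory() {
    printf '%s\n' "$SAMPLE_FEED" | triage | head -n 1 | cut -d' ' -f2
}
```

With the sample rows, `printf '%s\n' "$SAMPLE_FEED" | triage` lists sendmail (135), openssh (125) and bind9 (110) first and the local game and tmpfile bugs last; the same statistics that count "78 vulnerabilities" as one number would, fed through this, separate the three remote issues from the rest.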

    1. Re:Yes, it's apples and oranges - not that simple by twistedcubic · · Score: 1

      One thing that nobody seems to realize is that the fact that Windows is small and that other functionality is in separate products may, from a security point of view, be a good thing.

      Actually, Linux is small, and the rest of a Linux operating system is provided by other small utilities. The problem is that what you mention, that Linux is seen as all the tools that people might run on it, while Windows Server is just kernel+gui+webserver. The MS guys know this-- they're just not saying. The OS people scream this, but nobody listens to them.

    2. Re:Yes, it's apples and oranges - not that simple by pe1chl · · Score: 1

      On a database server, you can install a quite small set of Linux packages, and keep it up to date for only those packages. This will reduce the number of unpatched vulnerabilities.

      On a Windows server, the first thing you need to install to download updates is Internet Explorer, and that also happens to be the source of the largest number of vulnerabilities on Windows (and is not counted in the 15).
      You also need many other things that you can omit on Linux, like the GUI.

  208. Well, as for me... by RicardoStaudt · · Score: 1

    I'm using Slackware here, and guess when I ever needed to patch my system.

  209. well no shit. by Anonymous Coward · · Score: 0

    Come on, what the hell else is the guy going to say?

    He WORKS for microsoft, he's going to defend the company (and its products) that puts food on his table.

    Didn't RTFA.

  210. Operating System vs. Everything by SenFo · · Score: 1

    This guy is showing just how stupid or ignorant he is. He failed to point out the most important fact of the entire study -- he's counting only OS updates for Windows yet counting everything patched for Linux. I can remember one or two security updates to the linux kernel last year. I say compare apples to apples next time or don't bother talking.

  211. Yesterday by DrXym · · Score: 1
    Yesterday I received 7 email viruses. And a similar number the day before that and the day before, etc. going back two years or more. I have to install a firewall on my machine before plugging it into the internet because I could be instantly rooted. I have to buy and run anti-virus software all the time and anti-spyware tools weekly to ensure that I haven't picked up something nasty. I can't use the MS supplied tools for email or web browsing because they are basically attack vectors.

    In short, if I used Microsoft Windows without protecting it with a whole bunch of 3rd party products and lots of diligence, it would be a steaming spyware infested heap at this moment. Which is clearly what a great number of machines are.

    Even protecting yourself is not perfect. First it costs money - maybe as much as the OS itself to protect it properly. And having to run all that software impacts machine performance. I would not be surprised if the anti-virus scanner alone eats up 5-15% of file performance all by itself.

    Anyone who claims Windows is safer than *any* other operating system clearly isn't living in the real world.

  212. Sybari Purchase by r00td43m0n · · Score: 1

    Why are they touting their purchase of Sybari? Linux has no need for a virus scan program and that is one of the biggest reasons it has better security.

  213. Dilbert by Shamashmuddamiq · · Score: 1
    It reminds me of the dilbert cartoon I saw where someone asked evil Catbert if he had heard any complaints about his department. He said, "I haven't listened to a single complaint."

    That's what I think of when I hear Micros~1 say, "but we've only patched 15 vulnerabilities!"

    --
    ...just my 2 gil.
  214. Laughs out loud by Jugalator · · Score: 1
    "Windows Server 2003's 15 patches in the past year are far less than what RedHat or SuSE have had to endure."

    :-D

    Microsoft Windows Server 2003 Edition
    Currently, 5 out of 44 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    Apple Macintosh OS X
    Currently, 3 out of 45 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    Red Hat Enterprise Linux ES 3
    Currently, 0 out of 133 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    SUSE Linux Enterprise Server 9
    Currently, 0 out of 21 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    This is almost too funny. Yeah, he's probably right, but talk about focusing on the wrong thing! When will Microsoft learn? It's the number of open exploits that matter for fucks sake. And no, the common "but Windows is so much more used so people don't report as many problems on Linux" defense apparently just malfunctioned as well. Sure, I use Windows XP at home, dual booted with Mepis Linux, but that's because I don't use it as a server and don't require the same kind of security.

    --
    Beware: In C++, your friends can see your privates!
  215. PROVE IT.... by Anonymous Coward · · Score: 0

    I'd like to see any one of you losers break IIS6 in a hosting environment and PROVE IT WAS YOU. Then tell me it's not secure.

  216. It is not LILO.... by einhverfr · · Score: 4, Informative

    Usually the make install of a new kernel reruns LILO anyway. I use LILO on some servers and GRUB on others.

    Usually a bigger issue is that you installed some critical service but forgot to enable it either by dropping symlinks into /etc/rc.d/ or using chkconfig.

    When one of my servers needs any new services installed or kernels patched, I actually schedule reboot testing. In fact essentially all of my reboots are due to this testing. It does cut into uptime but it means that when I need it, it will be up.

    --

    LedgerSMB: Open source Accounting/ERP
    1. Re:It is not LILO.... by wolf31o2 · · Score: 4, Insightful

      When one of my servers needs any new services installed or kernels patched, I actually schedule reboot testing. In fact essentially all of my reboots are due to this testing. It does cut into uptime but it means that when I need it, it will be up.

      Doesn't everyone do this? Are people really so adamant about having that stupid 300 day uptime that they don't bother doing any testing?

      I found the secret long ago that to maintain maximum customer-facing uptime, you never have a single server perform any task. Instead, you use multiple load-balanced servers, with enough redundancy and survivability to handle one server going down for a scheduled reboot. The uptime on the individual servers becomes nearly meaningless, as the service uptime is what is really important.

    2. Re:It is not LILO.... by einhverfr · · Score: 1

      Doesn't everyone do this? Are people really so adamant about having that stupid 300 day uptime that they don't bother doing any testing?

      I think it is laziness more than "l00k 4t my 1337 up7t1m3."

      The main reason to do the testing is that if you have, say a hardware failure which requires downtime to fix, and the system does not come up properly when you boot it, it is harder to troubleshoot when many things may have been changed, but the change that caused the problem occurred six months ago and has long been forgotten. If you test immediately with the changes fresh in your mind then it is easy to find and fix any problems.

      --

      LedgerSMB: Open source Accounting/ERP
    3. Re:It is not LILO.... by Xeleema · · Score: 1
      "l00k 4t my 1337 up7t1m3."

      Wtf is "up7t1m3"? Oh, where is the spelling nazi when he's needed most? :)
      --
      "When I am king, you will be first against the wall..."
    4. Re:It is not LILO.... by s0m3body · · Score: 2, Insightful

      i'd phrase it differently

      service uptime is what your customers pay for ;-)

  217. Security is in the eye of the beholder by punkrokk · · Score: 1

    If you know what is running in your corporate infrastructure and you are able to quantify this with tools to make your life easier, you will be fine. If you let your users go out and do whatever they want on the web, (free ipod, download music) then it's your own fault. There are so many layers to the network and so many ways to update and prevent 90% of spyware, anti-virus and exploits from happening it's sickening to just hear people just bitch about the state of things instead of taking that time and using it to make their current systems more secure, virus resistant, etc. Why is this so hard? If you are a network admin and you are intimate with your network like you should be, then all the discussion about patch management is moot because it's just another tool to help you do your job. If you whine about the tools out there, instead of using the best stuff you can get your hands on, then you'll lose. Take what you have and use it. I'm not really sure what the "most secure" OS that's out there is, but I do know, faced with my current infrastructure, that I know what's going on within my network, and have put the necessary tools in place to make sure that my patching is done, my AV is up to date, and have reports of suspicious activities. Now that I automated most of this for free.... I can spend my time on other problems that haven't been solved yet. What frustrates me is that just because windows isn't 100% secure, people complain, instead of using their knowledge and skills to make it better with what's available now.

    --
    JP
  218. prehyping by j1bb3rj4bb3r · · Score: 1

    This could just be rhetoric to boost Bill Gates' upcoming speech at the RSA Conference next week... called "Security: Raising the Bar".

    Honestly, I almost spat my coffee out when I read it.

    --
    *yawn*
  219. No f'ing way! by EmagGeek · · Score: 1

    MS says MS is safer than Linux? I never would have guessed that in a million years...

  220. You need to configure this option... by PenguiN42 · · Score: 4, Funny

    See screenshot: here

    HTH.

    --
    The following sentence is true. The preceding sentence was false.
  221. Let them keep talking by Luscious868 · · Score: 1

    It only helps open source and alternative platforms (like Macs). MS can spout on all day long about how secure their products are, meanwhile the average user who is stuck using their products is having an entirely different experience. Sooner or later, people will begin to ask, isn't there a better way?

  222. People still don't get it by novakane007 · · Score: 2, Informative

    There is this classic confusion about classifying bugs. There is a fundamental difference between "linux" patches, as they call them, and kernel patches. The linux core has a relatively low number of security flaws. Even when they do, the severity of the patch is far lower since most bugs won't give you root level access. Unlike the windows bugs that typically will give you root/administrator rights. The distributions may have a lot more bugs, but they also include thousands of open source applications.
    If you want to compare bug numbers, it's only realistic when you count the number of bugs in the kernel compared to the windows base OS.

    --

    WURD!!
  223. Thanks be to Microsoft by RayDude · · Score: 0

    For without Microsoft we would have been ignorant of how bad it could be. Think about it. If Microsoft security weren't as easily exploited as it is, developers would never have started thinking about security in the way that they now do. The internet was naive. EMAIL and TCP/IP weren't designed to be secure or trace-able because no one considered the possibility that someone would want to harm others. Because Microsoft was the first to get big, they became the first target for the nasties. And because they were the first to get whacked, the security of Linux, OSX, and other operating systems are being greatly improved before it becomes an issue for them. It could be argued that linux, OSX or FreeBSD would never have as many security issues as Windows did in the beginning, and that may be true, but Java, for example, is a universal application and I'm certain it is more secure now because of Microsoft's example of what not to do with system security. I honestly believe that Microsoft's growing pains have greatly benefited us all and thank god they have the deep pockets to pay for it. So here's to Microsoft! Salute! Raydude

  224. Lots of good comments but does anybody know this? by Tired+and+Emotional · · Score: 1
    There's been lots of comments about not comparing like with like and the question of finding problems by code review or test versus actual failures.

    But one could also look at the trend lines. That will allow one to estimate what percentage of vulnerabilities have been fixed for each platform. Then one could compare those two numbers. That will somewhat reduce the effect of not comparing like with like, although you could get an artifact due to Microsoft bundling increasing numbers of patches in order to meet a patch release schedule (I don't know what their policy on bundling is).

    --
    Squirrel!
  225. "He also mentioned... by rnturn · · Score: 1

    ``... the recent purchase of Sybari and their Antivirus product.''

    Which is important because, as everyone knows, security is a product. And now Microsoft offers more security than other vendors.

    (Now excuse me while I go and gouge out my eyes after having read this article.)

    --
    CUR ALLOC 20195.....5804M
  226. Re:This is why I use Linux.. by blanks · · Score: 1

    My point was that if your servers are so accessible that people are browsing the net on them, or you are using your servers for your own personal activities, then you deserve what happens to you.

    Or more to the point, WTF are you doing browsing websites on your server(s) anyway? This is the same as saying that your server is exploitable via an Outlook exploit because you check your mail on your server.

    Now if you're talking about home servers, or non "mission critical" servers, then who cares; I'm talking about servers in a work/business environment.

    From my experience, anyone who takes their job seriously would never use their servers to browse random websites; in fact they log onto their servers as little as possible. But then again they also don't use their servers to play games, check email, etc.

  227. Already done by Anonymous Coward · · Score: 0

    Dude, where have you been since this occurred?

    It wasn't THAT long ago, so I won't really hold it against you.

  228. Microsoft is using open source technologies. by sylware · · Score: 1

    What we should care about is Microsoft's communication department. Anybody that has computer skills and knowledge knows that Microsoft is technically *out*... but not the average joe. So the only ways Microsoft has left in order to not be too ridiculous are dishonest communication, demagogy and legal attacks. Microsoft is improving because it's using/copying open source technologies. For instance, download the Microsoft Platform SDK of February 2003, and in the objbase.h header you will find some perl code! This kind of declaration is an insult to intelligence.

  229. Bottom Line by Anonymous Coward · · Score: 0

    Windows + Lusers = Garbage
    Linux + Lusers = Garbage

    Windows is MORE DIFFICULT for any user to patch because it isn't as secure or well-built out of the box, but an idiot with a Linux distro can still create a mess.

    "(Atomic) bombs are nothing. Give an ape enough uranium and you will get a bomb." -- unknown from Los Alamos

  230. And in other news by Anonymous Coward · · Score: 1, Funny

    Satan has announced that Hell is really much nicer than Heaven.

  231. Windows is definitely more secure by IBeatUpNerds · · Score: 0, Redundant

    Windows is definitely more secure. I patch whenever necessary and have never had a problem! I love Microso

  232. Reboot Now or I will taunt you again! by ps_inkling · · Score: 2, Informative
    Speaking of windows losing focus...

    This week's set of Windows patches requires the machine to reboot. I'm about to give a presentation, so I click on the 'Reboot Later' button. Ten minutes into the presentation, the full-screen presentation reverts to window-sized, and the 'You need to reboot' message pops up again.

    Yes, you can drag the window off to the left or right of the screen so that it doesn't annoy, but how many users know to do that? Clicking 'Later' makes the box go away for a while (or click 'Now' and lose what you were doing, oops). There is no preference to make the delay longer, or not pop up at all.

    The issues addressed in the parent are easily solved. The 'Reboot Now' message is not. I'll reboot when I'm good and ready, and not a moment before, so stop bothering me!

  233. And in other news.... by Wangstas · · Score: 1

    HP's CIO declared that HP's products were better than IBM's.... What do you really expect the Chief Security Exec to say... another well picked story by the ./ group.

    1. Re:And in other news.... by Lisandro · · Score: 1

      I was just going to post the same, even though it'd end up buried at the bottom of the page.

      Can we *please* drop these stories? "Bill Gates said Windows is good, how dare he!". Sorry, but it's not different from Linus defending Linux, RMS defending Hurd, Steve Jobs defending OSX, or the BSD guys defending their OS.
      Microsoft is doing marketing. That's what they're best at. Don't like it? Fine, look the other way instead of scandalizing yourself every week with a similar story (not you, Wangstas :) ).

      Please, let's just drop it. The anti-Microsoft bias of some people here is becoming annoying.

  234. Doesn't this remind you of... by splerdu · · Score: 1

    ...one of our old friends?

    Pre-emptive mod: -1 Redundant (no I didn't bother reading any previous posts)

  235. patches != security by Anonymous Coward · · Score: 0

    Sad, very sad. The number of patches is not a measure of security, the actual exploits over a given time is. These guys are seriously deluded.

  236. Day late, different topic by Anonymous Coward · · Score: 0

    This entry would be better placed here.

  237. In other news..... by Anonymous Coward · · Score: 0

    DeMaurier declares smoking is not hazardous to your health.

    McDonalds says their food is not bad for you, will not cause obesity.

    Other completely-biased research shows that corporation that funded their research is indeed a good company.

    You get the idea...

  238. I don't want to get political, but... by Glowing+Fish · · Score: 0, Troll

    I don't like to get political, but this reminds me so much of the Bush administration. It's not the politics of the Bush administration that bothers me (I don't like their politics, but I can disagree with people without thinking they are corrupt), it's the fact that they can have repeated failures, and still with a straight face claim that they have a success. How big does the debt have to get, and how many people in Iraq have to die, before Bush & Co. admit that perhaps they made some mistakes?


    Same thing with Microsoft. If they can say with a straight face that Windows is more secure than Linux, how big of a disaster has to happen before they realize the real situation?

    --
    Hopefully I didn't put any [] around my words.
  239. A big difference by einhverfr · · Score: 2, Interesting

    IANAL, IAAFMSE (I am a former Microsoft Employee), etc... Microsoft has been shown in court (in the EU at least, iirc) to bundle software with their system in order to damage competitors, especially those which threaten their monopoly or in areas where they want to extend their monopoly. For example, Internet Explorer to kill Netscape, Media Player to kill Real. If they can control these core areas, then people will be locked into their system.

    This was NOT the case with the Windows Firewall (which is poorly designed anyway and will never be a real firewall product-- even though it is stateful, ipchains was far superior to it). But many of us questioned it simply because of Microsoft's anticompetitive track record.

    Now, compare that to the pro-competitive nature of Linux app bundling.... With Fedora, I can install KDE, GNOME, and/or KDE if I want. Which browser do I want today? Do I want any? Which email program do I want today? Should I use elvis, vim, or emacs? This bundled software encourages competition between the external communities and drives all the distros forward.

    I don't have a complaint with bundling as such. What I and many others complain about is how Microsoft tries to lock users into their system. Such a lock-in does not exist in the Linux world among distros composed entirely of Free Software.

    --

    LedgerSMB: Open source Accounting/ERP
  240. Not News by Anonymous Coward · · Score: 0

    What else would the MS Security Chief say?

    If he said that Linux is more secure than Windows, that would be news!

  241. Wow.. Unbelievable by twzop · · Score: 1

    Of course he will say that Microsoft's OS's are more secure. He works for the company and is in charge of that part of it. He would be crazy to say otherwise. On a personal note, none of the OS's are airtight with security. If you can make it, you can break it.

  242. Re:This is why I use Linux.. by Anonymous Coward · · Score: 0

    oh, browsing on a mission critical microsoft server in an enterprise environment...

    hmmm.. well, what if youre running microsofts terminal server (i think thats what its called), or citrix, where /everything/ is in fact running on the server (web browsing, mail clients, office suite, etc) -- not on the workstation...

    to me, it sounds like youd be absolutely stuffed in this situation -- but then maybe i am missing something here....

    thanks!

    (apologies for lack of single quotes and question marks, this damn pc has a spanish keyboard mapping with a uk keyboard)

  243. SCO is even better by Anonymous Coward · · Score: 1, Funny

    SCO has fixed 0 vulnerabilities in the last year

    Microsoft has fixed 15.

    SCO is flawless...

  244. Yeah...but... by xeon4life · · Score: 1

    Windows XP is four years old.

    --
    Real programmers can write assembly code in any language. -- Larry Wall
  245. Yes. by rhizome · · Score: 1

    MS is making progress on security using any reasonable metric, so if you don't think Windows is secure then you're being unreasonable.

    --
    When I was a kid, we only had one Darth.
  246. happened before! by x_codingmonkey_x · · Score: 1
    Agreed. Windows comes with less software and provides patches for only a few of them (mainly the core OS, IE, etc.) while Linux distros usually come with tons of software packages and provide patches for all of them. But this isn't a new claim. In M$'s Get The Facts campaign they had one article done by Forrester about Windows being more secure than Linux based on patch counts.

    My question is how do they get away with this? Isn't this considered false advertisement in a sense? And how does the Linux community react to this FUD (I have seen some reaction from Novell but nothing to the extent of M$)?

  247. ViruSpyware? by Anonymous Coward · · Score: 0

    Let's see, to keep my Windows system safe I have to install:
    1. Anti-virus software.
    2. Anti-spyware software.
    3. An 'alternative' web-browser.
    4. An 'alternative' e-mail client.

    To keep my Linux system safe I have to install:
    1. No anti-virus software.
    2. No anti-spyware software.
    3. No additional web-browser (whatever is installed is typically safe to surf the web with).
    4. No additional e-mail client (whatever is installed is typically safe to read e-mail with).

  248. Re:This is why I use Linux.. by Creedo · · Score: 1

    And my point is, it is pathetic to have to assume that your machine will be compromised for running a user-space application. I routinely download patches for applications from the server they are going on. That requires firing up a web browser. The difference, perhaps, is that I do that from Mac OSX and Linux machines. Provided I am not doing something like running the browser as root, I do not fear a compromise.
    Call me lax, but I've never had a compromise in 10+ years.

    --
    All that is necessary for the triumph of good is that evil men do nothing.
  249. Yep. Reboots are faster now by Anonymous Coward · · Score: 0

    It's not like you need to reboot windows very often.

  250. How about Unpatched Vulnerabilities? by jmkrtyuio · · Score: 1

    According to secunia NT4, XP Pro, Win2k, Win2k3 ALL have unpatched vulns. SLES9 RHES3 have 0.

    And check this out. Debian Linux 3 (woody)
    "Currently, 3 out of 488 Secunia advisories, is marked as "Unpatched" in the Secunia database."

    Everybody can patch better than microsoft it seems. Even a 3 year old distro with almost every piece of software under the sun.

    And they don't make you wait up to a month for the patches either. And the patches are open source. And you could have patched the software yourself even earlier than your vendor. Try doing that with MS junk. And all these numbers don't take into account the high probability that more open source bugs are uncovered quicker than closed source counterparts.

    You dont really expect us to believe that MS code quality is so much higher than FOSS do you? Tell it to Coverity.

    That means that if the code quality is about equal, there are X more UNKNOWN vulns out there for closed source wincrap than for FOSS. Unknown to you and me, but possibly well known to many of the nasties out there and likely MS as well.

    The simple conclusion is that not only does open source have a much higher potential for security, it actually has higher security.

    This is the rule of thumb. Whatever MS says about Linux should be deemed as credible as what the Iraqi Information Minister had to say.

    In fact they should just shut up. Let me hear from coverity about studies done on MS code before I hear any more patch number quotes.

  251. You are incorrect. by Anonymous Coward · · Score: 0

    The patch for the vulnerability that the blaster worm exploited came within 24 hours of the worm's analysis. Not before.

    You are thinking of Sasser, which exploited a vulnerability which had a patch 25-30 days before the first variation of Sasser was written.

    1. Re:You are incorrect. by Shkuey · · Score: 1

      Microsoft patched the blaster vulnerability on July 17th, 2003. Link: here

      Blaster security bulletin was posted on August 11th, 2003. Link: here

      By my calculations, that puts the patch almost four weeks ahead of the worm.

  252. What?... by fudgefactor7 · · Score: 1

    ...No mention of the C2 Orange Book certifications that Windows has and no Linux version does? I'm ashamed of you MS, you're slipping.

  253. challenge by Anonymous Coward · · Score: 0

    Ok smart boy from microsoft... you harden a windows server 2003, I'll harden linux.

    Put a webserver and a database on each, and hang them both naked on the internet, with nothing but a router in front of them, in the same ISP, announce it to the world, and lets see which one lasts longer. That will show which is more secure.

    Until this happens, I think I'll keep my linux boxes, TYVM.

    l8,
    AC

  254. I installed 10 security updates today on XP - NT- by Anonymous Coward · · Score: 0

    -NT-

  255. They are the most secure? by natedgreat · · Score: 1

    Ok, Microsoft in all their brilliant dreams claims to release fewer patches than Linux... Now let's even the playing field. Let's take a look at all the patches for the Linux O/S versus Win2k3, 0 vs 15. When we take a look at all the patches that MS deployed for all their products including Office, IIS, and Win2k3 and the like, MS has a release of about 4 to 1 over Linux. I guess some people have a price tag on their credibility. On another note, MS is on a monthly patch release schedule. How many months are in a year? What calendar are they looking at?

  256. Frustrating by Anonymous Coward · · Score: 0

    Statements like this are frustrating, not for people who have followed the long, yet secure history of using MS products, but to the people who actually administer these systems (this on top of the burden of HAVING to administer Windows systems). Whenever something like this is spewed, historically there is an influx of people out to "prove" him wrong and creates more work for us. I just think making statements like this is incredibly irresponsible. Let the product speak for itself!

  257. sure by suezz · · Score: 1

    sure it is and sco has evidence.

  258. amazing by cenobyte40k · · Score: 1

    How much people want to bitch about the big guy. We run hundreds and hundreds of MS servers here at work, all of our external facing servers are MS (Mostly win2k) with a little bit of time and effort we have managed to never be hacked in the 8 years I have been working here while getting several million hits a day. As to patch numbers, it was silly for MS to do apples to peaches like that but lets be honest. Linux distros release as many critical patches as MS does each year. As to those that love to pull out the 'security through obfuscation' line seem to always forget that the biggest target is the one that gets attacked. So when speaking of Linux maybe we could call it 'security through being unused' or 'security through being a small target'. What are they going to do when Linux really does become a big player and the hackers and script kiddies really go after linux? Why can't you guys just settle with the idea that MS has improved their security and stability to the point where they easily match or beat just about any OS out there? Sure it took them longer than it should have but you really should stop bashing on MS for products no one uses anymore and is totally out of date. (Last I checked the Ford T was not much of a car in today's market)

  259. This Just in by NatteringNabob · · Score: 1

    Dog bites Man! Details at 11. Really, what does anybody expect the guy to say? There was bound to be some metric out there that could be twisted to show that Windows is more secure than Linux, and it is Mike Nash's job to find it and promote it. Nobody likes Windows less than I do, but the server version has made a lot of progress w/r/t to security. It still isn't good, but it is better than it used to be.

    You would still have to be a complete idiot to think that Windows Server represents a good IT investment. Even if it was just as secure as Linux, and it isn't, it is wildly more expensive and feature poor. Desktop Windows has the advantage of driver and application availability over Linux. Both are valid, though overrated points. That isn't true on the server side. The application availability is roughly the same, and the number of weird devices is low.

    There are good reasons that Linux has a much higher growth rate than Windows in the server market, so Mr. Nash has his work cut out for him.

  260. trusted sites infected... by Frogg · · Score: 1

    >> And IE exploits run from non trusted sites

    not necessarily the case...
    http://www.eweek.com/article2/0,1759,1617233,00.asp

    at the time, there was some dispute as to which 'high traffic sites' had been infected, as nobody who knew the names of these sites would actually come forward to name-and-shame them.

    unsurprisingly, there was a discussion right here about it:
    http://it.slashdot.org/article.pl?sid=04/07/20/2256242&tid=172&tid=95

  261. Another lawsuit needed... by Anonymous Coward · · Score: 0

    We'll see how their song changes, when someone sues them for blatant misrepresentation and false advertising.
    To the people it actually matters, PFFFT; who else are they trying to pull the wool over their eyes for? PHBs?
    Probably. It's still wrong. Sue.
    See SCO suit.. they can't prove their claims, now we're just awaiting the damage is.

    Companies should not be allowed to mislead people with false claims, just because they, somehow in their own twisted way, believe it so.

    AC

  262. Let's Be Clear About This by Master+of+Transhuman · · Score: 0, Troll


    Microsoft is composed of a bunch of lying sacks of shit. ANY public - or blog - statement made by ANY Microsoft employee is about as reliable as something coming out of the mouth of Bush. It's not only a falsehood, it's a deliberate lie made by people who don't give a damn what anybody else thinks about them or the messes they've made because they are personally profiting from those messes.

    NO ONE at Microsoft gives a RAT'S ASS about security. Period.

    Bill Gates has NEVER cared about ANYTHING except sucking as much money out of other people's pockets (since his poker days at Harvard) as he can. He learned this from his lawyer father (the same one that runs his "charitable foundation" which exists for the sole purpose of concentrating influence over various corporations through investments.)

    The dweebs he has working (and speaking - including on /.) for him don't care about anything but their high salaries, stock options and bowing down to the richest guy in the world.

    The CIOs who buy his crap aren't concerned about anything but covering their asses to their bosses.
    "Nobody ever got fired for buying IBM^H^H^HMicrosoft."

    The /. trolls who praise Microsoft are incompetent punks who are indistinguishable from Microsoft employees - except they don't have the brains to even work for Microsoft (except for the actual Microsoft shills.)

    The bottom line is this: you're either a free man working for yourself, or you're a punk working for Microsoft.

    An ABC News article yesterday actually dared to raise the concept that Microsoft is dying. They have nothing left except a bloated, unfinishable OS called Longhorn - on which they're about to get shafted.

    And it's about time, too.

    Mod this troll, mod this flamebait! Is that all you got, huh? Are you nuts? Come at me!

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  263. Size matters by lewi · · Score: 1

    Which is more secure an OS with more small holes or an OS with large holes but fewer of them?

  264. Making progress... by cnelzie · · Score: 1

    ...and then stating "By any 'reasonable metric'" sort of clouds things to me.

    That is very similar to the Bush Administration talking about 'Sound Science' which is viewed, by many people, to mean Science that meets the predetermined policies envisioned by the Bush Administration.

    Therefore, it is important to determine what the definition of 'Reasonable Metric' actually means when being spoken by the speaker quoted in the original article. Just as it is important to know exactly what the Bush Administration means when it says 'Sound Science'.

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
  265. Questions for Mr Nash by petrus4 · · Score: 1

    Mr Nash, it's interesting that you claim Windows is more secure than Linux. Tell me, does Windows have...

    1) The ability to have the entire operating system compiled with the propolice buffer overflow protections, as well as libsafe, to guard against stack-smashing attacks?

    2) The ability to install the OpenBSD Project's OpenSSL directly into the system for both local and remote system logins, as well as password shadowing even if a person doesn't install OpenSSL as well?

    3) Close to a dozen different encryption algorithms optionally supported by the kernel?

    4) The ability, if a person is a software developer or programmer themselves, to personally audit *any* of the source code for security vulnerabilities?

    5) An extremely robust multi-user implementation built fundamentally into the operating system?

    6) Application configuration files whose format is completely transparent, plain text, rather than an obscure, binary-only database which is a virus-writer's dream with regards to hiding rogue processes, and which grows exponentially to the point where a user is forced to reinstall the entire system?

    Of course, I'm being cruel. These questions are rhetorical...I don't need to ask them really, because I already know the answer. Windows does not provide for any of these things. I would *never* personally install any product from Microsoft for use in commercial server-side networking, and I believe very emphatically that nobody else should either. Windows is good for client-side networking, graphical applications, and games...and for those uses, XP is reasonably decent. As far as server side networking and network security are concerned however, ALL of Microsoft's operating systems are critically flawed at a fundamental level. Microsoft initially specialised in developing a single-user operating system, and have, comparatively speaking, virtually no experience with the Internet whatsoever.

    Any claim that Windows is more secure at the network level than virtually *any* other operating system on the planet is a complete lie. It's that simple.

    1. Re:Questions for Mr Nash by superpulpsicle · · Score: 1

      That's some hardcore questions. Why don't you keep it simple.

      Where would your OS be without Antivirus help?

    2. Re:Questions for Mr Nash by petrus4 · · Score: 1

      Right...In other words, remove focus from things Windows can't deal with, and move it to something which (Microsoft claims) it can...something which in 98% of cases is completely irrelevant to Linux anyway.

      You're a good little minion, aren't you?

  266. Nope by m50d · · Score: 1

    I'm sorry, no, saying "you should not go to that site" is not good enough. For a start, it makes your security equal to the worst of every random web admin for any site you use, not a good situation to be in. But even then, I should be able to visit untrusted sites. Because it's the whole internet out there. The whole point of it is to connect me to people I don't know. A web browser should be safe, and certainly can be safe. Using konqueror on linux I have no need to worry about whether I trust the sites I'm visiting. There is no way for them to affect my actual computer without explicit permission from me, just what is temporarily displayed on my screen and played through my speakers. Why can't windows be the same?

    --
    I am trolling
  267. Firefox Insecure by munchy · · Score: 2, Informative

    Although I use Firefox for 95% of my browsing because I consider it more secure for everyday browsing and more resilient against spyware, I do not use Firefox for my Internet banking. I use IE instead as it is more secure and bug free in that regard.

    I use two Internet banking sites, one for a regular bank and one for an Internet-only bank. For one of them however, Firefox has an ugly bug where using the keypad and double clicking the button results in 3 of the same number being input. Although not a security risk it has caused a number of invalid logins. The keypad was implemented as a security feature against key loggers more than a year ago.

    The other one has a serious security bug, where after logging out, all I have to do is press the back button enough times and Firefox will prompt me to resubmit POST data (the login) and it will log me right back into Internet banking without having to type in my account number or password. This happens even though I am accessing a secure site, and despite the fact that Firefox was instructed to not cache passwords.

    In addition numerous rendering bugs cause some features of my banking to be unusable.
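    The re-login-by-back-button problem described in this comment is a server-side failure, whatever the browser does with cached form data: if a login POST can be replayed verbatim after logout, the site has no single-use binding on its login form. The following is an added example, not code from the bank, from Firefox, or from the commenter, showing the usual defence: each rendered login form carries a one-time token that the server consumes on first use, so a resubmitted copy of the same POST is rejected. The in-memory store, the sample user and the plain salted hash are constructed for illustration (a real deployment would use a dedicated password hashing function such as bcrypt or argon2 and a persistent token store).

```python
"""Single-use login form tokens: a server-side defence against a replayed
login POST, such as a browser re-submitting cached form data after logout.
Added example; the user table, salt and in-memory stores are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample user database: username -> salted password hash.
# (Illustrative only; production code should use bcrypt/scrypt/argon2.)
_SALT = b"constructed-demo-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


class LoginService:
    def __init__(self):
        self._pending_tokens = set()  # tokens issued to login forms, not yet used
        self._sessions = {}           # session id -> username

    def render_login_form(self):
        """Issue a fresh one-time token to embed in the login form as a hidden field."""
        token = secrets.token_urlsafe(32)
        self._pending_tokens.add(token)
        return token

    def login(self, form_token, username, password):
        """Handle the login POST. Returns a session id, or None on failure.
        The token is consumed whether or not the credentials are right, so an
        identical POST can never succeed a second time."""
        if form_token not in self._pending_tokens:
            return None                       # unknown or already-used token: replay
        self._pending_tokens.discard(form_token)
        expected = USERS.get(username)
        supplied = hashlib.sha256(_SALT + password.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, supplied):
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = username
        return session_id

    def logout(self, session_id):
        """Invalidate the session on the server, not just in the browser."""
        self._sessions.pop(session_id, None)

    def is_logged_in(self, session_id):
        return session_id in self._sessions


def replay_scenario():
    """Reproduce the back-button scenario: log in, log out, then resubmit the
    identical POST. Returns (first_login_ok, replay_ok)."""
    svc = LoginService()
    token = svc.render_login_form()
    sid = svc.login(token, "alice", "correct horse")
    first_ok = sid is not None and svc.is_logged_in(sid)
    svc.logout(sid)
    replayed = svc.login(token, "alice", "correct horse")  # same token, same credentials
    return first_ok, replayed is not None


if __name__ == "__main__":
    print("first login ok, replay ok:", replay_scenario())
```

    The key property is that the token is spent on the first submission regardless of outcome, so a replayed form, whether from a browser cache, a proxy log or a shoulder-surfed page, gets a fresh-form redirect rather than a session.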

  268. Testing only shows the existence... by xRelisH · · Score: 2, Insightful
    Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003...
    ... Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities

    You can't really claim that one piece of software is more stable or secure than another by using the number of vulnerabilities fixed as the only argument. According to this flawed logic, I could write a large piece of software, run one test, work fine for that one test, and claim that mine is more stable than another piece of software that has been thoroughly tested and has had bugfixes.
    I guess Nash has also forgotten the old saying that testing can only show the existence of bugs, not the absence.
  269. Not just off, removable. by khasim · · Score: 1

    I'm running Linux servers at work that do not have Apache installed. Not at all.

    So they will never be affected by any exploit that might be found for Apache.

    Now, it is possible for a local exploit on a Windows system to activate a service that is currently de-activated.

    To be safe, that code has to be removed. 100% off the system. Gone.

    That's why I prefer Debian. It's easy to build it with just the features I need.

  270. um.... by Anonymous Coward · · Score: 0

    hahaahahahahahahahahahahahahaha ...oh I needed that.

  271. my $0.02 by compro01 · · Score: 1

    well, IMO, MS users are still only more likely to be hacked for a few reasons... 1. it's popular! pretty much everyone and their momma, and their 5th cousin, twice removed runs it. i run windows. keep an anti-virus handy, along with a firewall, practise intelligence with email attachments from people i don't know and most that i do. i visit windows update every week. i also run linux, though i don't use it on the net, mainly as my main use for the net (online MMORPG) doesn't have a linux version and i have failed to get it to work on linux. 2. staff. even as massive as microsoft is, it pales in comparison to how many programmers there are in the OSS community. 3. most vulnerabilities are only taken advantage of after the patch is released. there's that lag time always there from when the patch is released and when so many people have it, it's no longer worth looking for. i'm no MS zealot, just a realist. go ahead. mod me as you will.

    --
    upon the advice of my lawyer, i have no sig at this time
  272. I don't. by khasim · · Score: 1
    Doesn't everyone do this? Are people really so adamant about having that stupid 300 day uptime that they don't bother doing any testing?
    The testing happens on the test server. The test server gets re-boot'ed. That is what test servers are for.

    Why would I need to shut down a production server because I applied an update to Exim?
    I found the secret long ago that to maintain maximum customer-facing uptime, you never have a single server perform any task.
    This isn't about what the customer sees.

    This is about the system itself.

    If you feel the need to re-boot your system after anything other than a kernel patch, you need to either:

    #1. Get yourself some education so you can maintain a decent system. ...or...
    #2. Switch to a stable system that doesn't corrupt itself.

    When the systems are stable and maintained correctly, the customers will see nice uptime. Don't confuse one of the results with the primary goal.
    1. Re:I don't. by wolf31o2 · · Score: 1

      The testing happens on the test server. The test server gets re-boot'ed. That is what test servers are for.

      Why would I need to shut down a production server because I applied an update to Exim?

      Wow. Thanks for the completely asinine response. Nobody said that you should reboot the server for every change. You did restart exim, right? Would that not be the testing required? Did you bother to check your runlevel to ensure the service is set to start on reboot?

      If you feel the need to re-boot your system after anything other than a kernel patch, you need to either:

      #1. Get yourself some education so you can maintain a decent system. ...or...
      #2. Switch to a stable system that doesn't corrupt itself.

      When the systems are stable and maintained correctly, the customers will see nice uptime. Don't confuse one of the results with the primary goal.

      I'm not confused, at all. I have enough sense to know that there are many more changes than a kernel update that can stop a system from booting. Filesystems that are supposed to mount at boot but were never added to fstab, or a broken init script can stop a server dead in its tracks. There's also the issue of upstream vendor patch sets that implement multiple patches simultaneously. In cases such as this it is infinitely easier and quicker to simply reboot the server than to stop and restart every affected service in the proper order. I have better things to do with my time than sit around babysitting a patch process that could be tested much quicker via a reboot. This is after running through the development environment, of course.

      I am really starting to think that we are talking about completely different styles of systems management here. I am speaking of very large systems with expendable nodes. A system large enough that you expect failures on a daily basis. When you have more than a handful of servers performing the same function in a clustered environment, having one or two reboot is not only non-catastrophic, but expected to retain functionality in such a large mixed environment.

      Have you ever had a server not come back up to full functionality because a network filesystem failed to mount for any reason?

      Rather than waste the time to fix these things when they happen, a simple reboot while the machine is already within its scheduled downtime is much simpler to prevent this sort of thing and saves the company time, which to any large company quickly equates to money.
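    Both sides of this exchange agree on the checks that matter after a patch: the updated service was restarted and is still enabled for the next boot, and every filesystem that fstab expects at boot is actually mounted. The script below is an added example, not code from either commenter; it performs those two checks against a constructed fstab, a constructed /proc/mounts-style table and constructed running/enabled service sets (standing in for what `ps`/`chkconfig` or the init system would report), so it runs offline. Swapping in the real files and a real service listing is the only change needed to use it on a host.

```python
"""Post-patch boot-readiness check: fstab entries versus what is mounted, and
required services versus what is running and enabled for the next boot.
Added example; all inputs below are constructed sample data."""

# Constructed sample /etc/fstab
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1        /          ext3   defaults          1 1
/dev/sda2        swap       swap   defaults          0 0
nfs1:/export/www /var/www   nfs    defaults          0 0
/dev/sdb1        /backup    ext3   noauto,defaults   0 0
proc             /proc      proc   defaults          0 0
"""

# Constructed sample /proc/mounts: the NFS mount for /var/www never came up
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw 0 0
proc /proc proc rw 0 0
"""


def parse_fstab(text):
    """Return [(mount_point, options)] for entries expected at boot.
    Comments, blank lines, swap entries and 'noauto' entries are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; a production tool should report it
        _device, mount_point, fstype, options = fields[:4]
        opts = set(options.split(","))
        if fstype == "swap" or "noauto" in opts:
            continue
        entries.append((mount_point, opts))
    return entries


def mounted_points(text):
    """Set of mount points in a /proc/mounts-style table (second column)."""
    points = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            points.add(fields[1])
    return points


def missing_mounts(fstab_text, mounts_text):
    """Mount points fstab expects at boot that are not currently mounted."""
    mounted = mounted_points(mounts_text)
    return sorted(mp for mp, _ in parse_fstab(fstab_text) if mp not in mounted)


def service_problems(required, running, enabled):
    """For each required service, list why it would not survive a reboot:
    stopped now, and/or not enabled to start in the boot runlevel."""
    problems = {}
    for svc in sorted(required):
        issues = []
        if svc not in running:
            issues.append("not running")
        if svc not in enabled:
            issues.append("not enabled at boot")
        if issues:
            problems[svc] = issues
    return problems


if __name__ == "__main__":
    print("boot-time filesystems not mounted:", missing_mounts(SAMPLE_FSTAB, SAMPLE_MOUNTS))
    # Constructed state after an exim update: restarted, but the package
    # upgrade left it out of the default runlevel.
    print(service_problems({"exim", "sshd"}, running={"exim", "sshd"}, enabled={"sshd"}))
```

    Run as a pre-reboot gate in the scheduled window, a non-empty result from either function is exactly the class of problem the reply describes (a mount missing from fstab or a service that would not come back), caught without needing the reboot to discover it.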

  273. Service Pack 2 by Anonymous Coward · · Score: 0

    Is that 300MB Service Pack 2 file one patch or 300 million patches?

  274. Win2003's far fewer than RedHat, well... Duh!!! by Dark+Coder · · Score: 1

    Sure Win2003 has far fewer patches than Redhat...

    Win2003 has far less market share than RedHat (by an order of magnitude of 10.)

    (Smile).

    Is this a case of a "too Late in the game?" This VERY RECENT Slashdot story stated that Windows 2003 lost a market opportunity of 560 WinTel (compared to 30 Solaris) to just one RedHat mainframe for a huge Bank.

  275. Hold on there... by HaveNoMouth · · Score: 1
    Microsoft's Chief Security Executive

    Wait... Microsoft has a Chief Security Executive?

    Now that's what I wanna see when I type "define: oxymoron" into Google!

  276. stating the obvious by ShadeEagle · · Score: 2, Insightful

    > MS Security Chief Says Windows is Safer Than Linux

    umm... yeah. BIG SURPRISE, FOLKS.

  277. Operating System -versus- Application Suite by PhYrE2k2 · · Score: 1

    Cripes- why does this same statement come up.

    Microsoft:
    OS Kernel, GUI, web browser. networking
    - been around a while, and they have secured entry points

    Linux:
    OS Kernel, GUI (X), Frontend to GUI (KDE, Gnome, etc), web browser (Mozilla, Konqueror), networking (Samba)

    Fine- now lets add to Linux: SSH client, graphics libraries, multiple shells, web servers, mail clients, chat clients, etc.

    So what's been updated in Linux? Well probably many non-critical security updates, followed by updates to many applications most users don't need or run. Probably 3 of those updates are to Apache2 (which keeps coming out with Patches).

    This is silly- Combine office and hundreds of applications into Windows and watch the updates fly.

    The open source also means that we catch these bugs and fix them, because people can find out how to exploit them. With M$ it's usually not as simple- so they just patch what they feel is a threat.

    -M

    --

    when you see the word 'Linux', drink!
  278. Who is he kidding? by jrosales · · Score: 1

    This guy has to be kidding!! I do not complain about how vulnerable ALL M$ products are because I make a living cleaning up the mess on M$ customers' computers. And I live well. :) Of course, my office, my home, all my computers are vulnerable because I only use Linux. :-D

  279. hmm by mattyrobinson69 · · Score: 1

    these patches, were they all of the same rating?

    were these all highly critical patches?

    what about ones ms missed

    what about patches for software for which microsoft does not provide an equivalent (or at least include IIS's patches if you're going to include apache, for example)?

    also, there's open source antivirus software for linux, and there's NO spyware that targets linux (that i know of, and I'm sure there isn't any) so what's the point in anti-spyware software for linux?

  280. FOR ME TO POOP ON!!! by Anonymous Coward · · Score: 0

    YEAS, YEAS. Much Safer! FOR ME TO POOP ON!!!

  281. To anyone who believes this... by Anonymous Coward · · Score: 0

    ... I'd like to have some of whatever it is you're smoking.

    Microsoft is no where near as safe as Linux... never has been... never will be. Dream on Microsoft.

  282. Don't fix your bugs ... by camba · · Score: 2, Insightful

    Buy an antivirus company and make money from them!!

  283. MS employee says Windows is safer because... by LoverOfJoy · · Score: 5, Funny

    MS employee says Windows is safer because using Linux puts him in danger of being fired.

    1. Re:MS employee says Windows is safer because... by IO+ERROR · · Score: 2, Funny
      MS employee says Windows is safer because using Linux puts him in danger of being fired.

      Yes, but he's got a great future in sales and marketing! Actually, he probably IS in sales and marketing.

      --
      How am I supposed to fit a pithy, relevant quote into 120 characters?
  284. MSFT Secure by volinaz · · Score: 1

    Yet they always fail to mention that "ALL" of the Linux holes are 100% patched quickly, the majority are non-critical, and they are not all related to the OS, unlike the MSFT patches that they separate into OS, application, but wait isn't IE a part of their OS? According to them it is! Down with MSFT, pezzo de merda!

  285. Re:Linux isn't secure by The+MESMERIC · · Score: 1

    I bet that was written by Jorge Lopez from Division Two
    hehe!

  286. Truth and the source. by DigitalEntropy · · Score: 2, Interesting

    No matter who or what you are talking about, when there is interest involved, you cannot believe or take directly to heart, the statements of those who can benefit from such statements. Ever. Even if RedHat were to say something so crass as "We're safer than Windows" you could not place credible value in their statements alone.
    Third parties which are completely objective, and have nothing to gain from the truth, are the only trustworthy source. Everybody is caught up in this dramatic bullshit that makes it analogous to a presidential debate. The fact is, that you MUST require the view points of many sources outside of Linux, Windows, and Macs altogether to know which, if any, are safer than the others.

    Such views exist. And the only ones, with facts and data and evidence, that cheer for M$... are the ones that get paid by them. That alone should be enough to make any analytical intelligence give pause to joining a bandwagon.

    Choose ye this day which OS shall serve you, but for me and my house, we shall run Debian.

    (This also means you should tolerate the ignorance and free-will of others, regardless of whether or not YOU or I think ill of their choices.)

    --

    Thank you for reading One Man's Opinion. No participation necessary. Offer void where deemed by law or PATRIOT Act.
  287. You gotta be kidding. by Anonymous Coward · · Score: 0

    Does Microsoft really think anyone one will believe this statement?

    Which OS gets all the news with virus attacks crippling systems worldwide?

    Given a Choice of an OS to serve Information onto the Internet which would you choose?

  288. The best Microsoft Security software on a PC... by Lodragandraoidh · · Score: 2, Insightful

    ...is Linux.

    Seriously though, the local churches must do a brisk business at the confessional on Sundays in Redmond Washington.

    I would almost believe their message, if it wasn't for the "I really don't like you but will pretend that I do" grins Balmer and Gates manage to eke out during public appearances. You can see it in their eyes - they don't believe what they are saying, they just want you to buy it.

    Tell me honestly, if those guys weren't rich and in charge of Microsoft, would anyone listen to them at all? I don't know many used car salesmen I would enjoy spending the evening with - and that's what high level Microsoft employees remind me of.

    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain
  289. Puff Puff.. SECURE! by Vampyre_Dark · · Score: 0

    he staunchly defended Microsoft's record on security

    Get off the pipe.

  290. Re:Fuck Off Microsoft-Haters by colinrichardday · · Score: 1

    And users like you are keeping Microsoft in business, so you get what you deserve.

  291. or hasnt had a brain transplant by cheekyboy · · Score: 1

    While Windows has had a few total lobotomies

    --
    Liberty freedom are no1, not dicks in suits.
  292. Windows is as secure as the Pope is healthy by gnushell · · Score: 1

    And both are swimming in pools of denial. Amazing how folks spin reality.

    --
    home != /dev/null
  293. Sounds like an obsessive attitude... by MerlinTheWizard · · Score: 1

    Microsoft seems totally obsessive about claiming Windows is more secure than Linux. They just keep saying that. It's getting old. Don't they have anything else to say?

    Of course, not only is that claim not true, but it also doesn't mean squat when you know what Microsoft means when they say "security". Maybe what they need, after all, is a dictionary.

  294. I can't understand how windows users get by... by Anonymous Coward · · Score: 0

    My polite and nice debian stable box just sits there. I receive almost daily a mail or two telling me that I have a security problem or there is a new version of some of the packages installed. I run "apt-get update", "apt-get dist-upgrade" and everything just keeps working. No reboots, no nothing.

    Of course the software in the stable branch is quite old, but still I'd like to see MS telling me what's wrong in the product they are about to push to me.

  295. In other news ... by GrandNord · · Score: 1

    Iran's grand Ayatollah says Islamic Republic grants more freedom than US democracy ... Come on, this kind of statement will be news when MS security chief says Linux is safer; but he wouldn't hold his position for long.

  296. MSFT IT Security Officer trying to distract coders by WillAffleckUW · · Score: 1

    so they won't spend more time improving Linux instead of reading about how (cough LIES cough) secure Windows is.

    The best way to win at this game is to submit code.

    --
    -- Tigger warning: This post may contain tiggers! --
  297. Yes, but remember... by eremitic · · Score: 1

    "A vulnerability is not a vulnerability till somebody discovers it..."

    --
    Warning: Could be fatal if taken seriously
  298. Better colours by Anonymous Coward · · Score: 0
  299. other software by hyperfusion · · Score: 1

    Can't MS notice that those patches are not only for the OS itself, but also for the thousands of other packages in RH/SuSE's software databases? These guys are idiots.

  300. Is this some kind of joke? by necro2607 · · Score: 1

    What? Is this guy seriously trying to claim that you can gauge a product's level of security by how many security flaws have been FIXED?

    Holy crap, someone needs to lay off the drugs... seriously.

  301. Same Old Grind..... by carney1979 · · Score: 1

    Oh, look!

    There goes Micro$oft trying to plug some more holes!

    How's life in a sieve, Mike Nash? They don't float very well, do they?

    David

  302. Are Visual Studio and ASP bugs counted? by tepples · · Score: 1

    Holes in Apache and PHP for Linux are often also holes in Apache and PHP for Windows. In addition, they're analogous to holes in IIS and ASP. Are those included?

    Likewise, gcc and make don't count because I didn't see Microsoft including Visual Studio bugs in its count.

    Xpdf doesn't really count because most Windows users use acroread instead. Acroread doesn't count because it's an Adobe product, not a Microsoft product, and this is a count only of holes in specific Microsoft products.

  303. HAHAHAHAHAHA by StormKrow · · Score: 1

    ...if Microsoft is so much safer than Linux, why did I spend 5 hours tracking down and eliminating a virus (actually 5 viruses) that I acquired by visiting a site with malicious code in their scripting 2 days ago?

    It was rather nasty too. Messed with my Task Manager so I couldn't kill processes unless I was tricky about it. Hijacked my desktop and displayed adverts for crap I didn't want. Installed 3 bits of adware that were pesky buggers to eliminate. Nothing that really killed my system, but it definitely made browsing and system usage not as it was intended.

    Go to the same site with my Linux box, it doesn't miss a beat.

    Oh yeah, Microsoft is much safer than Linux. (/sarcasm off)

    --
    Who cares about the ozone layer?...thanks to CFC's I can write my name......IN CHEESE!!!
  304. True for a given value of true by dbIII · · Score: 1
    When I was running a beta of Server 2003 it was far more secure than Linux on the same machine. I achieved this by the simple action of not installing the ethernet drivers and by not letting anyone else into the same room as the machine.

    I'm not letting a Windows machine onto the net without adult supervision (e.g. a hardware firewall running embedded Linux with decent filtering rules).

  305. LOL by cillasri · · Score: 0

    X-D

    They must be kidding, mustn't they?

  306. Slackware linux by Anonymous Coward · · Score: 0
  307. Win2k3 by anonymous22 · · Score: 1

    If Win2k3 is so much more secure than Linux, why doesn't M$ let us have it for free? Oh, I get it, giving stuff away is too much like the open source community, the same one that is bashing them right now.

    --
    Anyone who runs is V.C. Anyone who stands still is well-disciplined V.C.
    Door Gunner, Full Metal Jacket
  308. Why not sue the guy? by tesseldamage · · Score: 1

    What would the outcome be if this M$ security officer were brought to court for these claims, since they can't be justified by any measure?

  309. M$ and safe???? by pearce25 · · Score: 1

    The notion coming from MS that its products are secure is stupid to say the least. What does anyone expect them to say!..."our products are crap"? If one finds patchware acceptable then rock on...SUCKER!!!

  310. Debian Sarge by Anonymous Coward · · Score: 0

    Wow, I guess I should stop using Debian Sarge, as I get over 10 updates every day.

  311. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion