MS Security Chief Says Windows is Safer Than Linux
Kip Winger writes "Mike Nash, Microsoft's Chief Security Executive, has made claims that Windows is more secure than Linux. In a recent online chat, he staunchly defended Microsoft's record on security, basing part of his argument on how Windows Server 2003's 15 patches in the past year are far less than what RedHat or SuSE have had to endure." He also mentioned the recent purchase of Sybari and their Antivirus product.
the patched that they should have done?
...they do protest too much.
Did he inhale?
Microsoft is basing that claim on the number of patch distributions, not on size or severity. Cute. So, just because they (usually) wait up to a month to release a patch, somehow they are better. FUD never had so much meaning. I'd be outraged, but words like this are so expected.
The force that blew the Big Bang continues to accelerate.
Do you *really* think he could one day admit the opposite? :)
* when put behind a baffling series of hardware and software firewalls destroying all connectivity with said Windows machine. In addition, a 500 lb gorilla must be guarding the keyboard.
If anyone from Microsoft said anything to indicate that their software is in any way inferior to other software, it would hurt their marketing.
Knowing this, their only option is to claim that they have the best software.
We see these posts trumpeted by entities like Slashdot. Is it warranted? Does Redmond have any credibility on things like this left? Should we be paying any more attention to this sort of behavior than to just consider what MS is doing? :\ I'm more interested in the well thought out comments all-y'all have.
Sam
FUD on the horizon, sire ;-)
- if you compare RedHat/SuSE then you have to compare it to Windows Server + complete BackOffice + complete Visual Studio + complete MS Office and you still are not close enough...
- I'd be interested in average time to fix critical bugs...
- also the number of known unfixed critical bugs will be interesting (incl. IE on Windows)
"Mike Nash, Microsoft's Chief Security Executive"
What does everyone think he's supposed to say? Windows security is inferior to linux? He'd lose his job.
My sig of choice is Marlboro
"Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."
This actually brings up an interesting point. Does Windows have less bugs (I know, I know) than these Linux distros? Or are Red Hat and Novell more proactive to fix the bugs they do have? Unfortunately, my guess is most PHBs would think the former.
It's "no one," not "noone." Who the hell is noone anyway?
Microsoft's top security honcho insisted Thursday that Microsoft "is making progress on security using any reasonable metric."
What is a 'reasonable metric'? Is that one that only provides the results that one wishes to see, or is that a metric provided by a reputable security organization that is known for being extremely truthful and accurate in its results?
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
... patches to Exchange, IIS, MS-SQL, Office and the rest of their bug ridden software.
Linux might have more security holes within the release times but I feel the Linux patches are more proactive than reactive.
When Microsoft releases a patch it's usually because thousands of users have already been complaining about something and they have to address it in a reactive mode. In Linux, someone discovers a security flaw, contacts the vendor, and it's usually patched within a couple of days. Note that within that discovery window, everyone is still happy as a clam because there haven't been 50,000 trojans trying to exploit it.
If there's only 15 for 2003, then why does that secunia link list 44?
Notably, the RedHat and Suse links list a higher number of vulnerabilities, but also state that there are ZERO unpatched security holes.
Surprisingly, the Windows 2003 product still has unpatched holes.
Problem: MS's products are insecure.
Solution: Have your Security Chief claim that your products are more secure than the competition.
If you had super powers, would you use them for good, or for awesome?
People are funny.
Microsoft is a corporation. It needs a base of support to exist. Pausing in its creation of "new and improved!" products to backtrack and actually fix anything is not additive to the bottom line (profit).
Therefore, MS will never fix anything. They will merely use PR to promote their products. If falsehoods are created and spread, they will focus on the person who created that lie, not the legal individual Microsoft. (Corps. are equivalent to living people in most states but that's a rant for another time.)
Q.E.D., nothing to see here. Move along.
This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
In the time it took you to write your post, you could have configured all of those things to not pop up every time you log in. You suffer from the same thing a lot of people who like to flame suffer from: laziness. Whose fault is it that you don't choose the option to not have something run in the tray?
My sig of choice is Marlboro
which patches fixed remote exploits and which patches fixed local exploits. I find Windows has a lot more holes that can be exploited remotely, whereas Linux requires local access. In either case, would the Security Chief of a company come out and say another product is superior to their own?
I say we just grow up, be adults and die.
Second, comparing Internet Explorer (IE) and Firefox indicates that Windows is likely more bug ridden than major open-source software like Linux. I have used both IE and Firefox. From my experience of visiting thousands of pornographic sites laden with naked women beckoning you to "enter" their site (and other things), I can definitely say that IE is chock full of security problems. After 1 week of pornographic surfing with IE, my entire system (browser and OS) becomes infected with malware -- to the point that I must reload Windows. I have yet to experience the same problem with Firefox.
The only thing that I hate about Firefox is that it is very slow, probably due to the fact that my computer system has limited DRAM and that Firefox must swap to disk more often than IE. Such is the price that I must pay to enjoy porn.
So if their software is so secure, why do they have to recommend antivirus software to stop their systems from being infected?
Just think...If MS were to not release *any* security patches at all, they could use that figure as absolute proof that Windows is more secure than anything else out there!
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
OpenBSD has experienced "Only one remote hole in the default install, in more than 8 years!"
http://openbsd.org/
Move along people. Nothing to see here.
A Linux distribution contains hundreds to thousands of programs.
A Windows distribution contains a handful of programs.
A house divided against itself cannot stand.
Nash also said that the number of patches shouldn't be the only criteria users apply to tell if Microsoft's doing its job.
How about:
(# installations w/ active malware, spyware, trojans or viruses) / (# installations)
This seems a much fairer criteria with respect to the notion of being "more secure." And one, IMHO, I imagine isn't very favorable to MS.
The 95% of those out there that are 'unenlightened' when it comes to computers and technology probably wouldn't even question M$'s claims. "Oh, Microsoft says they've issued fewer patches for Windows than others did for Linux and thus Windows is safer. I'm glad to have someone trustworthy to tell me these things!" (-_-)
Because M$ is more reputable than Red Hat or Novell, the general public will much more likely consider their claims to be true. Oh well. At least it makes for a good laugh for us /.ers.
Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
This is an argument that can largely be debated on a variety of levels. Honestly? Linux, and ultimately Unix of any flavor, has just as many vulnerabilities as Windows does. Difference: typically most of those vulnerabilities are patched and assessed before they take effect.
Just do a search for Sendmail Vulnerabilities on google.
Result =
Results 1 - 10 of about 143,000 for Sendmail Vulnerabilities. (0.39 seconds).
for Microsoft
Result =
Results 1 - 10 of about 364,000 for Microsoft Exchange Vulnerabilities. (0.18 seconds).
You can have this discussion for days on end, and really, what the *nix community has up on the M$ community is knowledge and ability. No, there aren't any viruses that are successfully written for *nix. Spyware isn't even remotely a concept to a Linux user. And most vulnerabilities get patched as quickly as they are given a POC. Does this mean that Linux users patch any more or less than Windows users? No. But we do it more efficiently and with greater success.
Stability-wise, come on. I've got a Red Hat 7.3 box that, barring power failures, hasn't been rebooted in over a year. It's a good box; it would probably take an Arkady Rossovich low-yield nuke on its head and still live, and I don't know of any Windows box that's able to admit that.
"God of Rock, thank you for this chance to kick ass. "
"If you can just manage to say something that gets picked up by major news organizations, then it might make it come true.
Or at the very least, you might at least fool some people enough to continue to give you money."
Correct. It's called PR, and it works. Microsoft does it all the time, spewing out completely false or misleading statements knowing those will get the headlines. Corrections get buried on page 17.
The Bush administration has carried this out to a fine art. They make a grandiose announcement they know is completely false at the time ("the cost of the Medicare drug program will be X billion.") knowing that by the time the real number gets out it will get buried in the news. They even use fear to get what they want ("Social Security is broken.") as does Microsoft ("Linux is not as safe.")
Linux and Mac OS manage to get these settings "right" by default.. Why should I pay more for an OS and then have to work harder to make it behave the way I want? That's like paying extra for a house that's a fixer-upper.
Here, you can buy this house that has everything working, looks nice, great house, 300k, or you can buy this house right next door, the plumbing is shot, the kitchen needs to be redone, the flooring is 15 years old and needs to be replaced, and you can have it today for the bargain basement price of 450k!
We're actually charging extra because with this house once you're done with it, it will be exactly what you want, not what the people who are selling the house next door want you to have.
While you are right to a degree, I would like to say that I don't want to have to configure something to not bother me. It should leave me alone by default.
what?
Yes Fedora currently has SELinux in the default install. Unfortunately they have had to use a fairly permissive policy because too many applications and libraries don't properly respect the sort of security bounds that ought to be in place.
Immutable files on BSD require the same kind of care... but remember, Windows has this problem in a far worse way, because Microsoft's need to remain compatible with apps that ran on the old DOS-based Windows means that they have to accommodate programs that assumed they were effectively root!
I guess this thread is about a comparison of Linux vs. Windows security which, of course, is obvious. But what I think isn't being noticed is that the Windows security situation is in a crisis. Now, I know, it's easy to laugh at Windows and say well, sure, Microsoft was stupid enough to implement stuff like the COM 'Browser Helper Objects,' the unprotected scripting engines, the IE ActiveX controls, etc. and so, 'of course', the Windows security sucks. But consider that a major portion of the world uses Windows now for email, the internet, and document exchange, and these people are hurting. Yes, the big enterprises have double redundant hardware and software firewalls, virus scanning, spyware extraction, and large staffs of experts to roam around and put out the fires. But the little users don't have any of that stuff and they are finding it increasingly difficult just to keep Windows going day-to-day. Basically, there seems to be a worldwide cyber war going on in which the holes in Windows are being cracked so wide and so frequently that the anti-virus/spyware/trojan software cannot keep up, and users are left with systems that barely function, even when they run the latest anti-virus software with the latest downloaded updates. The purveyors of viruses, spyware, trojans, and spam are winning here and there are bad consequences for all of us, even if we don't use Windows. If you are able to help, consider donating a little of your time to helping a neighbor, small business, school, or church with their Windows problems. Maybe you can even help them migrate their system off of Windows. They are probably going to be interested.
Using that logic, Microsoft Outlook is far more secure than Novell Evolution because patches are coming out all the time for Outlook.
What really matters in the end is:
1) The seriousness of exploits
2) The quantity of exploits
3) The imposition placed on IT people in applying patches to fix exploits
If you release a lot of patches but they are readily applied without causing downtime, etc, then that's not a big problem. If a few exploits are found but the exploits are huge gaping holes, that's bad for everybody. This is another one of those cases of trying to measure a qualitative problem using quantitative means. It means nothing but it looks good in a press release.
Is it truly more secure than Linux? The real measure is hacks per capita. How many boxes are out there, and how many are getting exploited?
Frankly, I think Linux is more secure for one simple reason: I can more readily control what's running. Linux is much easier to trim down to a minimal system, shutting down services, and making it very difficult for an exploit to do anything if it can even get on there. If I have a box that's a Linux webserver, I can trim it down to Apache and SSH, and that's it. If I just watch for exploits of those two things and the kernel itself, I'm golden. With Windows, I have these service packs and updates that change mysterious things without my knowledge. I'm at much greater risk of unexpected consequences of a security fix.
This sig has been temporarily disconnected or is no longer in service
Humor aside, counting patches is about as good of a way to determine security as counting car crashes to determine what is the safest car.
People who think they know everything really piss off those of us that actually do.
Windows is as secure as you make it. Same with Linux.
The big difference between the two is that most of the exploits available for windows requires uneducated users to have some type of interaction to infect their system or to have an exploit run.
For example, I do not believe it's the fault of Microsoft if an end user installs spyware when they visit a website. Or an even better example is how an end user will install an application like Kazaa on their system, even knowing that it has spyware installed.
Windows 2003 is very secure, and I believe that comparing XP Home Edition to Linux is very unfair simply because the majority of people who would be running Home Edition will have no idea how to protect themselves online. A better comparison would be Linux to 2003.
What are the biggest insecurities that people complain about with windows?
Spyware, which in most cases is installed by an end user knowing full well what they are doing, or being tricked; viruses installed via email (mostly related to end users; the latest version of Outlook has a lot of default features turned on to remove the use of images to track users (spam) and to not allow attachments).
And IE exploits run from non-trusted sites, again the end user going to sites that they should not be going to if they do not trust them (I think we all know which types of sites run a lot of these types of exploits).
Yes, Windows is not secure, in the same sense that Linux is not secure, OS X is not secure, etc. It's the people who use the OS that make the big difference.
p.s. Yes, I know full well about the various worms and exploits like the messaging service and RPC, which had nothing to do with end user interaction; these were big fuckups on Microsoft's side, but with an updated/patched system Microsoft has been able to make a stable, POPULAR, and secure enough OS that is capable of being user friendly but powerful when needed.
TruePunk | Games
I'm so tired of this argument "Our software is more secure than their software". It's ridiculous. What they're really saying is "Our programmers and development processes are better than your programmers and processes." These security debates, whitepapers, and arguments are always subjective, never solve anything, and only prove that someone has time to waste.
Any given OS, in the hands of an expert, is just as stable or secure as the next. There's just no way to effectively prove otherwise. The test domain to definitively prove which OS is truly the most secure is incredibly huge. As long as human beings code it, it's insecure. There is no version of Unix or Linux that has a higher Evaluation Assurance Level than Windows 2000. That doesn't necessarily mean that any novice could actually secure it either.
Reality is that Windows has a huge number of desktop installations and it's used by a large number of people that can't even open up Notepad or a command prompt if you asked them to. Those same people couldn't even install Linux so it's not reasonable to even suggest. So, how are they supposed to have any idea about security? Most of them can barely get online. It's no fluke that AOL and Windows are as popular as they are - they're easy to use and they have a small learning curve.
Furthermore, Linux and Windows are so different that it's almost ridiculous to even compare them. They solve different problems, they both have their strengths and weaknesses, and other than the fact that they're both operating systems they don't have much else in common. In many ways comparing those two systems is like comparing an F-16 to a Learjet - they both fly; they both have wings; they both have cockpits, throttles, and tails; they're both airplanes but they don't look the same; they don't have the same internal components; they aren't operated the same; and they aren't made for the same purpose.
Security arguments are out of style. It's safe to say that no major software maker is intentionally designing insecure software. Move on. Innovate. Come up with something original.
If you do what you always did, you get what you always got.
The exploits are not all that matters: What exploits are in the wild? What exploits are unpatched? What exploits are self-reported (found by the developers themselves)? What services are affected by the exploit? What is the exploit's payload and how does it impact the use of the machine?
When trying to determine whether one OS is more secure than another, I think you need to look at a lot more information than just the number of remote exploits available. The big two are: how many of those exploits remain unpatched (i.e. are still a threat) and how many of those exploits were reported by the development team itself so that administrators could take appropriate action (as opposed to hidden or ignored so that administrators could not even take precautions to prevent their systems from being exploited). Let's be real: it is much more likely that we know the truth about the state of the software in an open system (like RH, Suse, Debian, etc.) than we do in a closed system (like MS) i.e. the number of exploits reported for MS are likely the number of exploits currently being exploited - we do not know how many exploits the MS-folks know about but are not reporting. While there may be some exploits unreported in open-source software, the likelihood is considerably less because of the number of people looking at the code. Proaction (Open-Source) versus Reaction (Closed-Source).
Finally, what matters in the end to most of us is: how much time do I need to spend making sure my system is protected from exploitation, cleaning up infestations, etc.? You can claim your OS is more secure than my OS, but if I'm spending less time protecting against or recovering from exploitation than you are, you are going to have a really hard time convincing anyone who follows this type of stuff. If I am not the target audience (because I know better) then what you are engaging in is FUD - aimed at the gullible or uninformed managers and masses who are expected to take your word for it because you are Microsoft and the Press has picked up your sound-bite.
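The distinction this post (and the earlier ones asking about severity, remote vs. local exploitability, time to fix, and unpatched critical bugs) draws between a raw patch count and the metrics that actually describe exposure can be made concrete. The following is an added example, not code from the thread: the two vendors, their advisories and the severity weights are constructed purely for illustration.

```python
"""Severity-weighted exposure metrics for two constructed advisory sets.

Shows how a vendor with MORE patches can have LESS real exposure once
time-to-fix, severity, remote exploitability and unpatched flaws count.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed weights for illustration only, not any vendor's rating scale.
SEVERITY_WEIGHT = {"low": 1, "moderate": 3, "important": 7, "critical": 10}


@dataclass(frozen=True)
class Advisory:
    product: str
    disclosed: date           # day the flaw became publicly known
    patched: Optional[date]   # None means still unpatched as of the report
    severity: str
    remote: bool              # exploitable without local access


def exposure_days(adv: Advisory, as_of: date) -> int:
    """Days the flaw was (or still is) exploitable in the field."""
    end = adv.patched if adv.patched is not None else as_of
    return max((end - adv.disclosed).days, 0)


def summarize(advisories, as_of: date) -> dict:
    """Per-product metrics that a bare patch count hides."""
    out = {}
    for product in sorted({a.product for a in advisories}):
        items = [a for a in advisories if a.product == product]
        fixed = [a for a in items if a.patched is not None]
        still_open = [a for a in items if a.patched is None]
        out[product] = {
            "patches": len(fixed),
            "unpatched": len(still_open),
            "unpatched_critical": sum(a.severity == "critical" for a in still_open),
            "remote": sum(a.remote for a in items),
            "mean_days_to_fix": (round(mean(exposure_days(a, as_of) for a in fixed), 1)
                                 if fixed else None),
            "weighted_exposure": sum(SEVERITY_WEIGHT[a.severity] * exposure_days(a, as_of)
                                     for a in items),
        }
    return out


# Constructed sample data: vendor_a ships few patches, slowly, and leaves a
# critical remote flaw open; vendor_b ships twice as many patches within days.
AS_OF = date(2005, 3, 1)
SAMPLE = [
    Advisory("vendor_a", date(2005, 1, 3), date(2005, 2, 8), "critical", True),
    Advisory("vendor_a", date(2005, 1, 20), date(2005, 2, 8), "important", True),
    Advisory("vendor_a", date(2005, 2, 1), None, "critical", True),
    Advisory("vendor_b", date(2005, 1, 4), date(2005, 1, 6), "moderate", False),
    Advisory("vendor_b", date(2005, 1, 10), date(2005, 1, 11), "important", True),
    Advisory("vendor_b", date(2005, 1, 18), date(2005, 1, 20), "low", False),
    Advisory("vendor_b", date(2005, 2, 2), date(2005, 2, 3), "critical", True),
    Advisory("vendor_b", date(2005, 2, 14), date(2005, 2, 17), "important", False),
    Advisory("vendor_b", date(2005, 2, 22), date(2005, 2, 23), "moderate", False),
]

if __name__ == "__main__":
    for product, metrics in summarize(SAMPLE, AS_OF).items():
        print(product, metrics)
```

Counting patches alone ranks vendor_a "safer" (2 vs. 6); every other column in the summary says the opposite.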
I don't care if a system has 10 patches a year or 10,000 patches a year. I need a way to distribute those patches easily.
Redhat has an OK system, but Microsoft has a nice tool (software update services) that allows me to download the patches in one place and push them out to all the machines on my network. This will only get better when MS releases the next update to this tool (windows update services).
I haven't seen a similar thing from any of the linux vendors.
Sure, there are tons of third party products to add this feature to Linux, but that's a pain - and it's another product to buy. Each distribution needs to find a way to centrally automate patch management and installation. This should be part of ANY linux distribution by default.
-ted
We can choose which of the "bundled" apps to install.
Windows users can't without jumping through MAJOR hoops. (Microsoft claims it is not possible at all, but software like Win98Lite showed people otherwise).
Windows - We cannot install Windows without installing IE.
RedHat, Gentoo, whatever - Lynx, Galeon, Firefox, Mozilla - What browser do you want to use today? Or maybe you don't want any at all! You can make that choice.
retrorocket.o not found, launch anyway?
Doesn't everyone do this? Are people really so adamant about having that stupid 300 day uptime that they don't bother doing any testing?
I found the secret long ago that to maintain maximum customer-facing uptime, you never have a single server perform any task. Instead, you use multiple load-balanced servers, with enough redundancy and survivability to handle one server going down for a scheduled reboot. The uptime on the individual servers becomes nearly meaningless, as the service uptime is what is really important.
You can't really claim that one piece of software is more stable or secure than another by using the number of vulnerabilities fixed as the only argument. According to this flawed logic, I could write a large piece of software, run one test, work fine for that one test, and claim that mine is more stable than another piece of software that has been thoroughly tested and has had bugfixes.
I guess Nash has also forgotten the old saying that testing can only show the presence of bugs, not their absence.
> MS Security Chief Says Windows is Safer Than Linux
umm... yeah. BIG SURPRISE, FOLKS.
Buy an antivirus company and make money from them!!
...is Linux.
Seriously though, the local churches must do a brisk business at the confessional on Sundays in Redmond Washington.
I would almost believe their message, if it wasn't for the "I really don't like you but will pretend that I do" grins Ballmer and Gates manage to eke out during public appearances. You can see it in their eyes - they don't believe what they are saying, they just want you to buy it.
Tell me honestly, if those guys weren't rich and in charge of Microsoft, would anyone listen to them at all? I don't know many used car salesmen I would enjoy spending the evening with - and that's what high level Microsoft employees remind me of.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
I'd phrase it differently
;-)
service uptime is what your customers pay for