Slashdot Mirror
MS Security Chief Says Windows is Safer Than Linux
Kip Winger writes "Mike Nash, Microsoft's Chief Security Executive, has made claims that Windows is more secure than Linux. In a recent online chat, he staunchly defended Microsoft's record on security, basing part of his argument on how Windows Server 2003's 15 patches in the past year are far less than what RedHat or SuSE have had to endure." He also mentioned the recent purchase of Sybari and their Antivirus product.
the patched that they should have done?
Microsoft is basing that claim by number of patch distributions, not by size for severity, cute. So, just because they (usually) wait up to a month to release a patch, somehow they are better FUD never had so much meaning. I'd be outraged, but words like this are so expected.
The force that blew the Big Bang continues to accelerate.
If anyone from Microsoft said anything to indicate that their software is in any way inferior to other software, it would hurt their marketing.
Knowing this, their only option is to claim that they have the best software.
We see these posts trumpeted by entities like Slashdot. It it warrented? Does Redmond have any credibility on things like this left? Should we be paying any more attention to this sort of behavior than to just consider what MS is doing? :\ I'm more interested in the well thought out comments all-y'all have.
Sam
FUD on the horizont, sirre ;-)
- if you compare RedHat/SuSE then you have to compare it to Windows Server + complete BackOffice + complete Visual Studio + complete MS Office and you still are not close enough...
- I'd be interested in average time to fix critical bugs...
- also number of known un-fixed cricital bugs will be interesting (incl. IE on Windows)
"Mike Nash, Microsoft's Chief Security Executive"
What does everyone think he's supposed to say? Windows security is inferior to linux? He'd lose his job.
My sig of choice is Marlboro
"Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."
This actually brings up an interesting point. Does Windows have less bugs (I know, I know) than these Linux distros? Or are Red Hat and Novell more proactive to fix the bugs they do have? Unfortunately, my guess is most PHBs would think the former.
It's "no one," not "noone." Who the hell is noone anyway?
Microsoft's top security honcho insisted Thursday that Microsoft "is making progress on security using any reasonable metric."
What is a 'resonable metric'? Is that one that only provides the results that one wishes to see or is that a metric provided by a reputable security organization that is known for being extremely truthful and accurate in its results?
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
Linux might have more security holes within the release times but I feel the Linux patches are more proactive than reactive.
When Microsoft releases a patch it's usually because thousands of users have already been complaining about something and they have to address it in a reactive mode. In Linux, someone makes a discovery of a security flaw, contact's the vendor, and it's usually patched within a couple of days. Note that within that discovery, everyone is still happy as a clam because there haven't been 50,000 trojan's trying to exploit it.
If there's only 15 for 2003, then why does that secunia link list 44?
Notably, the RedHat and Suse links list a higher number of vulnerabilities, but also state that there are ZERO unpatched security holes.
Surprisingly, the Windows 2003 product still has unpatched holes.
People are funny.
Microsoft is a corporation. It needs a base of support to exist. Pausing in its creation of "new and improved!" products to backtrack and actually fix anything is not additive to the bottom line (profit).
Therefore, MS will never fix anything. They will merely use PR to promote their products. If falsehoods are created and spread, they will focus on the person who created that lie, not the legal individual Microsoft. (Corps. are equivalent to living people in most states but that's a rant for another time.)
Q.E.D., nothing to see here. Move along.
This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
Second, comparing Internet Explorer (IE) and Firefox indicates that Windows is likely more bug ridden than major open-source software like Linux. I have used both IE and Firefox. From my experience of visiting thousands of pornographic sites laden with naked women beckoning you to "enter" their site (and other things), I can definitely say that IE is chock full of security problems. After 1 week of pornographic surfing with IE, my entire system (browser and OS) becomes infected with malware -- to the point that I must reload Windows. I have yet to experience the same problem with Firefox.
The only thing that I hate about Firefox is that it is very slow, probably due to the fact that my computer system has limited DRAM and that Firefox must swap to disk more often than IE. Such is the price that I must pay to enjoy porn.
Just think...If MS were to not release *any* security patches at all, they could use that figure as absolute proof that Windows is more secure than anything else out there!
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
The 95% of those out there that are 'unenlightened' when it comes to computers and technology probably wouldn't even question M$'s claims. "Oh, Microsoft say they've issued less patches for Windows than others did for Linux and thus Windows is safer. I'm glad to have someone trustworthy to tell me these things!". (-_-)
/.ers.
Because M$ is more reputatable than Red Hat or Novell, the general public will much more likely consider their claims to be true. Oh well. At least it makes for a good laugh for us
Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
This is an argument that can largely be debated on a variety of levels. Honestly? Linux and ultimately unix of any flavor has just as many vulnerabilities as Windows does. Difference -- typically most of those vulnerabilities are patched and assessed before they take affect.
Just do a search for Sendmail Vulnerabilities on google.
Result =
Results 1 - 10 of about 143,000 for Sendmail Vulnerabilities. (0.39 seconds).
for Microsoft
Result =
Results 1 - 10 of about 364,000 for Microsoft Exchange Vulnerabilities. (0.18 seconds).
You can have this discussion for days on end, and really, what the *nix community has up on the M$ community is knowledge and ability. No, there arent any viruses that are successfully written for *nix. Spyware isnt even remotely a concept to a linux user. And most vulnerabilities get patched as quickly as they are given POC. Does this mean that linux users patch any more or less than Windows users, no. But we do it more effeciently and with greater success.
Stability wise , come on. Ive got a redhat 7.3 box that baring powerfailures hasnt been rebooted in over a year. Its a good box, it would probably take an Arkady Rossovich low yeild nuke on its head and still live, and I dont know of any windows box thats able to admit that.
"God of Rock, thank you for this chance to kick ass. "
"If you can just manage to say something that gets picked up by major news organizations, then it might make it come true.
Or at the very least, you might at least fool some people enough to continue to give you money."
Correct. It's called PR, and it works. Microsoft does it all the time, spewing out completely false or misleading statements knowing those will get the headlines. Corrections get buried on page 17.
The Bush administration has carried this out to a fine art. They make a grandiose announcement they know is completely false at the time ("the cost of the Medicare drug program will be X billion.") knowing that by the time the real number gets out it will get buried in the news. They even use fear to get what they want ("Social Security is broken.") as does Microsoft ("Linux is not as safe.")
regardless of how many programs you install on your server, comparing the number of patches realeased by redhat/suse in a given time frame, which covers all applications in the entire distribution regardless of whether you have them installed, to the number of patches released for windows server 2003, which pretty much only covers the os, web browser, and web server, is beyond ridiculous.
not to mention microsofts tendency to roll up multiple patches into one, something redhat/suse can't do because they don't know which packages you have installed, so bugs that affect different packages can't be compbined.
If I don't put anything here, will anyone recognize me anymore?
But a Windows tends to roll a lot of stuff into single programs, whereas the Unix world has a culture of heavy factoring of software tools.
With all of these different tools, and the admin's freedom to install only the tools he/she feels are needed, the Linux world ends up having to create separate security updates for separate tools, where Microsoft tends to release gargantuan security packs that are really a whole mess of patches rolled into one package.
On a similar note, most of the Linux tools come from all sorts of sources operating more or less independently. This would make it all but impossible for you to find a file that includes security updates for both, say, wu-ftpd and Apache.
And the list goes on. The reality is, the model for releasing seucurity updates in Windows is vastly different from the model for releasing them in Linux, and one is natually going to create at least one order of magnitude more discrete security updates. (If I started seeing updates for my software on Linux only as often as I was seeing security updates from Windows, I would think that something is seriously wrong.) What Mr. Nash really needs to be comparing is the relative advantages of the two different models of releasing security updates.
But of course, you're not going to see that since such an analysis can't be plotted in an Excel spreadsheet.
Exactly. If you look at the secunia pages, you'll notice that all of the advisories are from things bundled in Windows or MS Office.
The Red Hat advisories include vulnerabilities for Perl, emacs, xpdf, vim, PHP, acroread, ruby, etc.
Red Hat has vulnerabilities for multiple programming languages, multiple mail servers, multiple PDF viewers, and so on. Many of the Linux vulnerabilities are for programs that have Windows versions, but aren't reported as such. Many other Linux vulnerabilities are for programs that aren't included on Windows at all, and are therefore not reported (I don't see any Adobe Acrobat vulnerabilities for Windows).
So comparing the two pages as if they represent equal things is ridiculous.
I've come for the woman, and your head.
We can choose which of the "bundled" apps to install.
Windows users can't without jumping through MAJOR hoops. (Microsoft claims it is not possible at all, but software like Win98Lite showed people otherwise).
Windows - We cannot install Windows without installing IE.
RedHat, Gentoo, whatever - Lynx, Galeon, Firefox, Mozilla - What browser do you want to use today? Or maybe you don't want any at all! You can make that choice.
retrorocket.o not found, launch anyway?
Doesn't everyone do this? Are people really so adamant about having that stupid 300 day uptime that they don't bother doing any testing?
I found the secret long ago that to maintain maximum customer-facing uptime, you never have a single server perform any task. Instead, you use multiple load-balanced servers, with enough redundancy and survivability to handle one server going down for a scheduled reboot. Th euptime on the individual servers becomes nearly meaningless, as the service uptime is what is really important.