Slashdot Mirror
MS Security Chief Says Windows is Safer Than Linux
Kip Winger writes "Mike Nash, Microsoft's Chief Security Executive, has made claims that Windows is more secure than Linux. In a recent online chat, he staunchly defended Microsoft's record on security, basing part of his argument on how Windows Server 2003's 15 patches in the past year are far less than what RedHat or SuSE have had to endure." He also mentioned the recent purchase of Sybari and their Antivirus product.
the patched that they should have done?
Microsoft is basing that claim by number of patch distributions, not by size for severity, cute. So, just because they (usually) wait up to a month to release a patch, somehow they are better FUD never had so much meaning. I'd be outraged, but words like this are so expected.
The force that blew the Big Bang continues to accelerate.
We see these posts trumpeted by entities like Slashdot. It it warrented? Does Redmond have any credibility on things like this left? Should we be paying any more attention to this sort of behavior than to just consider what MS is doing? :\ I'm more interested in the well thought out comments all-y'all have.
Sam
FUD on the horizont, sirre ;-)
- if you compare RedHat/SuSE then you have to compare it to Windows Server + complete BackOffice + complete Visual Studio + complete MS Office and you still are not close enough...
- I'd be interested in average time to fix critical bugs...
- also number of known un-fixed cricital bugs will be interesting (incl. IE on Windows)
"Mike Nash, Microsoft's Chief Security Executive"
What does everyone think he's supposed to say? Windows security is inferior to linux? He'd lose his job.
My sig of choice is Marlboro
"Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."
This actually brings up an interesting point. Does Windows have less bugs (I know, I know) than these Linux distros? Or are Red Hat and Novell more proactive to fix the bugs they do have? Unfortunately, my guess is most PHBs would think the former.
It's "no one," not "noone." Who the hell is noone anyway?
If there's only 15 for 2003, then why does that secunia link list 44?
Notably, the RedHat and Suse links list a higher number of vulnerabilities, but also state that there are ZERO unpatched security holes.
Surprisingly, the Windows 2003 product still has unpatched holes.
Second, comparing Internet Explorer (IE) and Firefox indicates that Windows is likely more bug ridden than major open-source software like Linux. I have used both IE and Firefox. From my experience of visiting thousands of pornographic sites laden with naked women beckoning you to "enter" their site (and other things), I can definitely say that IE is chock full of security problems. After 1 week of pornographic surfing with IE, my entire system (browser and OS) becomes infected with malware -- to the point that I must reload Windows. I have yet to experience the same problem with Firefox.
The only thing that I hate about Firefox is that it is very slow, probably due to the fact that my computer system has limited DRAM and that Firefox must swap to disk more often than IE. Such is the price that I must pay to enjoy porn.
Just think...If MS were to not release *any* security patches at all, they could use that figure as absolute proof that Windows is more secure than anything else out there!
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
This is an argument that can largely be debated on a variety of levels. Honestly? Linux and ultimately unix of any flavor has just as many vulnerabilities as Windows does. Difference -- typically most of those vulnerabilities are patched and assessed before they take affect.
Just do a search for Sendmail Vulnerabilities on google.
Result =
Results 1 - 10 of about 143,000 for Sendmail Vulnerabilities. (0.39 seconds).
for Microsoft
Result =
Results 1 - 10 of about 364,000 for Microsoft Exchange Vulnerabilities. (0.18 seconds).
You can have this discussion for days on end, and really, what the *nix community has up on the M$ community is knowledge and ability. No, there arent any viruses that are successfully written for *nix. Spyware isnt even remotely a concept to a linux user. And most vulnerabilities get patched as quickly as they are given POC. Does this mean that linux users patch any more or less than Windows users, no. But we do it more effeciently and with greater success.
Stability wise , come on. Ive got a redhat 7.3 box that baring powerfailures hasnt been rebooted in over a year. Its a good box, it would probably take an Arkady Rossovich low yeild nuke on its head and still live, and I dont know of any windows box thats able to admit that.
"God of Rock, thank you for this chance to kick ass. "
regardless of how many programs you install on your server, comparing the number of patches realeased by redhat/suse in a given time frame, which covers all applications in the entire distribution regardless of whether you have them installed, to the number of patches released for windows server 2003, which pretty much only covers the os, web browser, and web server, is beyond ridiculous.
not to mention microsofts tendency to roll up multiple patches into one, something redhat/suse can't do because they don't know which packages you have installed, so bugs that affect different packages can't be compbined.
If I don't put anything here, will anyone recognize me anymore?
But a Windows tends to roll a lot of stuff into single programs, whereas the Unix world has a culture of heavy factoring of software tools.
With all of these different tools, and the admin's freedom to install only the tools he/she feels are needed, the Linux world ends up having to create separate security updates for separate tools, where Microsoft tends to release gargantuan security packs that are really a whole mess of patches rolled into one package.
On a similar note, most of the Linux tools come from all sorts of sources operating more or less independently. This would make it all but impossible for you to find a file that includes security updates for both, say, wu-ftpd and Apache.
And the list goes on. The reality is, the model for releasing seucurity updates in Windows is vastly different from the model for releasing them in Linux, and one is natually going to create at least one order of magnitude more discrete security updates. (If I started seeing updates for my software on Linux only as often as I was seeing security updates from Windows, I would think that something is seriously wrong.) What Mr. Nash really needs to be comparing is the relative advantages of the two different models of releasing security updates.
But of course, you're not going to see that since such an analysis can't be plotted in an Excel spreadsheet.
Exactly. If you look at the secunia pages, you'll notice that all of the advisories are from things bundled in Windows or MS Office.
The Red Hat advisories include vulnerabilities for Perl, emacs, xpdf, vim, PHP, acroread, ruby, etc.
Red Hat has vulnerabilities for multiple programming languages, multiple mail servers, multiple PDF viewers, and so on. Many of the Linux vulnerabilities are for programs that have Windows versions, but aren't reported as such. Many other Linux vulnerabilities are for programs that aren't included on Windows at all, and are therefore not reported (I don't see any Adobe Acrobat vulnerabilities for Windows).
So comparing the two pages as if they represent equal things is ridiculous.
I've come for the woman, and your head.
MS like most corporations know that the truth does not matter to Americans. Americans believe what they want to believe no matter what the facts are.
History also shows that any lie that is repeated enough becomes indistinguishable from the truth.
This is true in politics, it's true in entertainment and it's true in business.
Get a free Mac Mini
We can choose which of the "bundled" apps to install.
Windows users can't without jumping through MAJOR hoops. (Microsoft claims it is not possible at all, but software like Win98Lite showed people otherwise).
Windows - We cannot install Windows without installing IE.
RedHat, Gentoo, whatever - Lynx, Galeon, Firefox, Mozilla - What browser do you want to use today? Or maybe you don't want any at all! You can make that choice.
retrorocket.o not found, launch anyway?
Doesn't everyone do this? Are people really so adamant about having that stupid 300 day uptime that they don't bother doing any testing?
I found the secret long ago that to maintain maximum customer-facing uptime, you never have a single server perform any task. Instead, you use multiple load-balanced servers, with enough redundancy and survivability to handle one server going down for a scheduled reboot. Th euptime on the individual servers becomes nearly meaningless, as the service uptime is what is really important.