MS Security Chief Says Windows is Safer Than Linux
Kip Winger writes "Mike Nash, Microsoft's Chief Security Executive, has made claims that Windows is more secure than Linux. In a recent online chat, he staunchly defended Microsoft's record on security, basing part of his argument on how Windows Server 2003's 15 patches in the past year are far less than what RedHat or SuSE have had to endure." He also mentioned the recent purchase of Sybari and their Antivirus product.
the patched that they should have done?
Microsoft is basing that claim on the number of patch distributions, not on size or severity. Cute. So, just because they (usually) wait up to a month to release a patch, somehow they are better? FUD never had so much meaning. I'd be outraged, but words like this are so expected.
The force that blew the Big Bang continues to accelerate.
when the machine is turned off.
If anyone from Microsoft said anything to indicate that their software is in any way inferior to other software, it would hurt their marketing.
Knowing this, their only option is to claim that they have the best software.
If you can just manage to say something that gets picked up by major news organizations, then it might make it come true.
Or at the very least, you might at least fool some people enough to continue to give you money.
I'm a big tall mofo.
My Linux computer is so overrun with spyware and viruses that it is completely unusable, and it is firewalled.
I connect my freshly installed XP system directly to the internet and I can go months before I get any malicious programs on my computer.
hmm, or do I have that backwards?
Paying taxes to buy civilization is like paying a hooker to buy love.
We see these posts trumpeted by entities like Slashdot. Is it warranted? Does Redmond have any credibility on things like this left? Should we be paying any more attention to this sort of behavior than to just consider what MS is doing? :\ I'm more interested in the well thought out comments all-y'all have.
Sam
FUD on the horizon, sir ;-)
- if you compare RedHat/SuSE then you have to compare it to Windows Server + complete BackOffice + complete Visual Studio + complete MS Office and you still are not close enough...
- I'd be interested in average time to fix critical bugs...
- also the number of known unfixed critical bugs will be interesting (incl. IE on Windows)
I think we need a new section for these stories. I propose we call it 'Flamebait'.
UNIX/Linux Consulting
"Mike Nash, Microsoft's Chief Security Executive"
What does everyone think he's supposed to say? Windows security is inferior to Linux? He'd lose his job.
My sig of choice is Marlboro
"Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."
This actually brings up an interesting point. Does Windows have fewer bugs (I know, I know) than these Linux distros? Or are Red Hat and Novell more proactive in fixing the bugs they do have? Unfortunately, my guess is most PHBs would think the former.
It's "no one," not "noone." Who the hell is noone anyway?
...when the world stopped laughing, it was revealed this person might have some sort of conflict of interest, being that he works for MS and all....
Microsoft's top security honcho insisted Thursday that Microsoft "is making progress on security using any reasonable metric."
What is a 'reasonable metric'? Is that one that only provides the results that one wishes to see, or is that a metric provided by a reputable security organization that is known for being extremely truthful and accurate in its results?
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
Windows 2003: Currently, 5 out of 44 Secunia advisories are marked as "Unpatched" in the Secunia database. Red Hat: Currently, 0 out of 133 Secunia advisories are marked as "Unpatched" in the Secunia database. I think I would rather take a system that is all patched than one that is unpatchable.
Linux might have more security holes within the release times but I feel the Linux patches are more proactive than reactive.
When Microsoft releases a patch it's usually because thousands of users have already been complaining about something and they have to address it in a reactive mode. In Linux, someone makes a discovery of a security flaw, contacts the vendor, and it's usually patched within a couple of days. Note that within that discovery, everyone is still happy as a clam because there haven't been 50,000 trojans trying to exploit it.
If there's only 15 for 2003, then why does that secunia link list 44?
Notably, the RedHat and Suse links list a higher number of vulnerabilities, but also state that there are ZERO unpatched security holes.
Surprisingly, the Windows 2003 product still has unpatched holes.
(This is not a rant, merely a description of what happened to me recently:)
1. reboot computer - It'd hung running something that rhymes with Titborrent.
2. Login prompt -log in
3. Get a start button, click on it to start a browser
3a. lose focus as MS is saying AVG isn't turned on. (It's not?)
4. Hit start again to get a browser
4a. Lose focus again as AVG says it's not working.
5. Press start to start a browser.
5a. Lose focus as the UPS monitoring tool advertises that it's HERE! PRESENT! ACCOUNTED FOR!
6. Press Start to get a browser.
6a. Lose focus AGAIN as MS spyware gives me a status update.
7. go over to the iBook, it doesn't Constantly Interrupt Your Train of Thought At Every Opportunity!
"Draco dormiens nunquam titillandus."
People are funny.
Microsoft is a corporation. It needs a base of support to exist. Pausing in its creation of "new and improved!" products to backtrack and actually fix anything is not additive to the bottom line (profit).
Therefore, MS will never fix anything. They will merely use PR to promote their products. If falsehoods are created and spread, they will focus on the person who created that lie, not the legal individual Microsoft. (Corps. are equivalent to living people in most states but that's a rant for another time.)
Q.E.D., nothing to see here. Move along.
This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
Second, comparing Internet Explorer (IE) and Firefox indicates that Windows is likely more bug ridden than major open-source software like Linux. I have used both IE and Firefox. From my experience of visiting thousands of pornographic sites laden with naked women beckoning you to "enter" their site (and other things), I can definitely say that IE is chock full of security problems. After 1 week of pornographic surfing with IE, my entire system (browser and OS) becomes infected with malware -- to the point that I must reload Windows. I have yet to experience the same problem with Firefox.
The only thing that I hate about Firefox is that it is very slow, probably due to the fact that my computer system has limited DRAM and that Firefox must swap to disk more often than IE. Such is the price that I must pay to enjoy porn.
Just think...If MS were to not release *any* security patches at all, they could use that figure as absolute proof that Windows is more secure than anything else out there!
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
Hopefully the Linux community can move forward with SELinux, or some other system that has mandatory access controls. Once that is properly in place Linux will have a significant tangible security advantage over Windows.
Yes, Fedora currently has SELinux in the default install. Unfortunately they have had to use a fairly permissive policy because too many applications and libraries don't properly respect the sort of security bounds that ought to be in place. Right now SELinux on Fedora is like user account permissions on Windows. While it is technically there, the majority of applications simply aren't written with it in mind (e.g. all those Windows apps that need to run as Administrator), so in practice it doesn't do much.
SELinux is done though, and Fedora has integrated it in nicely (including into the rpm system). What is needed now is for all those open source developers out there to realise that there is a new level of security, other than just file permissions, that they need to consider and respect. If they can just restrict where they write files to, and what files they want to access, to the minimum required, that would be great. If they can compartmentalize operations so that each can run as a separate process with least privilege, all the better. This is work that needs to be done though.
Once such things are seriously in place all this harping by Microsoft about "Windows being more secure" will be so obviously the hot air that it is that we won't even have to worry about it anymore.
Jedidiah.
Craft Beer Programming T-shirts
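The least-privilege practice the post above asks for (confine where a component writes, and do the risky work in a separate process with minimal rights) is shown here as an added Python example; it is not code from the post, from Fedora or from the SELinux project. The WritePolicy class, the key=value parser and the payloads are constructed stand-ins, and the rlimits applied in the worker are an application-side illustration of the confinement an SELinux domain would enforce in the kernel.

```python
"""Least privilege in application code (added example, not from the post):
a write-path allow-list and a worker process with tightened limits.
Paths, the parser and the payloads below are constructed."""
import os
import resource
import tempfile
from multiprocessing import Pipe, Process


class PolicyViolation(PermissionError):
    """Raised when a component tries to write outside its allowed directories."""


class WritePolicy:
    """Allow-list of directories a component may write to. This is the
    application-side restriction the post asks developers to adopt; it does
    not replace a kernel MAC policy, it keeps the program within one."""

    def __init__(self, allowed_dirs):
        self.allowed = [os.path.realpath(d) for d in allowed_dirs]

    def check(self, path):
        real = os.path.realpath(path)   # collapses ../ and resolves symlinks
        if any(real == d or real.startswith(d + os.sep) for d in self.allowed):
            return real
        raise PolicyViolation(f"refusing to write {path!r}: outside allowed dirs")

    def open_for_write(self, path):
        real = self.check(path)
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        return os.fdopen(os.open(real, flags, 0o600), "w")


def parse_untrusted(payload):
    """Stand-in for a risky parser: key=value lines, strict on format."""
    text = payload.decode("utf-8")             # raises UnicodeDecodeError on junk
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.isidentifier():
            raise ValueError(f"malformed line {line!r}")
        fields[key] = value.strip()
    return "".join(f"{k}={v}\n" for k, v in sorted(fields.items()))


def _worker(conn, policy, scratch, payload):
    """Child process: tighten its own limits first, then touch untrusted data.
    The parent never parses the payload, so a parser bug is confined here."""
    try:
        resource.setrlimit(resource.RLIMIT_FSIZE, (1 << 20, 1 << 20))  # 1 MiB output cap
        resource.setrlimit(resource.RLIMIT_CPU, (2, 2))               # 2 s CPU cap
        result = parse_untrusted(payload)
        with policy.open_for_write(os.path.join(scratch, "out.txt")) as f:
            f.write(result)
        conn.send(("ok", result))
    except Exception as exc:
        conn.send(("error", type(exc).__name__))
    finally:
        conn.close()


def run_confined(payload, policy, scratch, timeout=5):
    """Run the parser in a separate least-privilege process and collect its verdict."""
    receiver, sender = Pipe(duplex=False)
    proc = Process(target=_worker, args=(sender, policy, scratch, payload))
    proc.start()
    sender.close()                              # only the child writes to the pipe
    verdict = ("error", "Timeout")
    if receiver.poll(timeout):
        verdict = receiver.recv()
    proc.join(timeout)
    if proc.is_alive():
        proc.kill()
        proc.join()
    return verdict


def demo():
    """Exercise the policy with constructed inputs; returns a dict of outcomes."""
    scratch = tempfile.mkdtemp(prefix="confined-")
    policy = WritePolicy([scratch])
    results = {
        "good": run_confined(b"b=2\na=1\n", policy, scratch),
        "bad_bytes": run_confined(b"\xff\xfe", policy, scratch),
        "malformed": run_confined(b"no equals sign\n", policy, scratch),
    }
    try:
        policy.check(os.path.join(scratch, "..", "escape.txt"))
        results["escape"] = "allowed"
    except PolicyViolation:
        results["escape"] = "blocked"
    results["output_written"] = os.path.exists(os.path.join(scratch, "out.txt"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the parent keeps the minimum it needs (a pipe and a verdict) while the child, which is the only process that touches untrusted bytes, lowers its own limits before doing so; a crash or runaway loop there costs one worker, not the service. The allow-list resolves paths before comparing them so that `../` and symlinks cannot route a write outside the scratch directory.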
The 95% of those out there that are 'unenlightened' when it comes to computers and technology probably wouldn't even question M$'s claims. "Oh, Microsoft says they've issued fewer patches for Windows than others did for Linux and thus Windows is safer. I'm glad to have someone trustworthy to tell me these things!". (-_-)
Because M$ is more reputable than Red Hat or Novell, the general public will much more likely consider their claims to be true. Oh well. At least it makes for a good laugh for us /.ers.
Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
This is an argument that can largely be debated on a variety of levels. Honestly? Linux and ultimately Unix of any flavor has just as many vulnerabilities as Windows does. Difference -- typically most of those vulnerabilities are patched and assessed before they take effect.
Just do a search for Sendmail Vulnerabilities on google.
Result =
Results 1 - 10 of about 143,000 for Sendmail Vulnerabilities. (0.39 seconds).
for Microsoft
Result =
Results 1 - 10 of about 364,000 for Microsoft Exchange Vulnerabilities. (0.18 seconds).
You can have this discussion for days on end, and really, what the *nix community has up on the M$ community is knowledge and ability. No, there aren't any viruses that are successfully written for *nix. Spyware isn't even remotely a concept to a Linux user. And most vulnerabilities get patched as quickly as they are given POC. Does this mean that Linux users patch any more or less than Windows users? No. But we do it more efficiently and with greater success.
Stability wise, come on. I've got a Red Hat 7.3 box that, barring power failures, hasn't been rebooted in over a year. It's a good box; it would probably take an Arkady Rossovich low yield nuke on its head and still live, and I don't know of any Windows box that's able to admit that.
"God of Rock, thank you for this chance to kick ass. "
"If you can just manage to say something that gets picked up by major news organizations, then it might make it come true.
Or at the very least, you might at least fool some people enough to continue to give you money."
Correct. It's called PR, and it works. Microsoft does it all the time, spewing out completely false or misleading statements knowing those will get the headlines. Corrections get buried on page 17.
The Bush administration has carried this out to a fine art. They make a grandiose announcement they know is completely false at the time ("the cost of the Medicare drug program will be X billion.") knowing that by the time the real number gets out it will get buried in the news. They even use fear to get what they want ("Social Security is broken.") as does Microsoft ("Linux is not as safe.")
Here's another example of making stats say what you want.
Sure, WINDOWS only had 15 patches in the last year. However, IE6 had how many (at least another 18-24), Remote Desktop Connection on 2k3 Server had 2 security fixes, IIS had about 6 patches....
Need I continue?
Fact is, yes, Windows had 12 updates in a year, but its components had many more.
And also looking at the time from exploit discovery to fix, not looking good for them there either.
DarkMantle I been bored, so I started a blog.
Perfect, let's start rating the security of our products by how many patches have been written and applied. What does this kind of numbers game encourage?
(1) Don't write a patch, since that admits failure or insecure products.
or
(2) Wait a long time before writing and committing a patch, so you can do it as "one big patch" (otherwise known as, haha, a Service Pack!).
Thanks Microsoft! Just your STATEMENTS make systems less secure (nevermind your engineering).
Secunia totals are...
Server 2003; 5 unpatched of 44
Office; 2 unpatched of 7
Exchange 2003; 1 unpatched of 3
IIS 6; 1 unpatched of 3
SQL Server 2000; 1 unpatched of 10
Total; 10 unpatched of 67
Apologies for the crap formatting, /. should let me use tabs. So there.
Justin.
You're only jealous cos the little penguins are talking to me.
Regardless of how many programs you install on your server, comparing the number of patches released by Red Hat/SuSE in a given time frame, which covers all applications in the entire distribution regardless of whether you have them installed, to the number of patches released for Windows Server 2003, which pretty much only covers the OS, web browser, and web server, is beyond ridiculous.
Not to mention Microsoft's tendency to roll up multiple patches into one, something Red Hat/SuSE can't do because they don't know which packages you have installed, so bugs that affect different packages can't be combined.
If I don't put anything here, will anyone recognize me anymore?
Put identity in the browser.
But Windows tends to roll a lot of stuff into single programs, whereas the Unix world has a culture of heavy factoring of software tools.
With all of these different tools, and the admin's freedom to install only the tools he/she feels are needed, the Linux world ends up having to create separate security updates for separate tools, where Microsoft tends to release gargantuan security packs that are really a whole mess of patches rolled into one package.
On a similar note, most of the Linux tools come from all sorts of sources operating more or less independently. This would make it all but impossible for you to find a file that includes security updates for both, say, wu-ftpd and Apache.
And the list goes on. The reality is, the model for releasing security updates in Windows is vastly different from the model for releasing them in Linux, and one is naturally going to create at least one order of magnitude more discrete security updates. (If I started seeing updates for my software on Linux only as often as I was seeing security updates from Windows, I would think that something is seriously wrong.) What Mr. Nash really needs to be comparing is the relative advantages of the two different models of releasing security updates.
But of course, you're not going to see that since such an analysis can't be plotted in an Excel spreadsheet.
Exactly. If you look at the secunia pages, you'll notice that all of the advisories are from things bundled in Windows or MS Office.
The Red Hat advisories include vulnerabilities for Perl, emacs, xpdf, vim, PHP, acroread, ruby, etc.
Red Hat has vulnerabilities for multiple programming languages, multiple mail servers, multiple PDF viewers, and so on. Many of the Linux vulnerabilities are for programs that have Windows versions, but aren't reported as such. Many other Linux vulnerabilities are for programs that aren't included on Windows at all, and are therefore not reported (I don't see any Adobe Acrobat vulnerabilities for Windows).
So comparing the two pages as if they represent equal things is ridiculous.
I've come for the woman, and your head.
Is it just me or was the story about 10 stories down about how spyware can disable Microsoft's Antispyware and take your cc #s, passwords, etc. I have been using a copy of linux on one of my exposed servers for several years without patching and without any significant security configuration at boot and it runs like a dream! [Although I like my OpenBSD machines better :-D]
http://www.brentcastle.com
"Of course, we didn't evaluate them with the network cables plugged in. We didn't want the Internet to skew our results. There's some dangerous shit out there."
Not to mention the fact that Windows bundles their bugfixes in a few patches, whereas Linux fixes each problem separately. You could argue that the former option makes it easier for administrators, but with a proper Linux system, most patches will be applied automatically (or at least effortlessly). MS patches tend to require a system reboot, while security upgrades in Linux usually only require a restart of the program being patched. Besides, patching each bug individually allows for much faster response, and makes tracking easier.
-3Suns
~~~~
The Revolution will be Slashdotted
We can choose which of the "bundled" apps to install.
Windows users can't without jumping through MAJOR hoops. (Microsoft claims it is not possible at all, but software like Win98Lite showed people otherwise).
Windows - We cannot install Windows without installing IE.
RedHat, Gentoo, whatever - Lynx, Galeon, Firefox, Mozilla - What browser do you want to use today? Or maybe you don't want any at all! You can make that choice.
retrorocket.o not found, launch anyway?
Usually the make install of a new kernel reruns LILO anyway. I use LILO on some servers and GRUB on others.
Usually a bigger issue is that you installed some critical service but forgot to enable it either by dropping symlinks into /etc/rc.d/ or using chkconfig.
When one of my servers needs any new services installed or kernels patched, I actually schedule reboot testing. In fact essentially all of my reboots are due to this testing. It does cut into uptime but it means that when I need it, it will be up.
LedgerSMB: Open source Accounting/ERP
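A pre-reboot check in the spirit of the post above, written here as an added Python example rather than the poster's own tooling: it parses a SysV rc tree (the `# chkconfig:` header in each init script and the `S##name` link naming in `rc<N>.d`) and reports required services that have no valid start link, installed scripts that declare this runlevel but were never enabled, and dangling links that init would trip over at boot. The rc tree, the service names and the headers are constructed in a temporary directory so the check runs offline.

```python
"""Pre-reboot audit of a SysV rc tree (added example, not the poster's code).
The rc tree, service names and chkconfig headers below are constructed."""
import os
import re
import tempfile

LINK_RE = re.compile(r"^S(\d\d)(.+)$")
CHKCONFIG_RE = re.compile(r"^#\s*chkconfig:\s*(\S+)\s+(\d+)\s+(\d+)", re.M)


def declared_runlevels(script_path):
    """Parse '# chkconfig: <levels> <start> <stop>' from an init script header.
    Returns the set of runlevels the script wants, or None if there is no header."""
    with open(script_path) as f:
        m = CHKCONFIG_RE.search(f.read(4096))
    if m is None:
        return None
    levels = m.group(1)
    return set() if levels == "-" else set(levels)


def scan_runlevel(rc_root, runlevel):
    """Return ({service: start_priority}, [dangling link names]) for rc<N>.d."""
    rcdir = os.path.join(rc_root, f"rc{runlevel}.d")
    enabled, dangling = {}, []
    names = sorted(os.listdir(rcdir)) if os.path.isdir(rcdir) else []
    for name in names:
        m = LINK_RE.match(name)
        if m is None:
            continue                      # K-links and stray files are not start entries
        target = os.path.realpath(os.path.join(rcdir, name))
        if os.path.isfile(target) and os.access(target, os.X_OK):
            enabled[m.group(2)] = int(m.group(1))
        else:
            dangling.append(name)         # init would log an error here at boot
    return enabled, dangling


def audit(rc_root, runlevel, required):
    """Compare what must come up at boot with what the rc tree will actually start."""
    enabled, dangling = scan_runlevel(rc_root, runlevel)
    initd = os.path.join(rc_root, "init.d")
    never_enabled = []
    for script in sorted(os.listdir(initd)):
        levels = declared_runlevels(os.path.join(initd, script))
        if levels and str(runlevel) in levels and script not in enabled:
            never_enabled.append(script)  # installed, wants this level, no S-link
    return {
        "enabled": enabled,
        "missing_required": sorted(s for s in required if s not in enabled),
        "never_enabled": never_enabled,
        "dangling": dangling,
    }


def build_fixture():
    """Constructed rc tree: sshd and ntpd enabled, httpd installed but never
    enabled, and a stale S-link to a script that has been removed."""
    root = tempfile.mkdtemp(prefix="rc-")
    initd = os.path.join(root, "init.d")
    rc3 = os.path.join(root, "rc3.d")
    os.makedirs(initd)
    os.makedirs(rc3)
    headers = {"sshd": "2345 55 25", "ntpd": "2345 58 74", "httpd": "2345 85 15"}
    for svc, header in headers.items():
        path = os.path.join(initd, svc)
        with open(path, "w") as f:
            f.write(f"#!/bin/sh\n# chkconfig: {header}\n# description: {svc}\nexit 0\n")
        os.chmod(path, 0o755)
    os.symlink("../init.d/sshd", os.path.join(rc3, "S55sshd"))
    os.symlink("../init.d/ntpd", os.path.join(rc3, "S58ntpd"))
    os.symlink("../init.d/ntpd", os.path.join(rc3, "K74ntpd"))   # stop link, ignored
    os.symlink("../init.d/stale", os.path.join(rc3, "S90stale"))  # dangling
    return root


def demo():
    """Run the audit against the constructed tree for runlevel 3."""
    return audit(build_fixture(), 3, required=["sshd", "httpd"])


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real host you would pass `/etc/rc.d` (or `/etc` on distributions that put `init.d` and `rc3.d` directly there) and the runlevel from `runlevel`; anything in `missing_required` or `dangling` is exactly the kind of surprise the post schedules a reboot test to catch.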
See screenshot: here
HTH.
The following sentence is true. The preceding sentence was false.
MS employee says Windows is safer because using Linux puts him in danger of being fired.