6 Months On, Vista Security Still Besting Linux
Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"
Point me at the problems in Linux and I'll fix them.
What? Can't do that with Vista?
I'll take Linux, thank you.
I don't know the meaning of the word 'don't' - J
Jeff Jones ... This time he did what the Linux community had asked.
He went and f*cked himself?
I'm switching.
What build was it tested on, does it say? I would check, but am at work...
And I've forgotten my password too...
One comment and it's already dead - and not a cache link to be seen. Oh well, tune in tomorrow...
Full: http://216.239.51.104/search?q=cache:l2ZWLi31QdIJ:blogs.csoonline.com/node/218+http://blogs.csoonline.com/node/218&hl=en&ct=clnk&cd=1&gl=us&client=firefox-a
Text only: http://216.239.51.104/search?q=cache:l2ZWLi31QdIJ:blogs.csoonline.com/node/218+http://blogs.csoonline.com/node/218&hl=en&client=firefox-a&gl=us&strip=1
Sure, if EVERY action you do prompts a "You are clicking your mouse, cancel or allow", or some other message, sure that is security, but then you are left with a crappy user experience. I think Linux and Mac have got a better balance between allowing actions in user mode without authorization and actions requiring authorization.
Sorry - the previous google cache link was to the 90 day writeup, not the 6 month writeup. Here's the text of the 6 month writeup... (site is very slow right now).
;-)
...
Windows Vista - 6 Month Vulnerability Report
Submitted by Jeff Jones on Thu, 2007-06-21 11:53. Topic(s): | Client | Corporate Management | Information Security | Operating Systems
I was somewhat surprised (but pleased) at the level of interest back when I published my Windows Vista - 90 Day Vulnerability Report. It was about the earliest span of time I thought might give us some indicators, and the indicators did look good. (Though, I did not give us an "A+", in spite of some of the attributions
Six months is a much more interesting time frame, and gives us the opportunity to see if the early trend indicators are holding up, or if the early signs of progress were a short-term gain. Also, I thought it was worth going a little deeper in the analysis to look at the total fixed and unfixed vulns as I did last time, plus these additional views:
* Include a comparison view of Linux distribution workstation builds that excludes vulnerabilities in non-default optional components as well as OpenOffice and other applications that do not have equivalents on Windows XP.
* Include a comparison view that excludes Low and Medium severities to just focus on High severity vulnerabilities fixed and unfixed in the first 6 months, and
* A comparison view that combines both of these
For the full details, or to print the report, you can download the report in pdf.
For those that only want the executive summary, here is a key chart that shows the publicly disclosed High severity vulnerabilities during the first 90 days of availability, broken down by vulns fixed and vulns unfixed. Note that this chart is showing the reduced Linux builds that exclude non-default and optional components without equivalents on Windows. (Clicking the chart also gets you to the full report.)
High Severity Vulns, Fixed and Unfixed in First 6 Months of Windows, Red Hat, Novell SUSE, Ubuntu, Apple Mac
The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6 month mark compared to its predecessor product Windows XP (which did not benefit from the SDL) and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process).
If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive. If you don't share that opinion, then they still stand on their own.
Read, Enjoy, Forward.
Best regards ~ Jeff
Full Disclosure: I work for Microsoft - read my previous blog post, Exactly how biased am I?.
Also, I'd like to make a shameless plug for my other blog, http://blogs.technet.com/security, where I sometimes post more personal entries such as The Saga of My Luggage & British Air and Building My Windows Vista Media Center - Part 1 - The System.
...as popular as Linux, then it will be targeted, too. Or something like that.
http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html Updated response "Jeff Jones Vista security progress."
This should be a wakeup call to all those businesses holding back on Vista migration. Vista is clearly the better choice.
Greets
UbuntuBoy
This is stupid, Linux as a distro is a complete solution from A-Z ... Vista is a bit of a solution as its just an operating system with limited services. Why did he do it to Vista anyway? shouldn't he be doing it to a server edition of Windows?
When I see a Windows system and a Linux system that do exactly the same things and have the same purpose software installed on them, I can see the viability of the test.
Further, malware runs rampant in Windows, and nearly 50% of Vista's vulns were not patched, whereas regardless of how many Linux has, they get fixed when found. More secure? You tell me: is a nightclub more secure when the bouncer only kicks out half the troublemakers, while a tougher and meaner club down the street deals with all of them?
Contradicts another post on the front page http://it.slashdot.org/article.pl?sid=07/06/27/0018252/. If Vista is on top, then how could Microsoft Security be one of the worst jobs? What, are they doing too good of a job???
I eat Karma for breakfast, lunch, and dinner. That's why I don't have any.
Article seems to be slashdotted already. I think the real security test will be outside the lab in the hands of the common user. If one of the major factors in determining the security of Vista was based on Microsoft's allow/deny pop ups, then just how secure will Vista be in a year or less when the common user is tired of seeing those boxes and just starts clicking 'Allow' and lets everything through? The OS is as secure as its user is vigilant and when the user becomes apathetic to security concerns the OS loses whatever edge it had against trojans, root kits, backdoors, viruses, etc.
Look, Everybody! A company is trying to use statistics to make themselves look good, when that's not necessarily the case!
Nothing to see here, please move along...
http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html
Looks like there are several errors with the method the blogger used to evaluate security flaws
This has already been analysed at microsoft-watch, and several flaws are pointed out there, the most basic one being that counting flaws is not a good measure of security anyway.
I can explain it for you, but I can't understand it for you.
On the back of recent news that less than half of Vista "issues" have been patched, let alone publicly announced, we get another article touting the merits of two things that can't be directly compared.
Sometimes I see Open Source kicking itself in the face with all the transparency it offers, yet I'm overwhelmed with a sense of pride and happiness that communities can develop such a transparent process in the public eye.
Discovering problems and exploiting them in a closed source product is quite a daunting task - I'd say almost 4 times as much work as exploiting a system where you can compile debug symbols into the binary, and nothing short of 1000 times harder than if you had the source code. What these "reports" and discoveries show is that layers of obfuscation act to confuse people as to the actual level of vulnerability you're exposed to.
There are many vulnerability hunters out there, now, employed by governments across the world simply to "dive in" at a deepend of closed applications looking for exploitable code - closed source simply means that only wealthy, bigger teams will be successful. Open Source means that anyone can help thwart these hunters, makes vulnerability research fair game, and most importantly, accepts community involvement into the fixing and pre-emptive policy that makes OS software better software.
Matt
One canard trotted out by MS defenders *used* to be "Windows has more vulnerabilities discovered because it's so popular, everyone attacks it!". Watch for that line to be modified in the coming months as more MS proponents switch to "it's more secure by design". Keeping the "only more vulnerabilities discovered because it's so widely installed" would imply that Vista is not widely installed/used, which is not good PR.
So, when Linux had fewer vulnerabilities, it was because it was obscure. When Vista has fewer vulnerabilities, it's because it's fundamentally more secure. I'm not trying to be sarcastic here - it may very well be *true*. It's just something to keep in mind as you watch the never-ending stream of these 'vulnerability/exploit' reports come out every few months.
According to Netcraft it's running Linux ;)
64.28.79.84 Linux Apache/2.0.46 Unix PHP/4.3.3 13-Mar-2007
I guess you know you're trolling, and that's why you posted AC. I'm going to bite anyhow, even though I know better.
m l
Yes, Linux is not entirely user friendly yet. No denying that. But maybe you mean 1%, as you said... It's not really a good troll your way.
And yes, apt-get is a -lot- easier. Why? Because you left the steps out on the Windows side where you search for some utility on the web and have to wade through search results that mean nothing and attempt to find what you want, or you could just apt-get install it. 1 step, not several.
As for your game installation example, maybe you should pick something actually made FOR Linux, instead of hacked onto it later. Darwinia, for example: http://www.darwinia.co.uk/downloads/demo_linux.ht
Check out those complicated instr... err, no. You just download and run the file. Okay, you have to make it executable first. Just a bit of security there. At least it didn't ask you 'cancel or allow?' about 5 times.
Including the steps to set up video properly is a bit disingenuous unless you include the steps for Windows as well. Including finding and downloading the proper drivers for sound, video, motherboard chipset, etc. Is it easier on Windows? A bit, yes. But the steps still exist.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
There are still a lot of problems with this 'comparison'. For instance:
- The 'reduced feature set' used for the comparison still contains a lot of software not include with windows
- All information is based on what the company behind the software discloses. I believe that not all holes in Vista that MS knows about are disclosed. It is also not unlikely that what Microsoft calls 'critical' is not the same as what Canonical calls 'critical'. In any case, different measures are used for the different OS's, and you can't compare things that are measured in different ways.
- The usual 'less known holes != safer' discussion...
I personally don't know which OS is safer, but based on these numbers, I am not going to draw any conclusions.
Jan
Why should I care whether or not people run Linux, or Windows, or *BSD, or Mac OSX, or Novell, or freakin' Amigas? At home.
Run whatever the fuck you want.
The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
Let's see a list of the vulnerabilities that make up those graphs so we can evaluate how accurate they are.
I'm a mac guy (which is why I post anonymously).
All the time I hear windows users say "Of course we have more security issues, we're a bigger target. No one wants to mess around with the handful of people that run macs."
So following that line of logic, does this mean Vista is so unpopular even hackers can't be bothered with it?
This actually looks like a fair comparison.
On the other hand, nobody's vetting the Vista source right now. And there's no indication of what the various vendors mean by "High Priority" -- is it something that only the locally logged in user could trigger? Is it a vulnerability that would allow for remote exploits? Is it a remote attack at all, or does it just open up the possibility for trojans?
What we'd need is an independent service listing the vulnerabilities and ranking them themselves using the same criteria for each operating system. Until that comes out, I'll say Vista is more secure for now. But as crackers become more familiar with the system, the rate at which new vulnerabilities in Vista are identified will increase.
He's not comparing vulnerabilities - he's comparing vulnerability disclosures.
It's not a measure of how secure the OSes are - it's a measure of how secretive the makers of the OSes are.
....
I installed Quake 3 on my first day of Linux. Copied the files from the disk, ran the Linux stuff from Id. In all I had to use 3, maybe 4 commands total, and the only web site I went to was Id's site. It was basically the first thing I installed after doing my Red Hat installation. I never really got into using Linux, but it's not the quagmire you believe it to be.
You mad
1. Vista isn't exactly in widespread use. The sort of people who poke holes in Windows and use it for spam bots etc will concentrate on XP for now as it is much easier. The anti-piracy and activation make pirating Vista a little harder, again this means the low life will not use it for a while.
2. Linux is easily available to all. Plus people identifying security holes are helping out, they do it to improve the product. They would do this for Windows too, but they don't have access to the code.
3. Mac OS uses a lot of open source tools, gcc, samba etc.. these have bugs and holes identified from time to time. So Apple naturally has to plug them.
"I was shocked"
Perhaps you were, and cue the trolls and me.
I got my first Mac 3 months ago (a MacBook Pro) and I am not going back to Windows, perhaps Linux (I replaced my Windows desktop with Ubuntu at work a long time ago).
But of course this is /. so I am not the average user.
Microsoft must be happy with the huge userbase that happily has bought their products for years until the day they could finally get what they were promised. Of course I am now trolling here, I have not tried Vista so I don't know anything about how good it is, but the story seems to be repeating itself for every OS release.
Linux Apache/2.0.46 (Unix) PHP/4.3.3
lol
Yeah, what's up with Apache being such a RAM memory hog? I recommend the author switches to lighttpd or nginx.
Zealot: "Oh God, I had to install Quake 3 in Windoze for some lamer friend of mine! God, what a fucking mess! I put in the CD and it took about 3 minutes to copy everything, and then I had to reboot the fucking computer! Jesus Christ! What a retarded operating system!"
Wait a minute. You had to reboot because you installed a game? WTF. Now THAT is a retarded operating system.
Also, that "classic" troll really needs updating for this decade. Might as well include a flame about how you had to recompile your kernel to get your Soundblaster Pro to work.
A good way to reduce the possibility of malware affecting you in Linux is to run your browser as another user. It's easy to set up, almost pain free, and means that, barring local root exploits, it can't delete/alter your data, modify your login scripts etc.
I'm sure it's possible to do in Windows - runas firefox.exe - but I haven't tried it.
Vista better be more secure than Linux. Windows is the 'McDonalds' of OS's....it caters to the lowest common denominator. Someone who was able to tune a Linux kernel is not going to download "Stephen Speilberg gets Hilarious Prank Call.mp3.vba" off Limewire. Even if Vista was more secure, its because the users need to be protected from themselves.
..finds out that Microsoft OS is the best OS out there. I must say, I'm shocked!
I'm still not buying Vista. I have an OS that does what I want and works well. I don't have to pay money for it, and all it requires in return is a bit of patience. It lets me run my applications, does so efficiently, without nag screen, cd keys, and other f'ing hassles.
Tom
Someday, I'll have a real sig.
Quidnam Latine loqui modo coepi?
I had to laugh, but funnily enough, as soon as I posted, the site loaded and I got to read the article, heh heh.
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
I've been running Linux as my desktop exclusively now for about five years. No viruses. No worms. No adware. Oh yeah, and it's free as in beer. The security on it just works. My vendor sets up the firewall for the appropriate level of paranoia "out of the box". Tools for system auditing (chrootkit, nmap, etc...) are usually installed by default. When windows can do all this for free, I'll give it another go. But until then, any such study I see is largely theoretical.
I can't see a value in such a study:
- different software
- different models
- different life cycles
It's 90 days of a new product which uses closed software, at least partially newly written. Even considering the beta cycle it's totally different to products which are partially much older (with all their strengths _and_ weaknesses!), deployed for a long time and available to free analysis.
So there are less breaches in Vista? I hope so! Anything else would have been a disaster. But let's wait and see how it will come out eventually...
cb
The problem is that he is like me; he does not know the enemy's OS. So, what he did was pick through the OS install and decide what sounds like it belongs and what does not.
What is needed is for a Linux distro guy who has good knowledge of Windows (or perhaps somebody from Wine) to re-do this report. And if it shows that MS did a better job on addressing security, I would suggest that the distros need to get their act together. For the last 5 years, the Windows fanboys have run around saying that the # of Windows installs is the attraction for security problems, while those in the know say it has to do with ease of cracking. If this report is real, then Linux just went below MS and that will attract the vermin to us. IOW, we MUST remain above MS in terms of security to prevent having the security attacks that MS has.
I prefer the "u" in honour as it seems to be missing these days.
I approach this as someone who does not know a tremendous amount about how to measure security flaws, or what various security flaws really mean...
But the survey listed also shows Windows XP as the second most secure operating system of the ones surveyed.
I can believe that Microsoft improved their security with Vista. But if they also tell me their security was great with Windows XP, I have to conclude that they're fudging the numbers.
Since Open Source rigorously discloses every flaw known in it, what is the value of comparisons of one Vendor's chosen disclosures versus that which is 100% transparent?
None
Microsoft only discloses what it has to and is often at odds with security researchers about problems only to be proven wrong later. One claim from a blog was that Vista shipped with 60,000 bugs. How many of those are documented for the public?
I can say that on my test certified Vista machine, brand new from Dell, I've already seen the network card totally disappear from the system only to reappear again an hour later. The Broadcom diagnostic tool reported no hardware issues. The Explorer shell still crashes/stalls frequently. Files get locked with no way aside from a reboot to unlock them. Wifi fails to reconnect to the same network it was previously connected to when sspi broadcast for that network is disabled. I just tried restoring a hibernated laptop, previously connected to a domain. Black screen & hard reboot.
Beyond that, on this brand new machine, specced for Vista, Vista is SLOW.
MS, concentrate on making Vista better instead of having people do useless studies. kthnxbye
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
I've been intending to run firefox as another user for some time, so thanks for your guide.
However, there is one security hole that I should point out to you: xhost 127.0.0.1 gives all processes on your system access to the X display, including Firefox and any malware it might execute. This is sufficient to run a keylogger, grab screenshots, etc.
I don't have a good solution for this. If you don't allow Firefox access to X, it can't appear on screen. Copying the .Xauthority file to ~ff instead of using xhost does not solve this, because processes running as ff still get access to X. Running Firefox on a separate X display (e.g. with Xvnc), or better still within a virtual machine, would do the trick - but at the cost of performance and some usability.
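The two comments above describe running the browser as a second user and the hole that "xhost 127.0.0.1" opens; the script below is an added example (not posted by either commenter) showing the tighter alternative: granting the X display only to that one local user via the server-interpreted "SI:localuser" form, plus a check that flags broad grants in an xhost listing. It assumes a local account named "ff", working sudo, and an X server that understands SI access entries.

```shell
#!/bin/sh
# Added example: run Firefox as a separate unprivileged user while giving
# only that user access to the X display. Assumptions: a local user "ff"
# exists, sudo can switch to it, and the X server supports SI entries.
BROWSER_USER="${BROWSER_USER:-ff}"

# Read an xhost listing on stdin and decide whether it grants X access
# more broadly than to individual local users.
#   "access control disabled"  -> "xhost +" was run, anyone may connect
#   INET:/INET6: entries       -> host-wide grants (what xhost 127.0.0.1 adds)
#   LOCAL:                     -> every local user, i.e. "xhost +local:"
# Returns 0 when the policy is tight, 1 when a broad grant is present.
xhost_policy_is_tight() {
    if grep -Eiq 'access control disabled|^INET6?:|^LOCAL:'; then
        return 1
    fi
    return 0
}

# Return 0 if the listing already contains an SI:localuser entry for the
# browser user (so no further xhost change is needed), 1 otherwise.
browser_user_already_allowed() {
    grep -Fxq "SI:localuser:$BROWSER_USER"
}

# Audit the live display: xhost with no arguments prints the current policy.
audit_current_display() {
    xhost | xhost_policy_is_tight
}

# Grant the display to the browser user only, then launch Firefox under that
# account with its own HOME so it cannot read or modify the caller's files.
run_browser_as_user() {
    xhost | browser_user_already_allowed \
        || xhost +SI:localuser:"$BROWSER_USER" >/dev/null || return 1
    sudo -u "$BROWSER_USER" -H env DISPLAY="$DISPLAY" firefox "$@" &
}
```

A listing that still contains INET:localhost means the earlier "xhost 127.0.0.1" grant is in effect and should be removed with "xhost -127.0.0.1" before relying on this.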
I keep hearing that Linux isn't user friendly. But people are so used to Windows that they find anything else pretty much alien to them.
But then you read stuff like this and realise it's not as hard as people think.
http://www.cio.com/article/120452
Sure, if stuff breaks it can be hard to put right, but the same is true if your Windows PC won't boot and you don't know much about computers.
As Windows' defenders are wont to say, "Windows only has more known defects because it is the most popular OS." In this case, Linux and OSX have more security defects because they have had more exposure, right?
Just sayin...
Because, most likely you cannot, more than likely someone else won't, and even then you might not apply the fix should it become available.
It's human nature. It's far easier to take an easy shot at someone else than to act. Oh sure, I can say I will fix it, but the fact is it's easier to say so on some message board than to take the action.
Look, with Vista they have a vested interest in correcting the bugs. For those in Linux I cannot overcome, I can only hope someone else sees it as important enough to warrant a fix. That's the crux of it. Sure I could do it, if I had time, if I had the knowledge, if I had the resources. Saying "with Linux you can just change it" is akin to handing someone a bunch of parts and telling them if they don't like the car they can fix it. Being able to use something, having a generalized knowledge of how it works, is all a far cry from being able to actually change it.
So while cheap shots at MS are the forte of many, we can't forget that just because it's open source, it's Linux, that we have the power. The opening is there, just don't expect someone to walk through it.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Why should I care whether or not people run Linux, or Windows, or *BSD, or Mac OSX, or Novell, or freakin' Amigas? At home.
Run whatever the fuck you want.
Because the spambots that have pretty much ruined email are running on window machines.
Cancel or allow?
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
This part has "PR shill" written all over it. No techie would ever write this.
Probably Microsoft has hired some more people to work on "guerilla marketing" techniques, just like they did with the People Ready campaign.
Every expression is true, for a given value of 'true'
I read the post about the worst jobs for a couple of minutes before getting fed up with all the inane comments from people who didn't read the article. It's probably pertinent however:
Do you flinch when your inbox dings? The people manning secure@microsoft.com receive approximately 100,000 dings a year, each one a message that something in the Microsoft empire may have gone terribly wrong. Teams of Microsoft Security Response Center employees toil 365 days a year to fix the kinks in Windows, Internet Explorer, Office and all the behemoth's other products. It's tedious work. Each product can have multiple versions in multiple languages, and each needs its own repairs (by one estimate, Explorer alone has 300 different configurations). Plus, to most hackers, crippling Microsoft is the geek equivalent of taking down the Death Star, so the assault is relentless. According to the SANS Institute, a security research group, Microsoft products are among the top five targets of online attack. Meanwhile, faith in Microsoft security is ever-shakier--according to one estimate, 30 percent of corporate chief information officers have moved away from some Windows platforms in recent years. "Microsoft is between a rock and a hard place," says Marcus Sachs, the director of the SANS Internet Storm Center. "They have to patch so much software on a case-by-case basis. And all in a world that just doesn't have time to wait."
Rather than take his word for it why not just check at Secunia.
Vista
Ubuntu 6.06
"We are all geniuses when we dream"
- E.M. Cioran
I'd just like to say I'm thrilled to be able to say this.
If Vista was a bigger percentage of the PC market, there would be more exploits for it.
Pay back's a bitch, ain't it?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I hate these flipping biased "reports" (from any side). But as far as UAC/Vista goes... anyone who thinks that it actually is worth a d4mn, just go to the command prompt and try to delete that folder that forced UAC authentication. What? It works?? Security my ace.
TODO - Insert Creative/Witty Signature
Yes, because typing in "apt-get" or "emerge" makes so much more sense to new users than double-clicking an icon that says "setup".
There are many new users, more specifically the older ones, that are more comfortable with a keyboard. It looks to them like a high-tech typewriter, which they already are comfortable with. The mouse, on the other hand, often gets astonished looks. I have given up on being surprised when someone asks which is the left button.
It's blame shifting.
It's easy to implement some "security" that is based on asking the user a second time whenever he moves the mouse if he REALLY wanted to move the mouse, and blame him should something bad come out of this movement. So a user getting a rootkit slipped under his ass can be blamed on the user clicking yes, not that there is no distinct difference between user and system space. A trojan's success can be blamed on the user clicking ok, not on debug functions being available on a release system.
That's no security, that's bullshitting the user into thinking it's his fault.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Just like most users, the hackers can't find their way around the new OS, either. Just wait until Service Pack 1 comes out. I hear Vista gets ribbons! Now it will be *really* super-secure.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
I looked at the user comments at the bottom of the article. One juicy tidbit was this link..
http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html
The biggest bug in Windows is between the chair and keyboard. The item in question is gullible, has admin privileges, and can run widely dispensed Windows specific code. As a sample of this, just look at the members of any botnet and the OS in use.
Anything that doesn't run Windows code and has the default of not running admin is more secure than patched Windows in most cases.
Vista still runs Windows code, its biggest fault, but it seems to be driving towards better system security and user permissions.
The truth shall set you free!
Ah, the classic installing Quake 3 on Linux vs. Windows post.
That has been posted several times etc, now by MS fanbois, give or take a few variations.
Too much crap running at PL0 for either to ever be secure. But the false sense of security I get running Linux or OSX far outweigh the pain and slowness of running Windows after 6 months.
I run both, but have yet to try WoW on linux, is it even possible???
If so, then I may make the ever eternal switch and become a linux only user.
Only to idiots, are orders laws.
-- Henning von Tresckow
What he's doing is taking the OS as it is installed. Vista and XP have so few programs installed by default. Ubuntu and OS X give you a ton of applications with the OS, so there are more opportunities for security flaws. When it comes down to it, these reports, regardless of their outcome, say what the reporters want them to say. Security is a tricky thing, and every operating system is vulnerable. People should be focusing on better security practices rather than how many flaws there are. And companies should focus, not on how many flaws they have, but how quickly they can patch those flaws, especially when they are the sole patchers in the case of proprietary operating systems.
That is the typical Linux community response whenever someone suggests MS might have done something right. To listen to the wails you'd think that taking a PC loaded with a fully patched XP onto the net is like walking into a pit bull farm with meat hanging off you. Vista, well, it's just awful, the worst thing in the world. OSX, well it's better - because it is not MS. Google, well bless us all. If anyone can make Linux popular, it's them. None of that is true really. XP is not a jalopy about to fly apart, nor is Vista Hitler's OS.
Does Linux have vulnerabilities, sure it does, it was made by humans. It gets patched occasionally as required, when the community does it. Does XP or Vista have vulnerabilities, yes, and that's why patch Tuesday exists. Apple too does fixes.
I am getting as tired of the Vista is bad hype as much as the iPhone hype.
Reality is, the OS is only as secure as the user. If the user is a dummy, they will screw up anything. Linux is dangerous to some of these people because they will dick with stuff they don't understand and bugger the system sideways. OSX is more secure because Apple does all it can to make you colour inside the lines. XP began going down that path after SP2, but still isn't that bad.
Vista is MS further down that path. I don't doubt it is more secure. Not because of the UAC (which is a non-issue about a week after ownership and you've set your permission), but because they have locked down the kernel. Screw Google and Symantec about the lock down. People wanted security and that is how you do it. No other way. Try getting Jobs to open Apple's. You'll see how cool Gramps Jobs gets them. Symantec, if anyone can put hooks into a system to bugger it up, it's them. Google, see how evil they are in five years. They are heading towards being the next MS that way. The "don't be evil" thing reminds me of commercials that say banks are your friend.
That all said, I don't doubt Vista is highly secure; it is new, and out there in relatively low numbers. I hope it stays secure. Time will tell. For now, there is no compelling reason to go there. XP is just as good if not better.
In the meantime, some of the Linux community better grow up and start selling the OS on its merits and not selling it on the basis that it is not MS. To most people out there, MS really is a selling point.
Security, that ultimately lies in the users hands in a consumer OS.
Can't they get an impartial and respected analyst like Rob Enderle or Maureen O'Gara to publish their foregone conclusions for them any more? They have to rely on an employee's blog entries?
Jeff Jones is "strategy directory at Mirosoft's Trustworthy Computing group".
What that report and its blatant misuse of statistics shows is only one thing: Microsoft's Trustworthy Computing group employs morons.
Yes, the OpenOffice code base is complex. Show me another application as functionally complex with a similar architecture that's easy to fix.
You also sweep away all of the *many* other ways to participate in a project to help it along.
Finally, nearly all OSS projects are driven by one or two people coding with other contributions (testing, bug reports, documentation, packaging, translations) kicking the projects into high-gear. There are a few that are so big the leaders code contribution is a small part, but that's the rare exception.
OT Rant: OO.org team: please move to GTK+.
If you've ever programmed a Win32 app then you have contributed to the Windows platform. Just because Linux has the luxury of packaging all its platform software into one distro doesn't actually mean that all that software is really PART of the OS. So, the only fair comparison is to say that any development for the PLATFORM is contribution of code and/or ideas.
So, sorry, but you can contribute to the platform and realistically you can contribute almost as much as you can in Linux since you ARE FREE to develop most any software for WIN32 you can think of. There is really very little difference AND patching your own security holes is probably a bigger security threat than leaving them open since you are probably not really qualified to either patch or test the patch you make. Chances are you would patch it wrong and provide yourself with a false sense of security since YOU are not a team, but merely one person.
Interestingly enough, I had to reinstall Feisty yesterday after playing with Fedora Core 7. Feisty was released 70 days ago and in that time there have been 72 security related updates. For the most part the updates are for important (read: often used) applications (Firefox, Thunderbird, Evolution, etc...).
Does anyone know how many equivalent updates have been made to Vista?
After reading this report I've decided to abandon my 11 years of Unix experience and head back over to Windows. Clearly when I made the switch to Unix/Linux/BSD systems back in the 1990's I was misinformed by my years of experience working on windows and suffering with viruses and vulnerabilities. I must have just jumped on the whole Intarweb band wagon. Silly me.
Clearly it is all just about security and nothing to do with lighter faster operating systems tailored to specific purposes. Nobody cares about focused tool sets. Nobody cares about vendor independence. Nobody needs to have a system open enough that you can get at every aspect of the OS because nobody develops software that could possibly need that level of understanding. Nobody cares about a free, open, and stable software development suites... Nobody really cares about precisely tuned servers in clusters... or embedded systems... or monotonic scheduling...
I certainly don't. Not after this study. No sir. I'm making the switch now. Yep. Don't try and talk me out of it.
Kind of a funny story considering some security vendors claim Vista is less secure than XP: http://www.zdnet.com.au/news/software/soa/Microsoft-partner-Vista-less-secure-than-XP/0,130061733,339274261,00.htm
Based on my early experiences with Vista in our beta roll out, users are generally annoyed with Vista's security features and will likely turn them off once they are savvy enough to do so.
The VPN compatibility problems they are having with major vendors such as Juniper's VPN solutions also give me reason for pause. Some users will basically start taking files home with them and emailing them to co-workers since they cannot use the VPN. This is a major concern when it involves personal data. Vista may be an improvement on the home front, but it is plain not ready for business.
Good grief! It's been YEARS!!! since we first heard about the superior nature of Linux/UNIX security, and we still see a crapflood of articles about it every time there is a slow news day, like when all the information about the first generation iPhone finally emerges and there are no more iPhone stories in the queue, then BAMMO! Right on schedule, another story about LINUX vs. Windows security. This story is even a TROLL, all on with a headline about Vista besting Linux. What crap! ENOUGH with these LINUX/Windows security shootout stories, already!
These comparisons are a joke. The number of bugs or vulnerabilities itself is completely meaningless because of the wide variety of issues you can have. For example, would you rather have 10 vulnerabilities that each enable a malicious Web site to crash your browser, or 1 vulnerability that enables a malicious Web site to browse your local disk?
Vista still encourages users to run with higher privileges than necessary, and the platform is still host to over 99% of the viruses and malware ever created. It is not even recommended to run Windows without third-party security enhancements such as anti-virus. Many will tell you to run it only in a virtualizer, not on bare hardware, so you can wipe the Windows "disk" every night and start fresh the next day. In fact, Microsoft will tell you to do that, it's what VirtualPC is for.
Anyone who believes this crap deserves Vista. Enjoy.
The fundamental failure with the phrase "Vista is still more secure..." starts with the incontrovertible fact that Windows is shipped as a black box.
The temporary absence of security issues with Vista means nothing because neither the scope nor the scale of exploits is known. That is commonly described by the phrase "security through obscurity."
History has shown that Microsoft's approach to security is to talk a good game. Period. While I do not doubt Microsoft has hired excellent security programmers, their contributions don't make it through the management gauntlet.
Another way to highlight my point:
When you buy a windows-equipped box will you:
1. Use email on win32 without an antivirus application?
2. Go on the internet on win32 without a firewall?
3. Run win32 without a NAT?
I propose the following experiment instead:
Computer 1: Linux desktop distro immediately after install with no firewall script.
Computer 2: Vista equipped PC straight out of the box with the windows supplied firewall disabled.
Computer 3: Mac OSX straight out of the box.
Run tripwire on all three machines and put them directly on the internet. (aka no NAT)
That might be a better way to compare default security of OS's.
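The experiment above leans on tripwire to tell whether an exposed box was touched. As an added example, not part of the original comment or of tripwire itself, here is the bare core of what such a tool does: snapshot every file's SHA-256 into a baseline right after install, then diff the live tree against it and classify each difference. It assumes GNU coreutils (sha256sum, sort, diff) and paths without whitespace; the tree and baseline locations are arguments, nothing is hard-coded.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal tripwire-style integrity check.
# Assumes GNU coreutils and file paths without whitespace.

# One "sha256  path" line per regular file under the tree, sorted by path so
# two snapshots of the same tree line up for diff.
snapshot() {
  find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2
}

# Record the known-good state right after install, before the box is exposed.
# Keep the baseline where the monitored tree cannot reach it (another host,
# read-only media); a baseline an intruder can rewrite proves nothing.
baseline() {
  snapshot "$1" > "$2"
}

# Compare the live tree with the baseline. Prints one CHANGED/ADDED/REMOVED
# line per difference and returns 1 if anything differs, 0 if still intact.
verify() {
  snapshot "$1" | diff "$2" - | awk '
    /^</ { old[$3] = 1; rc = 1 }   # baseline only: removed, or old hash of a changed file
    /^>/ { new[$3] = 1; rc = 1 }   # live tree only: added, or new hash of a changed file
    END {
      for (p in old) { tag = (p in new) ? "CHANGED " : "REMOVED "; print tag p }
      for (p in new) if (!(p in old)) print "ADDED   " p
      exit rc
    }'
}

# Usage: sh integrity.sh baseline /path/to/tree /path/to/baseline.txt
#        sh integrity.sh verify   /path/to/tree /path/to/baseline.txt
case "${1:-}" in
  baseline) baseline "$2" "$3" ;;
  verify)   verify "$2" "$3" ;;
esac
```

For the three-machine test this would be run against /etc, /bin, /sbin, /usr and the boot files on each box before it goes on the wire, then re-run daily; a REMOVED or CHANGED line on a file that no update touched is the signal. Hashing only catches file changes, so a kernel-resident rootkit that hides its files from find is exactly the case it misses, which is why tripwire-style tools are a floor, not a verdict.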
I know what you mean there...I have a customer that double clicks "everything" including hyperlinks on a web page. No matter how many times I mention that the double click isn't always necessary it never takes.
Aside from that, when using Windows I am actually much faster with the keyboard. I'm still learning all the keyboard shortcuts for Gnome...
"I am not convinced, next please Mr Jones." - by b1ufox (987621) on Wednesday June 27, @08:44AM (#19661667)
I don't work for Microsoft (though I have been interviewed by they, & they came to me, not I to they):
Will a test, head-to-head, *NIX vs. Windows Server 2003 SP #2 fully patched, convince you? Try this, the CIS Tool 1.x, & see if you can beat my score of 84.735 on it (with you guys using SELinux or BSD variants even vs. my setup, since this test is "multi-platform" & runs across BSD variants, Solaris, Linux variants, & yes, Windows variants)):
http://www.cisecurity.org/bench.html
I think for all the *NIX 'braggadocio' of "Windows is less secure than (insert *NIX variant here)" I see/hear online? No one is willing to put their money where their mouth is, and I have made challenge, but with reason - so we ALL learn by it.
(In essence, in a Windows-based OS, like any other? To get security, you have to work @ it. In Windows 2000/XP/Server 2003/VISTA, you have to do these "12 steps", about 1 hour of an experienced user's time):
http://forums.techpowerup.com/showthread.php?s=37852b3b0b2148fe282a73c1e688efc1&p=375355#post375355
To get this score (on the multi-platform CIS Tool 1.x test, by the "center for internet security"):
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
An 84.735 score on it...
Secured operations online, on Windows no less, is quite easily doable (& to levels that FAR EXCEED VISTA, with just a wee bit of work, and plenty to gain/learn!)
I wish some folks from the *NIX world would take this challenge, & possibly exceed my score (since the "control method" in the test? IS THE CIS TOOL 1.x TEST ITSELF, & download url's links for it are inside the 1st url noted above!)
If they could do that? I would ask how & where they did not fail things on that test, & attempt to emulate them on Windows, getting an even HIGHER score (and, still be able to go online & do things of course).
We'd ALL gain & grow by it, but, unfortunately/again - no takers to my challenge! Perhaps the Linux mascot ought to be a chicken, instead of a penguin, eh?
LOL! Take that as a "good natured rib", because I really WISH we had Os' like today, 10-15 years ago, & I respect what Linux REALLY is: A 'socio-cultural technological phenomenon' that is a decent OS, created mostly by freely donated time, from a lot of talented people!
(The nice part is, it IS possible you guys CAN beat my score on this tool, because it literally HELPS YOU TO DO SO, but it is NOT "perfect" & definitely makes some errors imo & yes, I can prove it, & it does not account for things like hardware "NAT" (or true stateful inspection type) firewalling routers for instance, but it IS the BEST overall multiplatform test I could find @ least, from a reputable organization!)
APK
P.S.=> I wonder if anyone from the Linux (especially SELinux bearing distros), or BSD variants camps can get a better score on that test, than that...
In fact, I have repeatedly challenged anyone who uses those OS' to do so, here @ this site:
http://it.slashdot.org/comments.pl?sid=237507&threshold=-1&commentsort=0&mode=thread&cid=19408273
&
http://it.slashdot.org/comments.pl?sid=240571&cid=19630923
&
http://slashdot
Sure, you can build the world's safest car. Bulletproof. Bombproof. Able to withstand missile attacks. But at the end of the day you've got something that's so bulky, heavy and hideously ugly that nobody can move the thing.
Sorta reminds me of Vista.
We give up, we'll go home now, and install Norton Antivirus and Windows Defender with the rest of the lemmings.
The *only* way to "measure" security is to "measure" breakins. You can talk about technological advances in architecture, but abstracting security to bug counting is goofy. Linux systems don't get broken into, because there simply aren't ways to get at them, particularly on the desktop. With things like AppArmor and SELinux your browser is isolated from other processes, every distro ships with the "desktop" version locked down (100% firewalled) by default, and samba, cups, and the other common network daemons (ntp? ssh?) are mature suites with excellent security histories.
I can't get the article to open, but I'm curious as to the vulnerabilities which he counted. How many of them actually have real world applications?
Here is how I would come up with a synthetic benchmark of security:
1. Admit that it will be synthetic, and is ultimately an exercise in mental masturbation
2. Count the bugs.
3. Remove all bugs that have no possibility to be exploited, and all "fixed" bugs.
4. Separate bugs into "server" and "desktop" bugs.
5. Multiply bugs by an index number between 0 and 1, with 0 being harmless bugs, and 1 being bugs that give you "root".
6. Total up bug indexes.
7. Now, count all fixed bugs (excluding impossible to exploit ones), multiply by a "damage index" (see #5), then multiply by (Time to fix bug, measured from release of software)/(Time software has been released). Add this to your result from #6.
8. Voila! You've now posted something that will most likely compete favorably with MS's bug number. It will also still be totally useless.
Let's give Jobs, et al, time to produce their own twisted statistics to prove exactly the same thing for their own OS's.
just remember there are 3 types of lies, "lies, damn lies and statistics".
Not that I'm claiming he's wrong, mind you, just that history has proven to be a battle of seemingly erroneous statistics stacked on top of one another that seem to claim totally different things.
Is it going to make me switch to Vista? No... But I can't say I really care either; probably the most insecure part of my home server is the code I've written for it!
I work at the Tech Desk at the University I attend. We've already had vista computers coming in with viruses on them. I'll get back to you when I have to fix a linux box with a virus....
you remember seeing are malware definition updates for Windows Defender.
I've started a few small projects, none of which has gone much beyond 100 downloads a day. In every case there have been outside contributors who have learned the code and made contributions that obviously required understanding it fairly well. I even retired from one of those projects about 8 years ago, and the community keeps maintaining it today.
I don't know if it helps that these projects are written in Java.
A good way to reduce the possibility of malware affecting you in Linux is to run your browser as another user. It's easy to set up, almost pain free, and means that, barring local root exploits, it can't delete/alter your data, modify your login scripts etc.
Instead of messing around with xhost, sudo, wrapper-scripts (as one of the comments suggests), etc, and opening up the security holes that entails, just launch Firefox like so:
ssh -X ff@localhost firefox
(You might want to create some keys, change ~ff/.ssh/authorized_keys, etc, to make this a bit easier, but I'm sure you get the idea. You might also need to make sure X forwarding is enabled, but it typically is by default these days.)
I'm sure it's possible to do in Windows - runas firefox.exe - but I haven't tried it.
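The "create some keys, change ~ff/.ssh/authorized_keys" part of the comment above is where the setup either stays tight or quietly loosens, so here it is written out as an added example (not from the comment, not a project's code). The extra step a practitioner would want is pinning the key in authorized_keys to a forced command, so the key you keep in your own home directory can only ever start the browser and never becomes a general login to the second account. The account name "ff", the key path and the script name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): Firefox under a separate unprivileged
# account via "ssh -X", with the key pinned to that one command. The account
# name, key path and script name are assumptions for illustration.
BROWSER_USER="${BROWSER_USER:-ff}"
KEY="${KEY:-$HOME/.ssh/id_browser_ed25519}"

# authorized_keys entry for a public key: the forced command runs regardless of
# what the client asks for, and the no-* options strip what a browser launch
# never needs. X11 forwarding is deliberately left on; it is the channel the
# window comes back over.
authorized_keys_line() {
  printf 'command="firefox",no-agent-forwarding,no-port-forwarding,no-pty %s\n' "$1"
}

# One-time setup, run as root with your public key as the argument:
#   sudo sh browser-user.sh setup ~/.ssh/id_browser_ed25519.pub
setup() {
  pub="$1"
  id "$BROWSER_USER" >/dev/null 2>&1 || useradd -m -s /bin/sh "$BROWSER_USER"
  home=$(getent passwd "$BROWSER_USER" | cut -d: -f6)
  install -d -m 700 "$home/.ssh"
  authorized_keys_line "$(cat "$pub")" > "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  chown -R "$BROWSER_USER:" "$home/.ssh"
}

# Everyday launch, run as yourself. BatchMode turns a missing or rejected key
# into an immediate error instead of a password prompt.
launch() {
  exec ssh -X -i "$KEY" -o BatchMode=yes "$BROWSER_USER@localhost" firefox
}

case "${1:-}" in
  setup)  setup "$2" ;;
  launch) launch ;;
esac
```

Generate the key first as yourself (ssh-keygen -t ed25519 -f ~/.ssh/id_browser_ed25519), run setup once as root, then launch. sshd needs X11Forwarding enabled and xauth installed. Two caveats the original command leaves implicit: -X gives the browser an untrusted X connection, and switching to -Y for convenience hands it full access to the X server, including other windows' input, which undoes much of the point; and the isolation is only ordinary file permissions, so your own home directory must not be world-readable (chmod 750 ~) or the browser account can still read everything it was meant to be kept away from.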
Works fine. Easier than it is in Linux as well ;).
Windows Security is such a boring job, all you do is sit around watching the computers on the network run flawlessly. Look at the sad sack Maytag repairman in all those commercials and ask yourself, 'Is this how I want to end up?'
Default installs should BOOT INTO FSCKING VGA MODE.
I solve 99% of Linux installation problems by rebooting and editing the X config file to say "vesa". Why can't this be the default?
Ubuntu is a zillion times worse because it sets some weird 32-bit graphics mode for the install process. What's up? 256 colors not enough for an installer?
Madness.
If you actually believe any of that crap you just posted, then you're a moron.
How do you install Quake 3 on Linux? Well, the Linux version doesn't come on the Windows Q3 CD. So you download it. It's an installer script. For security reasons, you have to make it executable first, and because id were being extremely lazy when they built the install script, you have to run it from a command line. Run it, and it installs Q3 and the latest patch, but doesn't copy the files across. That's because id were being lazy again. So you copy the files over manually.
Basically, that's because the "installer" for the Q3 version of Linux is the equivalent of a self-extracting ZIP file, which id put the absolute bare minimum of effort into. Still, it's not hard.
When Q3 was released, the Linux version had all sorts of quirks. For example, it was released back when glibc was still new, and X servers might not support all the stuff Q3 needed, and its sound code sucked (because id didn't test it properly). Yes, you have to have sound and video working in the OS. Duh! You need to do all that too.
Still, the Windows version had quirks too. Lots of video cards hardly worked with the game at all. Of those that did work, absolutely none of them came with working OpenGL drivers. You had to install either an OpenGL-enabled video driver, or a Mini-ICD. It had all kinds of problems with other hardware. I don't see any of that included in your Windows instructions.
Q3 was always a pain in the ass, on any platform. If you install it on a more modern version of Windows or Linux (and on Linux, if you use an installer that doesn't suck), you will have no problems whatsoever.
Compare with the process of installing UT2004 on Linux. Insert the DVD. Open it up (click the icon on the desktop). Run the installer. A GUI installer pops up. Answer the questions about where you want to install (or ignore them, if you like), and press the Go button. Enter your CD key. Press OK. Wait for files to copy. Run game. Game works perfectly first time. That's no different than the process of installing UT2004 on Windows.
The fact is that it's quite easy to package Linux software so that it's very easy to install and use. It's just that most commercial developers don't bother (and frequently the Linux versions themselves are half-assed), and open-source developers have no need to because they can just get software included in distributions.
The overall security of a system can't be measured just by how many bugs are found, because two different operating systems:
- Have a different user base
- Have a different number of developers working on them
- Have a different design
- An average sysadmin for one kind of system and an average sysadmin for the other usually have different levels of qualification.
- The interest of crackers in those systems differs
Plan 9 will certainly have fewer bugs than GNU/Linux because the codebase and complexity of those systems is amazingly different, and also GNU/Linux has orders of magnitude more users than Plan 9. There are lots of GNU/Linux sysadmins and not too many people with knowledge of Plan 9. Plan 9 has lots of experimental features, but it grows slowly. GNU/Linux grows at an amazing rate, but tends to be more conservative about its design. Also Plan 9 is developed by a single team, while GNU/Linux is a collection of different efforts, so it's hard to tell where it starts and where it finishes. There are probably very few, if any, Plan 9 servers, and very few, if any, crackers targeting Plan 9.
The same goes for Windows Vs. GNU/Linux.
1) The design of the systems is quite different, so it doesn't matter if an exploit is found, the important question is: Does the design of the operating system make those exploits easily exploitable? And also, you may choose to run any services/programs on your server, they are third party, Let's not talk about bugs in those applications, does the OS itself have Important exploits, and what does the OS to prevent bugs in third party apps from being exploited? Also, we may have a system with no bugs but with inherent design flaws that make it insecure anyway.
2) Are we comparing the right versions? That is, Vista is a secured version of Windows, they are not using XP to make the comparison, so shouldn't we choose SELinux or similar?
3) Does the system provide you with enough tools to detect, debug, and correct possible vulnerabilities? Can you create a workaround for the vulnerability?
4) GNU/Linux doesn't do this fancy shit of bringing "new" versions to the market. We just upgrade, so we are comparing the amount of vulnerabilities found on a new OS vs. an OS with an important userbase.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Hah, I laugh at TFA. The last time I tried to use Vista, I had to jump through so many hoops just to launch a program that I ultimately gave up.
"You have attempted to run a program! Please scan your fingerprint to confirm"
"Are you sure?"
"Are you really really sure?"
"Okay, request sent to MS central to allow execution. Please wait 24 hours for a response from India"
It's such a pain in the ass to get anything done in Vista it's no wonder it's perceived as "secure." Your house is secure if you completely encase it in concrete - probably more secure than a bank vault. But, what good is it if you can't USE it?
You seem to be pointing the finger squarely at the developer. Most often that is not where the blame should reside.
I would point out that if you are on a deadline for delivery, things get cut. Its just business. Managers fully support good documentation, well planned naming conventions, well structured code, etc... Just so long as it doesn't interfere with getting the product out the door on time.
And... FWIW... I also have tons of source (both open and closed source) to maintain, modify, w/e...
Could someone count the botnets out there per operating system? I don't care so much about vulnerabilities so much as all the spam I get from compromised machines. Or put another way, it's not the holes but the number of active exploits that we should be counting.
This is so pointless, so ridiculous. It's blog masturbation. Hey come to think of it, that's redundant. Anyway: are we all supposed to go back to Windows now because it's so secure? Give me a fucking break and stop wasting our time with these masturbation articles.
... just didn't remember it all that clearly, that's all.
For the Blackadder deprived, here's the original one:
Baldrick: "I have a cunning plan!"
Blackadder: "Baldrick, you wouldn't recognise a cunning plan if it painted itself purple and danced naked on top of a harpsichord singing 'Cunning plans are here again'."
That's truly insightful, you know. If you read to the bottom of the page, it says "I work for Microsoft".
Deliberately disabling Windows' firewall, which is enabled by default, is not testing the 'default security' of the OS.
Of course, since there are no current known remote exploits in any of Vista's network services, and Vista's Data Execution Prevention should catch any unknown ones, I'm not sure that deliberately disabling the firewall will cause any problems.
You can't really list the published vulnerabilities and say for certain which OS/platform has the best or worst security. You've gotta look at practical daily use. Windows Server 2003 versus Red Hat Enterprise Linux 4 or Tiger Server? I couldn't tell you which one is more vulnerable. A good sysadmin can keep either up and running if they're vigilant, and they all require care and feeding.
The real test is on the desktop--where the dumb users are.
I work at a University. I support Windows, Linux, and MacOS X boxes.
Guess which one has the most security problems? [Note the past tense]
Windows. Granted, it's XP. Why? Because most of the established scientific applications (the ones we use) don't work on Vista yet. Vista might prove to be a better mousetrap than XP with regards to security but we thought the same thing about XP SP2, right? Time will tell. Ask me again in 18 months.
Number 2 on the security problem list is linux. They are largely run by grad students in research labs (read as high turnover for greenhorn sysadmins). Sometimes, if we're lucky, we see some more interesting exploit injections but unpatched boxes with some sort of service running were usually quick and easy targets.
Amongst our 1500 Macs, I've only heard of 2 instances where they were compromised. In both cases, the vector of intrusion was SSH and a weak password. Despite all of the published Mac OS X vulnerabilities and sky-is-falling rhetoric from the security experts, I have yet to see any "real" exploits for them here on our campus.
Well, why the hell does that mean anything? Until this last semester, most of our campus was using static IP addresses in public addressable space. No firewalls, limited ACLs, and our computers exposed directly to the internet on a fat pipe. We've had botnet zombies out the wazoo, rootkits from hell, network scans from every black hat in the known universe, and pretty much every trick in the book has been thrown at us. [One of the reasons for our fancy new network with NAC]
The only thing that knocked-over our Macs were common dictionary attacks on SSH. Since most Mac users are completely ignorant of security (present company excluded, of course), that was a bush league exploit. Nobody ever exploited Safari bugs or any of the other services.
The scariest thing on campus are the Windows rootkits. None of us know how many "Cylons" are among us. By the time we find one, it's way too late. Linux rootkits are ugly, too, but are not nearly as common.
As far as Vista vs Linux--again, time will tell. If you really want to know for yourself which is better, set them up side by side and hang their asses on public addressable network spaces. You'll find out which one has the best mojo for keeping out intrusions soon enough.
From my own experience, I'll put my money where my mouth is with my Mac any day.
I might know what I'm talkin' about, but then again, this is Slashdot...
There are several fundamental flaws in the arguments in this article:
- He compares OS vulnerabilities of the first 90 days since first release. This doesn't tell us which OS is the most secure at this moment. Merely, it tells that more recent OS's have undergone more testing prior to release.
- He notes 125 known issues with RHEL prior to release compared to 0 for Windows Vista, but of course no vulnerabilities are known prior to release as Vista is closed source and has not been available for public scrutiny, while RHEL is built on available open source code.
But that's not all, differences in how bugs are classified may make some OS's appear more secure - it is known that Microsoft has classified vulnerabilities as bugs thus reducing the "official vulnerability number". Without a strictly uniform and independent classification scheme for bugs, there is simply no data to compare.
A reasonable comparison would compare the OS's vulnerability issues the past 90 days, that is with fully patched systems. Known issues that have not yet been patched should not be included as this simply is caused by the longer time for scrutiny of older OS's. Secondly, bugs must be classified in a coherent manner: Remote root, remote user, local root, local user, DOS etc...
This document is useless in the discussion of which OS is the most secure to run as of today. There is no way that a conclusion can be made in favour of any OS on the list.
It appears that OpenBSD remains the most secure system, and I bet FreeBSD is a strong contender.
The nerdically correct term would be "It's dead Jim!"
Too many of these comparisons are apples and oranges things. If you run your Ubuntu box as root, you are heading for trouble. Running Windows as an administrator also exposes the user to significantly enhanced risk. If you are concerned with this risk, run as a normal user. I do. Your risk will be much lower. Vista makes it much easier to run as a normal user. My wife and kids have normal user accounts on our modern machine. I will be trying to "upgrade" my old XP box (an older Win ME box I upgraded to XP with an additional 512 MB of RAM 3 years ago) to Vista Home Basic for the improved security support.
Haha, it's pretty funny reading all of these responses. How about giving Vista a break for a change, penguin lovers?
Since when does being a Socialist mean 'someone who has a different opinion than me'?
Great. Can I have your address so I know where to send my lawyer after something you've changed brings my company to a halt. I didn't think so. Linux may have its place, but the support and backing of a large company goes very far.
Just what you would expect from Microsoft. How about Slashdot adopt a policy that it will *never* publish an article which refers to an article in which Vendor A says Vendor A's products are better than all the competing products? I know, that would eliminate 90% of the so called 'news' out there, but if there was ever a case where Sturgeon's Law applied, it is to PR fluff pieces like this one. For the most part, on a single user system, the only thing that matters is 'How many remote exploits allow an attacker to modify the system?'. In 10 years of running Linux, I've had that happen once (the old wu-ftpd teardrop attack). God knows how many Windows systems have had to clean up. I have to admit, I have no idea how secure Vista is or isn't. I don't plan to find out. Even without security flaws Vista is an extremely poor value.
This seems to have the same flawed logic as the last time, which I posted about (and which I can't find to link to, sorry), which is this:
THE TOTAL NUMBER OF VULNERABILITIES IS IRRELEVANT.
See, the problem is, we have no idea what the total number of vulnerabilities is for a given OS, thus it is meaningless to compare the absolute numbers. It is however meaningful to compare the %, and from that you get a different conclusion:
- approx 30% of currently reported Vista bugs are High Severity. Or, the odds of a new bug being high severity is 30%.
- 25/45 (55% or so) of XP bugs are High Severity.
- 98/348 (28%) of RHEL bugs are High Severity
- 52/160 (32%) for Ubuntu
- 20/75 (26%) for Mac OS X
At best, we can conclude from this that Vista is almost as good as Linux / Mac now. At least, in the absence of other factors, such as low adoption rate (low # users = low # of reports, all else equal) and "undisclosed, reported" vulnerabilities, both of which are unaccounted for in the article.
It is also important to remember that these numbers only represent vulnerabilities that:
1) were discovered by a user (which is easier to do if you have the source)
2) reported to the vendor (which in my experience is more likely in a receptive OSS community than a corporate environment)
3) are disclosed by the vendor (again, more likely in OSS than corporate)
Thank you, but I'd rather stay with my less secure Linux. Not because I hate Microsoft or someone told me it was more secure. The reason is my personal experience with Linux and with various Microsoft Operating Systems. I know it's kind of early to judge Vista alone, but I do see a pattern in Microsoft products security.
As it also depends on what is turned on and what is turned off.
Still an apples to oranges comparison..
Was either a comparison of windows vista security flaws as it ships from dell with all its third party software versus those distro's (given thats how alot of users are going to "get" vista - crammed with third party apps from the manufacturers they buy their pc's from). Or a comparison against and OS that followed the same business model (solaris 9 perhaps?, hp-ux? aix?). It's really hard to sit back and say "we're so secure" when the basis of comparison is moderately flawed in the first place.
In alot of ways, Mac OS X is perhaps the best thing to compare vista to in that regard, but even thats a little tough.
How would this be any different if Linux was top dog? I'm a bot net guy, I want to make a bot net, I'm going to cast the widest net possible. You think if Joe Sizpack was running Linux he _wouldn't_ click that file promising him "free smileys" or constantly keep his stuff up to date? And if the "bug" in question doesn't have admin privledges on a home system, who does? Try explaining the idea of "admin" and "user privledges" to someone who thinks a cd tray is a drink holder. Good luck!
I used to sysadmin in an elementary school. We had over 100 PCs -- maybe 40 different hardware configurations. Windows 95, Windows 95 OSR2, Windows 98, Windows 98SE (we also had one XP machine -- no more than that, because Windows multiuser support works differently in NT than in Windows 9x -- and nowhere near as well). So what would happen if I set out to install some high class piece of Windows software on 100 machines?
Typically, it would install fine on about 91 machines. Six would fail for some reason -- typically a missing DLL or a recently installed DLL that only was present on machines that had some specific software package installed. Two of the remaining machines would have unique problems -- often not shared by conceptually identical PCs elsewhere in the building. And one machine would melt down completely. So, I have half a day of installation, three half day debugging jobs and another few hours of work to get the destroyed machine back on line.
It took a few years, but by the time I was through, I was no longer a Windows fan.
The Spanish have a word for this sort of thing -- "Atascadero". It means about what it sounds like it means. Perhaps Microsoft should adopt it for their next OS.
====
Is Linux better? For servers, yes. For desktops, No. But it's not much worse, and it -- unlike Windows -- seems still to be improving. In the long run if people can have aggravation for free or pay handsomely for aggravation, I imagine that most of them will opt for free aggravation.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
This report is seriously misleading. The conclusions made do not follow from the facts presented without employing logical fallacies. The data presented in the report measures the number of fixes made. The basic fallacy involves the assumption that just because a fix is not made, there is no critical need for one. As a matter of fact, a lesser number of fixes may indicate failure to find, report, and fix problems rather than absence of problems.
Since the Linux effort is open, all issues are reported and fixed in the open, with an effort made to report and fix as much as possible, which ensures software quality. Since proprietary systems are not open, their issues are not reported and fixed in the open. As a matter of fact, a fewer number of fixes does not in itself indicate a lesser number of problems, or better software quality. On the contrary, a lesser number of fixes may indicate a lesser percentage of problems being found, reported and fixed, which implies a lesser quality of software. A fewer number of fixes can be as much due to failing to fix vulnerabilities due to not finding them, or not having them reported.
Therefore, data presented in this report indirectly suggests that the open-source process is better at ensuring software quality.
Vista and XP have so few programs installed by default.
BZZZT!
Have you seen an OEM system with Vista or XP that came with "few programs"? There's serious bloatware on there, and I bet all of it has serious security problems. Think of all those sound/video driver applets; those all have administrator access.
On the other hand, OEM Linux systems don't come with that stuff. Not even from Dell.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
I think that a better measure of OS security should include the following:
1. How many anti-virus/anti-* software packages are available for it? i.e. how many companies believe that there are enough problems with the OS that they can make money plugging the holes from the outside. Look at the revenue. What percentage of the users are running some form of this software?
2. How many computers running this OS are botted? i.e. how many machines running this OS have been completely taken over.
3. Do a survey to see user perception. "The (riaa) wants proof that you have illegal music on your machine. If they can break into your computer, they can easily place such proof there. What OS do you want it to run?"
4. Place machines running each OS directly on the internet using default settings. How long will it take for the machine to be compromised?
5. What OS are the machines using that are used to spam us?
6. etc...
There are plenty of real-world methods of checking security, which are not based on who can hide the most problems.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
He is referring to the Vista operating system itself, installed off of a disk. He is not talking about security flaws in the extra crap that vendors such as Dell add. The thing is that, since Linux and its components are open source, there are bound to be more bugs and security flaws found, because there are so many more eyes looking at the code. However, this does not mean that it is any less secure than Vista. If you look at the report, Linux distributions have fixed a much larger percentage of their bugs in the first 6 months. Microsoft, even though the number of flaws is under 50, has fixed only about half of those flaws, whereas Linux distributions fixed a much larger percentage in that time period. Now, again, I am not saying that Linux is immune to security flaws and that Windows is the spawn of the devil. I am simply stating that you cannot look at just the number of flaws. I mean, if Windows was released Open Source, I would sincerely expect that there would be floods of security flaws found, and I'd bet my life on that.
"The item in question is gullable, has admin privilages..."
...and obviously can't spell.
Except that I have no idea what you just said.
I'm going to cast the widest net possible.
Windows (older versions, but a common exploit) hides known extensions by default. Users are admins by default. Opening MyNakedWife.jpg.exe was an exploit that nailed many a Windows user. No warning of any kind was given; the software was installed.
On Linux, by default, nobody runs as root. Ubuntu takes it up a notch. Even if the .exe were hidden, clicking on a .jpg.exe does not run the program. You get asked if you want to save it to disk or what program to use to open it, or in some cases, whether you want to launch the program. Getting a prompt instead of viewing the photo is a major clue to a Linux user that the Windows user never got.
You think if Joe Sixpack was running Linux he _wouldn't_ click that file promising him "free smileys" or constantly keep his stuff up to date?
With Linux, much like modern Windows, they phone home and look for updates. Being offered an update from a 3rd party is still a problem for Windows users and less so for Linux users. Example: go to any Flash site without Flash installed. The untrusted site may or may not send you to get the official Flash Player. In Linux, you have to follow the instructions to go to Adobe and get the tarball for Flash Player 9, then unpack, and install. It's a little more work, but you generally get it from a trusted source.
Another common Windows exploit requiring a fault between the chair and keyboard used fake pictures of Windows error messages. Clicking the little x in the corner of the box is as much of an install button as the rest of the photo. This was also a common Windows social engineering trick to get the clueless to click on the install button. Linux does not install root level software by a click on a webpage when not running as root. Since most Linux users don't run as root, this exploit is broken. The exception is Firefox plug-ins that users can install in their browser.
Short attention span Windows users who can one click install your botnet software for you are easy to find. There are millions of them. Even if there were as many Linux users as Windows users, you would find many fewer willing to follow your social engineering.
Maybe you know some Linux exploits of the fault between the chair and keyboard that are as simple as hidden extensions, executable IM messages, and webpage install buttons disguised as an error dialog box that I should know about. If you do, fill me in.
The truth shall set you free!
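As an added illustration (not part of the thread), here is a small Python check of the kind a mail gateway or download scanner can run to catch the hidden-extension trick this post describes (MyNakedWife.jpg.exe displayed as MyNakedWife.jpg). The extension lists and the sample filenames are constructed for the example.

```python
"""Flag filenames that rely on the double-extension trick.

Windows with "Hide extensions for known file types" enabled shows
"MyNakedWife.jpg.exe" as "MyNakedWife.jpg", while the real, final extension
decides what runs.  This added example (not code from the thread) reports
names whose displayed form looks like a document or picture but whose real
extension is executable.
"""
from typing import Iterable, List, NamedTuple

# Constructed, partial lists: extensions Windows runs directly, and
# extensions a user would take for harmless documents or media.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
BENIGN_EXTS = {"jpg", "jpeg", "png", "gif", "txt", "pdf", "doc", "mp3", "avi"}


class Verdict(NamedTuple):
    filename: str
    shown_as: str    # what Explorer displays when known extensions are hidden
    real_ext: str    # extension that actually selects the handler
    deceptive: bool  # displayed name suggests a non-executable file


def displayed_name(filename: str) -> str:
    """Mimic 'Hide extensions for known file types': drop the final extension."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def classify(filename: str) -> Verdict:
    """Compare the real extension with what the user would see."""
    parts = filename.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    shown = displayed_name(filename)
    # The trick needs both: an executable real extension and a displayed
    # name that itself ends in a benign-looking extension.
    shown_ext = shown.lower().rpartition(".")[2] if "." in shown else ""
    deceptive = real_ext in EXECUTABLE_EXTS and shown_ext in BENIGN_EXTS
    return Verdict(filename, shown, real_ext, deceptive)


def flag_deceptive(filenames: Iterable[str]) -> List[Verdict]:
    """Return only the verdicts worth alerting on."""
    return [v for v in map(classify, filenames) if v.deceptive]


# Constructed sample attachment names; two of them come from the thread.
SAMPLE = [
    "MyNakedWife.jpg.exe",
    "README.txt.exe",
    "vacation.jpg",
    "setup.exe",
    "report.pdf.scr",
    "notes.TXT",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for v in flag_deceptive(SAMPLE):
        print(f"{v.filename!r} is shown as {v.shown_as!r} but runs as .{v.real_ext}")
```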
I know you're not supposed to feed the troll but:
Take installation. Linux zealots are now saying "oh installing is so easy, just do apt-get install package or emerge package": Yes, because typing in "apt-get" or "emerge" makes so much more sense to new users than double-clicking an icon that says "setup".
Ubuntu. Click "Synaptic." Search for what you want. Get everything checked to install, click "apply" at the top. Unless you're recommending that newbies use a harder, less graphical interface. In which case, you're an idiot.
Also, on the topic of installs: I've installed 3 OSes in the last two years. Slackware, XP, and Ubuntu. Ubuntu was the easiest and most pleasant -- I got to sit there with Firefox and GAIM open while it installed. XP was slightly more annoying than Slackware.
As for your Linux zealots thing: I have never encountered people like that. Maybe you need to go to forums populated by people older than fifteen?
I admit there are assholes, however, and people who run around with only "if you don't like it, fix it!" "RTFM!" type answers. But these are a minority, and I bet most of them can't answer your question anyway. Most people will respond helpfully to questions, unless you come off like an asshole yourself. And try seeking help on Windows forums. There are assholes everywhere.
There is no "preference towards Windows." Most people don't even know what Linux is. A lot of people don't even know what an Operating System is. They don't understand that it is a program that can be replaced. Just that it's part of the computer, like the OSD on a TV that adjusts the brightness and contrast. It's not that they're stupid, it's just that they don't know any better, and were never told, or taught.
and I have had similar experiences too.
But on other hardware, Windows installed fine, and Feisty Fawn did not detect the sound card and the wifi connection kept dropping. Documentation for that wifi card/driver on Debian said you probably need to use a cvs snapshot of the wifi driver for stability.
Its hard to have an objective comparison of what works out of the box (as that would require a study of lots of hardware). But as for objective analysis, the Ubuntu install is definitely superior (Based on a live-cd, where you can already start working, as it is installing, with to-the-point questions, etc).
1: Find Quake 3 CD
2: Goto Id Software Website
3: Download Linux Demo
4: install Linux demo
5: Copy all files in the base directory of Quake 3 into the base of the Q3 Linux demo
6: Download newest point release, repeat base copy again.
7: Run game, have fun blow shit up.
Ill give you a hint, the only command line used was on step 4, chmod I think, its been a while.
Do you get it now?
You mad
My girlfriend (stay with me here) bought a brand new Core 2 Duo from Dell for about $1200 with Vista on it and everything fairly well matched. We installed World of Warcraft on the system. It was capable of rendering the game on the highest settings, but even on the lowest settings the system was having serious internal problems.
The video drivers kept crashing, sometimes as often as every 15 seconds, and not surviving for more than 2 minutes... the screen would flash black for a second and the hard drive would thrash, and then the game would reappear. Once you exited the game, or if you would ALT+TAB or run in windowed mode, you would see a bubble notification popping up from the system tray notifying us that (paraphrasing) "the video card driver had crashed, but Windows Vista was able to recover."
Now, I'm not sure if I should blame Windows Vista, Dell, or the nVidia drivers... but it was in no way fulfilling that the system was able to identify that it was crashing, and recover, yet it was not able to prevent it from crashing in the first place. Nothing improved even after applying every possible update to the system. To my knowledge, it still suffers from the same problem to this day. (No helpful support from Dell, by the way.)
Whoever is responsible for this, somebody really dropped the ball. In any case, I wouldn't touch Vista with a 40-foot pole.
I can just see a bubble popping up to tell me, "A hacker has stolen your personal information, but Windows Vista was able to recover."
Move all sig!
Look, everyone knows Vista is more secure than Linux. Just look at its pedigree: it comes from a long line of the highest rated operating systems that the US Government has had the resources to design special tests and ratings for. And take a look at the list of huge companies that have chosen Windows as the platform of choice for their high security applications. Big, trusted companies like Diebold, maker of some of the finest voting machines you can fix err...lay your eyes on. Hell, even big slot machine and ATM companies have chosen Windows as their security platform of choice. I can tell because sometimes I can see the security in action...Stop errors and blue screens...that's Windows saying, "Oh, no you didn't."
You know what else?
Billboards. That's right, billboards that show precious ads to thousands of passers-by choose Windows to operate their mission critical, high security software. Can you imagine the hil... chaos that would ensue if one of these billboards were hacked?
I think Windows has really redefined security. See, it's not about the integrity of the software that's actually running on your device. It's about the security of the media. And nobody is working harder to make sure the CDs and DVDs you install are protected from real threats. And they'll be secure if you ever have to reinstall because of bugs. Piracy and counterfeiting are the real security problems. Thankfully Microsoft has some magic technology called DRM to ensure we're not having to pay more than necessary to make up for this "shrinkage".
Thankfully Microsoft has our best interests in mind and they're protecting us all 24/7/360. They're on our side. So let's all do what we can do to make sure Windows and Microsoft are as secure as they've made our computing lives.
Thank you.
They're exactly right. I'm tired of people spouting that privilege elevation, in any of its forms (graphical sudo, authenticate, UAC) is "shifting the blame". Neither Canonical, nor Apple, nor Microsoft have the slightest idea whether pr0n.exe is a legitimate program or a trojan, nor do they have any way of knowing. (Incidentally, can you imagine what it would be like if Microsoft did implement some kind of heuristic detection algorithm that tried to guess whether something was legitimate or not? Oh, the lawsuits and gnashing of teeth when it gets it wrong, both false positive and false negative!) The user, on the other hand, does know. More specifically, they know if they've been trying to install a program, or whether they're just browsing dodgy websites when an elevation prompt pops up out of the blue, or whether they're just trying to view a picture.jpg.exe. The OS doesn't.
What's purple and commutes? An Abelian grape.
That's still vulnerable to this problem because ssh -X gives the remote application access to your complete X desktop. Indeed, the OpenSSH man page confirms this.
So, to run Firefox securely, don't just run it as another user. Run it on a separate X server too, using Xnest, Xvnc or (even better) VMware. The sux utility has also been suggested, but I am not convinced: malware running within Firefox rather than launching a separate process will still be able to log keystrokes.
>north
You're an immobile computer, remember?
Vista is *safe for now because of its poor adoption by users; since it is not widespread, it is pointless to develop botnet software to infect it.
Hey, the guy went nuts at the end but he does have a few valid points.
M$ doesn't announce vulnerabilities until they've got a fix, and therefore the "vulnerability count" for Vista is probably inaccurate.
Also, Vista enjoys the same "security through obscurity" that Linux does - WinXP is still a more lucrative target. Supposing that the Vista adoption-rate will grow, the number of exploits discovered will grow in turn. I think we will see another MSBlast-esque exploit again in a couple years.
He definitely nailed it when he talked about how people were staying away from Vista, however. I've known a lot of people who recently bought a Vista-loaded machine and ended up putting XP or Linux on it. Entire departments, in some cases. I'm still staying away from it.
The AC peer post suggests that turning the firewall off is not "default" and is not fair.
I used to believe firmly in firewalls, but I've come around to the OpenBSD point of view. If you NEED a firewall, you've got a problem. A firewall should be ONLY for defense-in-depth. The OS+services should be secure without one, then you add a firewall for that extra bit of coverage. That way, if there's a day-0 exploit for your OS+services, the firewall will protect you. If there's a day-0 exploit for your firewall, the OS+services are secure. As long as you keep both patched, you need aligned day-0 exploits in both firewall and OS+services in order to get cracked, and that's the product of 2 unlikely events, far more unlikely.
Of course most exploits are really human engineering, anyway. (Click this link)
The living have better things to do than to continue hating the dead.
If you actually go down the list of security vulnerabilities for the Linux distributions, half of it is stuff like this: http://www.gentoo.org/security/en/glsa/glsa-200410-07.xml
Every single one of those counts as a vulnerability against a Linux distro. If Microsoft had a vulnerability like that, they probably wouldn't fix it, much less publish it as a vulnerability.
-- The act of censorship is always worse than whatever is being censored. Always.
Everyone else in the IT world already knew this, but I must say that I'm SHOCKED to see this reported on /.
Is the level of irrational Microsoft hatred here at /. diminishing?
Support OS Freedom! Let people choose what they like (Windows / Mac / Linux / BSD) and don't mock them for it!
Prevent linux based DDOS's!
http://linux.denialofservice.org/
Notice how even the MS fanboys can't get around the fact that MS needs a reboot after installing a fucking game. :)
This report means nothing. We all know there are security holes in Vista that are yet to be found. How many? We don't know! It could be more or less than Linux and OS X. These results could also be an indication that Microsoft is worse at finding security holes. It could also mean Microsoft is better at hiding them. It doesn't say much about Vista.
"In Linux, you have to follow the instructions to go to Adobe and get the tarball for Flash Player 9, then unpack, and install. It's a little more work, but you generally get it from a trusted source."
Grannie isn't going to be unpacking tarballs. And not all Grannies have sons or grandsons who are Linux users/gurus. And what is a trusted source again? Grannie just knows she needs Flash (yes, she knows that much at least) and here's a little button that will get it to her.
Microsoft is all about ease of use. People accuse UAC of moving the security responsibility of the OS onto the user. Huh? Security has always been the responsibility of the end user. Is the OS smart enough to know good .exe and bad .exe? Suspect them all and make the user decide: Grannie doesn't care/know anything about '.exe', but Grannie will at least get an annoying popup requiring admin privileges if she tries opening "README.txt.exe". She'll click "OK" and install a virus, and that's exactly how the system should work. Even if Grannie saw ".exe", Grannie is still opening that sucker up. Hiding the extension didn't matter at all.
Linux will have to make the same deal with the devil one day, to sacrifice security for usability, or it will never reach the mainstream desktop.
Well, I'll be the first to admit that my C skills are pretty rusty; though I do spend a good amount of time with languages that use related structures, I haven't done any actual from-scratch projects with C/C++ in a long time. That being said, I've been able to debug, trace, and fix various projects over the last few years. Off the top of my head, some webcam drivers (I think it was for whatever driver the "Creative Webcam Go" used) as well as the OpenH323gk project.
Actually tracking down security issues, though, would be a bit harder. When you've got a bug you know about you can debug, trace, and find the source of the loop/crash/etc just by following your debug trail. With a security issue, you might not know it's even there unless it's pointed out... it's not the same as having a visible crash or malfunction in most cases.
So upgrading/fixing broken code is not too hard. Finding abstract or obscure faults is - IMHO - a lot more difficult. Even with well-commented code, you can't fix what you don't know is there. Alternately, it's sometimes a combination of your coding-type and that of the original coder as to whether a particular piece of source is readable/fixable.
Obviously a Microsoft shill from day one. It was obvious then - it's obvious now.
In twelve hours, there will be twenty security experts ripping holes in this moron's so-called "analysis."
Vista is not secure - NOTHING made by Microsoft is secure. Period. End of story. They could work from now to the end of this century, employ nanotechnology and advanced artificial intelligence - and their crap would STILL be unreliable, insecure, and complicated to use. It's a matter of corporate culture and attitude, not security knowledge or technology. Bill Gates simply does not give a shit about ANYTHING but sucking money out of his customers' wallets at any cost to those customers' well-being, corporate or home, it doesn't matter.
Nothing to see here, move along.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
How would this be any different if Linux was top dog? I'm a bot net guy, I want to make a bot net, I'm going to cast the widest net possible.
That doesn't explain why web server exploits hit IIS much more than Apache, which STILL has more installations. The widest net possible idea is less important than building your OS's security foundation on shifting sand. Windows has had terrible security because it was built on a foundation of sand. It has taken them years and years to go back and build a secure foundation that the OS can rest on.
Of the ignorance of people like the Submitter. Macs running OS X do not have viruses. That's what the commercial says. Why? Because it's true. And who gives a damn about Vista security? No one is using it. And no amount of glowing crap filled fluff pieces counting exploits will change the fact that Microsoft's complete lack of security gave us bot nets and robot spammers. And still does. Now fuck off.
Fiat Homos et Pereat Theos
You have provided, not only for the OSS world but developers in general, the single most important point when it comes to maintainability.
The problem with OpenOffice is even more basic.
You see, it was originally StarOffice, written by a German company. Have you ever looked at the source code? It's half German -- both comments and identifiers. I'm a native English speaker, and I've studied German for several years in college (I can carry on a conversation just fine), but I can't understand most of it. And they love acronyms; I usually can't even tell if the acronyms they're using are in English or German.
There are ways any huge program can be made easier for people to get started working on. OpenOffice is the only one I've looked at for which the answer is "Translate it to English".
It does make Vista look good, doesn't it? Until you look at the table, and notice that it only mentions serious security flaws that are fixed, and serious security flaws that have been disclosed but not fixed yet. It doesn't mention serious security flaws that have not yet been disclosed....
If you believe everything you read, you'd better not read. - Japanese proverb
It doesn't take long to add small features to an open source app. I wanted mpg123 to have a 'back' function. It took me all of five minutes to do this. I'm 15 years old, with no formal (programming) teaching. The task would be even more trivial for someone with more experience.
A couple more examples of how open source apps are useful vs. proprietary: I can recompile my free (as in freedom) apps for any architecture and port them to any system without getting permission (which probably wouldn't be granted), adding keyboard support to AEWM, etc.
Seriously, don't knock open source apps saying they are "poorly commented" and take a lot of time to modify. Fixing small bugs (which bugs generally are) is trivial for most programmers.
Uh oh, here come the Linux fanbois as expected. I shouldn't have to fix the bugs in my OS; I guess you have more time on your hands than most. I'll stick to enjoying my OS while you toil away fixing security issues.
Where? I don't see a link.
I want to make sure I understand you. You are saying that you cannot download a *.deb file and click on it to install? What happens when you do --what sort of error do you get?
Of course, with Ubuntu, it's probably easier to get it straight from the repository, i.e. go to Synaptic and find BZFlag (or whatever program you're looking for) and just install it. That gives you more info about the program (see how big the file is, etc.). But you should be able to download and double-click, just like a Windows file.
When it comes to giving instructions about what to do on Linux, though, a script file is probably the simplest way to do it, simply because you can just cut'n'paste it onto the command line. This applies not just to installing programs but to everything in general. So, yes, people will give instructions like "sudo apt-get install bzflag", just because it's easier than "Click on Applications, click on Internet, click on Synaptic, click on search, type 'bzflag', click on Install, click on OK." (Or whatever the specific order happens to be --I use Kubuntu, which is slightly different.)
The equivalent in Windows would be a character string like: "Start > Settings > Control Panel > Add/Remove Programs > Add > From CD". You never hear anyone complaining, "Boy, what a long complicated piece of text, with all these greater-than signs!"
If you are used to installing software by command-line, I can see your concern for the newbie who might feel intimidated by that method. But the newbie doesn't have to do it your way.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
There is a flaw in your browser software. I have emailed you an executable attachment that will resolve the problem.
[1] "By Jeffrey R. Jones Director, Microsoft Security Business and Technology Unit"
[2] "Jeffrey R. Jones, a self-described "security guy" who works at Microsoft's security division"
[3] "an overview of Microsoft's progress in improving security by Jeffrey R. Jones, Senior Director - Microsoft Security Business Unit."
[1] - http://articles.techrepublic.com.com/5100-1035_11-5173565.html
[2] - http://www.boxxet.com/Windows_Vista/Windows_Vista_News_Researcher_Says_Vista_The_Most_Secure_OS.63046006.details/
[3] - http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint031004.mspx
boycott slashdot February 10th - 17th check out: altSlashdot.org
I can't help but put on paper that this blog contains what a child of two would tell you if you showed it these results.
If I added another operating system, the one I wrote, then it would have a very low security vulnerability count. Simply because nobody is looking at my system or knows anything about the internals makes it neither secure nor vulnerable.
These numbers simply won't show you whether one system is more secure in general usage. However, anybody thinking they do should go work for Microsoft. Because these people are surely stupid enough to slow a company down.
Cancel or Allow?
(Sigh) . . . Allow .
Linux will have to make the same deal with the devil one day
Maybe not. Many distros run a walled garden of safe applications. Grandma will never need to venture out of the garden and get hurt. Linspire and Ubuntu come to mind as examples that have safe online repositories. When not installing applications and doing system configuration, the users run as users, not administrators, unlike Windows XP. Linux will never have the ease of use of Windows 95 and Windows 98. Heck, you could easily use and administer those without an account. At the login, just hit cancel. Linux has never been and will never be that easy to screw up.
The truth shall set you free!
Whoosh!
RHEL5 shipped March 14th, 2007. Why not compare its errata?
;-p
I wouldn't count any updates released on 3/14 against RHEL5 on its ship date. It's a perfect example of how OSS works and how fast patches are available. RH wanted to ship a stable version and didn't want to throw last-minute patches into the install routine. What's the first thing you do when you install a new OS? You run the tool for online updates. So on day one, 19 patches were available for all the bugs that had popped up since the version freeze to produce RHEL5.
Since 3/14, there have been 42 updates to RHEL-WS5. 11 of them have been after the 90-day mark, so that leaves you with 31 defects in the first 90 days of RHEL-WS5. That's also not using the "reduced" method to match feature-for-feature what Vista has.
However, I think the point is still always going to be that you can't have totally bug-free software. But it's how fast bugs are found and fixed. That's what Microsoft can't touch. How long do bugs go unreported so someone can take advantage of them on an MS OS? Even once reported, how long do they linger? The same is simply not true for any critical bugs found in OSS.
But it is nice to see MS finally taking security seriously. They've only been trying to do that for 5 years with their Trustworthy Computing Initiative. Why not compare Windows 2003 Server stats, since it was released after the Trustworthy Computing Initiative? 6 months showed 38 defects. If you compare RHEL5 with just the same installed features to match WS2003 in 3 more months, I wonder how it will fare?
Of course, Microsoft had the NSA help them with Vista, which proves again that the more eyes you have on the source code, the better.
I'll stick with CentOS myself... all the benefits of RHEL without the support fee costs.
And if you bothered to read further, you would have laughed at the idiot that wrote http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html as he makes blatantly false claims and uses data outside of the time period assessed. Please mod parent down as anything but insightful. But hey, this is /.; facts don't enter into it.
The problem, dear Brutus, lies not in our operating systems, but in ourselves.
Lunix's #1 deficiency is that it isn't Windows. That's going to be pretty difficult to 'fix', and creating yet another text editor isn't going to help.
You want some stuff to fix? Ok: get Lunix to auto detect and auto configure new hardware. Must function at least as well as Windows 95... a feat no Lunix distro has managed to accomplish.
Also... you might want to work on a few of these while you have your hands in the Lunix source code. Oh, and perhaps check out some of this stuff, too.
Maybe after that, you'll actually be caught up to Windows 95, rather than chasing its tail lights. Best of luck to ya! Maybe you can have that done before Windows 95 hits 15 years old?
Not to mention Microsoft's recently disclosed "stealth fixes".
Microsoft has the ability to control the "official" counts in a way that no open-source project, with its public repository and patch database, can. Even Apple, with its tradition of secrecy and surprises, can't sneak in patches to the open-source components of their software... but Microsoft can.
I run several botnets quite successfully.
I recommend you use Windows ME with Internet Explorer with ActiveX for surfing, run a public IIS on your machine for your web development needs, don't install a firewall and generally leave your system unpatched.
Let me know if I can aid you any further? Setting up your webserver for instance?
"Linux will never have the ease of use of Windows 95 and Windows 98."
That's not a good thing. That means Grandma isn't going to use it at all.
http://www.computerworld.com.au/index.php/id;306842912;fp;4194304;fpid;1
Does Windows Vista have the same level of security as that?
I would say that if they don't find that many bugs in the first 6 months, it doesn't mean it's more secure; it just shows you that they aren't able to find vulnerabilities before hackers do. So then we know that Red Hat is the one who found the most vulnerabilities, and they have "that" level of security.
I believe that finding a lot of bugs in the first 6 months is a good thing. Because if they don't find it... your computer has a hole that is just waiting for someone to use it.
Is AIDS not dangerous unless you find out you have it?
Hey, my distro wasn't on the list! I'm not using Ubuntu OR Novell. So I guess this article doesn't apply to me. How were these 'security tests' on the different operating systems performed? I like the idea of 3 computers hooked up to the internet with each running a different operating system - then give out the IP addresses and see what the actual hackers can do with each of them. THEN and only then give the results. Any 3rd party doing this research any other way is going to be shunned because maybe Microsoft is paying you off... thus the research, whatever it may be, cannot be trusted... especially from those in the Linux community. Do it right, or don't do it at all.
And you're basing that argument on 1 installation of a single game. Yeah, that's a nice and accurate way of evaluating an OS. Try calibrating your microphone for Skype. I'll give you 1 month, good luck.
