6 Months On, Vista Security Still Besting Linux
Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"
Point me at the problems in Linux and I'll fix them.
What? Can't do that with Vista?
I'll take Linux, thank you.
I don't know the meaning of the word 'don't' - J
Jeff Jones ... This time he did what the Linux community had asked.
He went and f*cked himself?
One comment and it's already dead - and not a cache link to be seen. Oh well, tune in tomorrow...
Full: http://216.239.51.104/search?q=cache:l2ZWLi31QdIJ:blogs.csoonline.com/node/218+http://blogs.csoonline.com/node/218&hl=en&ct=clnk&cd=1&gl=us&client=firefox-a
Text only: http://216.239.51.104/search?q=cache:l2ZWLi31QdIJ:blogs.csoonline.com/node/218+http://blogs.csoonline.com/node/218&hl=en&client=firefox-a&gl=us&strip=1
Sure, if EVERY action you do prompts a "You are clicking your mouse, cancel or allow", or some other message, sure that is security, but then you are left with a crappy user experience. I think Linux and Mac have got a better balance between allowing actions in user mode without authorization and actions requiring authorization.
Sorry - the previous google cache link was to the 90 day writeup, not the 6 month writeup. Here's the text of the 6 month writeup... (site is very slow right now).
;-)
...
Windows Vista - 6 Month Vulnerability Report
Submitted by Jeff Jones on Thu, 2007-06-21 11:53. Topic(s): | Client | Corporate Management | Information Security | Operating Systems
I was somewhat surprised (but pleased) at the level of interest back when I published my Windows Vista - 90 Day Vulnerability Report. It was about the earliest span of time I thought might give us some indicators, and the indicators did look good. (Though, I did not give us an "A+", in spite of some of the attributions
Six months is a much more interesting time frame, and gives us the opportunity to see if the early trend indicators are holding up, or if the early signs of progress were a short-term gain. Also, I thought it was worth going a little deeper in the analysis to look at the total fixed and unfixed vulns as I did last time, plus these additional views:
* Include a comparison view of Linux distribution workstation builds that excludes vulnerabilities in non-default optional components as well as OpenOffice and other applications that do not have equivalents on Windows XP.
* Include a comparison view that excludes Low and Medium severities to just focus on High severity vulnerabilities fixed and unfixed in the first 6 months, and
* A comparison view that combines both of these
For the full details, or to print the report, you can download the report in pdf.
For those that only want the executive summary, here is a key chart that shows the publicly disclosed High severity vulnerabilities during the first 90 days of availability, broken down by vulns fixed and vulns unfixed. Note that this chart is showing the reduced Linux builds that exclude non-default and optional components without equivalents on Windows. (Clicking the chart also gets you to the full report.)
High Severity Vulns, Fixed and Unfixed in First 6 Months of Windows, Red Hat, Novell SUSE, Ubuntu, Apple Mac
The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6 month mark compared to its predecessor product Windows XP (which did not benefit from the SDL) and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process).
If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive. If you don't share that opinion, then they still stand on their own.
Read, Enjoy, Forward.
Best regards ~ Jeff
Full Disclosure: I work for Microsoft - read my previous blog post, Exactly how biased am I?.
Also, I'd like to make a shameless plug for my other blog, http://blogs.technet.com/security, where I sometimes post more personal entries such as The Saga of My Luggage & British Air and Building My Windows Vista Media Center - Part 1 - The System.
...as popular as Linux, then it will be targeted, too. Or something like that.
http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html Updated response "Jeff Jones Vista security progress."
This should be a wakeup call to all those businesses holding back on Vista migration. Vista is clearly the better choice.
Greets
UbuntuBoy
This is stupid, Linux as a distro is a complete solution from A-Z ... Vista is a bit of a solution as its just an operating system with limited services. Why did he do it to Vista anyway? shouldn't he be doing it to a server edition of Windows?
When I see a Windows system and a Linux system that do exactly the same things and have the same purpose software installed on them, I can see the viability of the test.
Further, malware runs rampant in Windows, and nearly 50% of Vista's vulns were not patched, whereas regardless of how many Linux has, they get fixed when found. More secure? You tell me: is a nightclub more secure when the bouncer only kicks out half the troublemakers while a tougher and meaner club down the street deals with all of them?
Contradicts another post on the front page http://it.slashdot.org/article.pl?sid=07/06/27/0018252/. If Vista is on top then how could Microsoft Security be one of the worst jobs? What are they doing, too good of a job???
I eat Karma for breakfast, lunch, and dinner. That's why I don't have any.
Article seems to be slashdotted already. I think the real security test will be outside the lab in the hands of the common user. If one of the major factors in determining the security of Vista was based on Microsoft's allow/deny pop ups, then just how secure will Vista be in a year or less when the common user is tired of seeing those boxes and just starts clicking 'Allow' and lets everything through? The OS is as secure as its user is vigilant and when the user becomes apathetic to security concerns the OS loses whatever edge it had against trojans, root kits, backdoors, viruses, etc.
Look, Everybody! A company is trying to use statistics to make themselves look good, when that's not necessarily the case!
Nothing to see here, please move along...
http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html
Looks like there are several errors with the method the blogger used to evaluate security flaws
This has already been analysed at microsoft-watch, and several flaws are pointed out there, the most basic one being that counting flaws is not a good measure of security anyway.
I can explain it for you, but I can't understand it for you.
On the back of recent news that less than half of Vista "issues" have been patched, let alone publicly announced, we get another article touting the merits of two things that can't be directly compared.
Sometimes I see Open Source kicking itself in the face with all the transparency it offers, yet I'm overwhelmed with a sense of pride and happiness that communities can develop such a transparent process in the public eye.
Discovering problems and exploiting them in a closed source product is quite a daunting task - I'd say almost 4 times as much work as exploiting a system where you can compile debug symbols into the binary, and nothing short of 1000 times harder than if you had the source code. What these "reports" and discoveries show is that layers of obfuscation act to confuse people as to the actual level of vulnerability you're exposed to.
There are many vulnerability hunters out there, now, employed by governments across the world simply to "dive in" at a deepend of closed applications looking for exploitable code - closed source simply means that only wealthy, bigger teams will be successful. Open Source means that anyone can help thwart these hunters, makes vulnerability research fair game, and most importantly, accepts community involvement into the fixing and pre-emptive policy that makes OS software better software.
Matt
One canard trotted out by MS defenders *used* to be "Windows has more vulnerabilities discovered because it's so popular, everyone attacks it!". Watch for that line to be modified in the coming months as more MS proponents switch to "it's more secure by design". Keeping the "only more vulnerabilities discovered because it's so widely installed" would imply that Vista is not widely installed/used, which is not good PR.
So, when Linux had fewer vulnerabilities, it was because it was obscure. When Vista has fewer vulnerabilities, it's because it's fundamentally more secure. I'm not trying to be sarcastic here - it may very well be *true*. It's just something to keep in mind as you watch the never-ending stream of these 'vulnerability/exploit' reports come out every few months.
According to Netcraft it's running Linux ;)
64.28.79.84 Linux Apache/2.0.46 Unix PHP/4.3.3 13-Mar-2007
I guess you know you're trolling, and that's why you posted AC. I'm going to bite anyhow, even though I know better.
Yes, Linux is not entirely user friendly yet. No denying that. But maybe you mean 1%, as you said... It's not really a good troll your way.
And yes, apt-get is a -lot- easier. Why? Because you left the steps out on the Windows side where you search for some utility on the web and have to wade through search results that mean nothing and attempt to find what you want, or you could just apt-get install it. 1 step, not several.
As for your game installation example, maybe you should pick something actually made FOR Linux, instead of hacked onto it later. Darwinia, for example: http://www.darwinia.co.uk/downloads/demo_linux.ht
Check out those complicated instr... err, no. You just download and run the file. Okay, you have to make it executable first. Just a bit of security there. At least it didn't ask you 'cancel or allow?' about 5 times.
Including the steps to set up video properly is a bit disingenuous unless you include the steps for Windows as well. Including finding and downloading the proper drivers for sound, video, motherboard chipset, etc. Is it easier on Windows? A bit, yes. But the steps still exist.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
There are still a lot of problems with this 'comparison'. For instance:
- The 'reduced feature set' used for the comparison still contains a lot of software not included with Windows
- All information is based on what the company behind the software discloses. I believe that not all holes in Vista that MS knows about are disclosed. It is also not unlikely that what Microsoft calls 'critical' is not the same as what Canonical calls 'critical'. In any case, different measures are used for the different OS's, and you can't compare things that are measured in different ways.
- The usual 'less known holes != safer' discussion...
I personally don't know which OS is safer, but based on these numbers, I am not going to draw any conclusions.
Jan
Why should I care whether or not people run Linux, or Windows, or *BSD, or Mac OSX, or Novell, or freakin' Amigas? At home.
Run whatever the fuck you want.
The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
This actually looks like a fair comparison.
On the other hand, nobody's vetting the Vista source right now. And there's no indication of what the various vendors mean by "High Priority" -- is it something that only the locally logged in user could trigger? Is it a vulnerability that would allow for remote exploits? Is it a remote attack at all, or does it just open up the possibility for trojans?
What we'd need is an independent service listing the vulnerabilities and ranking them themselves using the same criteria for each operating system. Until that comes out, I'll say Vista is more secure for now. But as crackers become more familiar with the system, the rate at which new vulnerabilities in Vista are identified will increase.
He's not comparing vulnerabilities - he's comparing vulnerability disclosures.
It's not a measure of how secure the OSes are - it's a measure of how secretive the makers of the OSes are.
....
I installed Quake 3 on my first day of Linux. Copied the files from the disk, ran the Linux stuff from Id. In all I had to use 3 maybe 4 commands total, and the only web site I went to was Id's site. It was basically the first thing I installed after doing my Red Hat installation. I never really got into using Linux, but it's not the quagmire you believe it to be.
You mad
1. Vista isn't exactly in widespread use. The sort of people who poke holes in Windows and use it for spam bots etc will concentrate on XP for now as it is much easier. The anti-piracy and activation make pirating Vista a little harder, again this means the low life will not use it for a while.
2. Linux is easily available to all. Plus people identifying security holes are helping out, they do it to improve the product. They would do this for Windows too, but they don't have access to the code.
3. Mac OS uses a lot of open source tools, gcc, samba etc.. these have bugs and holes identified from time to time. So Apple naturally has to plug them.
"I was shocked"
Perhaps you were, and cue the trolls and me.
I got my first Mac 3 months ago (a MacBook Pro) and I am not going back to Windows, perhaps Linux (have replaced my Windows desktop with Ubuntu at work a long time ago).
But of course this is /. so I am not the average user.
Microsoft must be happy with the huge userbase that happily has bought their products for years until the day they could finally get what they were promised. Of course I am now trolling here, I have not tried Vista so I don't know anything about how good it is, but the story seems to be repeating itself for every OS release.
Linux Apache/2.0.46 (Unix) PHP/4.3.3
lol
Yeah, what's up with Apache being such a RAM hog? I recommend the author switches to lighttpd or nginx.
A good way to reduce the possibility of malware affecting you in Linux is to run your browser as another user. It's easy to set-up, almost pain free, and means that, barring local root exploits, it can't delete/alter your data, modify your login scripts etc.
I'm sure it's possible to do in Windows - runas firefox.exe - but I haven't tried it.
I just RTFA, and like most research, the thing is a bit artificial. Ok, I'm not a security expert, nor a statistician, but the thing reads like a drug company pamphlet. The nature of vulnerabilities, their implications on end users, are not taken into account. They weren't in the previous research either.
And just like a new drug that comes onto the market (not talking about XP, though I've just come to like it - pity it's on its way out), Vista has the benefit of 'beginner's luck' because
At least that's how I see it. The best way to judge the security of an operating system is by anecdotes of security breaches, what they cost to companies and how easy it was to recover from them.
When you hear about teenagers having keyloggers in thousands of Windows XP boxes, then it quickly becomes apparent what kind of security XP offers. It's great for games, for file sharing, for shit that doesn't matter. It's not great for storing your accounting records, tax returns and doing online banking. Similarly, using Vista for the same thing is a bit foolish. Not advisable to trust your life savings to an OS during its honeymoon period.
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
I'm still not buying Vista. I have an OS that does what I want and works well. I don't have to pay money for it, and all it requires in return is a bit of patience. It lets me run my applications, does so efficiently, without nag screen, cd keys, and other f'ing hassles.
Tom
Someday, I'll have a real sig.
Quidnam Latine loqui modo coepi?
I had to laugh, but funnily enough, as soon as I posted, the site loaded and I got to read the article, heh heh.
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
I've been running Linux as my desktop exclusively now for about five years. No viruses. No worms. No adware. Oh yeah, and it's free as in beer. The security on it just works. My vendor sets up the firewall for the appropriate level of paranoia "out of the box". Tools for system auditing (chkrootkit, nmap, etc...) are usually installed by default. When Windows can do all this for free, I'll give it another go. But until then, any such study I see is largely theoretical.
The problem is that he is like me; he does not know the enemy's OS. So, what he did was pick through the OS install and decide what sounds like it belongs and what does not.
What is needed is for a Linux distro guy who has good knowledge of Windows (or perhaps somebody from Wine) to re-do this report. And if it shows that MS did a better job on addressing security, I would suggest that the distros need to get their act together. For the last 5 years, the Windows fanboys have run around saying that the # of Windows installs is the attraction for security problems, while those in the know say it has to do with ease of cracking. If this report is real, then Linux just went below MS and that will attract the vermin to us. IOW, we MUST remain above MS in terms of security to prevent having the security attacks that MS has.
I prefer the "u" in honour as it seems to be missing these days.
I approach this as someone who does not know a tremendous amount about how to measure security flaws, or what various security flaws really mean...
But the survey listed also shows Windows XP as the second most secure operating system of the ones surveyed.
I can believe that Microsoft improved their security with Vista. But if they also tell me their security was great with Windows XP, I have to conclude that they're fudging the numbers.
Philip Sandifer's academic website
Since Open Source rigorously discloses every flaw known in it, what is the value of comparisons of one Vendor's chosen disclosures versus that which is 100% transparent?
None
Microsoft only discloses what it has to and is often at odds with security researchers about problems only to be proven wrong later. One claim from a blog was that Vista shipped with 60,000 bugs. How many of those are documented for the public?
I can say that on my test certified Vista machine, brand new from Dell, I've already seen the network card totally disappear from the system only to reappear again an hour later. The Broadcom diagnostic tool reported no hardware issues. The Explorer shell still crashes/stalls frequently. Files get locked with no way aside from a reboot to unlock them. Wifi fails to reconnect to the same network it was previously connected to when SSID broadcast for that network is disabled. I just tried restoring a hibernated laptop, previously connected to a domain. Black screen & hard reboot.
Beyond that, on this brand new machine, specced for Vista. Vista is SLOW.
MS, concentrate on making Vista better instead of having people do useless studies. kthnxbye
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
I keep hearing that Linux isn't user friendly. But people are so used to Windows that they find anything else pretty much alien to them.
But then you read stuff like this and realise it's not as hard as people think.
http://www.cio.com/article/120452
Sure, if stuff breaks it can be hard to put right, but the same is true if your Windows PC won't boot and you don't know much about computers.
As Windows' defenders are wont to say, "Windows only has more known defects because it is the most popular OS." In this case, Linux and OSX have more security defects because they have had more exposure, right?
Just sayin...
Because, most likely you cannot, more than likely someone else won't, and even then you might not apply the fix should it become available.
Its human nature. Its far easier to take an easy shot at someone else other than act. Oh sure I can say I will fix it, but fact is its easier to say so on some message board that take the action.
Look, with Vista they have a vested interest in correcting the bugs. For those in Linux I cannot overcome I can only hope someone else sees it as important enough to warrant a fix. That's the crux of it. Sure I could do it, if I had time, if I had the knowledge, if I had the resources. Saying "with Linux you can just change it" is akin to handing someone a bunch of parts and telling them if they don't like the car they can fix it. Being able to use something, having a generalized knowledge of how it works, is all a far cry from being able to actually change it.
So while cheap shots at MS are the forte of many, we can't forget that just because it's open source, it's Linux, that we have the power. The opening is there, just don't expect someone to walk through it.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Why should I care whether or not people run Linux, or Windows, or *BSD, or Mac OSX, or Novell, or freakin' Amigas? At home.
Run whatever the fuck you want.
Because the spambots that have pretty much ruined email are running on window machines.
Sux is your friend, despite its name.
Karma cannot be described by words alone.
This part has "PR shill" written all over it. No techie would ever write this.
Probably Microsoft has hired some more people to work on "guerilla marketing" techniques, just like they did with the People Ready campaign.
Every expression is true, for a given value of 'true'
Rather than take his word for it why not just check at Secunia.
Vista
Ubuntu 6.06
"We are all geniuses when we dream"
- E.M. Cioran
I'd just like to say I'm thrilled to be able to say this.
If Vista was a bigger percentage of the PC market, there would be more exploits for it.
Pay back's a bitch, ain't it?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I hate these flipping biased "reports" (from any side). But as far as UAC/Vista goes... anyone who thinks that it actually is worth a d4mn, just go to the command prompt and try to delete that folder that forced UAC authentication. What? It works?? Security my ace.
TODO - Insert Creative/Witty Signature
Yes, because typing in "apt-get" or "emerge" makes so much more sense to new users than double-clicking an icon that says "setup".
There are many new users, more specifically the older ones, that are more comfortable with a keyboard. It looks to them like a high-tech typewriter, which they already are comfortable with. The mouse, on the other hand, often gets astonished looks. I have given up on being surprised when someone asks which is the left button.
Well, yes...
In the corporate world, vista's marketshare is currently massively smaller than xp/2003, and smaller than linux, solaris, macos and hpux too... Businesses won't deploy vista for another year or more.
For this reason, vulnerability researchers will not be focusing on Vista yet, though if they find a vulnerability in earlier versions of Windows they may check to see if it's still present in Vista.
Linux, which has a sizeable server marketshare is a significant target for vulnerability research, and that research is much easier to perform because the source code is available, so you get more value from your time doing research on a platform for which you have source, which goes some way to counterbalance the number of people actively looking.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Just like most users, the hackers can't find their way around the new OS, either. Just wait until Service Pack 1 comes out. I hear Vista gets ribbons! Now it will be *really* super-secure.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
I looked at the user comments at the bottom of the article. One juicy tidbit was this link..
http://www.microsoft-watch.com/content/security/microsoft_is_counting_bugs_again.html
The biggest bug in Windows is between the chair and keyboard. The item in question is gullible, has admin privileges, and can run widely dispensed Windows specific code. As a sample of this, just look at the members of any botnet and the OS in use.
Anything that doesn't run Windows code and has the default of not running admin is more secure than patched Windows in most cases.
Vista still runs Windows code, its biggest fault, but it seems to be driving towards better system security and user permissions.
The truth shall set you free!
Ah, the classic installing Quake 3 on Linux vs. Windows post.
That has been posted several times etc, now by MS fanbois, give or take a few variations.
I run both, but have yet to try WoW on linux, is it even possible???
If so, then I may make the ever eternal switch and become a linux only user.
Only to idiots, are orders laws.
-- Henning von Tresckow
What he's doing is taking the OS as it is installed. Vista and XP have so few programs installed by default. Ubuntu and OS X give you a ton of applications with the OS, so there are more opportunities for security flaws. When it comes down to it, these reports, regardless of their outcome, say what the reporters want them to say. Security is a tricky thing, and every operating system is vulnerable. People should be focusing on better security practices rather than how many flaws there are. And companies should focus, not on how many flaws they have, but on how quickly they can patch those flaws, especially when they are the sole patchers in the case of proprietary operating systems.
Can't they get an impartial and respected analyst like Rob Enderle or Maureen O'Gara to publish their foregone conclusions for them any more? They have to rely on an employee's blog entries?
Help stamp out iliturcy.
Jeff Jones is "strategy director at Microsoft's Trustworthy Computing group".
What that report and its blatant misuse of statistics shows is only one thing: Microsoft's Trustworthy Computing group employs morons.
Yes, the OpenOffice code base is complex. Show me another application as functionally complex with a similar architecture that's easy to fix.
You also sweep away all of the *many* other ways to participate in a project to help it along.
Finally, nearly all OSS projects are driven by one or two people coding with other contributions (testing, bug reports, documentation, packaging, translations) kicking the projects into high-gear. There are a few that are so big the leaders code contribution is a small part, but that's the rare exception.
OT Rant: OO.org team: please move to GTK+.
Or worse, you can use a tool like xremote to hijack the keyboard/mouse and interact with the programs you have running, including root shells if you have one open!
We need a way to restrict xauth, so you can grant a host/user limited access to your X server, such that they can only interact with their own clients and cant keylog or kill other X resources etc.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
After reading this report I've decided to abandon my 11 years of Unix experience and head back over to Windows. Clearly when I made the switch to Unix/Linux/BSD systems back in the 1990's I was misinformed by my years of experience working on windows and suffering with viruses and vulnerabilities. I must have just jumped on the whole Intarweb band wagon. Silly me.
Clearly it is all just about security and nothing to do with lighter faster operating systems tailored to specific purposes. Nobody cares about focused tool sets. Nobody cares about vendor independence. Nobody needs to have a system open enough that you can get at every aspect of the OS because nobody develops software that could possibly need that level of understanding. Nobody cares about a free, open, and stable software development suites... Nobody really cares about precisely tuned servers in clusters... or embedded systems... or monotonic scheduling...
I certainly don't. Not after this study. No sir. I'm making the switch now. Yep. Don't try and talk me out of it.
Kind of a funny story considering some security vendors claim Vista is less secure than XP: http://www.zdnet.com.au/news/software/soa/Microsoft-partner-Vista-less-secure-than-XP/0,130061733,339274261,00.htm
Based on my early experiences with Vista in our beta roll out, users are generally annoyed with Vista's security features and will likely turn them off once they are savvy enough to do so.
The VPN compatibility problems they are having with major vendors such as Juniper's VPN solutions also give me reason for pause. Some users will basically start taking files home with them and emailing them to co-workers since they cannot use the VPN. This is a major concern when it involves personal data. Vista may be an improvement on the home front, but it is plain not ready for business.
Good grief! It's been YEARS!!! since we first heard about the superior nature of Linux/UNIX security, and we still see a crapflood of articles about it every time there is a slow news day, like when all the information about the first generation iPhone finally emerges and there are no more iPhone stories in the queue, then BAMMO! Right on schedule, another story about LINUX vs. Windows security. This story is even a TROLL, all on with a headline about Vista besting Linux. What crap! ENOUGH with these LINUX/Windows security shootout stories, already!
If you mod me down, I shall become more powerful than you could possibly imagine.
These comparisons are a joke. The number of bugs or vulnerabilities itself is completely meaningless because of the wide variety of issues you can have. For example, would you rather have 10 vulnerabilities that each enable a malicious Web site to crash your browser, or 1 vulnerability that enables a malicious Web site to browse your local disk?
Vista still encourages users to run with higher privileges than necessary, and the platform is still host to over 99% of the viruses and malware ever created. It is not even recommended to run Windows without third-party security enhancements such as anti-virus. Many will tell you to run it only in a virtualizer, not on bare hardware, so you can wipe the Windows "disk" every night and start fresh the next day. In fact, Microsoft will tell you to do that, it's what VirtualPC is for.
Anyone who believes this crap deserves Vista. Enjoy.
The fundamental failure with the phrase "Vista is still more secure..." starts with the incontrovertible fact that Windows is shipped as a black box.
The temporary absence of security issues with Vista means nothing because neither the scope nor the scale of exploits is known. That is commonly described by the phrase "security through obscurity."
History has shown that Microsoft's approach to security is to talk a good game. Period. While I do not doubt Microsoft has hired excellent security programmers, their contributions don't make it through the management gauntlet.
Another way to highlight my point:
When you buy a windows-equipped box will you:
1. Use email on win32 without an antivirus application?
2. Go on the internet on win32 without a firewall?
3. Run win32 without a NAT?
I propose the following experiment instead:
Computer 1: Linux desktop distro immediately after install with no firewall script.
Computer 2: Vista equipped PC straight out of the box with the windows supplied firewall disabled.
Computer 3: Mac OSX straight out of the box.
Run tripwire on all three machines and put them directly on the internet. (aka no NAT)
That might be a better way to compare default security of OS's.
We give up, we'll go home now, and install Norton Antivirus and Windows Defender with the rest of the lemmings.
The *only* way to "measure" security is to "measure" breakins. You can talk about technological advances in architecture, but abstracting security to bug counting is goofy. Linux systems don't get broken into, because there simply aren't ways to get at them, particularly on the desktop. With things like AppArmor and SELinux your browser is isolated from other processes, every distro ships with the "desktop" version locked down (100% firewalled) by default, and samba, cups, and the other common network daemons (ntp? ssh?) are mature suites with excellent security histories.
I can't get the article to open, but I'm curious as to the vulnerabilities which he counted. How many of them actually have real world applications?
Here is how I would come up with a synthetic benchmark of security:
1. Admit that it will be synthetic, and is ultimately an exercise in mental masturbation
2. Count the bugs.
3. Remove all bugs that have no possibility to be exploited, and all "fixed" bugs.
4. Separate bugs into "server" and "desktop" bugs.
5. Multiply bugs by an index number between 0 and 1, with 0 being harmless bugs, and 1 being bugs that give you "root".
6. Total up bug indexes.
7. Now, count all fixed bugs (excluding impossible to exploit ones), multiply by a "damage index" (see #5), then multiply by (Time to fix bug, measured from release of software)/(Time software has been released). Add this to your result from #6.
8. Voila! You've now posted something that will most likely compete favorably with MS's bug number. It will also still be totally useless.
Let's give Jobs, et al. time to produce their own twisted statistics to prove exactly the same thing for their own OS's.
just remember there are 3 types of lies, "lies, damn lies and statistics".
Not that I'm claiming he's wrong, mind you, just that history has proven to be a battle of seemingly erroneous statistics stacked on top of one another that seem to claim totally different things.
Is it going to make me switch to Vista? No... But I can't say I really care either; probably the most insecure part of my home server is the code I've written for it!
A good way to reduce the possibility of malware affecting you in Linux is to run your browser as another user. It's easy to set up, almost pain free, and means that, barring local root exploits, it can't delete/alter your data, modify your login scripts etc.
Instead of messing around xhost, sudo, wrapper-scripts (as one of the comments suggests), etc, and opening up the security holes that entails, just launch Firefox like so:
ssh -X ff@localhost firefox
(You might want to create some keys, change ~ff/.ssh/authorized_keys, etc, to make this a bit easier, but I'm sure you get the idea. You might also need to make sure X forwarding is enabled, but it typically is by default these days.)
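The setup described in the post above, worked through as an added example. This script was written for this edit and is not code from the original comment. It assumes a sandbox account named ff, a dedicated key pair at ~/.ssh/id_ed25519_ff, Firefox as the browser, and an sshd on localhost with X11Forwarding enabled; every one of those names is an assumption, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the original post): run the browser as a separate
# local user over "ssh -X", so the browser process runs with that user's uid
# and cannot read or modify the launching user's files.
# Assumed names: sandbox user "ff", key ~/.ssh/id_ed25519_ff, browser "firefox".

SANDBOX_USER=ff
SANDBOX_KEY="$HOME/.ssh/id_ed25519_ff"
BROWSER=firefox

# Accept only a conservative username syntax: the name is interpolated into
# an ssh command line and an authorized_keys file.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# authorized_keys entry for the sandbox account. "restrict" turns off every
# forwarding, the pty and rc files; "X11-forwarding" turns only X back on;
# the forced command means this key can start the browser and nothing else.
authorized_keys_line() {
    prog=$1; pubkey=$2
    printf 'restrict,X11-forwarding,command="%s" %s\n' "$prog" "$pubkey"
}

# Client options. -X asks for untrusted X forwarding; ForwardX11Trusted is
# forced off because some distributions (Debian's ssh_config, for one) default
# it to yes, which silently turns -X into -Y and lets the sandboxed browser
# read keystrokes from every other window on the display.
ssh_opts() {
    printf '%s\n' '-X -o ForwardX11Trusted=no -o BatchMode=yes -o IdentitiesOnly=yes'
}

# One-time setup, run as root: create the account and install the restricted key.
setup_sandbox() {
    pubkey_file=$1
    [ "$(id -u)" -eq 0 ] || { echo "setup must run as root" >&2; return 1; }
    [ -r "$pubkey_file" ] || { echo "usage: setup <pubkey-file>" >&2; return 1; }
    valid_user "$SANDBOX_USER" || { echo "bad username" >&2; return 1; }
    id "$SANDBOX_USER" >/dev/null 2>&1 || useradd -m -s /bin/sh "$SANDBOX_USER"
    home=$(getent passwd "$SANDBOX_USER" | cut -d: -f6)
    mkdir -p "$home/.ssh"
    authorized_keys_line "$BROWSER" "$(cat "$pubkey_file")" > "$home/.ssh/authorized_keys"
    chown -R "$SANDBOX_USER:" "$home/.ssh"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Everyday launch, run as the normal desktop user.
launch_sandbox() {
    [ -r "$SANDBOX_KEY" ] || {
        echo "no key at $SANDBOX_KEY; create one with: ssh-keygen -t ed25519 -f $SANDBOX_KEY" >&2
        return 1
    }
    valid_user "$SANDBOX_USER" || return 1
    # ssh_opts contains no whitespace-bearing values, so unquoted expansion is safe here.
    exec ssh $(ssh_opts) -i "$SANDBOX_KEY" "$SANDBOX_USER@localhost" "$BROWSER"
}

case "${1:-}" in
    setup)  setup_sandbox "${2:-}" ;;   # sudo sh sandbox-browser.sh setup ~/.ssh/id_ed25519_ff.pub
    launch) launch_sandbox ;;           # sh sandbox-browser.sh launch
esac
```

Generate the key first (`ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_ff`), run `setup` once as root with the .pub file, then `launch` as yourself. What this buys you is file-system separation: downloads and the profile land in ~ff, and a compromised browser holds only that account. It does not protect against the local root exploits the post mentions, and the X display stays shared, which is why the untrusted-forwarding flag is pinned rather than left to the client config.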
I'm sure it's possible to do in Windows - runas firefox.exe - but I haven't tried it.
Works fine. Easier than it is in Linux as well ;).
Windows Security is such a boring job, all you do is sit around watching the computers on the network run flawlessly. Look at the sad sack Maytag repairman in all those commercials and ask yourself, 'Is this how I want to end up?'
Sorry but Windows is insecure ... IE7 runs as an Admin so the Internet has access greater than you do...
...
On Unix/Linux/MacOSX the Browser runs as the user and so is secure even if it is bug ridden
Based on all this score ranting, can I assume that you use futuremark to compare ati vs nvidia as well?
My point is this: my coworker had her brand new vista laptop owned to the point of explorer repeatedly crashing on bootup after just two days of websurfing!
I'm sure you can blame this on user error, and I would even agree with you, in fact it proves that any scores on your linked test are all but irrelevant in comparison to end user's being tricked into installing trojans on their own machines.
At least that's how I see it. The best way to judge the security of an operating system is by anecdotes of security breaches, what they cost to companies and how easy it was to recover from them.
No, that's an atrocious way of judging security, because you're not measuring _security_, you're measuring _frequency and impact of exploits_.
An exploit is not necessarily indicative of a security vulnerability. Especially since the most frequently exploited part of the system is the user.
When you hear about teenagers having keyloggers in thousands of Windows XP boxes, then it quickly becomes apparent what kind of security XP offers.
No, it becomes apparent how much it has been exploited. This says nothing conclusive about security. Correlation != causation, remember.
Not advisable to trust your life savings to an OS during its honeymoon period.
No sillier than trusting any other OS whose only measurable, verifiable advantage is that it's been exploited less.
Default installs should BOOT INTO FSCKING VGA MODE.
I solve 99% of Linux installation problems by rebooting and editing the X config file to say "vesa". Why can't this be the default?
Ubuntu is a zillion times worse because it sets some weird 32-bit graphics mode for the install process. What's up? 256 colors not enough for an installer?
Madness.
The overall security of a system can't be measured just by how many bugs are found, because two different operating systems:
- Have a different user base
- Have a different number of developers working on them
- Have a different design
- An average sysadmin for one kind of system and an average sysadmin for the other usually have different levels of qualification.
- The interest of crackers on those systems differs
Plan 9 will certainly have fewer bugs than GNU/Linux because the codebase and complexity of those systems are amazingly different, and also GNU/Linux has orders of magnitude more users than Plan 9. There are lots of GNU/Linux sysadmins and not too many people with knowledge of Plan 9. Plan 9 has lots of experimental features, but it grows slowly. GNU/Linux grows at an amazing rate, but tends to be more conservative about its design. Also Plan 9 is developed by a single team, while GNU/Linux is a collection of different efforts, so it's hard to tell where it starts and where it finishes. There are probably very few, if any, Plan 9 servers, and very few, if any, crackers targeting Plan 9.
The same goes for Windows Vs. GNU/Linux.
1) The design of the systems is quite different, so it doesn't matter if an exploit is found; the important question is: does the design of the operating system make those exploits easily exploitable? And also, you may choose to run any services/programs on your server; they are third party. Let's not talk about bugs in those applications: does the OS itself have important exploits, and what does the OS do to prevent bugs in third-party apps from being exploited? Also, we may have a system with no bugs but with inherent design flaws that make it insecure anyway.
2) Are we comparing the right versions? That is, Vista is a secured version of Windows; they are not using XP to make the comparison, so shouldn't we choose SELinux or similar?
3) Does the system provide you with enough tools to detect, debug, and correct possible vulnerabilities? Can you create a workaround for the vulnerability?
4) GNU/Linux doesn't do this fancy shit of bringing "new" versions to the market. We just upgrade, so we are comparing the amount of vulnerabilities found on a new OS vs. an OS with an important userbase.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
You seem to be pointing the finger squarely at the developer. Most often that is not where the blame should reside.
I would point out that if you are on a deadline for delivery, things get cut. It's just business. Managers fully support good documentation, well planned naming conventions, well structured code, etc... just so long as it doesn't interfere with getting the product out the door on time.
And... FWIW... I also have tons of source (both open and closed source) to maintain, modify, w/e...
Could someone count the botnets out there per operating system? I don't care so much about vulnerabilities so much as all the spam I get from compromised machines. Or put another way, it's not the holes but the number of active exploits that we should be counting.
... just didn't remember it all that clearly, that's all.
For the Blackadder deprived, here's the original one:
Baldrick: "I have a cunning plan!"
Blackadder: "Baldrick, you wouldn't recognise a cunning plan if it painted itself purple and danced naked on top of a harpsichord singing 'Cunning plans are here again'."
That's truly insightful, you know. If you read to the bottom of the page, it says "I work for Microsoft".
You can't really list the published vulnerabilities and say for certain which OS/platform has the best or worst security. You've gotta look at practical daily use. Windows Server 2003 versus Red Hat Enterprise Linux 4 or Tiger Server? I couldn't tell you which one is more vulnerable. A good sysadmin can keep either up and running if they're vigilant, and they all require care and feeding.
The real test is on the desktop--where the dumb users are.
I work at a University. I support Windows, Linux, and MacOS X boxes.
Guess which one has the most security problems? [Note the past tense]
Windows. Granted, it's XP. Why? Because most of the established scientific applications (the ones we use) don't work on Vista yet. Vista might prove to be a better mousetrap than XP with regards to security but we thought the same thing about XP SP2, right? Time will tell. Ask me again in 18 months.
Number 2 on the security problem list is linux. They are largely run by grad students in research labs (read as high turnover for greenhorn sysadmins). Sometimes, if we're lucky, we see some more interesting exploit injections but unpatched boxes with some sort of service running were usually quick and easy targets.
Amongst our 1500 Macs, I've only heard of 2 instances where they were compromised. In both cases, the vector of intrusion was SSH and a weak password. Despite all of the published Mac OS X vulnerabilities and sky-is-falling rhetoric from the security experts, I have yet to see any "real" exploits for them here on our campus.
Well, why the hell does that mean anything? Until this last semester, most of our campus was using static IP addresses in public addressable space. No firewalls, limited ACLs, and our computers exposed directly to the internet on a fat pipe. We've had botnet zombies out the wazoo, rootkits from hell, network scans from every black hat in the known universe, and pretty much every trick in the book has been thrown at us. [One of the reasons for our fancy new network with NAC]
The only thing that knocked-over our Macs were common dictionary attacks on SSH. Since most Mac users are completely ignorant of security (present company excluded, of course), that was a bush league exploit. Nobody ever exploited Safari bugs or any of the other services.
The scariest thing on campus are the Windows rootkits. None of us know how many "Cylons" are among us. By the time we find one, it's way too late. Linux rootkits are ugly, too, but are not nearly as common.
As far as Vista vs Linux--again, time will tell. If you really want to know for yourself which is better, set them up side by side and hang their asses on public addressable network spaces. You'll find out which one has the best mojo for keeping out intrusions soon enough.
From my own experience, I'll put my money where my mouth is with my Mac any day.
I might know what I'm talkin' about, but then again, this is Slashdot...
There are several fundamental flaws in the arguments in this article:
- He compares OS vulnerabilities of the first 90 days since first release. This doesn't tell us which OS is the most secure at this moment. Merely, it tells that more recent OS's have undergone more testing prior to release.
- He notes 125 known issues with RHEL prior to release compared to 0 for Windows Vista, but of course no vulnerabilities are known prior to release as Vista is closed source and has not been available for public scrutiny, while RHEL is built on available open source code.
But that's not all, differences in how bugs are classified may make some OS's appear more secure - it is known that Microsoft has classified vulnerabilities as bugs thus reducing the "official vulnerability number". Without a strictly uniform and independent classification scheme for bugs, there is simply no data to compare.
A reasonable comparison would compare the OS's vulnerability issues the past 90 days, that is with fully patched systems. Known issues that have not yet been patched should not be included as this simply is caused by the longer time for scrutiny of older OS's. Secondly, bugs must be classified in a coherent manner: Remote root, remote user, local root, local user, DOS etc...
This document is useless in the discussion of which OS is the most secure to run as of today. There is no way that a conclusion can be made in favour of any OS on the list.
It appears that OpenBSD remains the most secure system, and I bet FreeBSD is a strong contender.
Too many of these comparisons are apples and oranges things. If you run you Ubuntu box as root, you are heading for trouble. Running Windows as an administrator also exposes the user to significantly enhanced risk. If you are concerned with this risk, run as a normal user. I do. Your risk will be much lower. Vista makes it much easier to run as a normal user. My wife and kids have normal user accounts on our modern machine. I will be trying to "upgrade" my old XP box (an older Win ME box I upgraded to XP with an additional 512 MB of RAM 3 years ago) to Vista home basic for the improved security support.
Apart from microsoft propaganda and support of course. And the 'bragging rights' effect, of people who always want the swankiest laptop with the newest stuff.
Haha, its pretty funny reading all of these responses. How about giving Vista a break for a chance penguin lovers?
Just what you would expect from Microsoft. How about Slashdot adopt a policy that it will *never* publish an article which refers to an article in which Vendor A says Vendor A's products are better than all the competing products? I know, that would eliminate 90% of the so-called 'news' out there, but if there was ever a case where Sturgeon's Law applied, it is to PR fluff pieces like this one. For the most part, on a single-user system, the only thing that matters is 'How many remote exploits allow an attacker to modify the system?'. In 10 years of running Linux, I've had that happen once (the old wu-ftpd teardrop attack). God knows how many Windows systems have had to be cleaned up. I have to admit, I have no idea how secure Vista is or isn't. I don't plan to find out. Even without security flaws Vista is an extremely poor value.
This seems to have the same flawed logic as the last time, which I posted about (and which I can't find to link to, sorry), which is this:
THE TOTAL NUMBER OF VULNERABILITIES IS IRRELEVANT.
See, the problem is, we have no idea what the total number of vulnerabilities is for a given OS, thus it is meaningless to compare the absolute numbers. It is however meaningful to compare the %, and from that you get a different conclusion:
- approx 30% of currently reported Vista bugs are High Severity. Or, the odds of a new bug being high severity is 30%.
- 25/45 (55% or so) of XP bugs are High Severity.
- 98/348 (28%) of RHEL bugs are High Severity
- 52/160 (32%) for Ubuntu
- 20/75 (26%) for Mac OS X
At best, we can conclude from this that Vista is almost as good as Linux / Mac now. At least, in the absence of other factors, such as low adoption rate (low # users = low # of reports, all else equal) and "undisclosed, reported" vulnerabilities, both of which are unaccounted for in the article.
It is also important to remember that these numbers only represent vulnerabilities that:
1) were discovered by a user (which is easier to do if you have the source)
2) reported to the vendor (which in my experience is more likely in a receptive OSS community than a corporate environment)
3) are disclosed by the vendor (again, more likely in OSS than corporate)
Thank you, but I'd rather stay with my less secure Linux. Not because I hate Microsoft or someone told me it was more secure. The reason is my personal experience with Linux and with various Microsoft Operating Systems. I know it's kind of early to judge Vista alone, but I do see a pattern in Microsoft products security.
As it also depends on what is turned on and what is turned off.
Still an apples to oranges comparison..
Was either a comparison of Windows Vista security flaws as it ships from Dell with all its third-party software versus those distros (given that's how a lot of users are going to "get" Vista: crammed with third-party apps from the manufacturers they buy their PCs from), or a comparison against an OS that followed the same business model (Solaris 9 perhaps? HP-UX? AIX?). It's really hard to sit back and say "we're so secure" when the basis of comparison is moderately flawed in the first place.
In a lot of ways, Mac OS X is perhaps the best thing to compare Vista to in that regard, but even that's a little tough.
How would this be any different if Linux was top dog? I'm a botnet guy, I want to make a botnet, I'm going to cast the widest net possible. You think if Joe Sixpack was running Linux he _wouldn't_ click that file promising him "free smileys" or constantly keep his stuff up to date? And if the "bug" in question doesn't have admin privileges on a home system, who does? Try explaining the idea of "admin" and "user privileges" to someone who thinks a CD tray is a drink holder. Good luck!
I used to sysadmin in an elementary school. We had over 100 PCs -- Maybe 40 different hardware configurations. Windows 95, windows 95 OSR2, Windows 98, Windows 98SE (We also had one XP machine -- no more than that because Windows Multiuser support works differently in NT than in Windows 9 -- and nowhere near as well). So what would happen if I set out to install some high class piece of Windows software in 100 machines?
Typically, it would install fine on about 91 machines. Six would fail for some reason -- typically a missing DLL or a recently installed DLL that only was present on machines that had some specific software package installed. Two of the remaining machines would have unique problems -- often not shared by conceptually identical PCs elsewhere in the building. And one machine would melt down completely. So, I have half a day of installation, three half day debugging jobs and another few hours of work to get the destroyed machine back on line.
It took a few years, but by the time I was through, I was no longer a Windows fan
The Spanish have a word for this sort of thing -- "Atascadero". It means about what it sounds like it means. Perhaps Microsoft should adopt it for their next OS.
Is Linux better? For servers, yes. For desktops, No. But it's not much worse, and it -- unlike Windows -- seems still to be improving. In the long run if people can have aggravation for free or pay handsomely for aggravation, I imagine that most of them will opt for free aggravation.
This report is seriously misleading. The conclusions made do not follow from the facts presented without employing logical fallacies. The data presented in the report measures the number of fixes made. The basic fallacy involves the assumption that just because a fix is not made, there is no critical need for one. As a matter of fact, a lesser number of fixes may indicate failure to find, report, and fix problems rather than absence of problems.
Since the Linux effort is open, all issues are reported and fixed in the open, with an effort made to report and fix as much as possible, which ensures software quality. Since proprietary systems are not open, their issues are not reported and fixed in the open. As a matter of fact, a smaller number of fixes does not in itself indicate a smaller number of problems, or better software quality. On the contrary, a smaller number of fixes may indicate a smaller percentage of problems being found, reported and fixed, which implies a lesser quality of software. A smaller number of fixes can be as much due to failing to fix vulnerabilities due to not finding them, or not having them reported.
Therefore, data presented in this report indirectly suggests that the open-source process is better at ensuring software quality.
Vista and XP have so few programs installed by default.
BZZZT!
Have you seen an OEM system with Vista or XP that came with "few programs". There's serious bloatware on there, and I bet all of it has serious security problems. Think of all those sound/video driver applets; those all have administrator access.
On the other hand, OEM Linux systems don't come with that stuff. Not even from Dell.
I think that a better measure of OS security should include the following:
1. How many anti-virus/anti-* software packages are available for it? i.e. how many companies believe that there are enough problems with the OS that they can make money plugging the holes from the outside. Look at the revenue. What percentage of the users are running some form of this software?
2. How many computers running this OS are botted? i.e. how many machines running this OS have been completely taken over.
3. Do a survey to see user perception. "The (riaa) wants proof that you have illegal music on your machine. If they can break into your computer, they can easily place such proof there. What OS do you want it to run?"
4. Place machines running each OS directly on the internet using default settings. How long will it take for the machine to be compromised?
5. What OS are the machines using that are used to spam us?
6. etc...
There are plenty of real-world methods of checking security, which are not based on who can hide the most problems.
He is referring to the Vista operating system itself, installed off of a disk. He is not talking about security flaws in the extra crap that vendors such as Dell add. The thing is that, since Linux and its components are open source, there are bound to be more bugs and security flaws found, because there are so many more eyes looking at the code. However, this does not mean that it is any less secure than Vista. If you look at the report, Linux distributions have fixed a much larger percentage of their bugs in the first 6 months. Microsoft, even though the number of flaws is under 50, has fixed only about half of those flaws, while Linux distributions fixed a much larger percentage in that time period. Now, again, I am not saying that Linux is immune to security flaws and that Windows is the spawn of the devil. I am simply stating that you cannot look at just the number of flaws. I mean, if Windows was released open source, I would sincerely expect that there would be floods of security flaws found, and I'd bet my life on that.
"The item in question is gullable, has admin privilages..."
...and obviously can't spell.
Except that I have no idea what you just said.
I'm going to cast the widest net possible.
.exe were hidden, clicking on a .jpg.exe does not run the program. You get asked if you want to save it to disk or what program to use to open it, or in some cases, do you want to launch the program. Getting a prompt instead of viewing the photo is a major clue to a Linux user that the Windows user never got.
Windows (older versions, but a common exploit) hides known extensions by default. Users are admins by default. Opening MyNakedWife.jpg.exe was an exploit that nailed many a Windows user. No warning of any kind was given; the software was installed.
Linux by default nobody runs as root. Ubuntu takes it up a notch. Even if the
You think if Joe Sizpack was running Linux he _wouldn't_ click that file promising him "free smileys" or constantly keep his stuff up to date?
With Linux, much like modern Windows, they phone home and look for updates. Being offered an update from a 3rd party is still a problem for Windows users and less so for Linux users. Example: go to any Flash site without Flash installed. The untrusted site may or might not send you to get the official Flash player. In Linux, you have to follow the instructions to go to Adobe and get the tarball for Flash Player 9, then unpack, and install. It's a little more work, but you generally get it from a trusted source.
Another common Windows exploit requiring a fault between the chair and keyboard used fake pictures of Windows error messages. Clicking the little x in the corner of the box is as much of an install button as the rest of the photo. This was also a common Windows social engineering trick to get the clueless to click on the install button. Linux does not install root-level software by a click on a webpage when not running as root. Since most Linux users don't run as root, this exploit is broken. The exception is Firefox plug-ins that users can install in their browser.
Short attention span Windows users who can one click install your botnet software for you are easy to find. There are millions of them. Even if there were as many Linux users as Windows users, you would find many fewer willing to follow your social engineering.
Maybe you know some Linux exploits of the fault between the chair and keyboard that are as simple as hidden extensions, executable IM messages, and webpage install buttons disguised as an error dialog box that I should know about. If you do, fill me in..
Way to miss the forest for the trees. The substance of this discussion has nothing to do with whether or not Vista is more secure than past versions or not, nor really is it a straight comparison of actual security concerns but rather with their methodology in presenting their vulnerability information. Vista IS more secure than previous versions MS has put out because they actually focused on it this time. Methinks you saw an opportunity to drone on a mindless rant about the Linux community and what you perceive as MS bashing. Could it be that there might be some skewed PR numbers when a MS employee (later disclosed) does a comparison between OS's, finds that commonly accepted security benchmarks don't seem to be good enough, uses his own questionable methodology with disclosed vulnerabilities, includes application vulnerabilities not on a base Linux install, and doesn't count the stealth patches included with recent Vista patches? Grow up? As if.
I know you're not supposed to feed the troll but:
Take installation. Linux zealots are now saying "oh installing is so easy, just do apt-get install package or emerge package": Yes, because typing in "apt-get" or "emerge" makes so much more sense to new users than double-clicking an icon that says "setup".
Ubuntu. Click "Synaptic." Search for what you want. Get everything checked to install, click "apply" at the top. Unless you're recommending that newbies use a harder, less graphical interface. In which case, you're an idiot.
Also, on the topic of installs: I've installed 3 OSes in the last two years. Slackware, XP, and Ubuntu. Ubuntu was the easiest and most pleasant -- I got to sit there with Firefox and GAIM open while it installed. XP was slightly more annoying than Slackware.
As for your Linux zealots thing: I have never encountered people like that. Maybe you need to go to forums populated by people older than fifteen?
I admit there are assholes, however, and people who run around with only "if you don't like it, fix it!" "RTFM!" type answers. But these are a minority, and I bet most of them can't answer your question anyway. Most people will respond helpfully to questions, unless you come off like an asshole yourself. And try seeking help on Windows forums. There are assholes everywhere.
There is no "preference towards Windows." Most people don't even know what Linux is. A lot of people don't even know what an Operating System is. They don't understand that it is a program that can be replaced. Just that it's part of the computer, like the OSD on a TV that adjusts the brightness and contrast. It's not that they're stupid, it's just that they don't know any better, and were never told, or taught.
and I have had similar experiences too.
But on other hardware, Windows installed fine, and Feisty Fawn did not detect the sound card and the wifi connection kept dropping. Documentation for that wifi card/driver on Debian said you probably need to use a cvs snapshot of the wifi driver for stability.
It's hard to have an objective comparison of what works out of the box (as that would require a study of lots of hardware). But as for objective analysis, the Ubuntu install is definitely superior (based on a live CD, where you can already start working as it is installing, with to-the-point questions, etc).
1: Find Quake 3 CD
2: Goto Id Software Website
3: Download Linux Demo
4: install Linux demo
5: Copy all files in the base directory of Quake 3 into the base of the Q3 Linux demo
6: Download newest point release, repeat base copy again.
7: Run game, have fun blowing shit up.
I'll give you a hint: the only command line used was on step 4, chmod I think, it's been a while.
Do you get it now?
My girlfriend (stay with me here) bought a brand new Core 2 Duo from Dell for about $1200 with Vista on it and everything fairly well matched. We installed World of Warcraft on the system. It was capable of rendering the game on the highest settings, but even on the lowest settings the system was having serious internal problems.
The video drivers kept crashing, sometimes as often as every 15 seconds, and not surviving for more than 2 minutes... the screen would flash black for a second and the hard drive would thrash, and then the game would reappear. Once you exited the game, or if you would ALT+TAB or run in windowed mode, you would see a bubble notification popping up from the system tray notifying us that (paraphrasing) "the video card driver had crashed, but Windows Vista was able to recover."
Now, I'm not sure if I should blame Windows Vista, Dell, or the nVidia drivers... but it was in no way fulfilling that the system was able to identify that it was crashing, and recover, yet it was not able to prevent it from crashing in the first place. Nothing improved even after applying every possible update to the system. To my knowledge, it still suffers from the same problem to this day. (No helpful support from Dell, by the way.)
Whoever is responsible for this, somebody really dropped the ball. In any case, I wouldn't touch Vista with a 40-foot pole.
I can just see a bubble popping up to tell me, "A hacker has stolen your personal information, but Windows Vista was able to recover."
Look, everyone knows Vista is more secure than Linux. Just look at its pedigree: it comes from a long line of the highest rated operating systems that the US Government has had the resources to design special tests and ratings for. And take a look at the list of huge companies that have chosen Windows as the platform of choice for their high security applications. Big, trusted companies like Diebold, maker of some of the finest voting machines you can fix err...lay your eyes on. Hell, even big slot machine and ATM companies have chosen Windows as their security platform of choice. I can tell because sometimes I can see the security in action...Stop errors and blue screens...that's Windows saying, "Oh, no you didn't."
You know what else?
Billboards. That's right, billboards that show precious ads to thousands of passers-by choose Windows to operate their mission critical, high security software. Can you imagine the hil... chaos that would ensue if one of these billboards were hacked?
I think Windows has really redefined security. See it's not about the integrity of the software that's actually running on your device. It's about the security of the media. And nobody is working harder to make sure the CD's and DVD's you install are protected from real threats. And they'll be secure if you ever have to reinstall because of bugs. Piracy and counterfeiting are the real security problems. Thankfully Microsoft has some magic technology called DRM to ensure we're not having to pay more than necessary to make up for this "shrinkage".
Thankfully Microsoft has our best interests in mind and they're protecting us all 24/7/360. They're on our side. So let's all do what we can do to make sure Windows and Microsoft are as secure as they've made our computing lives.
Thank you.
They're exactly right. I'm tired of people spouting that privilege elevation, in any of its forms (graphical sudo, authenticate, UAC) is "shifting the blame". Neither Canonical, nor Apple, nor Microsoft have the slightest idea whether pr0n.exe is a legitimate program or a trojan, nor do they have any way of knowing. (Incidentally, can you imagine what it would be like if Microsoft did implement some kind of heuristic detection algorithm that tried to guess whether something was legitimate or not? Oh, the lawsuits and gnashing of teeth when it gets it wrong, both false positive and false negative!). The user, on the other hand, does know. More specifically, they know if they've been trying to install a program, or whether they're just browsing dodgy websites when an elevation prompt pops up out of the blue, or whether they're just trying to view a picture.jpg.exe. The OS doesn't.
That's still vulnerable to this problem because ssh -X gives the remote application access to your complete X desktop. Indeed, the OpenSSH man page confirms this.

So, to run Firefox securely, don't just run it as another user. Run it on a separate X server too, using Xnest, Xvnc or (even better) VMware. The sux utility has also been suggested, but I am not convinced: malware running within Firefox rather than launching a separate process will still be able to log keystrokes.
>north
You're an immobile computer, remember?
err, IE7 runs as an unprivileged user AND in a sandbox. It can't even freakin' trigger Notepad on its own anymore. This isn't Win95.
Vista is *safe* for now because of its poor adoption by users; since it is not widespread it is pointless to develop botnet software to infect it.
Hey, the guy went nuts at the end but he does have a few valid points.
M$ doesn't announce vulnerabilities until they've got a fix, and therefore the "vulnerability count" for Vista is probably inaccurate.
Also, Vista enjoys the same "security through obscurity" that Linux does - WinXP is still a more lucrative target. Supposing that the Vista adoption-rate will grow, the number of exploits discovered will grow in turn. I think we will see another MSBlast-esque exploit again in a couple years.
He definitely nailed it when he talked about how people were staying away from Vista, however. I've known a lot of people who recently bought a Vista-loaded machine and ended up putting XP or Linux on it. Entire departments, in some cases. I'm still staying away from it.
The AC peer post suggests that turning the firewall off is not "default" and is not fair.
I used to believe firmly in firewalls, but I've come around to the OpenBSD point of view. If you NEED a firewall, you've got a problem. A firewall should be ONLY for defense-in-depth. The OS+services should be secure without one, then you add a firewall for that extra bit of coverage. That way, if there's a day-0 exploit for your OS+services, the firewall will protect you. If there's a day-0 exploit for your firewall, the OS+services are secure. As long as you keep both patched, you need aligned day-0 exploits in both firewall and OS+services in order to get cracked, and that's the product of 2 unlikely events, far more unlikely.
Of course most exploits are really human engineering, anyway. (Click this link)
If you actually go down the list of security vulnerabilities for the Linux distributions, half of it is stuff like this: http://www.gentoo.org/security/en/glsa/glsa-200410-07.xml
Every single one of those counts as a vulnerability against a Linux distro. If Microsoft had a vulnerability like that, they probably wouldn't fix it, much less publish it as a vulnerability.
Everyone else in the IT world already knew this, but I must say that I'm SHOCKED to see this reported on /.
Is the level of irrational Microsoft hatred here at /. diminishing?
Support OS Freedom! Let people choose what they like (Windows / Mac / Linux / BSD) and don't mock them for it!
Prevent linux based DDOS's!
http://linux.denialofservice.org/
Notice how even the MS fanboys can't get around the fact that MS needs a reboot after installing a fucking game. :)
This report means nothing. We all know there are security holes in Vista that are yet to be found. How many? We don't know! It could be more or less than Linux and OS X. These results could also be an indication that Microsoft is worse at finding security holes. It could also mean Microsoft is better at hiding them. It doesn't say much about Vista.
Well, I'll be the first to admit that my C skills are pretty rusty; though I do spend a good amount of time with languages that use related structures, I haven't done any actual from-scratch projects with C/C++ in a long time. That being said, I've been able to debug, trace, and fix various projects over the last few years. Off the top of my head, some webcam drivers (I think it was for whatever driver the "Creative Webcam Go" used) as well as the OpenH323gk project.
Actually tracking down security issues, though, would be a bit harder. When you've got a bug you know about you can debug, trace, and find the source of the loop/crash/etc just by following your debug trail. With a security issue, you might not know it's even there unless it's pointed out... it's not the same as having a visible crash or malfunction in most cases.
So upgrading/fixing broken code is not too hard. Finding abstract or obscure faults is - IMHO - a lot more difficult. Even with well-commented code, you can't fix what you don't know is there. Alternately, it's sometimes a combination of your coding-type and that of the original coder as to whether a particular piece of source is readable/fixable.
Obviously a Microsoft shill from day one. It was obvious then - it's obvious now.
In twelve hours, there will be twenty security experts ripping holes in this moron's so-called "analysis."
Vista is not secure - NOTHING made by Microsoft is secure. Period. End of story. They could work from now to the end of this century, employ nanotechnology and advanced artificial intelligence - and their crap would STILL be unreliable, insecure, and complicated to use. It's a matter of corporate culture and attitude, not security knowledge or technology. Bill Gates simply does not give a shit about ANYTHING but sucking money out of his customers' wallets at any cost to those customers' well-being, corporate or home, it doesn't matter.
Nothing to see here, move along.
How would this be any different if Linux was top dog? I'm a bot net guy, I want to make a bot net, I'm going to cast the widest net possible.
That doesn't explain why web server exploits hit IIS much more than Apache, which STILL has more installations. The widest net possible idea is less important than building your OS's security foundation on shifting sand. Windows has had terrible security because it was built on a foundation of sand. It has taken them years and years to go back and build a secure foundation that the OS can rest on.
Of the ignorance of people like the Submitter. Macs running OS X do not have viruses. That's what the commercial says. Why? Because it's true. And who gives a damn about Vista security? No one is using it. And no amount of glowing crap filled fluff pieces counting exploits will change the fact that Microsoft's complete lack of security gave us bot nets and robot spammers. And still does. Now fuck off.
It does make Vista look good, doesn't it? Until you look at the table, and notice that it only mentions serious security flaws that are fixed, and serious security flaws that have been disclosed but not fixed yet. It doesn't mention serious security flaws that have not yet been disclosed....
Uh oh, here come the Linux fanbois as expected. I shouldn't have to fix the bugs in my OS; I guess you have more time on your hands than most. I'll stick to enjoying my OS while you toil away fixing security issues.
I want to make sure I understand you. You are saying that you cannot download a *.deb file and click on it to install? What happens when you do --what sort of error do you get?
Of course, with Ubuntu, it's probably easier to get it straight from the repository, i.e. go to Synaptic and find BZFlag (or whatever program you're looking for) and just install it. That gives you more info about the program (see how big the file is, etc.). But you should be able to download and double-click, just like a Windows file.
When it comes to giving instructions about what to do on Linux, though, a script file is probably the simplest way to do it, simply because you can just cut'n'paste it onto the command line. This applies not just to installing programs but to everything in general. So, yes, people will give instructions like "sudo apt-get install bzflag", just because it's easier than "Click on Applications, click on Internet, click on Synaptic, click on search, type 'bzflag', click on Install, click on OK." (Or whatever the specific order happens to be --I use Kubuntu, which is slightly different.)
The equivalent in Windows would be a character string like: "Start > Settings > Control Panel > Add/Remove Programs > Add > From CD". You never hear anyone complaining, "Boy, what a long complicated piece of text, with all these greater-than signs!"
If you are used to installing software by command-line, I can see your concern for the newbie who might feel intimidated by that method. But the newbie doesn't have to do it your way.
[1] "By Jeffrey R. Jones Director, Microsoft Security Business and Technology Unit"
[2] "Jeffrey R. Jones, a self-described "security guy" who works at Microsoft's security division"
[3] "an overview of Microsoft's progress in improving security by Jeffrey R. Jones, Senior Director - Microsoft Security Business Unit."
[1] - http://articles.techrepublic.com.com/5100-1035_11-5173565.html
[2] - http://www.boxxet.com/Windows_Vista/Windows_Vista_News_Researcher_Says_Vista_The_Most_Secure_OS.63046006.details/
[3] - http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint031004.mspx
I can't help but put on paper that this blog contains what a child of two would tell you if you showed it these results.
If I would add another operating system, the one I wrote, then it would have a very low security vulnerability count. Simply because nobody is looking at my system or knows anything about the internals makes it neither secure nor vulnerable.
These numbers simply won't show you whether one system is more secure in general usage. However, anybody thinking they do should go work for Microsoft, because these people are surely stupid enough to slow a company down.
Cancel or Allow?
(Sigh) . . . Allow .
Linux will have to make the same deal with the devil one day
Maybe not. Many distros run a walled garden of safe applications. Grandma will never need to venture out of the garden and get hurt. Linspire and Ubuntu come to mind as examples that have safe online repositories. When not installing applications and doing system configuration, the users run as users, not administrators, unlike Windows XP. Linux will never have the ease of use of Windows 95 and Windows 98. Heck, you could easily use and administer those without an account. At the login, just hit cancel. Linux has never been and will never be that easy to screw up.
RHEL5 shipped March 14th, 2007. Why not compare its errata?
;-p
I wouldn't count any updates released on 3/14 against RHEL5 on its ship date. It's a perfect example of how OSS works and how fast patches are available. RH wanted to ship a stable version and didn't want to throw last-minute patches into the install routine. What's the first thing you do when you install a new OS? You run the tool for online updates. So on day one 19 patches were available for all the bugs that had popped up since the version freeze to produce RHEL5.
Since 3/14, there have been 42 updates to RHEL-WS5. 11 of them have been after the 90-day mark, so that leaves you with 31 defects in the first 90 days of RHEL-WS5. That's also not using the "reduced" method to match feature-for-feature what Vista has.
However, I think the point is still always going to be that you can't have totally bug-free software. But it's how fast bugs are found and fixed. That's what Microsoft can't touch. How long do bugs go unreported so someone can take advantage of them on an MS OS? Even once reported, how long do they linger? The same is simply not true for any critical bugs found in OSS.
But it is nice to see MS finally taking security seriously. They've only been trying to do that for 5 years with their Trustworthy Computing Initiative. Why not compare Windows 2003 Server stats, since it was released after the Trustworthy Computing Initiative? 6 months showed 38 defects. If you compare RHEL5 with just the same installed features to match WS2003 in 3 more months, I wonder how it will fare?
Of course, Microsoft had the NSA help them with Vista, which proves again that the more eyes you have on the source code, the better
I'll stick with CentOS myself... all the benefits of RHEL without the support fee costs.
Not to mention Microsoft's recently disclosed "stealth fixes".
Microsoft has the ability to control the "official" counts in a way that no open-source project, with its public repository and patch database, can. Even Apple, with its tradition of secrecy and surprises, can't sneak in patches to the open-source components of their software... but Microsoft can.
I run several botnets quite successfully.
I recommend you use Windows ME with Internet Explorer with ActiveX for surfing, run a public IIS on your machine for your web development needs, don't install a firewall and generally leave your system unpatched.
Let me know if I can aid you any further? Setting up your webserver for instance?
"Linux will never have the ease of use of Windows 95 and Windows 98."
That's not a good thing. That means Grandma isn't going to use it at all.
Way to show up late to the party. At 9:38 am when I posted, my comment was relevant, but by the time you showed up at 1:53 pm the discussion migrated. I notice you didn't add to that discussion.
I stand by what I said at the time for what was being said at the time.
http://www.computerworld.com.au/index.php/id;306842912;fp;4194304;fpid;1
Does Windows Vista have the same level of security as that?
I would say that if they don't find that many bugs in the first 6 months, it doesn't mean it's more secure; it just shows you that they aren't able to find vulnerabilities before hackers. So then we know that Red Hat is the one who found the most vulnerabilities and they have "that" level of security.
I believe that finding a lot of bugs in the first 6 months is a good thing. Because if they don't find it... your computer has a hole that is just waiting for someone to use it.
Is AIDS not dangerous unless you found out you have it?