Slashdot Mirror
6 Months On, Vista Security Still Besting Linux
Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"
Point me at the problems in Linux and I'll fix them.
What? Can't do that with Vista?
I'll take Linux, thank you.
I don't know the meaning of the word 'don't' - J
Jeff Jones ... This time he did what the Linux community had asked.
He went and f*cked himself?
Full: http://216.239.51.104/search?q=cache:l2ZWLi31QdIJ: blogs.csoonline.com/node/218+http://blogs.csoonlin e.com/node/218&hl=en&ct=clnk&cd=1&gl=us&client=fir efox-a
: blogs.csoonline.com/node/218+http://blogs.csoonlin e.com/node/218&hl=en&client=firefox-a&gl=us&strip= 1
Text only:
http://216.239.51.104/search?q=cache:l2ZWLi31QdIJ
creation science book
Sure, if EVERY action you do prompts a "You are clicking your mouse, cancel or allow", or some other message, sure that is security, but then you are left with a crappy user experience. I think Linux and Mac have got a better balance between allowing actions in user mode without authorization and actions requiring authorization.
Sorry - the previous google cache link was to the 90 day writeup, not the 6 month writeup. Here's the text of the 6 month writeup... (site is very slow right now).
;-)
...
Windows Vista - 6 Month Vulnerability Report
Submitted by Jeff Jones on Thu, 2007-06-21 11:53. Topic(s): | Client | Corporate Management | Information Security | Operating Systems
I was somewhat surprised (but pleased) at the level of interest back when I published my Windows Vista - 90 Day Vulnerability Report. It was about the earliest span of time I thought might give us some indicators, and the indicators did look good. (Though, I did not give us an "A+", in spite of some of the attributions
Six months is a much more interesting time frame, and gives us the opportunity to see if the early trend indicators are holding up, or if the early signs of progress were a short-term gain. Also, I thought it was worth going a little deeper in the analysis to look at the total fixed and unfixed vulns as I did last time, plus these additional views:
* Include a comparison view of Linux distribution workstation builds that exclude vulnerabilities non-default optional components as well as OpenOffice and other applications that do not have equivalents on Windows XP.
* Include a comparison view that excludes Low and Medium severities to just focus on High severity vulnerabilities fixed and unfixed in the first 6 months, and
* A comparison view that combines both of these
For the full details, or to print the report, you can download the report in pdf.
For those that only want the executive summary, here is a key chart that shows the publicly disclosed High severity vulnerabilities during the first 90 days of availability, broken down by vulns fixed and vulns unfixed. Note that this chart is showing the reduced Linux builds that exclude non-default and optional components without equivalents on WIndows. (clicking the chart also gets you to the full report.)
High Severity Vulns, Fixed and Unfixed in First 6 Months of Windows, Red Hat, Novell SUSE, Ubuntu, Apple Mac
The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6 month mark compared to its predecessor product Windows XP (which did not benefit from the SDL) and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process).
If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive. If you don't share that opinion, then they still stand on their own
Read, Enjoy, Forward.
Best regards ~ Jeff
Full Disclosure: I work for Microsoft - read my previous blog post, Exactly how biased am I?.
Also, I'd like to make a shameless plug for my other blog, http://blogs.technet.com/security, where I sometimes post more personal entries such as The Saga of My Luggage & British Air and Building My Windows Vista Media Center - Part 1 - The System.
creation science book
...as popular as Linux, then it will be targeted, too. Or something like that.
http://www.microsoft-watch.com/content/security/mi crosoft_is_counting_bugs_again.html Updated response "Jeff Jones Vista security progress."
This should be a wakeup call to all those businesses holding back on Vista migration. Vista is clearly the better choice.
Greets
UbuntuBoy
This is stupid, Linux as a distro is a complete solution from A-Z ... Vista is a bit of a solution as its just an operating system with limited services. Why did he do it to Vista anyway? shouldn't he be doing it to a server edition of Windows?
When i see a windows system and linux system that do exactly the same things have the same purpose software installed on them i can see the viability of the test.
Further, malware runs rampet in Windows, nearly 50% of Vista's vulns were not patched, where regardless of how many Linux has they get fixed when found. More secure? You tell me is a nightclub more secure when the bouncer only kicks out half the troublemakers whole a tougher and meaner club down the street deals with all of them?
Contradict another post on the front page http://it.slashdot.org/article.pl?sid=07/06/27/001 8252/. If Vista is on top than how could Microsoft Security be one of the worst jobs? What are they doing too good of a job???
I eat Karma for breakfast, lunch, and dinner. That's why I don't have any.
Look, Everybody! A company is trying to use statistics to make themselves look good, when that's not necessarily the case!
Nothing to see here, please move along...
http://www.microsoft-watch.com/content/security/mi crosoft_is_counting_bugs_again.html
Looks like there are several errors with the method the blogger used to evaluate security flaws
This has already been analysed at microsoft-watch, and several flaws are pointed out there, the most basic one being that counting flaws is not a good measure of security anyway.
I can explain it for you, but I can't understand it for you.
On the back of recent news that less than half of Vista "issues" have been patched, yet alone publicly announced, we get another article touting the merits of two things that can't be directly compared.
Sometimes I see Open Source kicking itself in the face with all the transparency it offers, yet I'm overwhelmed with a sense of pride and happiness that communities can develop such a transparent process in the public eye.
Discovering problems and exploiting them in a closed source product is quite a daunting task - I'd say almost 4 times as much work as exploiting a system where you can compile debug symbols into the binary, and nothing short of 1000 times harder than if you had the source code. What these "reports" and discoveries show is that layers of obfuscation act to confuse people as to the actual level of vulnerability you're exposed to.
There are many vulnerability hunters out there, now, employed by governments across the world simply to "dive in" at a deepend of closed applications looking for exploitable code - closed source simply means that only wealthy, bigger teams will be successful. Open Source means that anyone can help thwart these hunters, makes vulnerability research fair game, and most importantly, accepts community involvement into the fixing and pre-emptive policy that makes OS software better software.
Matt
One canard trotted out by MS defenders *used* to be "Windows has more vulnerabilities discovered because it's so popular, everyone attacks it!". Watch for that line to be modified in the coming months as more MS proponents switch to "it's more secure by design". Keeping the "only more vulnerabilities discovered because it's so widely installed" would imply that Vista is not widely installed/used, which is not good PR.
So, when Linux had fewer vulnerabilities, it was because it was obscure. When Vista has fewer vulnerabilities, it's because it's fundamentally more secure. I'm not trying to be sarcastic here - it may very well be *true*. It's just something to keep in mind as you watch the never-ending stream of these 'vulnerability/exploit' reports come out every few months.
creation science book
I guess you know you're trolling, and that why you posted AC. I'm going to bite anyhow, even though I know better.
m l
Yes, Linux is not entirely user friendly yet. No denying that. But maybe you mean 1%, as you said... It's not really a good troll your way.
And yes, apt-get is a -lot- easier. Why? Because you left the steps out on the Windows side where you search for some utility on the web and have to wade through search results that mean nothing and attempt to find what you want, or you could just apt-get install it. 1 step, not several.
As for your game installation example, maybe you should pick something actually made FOR Linux, instead of hacked onto it later. Darwinia, for example: http://www.darwinia.co.uk/downloads/demo_linux.ht
Check out those complicated instr... err, no. You just download and run the file. Okay, you have to make it executable first. Just a bit of security there. At least it didn't ask you 'cancel or allow?' about 5 times.
Including the steps to set up video properly is a bit disingenuous unless you include the steps for Windows as well. Including finding and downloading the proper drivers for sound, video, motherboard chipset, etc. Is it easier on Windows? A bit, yes. But the steps still exist.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
There are still a lot of problems with this 'comparison'. For instance:
- The 'reduced feature set' used for the comparison still contains a lot of software not include with windows
- All information is based on what the company behind the software discloses. I believe that not all holes in Vista that MS knows about are disclosed. It is also not unlikely that what Microsoft calls 'critical' is not the same as what Canonical calls 'critical'. In any case, different measures are used for the different OS's, and you can't compare things that are measured in different ways.
- The usual 'less known holes != safer' discussion...
I personally don't know which OS is safer, but based on these numbers, I am not going to draw any conclusions.
Jan
Why should I care whether or not people run Linux, or Windows, or *BSD, or Mac OSX, or Novell, or freakin' Amigas? At home.
Run whatever the fuck you want.
The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
He's not comparing vulnerabilities - he's comparing vulnerability disclosures.
It's not a measure of how secure the OSes are - it's a measure of how secretive the makers of the OSes are.
....
I installed quake 3 On my first day of Linux. Copied the files from the disk, ran the linux stuff for Id. IN all I had to use 3 maybe 4 commands total, and the only web site I went to was Ids site. It was basically the first thing I installed after doing my redhat installation. I never really got into using linux, but its not the quagmire you for believe it to be.
You mad
1. Vista isn't exactly in widespread use. The sort of people who poke holes in Windows and use it for spam bots etc will concentrate on XP for now as it is much easier. The anti-piracy and activation make pirating Vista a little harder, again this means the low life will not use it for a while.
2. Linux is easily available to all. Plus people identifying security holes are helping out, they do it to improve the product. They would do this for Windows too, but they don't have access to the code.
3. Mac OS uses a lot of open source tools, gcc, samba etc.. these have bugs and holes identified from time to time. So Apple naturally has to plug them.
I've been running Linux as my desktop exclusively now for about five years. No viruses. No worms. No adware. Oh yeah, and it's free as in beer. The security on it just works. My vendor sets up the firewall for the appropriate level of paranoia "out of the box". Tools for system auditing (chrootkit, nmap, etc...) are usually installed by default. When windows can do all this for free, I'll give it another go. But until then, any such study I see is largely theoretical.
THe problem is that he is like me; He does not know the enemies OS. So, what he did, was pick through the OS install and decided what sounds like it belongs and what does not.
What is needed is for a Linux distro guy who has good knowledge of Windows (or perhaps somebody from wine) to re-do this report. And if it shows that MS did a better job on addressing security, I would suggest that the distro's need to get their act together. For the last 5 years, the windows fanboys have ran around saying that the # of windows is the attraction for security problems, while those in the know, say it has to do with ease of cracking. If this report is real, then Linux just went below MS and that will attract the vermin to us. IOW, we MUST remain above MS in terms of security to prevent having the security attacks that MS has.
I prefer the "u" in honour as it seems to be missing these days.
I approach this as someone who does not know a tremendous amount about how to measure security flaws, or what various security flaws really mean...
But the survey listed also shows Windows XP as the second most secure operating system of the ones surveyed.
I can believe that Microsoft improved their security with Vista. But if they also tell me their security was great with Windows XP, I have to conclude that they're fudging the numbers.
Philip Sandifer's academic website
Since Open Source rigorously discloses every flaw known in it, what is the value of comparisons of one Vendor's chosen disclosures versus that which is 100% transparent?
None
Microsoft only discloses what it has to and is often at odds with security researchers about problems only to be proven wrong later. One claim from a blog was that Vista shipped with 60,000 bugs. How many of those are documented for the public?
I can say that on my test certified Vista machine, brand new from Dell, I've already seen the network card totally disappear from the system only to reappear again an hour later. The Broadcom diagnostic tool reported no hardware issues. The Explorer shell still crashes/stalls frequently. Files get locked with no way aside from a reboot to unlock them. Wifi fails to reconnect to the same network it was previously connected to when sspi broadcast for that network is disabled. I just tried restoring a hibernated laptop, previously connected to a domain. Black screen & hard reboot.
Beyond that, on this brand new machine, specced for Vista. Vista is SLOW.
MS, concentrate on making Vista better instead of having people do useless studies. kthnxbye
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
Because, most likely you cannot, more than likely someone else won't, and even then you might not apply the fix should it become available.
Its human nature. Its far easier to take an easy shot at someone else other than act. Oh sure I can say I will fix it, but fact is its easier to say so on some message board that take the action.
Look, with Vista they have a vested interest in correcting the bugs. For those in Linux I cannot overcome I can only hope someone else sees it as important enough to warrant a fix. Thats the crux of it. Sure I could do it, if I had time, if I had the knowledge, if I had the resources. Saying "with Linux you can just change it" is akin to handing someone a bunch of parts and telling them if they don't like the car they can fix it. Being able to use something, having an generalized knowledge of how it works, is all a far cry from being able to actually change it.
So while cheap shots at MS are the forte of many we can't forget that just because its open source, its linux, that we have the power. The opening is there, just don't expect someone to walk through it
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Why should I care whether or not people run Linux, or Windows, or *BSD, or Mac OSX, or Novell, or freakin' Amigas? At home.
Run whatever the fuck you want.
Because the spambots that have pretty much ruined email are running on window machines.
The stuff at http://www.microsoft-watch.com/content/security/mi crosoft_is_counting_bugs_again.html shows that the Microsoft count is per patch instead of per vulnerability. I don't think it is a fair comparison, and Jones should have admitted that.
Rather than take his word for it why not just check at Secunia.
Vista
Ubuntu 6.06
"We are all geniuses when we dream"
- E.M. Cioran
I'd just like to say I'm thrilled to be able to say this.
If Vista was a bigger percentage of the PC market, there would be more exploits for it.
Pay back's a bitch, ain't it?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I looked at the user comments at the bottem of the article. One juicy tidbit was to this link..
i crosoft_is_counting_bugs_again.html
http://www.microsoft-watch.com/content/security/m
The biggest bug in Windows is between the chair and keyboard. The item in question is gullable, has admin privilages, and can run widely dispensed Windows specific code. As a sample of this, just look at the members of any botnet and the OS in use.
Anything that doesn't run Windows code and has the default of not running admin is more secure than patched Windows in most cases.
Vista still runs Windows code, it's biggest fault, but it seems to be driving towards better system security and user permissions.
The truth shall set you free!
Yes, the OpenOffice code base is complex. Show me another application as functionally complex with a similar architecture that's easy to fix.
You also sweep away all of the *many* other ways to participate in a project to help it along.
Finally, nearly all OSS projects are driven by one or two people coding with other contributions (testing, bug reports, documentation, packaging, translations) kicking the projects into high-gear. There are a few that are so big the leaders code contribution is a small part, but that's the rare exception.
OT Rant: OO.org team: please move to GTK+.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Kind of a funny story considering some security venders claim Vista is less secure than XP: http://www.zdnet.com.au/news/software/soa/Microsof t-partner-Vista-less-secure-than-XP/0,130061733,33 9274261,00.htm
Based on my early experiences with Vista in our Beta roll out users are generally annoyed with Vista's security features and will likely turn them off once they are saavy enough to do so.
The VPN compatability problems they are having with major vendors such as Juniper's VPN solutions also give me reason for pause. Some users will basically start taking files home with him and emailing them to co-workers since they cannot use the VPN. This is a major concern when it involves personal data. Vista may be an improvement on the home front, but it is plain not ready for business.
Good grief! It's been YEARS!!! since we first heard about the superior nature of Linux/UNIX security, and we still see a crapflood of articles about it every time there is a slow news day, like when all the information about the first generation iPhone finally emerges and there are no more iPhone stories in the queue, then BAMMO! Right on schedule, another story about LINUX vs. Windows security. This story is even a TROLL, all on with a headline about Vista besting Linux. What crap! ENOUGH with these LINUX/Windows security shootout stories, already!
If you mod me down, I shall become more powerful than you could possibly imagine.
These comparisons are a joke. The number of bugs or vulnerabilities itself is completely meaningless because of the wide variety of issues you can have. For example, would you rather have 10 vulnerabilities that each enable a malicious Web site to crash your browser, or 1 vulnerability that enables a malicious Web site to browse your local disk?
Vista still encourages users to run with higher privileges than necessary, and the platform is still host to over 99% of the viruses and malware ever created. It is not even recommended to run Windows without third-party security enhancements such as anti-virus. Many will tell you to run it only in a virtualizer, not on bare hardware, so you can wipe the Windows "disk" every night and start fresh the next day. In fact, Microsoft will tell you to do that, it's what VirtualPC is for.
Anyone who believes this crap deserves Vista. Enjoy.
The fundamental failure with the phrase "Vista is still more secure..." starts with the incontrovertible fact that Windows is shipped as a black box.
The temporary absence of security issues with Vista means nothing because neither the scope nor the scale of exploits is known. That is commonly described by the phrase "security through obscurity."
History has shown that Microsoft's approach to security is to talk a good game. Period. While I do not doubt Microsoft has hired excellent security programmers, their contributions don't make it through the management gauntlet.
Another way to highlight my point:
When you buy a windows-equipped box will you:
1: Use email on win32 without an antivirus application?
2. Go on the internet on win32 without a firewall?
3. Run win32 without a NAT?
I propose the following experiment instead:
Computer 1: Linux desktop distro immediately after install with no firewall script.
Computer 2: Vista equipped PC straight out of the box with the windows supplied firewall disabled.
Computer 3: Mac OSX straight out of the box.
Run tripwire on all three machines and put them directly on the internet. (aka no NAT)
That might be a better way to compare default security of OS's.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
We give up, we'll go home now, and install Norton Antivirus and Windows Defender with the rest of the lemmings.
The *only* way to "measure" security is to "measure" breakins. You can talk about technological advances in architecture, but abstracting security to bug counting is goofy. Linux systems don't get broken into, because there simply aren't ways to get at them, particularly on the desktop. With things like AppArmor and SELinux your browser is isolated from other processes, every distro ships with the "desktop" version locked down (100% firewalled) by default, and samba, cups, and the other common network daemons (ntp? ssh?) are mature suites with excellent security histories.
I can't get the article to open, but I'm curious as to the vulnerabilities which he counted. How many of them actually have real world applications?
Here is how I would come up with a synthetic benchmark of security:
1. Admit that it will be synthetic, and is ultimately an exercise in mental masturbation
2. Count the bugs.
3. Remove all bugs that have no possibility to be exploited, and all "fixed" bugs.
4. Separate bugs into "server" and "desktop" bugs.
5. Multiple bugs by an index number between 0 and 1, with 0 being harmless bugs, and 1 being bugs that give you "root".
6. Total up bug indexes.
7. Now, count all fixed bugs (excluding impossible to exploit ones), multiple by a "damage index" (see #5), then multiple by (Time to fix bug, measured from release of software)/(Time software has been released). Add this to your result from #6.
8. Voila! You've now posted something that will most likely compete favorably with MS's bug number. It will also still be totally useless.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Lets give Jobs, et al time to produce their own twisted statistics to prove exactly the same thing for their own OS's.
just remember there are 3 types of lies, "lies, damn lies and statistics".
Not that im claiming he's wrong mind you, just that history has proven to be a battle of seemingly erroneous statistics stacked on top of one another that seem to claim totally different things.
Is it going to make me switch to vista? no... But i cant say i really care either, probably the most insecure part of my home server is the code i've written for it!
You can't win, Moderator. If you strike me down, I shall become more powerful through meta-moderation and Excellent karma than you could possibly imagine.
If you mod me down, I shall become more powerful than you could possibly imagine.
You seem to be pointing the finger squarely at the developer. Most often that is not where the blame should reside.
I would point out that if you are on a deadline for delivery, things get cut. Its just business. Managers fully support good documentation, well planned naming conventions, well structured code, etc... Just so long as it doesn't interfere with getting the product out the door on time.
And... FWIW... I also have tons of source (both open and closed source) to maintain, modify, w/e...
Opinion:=TMyOpinion.Create(Me);
Could someone count the botnets out there per operating system? I don't care so much about vulnerabilities so much as all the spam I get from compromised machines. Or put another way, it's not the holes but the number of active exploits that we should be counting.
Comment removed based on user account deletion
There are several fundamental flaws in the arguments in this article:
- He compares OS vulnerabilities of the first 90 days since first release. This doesn't tell us which OS is the most secure at this moment. Merely, it tells that more recent OS's have undergone more testing prior to release.
- He notes 125 known issues with RHEL prior to release compared to 0 for Windows Vista, but of course no vulnerabilities are known prior to release as Vista is closed source and has not been available for public scrutiny, while RHEL is built on available open source code.
But that's not all, differences in how bugs are classified may make some OS's appear more secure - it is known that Microsoft has classified vulnerabilities as bugs thus reducing the "official vulnerability number". Without a strictly uniform and independent classification scheme for bugs, there is simply no data to compare.
A reasonable comparison would compare the OS's vulnerability issues the past 90 days, that is with fully patched systems. Known issues that have not yet been patched should not be included as this simply is caused by the longer time for scrutiny of older OS's. Secondly, bugs must be classified in a coherent manner: Remote root, remote user, local root, local user, DOS etc...
This document is useless in the discussion of which OS is the most secure to run as of today. There is no way that a conclusion can me made in favour of any OS on the list.
It appears that OpenBSD remains the most secure system, and I bet FreeBSD is a strong contender.
Too many of these comparisons are apples and oranges things. If you run you Ubuntu box as root, you are heading for trouble. Running Windows as an administrator also exposes the user to significantly enhanced risk. If you are concerned with this risk, run as a normal user. I do. Your risk will be much lower. Vista makes it much easier to run as a normal user. My wife and kids have normal user accounts on our modern machine. I will be trying to "upgrade" my old XP box (an older Win ME box I upgraded to XP with an additional 512 MB of RAM 3 years ago) to Vista home basic for the improved security support.
This report is seriously misleading. The conclusions made do not follow from facts presented without employing logical fallacies. The data presented in the report measures amount of fixes made. The basic fallacy involves the assumption that just because a fix is not made, there no critical need for one. As a matter fact, a lesser number of fixes may indicate failure to find, report, and fix problems rather than absence of problems.
Since the Linux effort is open, all issues are reported and fixed in the open, with an effort made to report and fix as much as possible, which ensures software quality. Since proprietary systems are not open, their issues are not reported and fixed in the open. As a matter fact, a fewer number of fixes does not in itself indicate a lesser number of problems, or better software quality. On the contrary, a lesser number of fixes may indicate a lesser percent of problems being found, reported and fixed, which implies a lesser quality of software. A fewer number of fixes can be as much due to failing to fix vulnerabilities due to not finding them, or not having them reported.
Therefore, data presented in this report indirectly suggests that the open-source process is better at ensuring software quality.
I'm going to cast the widest net possible.
.exe were hidden, clicking on a .jpg.exe does not run the program. You get asked if you want to save it to disk or what program to use to open it, or in some cases, do you want to launch the program. Getting a prompt instead of viewing the photo is a major clue to a Linux user that the Windows user never got.
Windows (older versions but common exploit) hides known extentions by default. Users are admins by default. Opening MyNakedWife.jpg.exe was an exploit that nailed many a Windows user. No warning of any kind was given, the software was installed.
Linux by default nobody runs as root. Ubuntu takes it up a notch. Even if the
You think if Joe Sizpack was running Linux he _wouldn't_ click that file promising him "free smileys" or constantly keep his stuff up to date?
With Linux much like modern Windows, they phone home and look for updates. Being offered an update from a 3rd party is still a problem for Windows users and less so for Linux users. Example.. Go to any flash site without flash installed. The untrusted site may or might not send you to get the official flashplayer. In linux, you have to follow the instructions to go to Adobe and get the tarball for the flashplayer 9, then unpack, and install. It's a little more work, but you generaly get it from a trusted source.
Another common Windows exploit requiring a fault between the chair and keyboard used fake picutres of Windows error messages. Clicking the little x in the corner of the box is as much of an install button as the rest of the photo. This was also a common Windows social engineering trick to get the clueless to click on the install button. Linux does not install root level software by a click on a webpage when not running root. Since most Linux users don't run root, this exploit is broken. The exception is Firefox plug-ins that users can install in their browser.
Short attention span Windows users who can one click install your botnet software for you are easy to find. There are millions of them. Even if there were as many Linux users as Windows users, you would find many fewer willing to follow your social engineering.
Maybe you know some Linux exploits of the fault between the chair and keyboard that is as simple as hidden extensions, executible IM messages, and webpage install buttons disguised as a error dialog box that I should know about. If you do, fill me in..
The truth shall set you free!
Great post!
Very few people can really do subtle humorous satire. I really enjoyed this. One hallmark of really good satire (a la Onion) is that when you start reading it you think that the author is serious. As you continue you realize that it's satire.
How would this be any different if Linux was top dog? I'm a bot net guy, I want to make a bot net, I'm going to cast the widest net possible.
That doesn't explain why web server exploits hit IIS much more then apache which STILL has more installations. The widest net possible idea is less important then building your OS' security foundation on shifting sand. Windows has had terrible security because it was built on a foundation of sand. It has taken them years and years to go back and build a secure foundation that the OS can rest on.
It does make Vista look good, doesn't it? Until you look at the table, and notice that it only mentions serious security flaws that are fixed, and serious security flaws that have been disclosed but not fixed yet. It doesn't mention serious security flaws that have not yet been disclosed....
If you believe everything you read, you'd better not read. - Japanese proverb
[1] "By Jeffrey R. Jones Director, Microsoft Security Business and Technology Unit"
- 5173565.html_ News_Researcher_Says_Vista_The_Most_Secure_OS.6304 6006.details/ articles/itproviewpoint031004.mspx
[2] "Jeffrey R. Jones, a self-described "security guy" who works at Microsoft's security division"
[3] "an overview of Microsoft's progress in improving security by Jeffrey R. Jones, Senior Director - Microsoft Security Business Unit."
[1] - http://articles.techrepublic.com.com/5100-1035_11
[2] - http://www.boxxet.com/Windows_Vista/Windows_Vista
[3] - http://www.microsoft.com/technet/security/secnews
boycott slashdot February 10th - 17th check out: altSlashdot.org