Vista Security Claims Debunked
An anonymous reader writes "Apparently Microsoft still hasn't learned that counting vendor acknowledged vulnerabilities isn't a good way to establish the security of an OS. As an analysis of Microsoft's claims on Full Disclosure shows, we see that the methodology used was badly flawed. A bug in Firefox (not to mention emacs) counts as a flaw for Linux, while IE bugs get ignored on Vista's chart. Then we see that vulnerabilities aren't vulnerabilities when they're security-challenged features such as Vista's Teredo. Also, there's far too little consideration given to severity, given that it stoops to counting even extra access restrictions on a file in OSX to have something to show. In short, the original Microsoft analysis was good PR and poor research."
In other news, scientists have confirmed that water is, in fact, wet.
Well... no shit...
I am totally shocked. I just bought 10 licences too and threw away all my Linux computers!
Pulp Audio Weekly - Geek News and Reviews
These aren't the droids you're looking for.
A-Bomb
Never believe anything MS says, they are untrustworthy.
Given the previous FUD Microsoft has put out about Linux (235 patents? Which patents?), I'm not really surprised to see this.
Of course, if anyone should be counting browser flaws as OS flaws, it's MS. MS makes the case that they can't remove IE from the OS since it is integral to it working properly, yet doesn't count them on the vulnerability list.
Meanwhile, FF doesn't even have to come with a Linux distro, and a bug that compromises FF as an app is much less likely to compromise the OS as a whole.
Looks like more FUD to scare non technical people from "illegal" and "unsafe" Linux.
with the non-core Linux components no longer listed, based on the feedback.
This just debunks the first report.
Bears are Catholic. The Pope shits in the woods.
Please, for the good of Humanity, vote Obama.
Does that sound like a people_ready business to you?
I really doubt you'll ever hear M$ say something like...
"Our operating system is less secure than all the other major OSes but you should buy it anyway because it looks kinda pretty."
next you'll be expecting...
"Vista will cost you $43 per year more than XP just in electricity." ($1.2 billion per year more for the power companies thanks to Vista)
The rest of the complaints aside, it may have very well been appropriate not to count Teredo as a vulnerability. Here's why: assume that Windows was technologically backwards and couldn't get on the internet. Would you then agree that Linux was less secure, because the possibility exists to hack it over the internet while that possibility does not exist for Windows? No, that wouldn't be an appropriate assessment of security. To evaluate security we need to in a sense "divide by" the ability of the system to access other things. Teredo gives Vista the ability to get to IPv6 from behind a NAT, so Vista has the ability to access more things (in this one limited way). Thus it should not be counted as a vulnerability unless Linux has a way to do the same thing, in which case we can compare the security implications of Linux's method versus Vista's method. But until then Teredo should be set aside when doing a security comparison (versus an independent vulnerability assessment).
Philosophy.
What gets me is that very few security researchers ever get the chance to examine MS code like Linux allows; who knows how much code is a security risk, millions of lines of code that only its creators can really examine. There also exists the problem that in addition to security flaws in the code itself, there is the fact that most MS users don't really take care of their OS like they should. Very few people avoid IE, update their software, have a firewall or any security smarts [i.e. can't resist the free wallpapers/ringtones/random spyware infestations]. It is better to have a good user on a flawed system than PEBKAC on a good system.
Sigs are too short to say anything truly profound so read the above post instead.
Most Microsoft customers will take the "research" at face value.
I work in a Microsoft shop. And while I have a great boss, (really, no kidding) the company is Microsoft all the way. There is zero logic at play.
But that's the way it goes. I'm old enough to remember when "Made in Japan" was the cultural equivalent of today's "Made in China." That had little basis in reality then, just like Microsoft customers today just aren't ready to comprehend **buying** something other than a Windows box and just take Microsoft's ridiculousness as fact. In time though, I think that can change. Just like the Japanese and their cars.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Why wasn't my tag "getthefacts" selected? Honestly, that's all this is - a continuation of the "Get The Facts" campaign.
You mean to tell me, counting all the vulnerabilities for anything that runs on Linux (Including software that is not developed by Linux), and then only counting the vulnerabilities that live in the core of Windows Vista doesn't make a fair and accurate comparison?
You mean Microsoft misrepresented the facts? I just wont believe it.
Seriously though. If not actually providing security, I'm glad that they're at least worried about it. There should be about 500 posts to follow arguing the virtues and failures of Vista related to security and performance. Microsoft, Joe Average, and Grandma will read 0 of these. They'll still have the computing world by the balls tomorrow because they're the status quo and have the (second?) best marketing, a near lock on hardware vendors, and all the PC games.
Joe Average got the fake stats without hearing any dissenting opinion, because he doesn't really care and it gave him warm fuzzies over that wad of cash he dropped. Also "Linux is hard/You get what you pay for" and "Macs are for sissies/Ignore that get what you pay for thing." Meanwhile his social security number just got a new loan and he's the spam king of the neighborhood by accident...but damn that was a good porn site.
Nothing short of Microsoft's own (in?)actions will bring that beast down in the near term. Luckily they're doing a decent job of it. It seems like a few are trying to apply the brakes, and it may pay off. Hopefully the consumer can stop getting reamed sometime soon.
Why is it that the anti-MS studies always come from these obscure sites that either nobody ever heard of, or have an agenda every bit as biased as Microsoft themselves?
Come on, slashdot. You can do better than this.
BTW, the problems cited by this "study" are regarding the first report. The second report only compared the base Linux system.
riding a flying pig on my way to get a sweater at the store 'cause I heard Hell had frozen over. At the gamestop next to the sweater store, some kid was playing Duke Nukem Forever, which I thought was an amazing game. ...so what do you mean the report isn't true?
Okay while no one on Slashdot feels this is news and the debunking was completely expected, it's useful for the "linux representatives" that many of us inevitably become in casual conversation with our Windows-evangelizing peers. Typical situation:
In this narrative, Josh is the typical One-Trick-Pony, Microsoft MC## who blesses Microsoft every day for making his income so easy to come by and truly believes that Microsoft is the hammer and everything looks like a nail. Gunter is an all-around generalist who is unafraid of anything "computer" and knows enough to work on routers, networks, servers and workstations of just about all varieties which happens to include Linux among others.
Josh: "Hey, just read this security assessment comparing Vista and Linux... Vista won by a mile."
Gunter: "Yeah, I saw that... I also saw THIS article exposing the flaws and inconsistencies in their comparisons."
The point here is that being readily armed with a rebuttal is handy.
It doesn't matter if the vulnerability counts are vendor acknowledged or third party. Vulnerability counts only tell you how many flaws were found and fixed. There is no particular reason to believe this correlates to how many were found and exploited by 'the bad guys'.
It's flimsy but I suppose you could say that recognizing reported flaws and patching them quickly shows a project or vendor takes security seriously but that is all these vulnerability reports are good for. You could say that more reported vulnerabilities means that a program became that much more secure but even that is dubious. And of course it goes without saying that claiming a program is more secure because it had fewer vulnerabilities reported defies all logic.
Actually, it would be appropriate.
If you can remove an avenue of attack, you have increased the security of your system.
Now, by removing it from the Internet you have also reduced the FUNCTIONALITY of your system.
So you end up with a less functional, more secure system.
Security is all about evaluating the possible threats and reducing their effectiveness.
No. If it is an avenue for attack, it is an avenue for attack.
If it is vulnerable, it is vulnerable.
We've been over this before with Firefox's avoidance of ActiveX. Sometimes, increasing your security simply means NOT including some functionality.
That was a sloppy report on Microsoft's part, no doubt, but the Slashdot title is misleading too. It is still helpful to remember that there has been only one exploitable vulnerability discovered on Vista in the past six months, compared to several a month on XP. Vista's OS-level security features (NX, ASLR) do in fact perform as advertised. Vista is immeasurably more secure than OSX (with only one security feature to speak of) -- not a single application security expert has made a claim to the contrary. Noticed all those OSX advisories coming out lately? That's because we appsec people are as tired as the rest of you of Apple and smug Mac assholes.
MOD PARENT UP!
Quote from the Slashdot story: "In short, the original Microsoft analysis was good PR and poor research." It amazes me how easily people accept abuse, and give excuses for being abused. It was not "good PR". My best understanding is that Microsoft's analysis was an intentional lie.
My rule number one in dealing with Microsoft: Unless forced by circumstances, never upgrade to a new version of Windows until the second service pack is released. Let other people have the grief. The huge number of bugs in Windows XP before SP2 was very expensive for us. If I remember correctly, SP2 fixed more than 630 bugs, and some of the fixes were not documented. It is not only the vulnerabilities that are expensive.
Quote from the link in the Slashdot story: "Also, the entire networking stack was rewritten for Vista, and that means lots of new bugs are present. I have already spoken to other researchers who have not disclosed such flaws publicly. However, a good start for learning about some is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues."
Microsoft has, in my opinion, a long, long history of not allowing their programmers to finish their jobs. There were even security vulnerabilities in the Microsoft Help protocols!
This isn't a debunking.
> I feel Jeff really needs to perform another less exaggerated analysis.
It's an armchair critique of someone else's work.
> [...] a good start for learning about [Vista flaws] is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues.
A competitor (see Live OneCare) wrote an article about an early BETA of a new OS saying it had some issues? Shocking!
> Even though OS X claims to be secure, researchers have obviously shown that Apple will have flaws too. This is nature of software, and it affects all code.
What are you saying here, Kristian? Bugs are inevitable, so we should just give Apple a free pass on their share of problems because, well, it affects all software?
Ok, that's enough of that.
I feel Kristian really needs to perform his own research and analysis, and draw his own conclusions.
PS: Don't mod this as flamebait until you read Kristian's entire post. Really.
More to the point, and as you alluded to, security is all about balancing safety (or security, if you will) and functionality. In this case, I believe that not including Teredo on by default as a security hole is a fallacy. Sure, it adds functionality, but at the same time, creates significant security problems without notifying or asking the user. And grandparent, know what you're talking about. A Hexago tunnel is easy enough to come by on Linux, and very little work to set up (literally cut and paste). Teredo can be run on Linux too, though I cannot recall how.
Basically, it comes down to this: Microsoft sacrificed what could potentially be a significant amount of security for a feature that is meaningless, and for that matter useless, to the majority of users (at least for now, and Microsoft has a tolerable patch system, so...). And that feature is on by default, without asking the user. So, yeah, I'd call that a security hole.
There's an old saying that says pretty much whatever you want it to.
"Thus it should not be counted as a vulnerability unless Linux has a way to do the same thing..."
So the vulnerabilities in ActiveX and COM shouldn't be counted either since Linux doesn't use those... Or vulnerabilities in DirectX shouldn't count because Linux doesn't use it?? That just isn't logical.
Anything that can be used as a vector to successfully compromise a computer should be counted as a vulnerability because that's what it is.
The race isn't always to the swift... but that's the way to bet!
Any observer from a tech background would know that this would turn his results to shit, but he is:
- A Microsoft Employee
- A Blogger
so that never mattered anyway.
No users = no vulnerability reports.
"I need a submit macro"
You mean like the "Preview" button right next to the "Submit" one?
"I like systems, their application excepted", George Sand (French)
Unfortunately they seem to be so obsessed with winning by FUDing and spinning that they end up making crap. This is a great disservice to the whole computer industry.
Engineering is the art of compromise.
After extensive research we found that having the computer powered up was the source of all the security flaws. Don't blame MS - they don't make the power cords!
With due respect, I have to disagree. If a project or vendor takes security seriously, they'll design the software so that it has zero security bugs.
Almost nobody delivers this for popular commercial software like Windows, Office, etc, but that's more because the people paying for such software seem to not care about security at all, or value new features, convenience, and speed much more than they do security or reliability.
However, people designing control systems for airplanes, hospital medical equipment used in lifesaving situations, and so forth, actually do a fair job of delivering software which has zero security issues. This level of quality isn't undoable for more widely used general-purpose software-- some of DJB's software has close to a perfect security record, for example, but it is rare to find software which was designed from the start with the assumption that no security holes are acceptable.
Especially in the PC world, it's common to find software which is significantly broken in the initial release and needs to be patched before it is even feature-complete, much less close to being "bug free" or "secure"....
"The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
Hard is what makes crackers salivate.
I haven't seen Cisco jump to run Vista on their Firewall Machines. So, maybe, just maybe, they had a reason to stick to *nix.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
What kind of an account is "All Users"? Is it sort of like /usr/share? Can I log in as "All Users" with admin creds?
Marketing is cheaper than R&D.
> This just debunks the first report.
Yeah, so did he address all the other serious flaws? Such as the whole "number of vendor acknowledged issues" != "useful security metric"? Because unless he did something radically different, his whole methodology was wrong.
You can't just subtract a few worthless bugs from the charts and turn that into a useful security metric. It just doesn't work that way. For an example of something that would be more useful, you could find all the bugs that lead to remote compromise and count the number of days it was widely known before it was patched for some definition of "widely known."
But then you end up with things like that story saying that IE 6 had critical flaws for about 9 months out of last year. Yeah, IE7 is better (hard not to be!) but still.
How are they obscure? You can't know much about security at all without knowing about people like insecure.org, SecuriTeam, or the Full-Disclosure mailing list. Or maybe you meant the author, Kristian Hermansen? They're a security researcher at Cisco, FYI. But even then, what does obscurity matter if their criticisms are valid? You could be an anonymous coward and make a valid point, after all (alas, that's merely a hypothetical because you do not).
Then you claim that the second report addressed all those issues. That's not at all true. Sure, it doesn't count Firefox bugs any more, but that's not the real problem with the study. The real problem is that counting vendor-acknowledged bugs isn't a security metric at all! That's right, it's not the least bit useful for giving either an academic or real-world measure of security. You can't rescue the original study from that flaw without redoing it and abandoning the original premise.
But I guess you wouldn't know that, because you don't know these "obscure" sites that people who know about computer security do. I mean, next thing you know, people will be citing virtual unknowns like Bruce Schneier as if they knew anything about security! Or maybe Fyodor, I bet he doesn't know a damn thing about networking. What did he ever do? Make up that silly fake application they used as a "hacking" tool in the Matrix movies? [/sarcasm]
I read the article pretty carefully. I don't see any actual numbers to back up this "debunking".
If you're going to bash Microsoft for using fuzzy math, at least have the courtesy of supplying some of your own.
Also, can somebody explain the issues with Teredo? Sorry, but simply declaring that there are lots of bugs in Microsoft's new TCP/IP implementation with absolutely no evidence to back this up doesn't help your argument.
It's not "good PR and poor research". It's lying.
If that's all they want to do, they sure don't need Vista to do it. Linux will do just fine.
I think I'd choose functionality over security, if it was some function I like.
I mean, in their entire history, when has Microsoft ever done ANYTHING untrustworthy?
Like literally copying/stealing other people's code line for line and putting it in their OS? (Stacker)
Like putting in software hooks to see if competing office products were running and then crash them or make them run slow? (WordPerfect)
Like swapping code in an OS and a browser to make it appear that the browser was integral to the OS to weasel out of antitrust issues? (Win98 / Explorer)
Naw... I just can't believe that MicroSoft would stoop so low as to try to promote its "ground-up" new OS (that amazingly has many of the exact same vulnerabilities as XP) as being hardened and more secure than Linux and OSX.
They wouldn't do anything like that, would they?
This means simply that Microsoft will generally pour just enough resources into a product to beat the competition and dominate the marketplace. We saw that with the browser war. When it had to overtake Netscape it came up with a good product. After it killed Netscape, and there was practically no other comparable browser, resources were taken off the browser product because it was good enough and there was no sense whatsoever in improving it.
We saw it with the IDE's. When Microsoft had to compete with Borland {Borland Pascal; Borland C/C++} it came up with the 'Visual' IDE. Visual C, Visual Fortran. It was a good IDE, and it won against Borland. After that ... it languished. Now ... now that we're seeing the Eclipse IDE and SUN's IDE ... suddenly Microsoft floors the accelerator again.
The same holds for the Operating System itself. Windows was systematically tailored to capture the eye of consumers and businesses, which it did very well. Never mind that the internals were {and still are} kludgy. What the user sees is the user-interface; that's what sells. Security flaws? Well ... as long as there is no competitor to which people can switch while retaining their investment in software and training ... security flaws aren't a show-stopper. Getting their own stuff to work was {previous Windows versions have so many tightly coupled components that you never knew what would break next when you changed or added anything}, and that's why Jim Allchin very sensibly steered towards a properly engineered Windows. Vista in other words.
Given that we're seeing Linux, OS-X, and Open Solaris competing in more or less the same market we also saw an increased effort from Microsoft to tart up the user interface. Those transparent windows thingies.
This is something fundamental you have to understand about Microsoft. They are calculating folk, and never ever were trailblazers. Tail-light chasers, yes, but never trailblazers. 'Good Enough' is their goal, and their yardstick is ... the competition. Why? Because to Microsoft 'Good Enough' means 'Good enough to win in the marketplace and bring in revenue'. That's how Microsoft became so rich.
Definitely no surprise here. Stupid Mircrosuck.
You have a point. However, take a look at all the zombie Windows machines out there. How many of these are "Mom & Pop" PCs used only for browsing and emails? The reality is that Windows will be the dominant home computer OS for 10 years. Anything that can reduce the zombie pc count is great in my book.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Power savings over how many years of use, once you factor in power required to manufacture the new system and transport it, etc? Is it really much of a savings, either cash or watts (BTUs, whatever), then? If it costs you x-hundreds of dollars for a new system (typical user: buys prebuilt at retail store), and you only save less than 50 bucks a year on the electric, right there you'd have to run the machine 2 times x-units of one hundred dollars times years to just break even on the purchase cost, let alone all the energy expended in the "developing world" where all the electronics come from and they are "backdating" the pollution costs to sometime in the future. At even 500 bucks for a cheap system you'd have to run the thing ten years to get a balance on the purchase price, if the old machine was still functioning fine.
Not saying more energy efficient computers aren't useful, they are, along with all other appliances, but upgrading immediately because you want to, as opposed to sticking with the old one not being broken and struggling by with the old operating system that is working and you have it finally adjusted "just right" for your needs might be still more economical in the medium run. I think it is better to upgrade hardware when it physically is broken, and just keep making software better, not more bloated and resource hungry, cooler and more efficient chips notwithstanding.
Anyway, that is what I do, I maintain a system until it actually and truly is broken, not just old, broken, then I upgrade (last one the mobo went). I figure I have gotten the most computing out of the least amount of dollars and watts that way, and contributed the least amount of pollution. And I certainly wouldn't upgrade just to run a newer operating system, none of the current ones released within the last few years are truly "obsolete" or can't do the job for most people's usages. In fact, I think there ought to be a law similar to what they have for car parts-ten years. Sell an OS, you have to keep applying patches and bugfixes for ten years minimum.
I wish there were a "+10, ridiculously insightful" rating.
This comment is the most insightful thing I've seen on /. in over a month. And me without mod points, so I'm posting.
If that is M$'s strategy, then they're not doing too well - they touted Vista as being better than XP :)
"The quickest way to end a war is to lose it" -Orwell
do you people not understand what you're doing? No, I'm not concerned about Microsoft. I don't care about Microsoft.
But... think of twitter. This can't be good for his health.
oh, wait. Right. Keep posting these "M$" articles, then.
...Proved to be inaccurate. Video at 11.
Behold! Uh, what was I going to say?
But I've been allowing full access to my Vista machine in which I store text files containing my bank account, social security and blood type! Whatever will I do?!
*barf*
brian botkiller "Condensing fact from the vapor of nuance" - Neal Stephenson, Snow Crash
"the communication of a statement that makes a false claim, expressly stated or implied to be factual, that may harm the reputation of an individual, business, product, group, government or nation."
Stuff like this seems very close to being Slander and Libel. I'm sure a more informed reader will know why it isn't, but even then, it just seems quite close to being so. There are many organizations and individuals with an invested interest in the promotion and sale of Linux.
Brandon Petersen
Any bad data (e.g. using Firefox bugs but not IE bugs) is the least of it. The real problem with his research is the notion that counting vendor-acknowledged bug reports is any measure of security at all. Maybe if he'd done something like an analysis of exposure windows for critical bugs in a default install he could get somewhere, but no. We have yet another worthless bug count.
You don't need to invalidate the data if the methodology is wrong! And if the methodology is wrong, you don't need any numbers to prove it. That's the case here, but you and so many others are hung up on the bug count. Oh, he did address some of the claims and fixed the bug count. But if you'd read the title of the rebuttal on Full-Disclosure, you'd know that the problem was that he tried to measure security by counting bugs to begin with!
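The exposure-window metric suggested in this thread (count the remote-compromise bugs in a default install and measure how long each was widely known before it was patched, rather than counting acknowledged bugs) can be made concrete. The following is an added example, not code from the thread or from either report: the systems "alpha" and "beta", the advisory ids and all dates are constructed for illustration and are not real advisories.

```python
"""Exposure-window metric vs. raw vulnerability count (added example).

Everything below is constructed: "alpha"/"beta" are fictional systems and the
advisory ids and dates are placeholders, not real CVE data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Advisory:
    system: str
    vuln_id: str                # constructed placeholder, not a real CVE id
    severity: str               # "critical", "high", "medium" or "low"
    remote: bool                # exploitable without prior local access
    in_default_install: bool    # affected component ships enabled by default
    disclosed: date             # day the flaw became widely known
    patched: Optional[date]     # None: still unpatched at the end of the data


WINDOW = (date(2007, 1, 1), date(2008, 1, 1))   # calendar year 2007, end exclusive

# Constructed data: "beta" has more acknowledged bugs, "alpha" has fewer but
# leaves its remote critical ones unpatched for months.
ADVISORIES = [
    Advisory("alpha", "ALPHA-2007-001", "critical", True, True, date(2007, 2, 1), date(2007, 5, 1)),
    Advisory("alpha", "ALPHA-2007-002", "critical", True, True, date(2007, 4, 15), date(2007, 7, 15)),
    Advisory("alpha", "ALPHA-2007-003", "low", False, True, date(2007, 9, 1), date(2007, 9, 2)),
    Advisory("beta", "BETA-2007-001", "critical", True, True, date(2007, 3, 1), date(2007, 3, 8)),
    Advisory("beta", "BETA-2007-002", "critical", True, True, date(2007, 6, 10), date(2007, 6, 12)),
    Advisory("beta", "BETA-2007-003", "high", True, True, date(2007, 1, 10), date(2007, 1, 20)),
    Advisory("beta", "BETA-2007-004", "medium", False, True, date(2007, 2, 1), date(2007, 2, 3)),
    Advisory("beta", "BETA-2007-005", "low", False, False, date(2007, 5, 5), date(2007, 5, 6)),
    Advisory("beta", "BETA-2007-006", "critical", True, False, date(2007, 8, 1), date(2007, 8, 30)),
    Advisory("beta", "BETA-2007-007", "medium", True, True, date(2007, 10, 1), date(2007, 10, 5)),
    Advisory("beta", "BETA-2007-008", "low", False, True, date(2007, 11, 1), None),
]


def raw_count(advisories: Iterable[Advisory], system: str) -> int:
    """The metric criticised in the thread: every acknowledged bug counts as one."""
    return sum(1 for a in advisories if a.system == system)


def _intervals(advisories: Iterable[Advisory], system: str, window: Tuple[date, date],
               severity: Sequence[str], default_only: bool) -> List[Tuple[date, date]]:
    """Unpatched period [disclosed, patched) of each qualifying flaw, clipped to the window."""
    start_w, end_w = window
    out = []
    for a in advisories:
        if a.system != system or a.severity not in severity or not a.remote:
            continue
        if default_only and not a.in_default_install:
            continue
        start = max(a.disclosed, start_w)
        end = min(a.patched or end_w, end_w)    # still open -> exposed to window end
        if end > start:
            out.append((start, end))
    return sorted(out)


def exposure_days(advisories: Iterable[Advisory], system: str, window: Tuple[date, date],
                  severity: Sequence[str] = ("critical",), default_only: bool = True) -> int:
    """Total flaw-days: sum over qualifying flaws of days known-but-unpatched."""
    return sum((end - start).days
               for start, end in _intervals(advisories, system, window, severity, default_only))


def days_exposed(advisories: Iterable[Advisory], system: str, window: Tuple[date, date],
                 severity: Sequence[str] = ("critical",), default_only: bool = True) -> int:
    """Calendar days in the window with at least one qualifying flaw open.

    Overlapping periods are merged, so this answers "for how much of the year
    was the default install exposed", the shape of the IE 6 figure cited above.
    """
    total = 0
    cur: Optional[List[date]] = None
    for start, end in _intervals(advisories, system, window, severity, default_only):
        if cur is None or start > cur[1]:      # gap: close the merged run
            if cur is not None:
                total += (cur[1] - cur[0]).days
            cur = [start, end]
        else:                                  # overlap: extend the run
            cur[1] = max(cur[1], end)
    if cur is not None:
        total += (cur[1] - cur[0]).days
    return total


def summary(advisories: Iterable[Advisory], system: str, window: Tuple[date, date] = WINDOW) -> dict:
    advisories = list(advisories)
    return {
        "raw_count": raw_count(advisories, system),
        "critical_remote_flaw_days": exposure_days(advisories, system, window),
        "days_with_open_critical_remote": days_exposed(advisories, system, window),
    }


if __name__ == "__main__":
    for name in ("alpha", "beta"):
        print(name, summary(ADVISORIES, name))
```

On the constructed data, "beta" loses on the raw count (8 acknowledged bugs against 3) yet its default install had an open remote critical flaw for 9 days of the year, while "alpha" was exposed for 164 days; the severity and default-install filters are parameters, so the same code reproduces the "count Firefox bugs or not" dispute by flipping `default_only`.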
They didn't say WHICH people.
Visual Studio vs Borland: VS was never better than Borland on a level playing field. MS only competed by being a bully.
My main point is that MS don't get their products Good Enough. MS get there by putting their effort into attacking the competition rather than by developing (or even offering) good products.
I think MS marketing is more Mafia tactics than anything technical.
Name drop all you like, but it doesn't change the fact that the article wasn't written by an MS researcher, nor does it change the fact that the author did his best to compare an equivalently functional system whether you like it or not.
If every slashdot reader put the same amount of zeal into creating new development methodologies for the open source environment (of which I am an active, but not specific user thereof) as Microsoft has put into the SDL, maybe the numbers game would start to revert.
It's all a numbers game, and has little bearing on reality, because if you compare (say) 10 critical vulns in Windows, and consider the number of Windows systems affected against (say) 100 *nix vulnerabilities, the results of successful exploitation on Windows are significantly worse. What the article shows is that MS is improving. Does it show the same for common Linux distros?
go to http://www.us-cert.gov/
type in "windows"
Results for: windows Document count: windows (2543)
then,
type in "linux"
Results for: linux Document count: linux (2301)
well, no news is good news!
A differential of 242 reports is not that much! And I'm even a Linux admin!
this doesn't account for severity either, but it just goes to show you, don't trust security reports in any form.
They're using their grammar skills there.
x86 made only incremental gains from the 486 to the Pentium IV. Suddenly, wham! AMD comes out with the 64-bit Opteron and Athlon 64 and they kick the crap out of Intel on price, performance, and power consumption for a year or so.
Now we've seen a ferocious flurry of innovation from Intel, which has suddenly been pouring money into R&D and taking advantage of its superior manufacturing processes. We've got Intel vs. AMD to thank for quad-core, low-power, hardware virtualization... and best of all, $59 dual-core 64-bit processors from Newegg
Now AMD is falling behind fairly rapidly, and we can expect Intel to slack off its R&D correspondingly. But in a year or five, AMD or someone else (VIA? IBM? MIPS?) will be back with something new and send Intel scrambling again.
R&D is cheaper than bad publicity or customer support for a shoddy product, I'd wager. But they wouldn't teach that in a marketing class, would they? ;-)
Not if you develop right. I don't see where creating a good, modular operating system is anything more than good design and hard work.
Nothing to do with "research."
The problem is that MS isn't about good design, but about throwing everything in that anybody ever asked for, even if a well-designed system would have perfectly good APIs to solve the same problem without feature XY.
You haven't read an annual company report recently, or ever for that matter?
Even in software - or pharmaceutical companies where one would assume that a lot is spent on research - the R&D budget is usually ~18% (which varies, of course) while sales and marketing usually eats away approx. half of the costs.
Sales, marketing and distribution is horrendously expensive and gets a far bigger chunk of the budget than R&D.
This is a generalisation, of course, but true for the vast majority of companies.
I am the musician
with pocket calculator in hand
Kraftwerk
Yes, I know it's good for your karma to rehash the same "Windows BSODs" crap, but I'll call bull.
1. I've had that disabled for years, and I've had exactly one instance of BSOD-ing so far. (The reason was a crappy driver. Yeah, that's so MS's fault. A Linux user would be _so_ able to continue using their KDE programs if the video drivers crashed. Not.)
2. You would still notice it if your computer was restarting all the time. So, you know, it would be exactly the same amount of tech support calls whether it's "I've got a BSOD" or "this damn computer keeps restarting".
3. It wouldn't be that well hidden anyway, because it does briefly show a BSOD before restarting.
4. And if ad-absurdum they actually managed to hide it that well that you don't even notice, then why would it matter?
So, you know, propaganda tends to work better if it doesn't amount to telling people "your Windows BSOD's all the time!... even though you've probably never seen it actually doing it." It tends to be kinda like me telling you that you have to move because there's an elephant in your bathroom, even though you probably don't see it.
A polar bear is a cartesian bear after a coordinate transform.
The point is simply that number of disclosed bugs is not a valid comparison. It matters not if he "did his best".
"The numbers" would certainly look very different if Microsoft adopted the methodology used by most open source projects of fully disclosing every bug. Or if open source projects mirrored Microsoft's practices. It is very well known that Microsoft does NOT fully disclose all bugs and many cumulative patches silently fix MANY problems. The severity of bugs is also classified very differently.
You are right about one thing, it is all a numbers game. But you are WRONG that it means anything, even that Microsoft is improving. It means NOTHING. Nothing at all. It's only a numbers game. Even if someone else games the numbers differently and Linux-based systems look better, it still means nothing to compare numbers of bugs when very different philosophies and practices govern which bugs are fully disclosed and how their severities are rated.
PJRC: Electronic Projects, 8051 Microcontroller Tools
Even if the functionality is of no use to you?
...was well counted, after all, it's a nice OS with a poor text editor.
:(){
It's not cheaper (quite the contrary), but the effects of marketing are much more immediate than the effects of research. And it's the quarterly report that counts, not how the company is doing in three years.
x86 made only incremental gains from the 486 to the Pentium IV. Suddenly, wham! AMD comes out with the 64-bit Opteron and Athlon 64 and they kick the crap out of Intel on price, performance, and power consumption for a year or so.
I think you need to seriously revise your x86 history.
That is not to say that x86_64 wasn't a significant improvement, but to basically suggest the Pentium, Pentium Pro/II/III and Pentium 4 were just faster 486s is ludicrous. Each of those CPU families represents a serious increase in the design and capabilities of the x86 platform and they all came from Intel. Indeed, one of the main reasons x86_64 was so significant was because it represents one of the few times AMD has been the leader, not the follower, in the last few decades.
Oh please.
Let's be honest here. No matter what study was produced using no matter what methodology, if it showed that Microsoft was improving you guys would rush to debunk the study or dig up some site that does the debunking for you. RMS himself could declare that Microsoft was improving security, and you guys would rip him to shreds. The point of the OP of this subthread is that the debunking report is just as biased as the MS report, and I've seen zero evidence that that isn't the case. I'll go further: the comments to this entire thread are 100x more biased than the MS reports. It's not like you guys are being objective with your analyses either, so get off your high horse.
-- "I never gave these stories much credence." - HAL 9000
Shit, that was so biting I thought my eyes were going to pop.
It ain't easy. If you don't count emacs, you pretty much can't count a lot of "basic" Linux tools. You'd have to strip both systems to their bones (which is arguably easier with Linux, granted), but then, you're comparing two very artificial sets without any meaning in everyday life. I can't imagine Linux being very useful if reduced to the kernel, and I highly doubt it's even possible with Windows.
Here's my way of counting: Take the average customer PC. To facilitate things, let's take a "standard" Windows install as the base. I.e. a system where you have a calculator, an editor, a web browser and so on. Then, for every kind of program in that install base, take the one with the fewest security holes (i.e. in case there is one in Notepad, use a different but similar editor with fewer bugs as a "replacement"); the same goes for IE or FF or Opera or... whatever (just to settle this once and for all). No, Lynx is NOT a valid replacement for IE since it cannot display graphics. It has to be a replacement that offers at the very least the same amount of functionality (thus, technically Opera would not be a valid replacement for IE, unless they finally accept some sort of plugins).
And of course you would have to create different sets. A server needs very different program groups installed than an office PC, or a gamer PC. Yes, that means you can't just take one set and say that this is the valid comparison for every kind of setup there is.
I'm aware that this is not easy and it takes a lot to assemble, research and test that. But unless something like this is done, every kind of comparison will be crooked in one way or another.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The original "research" and the so-called "debunking" are total crap, to say the least. What the "research" shows is "Linux guys fixed more bugs than Microsoft's, and that means Vista security is good". Some kind of reverse Microsoft logic, or what? Given that Vista is closed source and Linux is open and considering the means for finding holes in proprietary software the number of vulnerabilities found should be at least tripled.
Now the "debunking". Just vague declarations. Only propositions like "they rewrote all the code so there MUST be more bugs". Well, maybe, but it's not a fact. Also the "debunking" really doesn't have any figures. The Microsoft guy at least showed some numbers on which he or we may base our conclusions. But debunking... It's not a debunking. We need an independent research like the MS guy did, but we need to do it right. So that match is drawn at 1:1, but the time hasn't run out yet.
Microsoft are merely playing the same game OpenBSD have been playing for all these years... Apply the loosest standard to yourself, and the strictest to your competitors, and you're bound to come out smelling of roses.
Was that a whiff of manure in the background?
Heh. So basically you can keep the kernel running, but your X programs are fucked anyway. Well, gee, that's so different from rebooting the system.
In fact, lemme get this straight. So Linux is _so_ much better because when a driver crashed, Joe Average could:
1. buy a second computer, so he can SSH into the first one. Just, you know, because it's so evil to buy a $25 firewall for your Windows box, but it's cool to buy a whole second computer for your Linux box.
2. learn a bunch of command-line stuff and other nerdy stuff, so, you know, he can actually kill the right process. Which otherwise he wouldn't have needed.
3. reload X and restart his programs. The unsaved changes are still lost anyway.
4. Maybe (or maybe not) discover that the driver did screw something else up. Like, since most drivers come with their own agpgart kernel drivers, left that one in an unstable state. So let's do that all again, with a bit of forced unloading and loading drivers back.
As opposed to that evil old Windows XP, where he restarts the computer and the program. So basically just step 3. And if you're running KDE or, to a lesser extent, Gnome, it actually takes more time to start X than it takes to boot an XP computer completely.
Heh.
Look, honestly, for Joe Average whether he restarts just X or the whole XP, is irrelevant. His programs and unsaved data are still fucked either way, and the full restart is a no-brainer. You don't even need to know what "ps" and "kill -9" are. Whether or not the kernel kept running is, at most, relevant for uptime e-penis size bragging rights, but normal people tend to not give a damn about those willy-waving contests.
>> Sales, marketing and distribution is horrendously expensive and gets a far bigger chunk of the budget than R&D.
Newsflash!
Distribution is in FACT part of marketing.
And marketing also touches R&D, giving it input in the form of assumed/collected/calculated requirements.
"Then we see that vulnerabilities aren't vulnerabilities when they're security-challenged features such as Vista's Teredo."
Well, what do you expect for a feature named after shipworms?
I wouldn't call the P4 a serious increase in capabilities - Netburst was pretty awful. There was a reason they completely dropped Netburst and went back to P6 when they designed the Core architecture. Netburst-based processors were faster than the P3 line, but not quite as capable of delivering performance.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
The piece of shit Taurus I also have has no leak, therefore it must be a better car than my old Porsche. And it's true that if every car in the world were my old Porsche then all the cars in the world would have that same annoying leak. Ergo the world is a better place for all the piece of shit Tauruses on the road.
See it's not about theory, fanboys. It's about practical outcomes. Per person per unit per second per whatever, the practical outcomes of MS 'security' are disaster and failure compared to everything else. Period, full stop. And if all the fanboys in the world got off /., put down the fucking cheetos and hammered out code, it still wouldn't make any difference because that train's already left the station.
You can wave your MS flag in my face all.fucking.day. telling me about the theoretical import of security gaps in some other widget and it won't amount to anything because the effect of these gaps is maybe 0.0001% of the effect of yours.
So suck it up, my pimpled minions - your God is a cardboard God.
- 486 SX 66Mhz machine running Windows 3.1
- In Dick Cheney's Bunker
- No Modem
- No Token Ring
- No Banyan VINES
- No Ethernet or IPX
- No TCP/IP winsock implementation.
Most Secure Windows Ever!
In MS's case, they also have a well funded research department that seems to do pure research and not research for their products. Some of the research may make it into their products but it may be years or decades down the line. This skews the budget a little. We don't really know if in fact they spend more to market their products as opposed to developing them.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Here's an actual example - the faculty head of a university department is conducting a corridor tour of your department with some visitors. One student has a poster presentation in the open common area with a couple of relevant textbooks on the table. Another student is out of sight in a research lab working on his/her research project. Who is the faculty head and the visitors going to consider to be the expert on their subject?
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
Which is perfectly fair enough. If you design a house with lots of windows (not the O/S for once) then each window is potentially a point of entry. You can use toughened glass, non-opening windows, but it still won't be as secure as an uninterrupted wall would have been. So you would be compromising security for features - in this case natural light.
The problem only starts if you then claim that the security of your design is in no way compromised by the windows. Or that it's unfair to compare it against the security of houses with no windows, since those houses have no natural light.
Don't let THEM immanentize the Eschaton!
He was wrong in some details, but correct on the basic point. Intel's real failing point was after Pentium-III. At that point, 2 things happened. First, the marketers gained too much power, and pushed the "market metric," clock speed, with the resulting NetBurst architecture of the Pentium4, which has been abandoned. Second, Intel pursued the IA-64, which was really a combination of an academic nifty idea with marketers' desires to be clone-proof, but with the consequence of leaving delivering value to the customer a lower priority.
In other words in the Pentium-4 generation, Intel delivered a marketer-driven (marketer, not market driven) architecture with sub-par engineering, and was distracted by the internal desires for IA-64.
The living have better things to do than to continue hating the dead.
What all these "Marketing is cheaper than" comments seem to miss is that Testing is cheaper when the public will do it for free. It's a common mantra, and one not even remotely limited to MicroSoft.
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
I think you missed his point. I don't think his statement that marketing is cheaper than R&D is meant to imply that companies spend less on marketing than on R&D. My monthly food budget is $700 and $300 is for my car - therefore cars are cheaper than food!
I believe the original intent was that if a company has $10,000 to spend are they more likely to get a better return on that money by investing it in marketing, or by investing it in R&D? Or conversely, in order to earn $10,000 how much would I have to spend on marketing versus how much would I have to spend on R&D? I think the original statement was saying that I could spend less on marketing to earn $10,000 than I would have to spend on R&D. Look at the number of companies that do very minimal R&D and primarily marketing ("Market On, apply it directly to the bottom line") and how effective they are. The fact that companies pour so much money into marketing is because they know how effective it is. The company I work for has a large marketing budget/department, but if we were equally committed to R&D and had equivalent number of researchers, an appropriate lab/technical equipment, and so on, I'm very confident that the R&D budget would exceed the Marketing budget.
In other news, researchers were shocked to hear the sun set in the west.
Do the math yourself. Lunix has more bugs than an ant hill. OS X has more holes than swiss cheese. And by comparison, they make Windows look like Fort Knox.
What does, "Microsoft is about making money ... not product," even mean? You're saying that Microsoft is attempting to accomplish an end instead of a mean... that seems reasonable. After all, why would Microsoft make products? To sell them? For money, perhaps? Show me a business that is not about making money. Then show me that business in 5 years and see if it still exists. The closest example I could think of would be an independent artist who is creating for personal reasons rather than commercial. But businesses ARE commercial. Thats what makes them businesses and not artists, hobbyists, or clubs.
I clearly remember using a security flaw in Excel (XP or 2003 I believe) running on Windows XP to run programs with administrator rights on a locked-down system. When IT found out what we were doing they monitored our systems but were unable to prevent us from using this trick. We used this trick to install software for our PDAs and sales tool software from our vendors because to get any software installed through IT required a request going through corporate channels and a minimum of two weeks before it was installed.
"It is not my intent to offend, but if offense is taken, the fault lies with the audience." attributed to Patrick Henry
As both Firefox and Emacs run on Windows (via Cygwin), bugs in both programs should be counted as Windows bugs.
:)
But as MSIE does not run on Linux it should not be counted as a Linux bug.
In fact I could write a small Visual Basic program here now in the comment, with a serious bug, and you can count that too.
Anyway, I don't know why I'm writing this. After several hundred comments, few people will ever read this, and the people who are counting will live in ignorance forever...
> I wouldn't call the P4 a serious increase in capabilities - Netburst was pretty awful.
Untrue. It started off poorly, but quickly ramped up. Despite the arguments of fanbois, P4s were quite competitive in absolute terms, just not on a per-MHz basis. There was also hyperthreading.
Further, the knowledge gained by Intel with the P4 has allowed them to very quickly take the Core architecture to 3GHz (and it clearly has a lot of headroom yet), while AMD is languishing at lower clock speeds.
> There was a reason they completely dropped Netburst and went back to P6 when they designed the Core architecture. Netburst-based processors were faster than the P3 line, but not quite as capable of delivering performance.
But they were, they just needed high clock speeds. Netburst was "dropped" (not completely accurate) because it hit clock speed ceilings, not because it delivered no value.
JADBP
> At that point, 2 things happened. First, the marketers gained too much power, and pushed the "market metric," clock speed, with the resulting NetBurst architecture of the Pentium4, which has been abandoned.
This argument gets floated regularly, but it is nonsensical. There is nothing wrong, from an engineering perspective, with choosing to pursue performance increases by improving clock speed instead of IPC. Indeed, one of the big promises from RISC was that its simpler design would allow quick and easy ramping of clock speeds at the expense of IPC. I don't seem to recall DEC getting the same criticism for the Alpha that Intel did with the P4, despite both essentially "playing the MHz game". Indeed, the Alpha seems to be treated by many as God's gift to CPUs.
Ironic that it took an ostensibly CISC CPU to deliver the benefits of RISC.
> Second, Intel pursued the IA-64, which was really a combination of an academic nifty idea with marketers' desires to be clone-proof, but with the consequence of leaving delivering value to the customer a lower priority.
The IA-64 eventually delivered fairly good performance, it just didn't feature at the low end. Itanic machines were quite competitive for high-end computing needs.
> In other words in the Pentium-4 generation, Intel delivered a marketer-driven (marketer, not market driven) architecture with sub-par engineering, and was distracted by the internal desires for IA-64.
No, they simply chose to pursue an engineering path focusing on clock rate instead of IPC. There is nothing inherently wrong with this approach, and the subsequent benefits are clear when one reads about Core 2 CPUs being overclocked to 3.5+ GHz.
AMD provide solid competition, and the K8 was unquestionably a great CPU (sadly - like many AMD CPUs - let down by poor supporting hardware) in the x86 arena, but to suggest Intel haven't been the source of solid engineering throughout the lifetime of the platform - more so than AMD - just doesn't stand up to any sort of analysis.
Perhaps I don't want to sit in on a 45 minute file system check.
Perhaps I want to do a proper shutdown on my development database.
Perhaps I want to do lots of things that your little brain can't comprehend right now.
All the same I was pointing out advantages and you haven't disproved anything with your pointless rant.
What did that rant have to do with anything anyway? The fact remains that I *can* do a certain thing on Linux and I can't do it on Windows.
Get over it.
News about the Kettle Open Source project: on my blog
Type in "apple".
Wow, only 1476!
Hmm, let's try "bsd".
Wow, only 145.
"unix"
862
"buzz word"
No results were found for your search.
Okay. What do these numbers prove again?
Microsoft is bad, mmkay?
Mod parent UP!, then mod grandparent DOWN! and then Give me the -1 off-topic this post deserves.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
PEBCAK (#1 Issue Regarding Any version of Windows) P - Problem E - Exists B - Between C - Chair A - And K - Keyboard ID10T error. BSOD STOP 0x4d534655 KERNEL_REALLY_SUCKS_WE_KNOW_N_WILL_PATCH_LATER ==> (MSFU)
By the time of IE5, when Netscape 4 Communicator was "aging," it's true that Communicator was less capable and more buggy than IE. By that point, the damage had already been done. Netscape's funding model had been destroyed and without cash, they could not possibly compete *in that marketplace at that time.*
Much has changed since then, and I'm posting this from Firefox 2 today. Let me point out that today's market is not the same market as 1998.
I think that what you've said is true, but it does not paint an accurate picture of why Netscape was falling behind. It seems akin to suggesting that a person died of natural causes (when they had been shot by an assailant an hour before) because it's natural to bleed to death when you have that many bullet holes!
Netscape could not fight Microsoft in 1998 because the shooting started in 1996.
But Herr Heisenberg, how does the electron know when I'm looking?
Looks like two people failed :P. R&D research has an 'effective upper bound'; basically your return on investment drops significantly above a certain percentage. Why throw away money?
GPLv2: I want my rights, I want my phone call! DRM: What use is a phone call, if you are unable to speak?
Couldn't that also mean they do more marketing than research & development?
Marky Mark Killed Jason Bourne!
I don't think the argument "Vista is less secure than Linux only because it contains insecure packages that Linux does not..." will fly very far.
In the end people who have their systems compromised will not think kindly of that logic.
The race isn't always to the swift... but that's the way to bet!
(IANAL)
I think the point, while this may not have been GP's intention, is that marketing can bring profits this quarter. R&D cannot do that.
Atlas Shrugged : Thematic Story
Certain percentage of what? Budget? Once you're spending more than 18% of your budget on R&D it automatically starts becoming marginally less productive?
I agree that at a certain point simply throwing more money into R&D doesn't necessarily guarantee more useful research (law of diminishing returns), but the same is true of marketing - just because I got $12 million in sales from $2 million invested in marketing doesn't mean I'll get $24 million in sales from $4 million invested. Why throw away money on marketing?
I would suggest that there is an "effective lower bound" as well (which is more significant to the discussion). You can't simply spend $500 on R&D and expect anything beneficial, however you may be able to spend $500 on marketing and see some benefit. The "effective lower bound" on marketing is lower than the "effective lower bound" on R&D, so essentially it is cheaper for small companies to get into marketing as opposed to serious R&D.
Marketing has a much higher ROI potential than actual R&D, which may not even pan out. If it does, well, marketing is still more profitable in most cases. People will buy stupid shit if you market it properly. Particularly when it comes to computers or any other sort of information technology, which most people view the way the monkeys viewed the black monolith, as a mysterious object to be feared.
Two prime examples from my line of work of people buying into marketing hype with zero understanding of the technology.
1. The vast majority of our clients are small businesses. I'm talking 5 to 10 employees, which are primarily "the people who do some work, and one or two administrative assistants". Zero tech staff whatsoever. I cannot even begin to count the number of these small business owners that call me whining that their VoIP service "doesn't work" and it turns out it's because they bought some insanely expensive Cisco firewall (or some other firewall "appliance"). They have only the foggiest notion of what a firewall does, they have zero idea how to set one up, configure it, or maintain it, but some doofus salesman somewhere told them how important firewalls are and how they have to have one, so they forked over hundreds of dollars for a box they can barely identify.
2. To diagnose VoIP problems I also frequently need to ask what sort of internet connection the client has. Most of them give a totally inane response like "it's the fastest one they offer" or "business-class". In other words, they have no idea what they're paying for every month, but they can recite the bullshit marketing terms all day long.
People have no idea what the hell they're buying. Companies routinely offer crap and doll it up with important-sounding fluff, and people buy it, having no understanding of what they're purchasing or how to tell a good product from a bad one. It doesn't take long for bean-counters to realize that they can cut back on making an actual reliable product and divert the savings into marketing, at which point people will start handing over cash.
mirrorshades radio -- darkwave, industrial, futurepop, ebm.
Obviously performance can be bought with clock speed, IPC, or a combination of both. Pentium-4 was an extreme exercise in clock speed, and usually extremes wind up having problems of one sort or another. Pentium-4 had 2 problems - the "peaky" performance was handled by better compilers and by ramping the clock speed up enough so the valleys were fast enough. But the thermal problems were its downfall.
IA64 eventually did deliver decent performance. But the cost was incredible. Had Intel been simply going after that level of performance, they could have done it much more cheaply, quickly, and effectively. But you only have to look at the IP shell games they and HP played to realize that being clone-proof was the primary drive, not performance. That also meant that the architecture had to be sufficiently different that they could keep it completely fenced in.
EVERY company in a market dominating spot like Intel eventually gets tied up in self-absorbed internal goals that don't necessarily mesh with the marketplace. That says nothing bad about their engineering teams at all - it just says that when a company is far enough ahead of the competition that the competition isn't really pushing it any more, internal pressures come to bear that can produce odd-looking results. This tendency usually gets corrected, as it has in Intel's case. But there's no guarantee that it won't happen again.
One could argue that some of the same is happening with Microsoft, because their prime competitor has become their own install base. They have to keep persuading people to buy something new to replace something that they've already got that still works. Then they have to make the new product different enough that the customer feels they're getting something for their money, but the more different, the more disruptive, etc.
So, here I am, running a small network (10+ computers) in a home business environment.
I do have 2 instances of Windows 98SE and 1 instance of Windows XP SP2 deployed (the Windows 98SE for desktop activity and XP for some testing and support roles). I presume that because network access is proxied, cleansed, firewalled and NAT'd, that things are fairly secure.
And, they are. I cannot allow the XP machine directly onto the internet, due to regulatory security concerns (and my business does involve other people's codebases).
I am thinking of deploying Vista; indeed I almost have (one client wanted some Vista work done). And now, BANG!, I learn that Vista will convert my carefully proxied, cleansed, firewalled and NAT'd system into Swiss cheese, by default...
Thanks, Microsoft. I sure hope that you had the best security people in the business pore over that feature. But still, no warranty -- so I guess any Vista installation will have to be COMPLETELY off-net for a while.
But, that can't be done, because it needs to validate. I guess I would need to turn OFF my network, let Vista validate, and then take it off-net... But that won't work (it does for XP, thank heavens); as I understand it, Vista will need revalidation every 6 months or so...
So, what I need to know is -- how do I safely and prudently deploy Vista, with the assumption that it is a hostile component? Or, can I disable Teredo completely? And, are there other components in Vista that are equally bizarre?
My clients are going to start demanding Vista work any day now...
Just another "Cubible(sic) Joe" 2 17 3061
While Intel did reach higher clock speeds with Netburst, I don't think they couldn't have done the same with P6 - after all, they did.
I will grant you the Hyperthreading point, though. That did come first on Netburst.
"In short, the original Microsoft analysis was good PR and poor research."
And which moron thought otherwise???
Probably some slashdotter.
Hell! Go get some life and stop resting in the same place (of mind) all your life.
That's usually a result of business consultants telling execs that marketing is cheaper than R&D, therefore they should spend more on marketing/sales/distribution than R&D.
Hence, crummy product, lots of FUD.
"We are Microsoft. You shall be assimilated. Competition is futile."
> Let's be honest here. No matter what study was produced using no matter what methodology, if it showed that Microsoft was improving you guys would rush to debunk the study or dig up some site that does the debunking for you.
What the hell are you talking about? Yeah, they may have improved (it's still too early to tell, but it looks like they have), yet that wasn't the point of the study. The point of the study was PR bragging rights of "we've acknowledged fewer bugs!" which is worthless as a security metric.
> The point of the OP of this subthread is that the debunking report is just as biased as the MS report, and I've seen zero evidence that that isn't the case.
Then educate yourself, because you haven't examined the methodology at all. Bug counts as a whole were soundly denounced ages ago in the security community. Something you do not appear to be a part of. Moreover, even if someone is biased, it doesn't matter so long as they have good data and sound methodology. The original report had bad data, the revised one fixed that, but both used poor methodology, so the report was bad. Now, if he releases another one using a better method (say, "exposure window for widely exploited critical flaws") with good data, it will be a good study even if he's biased. The data and the methods used to draw conclusions from it are what's important in a study, not the bias of the researcher.
> I'll go further: the comments to this entire thread are 100x more biased than the MS reports. It's not like you guys are being objective with your analyses either, so get off your high horse.
Let me guess, you think that ad hominem is a spell from Harry Potter? Because you're way too worried about the whole "Microsoft vs. Linux" angle and you're not paying any actual attention to the fact that people are attacking the methodology of the study instead of the identity of the person doing it.
> Untrue. It started off poorly, but quickly ramped up. Despite the arguments of fanbois, P4s were quite competitive in absolute terms, just not on a per-MHz basis. There was also hyperthreading.
> Further, the knowledge gained by Intel with the P4 has allowed them to very quickly take the Core architecture to 3GHz (and it clearly has a lot of headroom yet), while AMD is languishing at lower clock speeds.
> There was a reason they completely dropped Netburst and went back to P6 when they designed the Core architecture. Netburst-based processors were faster than the P3 line, but not quite as capable of delivering performance.
> But they were, they just needed high clock speeds. Netburst was "dropped" (not completely accurate) because it hit clock speed ceilings, not because it delivered no value.
I'm not going to go into great detail here since this whole thread is offtopic anyway. Suffice it to say, you clearly don't have much of a concept of how poorly the Netburst architecture really performed. (For example, the first several P4 parts released were actually out-performed by their older and slower cousin, the P3 1.0GHz.) Throughout the whole Netburst generation the Intel CPUs were outperformed by AMD CPUs running at lower clock speeds -- in some cases by AMD CPUs running a mere 50% of the speed of a Netburst CPU. And you have a really nice contradiction there at the end. If they "dropped" the Netburst because it hit a clock speed ceiling, then clearly the one "missing element" (in your words, high clock speeds) that was needed to make it capable of performance was impossible -- which obviously leads to the logical conclusion that the Netburst was not as capable of performance as the previous technology, just as the GP stated.
No I'm not an AMD fanboi. I'll buy whichever delivers the best performance at the price that suits my budget. That hasn't been Intel for going on 7 years now. When they can deliver a price/performance ratio that tops AMD in my price range, I'll buy Intel again.
There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
I call BS. IBM had dual core and then quad core processors before Intel/AMD. Given the partitioning and virtualisation in the AIX pSeries these days (you want to split your machine along 1/10 of a processor boundaries, go ahead, you want to put one network adapter in the machine and share it amongst multiple partitions... Sure...) I don't think that Intel is the true innovator here.
I will give you the price point... I can't purchase an IBM processor for $59.
Z.
-- Under/Overrated is meta-moderation, and therefore is Redundant.
"This is a great disservice to the whole computer industry" - by EmbeddedJanitor (597831) on Thursday June 28, @09:40PM (#19684441)
... & there is one @ another Linux oriented site as well (UBUNTU discussion, where BSD was suggested instead of Linux OR even SELinux, & I posted here in a PC-BSD post with an arstechnica article base behind it, on the note of security in the reply I posted this challenge to):
Well, ok... this isn't then - a challenge to take a multiplatform security test that runs on many a *NIX and Windows NT-based OS of modern variety (2000/XP/Server 2003) & how to get the score I did with an easy as possible roadmap in a URL below for doing so!
Run the CIS Tool 1.x, on your BSD/Linux (preferably SELinux)/Solaris rigs, it is downloadable here:
http://www.cisecurity.org/bench.html
And, it takes a minute to haul in, install, & run it in an attempt to beat my 84.735 of 100 on it (from a reputable organization, The Center for Internet Security)...
Go for it, & see if you can beat my score of 84.735 on a FULLY custom security hardened Windows Server 2003 SP #2 fully patched as of the date of this posting.
Photo evidence of my score is here:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
And, the same score I obtained, literally, yesterday, as well!
(After putting on the latest patches for Windows Update to my OS which I download & store here - but, nice part is? I'll never need them, because I GHOST this image once it is patched & scanned for malware/virus/trojans/rootkits etc. with the latest/greatest up to date tools for that purpose, & practice safe email practices & more like disabling potentially "deadly" things that can be exploited in browsers like ActiveX/Java &/or scripting (for sites that do NOT need it))
For Windows users' reference, all noted here & how to GET THAT SCORE:
http://forums.techpowerup.com/showthread.php?s=2aac2d3ff16e9b8448875ee96e27d1ec&p=375355#post375355
(That's for the Windows users here to gain by).
Thing is - I'd like to see the *NIX users of all kinds beat that security test evaluation score for safety online & how well their systems are secured, as a more "concrete evidence thereof" in fact, since the poster I am replying to is a "SHOW ME PERSON" (as am I)...
HOWEVER - here @ slashdot, where slogans & b.s. of ALL kinds are stated vs. Windows & Microsoft?
Well - I have challenged you ALL here repeatedly on this note 7 times now, this is the 8th here!
http://it.slashdot.org/comments.pl?sid=240571&cid=19630923
&
http://slashdot.org/comments.pl?sid=240283&cid=19631141
&
http://linux.slashdot.org/comments.pl?sid=240501&cid=19630965
&
http://it.slashdot.org/comments.pl?sid=241957&cid=19662703
&
http://it.slashdot.org/comments.pl?sid=241913&cid=19662485
& (BSD one below, no takers there either, from the "vaunted BSD most secure
I have three letters for you:
NPO.
I agree with you in general, but I have to disagree with respect to IDE's. Visual Studio has always been excellent and ahead of the pack. Visual Studio.Net was a huge jump over 6, pretty much you would never have to leave the application to get your work done- when doing admin tasks on my machine, I would often just do it through VS since it was faster. VS 2003 was pretty much just a bugfix version, but VS2005 has continued to be innovative with its expanded build system, and improved intellisense features.
Eclipse is a damn fine tool, don't get me wrong, I am not trying to knock it. But to say that MS was ever stagnant in the IDE space is really just kind of wrong.
Microsoft lied to make itself look better?
No...way
I can completely appreciate this, and one of the reasons I dislike buying many heavily hyped commercial products is because I resent paying mostly for a company to tell me how good something is.
One thing about marketing, though, is that it's probably far more predictable than research in many cases. It's easy to blow lots of money on research and come out with nothing, especially since it typically requires some very specialised skills that are often hard to find. Marketing results are a bit easier to predict, though.
"Microsoft: Vista Most Secure OS Ever"
http://www.google.com/search?hl=en&q=bob+muglia+vista+most+secure
http://it.slashdot.org/article.pl?sid=06/06/15/173223
http://www.betanews.com/article/Microsoft_Vista_Most_Secure_OS_Ever/1150366131
Based on the highly publicized claim by Bob Muglia at TechEd.
http://www.microsoft.com/presspass/exec/bobmuglia/default.mspx
This isn't hyperbole?
Security is proven, never claimed. The only answers to the question of security are "no" and "maybe."
Back when windows 95 shipped it was head and shoulders technically better than the other operating systems targeting average everyday folks.
Let's look at some examples, shall we? Apple's offering in '95 was System 7.5.2. Not Mac OS's finest moment ever, as System 7.5.2 was terribly unstable, but it was still pretty solid compared to Win95.
NeXT Computer's NeXTSTEP was available. . .Win95 was nowhere close to NeXTSTEP.
AmigaOS 3.1 was contemporary with Win95 but still far better than Microsoft's best efforts.
Acorn Computer's RISC OS (version 3.60 was available when Win95 was released) is arguably Win95's equal.
Atari released MultiTOS in 1993 and then the company died (for all intents and purposes). . .bad management can do that to any company. But was Windows 95 superior to MultiTOS? That is debatable.
Linux kernel 1.2 was available in 1995. You could argue that this wasn't an "operating systems targeting average everyday folks" because it was a beast to install and configure, but, honestly, how many "average everyday folks" could successfully install Win95 back in those days? Most people who used Win95 bought computers with it preinstalled. This was particularly the case with "average everyday folks".
And then there was IBM's OS/2. It was superior to Windows 95 in every way. In some ways, OS/2 is still technically superior to Microsoft's latest efforts, despite OS/2's development having been slowed to a crawl for most of the last decade.
Face it, Windows 95 was garbage. Microsoft has, twelve years on, yet to deliver on many of the marketing promises made about 'Chicago'. "Don't commit to OS/2 because 'Chicago' will be sooo much better!" Later, when the snake oil salesmen had finished fleecing the credulous, the suckers became vocal supporters of Microsoft in the hopes of burying their shame at being swindled and made fools of in a chorus of praise. "Oooh! Such high performance!" and "It is sooo stable! I don't HAVE to reboot it three times a day, I just like that sound it makes when it starts!" and "It is sooo easy to use!".
In any case, the faithful have been strung along for so long now that they will desperately defend any nonsense that Microsoft generates. As a famous idiot once said "Fool me once, shame on you. Fool me twice. . .can't get fooled again!" But when one is fooled many times in series (how many times is it now? Win95, Win98, WinME, Win2000, WinXP, etc), brand loyalty takes on religious characteristics. "When Jesus comes back. . .I mean, when Microsoft finally gets it right, you're gonna be so sorry for making fun of me!" Pointing out the obvious disconnects between reality and Microsoft's sermons to the flock only strengthens their resolve to maintain the faith. With this in mind, it is easy to see why some people would make ludicrous claims about Windows 95. Since Microsoft's vendor lock-in has this psychological aspect in addition to the technical and economic ones, debunking Microsoft's claims only serves to allow those of us who have not yet been assimilated to feel smug about having successfully resisted the BS for so long. This debunking can not influence individuals with significant portions of their credibility tied to the myth of Windows superiority. . .individuals like Ziff-Davis columnists and execs who pushed through transitioning corporate assets to Microsoft infrastructure.
What I mean with this title is that you cannot understand Microsoft's actions by looking at it from the perspective of someone who wants to produce good products. As in someone who wants to truly push the state of the art as a goal in itself. Someone who wants to 'innovate' to use that bumf-laden word. Microsoft prefers to let start-ups do that for them, select the promising ideas, and then *buy* or *copy* the technology. Which incidentally is why Microsoft is so hostile to the GPL. If any innovative code is GPL'ed, then Microsoft cannot secure an exclusive hold on it, so they cannot use it to shore up their market dominance by creating imperfect competition or their pricing power {see http://financial-dictionary.thefreedictionary.com/Pricing+Power for a definition of pricing power}.
For background reading, see: http://ocw.mit.edu/NR/rdonlyres/A82DB83B-1F43-4EEB-8311-CC93A1B0245C/0/deltamodel.pdf for a description of the "Delta model" of strategic positioning, and note the position of Intel and Microsoft in the graph on page 3.
Rational actors versus emotional ones
Hackers and geeks {a sizeable proportion of Slashdot's readership} cannot understand Microsoft's actions because they are driven by emotion {love of tinkering, thinking source code is interesting and attractive, idealism} rather than rational thought. You can understand Microsoft's actions if you look at it from the point of view of a rational actor that tries to {mathematically speaking} maximise revenue, and to obtain that revenue, to either build or maintain sufficient dominance of the market to have that holy grail of marketing: 'pricing power'. You can understand them if you consider them from a marketing point of view. Implicit in which is that you *really* don't care what you sell, as long as it makes a profit. Some people {Slashdotters for example} need to have that, and its implications, explained to them - in small and easy steps... Hence my choice of title.
A marketing point of view
See e.g. http://ocw.mit.edu/OcwWeb/Sloan-School-of-Management/15-810Spring-2005/CourseHome/index.htm for introductory background material on marketing.
The notion of Marketing is crucial because it explains another of Microsoft's strategic constraints. Microsoft cannot afford a truly level playing field in the markets in which it operates because in such markets it wouldn't have the dominance and the lock-in that would allow it to exercise pricing power. It would slide from the top of the Delta pyramid to the right-hand side. Bye-bye profit margins.
Implications of marketing considerations for Microsoft actions
People have to realise that Microsoft truly does not care about *what* it ships ... as long as it maintains Microsoft's position in the Delta model ... which in turn determines its ability to generate revenue.
Good enough ... for Microsoft
Now ... as I did not make explicit, but which several posters pointed out, Microsoft's 'Good Enough' means 'Good Enough to allow Microsoft to win in the marketplace while leveraging every other advantage they have'.
What other advantage? Well ... control of the PC platform for one thing. MS-Windows is the standard ... and largely because it becomes pre-loaded. As in "Hey ... it's included, right, so why look further?".
Why does it become pre-loaded? Because people are used to MS Windows, so that pre-loading MS-Windows opens the mass-market. If you doubt the sensitivity and importance of having MS W
"Apparently Microsoft still hasn't learned that counting vendor acknowledged vulnerabilities isn't a good way to establish the security of an OS."
Apparently idiots like you still haven't learned that making up flaws in serious OS security reports without giving a single proof of what you claim isn't a good way to try and make a report look inaccurate and biased.
"As an analysis of Microsoft's claims on Full Disclosure shows, we see that the methodology used was badly flawed."
If by "we" you mean Microsoft-hating ignorants like you I might agree, because anyone unbiased sees the exact opposite.
"A bug in Firefox (not to mention emacs), counts as a flaw for Linux, while IE bugs get ignored on Vista's chart."
Wrong (or prove that, then): bugs in Firefox and IE don't count for any OS tested (Linux was actually even stripped down from optional programs and components at request of sad Linux fanboys to make it for a completely fair comparison).
"Then we see that vulnerabilities aren't vulnerabilities when they're security-challenged features such as Vista's Teredo."
All vulnerabilities are counted with their severity attached and considered to the final conclusion and Teredo has nothing of security-challenged (http://www.securiteam.com/securityreviews/6C00O2KHFK.html); you, on the other hand, show to have a lot of brain-challenged. :P).
"Also, there's far too little consideration given to severity, given that it stoops to counting even extra access restrictions on a file in OSX to have something to show."
Severity is considered according to The National Institute of Standards (NIST) in the National Vulnerability Database (NVD) (if you can do better, go ahead), security vulnerabilities were counted exactly the same way in all OSs and OS X has plenty to show without having to make any stretch, or we wouldn't have 70+ security vulnerability patches from Apple like the one we had in February 2007, just to give an example.
"In short, the original Microsoft analysis was good PR and poor research."
In short, your ignorant misanalysis was good enthusiastic espousal of unsupported evangelistic fervour and poor reality (I know it hurts, but too bad you can't do anything against the fact that report(s) prove(s) that Vista IS the most secure OS today, isn't it? LOL