Vista Security Claims Debunked
An anonymous reader writes "Apparently Microsoft still hasn't learned that counting vendor acknowledged vulnerabilities isn't a good way to establish the security of an OS. As an analysis of Microsoft's claims on Full Disclosure shows, we see that the methodology used was badly flawed. A bug in Firefox (not to mention emacs), counts as a flaw for Linux, while IE bugs get ignored on Vista's chart. Then we see that vulnerabilities aren't vulnerabilities when they're security-challenged features such as Vista's Teredo. Also, there's far too little consideration given to severity, given that it stoops to counting even extra access restrictions on a file in OSX to have something to show. In short, the original Microsoft analysis was good PR and poor research."
with the non-Core Linux components no longer listed, based on the feedback.
This just debunks the first report.
Why is it that the anti-MS studies always come from these obscure sites that either nobody ever heard of, or have an agenda every bit as biased as Microsoft themselves?
Come on, slashdot. You can do better than this.
BTW, the problems cited by this "study" are regarding the first report. The second report only compared the base Linux system.
Actually, it would be appropriate.
If you can remove an avenue of attack, you have increased the security of your system.
Now, by removing it from the Internet you have also reduced the FUNCTIONALITY of your system.
So you end up with a less functional, more secure system.
Security is all about evaluating the possible threats and reducing their effectiveness.
No. If it is an avenue for attack, it is an avenue for attack.
If it is vulnerable, it is vulnerable.
We've been over this before with Firefox's avoidance of ActiveX. Sometimes, increasing your security simply means NOT including some functionality.
That was a sloppy report on Microsoft's part, no doubt, but the Slashdot title is misleading too. It is still helpful to remember that there has been only one exploitable vulnerability discovered on Vista in the past six months, compared to several a month on XP. Vista's OS-level security features (NX, ASLR) do in fact perform as advertised. Vista is immeasurably more secure than OSX (with only one security feature to speak of) -- not a single application security expert has made a claim to the contrary. Noticed all those OSX advisories coming out lately? That's because we appsec people are as tired as the rest of you of Apple and smug Mac assholes.
I'll clarify my point since it seems to be flying by many of you: security assessment != security comparison; you don't do two security assessments and then compare them, rather you compare the security of comparable features, to avoid an apples vs. oranges situation that makes the comparison meaningless. This is admitted by the people defending Linux themselves as they complain that it isn't right to compare Linux + Firefox to Vista - IE. The same principle is in action here: if you want to compare the security of the two you need to compare basically the same feature set or the result is meaningless.
(I have an XP box on my desk that isn't connected to the net while my OSX machine is. I guess for me that means that OSX is more vulnerable than XP. When I post that claim in response to the next security comparison article I expect all of you who disagree to the above standards of security comparison to admit the awesomeness of my XP box. /sarcasm)
Philosophy.
MOD PARENT UP!
Quote from the Slashdot story: "In short, the original Microsoft analysis was good PR and poor research." It amazes me how easily people accept abuse, and give excuses for being abused. It was not "good PR". My best understanding is that Microsoft's analysis was an intentional lie.
My rule number one in dealing with Microsoft: Unless forced by circumstances, never upgrade to a new version of Windows until the second service pack is released. Let other people have the grief. The huge number of bugs in Windows XP before SP2 was very expensive for us. If I remember correctly, SP2 fixed more than 630 bugs, and some of the fixes were not documented. It is not only the vulnerabilities that are expensive.
Quote from the link in the Slashdot story: "Also, the entire networking stack was rewritten for Vista, and that means lots of new bugs are present. I have already spoken to other researchers who have not disclosed such flaws publicly. However, a good start for learning about some is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues."
Microsoft has, in my opinion, a long, long history of not allowing their programmers to finish their jobs. There were even security vulnerabilities in the Microsoft Help protocols!
This isn't a debunking.
> I feel Jeff really needs to perform another less exaggerated analysis.
It's an armchair critique of someone else's work.
> [...] a good start for learning about [Vista flaws] is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues.
A competitor (see Live OneCare) wrote an article about an early BETA of a new OS saying it had some issues? Shocking!
> Even though OS X claims to be secure, researchers have obviously shown that Apple will have flaws too. This is the nature of software, and it affects all code.
What are you saying here, Kristian? Bugs are inevitable, so we should just give Apple a free pass on their share of problems because, well, it affects all software?
Ok, that's enough of that.
I feel Kristian really needs to perform his own research and analysis, and draw his own conclusions.
PS: Don't mod this as flamebait until you read Kristian's entire post. Really.
Error:
MOD PARENT DOWN!
1. I think we all know where the quote is from.
2. Except you.
mod me funny
"the communication of a statement that makes a false claim, expressly stated or implied to be factual, that may harm the reputation of an individual, business, product, group, government or nation."
Stuff like this seems very close to being Slander and Libel. I'm sure a more informed reader will know why it isn't, but even then, it just seems quite close to being so. There are many organizations and individuals with an invested interest in the promotion and sale of Linux.
Brandon Petersen
eehhhhh.... you've got that backwards. Back in the BSOD days, they were mostly marketing, sorta somewhat a little bit engineering. Today they're a for-real engineering shop with an overgrown marketing department. Today MS is much more solid from an engineering point of view than they were, say, 10 years ago. BSODs are waaaaay less common than they were- they're virtually a thing of the past- they're just an engineering shop with a lot of crap legacy code they inherited from their cowboy predecessors.
If there's one thing I won't stand for, it's intolerance.
Perhaps because Windows XP and Vista don't show BSODs anymore but rather just restart the whole system silently, leaving it up to the user's imagination what has caused this? I am not trying to rant (well.. okay, partially I do) but how exactly does concealing stability issues count as good engineering?
> 1. I've had that disabled for years, and I've had exactly one instance of BSOD-ing so far. (The reason was a crappy driver. Yeah, that's so MS's fault. A Linux user would be _so_ able to continue using their KDE programs if the video drivers crashed. Not.)
I call BS too. I used to have an unstable video driver (open source ATI stuff) and I more than once ssh-ed into my box to restart X-windows.
At least on Linux you still have a chance to recover. At least I have open and closed drivers, at least I have a choice.
BTW, the only time I ever had a kernel panic on Linux was when I had faulty RAM... about 7 years ago.
News about the Kettle Open Source project: on my blog
wow sounds like you found the suspected linux patent violations
and proof they're not in linux
It gives you a chance to at least do a controlled restart including a sync. You also have a chance of debugging what went wrong if you are inclined to that.
Arguing that a system that gives you a chance to figure out what went wrong and recover gracefully from it is somehow equal to a system that simply hides everything ugly, booting in mid-whatever is simply absurd.
Your logic eludes me. Why do you need a second computer to simply boot your first? And exactly what does a firewall have to do with graphic driver instability?
And exactly at which point in time did it become "true" that Joe Sixpack can successfully configure and run e.g. a firewall, but it is completely impossible for him to learn "a bunch of command-line stuff"? Why is it that the stuff (firewalls, anti-virus, anti-malware, corrupted registries) that Microsoft imposes on the end-user is "normal", while an optional feature in Linux renders that system completely unusable to anyone else but raving nerds?
Here's an actual example - the faculty head of a university department is conducting a corridor tour of your department with some visitors. One student has a poster presentation in the open common area with a couple of relevant textbooks on the table. Another student is out of sight in a research lab working on his/her research project. Who is the faculty head and the visitors going to consider to be the expert on their subject?
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
As both Firefox and emacs run on Windows (via cygwin), bugs in both programs should be counted as Windows bugs.
:)
But as MSIE does not run on Linux it should not be counted as a Linux bug.
In fact I could write a small Visual Basic program here now in the comment, with a serious bug, and you can count that too.
Anyway, I don't know why I'm writing this. After several hundred comments, few people will ever read this, and the people who are counting will live in ignorance forever...
> tech based people aren't really "users" in the base term.
Incorrect. Tech based people are as much of a user as anyone else.
The only difference is that non-tech based people will try to contact the tech-based people in order for the computer to be repaired. A technician will immediately try to get information about that STOP error code and if necessary, guide the user to disable the automatic restart for one session. Being condescending to someone because they make a valid point only paints yourself as a monkey.
Their point is valid, you are not. Condescending doesn't mean what you think it means.
If you carefully reread my posting, you will notice that I addressed the first point where error messages are hidden from the user, and the second point on why hiding error messages behind an automatic reboot is a good idea. If you have additional information that makes information in my posting incorrect, perhaps you'd like to contribute rather than complain.
If you don't review your code (or, for example, don't have peer review, which closed and open source often lack), then no bugs at all will be discovered.
Fixed that for you.
Oh, I dunno 'bout dat. A year or so back, I got email about an open-source program that I'm responsible for, and which has a few hundred users that I know of. It was from a couple of guys in a college course about computer security. They explained a security hole (buffer overflow) and gave an example that exploited it. I fixed the problem, and sent them a nice message thanking them for their help.
If my source hadn't been available online, they wouldn't have used it as a test case in their course, and I'd have never learned about the problem (until someone exploited it, perhaps on some of the web sites that use the program). The fact that the program was open-source made it possible for total strangers to look at it, detect the problem, and tell me about it.
Granted, open-source code doesn't always result in peer review. But it does so far more often than closed source. I've worked on a lot of corporate software projects over a few decades, and I've yet to see even one "review" that turned up a problem that I hadn't already discovered and solved myself. In my experience, corporate code reviews are always trivial, "Mickey-Mouse" reviews that go over the obvious ideas but never really look at the code or discover real problems. But if you put your code on the Net, you're often surprised by who takes an interest, and then shows off their expertise by telling you about problems.
In particular, it's good to know that some Comp Sci profs are encouraging their students to use available open-source code as test cases for their course work. This is a real boon to developers with the sense to take advantage of such help.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.