Slashdot Mirror


Vista Security Claims Debunked

An anonymous reader writes "Apparently Microsoft still hasn't learned that counting vendor-acknowledged vulnerabilities isn't a good way to establish the security of an OS. As an analysis of Microsoft's claims on Full Disclosure shows, we see that the methodology used was badly flawed. A bug in Firefox (not to mention emacs) counts as a flaw for Linux, while IE bugs get ignored on Vista's chart. Then we see that vulnerabilities aren't vulnerabilities when they're security-challenged features such as Vista's Teredo. Also, there's far too little consideration given to severity, given that it stoops to counting even extra access restrictions on a file in OS X to have something to show. In short, the original Microsoft analysis was good PR and poor research."

9 of 315 comments

  1. The Microsoft guy did a second report by Utopia · · Score: 4, Interesting

    with the non-Core Linux components no longer listed, based on the feedback.

    This just debunks the first report.

  2. Depending upon your definition of "security", yes. by khasim · · Score: 4, Interesting

    Here's why: assume that windows was technologically backwards and couldn't get on the internet. Would you then agree that Linux was less secure, because the possibility exists to hack it over the internet while that possibility does not exist for windows? No, that wouldn't be an appropriate assessment of security.

    Actually, it would be appropriate.

    If you can remove an avenue of attack, you have increased the security of your system.

    Now, by removing it from the Internet you have also reduced the FUNCTIONALITY of your system.

    So you end up with a less functional, more secure system.

    Security is all about evaluating the possible threats and reducing their effectiveness.

    Teredo gives Vista the ability to get to IPv6 from behind a NAT, so Vista has the ability to access more things (in this one limited way). Thus it should not be counted as a vulnerability unless Linux has a way to do the same thing, in which case we can compare the security implications of Linux's method versus Vista's method.

    No. If it is an avenue for attack, it is an avenue for attack.

    If it is vulnerable, it is vulnerable.

    We've been over this before with Firefox's avoidance of ActiveX. Sometimes, increasing your security simply means NOT including some functionality.

  3. Don't accept abuse. MS apparently lied. by Futurepower(R) · · Score: 5, Interesting

    MOD PARENT UP!

    Quote from the Slashdot story: "In short, the original Microsoft analysis was good PR and poor research." It amazes me how easily people accept abuse, and give excuses for being abused. It was not "good PR". My best understanding is that Microsoft's analysis was an intentional lie.

    My rule number one in dealing with Microsoft: Unless forced by circumstances, never upgrade to a new version of Windows until the second service pack is released. Let other people have the grief. The huge number of bugs in Windows XP before SP2 was very expensive for us. If I remember correctly, SP2 fixed more than 630 bugs, and some of the fixes were not documented. It is not only the vulnerabilities that are expensive.

    Quote from the link in the Slashdot story: "Also, the entire networking stack was rewritten for Vista, and that means lots of new bugs are present. I have already spoken to other researchers who have not disclosed such flaws publicly. However, a good start for learning about some is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues."

    Microsoft has, in my opinion, a long, long history of not allowing their programmers to finish their jobs. There were even security vulnerabilities in the Microsoft Help protocols!

  4. Armchair critique by weinrich · · Score: 4, Interesting

    This report from Microsoft's Jeff R. Jones is ludicrous...

    This isn't a debunking.

    I feel Jeff really needs to perform another less exaggerated analysis.

    It's an armchair critique of someone else's work.

    [...] a good start for learning about [Vista flaws] is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues.

    A competitor (see Live OneCare) wrote an article about an early BETA of a new OS saying it had some issues? Shocking!

    Even though OS X claims to be secure, researchers have obviously shown that Apple will have flaws too. This is the nature of software, and it affects all code.

    What are you saying here, Kristian? Bugs are inevitable, so we should just give Apple a free pass on their share of problems because, well, it affects all software?

    Ok, that's enough of that.

    I feel Kristian really needs to perform his own research and analysis, and draw his own conclusions.

    PS: Don't mod this as flamebait until you read Kristian's entire post. Really.
    --
    Error: .sig not found, using /etc/passwd instead

  5. Re:You don't need to see our identification. by smitty97 · · Score: 4, Interesting

    MOD PARENT DOWN!

    1. I think we all know where the quote is from.
    2. Except you.

    --
    mod me funny

  6. Slander and Libel by brandonp · · Score: 3, Interesting

    "the communication of a statement that makes a false claim, expressly stated or implied to be factual, that may harm the reputation of an individual, business, product, group, government or nation."

    Stuff like this seems very close to being slander and libel. I'm sure a more informed reader will know why it isn't, but even then, it just seems quite close to being so. There are many organizations and individuals with a vested interest in the promotion and sale of Linux.

    Brandon Petersen

  7. Re:The really sad part.... by MrManny · · Score: 3, Interesting

    BSODs are waaaaay less common than they were

    Perhaps because Windows XP and Vista don't show BSODs anymore but rather just restart the whole system silently, leaving it up to the user's imagination what has caused this? I am not trying to rant (well.. okay, partially I do) but how exactly does concealing stability issues count as good engineering?

  8. Re:I'll call bull by mattcasters · · Score: 3, Interesting

    >1. I've had that disabled for years, and I've had exactly one instance of BSOD-ing so far. (The reason was a crappy driver. Yeah, that's so MS's fault. A Linux user would be _so_ able to continue using their KDE programs if the video drivers crashed. Not.)

    I call BS too. I used to have an unstable video driver (open source ATI stuff) and I more than once ssh-ed into my box to restart X-windows.
    At least on Linux you still have a chance to recover. At least I have open and closed drivers, at least I have a choice.

    BTW, the only time I ever had a kernel panic on Linux was when I had faulty RAM... about 7 years ago.

    --
    News about the Kettle Open Source project: on my blog

  9. Re:Heh by Super_Z · · Score: 3, Interesting

    Heh. So basically you can keep the kernel running, but your X programs are fucked anyway. Well, gee, that's so different from rebooting the system.

    It gives you a chance to at least do a controlled restart including a sync. You also have a chance of debugging what went wrong if you are inclined to that.

    Arguing that a system that gives you a chance to figure out what went wrong and recover gracefully from it is somehow equal to a system that simply hides everything ugly, booting in mid-whatever is simply absurd.

    1. buy a second computer, so he can SSH into the first one. Just, you know, because it's so evil to buy a $25 firewall for your Windows box, but it's cool to buy a whole second computer for your Linux box.

    Your logic eludes me. Why do you need a second computer to simply boot your first? And exactly what does a firewall have to do with graphic driver instability?

    And exactly at which point in time did it become "true" that Joe Sixpack can successfully configure and run e.g. a firewall, but completely impossible for him to learn "a bunch of command-line stuff"? Why is it that the stuff (firewalls, anti-virus, anti-malware, corrupted registries) that Microsoft imposes on the end-user is "normal", while an optional feature in Linux renders that system completely unusable to anyone else but raving nerds?