Vista Security Claims Debunked
An anonymous reader writes "Apparently Microsoft still hasn't learned that counting vendor acknowledged vulnerabilities isn't a good way to establish the security of an OS. As an analysis of Microsoft's claims on Full Disclosure shows, we see that the methodology used was badly flawed. A bug in Firefox (not to mention emacs), counts as a flaw for Linux, while IE bugs get ignored on Vista's chart. Then we see that vulnerabilities aren't vulnerabilities when they're security-challenged features such as Vista's Teredo. Also, there's far too little consideration given to severity, given that it stoops to counting even extra access restrictions on a file in OSX to have something to show. In short, the original Microsoft analysis was good PR and poor research."
In other news, scientists have confirmed that water is, in fact, wet.
Well... no shit...
I am totally shocked. I just bought 10 licences too and threw away all my Linux computers!
Never believe anything MS says, they are untrustworthy.
Given the previous FUD Microsoft has put out about Linux (235 patents? Which patents?), I'm not really surprised to see this.
Of course, if anyone should be counting browser flaws as OS flaws, it's MS. MS makes the case that they can't remove IE from the OS since it is integral to it working properly, yet doesn't count them on the vulnerability list.
Meanwhile, FF doesn't even have to come with a Linux distro, and a bug that compromises FF as an app is much less likely to compromise the OS as a whole.
Looks like more FUD to scare non technical people from "illegal" and "unsafe" Linux.
with the non-Core Linux components no longer listed based on the feedback.
This just debunks the first report.
The rest of the complaints aside, it may have very well been appropriate not to count Teredo as a vulnerability. Here's why: assume that Windows was technologically backwards and couldn't get on the internet. Would you then agree that Linux was less secure, because the possibility exists to hack it over the internet while that possibility does not exist for Windows? No, that wouldn't be an appropriate assessment of security. To evaluate security we need to in a sense "divide by" the ability of the system to access other things. Teredo gives Vista the ability to get to IPv6 from behind a NAT, so Vista has the ability to access more things (in this one limited way). Thus it should not be counted as a vulnerability unless Linux has a way to do the same thing, in which case we can compare the security implications of Linux's method versus Vista's method. But until then Teredo should be set aside when doing a security comparison (versus an independent vulnerability assessment).
Philosophy.
Most Microsoft customers will take the "research" at face value.
I work in a Microsoft shop. And while I have a great boss, (really, no kidding) the company is Microsoft all the way. There is zero logic at play.
But that's the way it goes. I'm old enough to remember when "Made in Japan" was the cultural equivalent of today's "Made in China." That had little basis in reality then, just like Microsoft customers today just aren't ready to comprehend **buying** something other than a Windows box and just take Microsoft's ridiculousness as fact. In time though, I think that can change. Just like the Japanese and their cars.
Very few people avoid IE, update their software, have a firewall or any security smarts
Vista updates by default. It is nicely built into the shutdown interface. By default you "update and shut down" if an update is available. Firewall is also built in and seems to be relatively well designed. Very honestly I am impressed with Vista's default security.
The rest of your post I agree with. For example will this help my sister-in-law who loads every toolbar and screensaver known to man? Nope. If a user downloads flaky spyware software, there isn't an OS that can help. But Vista truly is a step in the right direction for the majority of folks who just want to browse and email.
riding a flying pig on my way to get a sweater at the store 'cause I heard Hell had frozen over. At the gamestop next to the sweater store, some kid was playing Duke Nukem Forever, which I thought was an amazing game. ...so what do you mean the report isn't true?
Okay while no one on Slashdot feels this is news and the debunking was completely expected, it's useful for the "linux representatives" that many of us inevitably become in casual conversation with our Windows-evangelizing peers. Typical situation:
In this narrative, Josh is the typical One-Trick-Pony, Microsoft MC## who blesses Microsoft every day for making his income so easy to come by and truly believes that Microsoft is the hammer and everything looks like a nail. Gunter is an all-around generalist who is unafraid of anything "computer" and knows enough to work on routers, networks, servers and workstations of just about all varieties which happens to include Linux among others.
Josh: "Hey, just read this security assessment comparing Vista and Linux... Vista won by a mile."
Gunter: "Yeah, I saw that... I also saw -->this-- article exposing the flaws and inconsistencies in their comparisons."
The point here is that being readily armed with a rebuttal is handy.
Actually, it would be appropriate.
If you can remove an avenue of attack, you have increased the security of your system.
Now, by removing it from the Internet you have also reduced the FUNCTIONALITY of your system.
So you end up with a less functional, more secure system.
Security is all about evaluating the possible threats and reducing their effectiveness.
No. If it is an avenue for attack, it is an avenue for attack.
If it is vulnerable, it is vulnerable.
We've been over this before with Firefox's avoidance of ActiveX. Sometimes, increasing your security simply means NOT including some functionality.
That was a sloppy report on Microsoft's part, no doubt, but the Slashdot title is misleading too. It is still helpful to remember that there has been only one exploitable vulnerability discovered on Vista in the past six months, compared to several a month on XP. Vista's OS-level security features (NX, ASLR) do in fact perform as advertised. Vista is immeasurably more secure than OSX (with only one security feature to speak of) -- not a single application security expert has made a claim to the contrary. Noticed all those OSX advisories coming out lately? That's because we appsec people are as tired as the rest of you of Apple and smug Mac assholes.
MOD PARENT UP!
Quote from the Slashdot story: "In short, the original Microsoft analysis was good PR and poor research." It amazes me how easily people accept abuse, and give excuses for being abused. It was not "good PR". My best understanding is that Microsoft's analysis was an intentional lie.
My rule number one in dealing with Microsoft: Unless forced by circumstances, never upgrade to a new version of Windows until the second service pack is released. Let other people have the grief. The huge number of bugs in Windows XP before SP2 was very expensive for us. If I remember correctly, SP2 fixed more than 630 bugs, and some of the fixes were not documented. It is not only the vulnerabilities that are expensive.
Quote from the link in the Slashdot story: "Also, the entire networking stack was rewritten for Vista, and that means lots of new bugs are present. I have already spoken to other researchers who have not disclosed such flaws publicly. However, a good start for learning about some is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues."
Microsoft has, in my opinion, a long, long history of not allowing their programmers to finish their jobs. There were even security vulnerabilities in the Microsoft Help protocols!
This isn't a debunking.
"I feel Jeff really needs to perform another less exaggerated analysis."
It's an armchair critique of someone else's work.
"[...] a good start for learning about [Vista flaws] is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues."
A competitor (see Live OneCare) wrote an article about an early BETA of a new OS saying it had some issues? Shocking!
"Even though OS X claims to be secure, researchers have obviously shown that Apple will have flaws too. This is the nature of software, and it affects all code."
What are you saying here, Kristian? Bugs are inevitable, so we should just give Apple a free pass on their share of problems because, well, it affects all software?
Ok, that's enough of that.
I feel Kristian really needs to perform his own research and analysis, and draw his own conclusions.
PS: Don't mod this as flamebait until you read Kristian's entire post. Really.
The problem exists on any NT-based system, actually. What is happening is that when the installer runs, it is running with Administrator credentials. The retarded, non-user account aware installer installs the icon in the "All Users" desktop. You, a non-administrator, cannot remove it from your desktop because you can use the "All Users" desktop, but cannot alter it. The failing silently thing can also happen on 2000/XP, albeit rarely. Sometimes the "Permission Denied" box can take many minutes to display for apparently no reason at all, particularly on some computers with strange software installed (I've noticed many similar failures when the Dell support tools are installed).
Of course, the solution is blindingly simple. If an icon is on the "All Users" desktop, and you delete it, it simply marks it deleted for *your copy* of the desktop. If you rename it, it's the same icon.. just renamed on your desktop. If an administrator wants to delete it, give them another context menu option, or let them delete it from the actual "All Users\Desktop" folder.
Arguments in terms of Active Directory/Domains are moot--you could simply administer that right via group policies to prevent users from renaming, for example, the icon for Outlook.
Well, no doubt CmdrTaco carefully sifts through all the tags submitted for every story, and diligently evaluates them for selection. He even, I'm certain, cross-references tags for relationships to other projects to see if one is just an unlabeled continuation of the other. After such fastidious examination, and only then, does it make the grade. A grade which your most impressive tag passes with ease.
Given Slashdot's exemplary editorial standards, how could it possibly be otherwise?
This is clearly a gross oversight on Taco's part, and will be looked into with the gravest of concern, there can be no doubt. I suspect your well-crafted tag will don the front page in no time, perhaps even in an extra-crisp font to make up for any negligence and mishandling involved.
I look forward to it with heightened eagerness, and commend you on the alacrity and aplomb you've shown in this, your all-important tag-choosing endeavor.
Godspeed, you will prevail.
Any observer from a tech background would know that this would turn his results to shit, but he is:
- A Microsoft Employee
- A Blogger
so that never mattered anyway.
"I need a submit macro"
You mean like the "Preview" button right next to the "Submit" one?
Unfortunately they seem to be so obsessed with winning by FUDing and spinning that they end up making crap. This is a great disservice to the whole computer industry.
After extensive research we found that having the computer powered up was the source of all the security flaws. Don't blame MS - they don't make the power cords!
I haven't seen Cisco jump to run Vista on their Firewall Machines. So, maybe, just maybe, they had a reason to stick to *nix.
Marketing is cheaper than R&D.
How are they obscure? You can't know much about security at all without knowing about people like insecure.org, SecuriTeam, or the Full-Disclosure mailing list. Or maybe you meant the author, Kristian Hermansen? They're a security researcher at Cisco, FYI. But even then, what does obscurity matter if their criticisms are valid? You could be an anonymous coward and make a valid point, after all (alas, that's merely a hypothetical because you do not).
Then you claim that the second report addressed all those issues. That's not at all true. Sure, it doesn't count Firefox bugs any more, but that's not the real problem with the study. The real problem is that counting vendor-acknowledged bugs isn't a security metric at all! That's right, it's not the least bit useful for giving either an academic or real-world measure of security. You can't rescue the original study from that flaw without redoing it and abandoning the original premise.
But I guess you wouldn't know that, because you don't know these "obscure" sites that people who know about computer security do. I mean, next thing you know, people will be citing virtual unknowns like Bruce Schneier as if they knew anything about security! Or maybe Fyodor, I bet he doesn't know a damn thing about networking. What did he ever do? Make up that silly fake application they used as a "hacking" tool in the Matrix movies? [/sarcasm]
I mean, in their entire history, when has Microsoft ever done ANYTHING untrustworthy?
Like literally copying/stealing other people's code line for line and putting it in their OS? (Stacker)
Like putting in software hooks to see if competing office products were running and then crash them or make them run slow? (WordPerfect)
Like swapping code in an OS and a browser to make it appear that the browser was integral to the OS to weasel out of antitrust issues? (Win98 / Explorer)
Naw... I just can't believe that MicroSoft would stoop so low as to try to promote its "ground-up" new OS (that amazingly has many of the exact same vulnerabilities as XP) as being hardened and more secure than Linux and OSX.
They wouldn't do anything like that, would they?
This means simply that Microsoft will generally pour just enough resources into a product to beat the competition and dominate the marketplace. We saw that with the browser war. When it had to overtake Netscape it came up with a good product. After it killed Netscape, and there was practically no other comparable browser, resources were taken off the browser product because it was good enough and there was no sense whatsoever in improving it.
We saw it with the IDE's. When Microsoft had to compete with Borland {Borland Pascal; Borland C/C++} it came up with the 'Visual' IDE. Visual C, Visual Fortran. It was a good IDE, and it won against Borland. After that ... it languished. Now ... now that we're seeing the Eclipse IDE and SUN's IDE ... suddenly Microsoft floors the accelerator again.
The same holds for the Operating System itself. Windows was systematically tailored to capture the eye of consumers and businesses, which it did very well. Never mind that the internals were {and still are} kludgy. What the user sees is the user interface; that's what sells. Security flaws? Well ... as long as there is no competitor to which people can switch while retaining their investment in software and training ... security flaws aren't a show-stopper. Getting their own stuff to work was {previous Windows versions have so many tightly coupled components that you never knew what would break next when you changed or added anything}, and that's why Jim Allchin very sensibly steered towards a properly engineered Windows. Vista, in other words.
Given that we're seeing Linux, OS-X, and Open Solaris competing in more or less the same market we also saw an increased effort from Microsoft to tart up the user interface. Those transparent windows thingies.
This is something fundamental you have to understand about Microsoft. They are calculating folk, and never ever were trailblazers. Tail-light chasers, yes, but never trailblazers. 'Good Enough' is their goal, and their yardstick is ... the competition. Why? Because to Microsoft 'Good Enough' means 'Good enough to win in the marketplace and bring in revenue'. That's how Microsoft became so rich.
I wish there were a "+10, ridiculously insightful" rating.
This comment is the most insightful thing I've seen on /. in over a month. And me without mod points, so I'm posting.
"the communication of a statement that makes a false claim, expressly stated or implied to be factual, that may harm the reputation of an individual, business, product, group, government or nation."
Stuff like this seems very close to being Slander and Libel. I'm sure a more informed reader will know why it isn't, but even then, it just seems quite close to being so. There are many organizations and individuals with a vested interest in the promotion and sale of Linux.
Visual Studio vs Borland: VS was never better than Borland on a level playing field. MS only competed by being a bully.
My main point is that MS don't get their products Good Enough. MS get there by putting their effort into attacking the competition rather than by developing (or even offering) good products.
I think MS marketing is more Mafia tactics than anything technical.
x86 made only incremental gains from the 486 to the Pentium IV. Suddenly, wham! AMD comes out with the 64-bit Opteron and Athlon 64 and they kick the crap out of Intel on price, performance, and power consumption for a year or so.
Now we've seen a ferocious flurry of innovation from Intel, which has suddenly been pouring money into R&D and taking advantage of its superior manufacturing processes. We've got Intel vs. AMD to thank for quad-core, low-power, hardware virtualization... and best of all, $59 dual-core 64-bit processors from Newegg
Now AMD is falling behind fairly rapidly, and we can expect Intel to slack off its R&D correspondingly. But in a year or five, AMD or someone else (VIA? IBM? MIPS?) will be back with something new and send Intel scrambling again.
R&D is cheaper than bad publicity or customer support for a shoddy product, I'd wager. But they wouldn't teach that in a marketing class, would they? ;-)
You haven't read an annual company report recently, or ever for that matter?
Even in software - or pharmaceutical companies where one would assume that a lot is spent on research - the R&D budget is usually ~18% (which varies, of course) while sales and marketing usually eats away approx. half of the costs.
Sales, marketing and distribution is horrendously expensive and gets a far bigger chunk of the budget than R&D.
This is a generalisation, of course, but true for the vast majority of companies.
Yes, I know it's good for your karma to rehash the same "Windows BSODs" crap, but I'll call bull.
1. I've had that disabled for years, and I've had exactly one instance of BSOD-ing so far. (The reason was a crappy driver. Yeah, that's so MS's fault. A Linux user would be _so_ able to continue using their KDE programs if the video drivers crashed. Not.)
2. You would still notice it if your computer was restarting all the time. So, you know, it would be exactly the same amount of tech support calls whether it's "I've got a BSOD" or "this damn computer keeps restarting".
3. It wouldn't be that well hidden anyway, because it does briefly show a BSOD before restarting.
4. And if ad-absurdum they actually managed to hide it that well that you don't even notice, then why would it matter?
So, you know, propaganda tends to work better if it doesn't amount to telling people "your Windows BSODs all the time!... even though you've probably never seen it actually doing it." It tends to be kinda like me telling you that you have to move because there's an elephant in your bathroom, even though you probably don't see it.
The point is simply that number of disclosed bugs is not a valid comparison. It matters not if he "did his best".
"The numbers" would certainly look very different if Microsoft adopted the methodology used by most open source projects of fully disclosing every bug. Or if open source projects mirrored Microsoft's practices. It is very well known that Microsoft does NOT fully disclose all bugs and many cumulative patches silently fix MANY problems. The severity of bugs is also classified very differently.
You are right about one thing, it is all a numbers game. But you are WRONG that it means anything, even that Microsoft is improving. It means NOTHING. Nothing at all. It's only a numbers game. Even if someone else games the numbers differently and Linux-based systems look better, it still means nothing to compare numbers of bugs when very different philosophies and practices govern which bugs are fully disclosed and how their severities are rated.
...was well counted, after all, it's a nice OS with a poor text editor.
It's not cheaper (quite the contrary), but the effects of marketing are much more immediate than the effects of research. And it's the quarterly report that counts, not how the company is doing in three years.
"x86 made only incremental gains from the 486 to the Pentium IV. Suddenly, wham! AMD comes out with the 64-bit Opteron and Athlon 64 and they kick the crap out of Intel on price, performance, and power consumption for a year or so."
I think you need to seriously revise your x86 history.
That is not to say that x86_64 wasn't a significant improvement, but to basically suggest the Pentium, Pentium Pro/II/III and Pentium 4 were just faster 486s is ludicrous. Each of those CPU families represents a serious increase in the design and capabilities of the x86 platform and they all came from Intel. Indeed, one of the main reasons x86_64 was so significant was because it represents one of the few times AMD has been the leader, not the follower, in the last few decades.
242 wow, sounds like you found the suspected Linux patent violations
and proof they're not in Linux
That's because you are gullible enough to believe the hype, aggravated by your lack of will to perform a basic search for the facts. Here is a bit of debunking from a quick google search.
From Secunia's advisory statistics:
Those are real world facts supported on real world evidence which is freely available to the public. It isn't a random blog entry which is based on god knows what data which is only known by the author and possibly doesn't even exist. So where in fact is there a need to "debunk" a moronic, unsubstantiated claim made by some microsoft employee, specially when there is all that evidence right in front of everyone's face?
Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
It gives you a chance to atleast do a controlled restart including a sync. You also have a chance of debugging what went wrong if you are inclined to that.
Arguing that a system that gives you a chance to figure out what went wrong and recover gracefully from it is somehow equal to a system that simply hides everything ugly, booting in mid-whatever is simply absurd.
Your logic eludes me. Why do you need a second computer to simply boot your first? And exactly what does a firewall have to do with graphic driver instability?
And exactly at which point in time did it become "true" that Joe Sixpack can successfully configure and run e.g. a firewall, but completely impossible for him to learn "a bunch of command-line stuff"? Why is it that the stuff (firewalls, anti-virus, anti-malware, corrupted registries ) that Microsoft imposes on the end-user is "normal", while an optional feature in Linux renders that system completely unusable to anyone else but raving nerds?
The piece of shit Taurus I also have has no leak therefore it must be a better car than my old Porsche. And it's true that if every car in the world were my old Porsche then all the cars in the world would have that same annoying leak. Ergo the world is a better place for all the piece of shit Taurus's on the road.
See it's not about theory, fanboys. It's about practical outcomes. Per person per unit per second per whatever the practical outcomes of MS 'security' are disaster and failure compared to everything else. Period full stop. And if all the fanboys in the world got off /., put down the fucking cheetos and hammered out code it still wouldn't make any difference because that train's already left the station.
You can wave your MS flag in my face all.fucking.day. telling me about the theoretical import of security gaps in some other widget and it won't amount to anything because the effect of these gaps is maybe 0.0001% of the effect of yours.
So suck it up, my pimpled minions - your God is a cardboard God.
- 486 SX 66Mhz machine running Windows 3.1
- In Dick Cheney's Bunker
- No Modem
- No Token Ring
- No Banyan VINES
- No Ethernet or IPX
- No TCP/IP winsock implementation.
Most Secure Windows Ever!
Here's an actual example - the faculty head of a university department is conducting a corridor tour of your department with some visitors. One student has a poster presentation in the open common area with a couple of relevant textbooks on the table. Another student is out of sight in a research lab working on his/her research project. Who is the faculty head and the visitors going to consider to be the expert on their subject?
As both Firefox and Emacs run on Windows (via Cygwin), bugs in both programs should be counted as Windows bugs.
:)
But as MSIE does not run on Linux it should not be counted as a Linux bug.
In fact I could write a small Visual Basic program here now in the comment, with a serious bug, and you can count that too.
Anyway, I don't know why I'm writing this. After several hundred comments, few people will ever read this, and the people who are counting will live in ignorance forever...
Heh, you've never used any *nix before, except as a toy. There's a fucking mountain of difference. Does your box run any services for the network? Does it share any printers or disks? Does it have any other users logged into it? Does it run any scheduled tasks or background jobs? If you're doing *any* of these things, then there's no way in hell you want the system to reboot. If you're not doing any of these things, you're not running Linux, you're running a bloody X-terminal.
Marketing has a much higher ROI potential than actual R&D, which may not even pan out. If it does, well, marketing is still more profitable in most cases. People will buy stupid shit if you market it properly. Particularly when it comes to computers or any other sort of information technology, which most people view the way the monkeys viewed the black monolith, as a mysterious object to be feared.
Two prime examples from my line of work of people buying into marketing hype with zero understanding of the technology.
1. The vast majority of our clients are small businesses. I'm talking 5 to 10 employees, which are primarily "the people who do some work, and one or two administrative assistants". Zero tech staff whatsoever. I cannot even begin to count the number of these small business owners that call me whining that their VoIP service "doesn't work" and it turns out it's because they bought some insanely expensive Cisco firewall (or some other firewall "appliance"). They have only the foggiest notion of what a firewall does, they have zero idea how to set one up, configure it, or maintain it, but some doofus salesman somewhere told them how important firewalls are and how they have to have one, so they forked over hundreds of dollars for a box they can barely identify.
2. To diagnose VoIP problems I also frequently need to ask what sort of internet connection the client has. Most of them give a totally inane response like "it's the fastest one they offer" or "business-class". In other words, they have no idea what they're paying for every month, but they can recite the bullshit marketing terms all day long.
People have no idea what the hell they're buying. Companies routinely offer crap and doll it up with important-sounding fluff, and people buy it, having no understanding of what they're purchasing or how to tell a good product from a bad one. It doesn't take long for bean-counters to realize that they can cut back on making an actual reliable product, and divert the savings into marketing, at which point people will start handing over cash.