Microsoft Claims Linux Security a Myth 901

black hole sun writes "Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.' The gist of his argument appears to be his claim of lack of accountability among distributors, coupled with generic statements short on facts. 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.' He goes on to say that 'Linux is not ready for mission-critical computing. There are fundamental things missing,' pointing out the lack of a development environment and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program." I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.
  • by Staos ( 700036 ) * on Saturday January 29, 2005 @12:33PM (#11513680) Journal
    Twenty years of buffer overflows. [google.com]

    Questions?
  • Indeed (Score:5, Insightful)

    by SilverspurG ( 844751 ) * on Saturday January 29, 2005 @12:34PM (#11513683) Homepage Journal
    "Who is accountable for the security of the Linux kernel?"
    Tell me. Of the 60,000 some (give or take whatever) viruses, worms, and trojans available for Windows, how many of them even needed kernel level access? I suppose he can simply blame that on others.

    There are bits of the Linux software stack that are missing
    Care to elaborate? Just what part of the software stack is missing?
  • by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Saturday January 29, 2005 @12:35PM (#11513690) Homepage Journal
    Fact: Much of what winders suffers from is incompetent users. Nothing is really stopping the developers from writing spam bots for windows because idiot users on Linux could run bad code just as easily as idiot users on windows.

    OTOH, you don't have such dumbass tricks as tying your browser right to the OS or ActiveX, so you make spyware and whatnot less of a factor.

    On yet another hand, however, you have the problem of moron users running sendmail daemons that listen for connections from the Internet and other stupid things. Plus, Linux has security holes. If stupid people don't patch them just like they don't patch winders, what good is the security?

    Again: You can protect the stupid people from the world if you want, but you can't protect them from themselves.
  • by grasshoppa ( 657393 ) on Saturday January 29, 2005 @12:37PM (#11513706) Homepage
    You see, it's called marketing. He is saying exactly what big wig CIO/CEO/C[A-Z]{2} understand and like to hear. Accountability. That's a big thing to most corporations.

    Now, him saying that Redhat can't improve the kernel is simple BS, and could either be a fundamental lack of understanding on his part, or just a flat out lie. Given his position, I'm guessing it's a lie. Redhat (as have most distributors) patches the kernel with its own magic, and will often update it on its own.

    Cliff notes: MS marketing with head in sand. News at 11.
  • Ho-hum (Score:5, Insightful)

    by twilight30 ( 84644 ) on Saturday January 29, 2005 @12:40PM (#11513724) Homepage
    Move along, people. Nothing to see here. There's no point in getting pissed off about this; Microsoft shills are liars and exaggerators.

    I will never forget -- seeing as how it happened only on 19 December just gone -- about my broadband installation. Not wanting to rock the boat nor confuse the cable installer guy, I rebooted into XP just prior to his arrival. He hooked my old beater celery up with DHCP and I surfed for about ten minutes. I thanked him and he left.

    So I figured I'd do the decent thing and do the security updates. ...

    Eight hours later, I cleaned off the last of the spyware, adware, malware horseshit.

    To Nick McGrath: Fuck off and die, you wanker. How much you want to bet your router at home runs a Linux variant for firewalling purposes?
  • by nharmon ( 97591 ) on Saturday January 29, 2005 @12:40PM (#11513727)
    From Windows XP's EULA:

    LIMITATION ON REMEDIES; NO CONSEQUENTIAL OR OTHER DAMAGES. Your exclusive remedy for any breach of this Limited Warranty is as set forth below. Except for any refund elected by Microsoft, YOU ARE NOT ENTITLED TO ANY DAMAGES, INCLUDING BUT NOT LIMITED TO CONSEQUENTIAL DAMAGES, if the Product does not meet Microsoft's Limited Warranty,

    So, are we to believe that if Windows crashes my data, that I can hold Microsoft accountable?

    At least with Linux I have access to the source code, and can hire programmers to scratch my itches for me. Somehow, I don't think microsoft would give out source code if they went under.
  • by Malfourmed ( 633699 ) on Saturday January 29, 2005 @12:40PM (#11513732) Homepage
    McGrath is not making a technical argument, but a management/legal one. In business, security (ie peace of mind) is not defined by the tightness of a piece of code but by who you can make accountable for any failure.

    Microsoft at least is the clear and sole owner of its product. Though any single customer's ability to make it responsible for product deficiencies is slight at best, a statement of "we're here and responsible for our stuff" is superficially reassuring.
  • by Taladar ( 717494 ) on Saturday January 29, 2005 @12:41PM (#11513739)
    Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
    From these words I conclude that any business that lost time/money from security holes or bugs in Windows can go to Microsoft and present a bill which Microsoft will gladly pay.
  • by Anonymous Coward on Saturday January 29, 2005 @12:42PM (#11513742)
    So the Microsoft bigwig Nick McGrath says "Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel."
    Well Ok Nicky - you are implying then that MS DOES take responsibility for the security of its products? If that is so then you are lying because the last time I read YOUR EULA it states that you guys will take our money but will not take responsibility for any defects etc in YOUR products.

    Once again we have idiots making statements for none other than the idiots that are running the IT industry...
  • by Staplerh ( 806722 ) on Saturday January 29, 2005 @12:43PM (#11513746) Homepage
    Come now. This is ridiculous:

    I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.

    This is true, I will agree.. in my humble opinion. Let's save the editorializing for the comments. This is 'News for Nerds' - this sort of snide comment has a place in an Op/Ed page, but certainly not the 'front page' of a news site. I suppose there are divergent ideas of what Slashdot really is, but I think that endeavouring to be unbiased would be great.

    I'm not meaning to troll or to be 'flamebait' here, just to point out a disturbing trend I've noticed in biased story submissions.
  • by meisenst ( 104896 ) on Saturday January 29, 2005 @12:44PM (#11513754) Homepage
    Any IT manager worth their salt will look past this FUD and look towards things like... this [slashdot.org], where Microsoft's single sign-on program fails them utterly. Oh, wait, isn't that one of the key points this guy tried to make, even though Passport has basically begun to circle the drain?
  • by agraupe ( 769778 ) on Saturday January 29, 2005 @12:44PM (#11513760) Journal
    Here are my personal evaluations of security differences:

    Spyware:
    Windows: I run a spyware checker every week or two, and it almost consistently finds new spyware.
    Linux: Is there a spyware checker for linux? Does there need to be? I know that my Linux box runs consistently fast, and has no search bars.
    Edge: Linux

    Default Habits:
    Windows: The Windows XP install, by default, seems to create an Administrator account with no password, no User account, and no suggestion that there should be a user account. Also, there are many services that are on by default, that really shouldn't be.
    Linux: All linux distros I've used require a root password, and strongly emphasize that root is not to be used for day-to-day computing. Depending on the distro, most unnecessary services are off by default.
    Edge: Linux

    Updating:
    Windows: Use an insecure browser, tied to the OS itself, to browse to Windows Update, wherein the system is updated. Note that these updates have a nasty habit of breaking things, and this does not update third-party software which may be vulnerable.
    Linux: sudo apt-get update; sudo apt-get upgrade
    OR
    sudo emerge sync; sudo emerge --update world
    Edge: Linux

    Do I need to go on?
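The "Default Habits" comparison above comes down to two concrete checks an admin can run on any box: are there accounts with no password at all, and is anyone besides root running with UID 0? The following is an added example, not code from the comment or from any distribution; it reads passwd/shadow-format text on stdin so it can be tried on the constructed sample data below as well as on the real files (`empty_password_accounts < /etc/shadow` as root). The sample account names and hashes are made up.

```shell
#!/bin/sh
# Added audit helpers (not from the thread). Both read the real file formats
# on stdin, so they work on constructed samples and on /etc/passwd, /etc/shadow.

# Print account names whose password field (field 2) is empty in
# shadow-format input. An empty field means the account can log in
# with no password at all; "*" or "!" means the account is locked.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Print account names other than root that have UID 0 (field 3) in
# passwd-format input: any such account is a second root under another name.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Constructed sample data, in the real file formats (hashes are placeholders).
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:12800:0:99999:7:::
daemon:*:12800:0:99999:7:::
guest::12800:0:99999:7:::
alice:$6$abc$def:12800:0:99999:7:::'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Demonstration on the sample data: prints "guest", then "toor".
printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
```

Both functions print nothing on a clean system, which makes them easy to drop into a cron job that mails any output to the admin.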

  • by jonastullus ( 530101 ) on Saturday January 29, 2005 @12:45PM (#11513767) Homepage
    i really don't want to play down the problems linux has with its development model and i sure have heard great things about the microsoft development process!

    but i'd rather have a more secure system now, which lacks in development stringency, than a provenly unsafe system which can prove exactly when, why and how their bugs came into the system...

    microsoft is just far too lax concerning their outward security policy (like not caring about the blatant RC4 exploit). their "patch day" with all those patches that never quite close the exploits is just a farce!

    well, gnu/linux with all its applications has had a bad streak of exploits as well recently and i would strongly recommend a stricter development process, but if i were microsoft i'd definitely tone down on the linux-is-insecure-and-lacks-accountability bashing and instead invest some serious effort in making my own product look a little more convincing and less like the bug-ridden security hole that it is!

    jethr0
  • Re:Single sign-on (Score:2, Insightful)

    by Anonymous Coward on Saturday January 29, 2005 @12:47PM (#11513789)
    I corrected it for you: Apparently it's well-known at Microsoft that Linux doesn't support **Microsoft's deliberately incompatible version of** Kerberos.
  • by Roguelazer ( 606927 ) <Roguelazer@nOSpam.gmail.com> on Saturday January 29, 2005 @12:49PM (#11513806) Homepage Journal
    "there is no single Development Environment for Linux as there is for Microsoft"

    Yes, what a good point. There are multiple DE's for linux. This is a bad thing, because it means developers have a choice. There should only be one piece of software for each category, and it should be manufactured by Microsoft. Choice is bad, people!

  • Hm (Score:5, Insightful)

    by Lisandro ( 799651 ) on Saturday January 29, 2005 @12:52PM (#11513824)
    Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.'

    Why, of course he does. That's his job.

    In other stories, water's wet, sky is blue and women have secrets. More news at 10!
  • Re:Is he serious (Score:3, Insightful)

    by WhiplashII ( 542766 ) on Saturday January 29, 2005 @12:53PM (#11513836) Homepage Journal
    This is not a recent strategy... in marketing you commonly look at your strengths and weaknesses - and then see how you are perceived by your customers. If your customers already know your strengths, your marketing strategy is to convince them that your weaknesses are also strong.

    It just sounds silly to those who know. But it does work in most cases...

  • by ggvaidya ( 747058 ) on Saturday January 29, 2005 @12:53PM (#11513841) Homepage Journal
    IMHO, the biggest problem is that Windows has remained relatively unchanged since Win95. Win95 was a single-user application, only just beginning to explore the Internet. The biggest risk your computer could face - viruses - could be handled by being very careful about which floppy disks you used. People who used BBSes were competent enough to use antiviral programs.

    With the coming of the Internet, all that changed. Windows needs to be secure enough to prevent web-based attacks, such as through badly created web application frameworks like ActiveX, as well as prevent attacks on vulnerabilities in the networking function of the OS. Stuff like using a restricted user mode, frequent updates, using a secure browser, etc. are necessary to stop such attacks.

    A Windows computer is probably as secure as a Linux machine if adequate measures are taken: antivirus programs, firewalls (generally included in the former), secure passwords, not running as Admin and most importantly, frequent updates.

    All this is new stuff that people have to learn. At least if you use Linux, somewhere down the line you *have* to learn the basics of stuff like this (I've found "rm -rf" is the best tool for teaching people to NEVER run as root!). With Windows, you can remain painfully oblivious to the most basic security techniques because the OS will *let* you - and your computer becomes the next hub for Joe Spamboss.

    Hopefully, SP2 will improve things - I've found the firewall a real PITA, particularly on university-administered computers, but at least it makes people a little more aware and careful.

    I don't think branding everybody as "stupid" is the way to go about it. They're not stupid, they're just not aware. And I blame Microsoft as their enabler, at least for these last few years.
  • Re:Indeed (Score:5, Insightful)

    by Anonymous Coward on Saturday January 29, 2005 @12:53PM (#11513843)
    Trying to use logic and reasoning in the face of this style of MS FUD is just going to make for a long winded argument.

    Here, MS is starting out with claims that don't have a thing to do with reality. They're stating nothing more than equivalents to 'what if's. Making a reasonable sounding argument that in the absence of proof sounds like it could have some backing behind it.

    When MS says "The biggest challenge we need to face centres on the myth and reality. There are lots of myths out there as to what Linux can do. One myth we see is that Linux is more secure than Windows." it's just an outright lie. It sounds like he's taking the position of a firm stand against a very real problem. "the open source development process creates fundamental security problems." furthers it, by attempting to put an explanation on just what's wrong with Linux.

    It's theorising, and it's the kind of logic a bunch of guys down the pub will bullshit on about for hours, talking about cars or government or whatever, things they really don't know about, but can sound knowledgeable about.

    Sounding knowledgeable doesn't stand up to Reality though.

    Microsoft's comments about Linux security in the face of the passing of their least secure year is the equivalent of them arguing that drink driving is actually safer, by stating "Alcohol slows you down. It would make you drive slower, therefore be safer. You'd be less likely to do anything silly cos you'd be trying to concentrate harder on driving well". On the surface to someone who knows no difference, it sounds like an argument that has merit.

    But again, The Real World jumps up and gets in the road, and that's where real security issues for MS exist, and not in their false construct of marketingspeak.
  • by Jeff DeMaagd ( 2015 ) on Saturday January 29, 2005 @12:55PM (#11513859) Homepage Journal
    My biggest objection is whether Microsoft takes accountability for their own products? They should shut up, because they aren't ready for the enterprise.
  • Re:Indeed (Score:4, Insightful)

    by tdemark ( 512406 ) on Saturday January 29, 2005 @12:55PM (#11513860) Homepage
    'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.'

    Who is accountable for the safety of drinking water? Does Evian, for example, take responsibility? It cannot, as it does not produce water. It packages one distribution of water.
  • Let him talk (Score:1, Insightful)

    by SamShazaam ( 713403 ) on Saturday January 29, 2005 @12:55PM (#11513861)
    A delusional enemy is more vulnerable. Linux has gone too far for his words to carry much weight. The truth is already known in the industry.
  • by Cthefuture ( 665326 ) on Saturday January 29, 2005 @12:56PM (#11513864)
    Again: You can protect the stupid people from the world if you want, but you can't protect them from themselves.

    Pffft, right. I'm as geeky as they come but I want my system to be secure without me having to think about it. I got code running through my head all day long, the last thing I need to think about is whether or not my system in secure. I do want my system to be secure and protect me though. The OS needs to do that for me because I don't want to care about that stuff.
  • by daviddennis ( 10926 ) <david@amazing.com> on Saturday January 29, 2005 @12:59PM (#11513890) Homepage
    How is Microsoft accountable when their own license agreements say clearly that they are not liable for any consequences resulting from use of their systems?

    If they were genuinely accountable, they'd be bankrupt.

    I have to say, this is a pet peeve of mine - pretending to take responsibility when there is, in fact, no responsibility taken is just plain wrong.

    D
  • Re:Indeed (Score:5, Insightful)

    by prandal ( 87280 ) on Saturday January 29, 2005 @01:00PM (#11513898)
    Care to elaborate? Just what part of the software stack is missing?

    DRM.
  • *nod* Judging from the number of ssh attempted login scans, there are a fair number of compromised Linux boxes out there. :-(

    I'm starting to get really annoyed with Open Source people patting themselves on the back over security when stuff like that last thing where the people tried to get someone responsible for Linux kernel development to accept a security related patch, and ended up having to get an article on Slashdot before it happened.

    Security doesn't just magically happen. The Open Source development model is the only way to go if you want real security, but it actually requires effort on the part of maintainers to make it happen.
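The comment above points at ssh login scans as the visible symptom of compromised boxes. Seeing whether your own machine is on the receiving end is a matter of counting failed sshd password attempts per source address. The following is an added example, not code from the comment; it assumes the OpenSSH "Failed password for ... from ADDR port N ssh2" line format in auth.log (the sample log lines below are constructed, with documentation-range addresses), and reports any source at or above a threshold.

```shell
#!/bin/sh
# Added example (not from the thread): count failed sshd password attempts
# per source address in auth.log-style input and print the sources that reach
# a threshold, most failures first.
# Usage on a real system (as root): ssh_scan_sources 10 < /var/log/auth.log

# $1 = minimum number of failures to report (default 5). Reads log lines on
# stdin. Output: one "<count> <address>" line per offending source.
ssh_scan_sources() {
    threshold="${1:-5}"
    grep -E 'sshd\[[0-9]+\]: Failed password for' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $1, $2 }' \
        | sort -rn
}

# Constructed auth.log lines in the OpenSSH syslog format: one scanner trying
# several names, one legitimate user who mistyped a password once, and an
# unrelated cron line that must be ignored.
SAMPLE_AUTHLOG='Jan 29 12:33:01 box sshd[4121]: Failed password for root from 192.0.2.10 port 51102 ssh2
Jan 29 12:33:03 box sshd[4123]: Failed password for root from 192.0.2.10 port 51108 ssh2
Jan 29 12:33:05 box sshd[4125]: Failed password for invalid user test from 192.0.2.10 port 51115 ssh2
Jan 29 12:33:07 box sshd[4127]: Failed password for invalid user admin from 192.0.2.10 port 51120 ssh2
Jan 29 12:40:12 box sshd[4190]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jan 29 12:41:00 box sshd[4201]: Failed password for alice from 198.51.100.7 port 40031 ssh2
Jan 29 12:45:30 box cron[4300]: (root) CMD (run-parts /etc/cron.hourly)'

# Demonstration: with a threshold of 3 only the scanner is reported.
printf '%s\n' "$SAMPLE_AUTHLOG" | ssh_scan_sources 3
```

The threshold is the part to tune: one or two failures from an address is a typo, dozens in a minute is a dictionary run, and the report is a reasonable input for a firewall block list or simply for deciding to turn off password authentication in sshd_config.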

  • Re:Indeed (Score:5, Insightful)

    by Anonymous Coward on Saturday January 29, 2005 @01:04PM (#11513929)
    Read the EULA for Windows.

    Microsoft isn't responsible for the security of windows either!
  • by ggvaidya ( 747058 ) on Saturday January 29, 2005 @01:05PM (#11513936) Homepage Journal
    Everybody does that: even Red Hat [redhat.com] (see point 7). IANAL, but basically what this means is that if Windows (or Red Hat) screws up your comp, you can't hold Microsoft or Red Hat accountable. Why? Because as any geek knows, there's about a thousand things which can cause a computer screw-up, from script kiddies to accidentally hitting the 'del' button, and they don't think they should be responsible, which is a perfectly reasonable position to take IMHO.

    What the guy is saying is that if Windows turns out to have a problem, you can rely on Microsoft to provide updates. You *can't* legally rely on Linus Torvalds or any of the other developers to provide a solution to the problem. However, if you have an agreement with Red Hat, you can rely on them in the same way, AFAIK.

    Shit, that's a lot of acronyms for one post :|.
  • by CharonX ( 522492 ) on Saturday January 29, 2005 @01:06PM (#11513948) Journal
    Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
    Er... and who is accountable for the Security for Windows?
    Microsoft?
    Internet-swiss-cheese-security-Explorer Microsoft?
    And will Microsoft take responsibility for their security holes? Will they pay for the damages caused by crashes and exploits for their buggy software?
    Maybe if they get their software quality up to a reasonable level they can START asking questions, but as long as they are as bad as now, they better keep their mouths shut, or they'll have to stuff their own feet in them.
  • Re:Indeed (Score:5, Insightful)

    by timeOday ( 582209 ) on Saturday January 29, 2005 @01:07PM (#11513951)
    Accountability is a complete red herring in the first place. Microsoft explicitly disclaims any liability for whatever may go wrong with Windows. Just like everybody else - but then MS has the gall to slam others for lack of accountability!?

    They can make accountability an issue right after they start taking the blame for virii and worms, and reimburse business for all the expense and inconvenience Windows holes cause.

  • Re:Ho-hum (Score:2, Insightful)

    by steve_stern ( 686745 ) on Saturday January 29, 2005 @01:09PM (#11513970) Homepage
    So I figured I'd do the decent thing and do the security updates. ... Eight hours later, I cleaned off the last of the spyware, adware, malware horseshit.

    And if you didn't boot into Linux for many months resulting in lots of unpatched security holes, and there were a ton of people trying to attack Linux boxes because Linux controlled 95% of the market, you'd have the same experience there.

    What's your point?

    A security hole is a security hole is a security hole. Windows and Linux both have them. The fact that more people target Windows does not make it less secure.

  • by Anonymous Coward on Saturday January 29, 2005 @01:10PM (#11513973)
    "... There are more skilled developers writing for the Microsoft platform than for open source...."

    Microsoft can and does employ very sharp and talented people. But with some of the constraints the Microsoft business model imposes on them, how much talent reaches the end user?

    I just have to wonder if design decisions in the Windows architecture such as remote procedure calls, user land applications in kernel space, legacy compatibility and embedding code into e-mail and http clients were decisions that were made by young, talented people who didn't foresee how hostile of an environment the WWW would become.
  • by Anonymous Coward on Saturday January 29, 2005 @01:11PM (#11513981)
    I don't think script kiddies use the Microsoft SDK. They rather use "third party" rootkits and such.

    And no, Linux wouldn't prove less secure with more applications due to better IDE, RAD, SDK... you name it. It doesn't have such flaws in security like ActiveX without sandbox, office suites requiring admin privileges and flawed DCOM.

    Besides, you always have SELinux...
  • by Black Parrot ( 19622 ) on Saturday January 29, 2005 @01:15PM (#11513997)


    > I'm starting to get really annoyed with Open Source people patting themselves on the back over security when stuff like that last thing where the people tried to get someone responsible for Linux kernel development to accept a security related patch, and ended up having to get an article on Slashdot before it happened.

    Hey - maybe if Slashdot carried an article about Windows security problems now and then, they would get fixed too!

  • Lack of what? (Score:5, Insightful)

    by kidlinux ( 2550 ) <<duke> <at> <spacebox.net>> on Saturday January 29, 2005 @01:15PM (#11514004) Homepage
    This "lack of accountability" argument is bullshit. Why does Microsoft have an EULA for its software? To cover their asses so they can't be held accountable for damages caused by their shitty software. When was the last time Microsoft was taken to court over losses due to poor software? If they could be held accountable, they'd get sued right out of business!
  • by NamShubCMX ( 595740 ) on Saturday January 29, 2005 @01:21PM (#11514042)
    Please elaborate HOW they are superior, because I always found them to be quite equivalent...

    I'm actually serious, you were moderated informative but I am really wondering where the superiority of the MS tools comes from..?

  • by raddan ( 519638 ) on Saturday January 29, 2005 @01:28PM (#11514078)

    Aside from the fact that there are no references to back up any of the claims that this McGrath fellow is making (I'd even settle for a research firm that was paid-off by Microsoft!), the 'author' of this article wrote a grand total of FIVE sentences. All five of those sentences paraphrase something else that McGrath says. The rest of the article simply quotes McGrath straight.

    There's no discussion of the points, no consideration of other factors, and as far as I can tell, no fact-checking. There is simply no journalism happening here. I know I can simply move on, but it irritates me to know that some CIO out there (probably mine) will take this all in without a second-thought.

    The shortcomings of the Windows OS are OBVIOUS to anyone who has to admin these systems in a real production environment, and even more apparent to those of us who have the pleasure of also running other [openbsd.org] systems [apple.com]. Just imagine what Windows might be like if they spent half of their propaganda budget on fixing the freaking software.

  • by Pete ( 2228 ) on Saturday January 29, 2005 @01:32PM (#11514096)

    I'm presuming this is some sort of weird troll, moderated "informative" for some odd reason (seriously moderator, "informative"? What derf?)

    Seriously, if you think the Microsoft development tools are far superior to anything [kde.org] else [borland.com] in [eclipse.org] the [activestate.com] world [macromedia.com], then I can only presume you've never used anything else in the world :).

  • Re:Indeed (Score:1, Insightful)

    by cillasri ( 844440 ) on Saturday January 29, 2005 @01:40PM (#11514152)
    And who is accountable for the security of the Windows kernel?

    Will Microsoft be held accountable for all the flaws in Windows, for all the viruses, spam, spyware? Let me guess...
  • by Linker3000 ( 626634 ) on Saturday January 29, 2005 @01:47PM (#11514194) Journal
    Fair point - in which case as the IT manager for over 26 networked and interconnected offices **I** am responsible for security - for all our boxes regardless of whether they run Windows or Linux (we have 26 Windows servers and 4 Linux servers in our empire).

    Microsoft's products are just tools we use to run the business and if the tool's broken it is *MY* job to ensure we get it fixed - 'getting it fixed' in this case might be to refer to the manufacturer (ie: M$) to see whether they have fixed it and if not, perhaps look for an alternative tool that will do the job. Microsoft should take care to note the latter option.
  • by Anonymous Coward on Saturday January 29, 2005 @01:51PM (#11514220)
    Fact: Much of what winders suffers from is incompetent users.

    NO! This is fiction. Let's look at the history:
    1. Blaster - all you have to do is hook up an unfirewalled system to the Internet and you got it. Up until recently, all Windows systems were unprotected until patches were downloaded from the 'net which required... you guessed it! connection to the Internet.
    2. SQLslammer - all you have to do is have SQLserver running on your machine and connected unfirewalled to the Internet. The biggest problem is that many people who didn't use SQLserver thought they were safe. Wrong! By default, Microsoft installed and started SQLserver whether it was needed or not by the end user. I saw many SBS users compromised by this who were mystified - "But we don't even use SQLserver! How did we get infected?"
    3. Outlook viruses - many of them did not require you to even read the damned e-mail with a virus; just preview it!
    4. Vulnerabilities in viewer - all you had to do was browse to a web-site and view a specially malformed picture and you get infected.
    5. Vulnerabilities in IE - many of the vulnerabilities in IE do not require any user action. Just browse to a specially crafted web-site and you get infected automatically!

    Now, I expect lots of flaming on this; use a firewall, don't enable ActiveX, etc, etc. But, damnit, this lead was about responsibility! and the fact is, that until recently, Windows shipped with all the holes needed to infect a machine automatically enabled/open/vulnerable. No one seems to think that Microsoft is responsible for this. No, instead, it is all the stupid users' fault for taking a system that Microsoft bills as "Internet ready" and connecting it to the Internet! As the above examples illustrate, it doesn't take any user action to corrupt a Windows machine; just one that trusts Microsoft!
  • by Stevyn ( 691306 ) on Saturday January 29, 2005 @01:59PM (#11514279)
    If you want to compare GWB to Microsoft, fine. But this implies John Kerry is then on the same side as Linux.
  • by StormReaver ( 59959 ) on Saturday January 29, 2005 @02:10PM (#11514350)
    "Much of what winders suffers from is incompetent users."

    That's only partly true. The vast majority of the problem with Windows is that it demands that its users do stupid things, and frequently does stupid things automatically on the user's behalf -- usually without giving any indication that it's doing those stupid things.

    Writing malware for Linux is no different from writing malware for Windows, except for one crucial detail: Windows will automatically install and run the malware, while Linux requires its users to go through multiple manual steps to run malware and will still protect users from a system meltdown even when that malware is finally installed and run (provided the user isn't running as root, but running non-root is the default Linux behavior).

    Linux requires users, even the incompetent users, to explicitly authorize software to run. Windows just assumes it has that authorization, even when its so-called protections are supposed to prevent that.

    Linux is great protection for the incompetent users, because those users are probably not bright enough to allow malware to be installed even if the malware presents step-by-step instructions.
  • by Anonymous Coward on Saturday January 29, 2005 @02:18PM (#11514401)
    even if it didn't do the same search replacing sendmail with the following and compare the counts:

    sendmail counts: 54,800

    windows counts: 193,000

    now we know that windows hasn't been around nearly as long as sendmail, and yet it has nearly FOUR times the buffer overflow matches.

    now let's do -

    Internet Explorer: 349,000

    Outlook Express: 57,700

    Outlook Express has been in use for under 8 years and has 300 more matches for buffer overflow than sendmail.

    according to your logic for deducing how secure something is, I'd still pick sendmail over anything microsoft makes.
  • Re:Really? (Score:2, Insightful)

    by elhaf ( 755704 ) on Saturday January 29, 2005 @02:22PM (#11514418) Homepage
    To be honest, what's really great is MS with Whole Tomato [wholetomato.com] on top. See that website for some of the greatest features ever. It's like crack; when I have to develop without these features, like autocomplete, I feel crippled. Whenever you type something like Obj obj = getObj(); and then obj. on the next line, it then pops up a list of valid functions on the Obj class. Of course, you can just keep typing, and it will let you, but as you type it narrows the list to those that match (or if you misspell, none match). If you just hit enter it takes the current match and spells it out. It gives you the ease of typing short names while actually using longer, more descriptive names for functions without burdening the programmer. Also, if you type something like obj.fun( it will then list the parameters in a tooltip for that function. A click will give you all the variant signatures of that function, if any. Then, of course, the MS part of the whole thing is just robust and clean. After 20 years, they've gotten most things right by now.
  • by einhverfr ( 238914 ) <chris.travers@g m a i l.com> on Saturday January 29, 2005 @02:27PM (#11514455) Homepage Journal
    A lot of things have changed since 2001, yes? It's 2005 now, correct? Qmail is in the process of overtaking Sendmail, and for good reason.

    Sendmail is still the standard-bearing monster that everyone loves to hate. Mostly, I think because of the fact that everyone *knows* it. Even two years ago, it was still required on many Linux job apps.

    Secondly, never underestimate the number of legacy systems out there. I have sendmail running on at least two of my legacy systems. Of course they only function as an MTA and don't actually listen on any exposed address.... Of course qmail is on my production systems.

    Here is the issue. Open source or proprietary software re: security? Security is a matter of design rather than something revealed by a simple litmus test. Open source and proprietary software can be secure or insecure. But the way we find this is by discussing the structure of the program and determining whether it is resistant to attack and fails gracefully without exposing the rest of the system. This is easier with open source software.

    Oh, and anyone who trusts whatever Microsoft has to say re: security is going to get what is coming to them.
  • by Doctor Crumb ( 737936 ) on Saturday January 29, 2005 @02:30PM (#11514473) Homepage
    There's also exim. I'm amazed that anyone would bring up sendmail considering the shitheap that is Exchange. Which, incidentally, there are no alternatives for. And microsoft is somehow trying to pass that off as a feature, now. "but linux has so many *choices*! It can't be ready for the enterprise!"
  • by slavemowgli ( 585321 ) on Saturday January 29, 2005 @02:38PM (#11514518) Homepage
    Yes, one. What does sendmail have to do with linux?
  • by Doc Ruby ( 173196 ) on Saturday January 29, 2005 @02:50PM (#11514600) Homepage Journal
    Because the way they do it at MS, they're raking in about $40B:y. Good security would cost them more money than just talking about it. They're smart enough to know how to turn insecurity into a marketing triumph, without paying the cost.
  • Missed the point (Score:3, Insightful)

    by A nonymous Coward ( 7548 ) * on Saturday January 29, 2005 @02:55PM (#11514630)
    It doesn't matter what the state of UNIX IDEs was in 1989. The point is they released shoddy code which they must have known was shoddy. Whether IDE or not, it was shoddy, the developers themselves surely must have been using it all the time every day, they could not have avoided noticing it was shoddy, and they released it anyway.

    As for you having inserted skeleton code without problems, that also is not the point. No doubt you have had some kind of training on it. I had to jump into it and use it the best I could. It is supposed to be intuitive, is it not? It wasn't. Clicking the X is supposed to close the window, right? Should not the IDE have known that it had closed its own window?

    I found three repeatable bugs within half an hour of just stumbling around trying to figure out how it worked for some little pissant project. Are their QA people so jaded they can't find these problems? Are their development teams so rigid in their practices that they never stumbled across these bugs themselves?

    If the development teams can't be bothered to fix their own dog food, either they eat something else, or they have extreme tolerance for crap. It does not bode well for their work on projects they don't use as much, which is just about everything else.

    It all speaks of shoddy practices from one end to the other. That's the point.
  • by yamla ( 136560 ) <chris@@@hypocrite...org> on Saturday January 29, 2005 @02:59PM (#11514655)
    I'm not sure that's what he meant. Because, after all, there are multiple development environments for Windows as well. Borland, Microsoft, heck you can even get emacs, kdevelop, etc. running in Windows.

    I agree with you that multiple options for development environments are good, I'm just not sure that's what he was implying.
  • by Saeed al-Sahaf ( 665390 ) on Saturday January 29, 2005 @02:59PM (#11514658) Homepage
    No, I don't think so. I think they are very much like a cult and at high levels have deluded themselves into thinking that these issues don't really exist if they don't talk about them. I think at lower levels, there are probably many who do want to talk about it, but like their jobs more.
  • Your point.... (Score:3, Insightful)

    by King_TJ ( 85913 ) on Saturday January 29, 2005 @03:00PM (#11514663) Journal
    Your point still stands, yes - but I think it's sort of off-topic from the intent of Microsoft's original statements.

    They were primarily trying to make claims about the lack of security in Linux based on missing components, plus a lack of accountability for bug fixes.

    You're addressing an issue of availability of software applications for both platforms.

    I do agree with you though. Linux is still pretty much an OS that's best used by application developers or as a server platform of some sort. The attempts to "hammer it into shape" as a general-use desktop environment are still "half-baked", and that's largely due to a lack of variety of applications to run on it.

    After all, you can have the most elegant, powerful operating system on the planet - but if nobody writes apps to run on it, what good is it?

    People can (and in the case of Windows, certainly DO) put up with a lot of problems and deficiencies in an OS as long as it allows them to use the software apps they want/need to run. Linux is sorely lacking in the games dept., the music editing/creation dept., and in some aspects of graphics design and editing. It also comes up a little short for people needing to do accounting work. (Peachtree for Linux? Quickbooks for Linux? DAC Easy Accounting for Linux, even? Perhaps a version of M.Y.O.B. for Linux? Nope.... none of 'em. And accountants like standardization. Even if you write a cool new accounting package for Linux - you better at least support imports/exports to some of these Windows packages or it won't gain much traction.)
  • by DannyO152 ( 544940 ) on Saturday January 29, 2005 @03:05PM (#11514698)

    Most folks have the take that Microsoft McGrath is throwing bricks from the glass house. But let me take a different view. Does Red Hat take responsibility? And the answer is, yes, or else. Because since you can get a Linux kernel from many sources any distributor that behaves irresponsibly (or insensitively) will lose the business end of their business, and, poof, they're gone. And this concept extends beyond the kernel to other aspects of doing business.

    A few of us (call me a semi-pro minus or hobbyist plus) left the RedHat tent with the way they handled the transition from 9.0 -> Fedora, and, in retrospect, I'm happier and it seems from the financial results that RedHat is happier.

    Now McGrath's comments are not meant to be part of a serious debate about how us users may get the most safe, seamless, fuss-free, and satisfactory experience with the kit we own, but are the equivalent to the flip side of preaching to the choir, which I suggest is reminding the congregation of damnation should they even think of leaving the church. Remember the Flintstones, how much of the "technology" was powered by a purposed, humiliated animal who would look up and say to the audience, "It's a living." I suppose it is.

  • Re:Indeed (Score:3, Insightful)

    by cowbutt ( 21077 ) on Saturday January 29, 2005 @03:07PM (#11514707) Journal
    I think you'll find that's exactly the point the OP (tdemark) was making.

    Red Hat takes responsibility for their distro in the same way Evian takes responsibility for the safety of the water they sell. But neither take responsibility for all instances of the raw materials they package and sell.

  • by analog_line ( 465182 ) on Saturday January 29, 2005 @03:07PM (#11514713)
    'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.'

    And who, pray tell, is accountable for the thousands of holes that have left Windows users open to viruses, trojans, and other malicious uses of their hardware? Billions of dollars in money thrown into the toilet fixing the results of nonexistent to pathetic security in Windows, with an EULA that specifically absolves Microsoft of all blame if anything goes wrong using their software, and they have the gall to claim that they are accountable for Windows?

    Should I be submitting my bills to Microsoft instead of my clients when their poorly designed, poorly implemented software causes them to need my services for hours on end, making them unable to do work, let alone pay my fees?
  • Re:Indeed (Score:5, Insightful)

    by theCoder ( 23772 ) on Saturday January 29, 2005 @03:09PM (#11514722) Homepage Journal
    Actually, it was a great analogy. Just as Evian doesn't take responsibility for drinking water as a whole, but just its bottled water product, Red Hat doesn't take responsibility for the Linux kernel downloaded from kernel.org or other places, but does for its particular version of the kernel (and the other software it includes).

    At least as much as Microsoft does for Windows, anyway.
  • by The_Spud ( 632894 ) on Saturday January 29, 2005 @03:19PM (#11514793)
    The linux installers still have major issues. It's total head in the sand stuff to claim that installing linux is as easy as windows. The main distros I've used are mandrake, redhat and fedora and the installers have all caused problems with partition tables. In particular FC2 had that great bug which fucked the partition table geometry and made other OS's installed unbootable. FC3 installer has a bug which causes the installer to fail if you have used disk management tools such as Norton Ghost or Drive image.

    I use linux for work every day and it really annoys me when I have to read the same crap on slashdot about how linux is better in all ways compared to windows. If we don't acknowledge the many problems that exist with linux how are they ever going to be fixed?

    Like using an ATI graphics card for 3D acceleration. On windows click - click-restart done.

    Linux : Linux download latest version of drivers
    install rpm
    Switch to run level 3
    run configuration prog.
    Manually edit X config files because they forked the fucker and your distro now uses xorg and the config files aren't compatible. Restart X
    CRASH!
    Wait 3 months for ATI to fix the bloody drivers.

    When they can make installing your graphics drivers as simple as on windows we are getting somewhere.
  • Re:Indeed (Score:3, Insightful)

    by John Allsup ( 987 ) <<ten.euqsilahc> <ta> <todhsals>> on Saturday January 29, 2005 @03:35PM (#11514900) Homepage Journal
    Red Hat are responsible for the Linux kernels that they distribute and no others. The Microsoft person argues that since there is no one body that takes responsibility for all Linux kernels, then there is nobody that takes responsibility for Linux and thus itself is unreliable. This is a strawman argument: the supplier of your Linux distro takes responsibility and you should use a distro from a supplier that you trust. The supplier will take responsibility for this distro that you buy from them, but obviously not for any other distro that you may obtain by other means. Microsoft tries to assert that no such suppliers exist.

    Also, only Microsoft takes responsibility for security on Windows, and clearly they shirk those responsibilities and are untrustworthy when it comes to security. Thus nobody worth trusting takes responsibility for windows.
  • Re:Indeed (Score:5, Insightful)

    by brianosaurus ( 48471 ) on Saturday January 29, 2005 @03:54PM (#11515009) Homepage
    Even more basic,

    accountability != security

    When one of those 60,000 viruses, etc, attacks your Windows box, you know exactly who is accountable for the security hole: Microsoft.

    But what good has that done any of us? I still see the worms trying to infect my system daily (fortunately I run Apache on FreeBSD, not IIS on Windows). When I visit my relatives with Windows boxes, I have to clean up hundreds of pieces of spyware and adware. Knowing who to point your finger at doesn't stop the thousands (or whatever) of compromised machines from constantly spamming us.

    Not to mention M$'s latest announcements limiting security updates to only non-pirated copies. That's a tough call. On the one hand, the pirates get what they deserve; they didn't buy the product, so they are not entitled to support. That's fine.

    The problem is that it's not just the pirates who are penalized. Having thousands of unpatched Windows machines is bad for everyone. The worms and viruses don't care if it's a legal copy or not. They'll infect and add the pirate machines into the spam-cluster. Who is accountable for those, now that MS has washed that one off their hands? I still say Microsoft.
  • Re:Indeed (Score:5, Insightful)

    by Master of Transhuman ( 597628 ) on Saturday January 29, 2005 @04:00PM (#11515035) Homepage

    This reminds me of the guy in the Bush administration that said something to the effect that "reality-based people" don't have any effect in the "real" world - just all those "faith-based people" in the administration.

    Which is actually true. Even Seymour Hersh said it on the Daily Show interview I just watched a few minutes ago - that regardless of what he writes, or the NYT writes or anybody else - the administration is going to do whatever they want - including invading Iran and getting hundreds of thousands more people killed.

    And that's true about Microsoft and anything Microsoft says - it's all going to be total bullshit and deliberate lies and that's the caliber of the people working there - but they're going to do it anyway.

    Time to ignore them and just get on with it. As Abbie Hoffman once said, "Do Your Own Thing and Only Your Own Thing".

    Or as William Burroughs said, "Never let the critic teach you the cloth" (as they say in bullfighting).

  • Comment removed (Score:2, Insightful)

    by account_deleted ( 4530225 ) on Saturday January 29, 2005 @04:29PM (#11515161)
    Comment removed based on user account deletion
  • by Srin Tuar ( 147269 ) <zeroday26@yahoo.com> on Saturday January 29, 2005 @04:41PM (#11515235)

    1. Accountability means you can point your finger at me and I'll say "yep, my bad."


    With Free software you can actually find out which individual programmer created the security problem in question. (He doesn't have to admit or deny it, because it's all a matter of public record)

    With Microsoft you have a big faceless corporation.

    Tell me again, even by your stretched definition, how can anyone think Microsoft has better "Accountability" ?
  • by mnmn ( 145599 ) on Saturday January 29, 2005 @04:44PM (#11515255) Homepage
    I entered the address of a website, it wasn't a particularly nasty site, just something resulting from a google search.

    And it automatically installed a spyware application. No YES/NO dialogues just installed it. After that I saw attempts at outbound port 6667 to various external servers.

    Now I do manage servers that hold financial data, and servers with ERP software that run the company.

    I ask you, Microsoft, can you be held accountable if our company melts down should malicious spyware enter the system with their authors intending to corrupt our backups and bring everything down?

    Will you pay us the millions that we lose as we lose our customers?

    Will you as a result of such a catastrophe give us an OS that does NOT allow such breaches of security?

    I understand IE in Windows 2003 is more secured, and we should never browse for anything on the server itself... etc. However Windows2003 has not matured enough to bring out the bugs while Windows2000 has issues even after SP4, and after Microsoft will cease to provide bugfixes for it.

    We replaced our firewall with OpenBSD. We simply cannot find a reason to upgrade it from the 3.4 version, since the older version is so secure. Hell yeah we've had attacks of all kinds, to almost all ports, syn cookies even ddos type attacks that slowed the Internet connection, but we're still up, and without ever having an issue for over two years of OpenBSD operation.

    Coming back to Linux, which is also a UNIX clone, and which has more eyeballs on it, and more companies taking responsibility for it, tell me, should I pay for a crappy OS with someone behind it you can point fingers to, or a nice OS with no person behind it simply because you'll never have to point fingers?
  • by BillyBlaze ( 746775 ) <tomfelker@gmail.com> on Saturday January 29, 2005 @04:57PM (#11515348)
    You seem to imply that GCC's C++ exceptions don't actually work, that we have to resort to setjmp()/longjmp(), that templates don't work, that GCC's STL strings aren't copy-on-write, etc. All of these implications are, to put it bluntly, false. (If you didn't mean this, no offense, but you did imply it.)

    And yes, C# is (a) pretty cool, and (b) different from C++. That's why we have Mono :-). As for debugging, I don't do that much (usually stack traces are enough), and my "IDE" is kwrite and a command line, but KDevelop, Eclipse, and many others do indeed have integrated debugging - if it craps out, file a bug report, don't just bitch on Slashdot.

  • Fair enough. (Score:3, Insightful)

    by abulafia ( 7826 ) on Saturday January 29, 2005 @05:25PM (#11515537)
    I looked over that website, and most of it falls in the category of "that would bug the crap out of me". I see how it could be useful. I just don't develop that way. Interactive popups distract me from what I was trying to do.

    With vim, I have tab expansion for method calls, but only when I want it - not some distracting thing that tries to second guess me. I have syntax highlighting, brace balancing, way better keyboard navigation (at the cost of being warped into the vi world, but that was done to me years ago). Method variants are a function of tab expansion. Pop up crap would distract me from what I'm doing. And arcane as it may be, s/(.*)re?gex$/somethingelse($1)/g is extremely powerful. My fingers just work that way, and I'm only 32. Don't get me started on the cool things one can do with ex commands. (God, did I just say I'm *only* 32?)

    I suspect this is an old-school-new-school thing. I don't like IM, either - email me or go away. If I don't know how the object is called, I need to read the public declaration, or I have no business writing code against that interface. If assisted coding actually didn't become a distraction, and actually inferred intent, I might take the time to learn it. But now I'm just being grouchy. Thanks for the explanation of what you like. I know I'm a little bit purist; I didn't use the syntax highlighting for quite a while, because it (a) didn't work in edge cases well, and (b) well, can't you indent properly? What's the problem?

    Maybe developing that way is faster, but I do think I understand, and can troubleshoot, things better with my coding suite and style. So I'm still not swayed.

    And I'll hit you with my cane, whippersnapper, if you bug me while I'm feeding the ducks.

  • responsibility (Score:4, Insightful)

    by belmolis ( 702863 ) <billposer.alum@mit@edu> on Saturday January 29, 2005 @05:33PM (#11515598) Homepage

    If Microsoft is so concerned about responsibility for security flaws, why is it that they don't offer indemnification for users hurt by their software?

  • by The_Spud ( 632894 ) on Saturday January 29, 2005 @06:35PM (#11515989)
    I'm not denying that for many people it goes smoothly but it's still a really common experience to have hardware, e.g. wireless cards, not work. Also you haven't commented on the problem I highlighted that installing graphics drivers is a complete pain in the arse even if it works as intended. When I had an NVIDIA card, and their linux drivers are much better than ATI's, it still involved much command line use to get the drivers installed. If you upgraded the kernel then you had to compile a new kernel module. There are many things which are better about linux, the windows command line is woeful, really poor, but there are a good deal more things which are better on windows.

    The installer issues I mentioned are software based and affect you no matter which brand of HD you use. Having a bug in a final release which renders most of the software on your multi boot system useless is incredibly poor and if the evil empire had done this we would all be laying into them and rightly so. I have to say that criticising MS for problems with their software but then completely ignoring the huge problems that exist with much open source stuff seems hypocritical and counter productive. How can OS software ever compete with proprietary if we all pretend there are no problems. "It worked fine on my computer" isn't going to cut it if you want linux to become mainstream.
  • Re:Indeed (Score:3, Insightful)

    by Fembot ( 442827 ) on Saturday January 29, 2005 @06:41PM (#11516024)
    I guess their idea of accountable is "who ignores emails about bugs you send them for months upon end?" in which case I can do a pretty good job filling that role for any software projects that need it :-)
  • Re:NSFW (Score:3, Insightful)

    by Tenareth ( 17013 ) on Saturday January 29, 2005 @09:28PM (#11517005) Homepage
    So, you clicked a link called Free Boobies, explicitly on the .nl domain where porn is looked at differently (so safesearch works differently) and you expected it to be safe?

  • by imroy ( 755 ) <imroykun@gmail.com> on Saturday January 29, 2005 @11:03PM (#11517459) Homepage Journal

    Look it's very simple for the Linux kernel. In the base of the kernel directory (usually at /usr/src/linux) there are three files. The CREDITS file lists almost every person who has contributed to the Linux kernel. It contains names, email addresses, a description of their contribution, and even street addresses in some cases. There's also MAINTAINERS which lists in the same format the people responsible for the various sections of the kernel. At the beginning of the file there's even a long description of how to get your patches into the kernel. Lastly, there is the REPORTING-BUGS file. It contains instructions on how to report bugs to the LKML (Linux kernel mailing list, in case you didn't know).

    Is that not enough for you? Or do you really think the real solution is a single email address that will be spammed to hell and have newbies asking for help getting their nVidia graphics card working with Fedora?

  • by einhverfr ( 238914 ) <chris.travers@g m a i l.com> on Sunday January 30, 2005 @12:42AM (#11517809) Homepage Journal
    Do you have any facts to support your assertion that IIS6 is in any way less stable/secure because of its kernel-mode component?

    When I look at the relative security of a software package, the questions I ask (going back to design) are:

    1) How exposed is this to attack? How necessary is that exposure?

    2) If it is compromised, how deep is the compromise?

    Now, the inclusion of http.sys affects question 2 in the following way:

    If a compromise occurs in http.sys (which is directly exposed to the network), then the exposure level is deeper than any usermode program running as any user. I.e. the fact that the exploit occurs in the kernel (ring 0) means that the system is fundamentally compromised in a way that it would not be if it were in usermode (ring 1 or 4 usually depending on the processor architecture).

    There have been no exploits to date in either http.sys or TUX but that does not mean that they are secure by design. More likely, they have not been directly targeted yet due to people sensibly not running them.
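    The "depth of compromise" question above can be shown concretely. The following is an added example, not code from the thread or from any of the projects named in it: a supervisor process hands each piece of untrusted input to a worker that has dropped root and runs in its own address space. If the worker hits a memory-safety bug (simulated here by a deliberate SIGSEGV on a constructed "hostile" input), the fault stays inside the process boundary the kernel enforces and the supervisor carries on. Code running in kernel mode has no such boundary, which is the point being made about http.sys. The uid/gid 65534 ("nobody" on many systems) and the two handlers are assumptions made for this example.

```c
/* Added example: containing a fault in an unprivileged worker process.
 * Not from the Slashdot thread; the uid/gid and handlers are constructed. */
#define _GNU_SOURCE
#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID 65534   /* assumption: "nobody" on many Unix systems */
#define UNPRIV_GID 65534

/* Drop root if we have it. Returns 0 when the process is unprivileged
 * afterwards and the drop cannot be undone, -1 otherwise. */
static int drop_privileges(void) {
    if (getuid() != 0)
        return 0;                      /* already unprivileged */
    if (setgroups(0, NULL) != 0)       /* clear supplementary groups first */
        return -1;
    if (setgid(UNPRIV_GID) != 0)
        return -1;
    if (setuid(UNPRIV_UID) != 0)
        return -1;
    if (setuid(0) == 0)                /* must fail: drop is irreversible */
        return -1;
    return 0;
}

typedef int (*handler_fn)(const char *input);

typedef enum {
    RUN_OK,              /* handler returned 0 */
    RUN_HANDLER_ERROR,   /* handler returned non-zero, or privilege drop failed */
    RUN_CHILD_CRASHED,   /* worker was killed by a signal; supervisor survived */
    RUN_FORK_FAILED
} run_status;

/* Run handler(input) in a forked, unprivileged child and report what
 * happened to it. Whatever the child does, the supervisor keeps running. */
static run_status run_isolated(handler_fn handler, const char *input) {
    pid_t pid = fork();
    if (pid < 0)
        return RUN_FORK_FAILED;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(2);
        _exit(handler(input) == 0 ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return RUN_FORK_FAILED;
    if (WIFSIGNALED(status))
        return RUN_CHILD_CRASHED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return RUN_OK;
    return RUN_HANDLER_ERROR;
}

/* Constructed handlers for the demonstration. */
static int good_handler(const char *input) {
    return strlen(input) > 0 ? 0 : -1;
}

/* Stands in for a parser with a memory-safety bug: on a particular
 * input it faults. Simulated with SIGSEGV so the result is deterministic. */
static int buggy_handler(const char *input) {
    if (strcmp(input, "hostile") == 0)
        raise(SIGSEGV);
    return 0;
}

int main(void) {
    static const char *names[] = { "ok", "handler error", "child crashed", "fork failed" };
    printf("good/hello:    %s\n", names[run_isolated(good_handler, "hello")]);
    printf("buggy/benign:  %s\n", names[run_isolated(buggy_handler, "benign")]);
    printf("buggy/hostile: %s\n", names[run_isolated(buggy_handler, "hostile")]);
    printf("supervisor still running as uid %d\n", (int)getuid());
    return 0;
}
```

    Run as an unprivileged user the privilege drop is a no-op and only the process boundary is demonstrated; run as root the worker additionally gives up uid 0 before it touches the input, so even a full takeover of the worker yields an unprivileged process rather than the machine.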
