Microsoft Claims Linux Security a Myth

black hole sun writes "Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.' The gist of his argument appears to be his claim of lack of accountability among distributors, coupled with generic statements short on facts. 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.' He goes on to say that 'Linux is not ready for mission-critical computing. There are fundamental things missing,' pointing out the lack of a development environment and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program." I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.
  • by Anonymous Coward on Saturday January 29, 2005 @12:36PM (#11513697)
    If he was wrong, why would Red Hat et al sell service contracts and make money off of them? They accept that money in return for accountability, responsibility, and SLAs - all of which a major corporation will demand and which are not present in the pure open source model.

    So, he's right, but he's also wrong in that Red Hat is not responsible for Linux kernel security, but they are responsible for getting patches out for issues discovered.
  • by michelcultivo ( 524114 ) on Saturday January 29, 2005 @12:37PM (#11513705) Journal
    From Bruce Schneier [schneier.com] "Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that a unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) have an online mean life expectancy of 3 months before being successfully compromised." I think the term is not "more secure" but "less vulnerable".
  • Excellent marketing (Score:5, Interesting)

    by vijayiyer ( 728590 ) on Saturday January 29, 2005 @12:39PM (#11513716)
    This is another example of Microsoft's marketing prowess. They know that IT managers want to hear about vendor accountability, single source solutions, etc. Those who still are using only Windows are probably not technically competent enough to see through the FUD. The truth is irrelevant here.
  • by bennomatic ( 691188 ) on Saturday January 29, 2005 @12:44PM (#11513758) Homepage
    Microsoft isn't a software company. They're a marketing company. They do what it takes to sell whatever they've got. I used to say that MS could pipe all their employee toilets into a packaging facility and sell Microsoft Excrement at a profit. With their marketing muscle, they could find an audience for just about any product.

    Unfortunately, part of marketing, especially when your product is getting negative publicity, is pointing out perceived flaws in competing products. I believe the term often used is FUD, and it's nothing new or unique to MS. Heck, it's pretty much how GWB won a second term.

    When it comes to this sort of thing, they have a wide latitude of opinions they can express, especially when there is no Linux, Inc. to sue them for slander. The Linux community, however, has been quite good at spreading the word about MS badness; they're just trying to do the reverse because their feelings are hurt.

  • Re:Single sign-on (Score:1, Interesting)

    by Anonymous Coward on Saturday January 29, 2005 @12:46PM (#11513777)
    Of course ADS is pretty much LDAP at its core, and PAM can be configured to use ADS for authentication via winbind (Samba).

    So the real irony here is that Microsoft's own technologies, which apparently Linux doesn't support, are built on top of open standards. Many of which originated as Open Source software!

    It's a good job reality isn't aware of this fundamental dichotomy in the universe or we could all be in deep trouble.
  • by Noksagt ( 69097 ) on Saturday January 29, 2005 @12:52PM (#11513828) Homepage
    Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft
    What does this mean? Sure, there is Anjuta, KDevelop, Eclipse, GNU/X-Emacs, etc. But there are a ton of development environments on windows too. Is this supposed to be the age-old KDE/gnome debate?

    If so, isn't a huge advantage of using ANY *nix in production that you don't have to have the overhead of running a graphical desktop environment if you don't need to?
  • The question is (Score:3, Interesting)

    by rikkards ( 98006 ) on Saturday January 29, 2005 @12:54PM (#11513853) Journal
    how insecure would Windows be if you were able to remove IE and Outlook from the picture?
    If Firefox becomes the great white hope for secure browsing on the Internet and the other one where it incorporates calendaring into Thunderbird has as much success as Firefox is getting (can't remember the name for the life of me), could this in itself slow Linux adoption? Windows has improved stability-wise over the last couple of years by leaps and bounds and supposedly they are looking at making it more secure (but I am not holding my breath too much).

    Just a thought.
  • by nlinecomputers ( 602059 ) on Saturday January 29, 2005 @12:58PM (#11513886)
    You can protect the stupid people from the world if you want, but you can't protect them from themselves.


    Rather the reverse I would say. You can't protect stupid people from the world. Too many of them to protect. One can only protect oneself from the stupid people. Which is why I install firewalls, AV programs and update patches. Depending on Microsoft to do it for you is just asking for someone to exploit you.
  • RE: IBM... (Score:1, Interesting)

    by Sabathius ( 566108 ) on Saturday January 29, 2005 @01:01PM (#11513910)
    "Linux is not ready for mission-critical computing" Don't tell IBM that. I believe they put Linux on their top-of-the-line Z series servers. Not ready, indeed.
  • by Coryoth ( 254751 ) on Saturday January 29, 2005 @01:06PM (#11513946) Homepage Journal
    I think the difference doesn't actually look good for Microsoft really. Yes they say

    "we're here and responsible for our stuff"

    but phrased a little differently, what they're really saying is that in all the world there's only one company that has sufficient faith in Microsoft OS software that they're willing to be responsible for it (and if you read the EULA they're not responsible anyway). In contrast Linux has many companies who are all sufficiently confident in Linux that they're willing to stand up and actually take responsibility for it. Why are they so confident? Because they know that even if a problem is found they can fix it themselves and provide that fix to their customers.

    Personally I'd be more willing to trust the system that has lots of companies wanting to step up and offer to be responsible. If I wanted accountability I'd pay one of those companies to be responsible for any issues, rather than Microsoft, standing alone, claiming they are responsible "sort of, in a way, maybe".

    Jedidiah.
  • by Jerf ( 17166 ) on Saturday January 29, 2005 @01:27PM (#11514069) Journal
    I'm not meaning to troll or to be 'flamebait' here, just to point out a disturbing trend I've noticed in biased story submissions.

    I tend to agree that there is a trend problem, though it isn't the mere presence of editorializing; that's always been there. It's the breathtaking inanity of the editorials of late, both from submitters and the editors. One good way of measuring the information value of a piece of information is the extent to which it is a surprise; I see a surprising editorial comment about once a week now (like "this wasn't really Microsoft's fault, you have to blame the user for giving his password out to a stranger"), the rest are total Slash-think that can and have had Perl scripts written to replace them. ("Go away, or I shall replace you with a very small shell script.")

    The only thing maintaining Slashdot's reputation is Slashdot's reputation, and that's a formula for a dangerous and sudden collapse. Were I economically dependent on Slashdot, that would concern me.

    But this particular editorial does have the virtue of being almost empirically true. Microsoft, as the current owner of the least secure software in common use, just isn't in a position to be criticizing others about security. Evidently, whatever things they are trumpeting about themselves must not be important, because they are clearly not being reflected in actual results. Something that, if provided, most IT managers will prefer even over the ever-popular empty platitudes, and most IT managers are hardly able to ignore the results of Microsoft security.
  • Re:Indeed (Score:3, Interesting)

    by johannesg ( 664142 ) on Saturday January 29, 2005 @01:36PM (#11514125)
    Here you go! [google.nl]

    Gee, kids these days...

  • by JGski ( 537049 ) on Saturday January 29, 2005 @01:47PM (#11514195) Journal
    Microsoft is using pretty much the same arguments that creationists use against evolution.

    As we all know, Open Source Software development is structurally similar to the scientific method and evolution in terms of how "new things" are created by these systems. Similarly, what Microsoft is claiming is that software can't be created well "at random" through emergent means (we know that's a crock) but needs "the Hand of an intelligent Creator" to control everything (Microsoft == God, apparently). Ergo: Microsoft is claiming that only "Creationist Software" is good software - "Evolutionary Software" is evil software.

    I think this could be a useful angle of attack against Microsoft FUD: they are advocating creationism and faith-based solutions to computer science.

  • by A nonymous Coward ( 7548 ) * on Saturday January 29, 2005 @01:54PM (#11514241)
    I am generally a UNIX programmer, but I have also used custom operating systems. Only twice have I had to use M$ tools. Both times I have found obnoxious stupidities that led me to the conclusion that M$ does not use their own tools in any reasonable fashion.

    Around 1989, I had to use whatever Visual Studio was called then. In the debugger, while stepping thru some C code, I accidentally stepped into strcmp or some other function for which the source code was not available. It dropped into assembler mode, quite fine, just a matter of stepping until it exited back to C code. Except it then displayed the C debug screen without first clearing the assembler debug screen. Lots of pieces left over, register displays, hex codes for instructions, etc. Almost unreadable. It gradually cleared itself up as I continued to use it.

    Around 2002, I had to use Visual Studio for some small project. You can click on an API and it automatically adds skeleton code to source files. It leaves those windows open, and I did not want so many windows open at once, so I tried to close them. Nothing under any menu I could see, but the X in the corner worked. Next time I used the skeleton code inserter, it complained that the file had been modified by an external program.

    Now I suppose I was doing things the non-M$ way. There is probably some perfectly normal way of getting rid of excess windows. Maybe I should have iconized them instead, but that clutters up the task bar. I found two other similar bugs within the first half hour of using the beast.

    These are the kind of bugs that anyone using the program would stumble across very quickly. How can the M$ developers take any pride in releasing such buggy code? How can they stand to even use such crap software? Is it so crappy that they don't use it themselves?

    I have no respect for M$ programming skills.
  • by elhaf ( 755704 ) on Saturday January 29, 2005 @02:10PM (#11514349) Homepage
    The post was not meant as a troll, only to answer the usual anti-MS ./ BS. Certainly they cost money, and free software has that clear advantage, duh. As a language guy, having written many compilers, I am quite impressed by the pragmatic design of the C# language. It is greatness. Also, I personally don't want to write another line of DB access code; the fact that these tasks are automated, integrated, and yet flexible is one of the strengths of MS tools. All the fancy dialogs and wizards simply generate code that actually works, unlike something like Rose, that has to be tweaked to death. Yet, that code can be modified for flexibility; it isn't just a black box. Also, in MS, exceptions actually work, and I don't have to go back to the 80's technology of setjmp/longjmp. Templates work, and have for nearly a decade, and they compile down in very cleverly optimal ways. Typed collections rock. Duplicate-on-write strings rock. Some folks even write templates in such a way as to get better, more optimal code than without them. The debugger is truly integrated and just works. I can traverse the most god-awful data structures live without it crapping out on me the way Mac/GNU tools do. etc.
  • Really? (Score:5, Interesting)

    by abulafia ( 7826 ) on Saturday January 29, 2005 @02:12PM (#11514364)
    The MS tools are far superior to anything else in the world at the moment. They are more robust and easier to use.

    I've heard this from several corners. Sometimes, even from people I trust a bit. I still don't get it. I don't live in the MS world, so I don't have much of a reason to experiment, but I am honestly interested in what makes them so great.

    I hear about the "tool tip" style reference checking, auto-library chain analysis, etc. The first would annoy the shit out of me, and the second I get from my make file (or ant, depending on what I'm building).

    C# seems to be a slight step up over Java, but nowhere near enough to incur the cost of switching platforms. (I say this as someone who develops and maintains production apps in Java, and hates the language.)

    As a sysadmin-cum-developer-cum-business-guy, I do everything in vi, make/ant, cscope, and custom tools using primitives like sed, awk, grep, perl, svn, RT, image-magick, [custom mailing list manager], etc (yeah, perl can replace sed and awk. I mean to, some day...). I think I have everything I need, but I'd love to hear about how it could be done better.

    So, please, do tell- what makes MS dev tools so great? I'm really curious.

  • by AdrianG ( 57465 ) <adrian@nerds.org> on Saturday January 29, 2005 @02:30PM (#11514477) Homepage

    There's another important point that I haven't seen anyone mention: There's an important difference between exploitable design flaws and exploitable implementation flaws. When implementation flaws are exploited, those flaws can usually be fixed without removing essential functionality upon which legitimate users may have come to depend. When design flaws are exploited, the design must be changed to correct those flaws, and to do this, it is often necessary to frustrate the legitimate expectations of real customers.

    I've seen a number of people repeat the naive argument that when there are more Linux users, we will have the same problems with viruses that Windows users have. This argument only makes sense if we ignore MicroSoft's irresponsibility in the design of their software. MicroSoft has knowingly and repeatedly committed to designs that are fundamentally flawed. These design flaws include things like adding powerful, general purpose programming languages and macro languages for applications like word processors, and then adding automatic processing of these files in Mail User Agents. Keep in mind that during the '80s, MicroSoft, along with the rest of the computer industry, faced repeated hoaxes of email viruses, and had to offer again and again to customers the explanation that email could not carry viruses because it did not carry executable content. When MicroSoft made the decision to add automatic handling of executable content to their email systems, they could not have been ignorant of the fact that easy proliferation of viruses would be a consequence of their decision.

    MicroSoft has generally been reluctant to fix the design flaws in their software, because they are committed to some level of backward compatibility. Of course, responsible designs, up front, might have made this commitment less problematic. The result has been a flourishing industry for anti-virus software. We now go to third party vendors to make up for the poor quality of MicroSoft software and for their unwillingness to take responsibility for their own mistakes.

    My experience with widely used Linux software is that the stuff that becomes popular is usually designed much more thoughtfully than is typical of MicroSoft's products. Serious security design flaws are denounced quickly, and perhaps more rudely than is really required. While the vetting process for Linux based software is far from perfect, it has clearly been much more successful than MicroSoft's persistent irresponsibility. I regularly follow email lists about security flaws in Unix/Linux systems, and the vast majority of those flaws are implementation flaws rather than design flaws. The flaws for Linux in particular are quickly addressed, and patches are released. While I'm aware of virus scanners that run on Unix and Linux systems, to me they seem focussed on scanning email and files for Windows viruses. They are Unix and Linux based because Unix/Linux machines are often file servers and email gateways for Windows systems, and not because there is any problem with viruses that attack Unix/Linux systems.

    Finally, Linux developers have not been required to cover for their perjury in the courts and have not been nearly so tempted to violate that maxim of software development that every Computer Science student learns in school: Software should be modular. It should be divided into separate modules, where each module does its job. The interfaces between modules should be clean and simple. Applications should not ever be integrated into the core of the operating system. A consequence of rational design in the Unix/Linux world is that software upgrades are far less problematic. I routinely tell my Linux systems to go grab all the relevant updates at SuSE's web site and apply them automatically, and while I have faced occasional, minor problems, I have never once had a serious problem with any such update. Every Windows administrator knows that each new update carries with it a substantial risk of rendering his systems inoperab
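The design-flaw versus implementation-flaw distinction in the comment above can be made concrete with a small mail-client policy. This is an added example, not AdrianG's code and not the logic of Outlook or any real mail client: a "naive" client that hands every attachment to its handler is compared with a "hardened" one that treats attachments as data and never dispatches executable or macro-capable content. The sample message, the extension and content-type lists, and the function names are all constructed for the demonstration.

```python
"""Added example: an attachment-handling policy that treats inbound MIME
parts as data rather than code. The sample message, the deny-lists and the
function names are constructed for illustration; none of this is taken
from a real mail client."""

import email
from email import policy
from email.message import EmailMessage

# Constructed deny-lists (assumption for the example): content a naive
# "auto-handle" client would pass straight to an interpreter.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
MACRO_CAPABLE_EXTENSIONS = {".doc", ".xls", ".ppt", ".dot"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/hta", "text/vbscript"}


def classify_attachment(part):
    """Return 'execute', 'macro' or 'data' for one MIME part.

    Only the final extension counts: 'report.txt.vbs' is a script, whatever
    the '.txt' in the middle suggests to a user."""
    name = (part.get_filename() or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    ctype = part.get_content_type()
    if ext in EXECUTABLE_EXTENSIONS or ctype in EXECUTABLE_TYPES:
        return "execute"
    if ext in MACRO_CAPABLE_EXTENSIONS:
        return "macro"
    return "data"


def naive_client(msg):
    """Design flaw: every attachment is opened with its registered handler."""
    return [(part.get_filename(), "opened") for part in msg.iter_attachments()]


def hardened_client(msg):
    """Design fix: nothing auto-runs; executable and macro content is quarantined,
    everything else is written to disk as inert bytes."""
    actions = []
    for part in msg.iter_attachments():
        kind = classify_attachment(part)
        action = "quarantined" if kind in ("execute", "macro") else "saved"
        actions.append((part.get_filename(), action))
    return actions


def build_sample_message():
    """Constructed sample e-mail with three attachments (not a real capture)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Please review"
    msg.set_content("See attached.")
    # Double-extension script: looks like a text file to a casual reader.
    msg.add_attachment(b"WScript.Echo 1\r\n", maintype="application",
                       subtype="octet-stream", filename="report.txt.vbs")
    # Macro-capable document (first bytes of the OLE2 magic, constructed).
    msg.add_attachment(b"\xd0\xcf\x11\xe0", maintype="application",
                       subtype="msword", filename="invoice.doc")
    # Harmless data.
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return msg


if __name__ == "__main__":
    # Round-trip through bytes so the policy runs over a parsed message,
    # the way a real client would see it on the wire.
    parsed = email.message_from_bytes(build_sample_message().as_bytes(),
                                      policy=policy.default)
    print("naive   :", naive_client(parsed))
    print("hardened:", hardened_client(parsed))
```

The point the comment makes shows up in the shape of the fix: `hardened_client` is not a patch to a parser bug but a different contract with the user (nothing arrives as code), which is exactly the kind of change that is hard to make once customers depend on the old behaviour.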

  • by Saeed al-Sahaf ( 665390 ) on Saturday January 29, 2005 @02:44PM (#11514548) Homepage
    Here is the issue. Open source or proprietary software re: security? Security is a matter of design rather than something revealed by a simple litmus test. Open source and proprietary software can be secure or insecure. But the way we find this is by discussing the structure of the program and determining whether it is resistant to attack and fails gracefully without exposing the rest of the system. This is easier with open source software. (emphasis mine)


    And this is what I find puzzling about Microsoft. There can be no question that they have just an enormous number of extremely competent, indeed smart, people working for them (yes, they do). They seem to have the kind of non-cube farm work environment that smart people want to work in. So with these simply huge numbers of people working for the Redmond Borg, why can they not have this "discussing the structure of the program and determining whether it is resistant to attack and fails gracefully without exposing the rest of the system"?

  • by karlandtanya ( 601084 ) on Saturday January 29, 2005 @03:04PM (#11514686)
    CYA is the name of the game.


    In making a business decision, it's unlikely for anyone to take responsibility. The larger the business, the smaller the likelihood. It's not an issue of cowardice; the risks simply don't outweigh the rewards.


    So, the question "who do you blame" is a legitimate question. System fails, Clients sue company, company pays clients, insurance company pays company; insurance company sues vendor.


    In business, those who take chances are the people who create the great successes and the great failures. These people exist. They are not the norm.


    "Nobody ever got fired for buying IBM." The point is not that this is true. The point is that people say (or said) this. They're saying that if you're working for someone and you want to keep your job, you make the safe decision.

  • Accountability? (Score:2, Interesting)

    by ayeco ( 301053 ) on Saturday January 29, 2005 @03:14PM (#11514748)
    Who is accountable for the security of the Linux kernel?

    And Microsoft takes the blame for their OS's security, but they are hardly ever held accountable for it.
  • Re:Indeed (Score:5, Interesting)

    by hunterx11 ( 778171 ) on Saturday January 29, 2005 @03:15PM (#11514757) Homepage Journal
    Actually, this is an excellent analogy, just not in the way the grandparent intended. As a producer of bottled water, Evian is held to lower standards than communities are for providing tap water. Tap water may not be free, but it's sure cheaper than bottled water, and the bottled water companies exist only because they convince people that their product is better, when in many cases it is objectively not.
    by einhverfr ( 238914 ) on Saturday January 29, 2005 @03:30PM (#11514859) Homepage Journal
    Because the way they do it at MS, they're raking in about $40B/yr. Good security would cost them more money than just talking about it. They're smart enough to know how to turn insecurity into a marketing triumph, without paying the cost.

    I think that this is present in the minds of program managers at Microsoft to some extent and has been an issue that has needed to be dealt with. But it is not the only one, nor is it the most glaring.

    Microsoft suffers from an inferiority complex when it comes to performance and computing. So often the design compromises which occur in the name of performance are more damaging than the ones which happen in the name of cutting costs and making release schedules. This is speaking as a former insider.

    For example, early NT systems (through 3.x) used a microkernel architecture with the drivers running in ring 1 on Intel and ring 0 on alpha. GDI.exe was a user-mode program.

    Well, it was decided that NT 3.x did not perform well enough, so when NT4 was designed, the essential elements of the microkernel architecture were abandoned in favor of a system where the drivers and GDI ran in ring 0. In other words, the thought was that stability and security were not marketable but performance was, and so they chose performance over the other two.

    Then the TUX webserver came out, I looked at the architecture, and my first thought was "I am NOT running network services as part of my kernel! I don't want those l33t h4x0rz exploiting Ring 0!" I even pointed this out in several discussions regarding the competitive landscape at Microsoft. In general the technicians, support managers, etc. all agreed with me. But not the program managers whose job it was to steer Windows development, because parts of IIS6 run in kernel mode. Again, compromising security and stability for performance (just as TUX does). Again this decision was made to counter Linux publicity re: performance rather than to try to offer a compelling alternative.

    In other words, Microsoft still is not really driven by making secure software. Or at least it wasn't when I worked there (up until shortly after Server 2003 launched). Instead, they have a whack-a-mole marketing attitude where their new products must beat their competitors' in terms of publicity based on whatever market fad is happening at the time.

    So these words are a threat but seem to indicate that they are really worried about Linux and all the free publicity that they are getting.

    But when was the last time anyone trusted Microsoft re: security anyway?
  • by hikerhat ( 678157 ) on Saturday January 29, 2005 @04:04PM (#11515055)
    I suppose I should prefix this by saying I love Linux, and I've been running it for nearly 10 years. But the Linux community has its head buried in the sand when it comes to security. The only reason Linux doesn't have thousands of viruses written for it is because nobody runs it. Same with macs. Windows XP has a better security infrastructure than any UNIX knock off. Let's knock down the standard UNIX security myths now.
    1) Running as user rather than root keeps my important files safe, and prevents bad things like rm -rf from destroying everything.
    False. Your most important files are the files you can read/write as a user. The root owned files are all just the files you copied off your Redhat (or whatever distro) cd onto your hard drive. You can just reinstall Redhat (or whatever) in 30 minutes. Running as non-root only prevents you from deleting the files that don't matter.
    2) Running as user rather than root protects me from viruses/worms/spyware, etc.
    False again. Executables execute just fine when they are owned by a user rather than root. Sure, they can't delete your root owned files, but see #1 above.
    3) Linux won't automatically run code off the web like ActiveX, etc.
    Only true because Linux doesn't have ActiveX. There is nothing in Linux that prevents insecure frameworks like ActiveX from being written/used. Linux has the security weaknesses required (just as Windows does) for ActiveX, it just doesn't have ActiveX.
    4) Linux doesn't allow users to open privileged ports.
    I never understood this one. Users can still open all the other ports.
    Windows NTFS also has a much more mature security infrastructure than the Linux file systems in real world use.

    Linux has a primitive "all or nothing" style security infrastructure.

    The only reason Linux is a safer system to run today is because nobody uses it, so 1 - Linux isn't a target and 2 - no commercial software is written for it. The few Linux users that are out there are computer hobbyists with enough experience to know not to run arbitrary, unknown code. Computer literate Windows users also have no problems with viruses/etc because they know not to run arbitrary untrusted code.
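The mode-bit and privileged-port rules the comment above argues about are small enough to model directly. What follows is an added illustration, not hikerhat's code and not any kernel's: the POSIX owner/group/other check with the uid 0 bypass, the credential change on exec of a setuid binary, and the reserved-port rule, run over a constructed inode table. The paths, uids, gids and modes are invented for the example; the decision logic mirrors the classic rules (root may read and write anything, and may execute a file only if some x bit is set or it is a directory).

```python
"""Added example: a model of classic Unix DAC (owner/group/other mode bits
with root bypass), the setuid transition on exec, and the privileged-port
rule. The inode table and the users are constructed for the demonstration;
this is not code from any kernel."""

from dataclasses import dataclass
import stat


@dataclass(frozen=True)
class Inode:
    path: str
    uid: int
    gid: int
    mode: int  # st_mode: file-type bits plus permission bits


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary groups


READ, WRITE, EXEC = 4, 2, 1
PRIVILEGED_PORT_LIMIT = 1024  # ports below this need uid 0 (or CAP_NET_BIND_SERVICE)


def may_access(cred, inode, want):
    """POSIX DAC decision for a bitmask of READ/WRITE/EXEC.

    The first matching class (owner, then group, then other) decides; it is
    not a union of the three. uid 0 bypasses read/write checks and passes an
    execute check only if the object is a directory or has some x bit set."""
    if cred.uid == 0:
        if want & EXEC and not stat.S_ISDIR(inode.mode) and not (inode.mode & 0o111):
            return False
        return True
    if cred.uid == inode.uid:
        bits = (inode.mode >> 6) & 0o7
    elif cred.gid == inode.gid or inode.gid in cred.groups:
        bits = (inode.mode >> 3) & 0o7
    else:
        bits = inode.mode & 0o7
    return bits & want == want


def may_bind(cred, port):
    """Reserved-port rule: below 1024 only uid 0 may bind."""
    return port >= PRIVILEGED_PORT_LIMIT or cred.uid == 0


def exec_cred(cred, inode):
    """Credentials a process holds after exec of `inode`, honouring setuid/setgid.
    Returns None when `cred` may not execute the file at all."""
    if not may_access(cred, inode, EXEC):
        return None
    uid = inode.uid if inode.mode & stat.S_ISUID else cred.uid
    gid = inode.gid if inode.mode & stat.S_ISGID else cred.gid
    return Cred(uid, gid, cred.groups)


# Constructed inode table (assumed values; gid 42 stands for a 'shadow' group).
FILES = {
    "/etc/passwd": Inode("/etc/passwd", 0, 0, stat.S_IFREG | 0o644),
    "/etc/shadow": Inode("/etc/shadow", 0, 42, stat.S_IFREG | 0o640),
    "/usr/bin/passwd": Inode("/usr/bin/passwd", 0, 0, stat.S_IFREG | stat.S_ISUID | 0o755),
    "/home/alice/thesis.txt": Inode("/home/alice/thesis.txt", 1000, 1000, stat.S_IFREG | 0o644),
}
ALICE = Cred(1000, 1000)  # constructed unprivileged user
ROOT = Cred(0, 0)


def access_report(cred):
    """Map each path to the string of operations (r/w/x) `cred` may perform."""
    names = {READ: "r", WRITE: "w", EXEC: "x"}
    return {
        path: "".join(names[op] for op in (READ, WRITE, EXEC) if may_access(cred, ino, op))
        for path, ino in FILES.items()
    }


if __name__ == "__main__":
    for who, cred in (("alice", ALICE), ("root", ROOT)):
        print(who, access_report(cred))
    elevated = exec_cred(ALICE, FILES["/usr/bin/passwd"])
    print("alice after exec of setuid passwd:", elevated,
          "can write /etc/shadow:", may_access(elevated, FILES["/etc/shadow"], WRITE))
    print("alice may bind 80:", may_bind(ALICE, 80), "8080:", may_bind(ALICE, 8080))
```

Run as written, the report for `alice` is `rw` on her own file, `r` on `/etc/passwd`, nothing on `/etc/shadow`, and `rx` on the setuid `passwd` binary, whose exec yields uid 0 credentials that can write `/etc/shadow`; she may bind 8080 but not 80. The model is deliberately limited to the classic bits: ACLs, capabilities and MAC layers such as SELinux sit on top of this check and are not represented.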

  • by l3v1 ( 787564 ) on Saturday January 29, 2005 @04:33PM (#11515180)
    The gist of his argument appears to be his claim of lack of accountability among distributors,

    Mmkay, M$'s could be held accountable for Windows' lackings in security and loads of holes and bugs in their software. But it doesn't change anything, does it. Don't start cleaning somebody else's porch until yours is the biggest mess.

    Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.

    Yet, even Red Hat has provided countless app. and security fixes over the years. And, for the record, accountable for the security of the Linux kernel? Well, that is a question, isn't it. Didn't know that was such a problem even M$ cares about. Oh, and by the way, who can be held accountable for the NT series kernel (about which nobody can have a clue what it contains)? No, don't mention any names please, my prayers already contain a quite long list of names.

    Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft, neither is there a single sign-on system.

    I need to take my pills to stop my laughing spasms. Okay, let's educate ourselves. For one, it would be a good homework assignment for some student to find out what o.s.'s were used in the first, let's say, 10 years of computer controlled systems which could be labeled mission critical. Then, Kylix and KDevelop are both fully R&D environments (I deliberately don't mention "smaller" stuff) from hello world to GUI development, all integrated. Then regarding the Passport thing, that's really awkward to reference, since everybody and the neighbor's dog is dumping it all over the place, it being good for nothing useful on this earth.

    There a myth in the market that there are hundreds of thousands of people writing code for the Linux kernel. This is not the case; the number is hundreds, not thousands

    :D Okay, now we all are convinced how superior Microsoft products are :D My world changed from ground up after reading this sentence, really :D These guys really have to be working hard to make such arguments :)

    There are very few of the improvements that come through the wider community. There are more skilled developers writing for the Microsoft platform than for open source

    Now that's it. When you don't know anything else to do, go offend openly every developer who dares to do FOSS work.

  • by racermd ( 314140 ) on Saturday January 29, 2005 @05:19PM (#11515507)
    You're getting tons of replies already, but I'll fill in on another corner of the discussion that hasn't yet been revealed.

    It's entirely possible that middle-management at MS doesn't have (or doesn't want) the type of directional control they need to get their workers to produce something that is "good".

    The Upper Management/Directors/Execs/Chiefs have clearly shown themselves to be the puppeteers of the great MS show. We get laughable quotes like this new one every few weeks from these characters (literally and figuratively). And it's humorous in an "I can't believe that you believe that" kind of way while being truly pathetic.

    It's a pretty common theme among large companies, however. The people that steer the metaphorical ship don't have any real idea of what goes on at the lower levels of their organization. Nor would they want to. If we run with this metaphor, they don't really want to know how the engine produces power or the detailed physics behind why a rudder turned 15 degrees one way turns the ship at a certain rate. It doesn't help that they're typically shielded/buffered from reality by some butt-kissers looking to get a bigger slice of the pie.

    Everyone from the bottom up to middle management (workers, their managers, and the managers' bosses) is where the real work is done at most companies. The directional control is usually handed down from on high by the execs, and it's up to the workers to make it happen. The ones at the lower levels are the ones with the greatest sense of reality, and can head off problems before they're really problems. It's only when the executives start meddling around the real work that things start becoming ugly.

    This exact scenario is the case where I work right now. We're not an IT company, specifically, but we do rely heavily on IT to get our work done. As an IT worker, I'm forced to see the inefficiency, bureaucracy, and sheer stupidity of doing things as we currently are. This is a result of decisions from 3 levels higher in the corporate food-chain than the real worker. At some point in the past, the company needed a direction regarding a rather large software project. What we got was a level of detail that should have been left up to the workers. It wasn't as much WHAT to do that got us in this mess as the HOW that was mandated. As a result, things got much worse...

    We now have many non-technical managers leading teams of VERY technical people. Decisions that determine IT's direction within the company are now made by people that have no place in IT at all, much less managing IT staff and making decisions about technology.

    Things are starting to change here as the clued-in technical managers and staff realize what happened, so there is hope. But I suspect MS is caught up in the same type of situation where specifics are being decided by people that have no expertise on the matter. It would certainly explain things, anyway.
  • by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Saturday January 29, 2005 @05:35PM (#11515612) Homepage
    The only question is, who is still using sendmail? Major distros have moved on to postfix and qmail is always an option.
    I imagine that at least two `major distros' have moved on to Postfix, and so your statement would be correct, but certainly, not all have. I doubt even most.

    Red Hat and now Fedora Core, for example, still ship with sendmail. I don't recall if FC3 had other mailer daemons as an option or not but sendmail was the default mailer.

    Also, *nix does not only mean Linux. As far as I know, most other *nixes still come with sendmail rather than something else. Sure, you can replace them with postfix or qmail or whatever you want, but by default, it's sendmail. (Have qmail or postfix been ported to Windows yet? Wouldn't surprise me ...)

    As far as I know, sendmail is still the most popular mail daemon out there, even more popular than Exchange.

    As for `twenty years of buffer overflows', sendmail has a tricky job to do. It's a complicated program, extremely customizable, and a network daemon to boot. And twenty two years old! (That alone says something.)

    Certain aspects of its architecture (especially its monolithicity) suggested that a rewrite may provide a more secure and faster product, and out of this came smail, qmail, postfix, exim and others. But sendmail is still the standard, and it's still under development. It's been quite some time since I've heard of a buffer overflow for sendmail ... (lat se

  • by f16c ( 13581 ) on Saturday January 29, 2005 @08:26PM (#11516696)
    "The Linux community has its security head in the sand. Linux isn't secure. It is just that it is only run by a few computer literate people who know how to keep their insecure systems safe."

    And most of us also use the system for work, school and play. We know more about computing and the threats to our systems than most windows users because the system is teaching us. You don't learn how things work with a mouse. You learn them by breaking the system, messing with it, building software and installing from source code. The best security in the world is learning and reacting to the real world. By shielding us from it Microsoft has insulated us not from the threats of the world but from the tools to protect ourselves and educate ourselves about the system.

    To say that Microsoft or linux is better for security is a red herring in either case. I like the basic simplicity of the *NIX model. My stuff works. My systems do what I want.
  • by einhverfr ( 238914 ) <chris.travers@g m a i l.com> on Saturday January 29, 2005 @08:59PM (#11516881) Homepage Journal
    so why did you leave?

    Aside from the politics which were way over the top in my opinion, I had a few family issues that could not be adequately addressed while I worked there. Now that my year has passed and I am no longer bound by any non-compete clauses, I can be a little freer with who I am and what I am doing now.

    BTW, for those that do work at Microsoft, I was deeply involved in competitive discussions which led to:

    1) Pop3 server bundled with Windows Server 2003 (so that the SMTP/POP3 server combination can compete with Sendmail).

    2) The decision to take Services for UNIX to Linuxworld was based on my suggestion though I had no power or leverage to make it happen (and others carried the torch).

    3) I was the first to my knowledge to suggest the bundling of SFU with Windows Server. I made many other suggestions but I feel that it would be unwise to mention any which have not been announced either way due to NDAs.

    After I left Microsoft, I began to develop a set of software tools designed to help complete the Linux software stack (and just simple utilities to make my life easier). I began a software consulting business which helps people make the most of Linux and Windows.

    To tell you the truth, there are pieces missing from the Linux software stack. Anyone who tells you otherwise does not deal with the range of customers necessary to see it but it is there and includes a lot of vertically targeted software for small businesses and line of business software. Most of the software in these markets is not very mature and will take time to develop. So Linux is not for everyone in every capacity but it is getting there.

    On the other hand, Windows security is a horrible myth. Windows will never be as securable as Linux is. There are fundamental problems in its design and I have no problem saying this.

    Now I did not say that Windows is less secure than Linux, only that it is less securable. If you really want to, you can configure your Linux system to be less secure than Windows 95. It is not that easy to do but it can be done. On the other hand, it will be next to impossible to achieve the same securability on Windows that you have on Linux without breaking a lot of important crap.
  • by Long-EZ ( 755920 ) on Saturday January 29, 2005 @09:14PM (#11516939)
    A colleague of mine has a small business and is using an Exchange server. I've been trying to talk him into Linux, but he's pretty deep in the belly of the beast. For years he had been telling me that Linux may be theoretically better, but the de facto standard of Microsoft products made up for their insecurity, instability, etc. One example was that someone could email him a DOC file and he could double click it to launch Word. I told him that Linux had matured, and I could double click DOC files in Mozilla to launch OpenOffice. He fell back to the position that OpenOffice isn't 100% compatible. I responded that the formatting in OpenOffice is good, but not quite pixel by pixel compatible, and the biggest incompatibility was the wise choice not to allow macros to send email and other unauthorized execution in OpenOffice, which causes a lot of security problems in Word.

    A bit over a year ago, he told me he was mad because, heh heh, he now had to save a DOC file from his email, run Word, and open the DOC file manually. I asked why. He said the latest version of Exchange prevented him from executing DOC files from within Outlook because it was too much of a security risk. I suggested that it was probably just a change in the default settings, and given his paranoid email scanning for malware, he could probably re-enable DOC file launches in Outlook. He said he spent almost a day trying and managed to eventually learn that there was no Exchange option that allowed Word execution from double clicking a DOC file in Outlook. This didn't sound right, but he's fairly technical, and he insisted it was an Exchange security issue. If so, it sure sounds like a stupid security decision was made a long time ago when Microsoft decided they wanted code to automatically execute, ostensibly for user convenience, and that ultimately led to a lot less security and a lot less convenience.

    I had to laugh. His company shells out a lot for MS licenses every year, plus a lot more money and aggravation for antivirus and anti-spyware software, and he still can't double click a DOC file to view it and my company can using Linux.

    MS wins on usability? I'm not seeing it.

    And you only need to read the weekly news releases of major Microsoft security problems, as well as the thriving market for Windows antivirus software, to know that Windows isn't winning on security.

    The fact is, the tide has turned, and Windows is now on its way out. It's still early, but I don't see any possible reversal in the process. It's too much to expect them to go quietly, so we have all this whining and FUD. Good riddance. It can't happen fast enough for me. I'm tired of people I know getting me to support their Windows PCs. I'm very close to offering support only for Linux. My last freebie service call was to resolve an issue with Windows registration preventing operation of a legitimate system. I won't miss that. And I won't miss all the spam from the zombied Windows machines (currently about 80% of all US spam).

    If you're on the fence, and looking for a good desktop Linux alternative to Windows, check out Xandros 3.0 [xandros.com]. It's easy to use and very powerful. It does Windows networking so well that Windows machines can't tell the difference. It has remote administration so you can lock down corporate PCs and remotely push updates any time you like. It has lots of nice convenience features like drag and drop CD and DVD burning. It's very stable. Other than the lack of virus issues, most corporate users probably wouldn't know it isn't XP. It's worth evaluating if you're looking for an alternative. I've been using Xandros for over two years and it's very good and just keeps getting better.

  • by master_p ( 608214 ) on Saturday January 29, 2005 @09:52PM (#11517134)

    I haven't read a sillier comment than those of Microsoft on open source software, and especially Linux. Simply put, open source software is the biggest invention ever.

    Linux security is highly exaggerated

    Windows security is too complicated to be taken seriously. On Unix, you have user, group and public security bits. It is a simple model, yet proven enough for all tasks. On Windows, you may have ACLs based on time, on type of access, inheritable security attributes, etc etc, but Windows is still the most vulnerable O/S by a long shot.

    and that the open source development model is 'fundamentally flawed.'

    Thanks to open source software, there are thousands of programs to use for every possible task, the scientific knowledge on computers spreads around much faster, it helps low economies ride the computer revolution bandwagon, it helps children in poor countries get in touch with computers... Imagine a world without open source software! Computers would not be as widespread as they are now.

    'Who is accountable for the security of the Linux kernel?'

    Who is accountable for the security of Windows, given that the installation disclaimer says that Microsoft has no responsibility whatsoever on the effects of working with their O/S?

    Furthermore, OSS does not need accountability: if your app does not run and does stupid things, people will not run it, your reputation will be hurt, and you will be forced afterwards to do a better job.

    'Linux is not ready for mission-critical computing.

    Last time I heard, the US army plans on replacing Lynx and other real-time O/Ses with Linux on their radar and defense systems. How's that for 'mission-critical'? I know several companies that produce defense applications for Linux. And Linux is actually better for this kind of software, because the source code can be audited by these companies at no charge.

    the lack of a development environment

    They couldn't have made a funnier and more absurd statement. Hey MS, does GCC ring a bell? It comes with every Linux distro, remember? What's the development environment of Windows out of the box? None. There is none. MS users have to spend another $300 on getting the MS Visual Studio.

    and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program.

    A single sign-on system is actually unimportant. I have registered myself at many many sites, but since the browser remembers my password, I don't even sign on. Furthermore, wasn't there a story about the .NET passport system security having been hacked for a week or so? And hackers having access to ALL of users' data?

    I guess Linux can only aspire to the greatness of Windows

    What greatness? Win32 is the single most badly-designed API, right after MFC. Microsoft actually needed to develop a whole new platform in order to get it right. There is simply no architecture behind Win32. It is a random accumulation of functions over time, with many semantic problems, no clear separation between concepts (for example, asynchronous sockets are implemented through the win32 message queue).

    As for the plethora of software, it was a matter of economics that Windows has so much software: the hardware platform that it ran on was the cheapest (and the dumbest!), the available functionality was OK (but second to best), and more importantly, Microsoft let Windows spread by not caring about piracy!

    And what can one say about their flagship products? Internet Explorer is full of security problems, Outlook too, Word 2003 has become a bitch to use from so much bloat, .NET has 2 million layers of abstraction and a couple of thousand classes that it happens not to fit exactly to your problems...

    Microsoft is also responsible for giving C/C++ a bad name; their software practices are truly evil. They changed some of

  • by cecom ( 698048 ) on Saturday January 29, 2005 @10:53PM (#11517421) Journal
    You make valid points and much of it is a matter of opinion anyway. I will address only the matter of ACLs.

    It is true that a typical Linux installation doesn't have ACLs. However ACLs do not make a system more secure. On the contrary. Try administering dozens of nested directories with dozens of different permissions (some granted, some revoked, depending on their relative order), users, nested groups, owners, attributes, some inherited, some not.
    It is a nightmare. Often it is impossible to fit it in one's head. It is too easy to get it wrong by accident. I have on more than one occasion.

    By comparison Unix permissions seem really primitive, however they are really easy to comprehend and verify, especially for people who have more important work than administering their systems.

    A major security lapse in Windows is the lack of the SUID bit. It is extremely difficult to allow a regular user to execute a trusted piece of code - one has to resort to IPC and write mountains of code - that is why few people do it.

    The net result of all this is - it is simply more technically difficult to write secure software for Windows.
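As an added illustration of the point master_p and cecom both make (the user/group/other bits are small enough to verify by hand, and the setuid bit is what lets an ordinary user run a trusted helper), here is a Python model of the classic mode-bit check and of what setuid does to the effective uid on exec. This is example code written for this page, not any poster's code; the Inode and Cred classes, the function names and the sample user and helper file are all constructed.

```python
"""Model of the classic Unix permission check (user/group/other bits)
and of the setuid bit's effect on exec. Added example for this thread,
not any poster's code; Inode and Cred are constructed stand-ins."""
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Inode:
    owner_uid: int
    owner_gid: int
    mode: int  # permission part of st_mode, e.g. 0o4755

@dataclass(frozen=True)
class Cred:
    uid: int
    gids: frozenset  # primary plus supplementary group ids

def may_access(cred: Cred, inode: Inode, want: str) -> bool:
    """True if a process with `cred` may do `want` (a subset of "rwx")
    to `inode`. Exactly one class applies: owner if the uid matches,
    else group if any gid matches, else other. Classes are never
    unioned, so a mode 0o077 file is unreadable by its owner while
    being readable by everyone else."""
    need = 0
    for ch in want:
        need |= {"r": 4, "w": 2, "x": 1}[ch]
    if cred.uid == 0:
        # Linux CAP_DAC_OVERRIDE: root reads and writes anything but
        # may only execute a file that carries at least one x bit.
        return "x" not in want or bool(inode.mode & 0o111)
    if cred.uid == inode.owner_uid:
        shift = 6
    elif inode.owner_gid in cred.gids:
        shift = 3
    else:
        shift = 0
    granted = (inode.mode >> shift) & 0o7
    return (granted & need) == need

def effective_uid_after_exec(cred: Cred, inode: Inode) -> int:
    """The euid the new process image gets when `cred` executes `inode`:
    the file owner if the setuid bit is set, else the caller's own uid.
    This single bit is what lets an ordinary user run a small trusted
    helper, the thing cecom notes is hard to arrange on Windows."""
    if not may_access(cred, inode, "x"):
        raise PermissionError("exec denied by mode bits")
    if inode.mode & stat.S_ISUID:
        return inode.owner_uid
    return cred.uid

# Constructed sample: an ordinary user and a setuid-root helper.
ALICE = Cred(uid=1000, gids=frozenset({1000}))
SETUID_HELPER = Inode(owner_uid=0, owner_gid=0, mode=0o4755)
```

Note that the model ignores mount options such as nosuid and any ACL or MAC layer; it reproduces only the mode-bit rule the two posters are discussing.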
  • by JohnFluxx ( 413620 ) on Sunday January 30, 2005 @02:03AM (#11518200)
    I also did a coding competition thing, but for Barclays Bank. They put us up in nice hotels with free drinks and gave us all ipaqs (nice ones too).

    But they made some bad judgements. Stuff like repeatedly emphasising that you don't need to be the brightest, in fact they take on 2.1 and 2.2 grade students. While this is great, it's not quite what you say to recruit the guys that won the coding competition... Also while they had linux servers, they downplayed them heavily and talked about the windows machines. (I got the feeling the management didn't actually know they had linux machines).

    But what annoyed me most.. is they told us this story about how one of the security guards saw smoke coming from the servers in the server farm. He hit the emergency stop, which turned off all the machines. Turned out it was just dust, but they fired the poor guy. I asked what measures they put in place to stop that happening again, and they said uh none.