Microsoft Claims Linux Security a Myth

black hole sun writes "Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.' The gist of his argument appears to be his claim of lack of accountability among distributors, coupled with generic statements short on facts. 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.' He goes on to say that 'Linux is not ready for mission-critical computing. There are fundamental things missing,' pointing out the lack of a development environment and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program." I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.
  • by Staos ( 700036 ) * on Saturday January 29, 2005 @11:33AM (#11513680) Journal
    Twenty years of buffer overflows. [google.com]

    Questions?
    • The only question is, who is still using sendmail? Major distros have moved on to postfix and qmail is always an option.
      • by Doctor Crumb ( 737936 ) on Saturday January 29, 2005 @01:30PM (#11514473) Homepage
        There's also exim. I'm amazed that anyone would bring up sendmail considering the shitheap that is Exchange. Which, incidentally, there are no alternatives for. And microsoft is somehow trying to pass that off as a feature, now. "but linux has so many *choices*! It can't be ready for the enterprise!"
      • by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Saturday January 29, 2005 @04:35PM (#11515612) Homepage
        The only question is, who is still using sendmail? Major distros have moved on to postfix and qmail is always an option.
        I imagine that at least two `major distros' have moved on to Postfix, and so your statement would be correct, but certainly, not all have. I doubt even most.

        Red Hat and now Fedora Core, for example, still ship with sendmail. I don't recall if FC3 had other mailer daemons as an option or not but sendmail was the default mailer.

        Also, *nix does not only mean Linux. As far as I know, most other *nixes still come with sendmail rather than something else. Sure, you can replace them with postfix or qmail or whatever you want, but by default, it's sendmail. (Have qmail or postfix been ported to Windows yet? Wouldn't surprise me ...)

        As far as I know, sendmail is still the most popular mail daemon out there, even more popular than Exchange.

        As for `twenty years of buffer overflows', sendmail has a tricky job to do. It's a complicated program, extremely customizable, and a network daemon to boot. And twenty two years old! (That alone says something.)

        Certain aspects of its architecture (especially its monolithicity) suggested that a rewrite may provide a more secure and faster product, and out of this came smail, qmail, postfix, exim and others. But sendmail is still the standard, and it's still under development. It's been quite some time since I've heard of a buffer overflow for sendmail ... (lat se

    • by slavemowgli ( 585321 ) on Saturday January 29, 2005 @01:38PM (#11514518) Homepage
      Yes, one. What does sendmail have to do with linux?
  • Indeed (Score:5, Insightful)

    by SilverspurG ( 844751 ) * on Saturday January 29, 2005 @11:34AM (#11513683) Homepage Journal
    "Who is accountable for the security of the Linux kernel?"
    Tell me. Of the 60,000 some (give or take whatever) viruses, worms, and trojans available for Windows, how many of them even needed kernel level access? I suppose he can simply blame that on others.

    There are bits of the Linux software stack that are missing
    Care to elaborate? Just what part of the software stack is missing?
    • Re:Indeed (Score:4, Funny)

      by Anonymous Coward on Saturday January 29, 2005 @11:36AM (#11513700)
      Care to elaborate? Just what part of the software stack is missing?

      The bit that lets Firefox add new suid root system calls to Linux via .xpi files disguised as links to FREE BOOBIES.
    • Re:Indeed (Score:5, Funny)

      by had3l ( 814482 ) on Saturday January 29, 2005 @11:52AM (#11513826)
      "Care to elaborate? Just what part of the software stack is missing?"
      They don't know, it's missing.
    • Re:Indeed (Score:5, Funny)

      by AKnightCowboy ( 608632 ) on Saturday January 29, 2005 @11:53AM (#11513837)
      Care to elaborate? Just what part of the software stack is missing?

      The entire .NET Framework is missing from the Linux kernel!!! My Visual Basic kernel modules won't even compile under Linux.

    • Re:Indeed (Score:5, Insightful)

      by Anonymous Coward on Saturday January 29, 2005 @11:53AM (#11513843)
      Trying to use logic and reasoning in the face of this style MS FUD is just going to make for a long winded argument.

      Here, MS is starting out with claims that don't have a thing to do with reality. They're stating nothing more than equivalents to 'what if's. Making a reasonable sounding argument that in the absence of proof sounds like it could have some backing behind it.

      When MS says "The biggest challenge we need to face centres on the myth and reality. There are lots of myths out there as to what Linux can do. One myth we see is that Linux is more secure than Windows." it's just an outright lie. It sounds like he's taking the position of a firm stand against a very real problem. "the open source development process creates fundamental security problems." furthers it, by attempting to put an explanation on just what's wrong with Linux.

      It's theorising, and it's the kind of logic a bunch of guys down the pub will bullshit on about for hours, talking about cars or government or whatever, things they really don't know about, but can sound knowledgeable about.

      Sounding knowledgeable doesn't stand up to Reality though.

      Microsoft's comments about Linux security in the face of the passing of their least secure year is the equivalent of them arguing that drink driving is actually safer, by stating "Alcohol slows you down. It would make you drive slower, therefore be safer. You'd be less likely to do anything silly cos you'd be trying to concentrate harder on driving well". On the surface to someone who knows no difference, it sounds like an argument that has merit.

      But again, The Real World jumps up and gets in the road, and that's where real security issues for MS exist, and not in their false construct of marketingspeak.
      • Re:Indeed (Score:5, Insightful)

        by Master of Transhuman ( 597628 ) on Saturday January 29, 2005 @03:00PM (#11515035) Homepage

        This reminds me of the guy in the Bush administration that said something to the effect that "reality-based people" don't have any effect in the "real" world - just all those "faith-based people" in the administration.

        Which is actually true. Even Seymour Hersh said it on the Daily Show interview I just watched a few minutes ago - that regardless of what he writes, or the NYT writes or anybody else - the administration is going to do whatever they want - including invading Iran and getting hundreds of thousands more people killed.

        And that's true about Microsoft and anything Microsoft says - it's all going to be total bullshit and deliberate lies and that's the caliber of the people working there - but they're going to do it anyway.

        Time to ignore them and just get on with it. As Abbie Hoffman once said, "Do Your Own Thing and Only Your Own Thing".

        Or as William Burroughs said, "Never let the critic teach you the cloth" (as they say in bullfighting).

    • Re:Indeed (Score:4, Insightful)

      by tdemark ( 512406 ) on Saturday January 29, 2005 @11:55AM (#11513860) Homepage
      'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.'

      Who is accountable for the safety of drinking water? Does Evian, for example, take responsibility? It cannot, as it does not produce water. It packages one distribution of water.
      • Re:Indeed (Score:5, Funny)

        by Jesus_666 ( 702802 ) on Saturday January 29, 2005 @01:45PM (#11514570)
        That's why water is not ready for mission-critical drinking, as its development model is fundamentally flawed and it's lacking a single 'drink-on system'. Because of that Microsoft has been forcing its employees to only drink Jack Daniel's Tennessee Whiskey since 1984.
        • Re:Indeed (Score:4, Funny)

          by Evil Pete ( 73279 ) on Saturday January 29, 2005 @06:40PM (#11516404) Homepage

          That's why water is not ready for mission-critical drinking

          Hence the need for Microsoft's new .WET architecture to solve these problems.

          forcing its employees to only drink Jack Daniel's Tennessee Whiskey since 1984

          Truly, this explains so much.

      • Who is accountable for the safety of drinking water? Does Evian, for example, take responsibility? It cannot, as it does not produce water. It packages one distribution of water.

        Yes, Evian does take responsibility. As the producer of the food product - namely, bottled water - it is held responsible for its quality and safety to the consumer by the Food and Drug Administration.

        But hey - way to go trying to make a lame analogy. And by the way, raising your hands and saying "who knows who is responsible" an
        • Re:Indeed (Score:3, Insightful)

          by cowbutt ( 21077 )
          I think you'll find that's exactly the point the OP (tdemark) was making.

          Red Hat takes responsibility for their distro in the same way Evian takes responsibility for the safety of the water they sell. But neither take responsibility for all instances of the raw materials they package and sell.

        • Re:Indeed (Score:5, Insightful)

          by theCoder ( 23772 ) on Saturday January 29, 2005 @02:09PM (#11514722) Homepage Journal
          Actually, it was a great analogy. Just as Evian doesn't take responsibility for drinking water as a whole, but just its bottled water product, Red Hat doesn't take responsibility for the Linux kernel downloaded from kernel.org or other places, but does for its particular version of the kernel (and the other software it includes).

          At least as much as Microsoft does for Windows, anyway.
        • Re:Indeed (Score:5, Interesting)

          by hunterx11 ( 778171 ) <hunterx11@nosPam.gmail.com> on Saturday January 29, 2005 @02:15PM (#11514757) Homepage Journal
          Actually, this is an excellent analogy, just not in the way the grandparent intended. As a producer of bottled water, Evian is held to lower standards than communities are for providing tap water. Tap water may not be free, but it's sure cheaper than bottled water, and the bottled water companies exist only because they convince people that their product is better, when in many cases it is objectively not.
    • Re:Indeed (Score:5, Insightful)

      by prandal ( 87280 ) on Saturday January 29, 2005 @12:00PM (#11513898)
      Care to elaborate? Just what part of the software stack is missing?

      DRM.
    • Re:Indeed (Score:5, Insightful)

      by Anonymous Coward on Saturday January 29, 2005 @12:04PM (#11513929)
      Read the EULA for Windows.

      Microsoft isn't responsible for the security of windows either!
    • Re:Indeed (Score:5, Insightful)

      by timeOday ( 582209 ) on Saturday January 29, 2005 @12:07PM (#11513951)
      Accountability is a complete red herring in the first place. Microsoft explicitly disclaims any liability for whatever may go wrong with Windows. Just like everybody else - but then MS has the gall to slam others for lack of accountability!?

      They can make accountability an issue right after they start taking the blame for virii and worms, and reimburse business for all the expense and inconvenience Windows holes cause.

    • There are bits of the Linux software stack that are missing

      Care to elaborate? Just what part of the software stack is missing?

      Anti-virus scanners and spyware removal tools... ;)

    • Re:Indeed (Score:5, Insightful)

      by brianosaurus ( 48471 ) on Saturday January 29, 2005 @02:54PM (#11515009) Homepage
      Even more basic,

      accountability != security

      When one of those 60,000 viruses, etc, attacks your Windows box, you know exactly who is accountable for the security hole: Microsoft.

      But what good has that done any of us? I still see the worms trying to infect my system daily (fortunately I run Apache on FreeBSD, not IIS on Windows). When I visit my relatives with Windows boxes, I have to clean up hundreds of pieces of spyware and adware. Knowing who to point your finger at doesn't stop the thousands (or whatever) of compromised machines from constantly spamming us.

      Not to mention M$'s latest announcements limiting security updates to only non-pirated copies. That's a tough call. On the one hand, the pirates get what they deserve; they didn't buy the product, so they are not entitled to support. That's fine.

      The problem is that it's not just the pirates who are penalized. Having thousands of unpatched Windows machines is bad for everyone. The worms and viruses don't care if it's a legal copy or not. They'll infect and add the pirate machines into the spam-cluster. Who is accountable for those, now that MS has washed that one off their hands? I still say Microsoft.
  • by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Saturday January 29, 2005 @11:35AM (#11513690) Homepage Journal
    Fact: Much of what winders suffers from is incompetent users. Nothing is really stopping the developers from writing spam bots for windows because idiot users on Linux could run bad code just as easily as idiot users on windows.

    OTOH, you don't have such dumbass tricks as tying your browser right to the OS or ActiveX, so you make spyware and whatnot less of a factor.

    On yet another hand, however, you have the problem of moron users running sendmail daemons that listen for connections from the Internet and other stupid things. Plus, Linux has security holes. If stupid people don't patch them just like they don't patch winders, what good is the security?

    Again: You can protect the stupid people from the world if you want, but you can't protect them from themselves.
    • by ggvaidya ( 747058 ) on Saturday January 29, 2005 @11:53AM (#11513841) Homepage Journal
      IMHO, the biggest problem is that Windows has remained relatively unchanged since Win95. Win95 was a single-user application, only just beginning to explore the Internet. The biggest risk your computer could face - viruses - could be handled by being very careful about which floppy disks you used. People who used BBSes were competent enough to use antiviral programs.

      With the coming of the Internet, all that changed. Windows needs to be secure enough to prevent web-based attacks, such as through badly created web application frameworks like ActiveX, as well as prevent attacks on vulnerabilities in the networking function of the OS. Stuff like using a restricted user mode, frequent updates, using a secure browser, etc. are necessary to stop such attacks.

      A Windows computer is probably as secure as a Linux machine if adequate measures are taken: antivirus programs, firewalls (generally included in the former), secure passwords, not running as Admin and most importantly, frequent updates.

      All this is new stuff that people have to learn. At least if you use Linux, somewhere down the line you *have* to learn the basics of stuff like this (I've found "rm -rf" is the best tool for teaching people to NEVER run as root!). With Windows, you can remain painfully oblivious to the most basic security techniques because the OS will *let* you - and your computer becomes the next hub for Joe Spamboss.

      Hopefully, SP2 will improve things - I've found the firewall a real PITA, particularly on university-administered computers, but at least it makes people a little more aware and careful.

      I don't think branding everybody as "stupid" is the way to go about it. They're not stupid, they're just not aware. And I blame Microsoft as their enabler, at least for these last few years.
    • Again: You can protect the stupid people from the world if you want, but you can't protect them from themselves.

      Pffft, right. I'm as geeky as they come but I want my system to be secure without me having to think about it. I got code running through my head all day long, the last thing I need to think about is whether or not my system is secure. I do want my system to be secure and protect me though. The OS needs to do that for me because I don't want to care about that stuff.
    • by Coryoth ( 254751 ) on Saturday January 29, 2005 @11:57AM (#11513875) Homepage Journal
      Fact: Much of what winders suffers from is incompetent users. Nothing is really stopping the developers from writing spam bots for windows because idiot users on Linux could run bad code just as easily as idiot users on windows.

      For now, yes, but as SELinux, or RSBAC, or any of the Mandatory Access Control, role based systems gain popularity in mainstream Linux (and SELinux, for now, seems to be the best candidate on the popularity front), the ability for idiot users to run bad code goes down massively.

      Yes, in theory an idiot user could run bad code, but under a well implemented SELinux policy, while the code may run, it wouldn't actually have rights to do much of anything. At worst it might be able to fill up the home partition with useless data, or something along those lines, but spam bots and zombies and mass mailing viruses would be a far more difficult task to write indeed. A sufficiently smart idiot could grant the process the rights to do what it wants, but really...

      Yes, such a system is not a cure all. People can still do bad things to themselves, and no matter how well you build it, there's always an idiot who can break it. It does, however, significantly raise the security bar on what it is easy to trick a user into doing.

      Jedidiah
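To make the point of the post above concrete (that under mandatory access control the code may run but has no rights to do much), here is a small added illustration that is not the poster's code and not part of SELinux itself: a toy evaluator for SELinux-style type-enforcement `allow` rules with a default-deny decision. The domain and type names (`untrusted_t`, `user_home_t`, `port_t`, `bin_t`) and the four-rule policy are constructed for the example; a real SELinux policy also has attributes, domain transitions, MLS levels and hundreds of object classes, all of which this evaluator ignores.

```python
"""Toy SELinux-style type-enforcement evaluator (added illustration, not
SELinux's own code). It parses a few `allow` rules written in TE syntax
and answers "may this domain perform this permission on that type?" with
default deny. Every type name and rule below is constructed for the example."""
import re

# allow <source_domain> <target_type>:<object_class> { <perm> <perm> ... };
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\}\s*;")


def parse_policy(text: str) -> dict:
    """Map (source_domain, target_type, object_class) -> set of permitted perms."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules


def allowed(rules: dict, domain: str, target: str, cls: str, perm: str) -> bool:
    """Mandatory access control: anything not explicitly allowed is denied,
    regardless of which user launched the process."""
    return perm in rules.get((domain, target, cls), set())


# Constructed policy: the ordinary user domain may read/execute system binaries
# and open outbound TCP connections; a confined "untrusted" domain for code the
# user was tricked into running may only scribble in the home directory.
TOY_POLICY = """
allow user_t user_home_t:file { read write create };
allow user_t bin_t:file { read execute };
allow user_t port_t:tcp_socket { name_connect };
allow untrusted_t user_home_t:file { read write create };
"""

# What a mass-mailer or spam bot would need to do, expressed as (target, class, perm).
SPAMBOT_ACTIONS = [
    ("user_home_t", "file", "write"),           # fill up $HOME: still permitted
    ("port_t", "tcp_socket", "name_connect"),   # talk to the network: denied
    ("bin_t", "file", "write"),                 # replace a system binary: denied
    ("bin_t", "file", "execute"),               # run system tools: denied
]


def simulate(domain: str, actions) -> dict:
    """Return {"target:class perm": decision} for each requested action."""
    rules = parse_policy(TOY_POLICY)
    return {f"{tgt}:{cls} {perm}": allowed(rules, domain, tgt, cls, perm)
            for tgt, cls, perm in actions}


if __name__ == "__main__":
    # Same bad code, two different domains: only the confinement differs.
    for dom in ("user_t", "untrusted_t"):
        print(dom, simulate(dom, SPAMBOT_ACTIONS))
```

Running it shows the contrast the post describes: in `user_t` every action is permitted, while in `untrusted_t` the only thing the code can still do is write to the home partition. The security gain comes entirely from the policy author having placed the downloaded code in a confined domain in the first place, which is exactly the "well implemented policy" caveat in the post.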
    • You can protect the stupid people from the world if you want, but you can't protect them from themselves.

      Rather the reverse I would say. You can't protect stupid people from the world. Too many of them to protect. One can only protect oneself from the stupid people. Which is why I install firewalls, AV, programs and update patches. Depending on Microsoft to do it for you just is asking for someone to exploit you.
    • by Anonymous Coward
      Fact: Much of what winders suffers from is incompetent users.

      NO! This is fiction. Let's look at the history:
      1. Blaster - all you have to do is hook up an unfirewalled system to the Internet and you got it. Up until recently, all Windows systems were unprotected until patches were downloaded from the 'net which required... you guessed it! connection to the Internet.
      2. SQLslammer - all you have to do is have SQLserver running on your machine and connected unfirewalled to the Internet. The biggest problem i
    • "Much of what winders suffers from is incompetent users."

      That's only partly true. The vast majority of the problem with Windows is that it demands that its users do stupid things, and frequently does stupid things automatically on the user's behalf -- usually without giving any indication that it's doing those stupid things.

      Writing malware for Linux is no different from writing malware for Windows, except for one crucial detail: Windows will automatically install and run the malware, while Linux requires
  • by KiloByte ( 825081 ) on Saturday January 29, 2005 @11:35AM (#11513692)
    This is the classic case of a kettle calling the refrigerator black.
  • by Anonymous Coward on Saturday January 29, 2005 @11:36AM (#11513697)
    If he was wrong, why would Red Hat et al sell service contracts and make money off of them? They accept that money in return for accountability, responsibility, and SLAs - all of which a major corporation will demand and which are not present in the pure open source model.

    So, he's right, but he's also wrong in that Red Hat is not responsible for Linux kernel security, but they are responsible for getting patches out for issues discovered.
  • by k4_pacific ( 736911 ) <k4_pacific@NosPam.yahoo.com> on Saturday January 29, 2005 @11:37AM (#11513703) Homepage Journal
    In other news, a representative from Yugo blasted BMW for not putting rear window heaters on their cars. "If you have to push it in the winter, your hands will get cold. What a crappy car."
  • by michelcultivo ( 524114 ) on Saturday January 29, 2005 @11:37AM (#11513705) Journal
    From Bruce Schneier [schneier.com] "Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that an unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) have an online mean life expectancy of 3 months before being successfully compromised." I think the term is not "more secure" but "less vulnerable".
    • *nod* Judging from the number of ssh attempted login scans, there are a fair number of compromised Linux boxes out there. :-(

      I'm starting to get really annoyed with Open Source people patting themselves on the back over security when stuff like that last thing where the people tried to get someone responsible for Linux kernel development to accept a security related patch, and ended up having to get an article on Slashdot before it happened.

      Security doesn't just magically happen. The Open Source development model is the only way to go if you want real security, but it actually requires effort on the part of maintainers to make it happen.

      • > I'm starting to get really annoyed with Open Source people patting themselves on the back over security when stuff like that last thing where the people tried to get someone responsible for Linux kernel development to accept a security related patch, and ended up having to get an article on Slashdot before it happened.

        Hey - maybe if Slashdot carried an article about Windows security problems now and then, they would get fixed too!

    • by AdrianG ( 57465 ) <adrian@nerds.org> on Saturday January 29, 2005 @01:30PM (#11514477) Homepage

      There's another important point that I haven't seen anyone mention: There's an important difference between exploitable design flaws and exploitable implementation flaws. When implementation flaws are exploited, those flaws can usually be fixed without removing essential functionality upon which legitimate users may have come to depend. When design flaws are exploited, the design must be changed to correct those flaws, and to do this, it is often necessary to frustrate the legitimate expectations of real customers.

      I've seen a number of people repeat the naive argument that when there are more Linux users, we will have the same problems with viruses that Windows users have. This argument only makes sense if we ignore MicroSoft's irresponsibility in the design of their software. MicroSoft has knowingly and repeatedly committed to designs that are fundamentally flawed. These design flaws include things like adding powerful, general purpose programming languages and macro languages for applications like word processors, and then adding automatic processing of these files in Mail User Agents. Keep in mind that during the '80s, MicroSoft, along with the rest of the computer industry, faced repeated hoaxes of email viruses, and had to offer again and again to customers the explanation that email could not carry viruses because it did not carry executable content. When MicroSoft made the decision to add automatic handling of executable content to their email systems, they could not have been ignorant of the fact that easy proliferation of viruses would be a consequence of their decision.

      MicroSoft has generally been reluctant to fix the design flaws in their software, because they are committed to some level of backward compatibility. Of course, responsible designs, up front, might have made this commitment less problematic. The result has been a flourishing industry for anti-virus software. We now go to third party vendors to make up for the poor quality of MicroSoft software and for their unwillingness to take responsibility for their own mistakes.

      My experience with widely used Linux software is that the stuff that becomes popular is usually designed much more thoughtfully than is typical of MicroSoft's products. Serious security design flaws are denounced quickly, and perhaps more rudely than is really required. While the vetting process for Linux based software is far from perfect, it has clearly been much more successful than MicroSoft's persistent irresponsibility. I regularly follow email lists about security flaws in Unix/Linux systems, and the vast majority of those flaws are implementation flaws rather than design flaws. The flaws for Linux in particular are quickly addressed, and patches are released. While I'm aware of virus scanners that run on Unix and Linux systems, to me they seem focussed on scanning email and files for Windows viruses. They are Unix and Linux based because Unix/Linux machines are often file servers and email gateways for Windows systems, and not because there is any problem with viruses that attack Unix/Linux systems.

      Finally, Linux developers have not been required to cover for their perjury in the courts and have not been nearly so tempted to violate that maxim of software development that every Computer Science student learns in school: Software should be modular. It should be divided into separate modules, where each module does its job. The interfaces between modules should be clean and simple. Applications should not ever be integrated into the core of operating system. A consequence of rational design in the Unix/Linux world is that software upgrades are far less problematic. I routinely tell my Linux systems to go grab all the relevant updates at SuSE's web site and apply them automatically, and while I have faced occasional, minor problems, I have never once had a serious problem with any such update. Every Windows administrator knows that each new update carries with it a substantial risk of rendering his systems inoperab

  • by grasshoppa ( 657393 ) on Saturday January 29, 2005 @11:37AM (#11513706) Homepage
    You see, it's called marketing. He is saying exactly what big wig CIO/CEO/C[A-Z]{2} understand and like to hear. Accountability. That's a big thing to most corporations.

    Now, him saying that Redhat can't improve the kernel is simple BS, and could either be a fundamental lack of understanding on his part, or just a flat out lie. Given his position, I'm guessing it's a lie. Redhat ( as have most distributors ) patches the kernel with its own magic, and will often update it on its own.

    Cliff notes: MS marketing with head in sand. News at 11.
  • Excellent marketing (Score:5, Interesting)

    by vijayiyer ( 728590 ) on Saturday January 29, 2005 @11:39AM (#11513716)
    This is another example of Microsoft's marketing prowess. They know that IT managers want to hear about vendor accountability, single source solutions, etc. Those who still are using only Windows are probably not technically competent enough to see through the FUD. The truth is irrelevant here.
  • Ho-hum (Score:5, Insightful)

    by twilight30 ( 84644 ) on Saturday January 29, 2005 @11:40AM (#11513724) Homepage
    Move along, people. Nothing to see here. There's no point in getting pissed off about this; Microsoft shills are liars and exaggerators.

    I will never forget -- seeing as how it happened only on 19 December just gone -- about my broadband installation. Not wanting to rock the boat nor confuse the cable installer guy, I rebooted into XP just prior to his arrival. He hooked my old beater celery up with DHCP and I surfed for about ten minutes. I thanked him and he left.

    So I figured I'd do the decent thing and do the security updates. ...

    Eight hours later, I cleaned off the last of the spyware, adware, malware horseshit.

    To Nick McGrath: Fuck off and die, you wanker. How much you want to bet your router at home runs a Linux variant for firewalling purposes?
  • by m50d ( 797211 ) on Saturday January 29, 2005 @11:40AM (#11513725) Homepage Journal
    They take responsibility for their distribution. They will patch their kernel if anything seems wrong with it. From time to time they pay for an audit. Similarly the debian people vouch for their kernel, and so on. The vanilla kernel.org kernel is only accountable to the kernel.org people, true, but most "enterprise" distribution makers will stand up for every package they distribute.
  • by nharmon ( 97591 ) on Saturday January 29, 2005 @11:40AM (#11513727)
    From Windows XP's EULA:

    LIMITATION ON REMEDIES; NO CONSEQUENTIAL OR OTHER DAMAGES. Your exclusive remedy for any breach of this Limited Warranty is as set forth below. Except for any refund elected by Microsoft, YOU ARE NOT ENTITLED TO ANY DAMAGES, INCLUDING BUT NOT LIMITED TO CONSEQUENTIAL DAMAGES, if the Product does not meet Microsoft's Limited Warranty,

    So, are we to believe that if Windows crashes my data, that I can hold Microsoft accountable?

    At least with Linux I have access to the source code, and can hire programmers to scratch my itches for me. Somehow, I don't think microsoft would give out source code if they went under.
  • by Malfourmed ( 633699 ) on Saturday January 29, 2005 @11:40AM (#11513732) Homepage
    McGrath is not making a technical argument, but a management/legal one. In business, security (ie peace of mind) is not defined by the tightness of a piece of code but by who you can make accountable for any failure.

    Microsoft at least is the clear and sole owner of its product. Though any single customer's ability to make it responsible for product deficiencies is slight at best, a statement of "we're here and responsible for our stuff" is superficially reassuring.
    • Superficial... (Score:3, Informative)

      by rhsanborn ( 773855 )
      ...especially because they claim they are explicitly not responsible for anything.
    • by Coryoth ( 254751 ) on Saturday January 29, 2005 @12:06PM (#11513946) Homepage Journal
      I think the difference doesn't actually look good for Microsoft really. Yes they say

      "we're here and responsible for our stuff"

      but phrased a little differently, what they're really saying is that in all the world there's only one company that has sufficient faith in Microsoft OS software that they're willing to be responsible for it (and if you read the EULA they're not responsible anyway). In contrast Linux has many companies who are all sufficiently confident in Linux that they're willing to stand up and actually take responsibility for it. Why are they so confident? Because they know that even if a problem is found they can fix it themselves and provide that fix to their customers.

      Personally I'd be more willing to trust the system that has lots of companies wanting to step up and offer to be responsible. If I wanted accountability I'd pay one of those companies to be responsible for any issues, rather than Microsoft, standing alone, claiming they are responsible "sort of, in a way, maybe".

      Jedidiah.
    • Fair point - in which case as the IT manager for over 26 networked and interconnected offices **I** am responsible for security - for all our boxes regardless of whether they run Windows or Linux (we have 26 Windows servers and 4 Linux servers in our empire).

      Microsoft's products are just tools we use to run the business and if the tool's broken it is *MY* job to ensure we get it fixed - 'getting it fixed' in this case might be to refer to the manufacturer (ie: M$) to see whether they have fixed it and if
  • by Taladar ( 717494 ) on Saturday January 29, 2005 @11:41AM (#11513739)
    Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
    From these words I conclude that any business that lost time/money from Security Holes or Bugs in Windows they can go to Microsoft and present a bill which Microsoft will gladly pay.
  • by Staplerh ( 806722 ) on Saturday January 29, 2005 @11:43AM (#11513746) Homepage
    Come now. This is ridiculous:

    I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.

    This is true, I will agree.. in my humble opinion. Let's save the editorializing for the comments. This is 'News for Nerds' - this sort of snide comment has a place in an Op/Ed page, but certainly not the 'front page' of a news site. I suppose there are divergent ideas of what Slashdot really is, but I think that endeavouring to be unbiased would be great.

    I'm not meaning to troll or to be 'flamebait' here, just to point out a disturbing trend I've noticed in biased story submissions.
    • by Jerf ( 17166 ) on Saturday January 29, 2005 @12:27PM (#11514069) Journal
      I'm not meaning to troll or to be 'flamebait' here, just to point out a disturbing trend I've noticed in biased story submissions.

      I tend to agree that there is a trend problem, though it isn't the mere presence of editorializing; that's always been there. It's the breathtaking inanity of the editorials of late, both from submitters and the editors. One good way of measuring the information value of a piece of information is the extent to which it is a surprise; I see a surprising editorial comment about once a week now (like "this wasn't really Microsoft's fault, you have to blame the user for giving his password out to a stranger"), the rest are total Slash-think that can and have had Perl scripts written to replace them. ("Go away, or I shall replace you with a very small shell script.")

      The only thing maintaining Slashdot's reputation is Slashdot's reputation, and that's a formula for a dangerous and sudden collapse. Were I economically dependent on Slashdot, that would concern me.

      But this particular editorial does have the virtue of being almost empirically true. Microsoft, as the current owner of the least secure software in common use, just isn't in a position to be criticizing others about security. Evidently, whatever things they are trumpeting about themselves must not be important, because they are clearly not being reflected in actual results. Something that, if provided, most IT managers will prefer even over the ever-popular empty platitudes, and most IT managers are hardly able to ignore the results of Microsoft security.
  • by bennomatic ( 691188 ) on Saturday January 29, 2005 @11:44AM (#11513758) Homepage
    Microsoft isn't a software company. They're a marketing company. They do what it takes to sell whatever they've got. I used to say that MS could pipe all their employee toilets into a packaging facility and sell Microsoft Excrement at a profit. With their marketing muscle, they could find an audience for just about any product.

    Unfortunately, part of marketing, especially when your product is getting negative publicity, is pointing out perceived flaws in competing products. I believe the term often used is FUD, and it's nothing new or unique to MS. Heck, it's pretty much how GWB won a second term.

    When it comes to this sort of thing, they have a wide latitude of opinions they can express, especially when there is no Linux, Inc. to sue them for slander. The Linux community, however, has been quite good at spreading the word about MS badness; they're just trying to do the reverse because their feelings are hurt.

  • by agraupe ( 769778 ) on Saturday January 29, 2005 @11:44AM (#11513760) Journal
    Here's my personal evaluations of security differences:

    Spyware:
    Windows: I run a spyware checker every week or two, and it almost consistently finds new spyware.
    Linux: Is there a spyware checker for linux? Does there need to be? I know that my Linux box runs consistently fast, and has no search bars.
    Edge: Linux

    Default Habits:
    Windows: The Windows XP install, by default, seems to create an Administrator account with no password, no User account, and no suggestion that there should be a user account. Also, there are many services that are on by default that really shouldn't be.
    Linux: All linux distros I've used require a root password, and strongly emphasize that root is not to be used for day-to-day computing. Depending on the distro, most unnecessary services are off by default.
    Edge: Linux

    Updating:
    Windows: Use an insecure browser, tied to the OS itself, to browse to Windows Update, wherein the system is updated. Note that these updates have a nasty habit of breaking things, and this does not update third-party software which may be vulnerable.
    Linux: sudo apt-get update; sudo apt-get upgrade
    OR sudo emerge sync; sudo emerge --update world
    Edge: Linux

    Do I need to go on?

  • by jonastullus ( 530101 ) on Saturday January 29, 2005 @11:45AM (#11513767) Homepage
    i really don't want to play down the problems linux has with its development model and i sure have heard great things about the microsoft development process!

    but i'd rather have a more secure system now, which lacks in development stringency, than a provenly unsafe system which can prove exactly when, why and how their bugs came into the system...

    microsoft is just far too lax concerning their outward security policy (like not caring about the blatant RC4 exploit). their "patch day" with all those patches that never quite close the exploits is just a farce!

    well, gnu/linux with all its applications has had a bad streak of exploits as well recently and i would strongly recommend a stricter development process, but if i were microsoft i'd definitely tone down on the linux-is-insecure-and-lacks-accountability bashing and instead invest some serious effort in making my own product look a little more convincing and less like the bug-ridden security hole that it is!

    jethr0
  • by Nova Express ( 100383 ) <lawrenceperson.gmail@com> on Saturday January 29, 2005 @11:47AM (#11513782) Homepage Journal
    Michael Moore accused Paris Hilton of being "too fat."

    Mike Tyson accused Michael Jordan of being "violent and out of control."

    And Richard Simmons accused Charlton Heston of being "way too gay."

  • by Roguelazer ( 606927 ) <Roguelazer.gmail@com> on Saturday January 29, 2005 @11:49AM (#11513806) Homepage Journal
    "there is no single Development Environment for Linux as there is for Microsoft"

    Yes, what a good point. There are multiple DE's for linux. This is a bad thing, because it means developers have a choice. There should only be one piece of software for each category, and it should be manufactured by Microsoft. Choice is bad, people!

    • I'm not sure that's what he meant. Because, after all, there are multiple development environments for Windows as well. Borland, Microsoft, heck you can even get emacs, kdevelop, etc. running in Windows.

      I agree with you that multiple options for development environments are good, I'm just not sure that's what he was implying.
  • Hm (Score:5, Insightful)

    by Lisandro ( 799651 ) on Saturday January 29, 2005 @11:52AM (#11513824)
    Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.'

    Why, of course he does. That's his job.

    In other stories, water's wet, sky is blue and women have secrets. More news at 10!
  • by Noksagt ( 69097 ) on Saturday January 29, 2005 @11:52AM (#11513828) Homepage
    Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft
    What does this mean? Sure, there is Anjuta, KDevelop, Eclipse, GNU/X-Emacs, etc. But there are a ton of development environments on Windows too. Is this supposed to be the age-old KDE/GNOME debate?

    If so, isn't a huge advantage of using ANY *nix in production that you don't have to have the overhead of running a graphical desktop environment if you don't need to?
  • The question is (Score:3, Interesting)

    by rikkards ( 98006 ) on Saturday January 29, 2005 @11:54AM (#11513853) Journal
    how insecure would Windows be if you were able to remove IE and Outlook from the picture?
    If Firefox becomes the great white hope for secure browsing on the Internet and the other one where it incorporates calendaring into Thunderbird has as much success as Firefox is getting (can't remember the name for the life of me), could this in itself slow Linux adoption? Windows has improved stability-wise over the last couple of years by leaps and bounds and supposedly they are looking at making it more secure (but I am not holding my breath too much).

    Just a thought.
  • by CajunArson ( 465943 ) on Saturday January 29, 2005 @12:00PM (#11513897) Journal
    First of all, I can't trust this article because it's not digitally signed!
    Now, on to the point. If someone comes out and says: "the default Linux kernel released by most distributions is not secure." I'll say 'hell yes'. Note that this is not what TFA states, it is a much broader screed against open source in general.
    The problem is that if Microsoft wanted to launch a rational attack on Linux's security they would also be attacking their own products. I'm not even talking about the differences between open and closed source here, I'm talking about the ways that Linux and Windows both are susceptible to security issues. Right now most default Linux distributions put out kernels and user-space utilities in a system that assumes every piece of software has to be perfect to ensure security! (especially anything running as root) Windows is basically the same way. Once a hole gets found, it is easily possible to hijack an entire system.
    Now, at this point the arguments between Linux and Windows invariably devolve along the lines of: Linux gives you the source code so you can find the bugs yourself or Windows runs too many services and that's why it's not secure. On the Windows side we get arguments about how you 'can't trust unsigned open-source code!' (which actually does have some merit if you don't check source signatures you grab from some random mirror, but does not really speak to the OSS development model). The problem is that these arguments are more about which system is easier to band-aid than which system is innately more secure.
    Let's really look at default Linux vs. Windows. Both have admin and user accounts, both follow a similar model of discretionary access controls, both can be hacked remotely although windows tends to get hit more because it runs too many standardized services.
    The point of this very long rant is that Linux does indeed have security problems that are not of a nature much different than Windows. I would say the better track record of Linux so far is NOT due to it being open-source; that does help finding bugs, but plenty of Windows bugs are found and fixed before the Windows boxes are hacked. Instead it's because Linux (with some exceptions) does not install a bunch of stuff by default, Linux systems are not as homogeneous as Windows systems (software monoculture time), and Linux admins have historically been better than Windows admins (this is definitely something that will be subject to change in the next few years).

    So is there a solution? Well, nothing is ever going to be perfect, but systems like SELinux and GRSec are big improvements because instead of saying "the whole system is perfect" they instead say "components in this system will be compromised, how do we isolate and protect it?"
    There's a problem though: these systems require old-time Linux users to deal with new restrictions they might not want to deal with. I promise you that SELinux policies that work great on a production webserver would drive you insane on a development box, but you need to protect both machines; a hacker will target both.
    I'll save my rant on Microsoft's security for when this story gets duped; it's another mess entirely. Just because MS is foobarred should not be an excuse for not looking to find and fix problems in Linux.
  • by CharonX ( 522492 ) on Saturday January 29, 2005 @12:06PM (#11513948) Journal
    Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
    Er... and who is accountable for the Security for Windows?
    Microsoft?
    Internet-swiss-cheese-security-Explorer Microsoft?
    And will Microsoft take responsibility for their security holes? Will they pay for the damages caused by crashes and exploits for their buggy software?
    Maybe if they get their software quality up to a reasonable level they can START asking questions, but as long as they are as bad as now, they better keep their mouths shut, or they'll have to stuff their own feet in them.
  • Lack of what? (Score:5, Insightful)

    by kidlinux ( 2550 ) <duke@@@spacebox...net> on Saturday January 29, 2005 @12:15PM (#11514004) Homepage
    This "lack of accountability" argument is bullshit. Why does Microsoft have an EULA for its software? To cover their asses so they can't be held accountable for damages caused by their shitty software. When was the last time Microsoft was taken to court over losses due to poor software? If they could be held accountable, they'd get sued right out of business!
  • by raddan ( 519638 ) on Saturday January 29, 2005 @12:28PM (#11514078)

    Aside from the fact that there are no references to back up any of the claims that this McGrath fellow is making (I'd even settle for a research firm that was paid-off by Microsoft!), the 'author' of this article wrote a grand total of FIVE sentences. All five of those sentences paraphrase something else that McGrath says. The rest of the article simply quotes McGrath straight.

    There's no discussion of the points, no consideration of other factors, and as far as I can tell, no fact-checking. There is simply no journalism happening here. I know I can simply move on, but it irritates me to know that some CIO out there (probably mine) will take this all in without a second-thought.

    The shortcomings of the Windows OS are OBVIOUS to anyone who has to admin these systems in a real production environment, and even more apparent to those of us who have the pleasure of also running other [openbsd.org] systems [apple.com]. Just imagine what Windows might be like if they spent half of their propaganda budget on fixing the freaking software.

  • by JGski ( 537049 ) on Saturday January 29, 2005 @12:47PM (#11514195) Journal
    Microsoft is using pretty much the same arguments that creationists use against evolution.

    As we all know, Open Source Software development is structurally similar to the scientific method and evolution in terms of how "new things" are created by the these systems. Similarly, what Microsoft is claiming is that software can't be created well "at random" through emergent means (we know that's a crock) but needs "the Hand of an intelligent Creator" to control everything (Microsoft == God, apparently). Ergo: Microsoft is claiming that only "Creationist Software" is good software - "Evolutionary Software" is evil software.

    I think this could be a useful angle of attack against Microsoft FUD: they are advocating creationism and faith-based solutions to computer science.

  • related articles (Score:3, Informative)

    by Deanalator ( 806515 ) <pierce403@gmail.com> on Saturday January 29, 2005 @12:48PM (#11514199) Homepage
    I like the related articles at the bottom of the page.

    RELATED ARTICLES

    * Microsoft to axe Windows 2000 security upgrades
    * Microsoft enhances SQL 2005 security
    * Viruses plague half of UK Windows users
    * Linux fights off hackers
    * Busy day for Linux administrators
    * Industry giants offer Linux consumer boost
    * Windows open to critical vulnerabilities
  • by smchris ( 464899 ) on Saturday January 29, 2005 @12:57PM (#11514262)

    I only have to wrap myself up in the warm and protective arms of a Microsoft EULA to feel the shielding umbrella of accountability.

    McGrath slays me.
  • by karlandtanya ( 601084 ) on Saturday January 29, 2005 @02:04PM (#11514686)
    CYA is the name of the game.

    In making a business decision, it's unlikely for anyone to take responsibility. The larger the business, the smaller the likelihood. It's not an issue of cowardice; the risks simply don't outweigh the rewards.

    So, the question "who do you blame" is a legitimate question. System fails, clients sue company, company pays clients, insurance company pays company; insurance company sues vendor.

    In business, those who take chances are the people who create the great successes and the great failures. These people exist. They are not the norm.

    "Nobody ever got fired for buying IBM." The point is not that this is true. The point is that people say (or said) this. They're saying that if you're working for someone and you want to keep your job, you make the safe decision.

  • by analog_line ( 465182 ) on Saturday January 29, 2005 @02:07PM (#11514713)
    'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.'

    And who, pray tell, is accountable for the thousands of holes that have left Windows users open to viruses, trojans, and other malicious uses of their hardware? Billions of dollars in money thrown into the toilet fixing the results of nonexistent to pathetic security in Windows, with an EULA that specifically absolves Microsoft of all blame if anything goes wrong using their software, and they have the gall to claim that they are accountable for Windows?

    Should I be submitting my bills to Microsoft instead of my clients when their poorly designed, poorly implemented software causes them to need my services for hours on end, making them unable to do work, let alone pay my fees?
  • by Gary Destruction ( 683101 ) * on Saturday January 29, 2005 @02:16PM (#11514760) Journal
    Why is Microsoft complaining about the security liability of Linux when they're writing and selling a desktop for it?
  • by tgibbs ( 83782 ) on Saturday January 29, 2005 @03:34PM (#11515186)
    Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?

    I applaud Microsoft's recognition of the importance of accountability. I look forward to reading Microsoft's revised license agreement, in which Microsoft will presumably accept liability for consequential damages resulting from security flaws of Microsoft products.
  • by mnmn ( 145599 ) on Saturday January 29, 2005 @03:44PM (#11515255) Homepage
    I entered the address of a website; it wasn't a particularly nasty site, just something resulting from a Google search.

    And it automatically installed a spyware application. No YES/NO dialogues, it just installed it. After that I saw attempts at outbound port 6667 to various external servers.

    Now I do manage servers that hold financial data, and servers with ERP software that run the company.

    I ask you, Microsoft, can you be held accountable if our company melts down should malicious spyware enter the system with their authors intending to corrupt our backups and bring everything down?

    Will you pay us the millions that we lose as we lose our customers?

    Will you as a result of such a catastrophe give us an OS that does NOT allow such breaches of security?

    I understand IE in Windows 2003 is more secure, and we should never browse for anything on the server itself... etc. However Windows 2003 has not matured enough to bring out the bugs, while Windows 2000 has issues even after SP4, and after Microsoft will cease to provide bugfixes for it.

    We replaced our firewall with OpenBSD. We simply cannot find a reason to upgrade it from the 3.4 version, since the older version is so secure. Hell yeah we've had attacks of all kinds, to almost all ports, syn cookies, even DDoS-type attacks that slowed the Internet connection, but we're still up, and without ever having an issue for over two years of OpenBSD operation.

    Coming back to Linux, which is also a UNIX clone, and which has more eyeballs on it, and more companies taking responsibility for it, tell me, should I pay for a crappy OS with someone behind it you can point fingers to, or a nice OS with no person behind it simply because you'll never have to point fingers?
  • responsibility (Score:4, Insightful)

    by belmolis ( 702863 ) <billposer AT alum DOT mit DOT edu> on Saturday January 29, 2005 @04:33PM (#11515598) Homepage

    If Microsoft is so concerned about responsibility for security flaws, why is it that they don't offer indemnification for users hurt by their software?

  • Mission Critical (Score:4, Informative)

    by sparkz ( 146432 ) on Saturday January 29, 2005 @08:26PM (#11516993) Homepage
    He goes on to say that 'Linux is not ready for mission-critical computing.

    In general, I agree with him on this (I have not RTFA yet). Nor is Windows, of course, but that's taken for granted. Of course, it depends how critical your mission is. "Mission-Critical" is one of these phrases which is bandied around, but let's consider what it means....

    "The mission depends on this system".

    That still does not define the extent to which the mission depends on it - 80%? 90%? 100%? Nobody offers 100% availability, if that's what you're referring to.
    The phrase also ignores the mission involved. For NASA, the Mission might be to send a man to Mars and back, but what if my "mission" is to run a website which expects to get 3 hits a month with a 60% expectation of success? An Atari could cope with that - my mobile phone could probably cope with that!

    Taking the phrase in the way it's normally meant (running systems which are responsible for a significant amount of the user's business, and the failure of which would cause significant disruption of the business process and/or profit), then the whole discussion still depends entirely on the "mission" involved.
    What tradeoffs is the mission prepared to make for uptime, for example? Serving read-only webpages, I care little for data integrity (I've been serving the same data for years, I've got it on tape, CD, DVD, onsite and offsite), and only care about uptime.
    If I'm running a database which is updated many times a minute, then uptime still matters to me, but I also need to know which transactions have been fully processed, and which have failed (given Failure Scenario N, which may or may not have been predictable). That is much more difficult.

1 + 1 = 3, for large values of 1.
