
Steve Ballmer's "executive letter"

For the curious, here is Steve Ballmer's letter attacking Linux. "According to statistics posted on the security Web site Secunia, Red Hat Enterprise Linux 3 has averaged 7.4 security advisories per month, compared with 1.7 advisories for Windows Server 2003. And as Yankee Group noted in its Linux, UNIX and Windows TCO Comparison study, 'Linux-specific worms and viruses are every bit as pernicious as their UNIX and Windows counterparts - and in many cases they are much more stealthy.'"

Steve Ballmer's "executive letter"

Posted Oct 27, 2004 18:11 UTC (Wed) by flewellyn (subscriber, #5047)

Uh huh.

The fact of note here is that yes, Linux systems do have more security advisories than Windows. This is not, however, a point in favor of Windows. It means that security holes in Windows are just not publicised, MS relying on "security through obscurity".

Plus, read the advisories. Often they are of the form "such and such bug was found which could, in theory, lead to this kind of attack, patching just in case" for the FLOSS side of things; I've read a great many such advisories that said "no known exploit, but...". On the other hand, getting MS to fix a security hole requires massive exploitation of the hole before they notice.

So, really, Mr. Ballmer is just shooting his own leg off.

Steve Ballmer's "executive letter"

Posted Oct 27, 2004 19:37 UTC (Wed) by xorbe (guest, #3165)

Someone would need to sit down and sift through each bug individually, and ascertain if it affects what could be considered the "core OS". That means throwing out all the Office, WMP, Apache, and PhpNuke bugs, etc. Like _anyone_ on either side of the fence is going to do that. And "core OS" is unfortunately open to debate...

Steve Ballmer's "executive letter"

Posted Oct 27, 2004 21:05 UTC (Wed) by balazs (subscriber, #4704)

"Someone" did.
http://www.theregister.co.uk/2004/10/22/linux_v_windows_s...

Steve Ballmer's "executive letter"

Posted Oct 28, 2004 9:49 UTC (Thu) by xose (guest, #535)


The full report:

Security: Linux versus Windows (HTML).

Security: Linux versus Windows (PDF).

Steve Ballmer's "executive letter"

Posted Oct 28, 2004 10:19 UTC (Thu) by janamanohar (guest, #25711)

Looks like Ballmer has just replaced Windoze with Linux and Linux with Windoze. I think you can do much better than these words.

Is it possible to come out in public with identical machines, 1 with Windows and 1 with Linux, and have an analysis of the performance for a period of time? Something similar to a public contest. That should put M$ once and for all to sleep. The facts will be in the open.

Steve Ballmer's "executive letter"

Posted Oct 28, 2004 14:33 UTC (Thu) by mmarq (guest, #2332)

"So, really, Mr. Ballmer is just shooting his own leg off."

Not really yet!... This should not be a matter of propaganda,...

So why does not IBM, HP, RH, Novell,... just raise the price of 'support services' concerning networks with Windows(tm) machines or with Windows(tm) machines in 'strategic places'...

THAT WOULD BE THE DECISIVE ANSWER... to all this BS propaganda,... and for the first time in recent times MS would be helpless and uncovered, because no partner would stick their neck out in such an exponentially growing threat,... EVEN KIDS CAN EASILY EXPLOIT WINDOWS(tm)...
http://metasploit.com/
... and they do not have a REAL 'Services' body inside MS (smart, no?), because they are only positioned to *sting* users into buying more MS stuff...

So it is time for the 'Services Providers' on the "Fair" side of things to *Get Serious*.

dude....

Posted Nov 1, 2004 13:56 UTC (Mon) by mdekkers (guest, #85)

fix your caps-lock key.....

Steve Ballmer's "executive letter"

Posted Oct 27, 2004 18:27 UTC (Wed) by martinfick (subscriber, #4455)

This article makes it plainly clear that MS is being hit hard for security and they are desperately trying to distract people. Seems like a failing strategy. You can throw stones all day long at your competitors, but at the end of the day it will be hard to retain your customers if your OS is being repeatedly compromised.

Steve Ballmer's "executive letter"

Posted Oct 27, 2004 23:58 UTC (Wed) by man_ls (subscriber, #15091)

True, but what did you expect him to say? "We are doomed and we will fall fighting"? I will be very scared the day I hear from Microsoft: "We are porting all our applications to Linux, and we will embrace and extend the platform".

"Embrace and extend" Linux?

Posted Oct 29, 2004 15:23 UTC (Fri) by smurf (subscriber, #17840)

What'd be the problem with M$ "embracing and extending" Linux?
They can't do anything about the kernel, that's GPL'd. The rest is a matter of dynamically linking with Wine.

The whole idea sort of presupposes that Microsoft is capable of understanding what Linux is all about in the first place, and somehow I doubt they can.

There's a reason why the Mac's MultiFinder's credits once said:
"Incompatibilities: our developers.
Special effects: Microsoft."
I doubt that reason has quietly vanished since then.

comparing RHEL against Windows

Posted Oct 27, 2004 18:48 UTC (Wed) by ndye (subscriber, #9947)

Once again, don't forget that RHEL3 includes a (smaller-than-some-other-distributions) pile of applications with security advisories, while Windows excludes Office, Acrobat, etc.

Steve Ballmer's "executive letter"

Posted Oct 27, 2004 18:48 UTC (Wed) by pjs (guest, #10927)

Every month, running Windows Update seems to have more than 1.7 "critical" updates... and each one patches MANY problems. Maybe they aren't "advisories" in Steve's world-o-spin?

Steve Ballmer's "executive letter"

Posted Oct 27, 2004 18:49 UTC (Wed) by JoeBuck (subscriber, #2330)

Linux-specific viruses are so stealthy that they appear not to exist (other than "proof of concept" viruses trumpeted by some anti-virus companies).

Steve Ballmer's "executive letter"

Posted Oct 27, 2004 19:04 UTC (Wed) by jwb (subscriber, #15467)

Well, he has a point. A Linux rootkit is much harder to detect than a regular Linux program. On Windows, getting a list of regular programs and getting a list of running rootkits is equally difficult.

Steve Ballmer's "executive letter"

Posted Oct 27, 2004 21:35 UTC (Wed) by ballombe (subscriber, #9523)

At least Windows certainly cannot be put at fault for giving a false sense of security...

difficulty of detecting rootkits

Posted Oct 28, 2004 1:02 UTC (Thu) by mbp (guest, #2737)

Well, yes and no. I've looked at about five machines with rootkits installed in the last couple of years. In every case it was possible to detect the rootkit while the machine was still running, with a bit of intelligent analysis. (Yes, I did tell the owners to reinstall from trusted media.) In theory there are rootkits which by playing kernel tricks can be absolutely undetectable, but the ones I've observed in the wild are not quite that good. Somebody who does security full time might have much better numbers.

The big difference is that by rebooting from any of a number of live CDs you can get Linux back to an absolutely trusted state, from which detecting a rootkit is reasonably easy. This is harder on Windows for several reasons:

* the recovery console is text only, but many useful programs require a GUI

* NT recovery will (by default) not access the disks unless it can read the SAM database and check the administrator password. (Surely one of the most idiotic features ever, given the person is physically on the console and could boot Linux to look at the disks anyhow.)

Given the chance of trying to recover a rooted Linux machine or a rooted Windows machine I'd choose Linux.

(I barely use Windows these days so I may be wrong.)
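As an added illustration of the trusted-state approach in the post above (example code, not from the post or from LWN): a minimal file-integrity comparison that, run under a live-CD kernel against the suspect root mounted read-only, reports which files no longer match a baseline manifest taken before the incident or from clean install media. The mount point, the existence of such a baseline, and the sample tree the demo builds are all assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash one file in 64 KiB chunks so large binaries never load whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its SHA-256.
    Symlinks are skipped: they carry no content of their own worth hashing here.
    Run from a trusted kernel, this walk cannot be lied to by hooks a running
    rootkit may have installed on the compromised system."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline, current):
    """Return (modified, added, missing) as sorted lists of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return modified, added, missing


def demo():
    """Constructed scenario: a temporary directory stands in for the suspect
    root (e.g. /mnt/suspect on a live CD; assumed path). Snapshot a clean tree,
    then simulate a replaced binary, a planted dotfile and a wiped log."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/busybox ls\n")
        (root / "var" / "log" / "auth.log").write_text("clean\n")
        baseline = build_manifest(root)  # what a pre-incident manifest would hold
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\n# tampered\nexec /bin/busybox ls\n")
        (root / "bin" / ".hidden").write_bytes(b"planted")
        (root / "var" / "log" / "auth.log").unlink()
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for label, items in zip(("modified", "added", "missing"), demo()):
        print(f"{label}: {items}")
```

Against a real system, build the manifest of the suspect mount and diff it with the stored baseline; the "missing" list is where wiped logs show up, which is the usual first sign that a box was cleaned up rather than merely patched.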

difficulty of detecting rootkits

Posted Oct 28, 2004 3:01 UTC (Thu) by bojan (subscriber, #14302)

> * NT recovery will (by default) not access the disks unless it can read the SAM database and check the administrator password. (Surely one of the most idiotic features ever, given the person is physically on the console and could boot Linux to look at the disks anyhow.)

Yeah, there is that one. There is also the thing with LocalSystem having more privileges than Administrator. Basically, the system is designed to not trust the very person that is supposed to be in charge of it (eh?). And yet, to bypass that is trivial - just run a service as LocalSystem that leaves a shell open. Not to mention the fact that many services actually already run as LocalSystem, therefore being completely exposed anyway.

Then there is the explanation as to why the graphics drivers should run in the kernel. Here is the summary. In the old NT 3.51, if the graphical subsystem died (which ran in userland), although the kernel stayed up, there was no way to do anything with the system (one needs a GUI to do things on NT). So, the "logical" solution was to put the GUI into the kernel and gain some speed instead. Hello? How about making the system in a way that it can be used WITHOUT the GUI? But no, that would look too much like Unix :-)

And it goes on and on...

difficulty of detecting rootkits

Posted Oct 28, 2004 15:17 UTC (Thu) by mmarq (guest, #2332)

"Given the chance of trying to recover a rooted Linux machine or a rooted Windows machine I'd choose Linux.

(I barely use Windows these days so I may be wrong.)"

If you understand by a rootkit the immense quantity of "Trojan" software out there, and growing, it would not be very smart to let it rest in the care of a single anti-virus/anti-trojan program... it is already a *false security*.

I'm not a real expert in the field, can only talk about my experience, and it seems to me that the question is not which rootkit/trojan 'tends to be' more elaborate, a Windows or a Linux one, because since Linux is much more difficult to penetrate it *must* have a more elaborate rootkit and so a 'trending' more difficult removal...

The question would be: are you willing to face a 'potential Linux rootkit' incident every year, growing perhaps to 2 or 3 incidents a year in the next couple of years, or are you willing to face a 'potential Windows rootkit' incident every month, growing perhaps to an incident every week in the next couple of years?... (it's exponential)

The answer is: 'Support Service Providers', you need to *Get Serious*!

difficulty of detecting rootkits

Posted Oct 29, 2004 1:56 UTC (Fri) by jtc (guest, #6246)

There's some useful information in your post. I'm sure Microsoft would appreciate it if you posted it in their comments/feedback section of the article. Oops! It looks like they don't have a feedback section. [I guess they're rather like the Bush administration: "We don't need any stinkin' feedback."]

Steve Ballmer's "executive letter"

Posted Oct 27, 2004 18:54 UTC (Wed) by xose (guest, #535)

> "According to statistics posted on the security Web site Secunia, Red Hat Enterprise Linux 3 has averaged 7.4 security advisories per month, compared with 1.7 advisories for Windows Server 2003[..]"

Maybe because RHEL 3 is more than an OS. It brings a lot of software (database, NFS, HTTP... servers, developer tools, libraries, ...)

Windows is _only_ an OS.

Steve Ballmer's "executive letter"

Posted Oct 27, 2004 19:06 UTC (Wed) by lacostej (subscriber, #2760)

Don't forget the calculator, IE, Windows Media Player, Notepad and of course solitaire :)

Steve Ballmer's "executive letter"

Posted Oct 28, 2004 7:55 UTC (Thu) by petegn (guest, #847)

Has anyone looked into the ownership of Secunia? I would not mind betting there is a lot of M$ Corp in there, maybe even old motor mouth Ballmer.

Boy, would I love to meet that little weasel; got the brain of a dead slug and the FUD engine to go with it. Hey Ballmer boy, read my lips: your company is dying. You extort money from your staff to pay the so-called donations that you give out. What with billy boy and ballmer boy, ol' M$ Corp is on a downer :@-)....:-)...:-)..

Well, you gotta have a knock now and then, know what I mean...

Pete.

Useless rant

Posted Oct 28, 2004 8:06 UTC (Thu) by man_ls (subscriber, #15091)

What's the use of posting your rants here other than get filtered out by reasonable people? Read the advice in the comment editor:
Enter your comment text below. Please try to be polite, respectful, and informative, and to provide a useful subject line.

Useless rant

Posted Oct 28, 2004 14:07 UTC (Thu) by nix (subscriber, #2304)

His definition of a `dying' company is unusual, too, as is his apparent belief that slugs engage in massive FUD campaigns.

A stronger argument for the restriction of drug use I have never seen... ;}

Steve Ballmer's "executive letter"

Posted Oct 27, 2004 19:18 UTC (Wed) by lacostej (subscriber, #2760)

"In part, this is because of the "many eyeballs" maxim of open source software that claims a correlation between the number of developers looking at code and the number of bugs found and resolved. While this has some validity, it is not necessarily the best way to develop secure software. We believe in the effectiveness of a structured software engineering process that includes a deep focus on quality, technology advances, and vigorous testing to make software more secure."

Can someone tell me how a "structured software engineering process that includes a deep focus on quality, technology advances, and vigorous testing to make software more secure" is incompatible with F/OSS? Aren't both (the process and the eyeballs) combined in some of the most important pieces of software made by the FOSS community?

Isn't Linux developed using a structured software engineering process?

Tadada. Keep talking Steve.

How to beat Linux in TCO studies

Posted Oct 27, 2004 19:50 UTC (Wed) by dmarti (subscriber, #11625)

If you're looking to go into the IT analyst business, all you have to learn is this seven-step guide to making Microsoft TCO look lower than Linux's:

1. Put Linux on a mainframe, Microsoft Windows on an x86 system. (yes, it's been done!)

2. Assume all IT staff are fully trained on Microsoft products and ignorant of Linux, and put "retraining" costs in Linux's column.

3. Assume all non-IT staff will require retraining on Linux desktops but not on new Microsoft product versions.

4. Keep anti-virus software costs out of the Microsoft column.

5. Load up the Linux column with the most expensive proprietary management and RDBMS software; use Microsoft's less-expensive or bundled competitors on the Microsoft side.

6. Compare Microsoft server license prices to Linux distribution support fees without adding in any required Client Access Licenses on the Microsoft side.

7. Throw in an OSRM contract on the Linux side.

How to beat Linux in TCO studies

Posted Oct 27, 2004 20:25 UTC (Wed) by corbet (editor, #1)

8. Ignore costs of worm infections and other security incidents.

9. Ignore costs of license tracking, license audits, and BSA raids.

How to beat Linux in TCO studies

Posted Oct 27, 2004 20:59 UTC (Wed) by dang (subscriber, #310)

As we get more integration between desktop, browser and ZeroConf, I wonder how long before Linux gets wormier.

How to beat Linux in TCO studies

Posted Oct 28, 2004 15:39 UTC (Thu) by mmarq (guest, #2332)

10. Have a deep reaching press/study body network, so that you can propagate your BS mantra.

How to beat Linux in TCO studies

Posted Oct 28, 2004 15:46 UTC (Thu) by mmarq (guest, #2332)

Oops... (10.) should read (14.)...
Sorry to be out of proper reply position.

How to beat Linux in TCO studies

Posted Oct 28, 2004 0:42 UTC (Thu) by kh (subscriber, #19413)

10. Exclude the cost of backup software

11. Exclude the cost of defragmentation software

12. Exclude the cost of additional servers and software for testing patches and updates before implementation. (Try running two versions of IIS on the same server bound to different ports like you can with Linux & Apache.)

- In fairness, I have heard that Microsoft provides their software for free on "testing only servers" to fulfill the issues with number 12 now, but I am unsure of the details - best check with BSA on that one.

I like how he includes "Given the growing concern among customers about intellectual property indemnification" with his "get the facts" though...

How to beat Linux in TCO studies

Posted Oct 28, 2004 1:43 UTC (Thu) by jjs (guest, #10315)

Re 12:
Add 13 - cost of the additional servers to truly run the system the way they normally recommend.

I note a number of their studies will include running, say, IIS & Exchange on the same machine. Yet, MS recommends (or used to, I haven't tracked it for a while) a separate server for every service (plus backup). And, in their defense, you needed it. You couldn't run multiple services & have any kind of response. Of course, I'm certain MS was being terribly hurt by all the extra money you had to spend on multiple licenses.

Guilty Conscience?

Posted Oct 27, 2004 20:20 UTC (Wed) by Tashlan (guest, #17277)

"... we understand that being on the wrong end of a software patent lawsuit could cost a customer millions of dollars, and massively disrupt their business."

Sounds like an admission to me. IBM are you listening?

Steve Ballmer's "executive letter"

Posted Oct 27, 2004 20:28 UTC (Wed) by brianomahoney (subscriber, #6206)

The facts are, as all those in large organizations not hopelessly compromised by their past mistakes or political mis-steps know, that Windows is hopelessly insecure and compromised, even if protected by an army of MCSEs, virus scanners and firewalls. These organizations put up with most things, e.g. e-mail not working properly, delays, inconvenience... and it still does not work: individual machines are often captured, and every so often the complete e-business of the organization is brought to a halt for days.

Those of us who use Linux as our working environment used just to smile; now, as more of the CEOs and CIOs I talk to see and believe we do not suffer, they are increasingly making their IT departments accountable.

As I never tire of saying, having someone else to blame is neither mitigation nor excuse, and I predict people will start to get fired for continuing to buy Microsoft. Mr Ballmer is, as usual, full of FUD, DENIAL and EXCUSE.

Steve Ballmer's "executive letter"

Posted Oct 28, 2004 2:46 UTC (Thu) by bojan (subscriber, #14302)

Steve says:

About three years ago, we made software security a top priority, and since then we've invested heavily in a multi-pronged effort to improve software quality and development processes, and to reduce risks for customers through education and guidance, industry collaboration and enforcement. I think it's fair to say that no other software platform has invested as much in security R&D, process improvements and customer education as we have at Microsoft.

I say:

ClamAV, running on my Linux based mail server, intercepted 85 virus infected e-mails in the period of around 10 hours, today only. By any measure, I'm a very small business (there is only myself in it). ALL of those e-mails came from Windows machines that have been infected. During an average week, I receive over 1,000 such e-mail messages. There are also over 200 spam messages every day, many of them from Windows systems turned into spam zombies.
Will Microsoft cover the bandwidth and anti-virus implementation costs to my business (my Linux servers/desktops don't require anti-virus software, I run it to avoid deleting all those messages manually)? Can I also seek compensation for all of the traffic that Code Red caused on my Internet connection during the world-wide outbreak?

Halloween

Posted Oct 28, 2004 6:31 UTC (Thu) by bsch (subscriber, #4349)

This time the halloween memo is written by the boss himself. How do the French put it? "Noblesse oblige"

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds