
Microsoft prepares security assault on Linux (InfoWorld)

InfoWorld reports that Microsoft has a new anti-Linux campaign in the works; this one will, somehow, try to claim that Microsoft is better at fixing security problems. "In a sign that the inroads made by the Open Source community are starting to rattle the software giant, Microsoft has hired several analysts to review how fast holes are patched in the open source software and is expected to announce that Windows compares favorably."


Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 11, 2003 18:44 UTC (Tue) by arcticwolf (guest, #8341) [Link] (1 responses)

For a moment, that headline sounded as if they had plans to plant backdoors in the kernel. ^_^

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 11, 2003 20:45 UTC (Tue) by djabsolut (guest, #12799) [Link]

Actually it sounds like a new Microsuck strategy: the pre-FUD FUD, or vapourware FUD (i.e. they still haven't shown anything, but they're already talking about it as if the results are a foregone conclusion).

Microsoft Compares their core OS to an entire software suite and wins.

Posted Nov 11, 2003 18:59 UTC (Tue) by Spike (guest, #14160) [Link] (3 responses)

These MS dudes really have a slanted view. Let's compare our Server OS to a Linux distro which has THOUSANDS of applications included for security holes. Comparing an OS which comes with a handful of applications like MS-Paint and IE to Linux which is a complete system containing thousands of unique applications might fool some high level executives, but not those of us in the know.

I for one would like to see the same statistic only with a suite of software similar to what Windoz 2003 ships with. I'm sure the numbers would be very different.

Microsoft Compares their core OS to an entire software suite and wins.

Posted Nov 11, 2003 19:25 UTC (Tue) by thompsot (guest, #12368) [Link] (2 responses)

That's exactly right. The only problem is, MS will get Press just because they're big and everyone watches them. Even if it's total B.S. and everyone knows it, a lot of mags/sites will print whatever drivel they come up with. We need a reputable, well-known company or organization to do a "counter study" and make it an apples-to-apples comparison. Then maybe that would get some press as well...

Microsoft Compares their core OS to an entire software suite and wins.

Posted Nov 11, 2003 21:03 UTC (Tue) by cpm (guest, #3554) [Link]

Nope, don't think so. Such an apples2apples comparison would only
get the same press *if* the same multimillions of advertising dollars
were being spent by the group who most benefits by the weighting of
such a test.

Believe it or not, the press, at least here in these United States
tends to cast a favorable light on those who buy lots and lots
of advertising. Go figure.

Microsoft Compares their core OS to an entire software suite and wins.

Posted Nov 11, 2003 21:05 UTC (Tue) by alspnost (guest, #2763) [Link]

Quite right - IBM, Oracle, where are you? Perhaps I'm missing something, but Oracle has nothing to lose by publicly bashing Microsoft (and Larry already loves doing that). IBM might be more hesitant though.

Anyway, the point is, do you reckon Oracle would run their business on Linux if they thought it had inferior security? Hmmm, thought not ;-)

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 11, 2003 19:00 UTC (Tue) by laccata (guest, #3856) [Link] (1 responses)

OK Mr. Ballmer.

We've shown you our code, now you show us yours.

THEN, let's count the security flaws.

Then let's all fall over laughing.

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 12, 2003 10:29 UTC (Wed) by djabsolut (guest, #12799) [Link]

Some fuel for the fire: Researcher lists 22 unpatched IE vulnerabilities following the issue of a cumulative patch for the browser by Microsoft Corporation overnight [source: Sydney Morning Herald, 2003/11/12]

Damned if you do, damned if you don't

Posted Nov 11, 2003 19:15 UTC (Tue) by JohnBell (guest, #12625) [Link] (1 responses)

If you let the assertions of the competitor go unchecked, people assume that the competitor's claims are correct, and look at the competitor's products in a more favorable light.

If you stoop to statistical wizardry to prove that your competitor's assertions are wrong, and that your product offerings are better, then your credibility is questioned and people look at your competitor's products in a more favorable light.

Microsoft is trying to address their lack of credibility in the security space, a lack of credibility which they have consistently earned over the years, by putting spin on the situation. It won't work. No matter how many numbers they throw at the problem, they still will have NO credibility. Not with security professionals, with analysts who refuse to be bought and paid for, or with their customers (lost, potential, or otherwise).

MSFT is starting to act like Novell did a few years back when NT started creeping in on Netware's home turf. They will suffer the same fate. I've said it before on other forums, and I'll say it again - $50 billion in the bank won't be enough to stop Linux. They could have $100 billion, and it wouldn't be enough. MSFT thinks they can fight a popular idea, and its associated ideals, with sheer financial might. As history has shown time and again, that strategy, though potentially long-lived as a holding action, is doomed to eventual failure.

People have often posed the question, "What would the world be like without the Microsoft monopoly?". I would submit that in about eight to ten years, everyone's going to have the answer to that question.

Damned if you do, damned if you don't

Posted Nov 12, 2003 16:46 UTC (Wed) by cpm (guest, #3554) [Link]

I don't think Microsoft really cares about their credibility. They have most of the computer using world eating out of their hands.

Let's look at a few things.
Q1, How many times has Microsoft actually been to court?
Q2, How many times has Microsoft been found Not Guilty?

First off, MS doesn't usually go to court. They usually settle.
Secondly, Q1 is academic, doesn't matter, because the answer
to Q2, is Every Single Time.

They have never been exonerated of any crimes of which they have been accused. And that is quite a lot. Does the general press care? Umm, Nope.

Steve Ballmer in his keynote rant, kept talking about hackers from China.
Why China? Was he implying something about Chinese programmers? Umm, well, yah! Were his comments derogatory and racist? Umm, well, yah! Will anyone call that ranting freak on his racist and derogatory commentary on the skill and talent of Chinese programmers? Umm, Nope.

Why? Because Microsoft is a good company? Because Microsoft is an ethical company? Umm, Nope.

Why? Because they are rich, and they buy lots of advertising.

Microsoft comes up to the plate with a position, or they pay someone else to come to the plate with a Microsoft position. What does the "boss" reading her Wall Street Journal see? She sees that Microsoft is wonderful and everyone else is just jealous (or whatever). Now, the Microsoft position can be torn apart in the following days, in the side bars, and comments, and letters to the editors. How much weight does that carry with Joe or Joan Boss? Not nearly as much as the first impression.
As we all know, first impressions last the longest.

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 11, 2003 19:16 UTC (Tue) by euvitudo (guest, #98) [Link] (5 responses)

Linux has them extremely terrified. It's quite amusing. The one problem I see with their strategy is that they seem to be all talk. The issue with the spammers (i.e., the bounty placed on their heads) seems to show that they are more concerned about the way the public perceives their product than they are with actually fixing the holes. They don't seem to want to spend their billions on fixing their software, rather, they want to make everyone "think" that they fixed it. If they really wanted to fix their image, they should first fix their product. If they really wanted to deter spammers, they should first fix their product. Dragging in spammers, or spreading FUD about Linux et al., won't fix their products. Of course, I'm preaching to the choir, so I'd better quit now. ;)

Cheers!

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 11, 2003 19:19 UTC (Tue) by euvitudo (guest, #98) [Link]

doh! That should have been virus writers, even though it appears that they are one and the same.

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 11, 2003 20:02 UTC (Tue) by ccchips (subscriber, #3222) [Link] (3 responses)

I've been trying to get Microsoft to fix their products, from a system administrator's point of view, since the early 1990's.

What really irks me is that I used to harp on their developing a really good system-wide scripting language (which they did NOT have even unto NT 4.0.) So, when they did, they developed it in such a way that people could use it to usurp e-mail communications.

Yah!

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 11, 2003 21:23 UTC (Tue) by 87C751 (guest, #11362) [Link] (2 responses)

Time and time again, I'm reminded of a full-page ad in the WSJ, circa 1997, with the headline "You won't know where your desktop ends and the internet begins." And they said it like it was a *good* thing.

When Microsoft discovered the internet, back around '95, they envisioned it as a larger version of a workgroup. They saw the net as Mr. Rogers' Neighborhood. And friendly neighborhoods don't need policemen or door locks, because We All Just Get Along. Ironically, they had already been dealing with PC-borne viruses for the better part of a decade, and attack vectors such as the zipfile comment with embedded ANSI keyboard redefinitions were already common knowledge. In other words, the neighborhood wasn't safe even before the internet came along. With that backdrop, it still stupefies me that MS could have been *so* wrong in their security approach. But they went along as they always have, assuming that they invented anything they touched.

Perhaps it's simply too late for MS to really turn around.

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 12, 2003 3:56 UTC (Wed) by ccchips (subscriber, #3222) [Link]

I believe that if Microsoft took security really seriously, they should send out their whatever-engineers to their various favorite IT heads, and tell them to hire people who know how to use programming tools of *all* kinds to deal with security issues, generate analyses and reports, and all manner of tricks and techniques people who are *serious* about IT should know how to do *themselves.*

Instead, they'll probably show more pointing and clicking and pretty pictures. Maybe there'll even be some policeman icons in there. And they'll continue to encourage bosses to alienate anyone who isn't trying to sell a Microsoft certified package.

I would almost wager money on it.

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 12, 2003 4:49 UTC (Wed) by XERC (guest, #14626) [Link]

I don't want them to turn around. I want to get
rid of the basters and I wish that they burned faster!!!

I hate them because of their lack of professional ethics.

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 11, 2003 19:42 UTC (Tue) by davidl (guest, #12156) [Link] (4 responses)

Microsoft's aim is to undermine critics and place a question mark over Linux's security by revealing that, on average, Windows poses less of a security risk.

They've already lost this argument, and it's laughable they seem to want to keep bringing it up. Figures are good up to a certain point, but it's experience that counts. Like moving away from Windows and not having to do the nightmare administration and patching sessions that progressively shorten life-expectancy i.e. ME.

Last week, the company announced a $5 million reward program aimed at bringing virus writers to justice. Although it is unlikely to reap any tangible results, the message was clear: Microsoft is taking security seriously.

Would somebody care to tell me how this makes their software more secure? If anything this will just create more viruses, as people find more elaborate ways of trying to get away with it. Never tell anyone you're putting a bounty on their heads.

"there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."

We've also been through this many times before - and RED HAT LINUX 6!!!! Do we really need to go that far back? Remind me, how many bits of software and all-round functionality do I get in a Linux-distro out of the box? A heck of a lot more than Win 2003, that's for sure. Why do all of the vulnerabilities in Windows seem to carve gaping holes into the entire system? Why don't they add in the vulnerabilities for Exchange, SQL Server......? Oh, I get it. Bringing up stuff like this will just make people who don't already know come round to the truth.

"Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?"

Oh we just can't avoid those communist references, can we? Given that Microsoft is really trying to get into Chinese markets it's probably best not to come up with PR gaffes like this. I thought that's why Bill Gates was taking more of a back-seat and Steve was doing more of the running? It's better because the whole process is about, plain and simple, just getting it right - not just the visible things but the infrastructure like the kernel, filesystems, network stacks.... Discussion, iterative improvement, which is paid lip-service in commercial projects, and getting the boring stuff right so it doesn't have to be worried about. It isn't about chucking the thing together in a short period of time without thinking about it. How on Earth do you think that Microsoft came up with NTFS, the worst filesystem ever built, or the Win32 API, COM, the list is endless. A directive comes down "Oh, we need a filesystem" and someone simply throws it together because there is no time, no funding for those mundane things and they're just bored stiff by it. Put all that together and you've got a badly functioning system which not even Microsoft understands. Because of this we then get the usual Microsoft production line hack-fest to try and whip it into shape before release.

There was an article on VNUNet about a Safeway IT guy using Linux-based systems as a basis for some of their more critical functions. There was no fanfare, no "Oh, this is so exciting - it's the technology for the next decade" - nothing like that. He basically said that the thing worked, solidly and reliably so that he didn't really have to do anything and then he moved on to talk about something else Safeway-related. It's interesting that he also asked (I read that as told) a software company to port their system to the Linux-based environment they were using. It works! Get it Steve? We really don't need to tell anyone about it. In the same vein I suggest Microsoft gets its head down regarding the Trustworthy Computing initiative.

That means it should have something more tangible than the questionable reports it has sponsored in the past in an attempt to show Windows has a comparable or lower total cost of ownership than Linux.

What, you mean the reports that have already failed and people realised are paid for by Microsoft? I fail to see how this new security assault is any different to the rubbish we've had in the past. Just gives us all more cannon fodder.

Microsoft failed to respond to our questions, although its law and corporate affairs spokeswoman told us that she didn't think the company intended to launch a security attack on Linux and that it would be "odd" if the company used strong comparative information to state its case.

Well they'd lose, again, as they have done on so many occasions in the past. Besides, after all of the 'reports' that have gone before I don't think that any analyst company would want to work with them again. I really want all of this crap to end and Microsoft to be finished so I can get on with the business of making money out of making computing and IT actually work.

One person's meat...

Posted Nov 12, 2003 0:25 UTC (Wed) by fLameDogg (guest, #11305) [Link] (3 responses)

"I really want all of this crap to end and Microsoft to be finished so I can get on with the business of making money out of making computing and IT actually work."

How thoughtless. How about all the people making money out of fixing things that don't work (or just break all of the time)? You cruel, cruel person.

One person's meat...

Posted Nov 12, 2003 5:06 UTC (Wed) by XERC (guest, #14626) [Link]

Hei, fLameDogg, have You Ever tried
INTERCAL<http://www.catb.org/~esr/intercal/>??
or Malbolge<http://www.mines.edu/students/b/bolmstea/malbolge/index.html>??
or maybe Unlambda<http://www.eleves.ens.fr:8080/home/madore/programs/unlambda/> ??
or something more pornographic like BrainF***<http://home.planet.nl/~faase009/Ha_BF.html>???

One person's meat...

Posted Nov 12, 2003 10:48 UTC (Wed) by davidl (guest, #12156) [Link] (1 responses)

"How thoughtless. How about all the people making money out of fixing things that don't work (or just break all of the time)? You cruel, cruel person."

I think we should be able to mod stuff up. This is funny.

One person's meat...

Posted Nov 12, 2003 16:01 UTC (Wed) by Baylink (guest, #755) [Link]

It may be funny, but it's also *true*. We've been a Unix house for 15 years, going back to
Tandy 16 Xenix. If our customers didn't *insist* on Windows desktops, we'd probably be out of
business for lack of work.

Let's do the analysis ourselves

Posted Nov 11, 2003 21:14 UTC (Tue) by dank (guest, #1865) [Link] (2 responses)

Just as with the Mindcraft study, there may be a grain of truth in this.

It would be nice if, say, the lwn.net vulnerability page
(http://lwn.net/Vulnerabilities/) had a column for "date discovered"
as well as a column listing how many of the main distributions
are currently vulnerable, and the number of days it took for that
number to drop to zero. That's a tremendous amount of work to
gather that data, but it'd be pretty handy to have around on
an ongoing basis as a way to tell how well Linux is doing on security.

(This would be like http://bugme.osdl.org/ but only for security
issues with CAN numbers, and would only contain data about when
each distro closed the hole.)

Perhaps the only way to make it practical would be if volunteers gathered
that data for their favorite distribution, and kept the lwn.net database
up to date...


Let's do the analysis ourselves

Posted Nov 11, 2003 21:51 UTC (Tue) by Ross (guest, #4065) [Link] (1 responses)

Or maybe "Date publicly disclosed" since we don't always know the discovery date.

Let's do the analysis ourselves

Posted Nov 12, 2003 10:57 UTC (Wed) by Liefting (guest, #8466) [Link]

You actually need four days:
a. Day of discovery of the vulnerability
b. Day the vulnerability was announced
c. Day the vulnerability was patched - i.e. a working but otherwise non-invasive patch was released
d. Day an exploit for the vulnerability became available

On Linux/OSS, a and b are generally the same, and c is just a few hours behind, so d never happens. On Windows, you'll typically find that a happens in secret, and b only happens until d happens. Then there's the time waiting for c.

Can we come up with a really useful metric, e.g. "vulnerability days" for each patch? That being the time between d and c? Then calculate the # of vulnerability days (or hours for that matter) for each RPM/program/whatever and see how good/bad a fully loaded Linux (Everything Install) and Windows (Full OS + Office, Databases, exchange, you name it) is doing?

That would be the basis of a really good counterargument.
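
The "vulnerability days" metric proposed in the comment above, worked through as an added example that is not part of the original thread or any commenter's code. The record fields, platform labels, identifiers and dates are constructed for illustration; the discovery date is optional, as the earlier reply about unknown discovery dates suggests.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    ident: str                          # constructed placeholder, not a real CAN number
    platform: str                       # constructed platform label
    disclosed: date                     # (b) day the vulnerability was announced
    discovered: Optional[date] = None   # (a) often unknown, so optional
    patched: Optional[date] = None      # (c) None means still unpatched
    exploit: Optional[date] = None      # (d) None means no known public exploit


def vulnerability_days(adv: Advisory, as_of: date) -> int:
    """Days from exploit availability (d) to patch (c), never negative."""
    if adv.exploit is None:
        return 0
    end = adv.patched or as_of          # open issues keep accruing until as_of
    return max(0, (end - adv.exploit).days)


def patch_latency(adv: Advisory, as_of: date) -> int:
    """Days from public disclosure (b) to patch (c)."""
    end = adv.patched or as_of
    return max(0, (end - adv.disclosed).days)


def secret_days(adv: Advisory) -> Optional[int]:
    """Days between discovery (a) and disclosure (b); None if (a) is unknown."""
    if adv.discovered is None:
        return None
    return max(0, (adv.disclosed - adv.discovered).days)


def summarize(advisories, as_of: date) -> dict:
    """Total the metrics per platform so two install sets can be compared."""
    totals: dict = {}
    for adv in advisories:
        row = totals.setdefault(adv.platform, {
            "advisories": 0, "unpatched": 0,
            "vulnerability_days": 0, "latency_days": 0})
        row["advisories"] += 1
        row["unpatched"] += adv.patched is None
        row["vulnerability_days"] += vulnerability_days(adv, as_of)
        row["latency_days"] += patch_latency(adv, as_of)
    return totals


# Constructed sample records; dates and identifiers are illustrative only.
AS_OF = date(2003, 11, 12)
SAMPLE = [
    Advisory("X-001", "platform-x", date(2003, 10, 1), patched=date(2003, 10, 2)),
    Advisory("X-002", "platform-x", date(2003, 10, 10), patched=date(2003, 10, 13),
             exploit=date(2003, 10, 20)),            # exploit after patch: 0 days
    Advisory("Y-001", "platform-y", date(2003, 9, 15), discovered=date(2003, 8, 1),
             patched=date(2003, 10, 5), exploit=date(2003, 9, 10)),
    Advisory("Y-002", "platform-y", date(2003, 11, 1),
             exploit=date(2003, 11, 3)),             # still unpatched at AS_OF
]

if __name__ == "__main__":
    for platform, row in sorted(summarize(SAMPLE, AS_OF).items()):
        print(platform, row)
```

Counting unpatched issues up to a fixed `as_of` date keeps open holes from scoring as zero exposure, which a patched-only average would hide.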

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 11, 2003 22:18 UTC (Tue) by stumbles (guest, #8796) [Link] (1 responses)

They gotta be joking. With the rash of updates, repeated updates for the same fix,
etc..... they don't have a bit to flip on.

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 11, 2003 22:33 UTC (Tue) by Ross (guest, #4065) [Link]

Sure they do -- when they compare MS patch turnaround times to outdated and
unsupported Linux distributions :)

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 11, 2003 23:55 UTC (Tue) by oloryn (guest, #7408) [Link]

Last week, the company announced a $5 million reward program aimed at bringing virus writers to justice. Although it is unlikely to reap any tangible results, the message was clear: Microsoft is taking security seriously.

No, the message is that Microsoft takes PR about security seriously. I don't think we really see any signs yet that Microsoft has abandoned the tack of prioritizing PR over actual effectiveness.

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 12, 2003 3:47 UTC (Wed) by ccchips (subscriber, #3222) [Link]

<paranoia>We all know that Microsoft software users are notorious for piracy, cracking, and all manner of devious technology, especially if they can crack into some big ol' UNIX(Linux?) box and cause trouble.

So, who's to say that this new anti-Linux security thing isn't going to be accompanied by a raft of those script-kiddies all-of-a-sudden banging on Linux boxes all over the world?
</paranoia>

Microsoft prepares security assault on Linux (InfoWorld)

Posted Nov 12, 2003 4:41 UTC (Wed) by dandyman (guest, #16782) [Link]

@#$% Microsoft. Open Source will make them look stupid again.


Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds