Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Microsoft Software IT Linux

MS Security Chief Says Windows is Safer Than Linux 713

Posted by Zonk from the some-press-is-better-than-no-press dept.
Kip Winger writes "Mike Nash, Microsoft's Chief Security Executive, has made claims that Windows is more secure than Linux. In a recent online chat, he staunchly defended Microsoft's record on security, basing part of his argument on how Windows Server 2003's 15 patches in the past year are far less than what RedHat or SuSE have had to endure." He also mentioned the recent purchase of Sybari and their Antivirus product.
This discussion has been archived. No new comments can be posted.

MS Security Chief Says Windows is Safer Than Linux More

MS Security Chief Says Windows is Safer Than Linux

Comments Filter:

  • What about (Score:5, Insightful)

    by beatdown ( 788583 ) * on Friday February 11, 2005 @10:54AM (#11642156)
    the patched that they should have done?

    • Re:What about (Score:5, Insightful)

      by halivar ( 535827 ) <bfelger@gmai l . com> on Friday February 11, 2005 @11:05AM (#11642380)
      Apparently, Microsoft policy is only to release patches for vulnerabilities that are currently being exploited.

      And yes, this is flamebait. M$ can't (or won't) secure a paper sack, much less an operating system. More patches from Linux vendors means they're actually working on the freaking problem.

      • Re:What about (Score:5, Funny)

        by NoMoreNicksLeft ( 516230 ) <john.oyler@noSpAm.comcast.net> on Friday February 11, 2005 @11:25AM (#11642714) Journal
        Isn't this a bit like claiming you are more healthy than someone else, because you've been to the hospital 40 days this year for your last-ditch chemotherapy? "Look at linux, it hasn't seen a doctor in over 10 years!".

      • Re:What about (Score:5, Insightful)

        by Shkuey ( 609361 ) on Friday February 11, 2005 @11:31AM (#11642796)
        Apparently, Microsoft policy is only to release patches for vulnerabilities that are currently being exploited.

        What about some of the biggest issues in recent history like blaster or code red? Both were patched by Microsoft well in advance of their outbreak. Irresponsible PC users cause a lot of the major security issues in this connected world; you can't put all the blame on Microsoft.

        • Re:What about (Score:3, Interesting)

          by cranktheguy ( 731726 )
          yesterday i spent an hour fixing a windows 2000 pc. worst case of spyware i have ever seen. it wouldn't let me end the processes i knew were infected. they were running as system services. they reinstalled themselves before as windows finished booting (as in, when adaware runs before you get to windows)! the quote from my roommate: "i didnt install anything." he had been using ie and running as administrator. let's see them patch that.

      • Re:What about (Score:5, Insightful)

        by Dolda2000 ( 759023 ) <fredrik.dolda2000@com> on Friday February 11, 2005 @11:38AM (#11642892) Homepage
        More patches from Linux vendors means they're actually working on the freaking problem.
        While that's true, there's another implication as well.

        While the patches for Windows includes faults in, precisely, Windows (which is what I'm guessing that he's referring to by saying "15 patches"), the patch count for Linux distros include patches for all programs in the distro. That includes not only the core parts of the operating system. In the @RISK newsletter I'm recieving from SANS, I see almost only patches for more seldomly used software, such as ncpfs, Konversation, Dillo, xdvizilla, mpg321, and so on.

        Considering how a Linux distro probably contains at least 10 times as many software packages as a Windows installation (the vast majority of which are optional to install), I can't see how it would be in Microsoft's favor that they're issuing one third as many patches as Linux distributors do.

        • Yeah, and while I'll probably be modded down for this, the problem is that these programs, while not part of the OS, are part of the distribution. If mpg123 is included on the CD's for Red Hat or SuSE, then Fedora and SuSE are shipping these products. If the product turns out to be faulty, it means their's a problem with Red Hat or SuSE's distribution, regardless of whether it's located in the kernel or not.

          And it's also not fair to say "It's only the default install" that counts. If I go to SuSE or Red

          • Re:What about (Score:3, Insightful)

            by Em Adespoton ( 792954 )
            This makes you think though, doesn't it?
            I mean, you get a RedHat install, go online, apply the patches, and then get to work doing whatever it is you want to do.

            Now let's go to Microsoft land.
            You install XP (if it isn't pre-installed), plug it into a firewall, configure firewall, go online, install updates, and then... and then...
            ...Install Office, go online, install updates...
            [repeat for x pieces of software by miscellaneous different software manufacturers]
            And FINALLY get down to doing whatever wor

          • Re:What about (Score:3, Insightful)

            by Dolda2000 ( 759023 )
            If the product turns out to be faulty, it means their's a problem with Red Hat or SuSE's distribution, regardless of whether it's located in the kernel or not.
            Yes. However, if it's a local non-root exploit in a program that noone ever uses, that means that it's not actually a threat to security.

            It's still their problem, and that's why they issue patches. It's nothing to worry about, however.

      • By this logic... (Score:3, Insightful)

        by sterno ( 16320 )
        Using that logic, Microsoft outlook is far more secure than Novell Evolution because patches are coming out all the time for Outlook.

        What really matters in the end is:

        1) The seriousness of exploits
        2) The quantity of exploits
        3) The imposition placed on IT people in applying patches to fix exploits

        If you release a lot of patches but they are readily applied without causing downtime, etc, then that's not a big problem. If a few exploits are found but the exploits are huge gaping holes, that's bad for every

    • Antispyware (Score:3, Informative)

      by brentcastle ( 807566 )
      Is it just me or was the story about 10 stories down about how spyware can disable Microsoft's Antispyware and take your cc #s, passwords, etc. I have been using a copy of linux on one of my exposed servers for several years without patching and without any significant security configuration at boot and it runs like a dream! [Although I like my OpenBSD machines better :-D]

    • Re:What about (Score:3, Funny)

      by FyRE666 ( 263011 ) *
      I just like the fact that Slashdot have published this story using their classy "babyshit" stylesheet.

  • I think that I can say for most people here... (Score:5, Insightful)

    by rednip ( 186217 ) on Friday February 11, 2005 @10:54AM (#11642163) Journal
    rofl

    Microsoft is basing that claim by number of patch distributions, not by size for severity, cute. So, just because they (usually) wait up to a month to release a patch, somehow they are better FUD never had so much meaning. I'd be outraged, but words like this are so expected.

  • Of course it is.... (Score:3, Funny)

    by beamz ( 75318 ) on Friday February 11, 2005 @10:55AM (#11642179)
    when the machine is turned off.

  • No Real Surprise... (Score:3, Insightful)

    by wasted ( 94866 ) on Friday February 11, 2005 @10:56AM (#11642199)
    If anyone from Microsoft said anything to indicate that their software is in any way inferior to other software, it would hurt their marketing.

    Knowing this, their only option is to claim that they have the best software.

    • Re:No Real Surprise... (Score:5, Insightful)

      by freemacmini ( 852263 ) on Friday February 11, 2005 @11:48AM (#11643041)
      MS like most corporations know that the truth does not matter to Americans. Americans believe what they want to believe no matter what the facts are.

      History also shows that any lie that is repeated enough becomes indistinguishable from the truth.

      This is true in politics, it's true in entertainment and it's true in business.

      • Re:No Real Surprise... (Score:3, Informative)

        by miu ( 626917 )
        Americans believe what they want to believe no matter what the facts are.

        History also shows that any lie that is repeated enough becomes indistinguishable from the truth.

        The Big Lie was invented by the French in the 12th century and made infamous in modern times by the Germans. I don't think the problem is uniquely American.

  • Saying things makes them true. (Score:5, Interesting)

    by bigtallmofo ( 695287 ) on Friday February 11, 2005 @10:56AM (#11642205)
    If you can just manage to say something that gets picked up by major news organizations, then it might make it come true.

    Or at the very least, you might at least fool some people enough to continue to give you money.

    • That's exactly how the Bush administration works (Score:3, Insightful)

      by Anonymous Coward

      "If you can just manage to say something that gets picked up by major news organizations, then it might make it come true.

      Or at the very least, you might at least fool some people enough to continue to give you money."

      Correct. It's called PR, and it works. Microsoft does it all the time, spewing out completely false or misleading statements knowing those will get the headlines. Corrections get buried on page 17.

      The Bush administration has carried this out to a fine art. They make a grandiose annou

  • All true (Score:5, Funny)

    by ArsonSmith ( 13997 ) on Friday February 11, 2005 @10:56AM (#11642206) Journal
    My linux computer is so over run with spyware and viruses that it is completely unusable and it is firewalled.

    I connect my fresh installed XP system directly to the internet and I can go months before I get any malicous programs on my computer.

    hmm, or do I have that backwards?

  • That reminds me ... (Score:3, Funny)

    by graphicartist82 ( 462767 ) on Friday February 11, 2005 @10:56AM (#11642210)
    ... I need to approve the new MS patches on the SUS server.

  • Credibility and Redmond? (Score:5, Insightful)

    by basking2 ( 233941 ) on Friday February 11, 2005 @10:57AM (#11642214) Homepage
    We see these posts trumpeted by entities like Slashdot. It it warrented? Does Redmond have any credibility on things like this left? Should we be paying any more attention to this sort of behavior than to just consider what MS is doing? :\ I'm more interested in the well thought out comments all-y'all have.

    • Re:Credibility and Redmond? (Score:5, Insightful)

      by CrankyFool ( 680025 ) on Friday February 11, 2005 @11:06AM (#11642402)
      Redmond has significant credibility within the sector that actually gives purchasing approval (rather than, perhaps, purchasing recommendations). When they come up with something like "look, we only released 15 patches instead of Linux's 1028426," that's a very simple message that many people will have problems seeing through. These people will go away from reading this story believing, simply, that Microsoft is right. Sadly, some of them will likely be influenced by their unwillingness to believe a company representative would utter such a bald faced lie (and of course, in some respects he's not lying. Linux has had a ton of patches; WS2003 has not. Those are the facts. What they mean, of course, is exactly the opposite from what he claims they mean).

      Worst of all, though, is that if Information Week or any other "I'm an important IT person and I read industry publications" magazine carries a story on the front page that says "Microsoft Security Chief: Windows More Secure Than Windows," than 3-4 days after they saw the story (and maybe not even read it), your average PHB will just remember the "You know, I seem to remember recently that someone came out and said Windows was more secure than Linux. I don't remember how they proved it or where I saw it, but I distinctly remember it..."

      Which is why I do think there's value in a vigorous response and a careful analysis of the claims in an effort to make sure we're ready to vehemently argue against this insanity.

  • FUD (Score:4, Insightful)

    by Libor Vanek ( 248963 ) <[moc.liamg] [ta] [kenav.robil]> on Friday February 11, 2005 @10:57AM (#11642226) Homepage
    FUD on the horizont, sirre ;-)

    - if you compare RedHat/SuSE then you have to compare it to Windows Server + complete BackOffice + complete Visual Studio + complete MS Office and you still are not close enough...
    - I'd be interested in average time to fix critical bugs...
    - also number of known un-fixed cricital bugs will be interesting (incl. IE on Windows)

  • Request new Slashdot Section (Score:5, Funny)

    by Neil Watson ( 60859 ) on Friday February 11, 2005 @10:57AM (#11642230) Homepage
    I think we need a new section for these stories. I propose we call it 'Flamebait'.

  • Not Surprised (Score:5, Insightful)

    by PhreakinPenguin ( 454482 ) on Friday February 11, 2005 @10:57AM (#11642231) Homepage Journal
    "Mike Nash, Microsoft's Chief Security Executive"

    What does everyone think he's supposed to say? Windows security is inferior to linux? He'd lose his job.

  • From TFA... (Score:5, Insightful)

    by jskiff ( 746548 ) on Friday February 11, 2005 @10:57AM (#11642233) Homepage
    "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."

    This actually brings up an interesting point. Does Windows have less bugs (I know, I know) than these Linux distros? Or are Red Hat and Novell more proactive to fix the bugs they do have? Unfortunately, my guess is most PHBs would think the former.

    • Re:From TFA... (Score:3, Informative)

      by MarkGriz ( 520778 )
      This actually brings up an interesting point. Does Windows have less bugs (I know, I know) than these Linux distros? Or are Red Hat and Novell more proactive to fix the bugs they do have?

      Actually, I think a more important question is, how significant of a security risk are the respective bugs?

      The claim is that MS had less vulnerabilities than various Linux distros. Yet, I'd be willing to bet many of the Windows security holes are big enough to drive a truck through. Remote exploits and the like. If th

    • Re:From TFA... (Score:3, Insightful)

      by Trigun ( 685027 )
      I have yet to view a listing for the bugfixes for Suse and Red Hat, but history shows that a majority of the patches are for applications, not the core OS.

      The fact that you can break linux down into kernel, library, and application bugs, and with Windows you really can't.

      Also, did MS also include patches to WinAmp, mIRC, etc? Of course not. They package one window manager, one filesystem, one kernel, one webserver, one sql server, one browser. Even at a patch per package ratio, they are losing.

    • Re:From TFA... (Score:3, Insightful)

      by miyako ( 632510 )
      While I am certainly much to lazy to actually look at the recent 78 patches for Suse, based on my memory, most of the patches as of late have been for some pretty obscure bugs with no known exploits.
      The other big thing about the difference in the number of patches is that a windows patch may actually patch a number of libraries, where as with Linux each would be a different patch.
      I do agree that overall Linux distributions do tend to have more patches than windows, but that's largely because Linux distrib

  • And later.. (Score:5, Funny)

    by salvorHardin ( 737162 ) <adwulfNO@SPAMgmail.com> on Friday February 11, 2005 @10:58AM (#11642246) Journal
    ...when the world stopped laughing, it was revealed this person might have some sort of conflict of interest, being that he works for MS and all....

  • Quoted from the article... (Score:3, Insightful)

    by cnelzie ( 451984 ) on Friday February 11, 2005 @10:58AM (#11642248) Homepage
    Microsoft's top security honcho insisted Thursday that Microsoft "is making progress on security using any reasonable metric."

    What is a 'resonable metric'? Is that one that only provides the results that one wishes to see or is that a metric provided by a reputable security organization that is known for being extremely truthful and accurate in its results?

  • Windows and Red Hat (Score:5, Informative)

    by bruceleekick ( 548999 ) on Friday February 11, 2005 @10:58AM (#11642254)
    Windows 2003 Currently, 5 out of 44 Secunia advisories, is marked as "Unpatched" in the Secunia database. Red Hat rrently, 0 out of 133 Secunia advisories, is marked as "Unpatched" in the Secunia database. I think I would rather take a system that is all patched then one that is Unpatchable.

    • Red Hat currently, 0 out of 133 Secunia advisories

      Based on flaws in 64 different packages out of a total of 477 packages.

      11 red hat update for kernel
      6 red hat update for ethereal
      5 red hat update for httpd
      4 red hat update for samba
      4 red hat update for mozilla
      4 red hat update for cvs
      4 red hat update for cups
      etc.

      Lets compare that against the Windows Server 2003 Enterprise edition. All of these defects are against the core Windows operating system. You have to go to the other Microsoft

  • Proactive vs. Reactive (Score:3, Insightful)

    by Mr. BS ( 788514 ) on Friday February 11, 2005 @10:58AM (#11642262)
    Linux might have more security holes within the release times but I feel the Linux patches are more proactive than reactive.

    When Microsoft releases a patch it's usually because thousands of users have already been complaining about something and they have to address it in a reactive mode. In Linux, someone makes a discovery of a security flaw, contact's the vendor, and it's usually patched within a couple of days. Note that within that discovery, everyone is still happy as a clam because there haven't been 50,000 trojan's trying to exploit it.

  • no patches available? (Score:5, Insightful)

    by RealityMogul ( 663835 ) on Friday February 11, 2005 @10:59AM (#11642286)
    If there's only 15 for 2003, then why does that secunia link list 44?

    Notably, the RedHat and Suse links list a higher number of vulnerabilities, but also state that there are ZERO unpatched security holes.

    Surprisingly, the Windows 2003 product still has unpatched holes.
    • It is important to note that linux bundle much, much more then windows in a single distribution. It has several server software, more then one office suite, several development tools and many other stuff.

      Even with the bundle with the os to conquer strategy, MS carries much less. The fair comparisson would to compare the security of MS Office + all MS Servers + MSDN + other things.

  • typical MS solution (Score:3, Insightful)

    by j0nb0y ( 107699 ) <jonboy300@ya[ ].com ['hoo' in gap]> on Friday February 11, 2005 @11:00AM (#11642287) Homepage
    Problem: MS's products are insecure.

    Solution: Have your Security Chief claim that your products are more secure than the competition.

  • User experience (Score:5, Interesting)

    by Matey-O ( 518004 ) <michaeljohnmiller@mSPAMsSPAMnSPAM.com> on Friday February 11, 2005 @11:00AM (#11642296) Homepage Journal
    (This is not a rant, merely a description of what happened to me receintly:)
    1. reboot computer - It'd hung running something the rhymes with Titborrent.
    2. Login prompt -log in
    3. Get a start button, click on it to start a browser
    3a. lose focus as MS is saying AVG isn't turned on. (It's not?)
    4. Hit start again to get a browser
    4a. Lose focus again as AVG says it's not working.
    5. Press start to start a browser.
    5a. Lose focus as the UPS monitoring tool adversises that it's HERE! PRESENT! ACCOUNTED FOR!
    6. Press Start to get a browser.
    6a. Lose focus AGAIN as MS spyware gives me a status update.
    7. go over to the iBook, it doesn't Constantly Interrupt Your Train of Thought At Every Opportunity!

  • Normal Activities (Score:3, Insightful)

    by tilleyrw ( 56427 ) on Friday February 11, 2005 @11:02AM (#11642329)

    People are funny.

    Microsoft is a corporation. It needs a base of support to exist. Pausing in its creation of "new and improved!" products to backtrack and actually fix anything is not additive to the bottom line (profit).

    Therefore, MS will never fix anything. They will merely use PR to promote their products. If falsehoods are created and spread, they will focus on the person who created that lie, not the legal individual Microsoft. (Corps. are equivalent to living people in most states but that's a rant for another time.)

    Q.E.D., nothing to see here. Move along.

  • If Internet Explorer is any indication ... (Score:5, Insightful)

    by reporter ( 666905 ) on Friday February 11, 2005 @11:05AM (#11642383) Homepage
    For 2 reasons, I doubt the veracity of Mike Nash's claims that Windows is more secure than Linux. First, due to the open nature of Linux development, Linux enjoys far more testers than Windows. More eyeballs means that more bugs will be found and fixed.

    Second, comparing Internet Explorer (IE) and Firefox indicates that Windows is likely more bug ridden than major open-source software like Linux. I have used both IE and Firefox. From my experience of visiting thousands of pornographic sites laden with naked women beckoning you to "enter" their site (and other things), I can definitely say that IE is chock full of security problems. After 1 week of pornographic surfing with IE, my entire system (browser and OS) becomes infected with malware -- to the point that I must reload Windows. I have yet to experience the same problem with Firefox.

    The only thing that I hate about Firefox is that it is very slow, probably due to the fact that my computer system has limited DRAM and that Firefox must swap to disk more often than IE. Such is the price that I must pay to enjoy porn.

  • just think (Score:5, Insightful)

    by justforaday ( 560408 ) on Friday February 11, 2005 @11:05AM (#11642392)
    Just think...If MS were to not release *any* security patches at all, they could use that figure as absolute proof that Windows is more secure than anything else out there!

  • Mandatory Access Controls (Score:5, Informative)

    by Coryoth ( 254751 ) on Friday February 11, 2005 @11:08AM (#11642433) Homepage Journal
    Hopefully the Linux community can move forward with SELinux, or some other system that has mandatory access controls. Once that is properly in place Linux will have a significant tangible security advantage over Windows.

    Yes Fedora currently has SELinux in the default install. Unfortunately they have had to use a fairly permissive policy because too many applications and libraries don't properly respect the sort of security bounds that ought to be in place. Right now SELinux on Fedora is like user account permissions on Windows. While it is technically there, the majority of applications simply aren't written with it in mind (eg. all those Windows apps that need to run as Administrator), so in practice it doesn't do much.

    SELinux is done though, and Fedora has integrated it in nicely (including into the rpm system). What is needed now is for all those open source developers out there to realise that there is a new level of security, other than just filem permissions, that they need to consider and respect. If they can just restrict where they write files to, and what files they want to access to the minimum required that would be great. If they can compartmentalize operations so that each can run as a seperate process with least privilege all the better. This is work that needs to be done though.

    Once such things are seriously in place all this harping by Microsoft about "Windows being more secure" will be so obviously the hot air that it is that we won't even have to worry about it anymore.

    Jedidiah.
    • Yes Fedora currently has SELinux in the default install. Unfortunately they have had to use a fairly permissive policy because too many applications and libraries don't properly respect the sort of security bounds that ought to be in place.

      Immutable files on BSD require the same kind of care... but remember, Windows has this problem in a far worse way, because Microsoft's need to remain compatible with apps that ran on the old DOS-based Windows means that they have to accomodate programs that assumed they

  • One of the problems with the Linux name. (Score:3, Informative)

    by nberardi ( 199555 ) * on Friday February 11, 2005 @11:08AM (#11642435) Homepage
    This is one of the problems with "Linux", people compare Windows, the OS, to Linux, the kernel. I bet most of the patches from Red Hat were non-kernel related patches. However this is the beast that will have to be dealt with soon, because as soon as a company like Red Hat or Suse or who ever has a bad patch year it is going to bring down the whole Linux community, economically. It's just like Martha Stewart and how her company went in the tank because her name was attached to it. The name Linux is tied to closely to the OS's, that is my point.

  • A better metric (Score:3, Insightful)

    by saddino ( 183491 ) on Friday February 11, 2005 @11:08AM (#11642436)
    Nash also said that the number of patches shouldn't be the only criteria users apply to tell if Microsoft's doing its job.

    How about:
    (# installations w/ active malware, spyware, trojans or viruses) /
    (# installations)

    This seems a much fairer criteria with respect to the notion of being "more secure." And one, IMHO, I imagine isn't very favorable to MS.

  • The sad thing is... (Score:3, Insightful)

    by RootsLINUX ( 854452 ) <[rootslinux] [at] [gmail.com]> on Friday February 11, 2005 @11:10AM (#11642477) Homepage
    The 95% of those out there that are 'unenlightened' when it comes to computers and technology probably wouldn't even question M$'s claims. "Oh, Microsoft say they've issued less patches for Windows than others did for Linux and thus Windows is safer. I'm glad to have someone trustworthy to tell me these things!". (-_-)

    Because M$ is more reputatable than Red Hat or Novell, the general public will much more likely consider their claims to be true. Oh well. At least it makes for a good laugh for us /.ers.

  • Linux Vs Windows (Score:5, Insightful)

    by KingBahamut ( 615285 ) on Friday February 11, 2005 @11:10AM (#11642478)
    This is an argument that can largely be debated on a variety of levels. Honestly? Linux and ultimately unix of any flavor has just as many vulnerabilities as Windows does. Difference -- typically most of those vulnerabilities are patched and assessed before they take affect.

    Just do a search for Sendmail Vulnerabilities on google.

    Result =
    Results 1 - 10 of about 143,000 for Sendmail Vulnerabilities. (0.39 seconds).

    for Microsoft
    Result =
    Results 1 - 10 of about 364,000 for Microsoft Exchange Vulnerabilities. (0.18 seconds).

    You can have this discussion for days on end, and really, what the *nix community has up on the M$ community is knowledge and ability. No, there arent any viruses that are successfully written for *nix. Spyware isnt even remotely a concept to a linux user. And most vulnerabilities get patched as quickly as they are given POC. Does this mean that linux users patch any more or less than Windows users, no. But we do it more effeciently and with greater success.

    Stability wise , come on. Ive got a redhat 7.3 box that baring powerfailures hasnt been rebooted in over a year. Its a good box, it would probably take an Arkady Rossovich low yeild nuke on its head and still live, and I dont know of any windows box thats able to admit that.

  • Yet another example (Score:5, Informative)

    by DarkMantle ( 784415 ) on Friday February 11, 2005 @11:20AM (#11642629) Homepage
    Here's another example of making stats say what you want.

    Sure, WINDOWS only had 15 patches in the last year however. IE6 had how many (at least anotehr 18-24), Remote desktop connection on 2k3 Server had 2 security fixes, IIS had about 6 patches....

    Need I continue?

    Fact is, yes, Windows had 12 updates in a year, but it's components had many more.

    And also looking at the time from exploit discovery to fix, not lookin good for them there either.

  • There's not a chance of being safer... (Score:3, Informative)

    by jimfrost ( 58153 ) * <jimf@frostbytes.com> on Friday February 11, 2005 @11:21AM (#11642651) Homepage
    ...until the standard configuration does not give (or applications require) normal users to run as administrators, or leave the filesystem and registry wide open to modification.

    So long as installers run without requiring passwords, and I have to give my daughter administrator privileges to run Disney games, Windows is in for a lot of hurt in the security domain because there's really no way to control what users, and by proxy the programs they run, muck with.

    I mean, it's so bad right now that whole markets spawned to supply band-aids for the lack of basic protections (anti-virus, anti-spyware), and to rebuild broken systems as quickly as possible (ghost). That's pathetic, particularly since Microsoft had the ability to do a much better job of securing their systems since the release of Windows NT in 1993, and it's been mainstream since XP. It's not that they couldn't do it, it's that they didn't.

  • The numbers game: thanks Microsoft! (Score:5, Funny)

    by Morganth ( 137341 ) on Friday February 11, 2005 @11:21AM (#11642657) Journal
    Perfect, let's start rating the security of our products by how many patches have been written and applied. What does this kind of numbers game encourage?

    (1) Don't write a patch, since that admits failure or insecure products.

    or

    (2) Wait a long time before writing and committing a patch, so you can do it as "one big patch" (otherwise known as, haha, a Service Pack!).

    Thanks Microsoft! Just your STATEMENTS make systems less secure (nevermind your engineering).

  • There's a story about... (Score:3, Funny)

    by david.given ( 6740 ) <dg@cowlark.com> on Friday February 11, 2005 @11:24AM (#11642698) Homepage Journal
    ...a lecture at a computer risks conference.

    The lecturer was, apparently, talking about the problems in writing mission-critical embedded devices, and at one point he asks his audience: "You all write embedded systems software. Tell me honestly; if your company wrote the software for a 747, how many of you would actually feel comfortable on board one?"

    One hand goes up.

    "You, sir! You're so confident in your software you'd trust your life to it?"

    "Hell, no," comes the reply. "But any plane running my team's software would never crash, because it'd never get off the ground..."

    I am confident in the level of safety given by running Windows on a mission-critical device.

  • Article is missing the last half of the quote (Score:5, Funny)

    by Gruneun ( 261463 ) on Friday February 11, 2005 @11:43AM (#11642953)
    "Of course, we didn't evaluate them with the network cables plugged in. We didn't want the Internet to skew our results. There's some dangerous shit out there."

  • You're all doing the math wrong... (Score:3, Insightful)

    by briancnorton ( 586947 ) on Friday February 11, 2005 @12:09PM (#11643318) Homepage
    Ok, so by some metric we determine that linux is 2x as secure as windows. Well windows systems are down more than half the time, and thus less vulnerable to compromise.

    Humor aside, counting patches is about as good of a way to determine security as counting car crashes to determine what is the safest car.

  • This is so 90's (Score:3, Insightful)

    by blueforce ( 192332 ) <clannagael@@@gmail...com> on Friday February 11, 2005 @12:20PM (#11643468) Homepage Journal
    I'm so tired of this argument "Our software is more secure than their software". It's ridiculous. What they're really saying is "Our programmers and development processes are better than your programmers and processes." These security debates, whitepapers, and arguments are always subjective, never solve anything, and only prove that someone has time to waste.

    Any given OS, in the hands of an expert, is just as stable or secure as the next. There's just no way to effectively prove otherwise. The test domain to definitively prove which OS is truly the most secure is incredibly huge. As long as human beings code it, it's insecure. There is no version of Unix or Linux that has a higher Evaluation Assurance Level [commoncriteriaportal.org] than Windows 2000. That doesn't necessarily mean that any novice could actually secure it either.

    Reality is that Windows has a huge number of desktop installations and it's used by a large number of people that can't even open up Notepad or a command prompt if you asked them to. Those same people couldn't even install Linux so it's not reasonable to even suggest. So, how are they supposed to have any idea about security? Most of them can barely get online. It's no fluke that AOL and Windows are as popular as they are - they're easy to use and they have a small learning curve.

    Furthermore, Linux and Windows are so different that's almost ridiculous to even compare them. They solve different problems, they both have their strengths and weaknesses, and other than the fact that they're both operating systems they don't have much else in common. In many ways comparing those two systems is like comparing an F-16 to a Leer jet - they both fly; they both have wings; they both have cockpits, throttles, and tails; they're both airplanes but they don't look the same; they don't have the same internal components; they aren't operated the same; and they aren't made for the same purpose.

    Security arguments are out of style. It's safe to say that no major software maker is intentionally designing insecure software. Move on. Innovate. Come up with something original.

  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Friday February 11, 2005 @12:31PM (#11643601)
    Comment removed based on user account deletion
    • Please read the other responses before mine -- but this is one of the things that pisses me off about Windows Server. Microsoft makes an attempt to make serious decisions about your network or server trivial to do by an untrained employee.

      If you can't figure out how to script a remote update, you shouldn't be making the decisions about which updates to apply.

      For an example of triviality, run an hourly cron on a remote machine that does "rpm -Fvh /var/spool/updateonly/*.rpm" and then when you decide to se

  • People still don't get it (Score:3, Informative)

    by novakane007 ( 154885 ) on Friday February 11, 2005 @01:11PM (#11644121) Homepage Journal
    There is this classic confusion about classifying bugs. There is a fundamental difference between "linux" patches, as they call them, and kernel patches. The linux core has a relatively low number of security flaws. Even when they do, the severity of the patch is far lower since most bugs won't give you root level access. Unlike the windows bugs that typically will give you root/administrator rights. The distrobutions may have a lot more bugs, but they also include thousands of open source applications.
    If you want to compare bug numbers, it's only realistic when you count the number of bugs in the kernel compared to the windows base OS.

  • Testing only shows the existence... (Score:3, Insightful)

    by xRelisH ( 647464 ) on Friday February 11, 2005 @02:46PM (#11645360)
    Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003...
    ... Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities

    You can't really claim that one piece of software is more stable or secure than another by using the number of vunerabilities fixed as the only argument. According to this flawed logic, I could write a large piece of software, run one test, work fine for that one test, and claim that mine is more stable than another piece of software that has been thoroughly tested and has had bugfixes.
    I guess Nash has also forgotten the old saying that testing can only show the existence of bugs, not the absense.

  • stating the obvious (Score:3, Insightful)

    by ShadeEagle ( 153172 ) <tehshingenNO@SPAMgmail.com> on Friday February 11, 2005 @03:08PM (#11645604) Journal
    > MS Security Chief Says Windows is Safer Than Linux

    umm... yeah. BIG SURPRISE, FOLKS.

  • MS employee says Windows is safer because... (Score:5, Funny)

    by LoverOfJoy ( 820058 ) on Friday February 11, 2005 @03:57PM (#11646236) Homepage
    MS employee says Windows is safer because using Linux puts him in danger of being fired.

Slashdot Top Deals

Keep up the good work! But please don't ask me to help.

Close