GROKLAW
Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Wednesday, October 22 2003 @ 06:44 AM EDT

You know I couldn't resist covering this story. Microsoft's Steve Ballmer picked up his glove and slapped Linux across the face in a speech given at an industry conference thrown by...who else, Gartner?

In his speech, he said some peculiar things about security:

"Ballmer ... disputed the notion that open-source code is more secure than Windows. 'The data doesn't jibe with that. In the first 150 days after the release of Windows 2000, there were 17 critical vulnerabilities. For Windows Server 2003 there were four. For Red Hat (Linux) 6, they were five to ten times higher,' he said.

"'The vulnerabilities are there. The fact that someone in China in the middle of the night patched it--there is nothing that says integrity will come out of that process. We have a process that will lead to sustainable level of quality. Not saying we are the cat's meow here--I'm saying it is absolutely not good reasoning to think you will get better quality out of Linux.'"

Ballmer's being a naughty boy again. China indeed. "In the middle of the night." Trying to frighten the children with overtones. And playing with numbers. What year is it again? Red Hat 6? Pardon me for pointing it out, but they are up to 9 now. He's choosing a 150-day period from back in the day -- and I wonder how long it took to pick the best segment of time to use -- and using that for comparison? There is a lot that can be said about this, but it's not really necessary to do any research on this sad subject, I don't think. Everyone on a Windows box just went through the worst summer and fall of security issues of all time. They already know he's just ...well, what would be the precise word here? You hate to say lying. It's so cold.

However, let's do a little research, just for fun.

Judge for yourself which operating system is more vulnerable to security problems by going down the list on CERT's Incident Notes page. It goes back to 1998. And here is their Current Activity page. It's almost all Microsoft issues. Here's their Vulnerabilities Notes page. It's all Microsoft, except for one, which isn't Linux. Here is their most recent quarterly summary. And here is a chilling article. After you look at all the data, what do you think now? Was Mr. Ballmer accurate? The only way I could find Linux prominently on any list was to type it into the Customized Search engine by itself on this page, and then when you get to the list, it's a list for all vulnerabilities of all the distributions of Linux, not just Red Hat. I couldn't find anything equivalent to Microsoft announcing a vulnerability and then saying there was no patch and you should just shut that particular functionality down. Ballmer said there were 17 critical vulnerabilities in Windows 2000 in the 150-day period and that Red Hat had considerably more. But look at the list: it shows only 16 vulnerabilities for all flavors of Linux for the entire year of 2000. CERT only lists the big ones, but Ballmer did say "critical". It makes you wonder where he got his numbers from or how he defines "critical".

Funny he would choose such an old time period, don't you think, for his comparison? Maybe it's because looking at July through October of this year would be devastating? I see only two Linux vulnerabilities on the list for that time period, both buffer overflow vulnerabilities, so evidently there has been considerable improvement on the Linux side.

Look at what could happen to you on a Windows box in the first two weeks of September 2003, though, just using a handful of the many recent vulnerabilities here and here and here and here and here and here and here. I didn't include July and August or October or the rest of September, out of kindness. Now, what Mr. Ballmer needs to do is show me anything like that kind of news coverage of security vulnerabilities in GNU/Linux, for any two week period. And speaking of critical, look at what the results could be from the Windows security issues:

"'An attacker who successfully exploited these vulnerabilities could be able to run code with local system privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges,' Microsoft warns."

Defying these facts, here's what Ballmer said about the built-in superiority of commercially produced software:

"The Microsoft chief executive also contrasted the quality of software that's produced by commercial makers to that of software that's developed under the open-source model. 'Should there be a reason to believe that code that comes from a variety of people around the world would be higher-quality than from people who do it professionally? Why is its pedigree better than code done in a controlled fashion? I don't get that,' he said.

"'There is no road map for Linux, nobody who has his rear end on the line. We think it's an advantage a commercial company can bring--we provide a road map, indemnify customers. They know where to send e-mail. None of that is true in the other world. So far, I think our model works pretty well,' Ballmer said."

Oooo. Scary. "The other world." More ominous overtones.

He doesn't get it, or claims he doesn't, so I will explain. The very openness he and SCO criticize is what makes Linux more secure. Why? First, there are no artificial roadblocks. All their moats and chains and gates and laws and terror tactics to make sure no one looks at their code or "steals" it create blockades that can get in the way of fixing problems. In GNU/Linux, anybody can fix anything and offer it to the world as a cure. Then someone else can test it and verify it, and pass on that info. You don't have to use what they write, but you can if you want to. Someone is awake somewhere 24 hours a day, and so things tend to get fixed fast. As George Bernard Shaw pointed out, talent can crop up anywhere, and anyway, not even MS can hire all the talented people in the world.

And here's another secret: Linux users help out with bug reports. Yes. We do that. For nothing. Just to help. Millions of us. This is the secret sauce of GNU/Linux, a significant part of its power. If we users try software and something doesn't work perfectly, we let the authors know. That is Linux' secret. Hidden problems don't stay hidden, when anyone can bump into them and let the authors know they need to fix it. If the user knows how to fix it, he or she can fix it and send the fix back to the author. And the author doesn't charge you to contact them either. It's a very efficient system. Ever try to call Microsoft?

As someone wrote me the other day, Windows comes from a box. Linux comes from a community.

So the result is, although Mr. Ballmer can't believe it, Linux really is more secure. And the data does jibe. It appears IT professionals are catching on now. They just released the results of a survey of IT pros, and their opinions of Linux security versus Microsoft do not match Mr. Ballmer's views. There has been a rise in confidence in Linux in the past 6 months:

"New research shows that confidence in Linux as a secure platform is up. A recent survey conducted by the research firm Evans Data shows that Linux's reputation as stable and secure operating system is growing among people who write code for a living. . . .

"The survey also found that open source code, modules and tools are used more widely among developers than they were a few years ago. In a 2001 survey, Evans Data found that 38% of the 500 developers it surveyed said they used open source code in the applications they write. The most recent findings showed that 63% of developers incorporate open source today.

"Overall confidence in Linux as a mission-critical serving platform was also up from past year's surveys. While 34% of the 500 developers surveyed in 1999 said they thought Linux was ready for prime time, 64% said in the latest survey that they would trust mission critical applications to run on Linux."

So when Ballmer says the "data doesn't jibe", the question is, which data? Or, more precisely, whose?

Look at the spike in security incidents this year, compared with last year, 114,855 in the first three quarters of this year and only 82,094 incidents for all of last year. It's a good time to be thinking about security.

Have you been thinking about trying Linux? HP will let you test drive various Linux environments to see how you like them. It's really a tool for developers, but the web site doesn't list any restrictions as to who can do a test drive. They offer Red Hat, Debian, Mandrake, SuSE, and others. If any of you journalists or CEOs out there have never tried Linux, why not give it a whirl? (I hope the rest of you leave them room by not crowding ahead of them. Obviously, there's limits to how many can do this at once.) Or get yourself a Knoppix CD and try Linux on your own computer here. It runs off the CD, so when you are finished, your Windows software is still there, if you insist. Knoppix is a Debian version of GNU/Linux, by the way, and some consider Debian a very secure environment indeed. It's fun. If you try it just one time, it will open your eyes.

UPDATE Bruce Schneier's Cryptogram for November 15, 2003 links to this article and says this about it: "Excellent analysis of the security of Windows vs. Linux." I am, of course, honored.


  


Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line | 168 comments
Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: jmc on Wednesday, October 22 2003 @ 06:59 AM EDT
Great - tell that to the company downstairs from us that came off the net
completely and permanently after the last lot of viruses.

I offered to switch him to Linux free just to stop him moaning.

Meanwhile I'm sitting at a machine that was last booted 4 months ago (and only
then to upgrade the kernel) and didn't turn a hair during all that trouble.


---
John Collins
UK Linux hacker


It's a bigger TALENT pool!
Authored by: Anonymous on Wednesday, October 22 2003 @ 07:07 AM EDT
From Yahoo SCOX Stock Board
by: crunchie812
10/21/03 01:52 pm
Msg: 54387 of 54544

Ballmer's assertion:
"Should there be a reason to believe that code that comes from a variety
of people, unknown from around the world, should be somehow of higher quality
than that from people who get paid to do it professionally?"

crunchie812's reply:
"Should there be any reason to believe that a relatively small group of
paid programmers working under the direction of a marketing machine can produce
code approaching the quality of a global team linked by the internet, whose
every line of code is subject to ruthless peer review, and whose only standard
is excellence?"

I might add ... Microsoft's programmers are seldom chosen for their expertise.
They are more selected for their ability to join the group culture and
"make code fast".


Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Wednesday, October 22 2003 @ 07:22 AM EDT
I was dozing through the pre-dawn news, and some "expert" was
showing how to make your Windows computer safer from all these viruses and
crap:

Instead of the obvious step of telling the user to download and install Mozilla
or Opera for mail and browsing, and a decent firewall like ZoneAlarm, the
"expert" suggested that you download and install every patch MSFT
tells you is needed (at 30-40 MB per patch), and activate the wimpy XP firewall.





Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Steve Martin on Wednesday, October 22 2003 @ 07:28 AM EDT
OK, let's see... I interpret Ballmer's "150 days" to mean the
five-month period after each product's release date. Hmmm... wonder if that
could be because 2003 has only been out five months? By the way, notice how we
completely skipped over mentioning XP??


Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: freeio on Wednesday, October 22 2003 @ 07:38 AM EDT
I beg to differ with Mr. Ballmer's assertion.

His claim is disingenuous, since according to their EULA, Microsoft can never be
held responsible for anything they do. As such, no one's "rear end is
on the line." By legal fiat, they have essentially disclaimed all
responsibility for their actions.

There are market forces which may spur Microsoft to respond in some particular
way, but that applies equally to GPL software. If GPL software is broken, we
fix it, not just because flaws detract from general acceptance of our software,
but more so because we "eat our own dog food." We use GPL
software, and so it had better work for us. It benefits us to not just fix our
problems but even more so to proactively avoid them.

So the guarantee offered for this Very Expensive Microsoft software is superior
to disclaimer offered by GPL how?

It is not. Microsoft just costs more, and is decidedly less "free."

---
TRVTH


Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: arch_dude on Wednesday, October 22 2003 @ 08:01 AM EDT
I have not looked at the bug reports, but is it possible that Ballmer is
comparing the bugs in the Windows release to the bugs in an entire Linux
Distribution? The software in a Linux distribution includes a huge number of
applications with far more functionality than a Windows release. Therefore,
Ballmer is actually saying "look! Our Windows (2003 OS + basic apps) has
fewer bugs than their Linux (1998 OS + basic apps + a zillion additional
apps)!"


Ballmer Says .... VIRUSES anyone?
Authored by: Anonymous on Wednesday, October 22 2003 @ 08:20 AM EDT
VIRUSES and Worms
My company provides managed Internet connections with anti virus and has
detected hundreds of thousands of Windows viruses, but have only detected 4
Linux viruses, which were linux rootkits being emailed by some of our more
techie customers.

I have no doubt that Windows has a serious problem with Viruses and that there
are no Linux viruses in the Wild. I can't give an accurate count for Windows
because we stopped keeping the totals some time ago, and the numbers were
getting so large as to be meaningless.

We provide Linux based servers and have very few "panic updates",
only bind, sendmail and ssl that I can think of.

When Ballmer compares numbers of vulnerabilities between a Linux Distro and
Windows 2003, he is comparing a full operating system with a large number of
applications, multiple web browsers, email clients, servers, applications, with
a basic operating system. To get anywhere near he should include the full
backoffice suite Office and lots of other 3rd party apps.

Whose behind gets kicked at Microsoft? Some temporary contractor who is long
gone? In the Open source community and in the kernel in particular there is
very good accountability, your name in the source code!!


Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: fstanchina on Wednesday, October 22 2003 @ 08:20 AM EDT
I was particularly amused by the line "They know where to send
e-mail". Sure... I work as a programmer on Windows (but I'm getting more
fed up with this every day) and I tried several times to talk with someone at
Microsoft about issues I was having with Visual Studio, but I never heard
anything back. Not even "don't bother". Contrast this with the
usual responsiveness of open source project maintainers, from Linus to the KDE
people, the Mozilla people, the Samba people, etc. etc. etc.


He's talking to Congress
Authored by: Anonymous on Wednesday, October 22 2003 @ 08:30 AM EDT
PJ:

Actually, Ballmer does get it. So does McBride. As I've said before about
McBride, I'll say about Microsoft, and perhaps Sun.

They're talking to the radical right wing in Congress. Mentions of China and
terrorism are the clues for this.

They want Congress to outlaw the GPL, and it's the same kind of effort they're
now making in Europe to get approval for software patents.

Stuart Thayer


Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Wednesday, October 22 2003 @ 08:38 AM EDT
"The Microsoft chief executive also contrasted the quality of software that's produced by commercial makers to that of software that's developed under the open-source model. 'Should there be a reason to believe that code that comes from a variety of people around the world would be higher-quality than from people who do it professionally? Why is its pedigree better than code done in a controlled fashion? I don't get that,' he said."

Of all the things that were said, this was the part that pissed me off. That takes nerve to even think that somehow only professionals know how to write better software. For the record, I am a professional developer (in the sense I get paid to write code). I am formally trained but everything I do day-to-day didn't come from a course. I am self-taught, like many professionals. The only difference between an amateur and professional developer is the paycheck and I know many a so-called "amateur" who could code rings around me.

Nice job trying to propagate the idea that only professionals write good software. I write OSS in my spare time. Does that mean my code will be of better quality because I am pro during the day?

It is crap like this that is an insult to programmers everywhere. It must be nice to be the George W. Bush of Microsoft. Every company needs one, I guess.


Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Wednesday, October 22 2003 @ 08:45 AM EDT
Microsoft has to attack Linux on security because security is Microsoft's
biggest liability. They know that the reporters reporting and the majority of
the people reading Ballmer's statements will accept the view that Linux is
insecure and will never never never refute that view. The facts are just a minor
nuisance.


Living with MS and Fear
Authored by: mac586 on Wednesday, October 22 2003 @ 09:12 AM EDT
I was in the Kuwaiti desert when Melissa hit the US military installation I was visiting. The entire network was shut down, every single computer powered off, until the sysadmins were able to sanitize the exchange server and apply patches. Each workstation was powered up individually and sanitized. The entire process took 72 hours. (What computers were still operating and sending mail? The shiny new Linux servers I was installing.) Do you think the US government was indemnified for the downtime suffered worldwide?

Regardless of what Mr. Ballmer says, things have only gotten worse since then. A few years ago a white paper was published which focused on the economical impacts of network downtime. If a company were to suffer 2 weeks of downtime in the course of a year, the company would more than likely go out of business. How many companies have suffered such a fate due to the security implications of a MS infrastructure?

Linux terrorists on Tuesday, Chinese coders on midnight shift on Wednesday. Boy it's getting deep.


Just try this in your IE
Authored by: haro on Wednesday, October 22 2003 @ 09:20 AM EDT
This (well known) browser check demo for IE at heise will install and execute a windows executable that will pop up a window to tell you you are vulnerable. Try it if you dare. I don't know what else they do, or any other link on the net for that matter, but it is clear what they can do.

I think there are those here who remember testimony that IE is an integral part of the windows os, thus surely it is relevant to count this vulnerability. There are vulnerabilities everywhere, but is there anything nearly as bad in the linux world?

Now for the real dare. Use IE, and let some family members, e.g. teenage boys, browse using your broadband connection, then use an internet banking facility to pay some bills.


Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Wednesday, October 22 2003 @ 09:44 AM EDT
As always PJ very well worded and the links are loaded with TRUTH! I offer local
and US cd's of knoppix to all my friends online and here at home, at my own
expense, I keep iso's up to date for fresh burned cd's to anyone who wants
one. I am new to linux and WANTED to find a way to help, that's my way :)...so
anyone know anyone who wants a free cd, I even pay shipping.

Kathy
k_odriscoll at comcast dot net


OT: Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: markus on Wednesday, October 22 2003 @ 09:51 AM EDT

Why is this story posted here on Groklaw?

I was under the assumption Groklaw is concentrating on the litigation surrounding Linux, SCO, IBM etc. When I'm coming to Groklaw I expect to find things pertinent to these topics. There is no need to repeat the news-sites or slashdot.

Until now stories and comments at Groklaw are extraordinary and I fear by getting too much off-topic the trolls will find us and the good stuff gets buried in the noise.

Markus

---
--
Markus Baertschi, Switzerland


PJ wants research, PJ gets what she wants
Authored by: Anonymous on Wednesday, October 22 2003 @ 09:54 AM EDT

Here, in a single link, is one of the better sources.

Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers! by David A. Wheeler (last revised 8 Sept 2003).

It has lots of links to additional resources.

Regards, Jim (agriffin not logged in)


Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Wednesday, October 22 2003 @ 09:55 AM EDT
ROFL.

If that's the case, then "someone's" rear end would be battered,
bruised and generally abused.

I am sure you can guess who the "someone" is. :)

Regards,

Fredrick


Ballmer Speaks From His Rear End
Authored by: Anonymous on Wednesday, October 22 2003 @ 10:08 AM EDT
Ballmer forgot to include all the critical vulnerabilities found
subsequent to the first 150 days in his count. Just because MS
(and most of the world) weren't aware of the faults doesn't make
Windows 2000 more secure - they didn't suddenly appear at a later
date. Blackhats have been taking advantage of these flaws for years.

How disingenuous can one be?

Based on the EULA it certainly appears that Microsoft's Rear End
is NOT on the line - maybe the end user's is? Clause 13 says MS
may pay the princely sum of $5.00 in damages if found liable!
(Thought I'd include the full text of the relevant clauses for
your reading pleasure, just to remind everyone where Ballmer is
actually coming from with his "Rear End on the line" comments).

My favourite part:-

"THE ENTIRE RISK AS TO THE QUALITY, OR ARISING OUT OF THE
USE OR PERFORMANCE OF THE SOFTWARE, REMAINS WITH YOU."



11. DISCLAIMER OF WARRANTIES. To the maximum extent permitted
by applicable law, Microsoft and its suppliers provide the Software, and
support services (if any) AS IS AND WITH ALL FAULTS, and Microsoft
and its suppliers hereby disclaim all OTHER warranties and conditions,
whether express, implied or statutory, including, but not limited to, any
(if any) IMPLIED warranties, DUTIES or conditions of MERCHANTABILITY,
OF fitness for a particular purpose, OF RELIABILITY OR AVAILABILITY, OF
ACCURACY OR COMPLETENESS OF RESPONSES, OF RESULTS, OF
WORKMANLIKE EFFORT, OF LACK OF VIRUSES, AND OF LACK OF NEGLIGENCE,
ALL WITH REGARD TO THE SOFTWARE, AND THE PROVISION OF OR
FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES, INFORMATION,
SOFTWARE, AND RELATED CONTENT THROUGH THE SOFTWARE OR
OTHERWISE ARISING OUT OF THE USE OF THE SOFTWARE. also, there
is no warranty or condition of title, quiet enjoyment, quiet possession,
correspondence to description or non-infringement with regard to the
Software. THE ENTIRE RISK AS TO THE QUALITY, OR ARISING OUT OF
THE USE OR PERFORMANCE OF THE SOFTWARE, REMAINS WITH YOU.

12. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER
DAMAGES. To the maximum extent permitted by applicable law, in no
event shall Microsoft or its suppliers be liable for any special, incidental,
punitive, indirect, or consequential damages whatsoever (including, but
not limited to, damages for loss of profits or confidential or other
information, for business interruption, for personal injury, for loss of privacy, for
failure to meet any duty including of good faith or of reasonable care, for
negligence, and for any other pecuniary or other loss whatsoever) arising
out of or in any way related to the use of or inability to use the SOFTWARE,
the provision of or failure to provide Support or otherwise arising out of the
use of the software, or otherwise under or in connection with any provision
of this EULA, even in the event of the fault, tort (including negligence),
misrepresentation, strict liability, breach of contract or breach of warranty of
Microsoft or any supplier, and even if Microsoft or any supplier has been
advised of the possibility of such damages.

13. LIMITATION OF LIABILITY AND REMEDIES. NOTWITHSTANDING ANY
DAMAGES THAT YOU MIGHT INCUR FOR ANY REASON WHATSOEVER
(INCLUDING, WITHOUT LIMITATION, ALL DAMAGES REFERENCED HEREIN
AND ALL DIRECT OR GENERAL DAMAGES IN CONTRACT OR ANYTHING ELSE),
THE ENTIRE LIABILITY OF MICROSOFT AND ANY OF ITS SUPPLIERS UNDER
ANY PROVISION OF THIS EULA AND YOUR EXCLUSIVE REMEDY HEREUNDER
SHALL BE LIMITED TO THE GREATER OF THE ACTUAL DAMAGES YOU INCUR
IN REASONABLE RELIANCE ON THE SOFTWARE UP TO THE AMOUNT ACTUALLY
PAID BY YOU FOR THE SOFTWARE OR US$5.00. THE FOREGOING LIMITATIONS,
EXCLUSIONS AND DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT
PERMITTED BY APPLICABLE LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL
PURPOSE.


Security and Roadmaps
Authored by: Anonymous on Wednesday, October 22 2003 @ 10:42 AM EDT

True Story (I was sitting in the meeting when this was discussed):

A commercial software vendor has announced a new version of one of the products (I'll call it version `B'). And since it has a feature that some users have been looking forward to that the version we're currently using (version `A') does not have. Project managers begin looking at plans to upgrade to `B' ever since hearing about the new features that would be available based on the vendor's roadmap. But (and as Pee Wee would say `A big but...') a feature that we are currently using in `A' is no longer available in `B'. It is expected to be available in about six months when version `B.1' comes out. And to top it off, support for `A' is not going to be available in a couple of months. And there's an aggravating side issue: we're in the midst of upgrading other software, including the database that this product connects to. The new versions run on either version of the database, but `A' will not be certified on the new version. So the company is faced with a decision: rewrite the applications based on this product to work around this temporarily unavailable feature, use the previous version without vendor support until version B.1 comes out, or upgrade the database and find that `A' will not even work. Oh! I almost forgot the best part: the missing feature is a security feature!

Now I'm not sure how closely my coworkers were following the `roadmap' for this product but it was obviously close enough to have been anticipating the new features and to know when they were due out. But I'd be willing to bet almost anything that no mention of dropping security features appeared on the roadmaps they were looking at. I've encountered similar things before involving vendor roadmaps for both hardware and software products and their general lack of reliability; they're typically only even remotely accurate until the next trade show. Is it any wonder that most folks do not find much comfort in a vendor's roadmap? Ever try to plan a series of upgrades of several interdependent software products based on vendor roadmaps? Or plan how your internally written software will be developed to use features announced in those roadmaps? It's nearly impossible. So, roadmaps don't have anywhere near the worth that Ballmer ascribes to them. About all they're good for is providing fodder for coffee break discussions.


Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Wednesday, October 22 2003 @ 10:48 AM EDT
I spent a week trying to clean up after Blaster and Nachi. Would Mr. Ballmer be
so kind to provide me with his mail address so I can send him an invoice for the
time I spent working on his super secure OS.


RedHat 9 Security Advisories
Authored by: Anonymous on Wednesday, October 22 2003 @ 11:10 AM EDT
It would be absurd to think that for all the products that ship with RedHat 9
and for the length of time it has been out that there wouldn't be any security
issues. I count 53 myself.

See https://rhn.redhat.com/errata/rh-9-errata-security.html

But rh9 does a good job alerting me when an advisory is issued (redhat network
alert icon) so I usually get the updates installed on the same day.


letter to the editor...
Authored by: Anonymous on Wednesday, October 22 2003 @ 11:14 AM EDT
via this feedback form.

steve ballmer says microsoft is responsible for windows security. ok, first i don't use windows but i assume you folks do. could you please review your microsoft eula and explain what that legal document says microsoft is responsible for?

likewise, were you able to determine where unix/bsd/linux users can get repaid for bandwidth used and time spent deleting various ms hosted worms that exploited ms security holes?

kevin lyda (too lazy to log in at the mo)


another MSFT connection with sco
Authored by: Anonymous on Wednesday, October 22 2003 @ 11:40 AM EDT
another MSFT and SCO connection:
from yahoo today:

http://biz.yahoo.com/djus/031017/1856000958_3.html


how would SCO benefit from one of these, exactly? Did SCO pay for theirs?

[ Reply to This | # ]

Because Someone's Rear End is on the Line
Authored by: rand on Wednesday, October 22 2003 @ 11:43 AM EDT
So, anyone know how many rear ends have lost their jobs at MS because of
piss-poor software being released?

How about demotions due to viral vulnerabilities?


---
urk...I apologize in advance for wrong keystrokes: tendonitis of the lfet hand,
the fingers drag sometimes...

[ Reply to This | # ]

Add to SCO "Interview Kit"
Authored by: DaveAtFraud on Wednesday, October 22 2003 @ 12:32 PM EDT
Both Microsoft and SCO tout the fact that they indemnify their customers as an advantage of their products over Linux and other Open Source Software. The American Heritage Collegiate Dictionary defines indemnify as:
1. To protect against damage, loss, or injury; insure. 2. To make compensation to for damage, loss, or injury suffered.
This definition of indemnify seems to be at odds with the Disclaimer of Warranties, Exclusion of Damages, and Limitations of Liabilities sections of your products' end user license agreements (EULA). Please explain your meaning of indemnify when you say that you "...indemnify your customers while Linux does not" or, if you are using the dictionary meaning of indemnify, when your EULAs will be changed to incorporate the generally accepted meaning of indemnify.

---
Quietly implementing RFC 1925 wherever I go.

[ Reply to This | # ]

The lawsuit was a prop from the beginning.
Authored by: ra on Wednesday, October 22 2003 @ 12:50 PM EDT
It's starting to seem to me that this episode really was never about killing
Linux.

SCO is going to each of the 1000 largest companies and quietly threatening them
with legal action.

If 500 say go to hell, and 500 give them $200,000 just to shut them up, SCO gets
away with $100,000,000.

This is all before the IBM trial ever even sees a judge.

SCO hopes to either get the Red Hat case dismissed or sent to Utah and delayed.
At worst, they want to keep it delayed in Delaware. They may be able to
accomplish one of those three in which case their skimming program continues.

When it's all over, the people who paid may feel a little stupid, but it was just
$200,000. Linux won't be that much worse for the wear. Nobody will blame
Linux or the community around it. SCO was the bad guys but they got away with
it. Boies gets his 20% fee from the program.

As a final F-you to us in the Linux community, they may actually sue someone and
try to get the GPL revoked or something. Or maybe they won't - I don't think
they will still care at that point.

One thing that can hurt SCO is if the press gives companies a reason not to give
SCO a tiny bit of money.

Another thing that can hurt SCO's licensing plan would be a lawsuit that they
would not be able to send to Utah or delay.

Since they don't even show the licenses except under NDA, no one even knows
enough about the licenses or the licensing program to get an injunction to stop
SCO from selling them.

We can try to get Attorney Generals to watch them but pre-trial settlements are
legal, even if one side knows it doesn't have a strong case. And that's how
these are most likely being packaged.

Derivative works and contract clauses and revocable or not revocable don't
matter at all as long as SCO can keep a little bit of uncertainty so some
companies are willing to make a trivial payment just in case.

It's fraud. We know it's fraud. But what can we do about it?

[ Reply to This | # ]

Ballmer No Rocket Scientist
Authored by: ZeusLegion on Wednesday, October 22 2003 @ 12:50 PM EDT
PJ: Sorry if you were expecting Ballmer to be any more intelligent than the
lucky dumb jock he's portrayed as in "The Pirates of Silicon
Valley" which, btw, contains a fantastic and disturbingly creepy portrayal
of Bill Gates by Anthony Michael Hall (The Dead Zone, Weird Science, Breakfast
Club, Vacation). Rent it tonight.


---
Z

[ Reply to This | # ]

  • Forgot one... - Authored by: Anonymous on Wednesday, October 22 2003 @ 01:54 PM EDT

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Sri Lumpa on Wednesday, October 22 2003 @ 01:12 PM EDT

Everyone on a Windows box just went through the worst summer and fall of security issues of all time. They already know he's just ...well, what would be the precise word here? You hate to say lying. It's so cold.

Well, you can always say he is Prevaricating.

Also: The fact that someone in China in the middle of the night patched it--there is nothing that says integrity will come out of that process.

Let's rephrase it from our point of view:
"The fact that someone in India* in the middle of the night patched it--there is nothing that says integrity will come out of that process, especially when so few people can check the integrity of the code."

So having people in developing countries writing your software is bad with Free Software but good with proprietary software when they outsource?

Also, Linux's lack of a roadmap set in stone is good because it is largely a user-driven effort so new goals can easily be added to the informal roadmap if enough interest is manifested. That is much better than MS's succession of stone-set roadmaps that they consistently fail to deliver upon.

Even their failure to deliver their promises used to fail to be on time but at least they took a hint from Linux's development by not giving a date for the release of Longhorn (it will be done when it will be done), something that has absolutely nothing to do with them migrating many customers to a three-year plan where they can upgrade to any new version produced during these three years regardless of whether or not there will be a new version. Too bad that the interval between XP and Longhorn will be more than 3 years.

*not that MS does outsource everything in India or that there aren't many talented people there, I'm just mirroring their rhetoric here, not trying to offend anyone, so sorry if I did offend you.

[ Reply to This | # ]

Windows security for the average user
Authored by: Anonymous on Wednesday, October 22 2003 @ 01:17 PM EDT
Having worked with computers since the pre-Microsoft days and followed every version of Windows since the 1.0 "smoke and mirrors" demo, in my experience there are three basic steps the average person can and should take to avoid the worst of Windows' problems:

  1. Never directly connect a Windows machine to the Internet. Avoid fake "firewall" software such as Zone Alarm; the most reliable solution is a dedicated free Unix machine. FloppyFW and Devil Linux are two highly regarded Linux distributions, Devil being the more fully featured and slightly easier to use, but FloppyFW providing more than enough for most people and being still quite easy to set up.
  2. Never use Microsoft Internet Explorer. (Caveat: Many Windows applications still use the IE engine.)
  3. Never use Microsoft Outlook or Microsoft Outlook Express.
Even following only the second and third steps will result in drastically improved security. With all three steps combined, the home user will avoid approximately 80-90% of all problems relating to Microsoft Windows. However, they really ought to boot from Knoppix and give it a whirl. They may find themselves pleasantly surprised.

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Wednesday, October 22 2003 @ 01:21 PM EDT
It has occurred to me, after listening to all of the Microsoft and TSG lies about
how their companies develop software, that we are asking the wrong questions.

We should instead be asking them to explain in detail what their respective
software development process(es) are. I know from first hand experience what
Microsoft's is. Microsoft would be seen in a very different light, if the world
understood how software was developed at Microsoft.

Perhaps more ex-MS employees, contractors, and consultants will add their voices
to this discussion.

I think Mr. Ballmer has brought this line of questioning upon himself and
Microsoft by claiming superiority. Let's see the process and judge for
ourselves.

So, Mr. Ballmer show us the process.

[ Reply to This | # ]

Low rent theories
Authored by: Anonymous on Wednesday, October 22 2003 @ 01:33 PM EDT
Following up sort of ra's comment about $200,000 X 1000...

SCO talks about $1 billion, $3 billion, $50 billion, $1 billion per week, etc.

How much was the company worth before all this started?

How much was the executives' stock holdings worth before this started?

How much are the executives' salaries?

Canopy aside, (and perhaps inside), how much real money was involved in SCO
before this started?

The question I have, is while they might publicly talk about billions, and dream
of being billionaires, was that a realistic ambition?

We might not like these guys, but I think that they are not stupid.

So I'm thinking that *perhaps* their real ambitions were somewhat lower than
the figures touted in the press.

[ Reply to This | # ]

Security updates
Authored by: Anonymous on Wednesday, October 22 2003 @ 01:44 PM EDT
One other thing I've noticed is that updates for the various Linux packages
(OpenSSL and OpenSSH come to mind) are for _potential_ issues. This comes from
people looking over the code and finding possible exploits, rather than the MS
approach of 'wait until an exploit is found and then fix'.

This is probably the most important aspect to the security debate between Open
Source packages and the closed source packages. People are free to find
problems in the code prior to the exploits being found.

On a side note, the low number of 'critical updates' MS touts is meaningless.
You and I have no idea how many bugs are fixed in each patch. For OSS, a fix is
usually made on a per-bug basis, and those fixes rolled into the next major /
minor release of the software. It's a numbers game designed to fool the end
user. "We've only had 4 critical updates compared to 15 for Linux"
sounds better, but if those 4 critical updates contain fixes for 5 or 6 security
issues, then it's 20-24 security holes versus the 15.

And while we're at it, how many exploits listed for Linux require someone to
first have a shell on the machine? How many exploits on the Windows side
_don't_ require a user to already have access?

The point here is that "17 critical vulnerabilities" disclosed by MS
could mean anything, and comparing 'vulnerabilities' by number is a bad idea
in general due to the natures of the exploits ("I'm on the same network
as your machine so I can get into it" against "I have to already
have an account before I can get root on it").

-- Tomcat

[ Reply to This | # ]

If SCO loses...
Authored by: gumout on Wednesday, October 22 2003 @ 01:53 PM EDT
It seems to be human nature to speculate, play devil's advocate and be
influenced by anecdotal evidence.

I am a harsh critic of our legal system. Having said that, I know most people
are constantly ruminating about the unpredictability of the legal system, but
for every capricious decision cited, probably ten thousand are decided correctly
with settled law. Got any idea how many lawsuits are filed every day in this
country?

IBM's IP legal department is legendary in its cautious and skillful approach
to Intellectual Property matters. Each of us must eventually come to
our own conclusion concerning the merits of the SCO v. IBM suit.

After careful review of all the available law and evidence I suspect the wings
will fall off my next commercial jetliner before SCO wins its jackpot.

---
Sir, ( a + bn )/n = x , hence God exists; reply!

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: phrostie on Wednesday, October 22 2003 @ 04:12 PM EDT
if i understand the EULA correctly, MS is only liable up to the purchase cost of
the software. is this a one time liability or is it for each problem?

am i making sense?


---
=====
phrostie
Oh I have slipped the surly bonds of DOS
and danced the skies on Linux silvered wings.
http://pfrostie.freeservers.com/cad-tastrafy/
http:/

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Wesley_Parish on Wednesday, October 22 2003 @ 04:17 PM EDT
There's a Russian political joke dating back from Brezhnev's time:

It seems that Leonard Brezhnev's mother came to visit him, and being a good and dutiful son, he decided to show her all his accomplishments. He took her all around the Kremlin, showing her all the things dating from the Tsarist regime that were in storage, then down to the various galleries of art that had been sequestered, then around to his Dachas (Country Estate) around Moscow and Leningrad and Volgograd, and then to his Dacha on the Black Sea.

He did however, notice she was becoming quieter and quieter and finally she stopped asking questions.

"What's the problem, Mother?"

"Son, I'm frightened - what if the Bolsheviks return?"

I can take only so much of a supposedly capitalist company arguing that a state-sanctioned predatory monopoly is in any way good, particularly when it lies about its security record in the face of widespread identity theft with the corresponding loss of consumer confidence in their own spending power; and likewise a supposedly capitalist company arguing that it is in an economy's vital interests for them to rob customers blind - in broad daylight.

These are the issues that revolutions are started over, after all.

---
finagement: The Vampire's veins and Pacific torturers stretching back through his own season. Well, cutting like a child on one of these states of view, I duck

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Wednesday, October 22 2003 @ 04:59 PM EDT
It seems to me that the safest way to run a Windows box is to not use any
Microsoft browser or e-mail client on it. In addition, put it behind a Linux or
FreeBSD firewall.

Just my 2 cents

[ Reply to This | # ]

Local versus Remote
Authored by: Anonymous on Wednesday, October 22 2003 @ 05:51 PM EDT
It's important to note that Microsoft does not even consider local privilege
elevation issues as critical. In the linux world, if an authenticated user can
gain root access to the system he's on, it is immediately a top issue.
Microsoft's peculiar bug triage process flags these issues as 'Important' at
best.

Take for example the semi-infamous shatter attack, which Microsoft has still
failed to address properly. They just released an 'important' patch for two
shatter type vulnerabilities, but still tend to claim that once you have access
to a computer, you own it anyway.

This is pure FUD, in Ballmer's classic style. Manufactured stats, some American
patriotic rhetoric, and no mention anywhere of his dubious comparisons between
different classification schemes. Bullocks, plain and simple.

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Wednesday, October 22 2003 @ 05:58 PM EDT
I think Linus may have said it best, in a quote from a recent interview I read:

"Once you start thinking more about where you want to be than about making
the best product, you're screwed."

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Wednesday, October 22 2003 @ 06:02 PM EDT
I have run Windows boxes for the better part of the last 10 years or so and have
NEVER, I repeat NEVER had any problem with ANY virus, ANY worm or otherwise
malicious program. I have also used Linux for the past 5 years and just like
with Windows if you don't RTFM and just ASSume things you will inevitably have
insecure systems.

And let's be honest if you give Joe Average User (aka JOHN DONTKNOW) a Linux
box instead of a Windows box you will end up having similar problems -- not to
mention that the costs for desktop support will significantly increase.

Also if you compare exploit statistics you should not forget that there are FAR
FEWER LINUX CODERS THAN WINDOWS CODERS, so naturally they will discover more bugs
in Windows. (what was that argument about the bigger "Talent" pool
again ....!!!##!!!)

Each OS has its place, but no OS can say that it has ALL places covered ;)

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: mikebmw on Wednesday, October 22 2003 @ 06:04 PM EDT
I just have to stick this one out here. These quotes together paint an
interesting picture of Microsoft. (who's the commie?)

www.eWEEK.com
May 13, 2002
Allchin: Disclosure May Endanger U.S.
By Caron Carlson

A senior Microsoft Corp. executive told a federal court last week that sharing
information with competitors could damage national security and even threaten
the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft
code was so flawed it could not be safely disclosed.

The bold statements and candid admissions were part of Jim Allchin's testimony
during two days in court here before Judge Colleen Kollar-Kotelly, who is
hearing the case of nine states and the District of Columbia seeking stricter
penalties for Microsoft's antitrust behavior.

www.zdnet.com
February 28, 2003, 7:30 AM PT
Gates reveals Windows code to China

Microsoft on Friday signed a pact with the Chinese government to reveal the
Windows source code, making China among the first to benefit from its program to
allay the security fears of governments.

In addition, Microsoft Chairman Bill Gates hinted that China will be privy to
all, not just part, of the source code the government wishes to inspect.

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Wednesday, October 22 2003 @ 07:49 PM EDT
In spring of 1999, I reported to Microsoft that some mal-formed HTML would crash IE 4. The tech-support people said "Don't do that, it crashes the browser." Duh!!!

It has crashed every version since, and now crashes Outlook too!

Now there's innovation for you!

[ Reply to This | # ]

If M$ software is safe....
Authored by: Anonymous on Wednesday, October 22 2003 @ 08:15 PM EDT
there would be no need for a "Trustworthy Computing" initiative nor
for the new "Securing the perimeter" initiative.

Their own actions are showing how insecure their code is.

JP

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Wednesday, October 22 2003 @ 11:36 PM EDT
Windows might not be as safe as Linux, but how many people with bad intentions
look for vulnerabilities in Linux vs. the number of people that look for
vulnerabilities in the Windows OS? Windows users don't care to search for
vulnerabilities in the OS they use; they just want something that works. Makes
me wonder... how come all Windows exploit software is written to work under
Linux first, then some are adapted to work on Windows platforms?

The Linux community should face the truth: Microsoft isn't more vulnerable because
of bad programmers; it's because the war is against them. People who find
vulnerabilities in Linux are Linux users committed to Linux. They don't keep it a
secret and write a virus that would infect every system running any distro of
Linux; no, they report it or, even better, they fix it so they can get their names
written somewhere on a board or in the released source code. Windows users
usually have no programming skills at all and they don't care about it; all
they do is press that little send bug report button and forget about it and get
on with their lives. I know people who dedicate all their free time to finding bugs
in Windows and they tell me about it. What do I do then? I REPORT IT and IT GETS
FIXED (thank god they don't know about it). If there were more people trying to
exploit every part of Linux than the number of people that dedicate all their
free time to making Windows crash or gaining control over it, I wonder which of the
2 OSes would be proclaimed "Less secure". Think about it.

[ Reply to This | # ]

You want support, you can buy it
Authored by: Anonymous on Thursday, October 23 2003 @ 03:24 AM EDT
RMS said a long time ago, back when he started GNU: if customers want to pay for
someone to call, they can pay for someone to call.

Now there's IBM, Red Hat, SUSE, Hewlett-Packard, and a lot of other companies.
If you want a phone number, if you want somewhere to escalate problems, if you
want indemnification, you can buy all of those things.

I think it's a bit of a mistake for free software people to say "you
don't need support" or "the free internet support model is
better". Yes these things are important. But the kind of support that
IBM and Red Hat sells is important too. So don't limit your answer to
"just post your questions to comp.os.linux.development and you'll get
better answers faster than Microsoft support". Do some straight-up
comparisons of Microsoft paid support and Red Hat paid support for similar
service levels.

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Thursday, October 23 2003 @ 05:20 AM EDT
...I know there's a thousand Linux-enthusiasts who want to flame me for this,
but just as Ballmer is totally biased, I think the article does the same, in a
certain way...

In a normal SW development project, finding errors means that the QA process is
working. The fact that there are a very small amount of security problems with
Linux is not necessarily an indicator of good quality -- it can also be an
indicator of bad quality assurance, as only a low amount of errors have been
found.


[ Reply to This | # ]

MS source code?
Authored by: Anonymous on Thursday, October 23 2003 @ 08:19 AM EDT
For a meaningful comparison, MS source code would need to have been freely
available for download for some number of years, never mind that the comparison
here seems to be between a MS OS and limited number of apps. vs. a whole Linux
distribution.

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: emmenjay on Thursday, October 23 2003 @ 09:08 AM EDT
Hi Pamela

I feel that the estimable Mr Ballmer is drawing you into his vortex of
Micro-speak.

Closely reading his comments, Mr Ballmer is more concerned about structure in the
development process than about open source (though that is not what he says).

Roadmaps, quality programs, the exposure of posteriors, are all artifacts of a
formal or structured development environment.

The clear implication is that closed-source is structured and open-source is
not.

We ought to cut through the layers and address the real concerns.

A well organised development will most likely be more stable than a poorly
organised one. Now where can we find an example of a well run development
project? I have it: GNU/Linux.

There is clear planning and good quality control clearly visible.
Unsurprisingly, the software rocks!

I can point to commercial (closed-source) software that is rock solid, and other
commercial software that resembles a house of cards.

Same thing for open source.

The reason that Windows is so unreliable has nothing to do with its closed-source
origins. For too many years, MS were pushing to keep shipping software with more
and more bloat. Never mind if it worked. And you have to admit that the
strategy had merit - have you seen BG's bank balance?

Now, MS has finally been convinced that quality and security are good things.
But they have an enormous codebase of rubbish. How do you turn poor quality
spaghetti into quality code?

By all means, keep slicing up Mr Ballmer, but we need to keep the facts
straight.

See Ya

Michael J
emmenjayatzipdotcomdotau (I was never good at punctuation).

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Thursday, October 23 2003 @ 12:06 PM EDT
"Ballmer Says Commercial Software is Better Because Someone's Rear End
is on the Line":

Whose would that be? Have you ever looked at the Windows license? They
disclaim everything! You have more recourse with the open-source software. The
only asses on the line are from the IT department when everything crashed from
the latest virus/bug/patch.

[ Reply to This | # ]

Ballmer the shameless liar
Authored by: Anonymous on Friday, October 24 2003 @ 03:19 AM EDT
Manipulating timing and numbers the way Ballmer did may seem clever only to himself.  Everyone with moderate IT knowledge will tell you that comparing Windows to Linux in terms of security strength is an insult to open source developers.  Twisting facts in order to mislead puts Ballmer on par with Gates, as a liar.

Obviously those in Redmond have been spending a lot of effort exploring new arguments that Windows is better than Linux in every way, as well as paying some big bucks to independent research firms to come up with reports which they hope will make the public think the same way.  Apparently they don't have nearly as much a desire to improve their products as to defend them against criticisms.  A company with that kind of business model and attitude has gone on to become the No. 1 software company in the world, and has been there for a while.  It really saddens me.

[ Reply to This | # ]

Oh the Images! Oh the Humanity! Ballmer Says [...] Someone's Rear End is on the Line
Authored by: Wesley_Parish on Friday, October 24 2003 @ 05:12 AM EDT
First we had Linus Torvalds saying that SCO was smoking crack.

Now we have Ballmer declaring that someone's rear end is on the line.

Whose rear end? SCO's, obviously.

But the horrific images that brings to mind! It's way, way much too much!!! I cry of you, mercy! ;^)

---
finagement: The Vampire's veins and Pacific torturers stretching back through his own season. Well, cutting like a child on one of these states of view, I duck

[ Reply to This | # ]

Someone's Rear End is on the Line
Authored by: Anonymous on Friday, October 24 2003 @ 07:32 AM EDT
IMHO the rear ends being mentioned can only belong to one group of people: the
marketing department. If M$ doesn't sell enough to raise SB's and BG's
banking accounts, they get fired.

So there's the reason for their shitty products: marketing has to put its money
where its mouth is, and sell the promised product, even though it ain't finished
(ever!).

Jeetje

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Scott Kruize on Friday, October 24 2003 @ 04:10 PM EDT
Well, the article says "...what would be the precise word here? You hate
to say lying. It's so cold." All right. It's cold. But perhaps it's
also precise, which is a great virtue in rhetoric.

In my college classes in logic, the instructor and the texts agreed that a
"lie" is something that is untrue, that is known to be untrue by the
speaker (or writer), and that is conveyed with the intent to deceive. That's
precise, regardless of how 'cold' it might be.

Equally precise is the conclusion that must be drawn from Mr. Ballmer's
statements, when considered along with the facts.

[ Reply to This | # ]

Cringely on Ballmer's Comments
Authored by: PJ on Sunday, November 16 2003 @ 12:15 AM EST
This was a comment posted anonymously that included almost the entire article, so for copyright reasons, I deleted it and reproduce the link and a snip for reference:

Cringely has an article responding to this, titled How Microsoft's Misunderstanding of Open Source Hurts Us All. He adds some points we've missed.

At the core of Ballmer's remarks is a fundamental misunderstanding not only of Open Source, but of software development as an art rather than as a business. Cutting to the bone of his remarks, he is saying that Microsoft developers, since they are employees, are more skilled and dedicated than Open Source developers. They are better, Ballmer suggests, because Microsoft developers have their rears (presumably their jobs) on the line. All those lines and all those rears are part of a road map, he says, and because of that road map the $30 billion plus Microsoft gets each year isn't too much for us to pay, so the model works pretty well. . . .

Linus attributes the high quality of Linux (it is very stable, certainly compared to Windows) to the very grass roots development effort that Ballmer criticizes and doesn't understand. . . .

"It's very simple," said Linus. "Because the software is free, there is no pressure to release it before it is really ready just to achieve some sales target. Every version of Linux is declared to be finished only when it is actually finished, which explains why it is so solid. The other reason why free software is better is because the personal reputation of the developer is attached to every release. If you are making something to give away to the world, something that represents to millions of users your philosophy of computing, you will always make it the very best product you can make. That's the reason why Linux is a success."

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Sunday, November 16 2003 @ 08:06 AM EST
Hm. Instead of just looking at one source (CERT) which supports your
hypothesis, why not go to the vendor itself? RedHat's own security advisory
page lists 29 security advisories from August 1 to November 15 for RedHat 8...a
little over 105 days. 26 for RedHat 9. Five already for RedHat Enterprise 3.0,
which has only been out for a couple of weeks. In the same time, Microsoft has
had, for all versions of its operating systems still supported, wait for it...
15. Hm. Double the number of vulnerabilities to patch on the RedHat side, in
the same 120 day

You're deluding yourself if you think that any operating system, whether sold
or given away, is secure. Why vulnerabilities for Unix and Unix-Like OS's and
distributions don't seem to warrant a CERT advisory anymore, even with
similarly severe possible consequences, is beyond the scope of the topic.

[ Reply to This | # ]

Ballmer Says Commercial Software is Better Because Someone's Rear End is on the Line
Authored by: Anonymous on Tuesday, November 18 2003 @ 09:15 AM EST
If you're going to point out the fact that RH 6 is an old version of Linux,
then don't talk about "Windows" in the same breath either; Talk
about Windows 2000sp4 or Windows 2003. People are too quick to talk about
Win95/98 or whatever -- they are not real O/Ss.

[ Reply to This | # ]

profit motive == quality ?
Authored by: garbage on Wednesday, January 28 2004 @ 05:38 PM EST
I don't think so...

[ Reply to This | # ]

Do the maths
Authored by: Anonymous on Thursday, January 29 2004 @ 04:32 AM EST
The reason he picked 150 days is clear. 30 days is about the usual time to wait
for Microsoft to release a patch after the problem is reported.
So for Win 2003, 4 critical issues = 1 patch every 30 days, with the 5th due on
day 151.

I'd rather software that's patched at the same rate that holes are found - it's
not quite so draining!!

[ Reply to This | # ]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )