Dueling Studies on Security and TCO in Windows and Linux
Friday, October 22 2004 @ 01:13 PM EDT

The Register has something you'll be interested in, a detailed study of security in Windows and Linux by Nicholas Petreley. The link is to the article, and the full report is here. The conclusion after all the slicing and dicing?

Linux is inherently more secure.

You might want to have the study handy when folks start quoting Steve Ballmer at you:

"'We're more secure than the other guys,' Ballmer said, blaming the sheer volume of attacks against his company's products on their popularity and the resulting fame that can be gained by hacking them. 'There are more vulnerabilities in Linux, it takes longer for Linux developers to fix security problems. It's a good decision to go with Windows.'"

According to Petreley, not true.

From Petreley's Executive Summary:

"We compared Windows vs. Linux by examining the following metrics in the 40 most recent patches/vulnerabilities listed for Microsoft Windows Server 2003 vs. Red Hat Enterprise Linux AS v.3 . . . . The results were not unexpected. Even by Microsoft's subjective and flawed standards, fully 38% of the most recent patches address flaws that Microsoft ranks as Critical. Only 10% of Red Hat's patches and alerts address flaws of Critical severity. These results are easily demonstrated to be generous to Microsoft and arguably harsh with Red Hat, since the above results are based on Microsoft's ratings rather than our more stringent application of the security metrics. If we were to apply our own metrics, it would increase the number of Critical flaws in Windows Server 2003 to 50%.

"We queried the United States Computer Emergency Readiness Team (CERT) database, and the CERT data confirms our conclusions by a more dramatic margin. When we queried the database to present results in order of severity from most critical to least critical, 39 of the first 40 entries in the CERT database for Windows are rated above the CERT threshold for a severe alert. Only three of the first 40 entries were above the threshold when we queried the database about Red Hat. When we queried the CERT database about Linux, only 6 of the first 40 entries were above the threshold."

If you'd like to do comparisons of your own, Microsoft's "Get the Facts" website has white papers galore, the best that money can buy, and some others as well. Laura DiDio's two-part study on TCO is hilariously headlined:

Large Enterprises: Switching from Windows to Linux "Prohibitively Expensive, Extremely Complex, Provides No Tangible Business Gains".

Talk about your loyal servant. She never adds in the cost of coping with viruses and other malware. *No* tangible business gain? I'd say having an inherently more secure operating system is a tangible business gain by any metric, but suit yourself. Joe Barr does his own analysis, factoring in the costs of a visit from the BSA. Here's another study, that found the opposite of Ms. DiDio:

"Companies with at least 2,000 employees can reduce their total cost of ownership (TCO) by as much as 26 percent over three years by using Linux servers over Windows, and 12 percent on open-source office applications over Office products from Microsoft Corp., said Soreon, an IT researcher who focuses exclusively on European markets."

The savings, they say, come from reduced license fees and operating costs. Even Gartner now says that Open Source is a value proposition. Gartner Vice President Mark Driver at their yearly conference Symposium/ITxpo is reported to have repeatedly said, "You'd be stupid not to use open source as part of your application management strategy." I'm sure he wasn't intentionally calling anybody else's study stupid or anything.

Speaking of headlines, here's my personal favorite, as a counterpoint to Microsoft's amusing spin on the DiDio study, from CXOtoday.com Business News for Technology Buyers:

"If Microsoft's Cheaper Than Linux, The Earth's Flat."

It says it all, no?


Dueling Studies on Security and TCO in Windows and Linux | 205 comments
Dueling Studies on Security and TCO in Windows and Linux
Authored by: Anonymous on Friday, October 22 2004 @ 02:28 PM EDT
Corrections HERE! (please)

I post this, then a few minutes later, the topic changes, ah well....
Authored by: skip on Friday, October 22 2004 @ 02:28 PM EDT
A year ago last thursday, I was strolling in the zoo
When I met a man who thought he knew the lot
He was laying down the law about the hackers and The FOSS
And the number of patents a Microsoft has got
So I asked him "What's that Kernel's name?" and he answered
"That's a Unix!"
And I'd have gone on thinking that was true
If the animal in question hadn't put that chap to shame,
And remarked "I ain't a Unix I'm a GNU!

I'm a GNU I'm a GNU
The g-nicest piece of software in the zoo
I'm a GNU how do you do?
You really oughtta g-know w-who's w-who
I'm a GNU spelt G - N - U
I'm not a SCO or a microsoft tha'noo
So let me introduce, I'm neither man nor moose
Oh, g-no, g-no, g-no, I'm a GNU!"

I had taken a few chances by declaring I'd be free
Whence I travelled first with Stallman at MIT
On the second night I stayed there I was wakened from a dream
Which I'll tell you all about some other time
Among the hunting trophies on the wall above my bed
Stuffed and mounted was a face I thought I knew
A bsd? An Unix? a win32 or three?
Then I seem to hear a voice—"I'm a GNU!

I'm a GNU—a-g-nother GNU
I wish I could g-nash my teeth at you
I'm a GNU A G-linux Gnu?
You really oughtta g-know w-who's w-who
I'm not a daft old McBride who'll sue
Nor am I in the least like that dreadful hearty beast
Oh, g-no, g-no, g-no, I'm a GNU!
G-no, g-no, g-no, I'm a GNU!
G-no, g-no, g-no, I'm a GNU!"

---

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Mumbo, perhaps. Jumbo, perhaps not!"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Official "The SCO Group" Positions - 8 days without an official post
Authored by: skip on Friday, October 22 2004 @ 02:33 PM EDT
Main posts in this thread may only be made by senior managers or attorneys for
"The SCO Group". Main posts must use the name and position of the
poster at "The SCO Group". Main posters must post in their official
capacity at "The SCO Group".

Sub-posts will also be allowed from non-"The SCO Group" employees or
attorneys. Sub-posts from persons not connected with "The SCO Group"
must be very polite, address other posters and the main poster with the
honorific "Mr." or "Mrs." or "Ms.", as
appropriate, use correct surnames, not call names or suggest or imply unethical
or illegal conduct by "The SCO Group" or its employees or attorneys.
This thread requires an extremely high standard of conduct and even slightly
marginal posts will be deleted.

P.J. says you must be on your very best behavior.

If you want to comment on this thread, please post under "O/T"

---

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Mumbo, perhaps. Jumbo, perhaps not!"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The problem of course is credibility
Authored by: Turin on Friday, October 22 2004 @ 02:36 PM EDT
Unfortunately, Petreley is about as credible as Ballmer. Petreley has been
bashing Microsoft for over 10 years, first as an OS/2 zealot and now as a late
convert to the Linux side of the house since IBM shelved OS/2 after losing the
desktop wars back in the 90's.

Someone a little more evenhanded is appropriate for a security or TCO
evaluation, methinks.

Dueling Studies on Security and TCO in Windows and Linux
Authored by: blacklight on Friday, October 22 2004 @ 02:53 PM EDT
"'We're more secure than the other guys,' Ballmer said, blaming the sheer
volume of attacks against his company's products on their popularity and the
resulting fame that can be gained by hacking them. 'There are more
vulnerabilities in Linux, it takes longer for Linux developers to fix security
problems. It's a good decision to go with Windows.'" Steve Ballmer

I am going through a garbage experience where I have spent the last two weeks
working out the methodology for centrally securing the settings of a 100+
network of Windows XP SP1 desktops. Right now, I am finishing the selection of
1100 GPO parameter settings on my custom spreadsheet, which I put together from
scratch. I figure that if I were dealing with Windows XP SP2, I would have to go
through a minimum of 1500 GPO parameter settings. I may be unfair, but this kind
of fine-grained selection capability has a lot more to do with petty micromanagement
than with creating any real security. In fact, I will state straight out that
the GPO's are a micromanager's or a control freak's wet dream. Anybody who has
seriously thought about security wouldn't be burying the security parameters
among 1500 parameters, would he or she? As for the TCO: my CEO is painfully
aware of how much my time is costing him.

Steve Ballmer very much reminds me of those Big Three auto executives in the
80's who were going on and on as to how much their cars were superior to the
Japanese imports.

Off topic and trolls here
Authored by: Anonymous on Friday, October 22 2004 @ 02:55 PM EDT
\ \ \ \ \ \ \

Trolls please post umopəpısdn.

\\\ Cyp \\\

\ \ \ \ \ \ \

This is a bridge....
Authored by: tiger99 on Friday, October 22 2004 @ 02:56 PM EDT
... where all good Trolls can lurk. Come on, say something.

Dueling Studies on Security and TCO in Windows and Linux
Authored by: Anonymous on Friday, October 22 2004 @ 03:16 PM EDT
Of course it costs more to switch from Windows to Linux.
That's why you should start off with Linux in the first place!

Get the Facts...
Authored by: Slimbo on Friday, October 22 2004 @ 03:30 PM EDT
I get a lot of IT trade publications. Normally Microsoft rotates their GTF ads,
but for the last several weeks it has been nothing but full page Laura DiDio
studies. I think they've lost hope on the other studies.

Possible bias in "facts"
Authored by: Anonymous on Friday, October 22 2004 @ 03:42 PM EDT
In general I agree with the conclusions but disagree with some of the "facts" brought up in the document. I already used The Register site to reply and will see what kind of feedback I get. To summarize:
  1. The broad condemnation of RPCs is over the top to me. There are certainly valid uses of RPCs, and it ignores that you can use RPCs without exposing the interface to the network.
  2. Does not mention that once you break a network server, the cracker then loads / runs a root exploit (if available) to get to root access. It raises the bar but does not significantly delay the determined cracker.
  3. The Linux kernel is by no means "minimal" and includes a lot of stuff that could be run in user land. It is certainly advantageous that there is less "inside" the boundary than on Windows, but that isn't a compelling argument for better security under Linux.
I mention these because I believe these issues can be dealt with better and as-is, the overall conclusions are weakened.

Metrics on Lock-in
Authored by: Anonymous on Friday, October 22 2004 @ 04:04 PM EDT
I wonder if anyone has tried to create metrics for including the cost of vendor
lock-in.

While it's true that there is inertia moving from one Linux distribution to
another, it's minimal in comparison to moving from Windows to anything else.

And, the situation is likely to get much worse; with Longhorn, lock-in will be
the key feature!

I would suggest that there is a huge cost differential between moving from
Windows to Linux now, and moving in years to come - Microsoft is going to make
it as hard as possible to get off Windows (and MS Office).

My advice: find the areas in your company that have least inertia, and move them
ASAP.

Example - File and printer sharing, switch each file share and printer share
piece by piece to a Samba server. Low disruption, low cost. Depending on
current setup, it may be possible to do without users even noticing.

Plus - instant benefit, as the servers will stay up and running without
attention. Also, you may be able to make better use of your resources - no need
to use X Windows, so more shares and printers on the same kind of hardware.

Desktops will probably provide the most inertia. Many applications have not
been designed to run on Linux - but typically, only a small number of
applications require Windows.

If no alternative is available, it may be possible to get by with terminal
services, or VMWare.

I guess my main point is that TCO of Windows vs GNU/Linux will diverge. MS is
already having trouble keeping up with FOSS development, and will have
difficulty selling customers on new OSes without new features, but once DRM
kicks in, Windows will be hard to get rid of.

Don't just look at the numbers now, but look at where they are going.

"If Microsoft's Cheaper Than Linux, The Earth's Flat."
Authored by: ray08 on Friday, October 22 2004 @ 04:09 PM EDT
I'm sure if you ask Stevie, he would argue that the world is indeed flat, if
that's a requirement for winblows to be cheaper. IMHO, in Stevie's alternate
reality, the world is flat (just look around), pigs can (but don't) fly, and
h*ll is a very cold place even in July. And he has the money to buy all the
necessary studies to prove it!

More seriously, it's called propaganda (brain washing). Tell people the same
thing enough times from different sources, and they start to believe it. Hitler,
et al, were masters of it. I hope the masses are smart enough to sort through M$
crapola.

---
Caldera is toast! And Groklaw is the toaster! (with toast level set to BURN)

Yellowing newspaper cutting
Authored by: Anonymous on Friday, October 22 2004 @ 04:17 PM EDT
I kept (I wish I knew where it was right now) a copy of a newspaper article in The Age newspaper in Melbourne from about five years ago entitled "Linux won't change the world," about the Gartner group's examination of the future of our favourite operating system.

I knew that one day it would come around to bite them in their highly-paid, ignorant, collective asses.

Reminds me of a signature I saw the other day....
Authored by: penfold on Friday, October 22 2004 @ 04:24 PM EDT
I think it is probably the easiest answer to all of the numbers thrown about in
the "Get the facts."

"98.36 of all statistics are fiction."

Sometimes it is too easy to get buried in the details. I am certainly thinking
of keeping this report handy to put the "Of Life" spin on Microsoft's
marketing campaign. :)

However, I think I will quote the above witty one liner to anyone preaching to
me about M$ and ask them if they want to discuss things that may cause them to
question what their "Get the facts" brochure wants them to believe.

---
The worth of man is determined by the battle between good and evil in the man's
subconscious. The Evil within is so strong that the way to win is to deny it
battle.

This seems to go beyond the posting rules.
Authored by: seanlynch on Friday, October 22 2004 @ 04:46 PM EDT
Please read the posting rules for this weblog, and please respect them.

PJ, please consider removing the parent post...!!!
Authored by: Groklaw Lurker on Friday, October 22 2004 @ 04:52 PM EDT
This post violates one or more of the posting guidelines on Groklaw and thus,
should be removed.

---
(GL) Groklaw Lurker
End the tyranny, abolish software patents.

Boy - you must be desperate..
Authored by: cheros on Friday, October 22 2004 @ 05:09 PM EDT
I knew there was a reason why IP addresses were logged..

Windows Is Insecure By Design
Authored by: Prototrm on Friday, October 22 2004 @ 05:16 PM EDT
As I've stated here and on the Linux Gazette (the .net one) before, it's not
possible to make Windows secure without making major changes to the basic design
of the OS. Windows is a single-user operating system with a thin layer of
multi-user painted on top. Programs and system services can interact on such an
intimate level that a flaw anywhere in the OS can compromise the entire system.
Notice how many things break with the additional security in XP's Service Pack
2. It's like having repeated unprotected group sex with complete strangers.

And another thing: can someone explain to me why some programs, such as Doom 3,
*require* administrator access in order to run? This is a *game*, for cryin' out
loud, not a low-level security or disk utility tool! This is the sort of thing
that almost forces you to give your User ID the Windows equivalent of Root
access, which is a dangerous thing to do.

At this point, Microsoft doesn't dare fix the bad design. If it did, there would
be even more broken applications than with SP2. All it can do is treat the
symptoms as they appear, and hope to keep ahead of the deluge. I'm reminded of
an old 3 Stooges short, where they're in a boat that's leaking and Larry drills
a hole in the bottom to "let the water out".

Until Microsoft is willing to break backward compatibility, which it will never
do, it will never make Windows as secure as Linux/Unix.

Tragic, just tragic...
Authored by: Groklaw Lurker on Friday, October 22 2004 @ 05:25 PM EDT
It is sad to think that managerial employees of SCO are reduced to posts such as
this. One must wonder what ever will become of them...

---
(GL) Groklaw Lurker
End the tyranny, abolish software patents.

Pamela Jones and Merkey
Authored by: Greebo on Friday, October 22 2004 @ 05:50 PM EDT
Wrong section Anon. The Troll thread is up the page a bit.

If you think anyone here believes any of this BS you are sadly mistaken. Actions speak louder than words, and PJ has shown herself to be a woman of integrity, honesty, and good judgement. Jeff Merkey on the other hand.... well, just read some of the stuff on LKML, and what he has allegedly posted on Groklaw as anon, and I think you'll soon see the difference.

So if you think we're going to put any faith in the words of an anonymous coward you are sadly mistaken.

Sad. Very, very sad.

Greebo

---
-----------------------------------------
Recent Linux Convert and Scared Cat Owner

Troll score 3/10 Way too obvious
Authored by: Anonymous on Friday, October 22 2004 @ 06:11 PM EDT
You really need to take some troll lessons.

It would seem
Authored by: overshoot on Friday, October 22 2004 @ 06:11 PM EDT
That there are exceptions to the GrokLaw posting-in-good-taste rules.

In particular, there is no limit to the defamatory bad taste allowed in posts attacking PJ personally. I can understand the reasons for bending over backwards for them, but it saddens me regardless.

Dueling Studies on Security and TCO in Windows and Linux
Authored by: Anonymous on Friday, October 22 2004 @ 06:12 PM EDT
While not contesting the Petreley results in general, they must know one thing:
the CERT vulnerability metrics are partly based on a product's 'popularity'.
And, IE has a >90% market share. I'm also sure there are more Windows
machines. Probably CERT even measures the average user's knowledge (dunno about
this). So, the higher metrics come partly from what Ballmer said, really. I must
also state that I don't dare to connect to the internet using Windows. I use
Win98 without connecting it to the Net.

DO NOT DELETE THE PARENT!
Authored by: Anonymous on Friday, October 22 2004 @ 06:36 PM EDT
This must remain in the public record so that others can know about this
disgusting behaviour! As abhorrent as it is, we must learn to deal with the
ugliness that encompasses someone like Merkey.

Whether the post is from Merkey or one of his supporters, it serves as a
testament to the type of person that he is, and/or the type of people he
associates with.

DELETE NOT, I say.... and let the truth exist, for the public to view. I can
guarantee that if he files a lawsuit against Pamela, this will come back to
haunt him.


Overkill character terminal emulators
Authored by: Anonymous on Saturday, October 23 2004 @ 05:07 AM EDT
The simple fact is that many, if not most, of the people that have desktop PCs on their desks do not employ them as desktop computers at all, but merely clients to various back-end processes such as the Internet, file servers etc.

Or even as just terminal emulators! I have recently taken to peering over counters while visiting various shops to see what kind of business systems the clerks use, and one very common theme seems to be running a terminal emulator on Windows NT! The actual business is done with some bigger computer in the back room (or central office), and these people have a gigahertz, multimegabyte system with a bloated OS running a terminal emulator app that could be easily handled with a 1970's vintage 8-bit processor and about ten kilobytes of memory...

(I used to have an old leftover "smart" ADM42 terminal at home that was actually implemented that way: Outwardly a huge beast but inside it was an 8-bit Motorola 6800, memory chips and assorted TTL logic on a big board, and of course the video hw. The smartness meant it could be optionally programmed to handle simple form filling locally and send the finished form at one go).

Flawed by Design
Authored by: sproggit on Saturday, October 23 2004 @ 08:53 AM EDT
When all is said and done, no operating system is 100% perfect. We've had posts like this on Groklaw before, and the common theme is that they draw zealots the same way that magnets draw iron filings... Reading this today, I was interested in the lack of specific observations or facts. Another common theme for such debates.

In other words, this debate is flawed by design. And you thought my post title was a reference to one OS or other, didn't you?

Just so you know, until about 5 years ago I was an admiring believer in Microsoft, and their commitment to producing complete, integrated software. I got annoyed with their bugs, sure, but really liked NT4, SQL6.5, VB5 and the like. I wrote a fair amount of software for the VB5/SQL6.5 model. Then Microsoft started to change their behaviour, and from about 97 onwards the growth of the internet released a plague of viruses. My interest waned.

I now run GNU/Linux by choice because I believe it to be more secure. I will not claim to be an expert [perhaps just an experienced user], but chose not to continue with Microsoft because of what I believe to be serious flaws. I prefer to be specific, so here they are. If we have reasoned debaters on GL today, feel free to respond. Objective is to move the debate forward, not start or compound a flame war, OK?


  1. Buffer Overflows. This flaw is typically found in software written in the C or C++ programming language, and manifests when data written to a memory storage area overflows that area of code, corrupting neighbouring memory. This can allow malicious users to alter the functioning of the program by means of carefully crafted attacks. It can be difficult to implement, but exceptionally dangerous when done well. This is a common flaw in Microsoft software and one we have seen many times over. It happens in Linux too, but in practice the massive "peer review" process of the Linux community catches this type of error very well. To quote Linus, "Many eyeballs make all bugs shallow". Microsoft has simply failed to address this with better tools, even though they have the money to do so.

  2. Feature Failure. Microsoft, in the early days, earned market share by offering more and better features than the competition. Excel defeated Lotus 1-2-3, for instance. IE vanquished Navigator [but here comes Firefox]. Microsoft became accustomed to this model of beating the competition. "Add more features" became a way of life. We've seen their products bloat and bloat and bloat until MS Office takes a 170Mb footprint when installed. But with this rush to add features, we've seen a wild disregard for simple checks and balances. A new feature [say Windows Scripting Host] is introduced, because MS perceive that unix shell scripting has no counterpart in Windows. But the designers cheerfully ignore basic security principles and we have as a result the fact that I could email you a message with a script attached to it that says "FORMAT C: /Y" and if you open my attachment your machine would be wiped out. [OK, this has been largely written out by now, but how the heck did this get written in the first place?] No self-respecting Linux hacker would produce that kind of feature, surely?

    As a complete aside, this approach fell short with the Linux community. Sponsored and started by "hard-core" tekkies who had lost interest in the bloat of Windows, Linux produced lean, nimble environments, and small, sharp tools that performed their job with neat efficiency. Interest in "the next best feature" evaporated. Microsoft failed to spot this sea change and are only now struggling to change their focus.

  3. Inter-Process Communication. Another rarer but no less dangerous flaw in Windows is more subtle to detect. Say you have two programs running on your machine. Both can take advantage of Windows features such as OLE [Object Linking and Embedding] and basic Windows IPC. Except that with Windows, the program sending the message talks to the OS, which then talks to the receiver. This means that the receiver knows it is talking to the Operating System [which it trusts implicitly]. An otherwise harmless piece of software with trojan code inside it can search your PC for a running app [MS Word, anyone, or, heaven forbid, IE] and just start talking. A skilled programmer could do a lot of damage with this. Yes, it's true that Linux has pipes and actively encourages data exchange with human-readable flat files. But the fact that this happens in this way, with process talking to process, and operating via files to which ownerships can be specified, helps to reduce or eliminate what would otherwise be a security flaw.

    Another aside, and to be fair, I personally see the more granular and refined file level security of NT onwards [via NTFS] to be considerably superior to that of unix clones such as Linux. I live in hope that one day someone will sponsor a project for a kernel extension and a new file system type that allows for more refined FGAC [Fine Grained Access Control] at the file level.

  4. Active-X. This came about through successive generations of Microsoft's Visual C++ and Visual Basic work, seeking to produce new and ever better paradigms for coding out to other software and the operating system itself. Then Active-X found a whole new lease of life in the web world, where developers could write Active-X modules that could be downloaded and executed by Explorer. So this was cheerfully introduced with little thought to security. The MS response? A check-box in IE settings that lets you turn off IE 's use of Active-X. Closing the stable door after the horse bolted. Yet another example of adding feature without stopping to ask the most basic security questions.

  5. Lack of Architecture or Interfaces. This might not seem so obvious at first. Steve Ballmer speaks reverently of the power [monopoly] of the Windows API. Features get added in the rush to keep the developers happy. But it's random. There is no clear, clean design. The interfaces themselves are not clearly structured, have no flowing, logical design. Half of them aren't even published, for crying out loud! I own the Visual Basic 5 Programmers' Reference Manual and it's a hefty tome, no mistake. It's also seriously incomplete, because Microsoft don't release all their API calls to the "public". I suspect [have no proof] that this is because they want their applications to run better than their competitors.

    But the simple truth is that under the covers the architecture of Windows itself has been badly chopped around since they bought the Digital OS Team and wrote Windows NT 3.1. There is no clear segmentation. They move major components into and out of the kernel [like the video subsystem] for performance reasons, or other arbitrary factors, without considering consequences. Under the covers the Windows API is just a morass of hashed together code. Windows, like many OS, was originally designed as a ring system, with Ring0 being the kernel. There are [or should be] clear rules about "who can call what function from where". When Microsoft move large chunks of code around under the covers, those original boundaries start to break, become vulnerable. In my very limited experience Linux copes with this reasonably well. I do have issues with certain module inter-dependencies, but it's largely pretty sound. Windows, on the other hand, is a nightmare. I've already mentioned the video subsystem, but what about networking? What a nightmare!

    Windows originally shipped with NetBEUI [NetBIOS Extended User Interface] as standard. TCP/IP was originally an extra protocol shipped with NT. It was never properly written. Because windows doesn't readily adopt the concept of daemons or subsystems, IP networking became written into the OS in a haphazard way. This makes its behaviour much more vulnerable to attack. For example, with a Linux host it is possible to bring the host up in stand-alone mode, with networking disabled. With Windows the only way to do this is unplug the cable from the NIC. With Linux it's possible to recycle the networking subsystem [inetd] without killing programs or services that are using it. With Windows this is just not the case. Microsoft made a lot of the fact that Windows NT was certified by the US Government as being C2 compliant. [C2 is a security accreditation, where A1 is the best]. That certification [C2] was only valid for stand-alone machines. OK, before the flames start, I must acknowledge that this is old news. I've run Windows2000 but not XP and not Server 2003, so I don't know if they have improved. Somehow I don't think so.

  6. Development Culture. I've actually worked with Microsoft and ex-Microsoft Developers and know a little of the way that they produce code. One of the ideas is the concept of the bug-tracking system. As a developer at MS, you are allowed to work on new functions or features in your code. Every night, their CVS systems take the uploaded source and produce builds of code, which are then released to testers. As a developer, you may then get bugs posted against your code. You can continue to work on new features until you get to a maximum bug count. Then you have to stop the new stuff and go fix bugs. At any point in time, a large project like Windows XP might have thousands of known bugs. But here's the thing. Microsoft are still willing to RTM a product [Release To Manufacturing] that has known flaws - perhaps even thousands of them. They argue that the Linux community is no better. The truth is that the Linux community clearly labels beta code as beta. Literally thousands or millions of developers work on testing, and code is very rarely released until it is ready. I'm writing this post using Firefox 1.0PR. I started using the browser in the 0.8 releases, accepting it to be a reasonably solid beta. Haven't had a single problem. MS, on the other hand, don't even publish a "known bugs" list when they ship a new product. Why? Would you buy Windows XP on release day if you knew it had thousands of known bugs and flaws? I don't think so!!! The difference is that MS are taking your money. When you download FOSS, you are not being robbed.


Common Themes and Ideas
As we consider the [subjective and one-sided] points I have raised here, I suggest to you that there is both a common theme to these perceived weaknesses in Windows, and a common thread in the difference in culture between Microsoft and GNU/Linux.

Microsoft come from a commercial world in which they have thrived by having more and better software features than anyone else. This rush to add functionality has been made at the expense of everything else. When did you last see a Microsoft announcement that said simply, "We've been busy and with this patch we've squashed all these bugs." Never happened. They can't even do that without folding in "new features". It's almost like a phobia.

The GNU/Linux community are purely tekkies [can you imagine the FOSS community having an Open Source Marketing Department? Anyone watch Dilbert?]. The FOSS community are interested in different things: sharing, learning, collaborating, and most importantly of all, raising the quality of their artwork [and it is artwork] to the highest possible level they can attain. They will review and rewrite and enhance and polish until what's left is a sculptured work of art. There is no commercial rush, no competitor to beat. The only thing that matters is the quality of the code.

These are intrinsically different ideals and for this reason alone the religious debate between Open and Closed software development will rage on through the years. Enjoy your posts. Throw in a few trolls if you really have to [pick the right post to respond to though, please]. At the end of the day, make your choice.

When you do, please remember one thing. Today, you have a choice. Then look around, and ask yourself who out there is protecting and enhancing that freedom of choice, and who is trying to take it away, to legislate against it, or patent it.

To [mis-]quote a line from "A Few Good Men",

Those are the facts of the case, and they are undisputed.





  • Flawed by Design - Authored by: Anonymous on Saturday, October 23 2004 @ 09:32 AM EDT
  • Flawed by Design - Authored by: Anonymous on Saturday, October 23 2004 @ 11:33 PM EDT
  • Flawed by Design - Authored by: Anonymous on Saturday, October 23 2004 @ 11:46 PM EDT
  • Fun with ACLs - Authored by: Zartan on Sunday, October 24 2004 @ 06:19 AM EDT
TCO a personal experience
Authored by: cpw on Saturday, October 23 2004 @ 01:01 PM EDT
Well, I just had to do it! What did I have to do? Well, install Windblows SP2, that's what! It was my own stupid fault, and I can hear you all chuckling away, and I can picture you all now with big, cheesy "Told you so" smirks on your sickeningly smug faces.

I'm an IT contractor (Unix/Linux/Perl) and I have a dual boot system at home in the office with XP and SuSE 9.1 installed. Anyway, last Wednesday I was checking my email using Windows (Thunderbird, in case you're wondering) when up pops the message "New updates are available". So, being mildly paranoid and knowing the good old MS rep for being vulnerable to all sorts of strange electrically transmitted diseases, I decided to perform the required upgrade. Bad move, very, very bad move! Now don't get me wrong, my eyes were open, and yes, I'd heard all the horror stories about SP2 previously, but having used the MS update system in the past without problem I just thought "Yeah well, there may be the odd snag or two but probably nothing I can't sort out", so I proceeded to download and install the update (all 90MB of it!). When it had completed I performed the mandatory reboot and that's when the full horror of my situation began to manifest itself. I use a wireless network here and also have Norton Antivirus and Firewall s/w installed.

Of course the first thing I do is try out the network connectivity: not a sausage, bu**er all, sweet FA! I quickly find out that as far as any form of networking is concerned my system is about as useful as a chocolate teapot! Close inspection reveals that good old MS has decided that no one else's software is as good as theirs and so have turned on the firewall by default. In principle, and for your average home user, probably a sound idea, but as far as I'm concerned a totally rubbish one! Why won't it detect 3rd party software? Anyway, I have a perfectly adequate 3rd party product so I'll use that, so switch off the firewall. Does it work now? Nope! Anyway, after several happy evening hours spent trying to breathe some form of network related life into something that to all intents and purposes is more suited to the task of a boat anchor rather than that of a high-tech piece of computer kit, I decide that the only thing for it is to re-install good old Microshaft Windblows from scratch and also put up with all the fallout that that entails. Which I have duly done, but not without having to spend many hours performing a task that I should never have had to do in the first place!

The reason I relate this sad little story is this: if I had been a (non-tech-savvy) proprietor of a small business (which, come to think of it, I probably am) that relied heavily on having a network capability, say for incoming orders or whatever, this little episode would have ended up costing me big time, as I would have not only been off-line and losing money in the form of orders, but (in the absence of a service contract) I would probably have had to pay a premium for someone to come and sort this mess out!

A subsequent visit to the M$ website detailed an enormous number of problems with SP2, and I feel these were not indicated with nearly enough emphasis on the update alert that I was presented with. There are so many problems with installing SP2 that I have to take the view that it should never have been released in its present form in the first place. Quite frankly, I think it is a totally irresponsible thing to do; this "stuff" (I hesitate to call it software) is rubbish and so obviously "not of merchantable quality" that I can only marvel at the total audacity of releasing it in the first place.

So message to M$:
a) Don't talk to me about TCO, quite frankly, I can't afford your ineptitude.
b) GRUB has now been configured to boot Linux by default.

Say it with flowers, send Bill a Triffid.

CPW


Dueling Studies on Security and TCO in Windows and Linux
Authored by: Anonymous on Saturday, October 23 2004 @ 09:54 PM EDT
I make part of my living supporting Linux systems, using Linux as a "Swiss knife for network" (read somewhere else). At the end someone has to pay me for this job.

Yes, that costs money to these companies, but it would also cost money to maintain a Windows box. These m$ studies do not mention this little fact, as if the upgrades and patches m$ releases every time will do it. At the end this adds up to the TCO.

My service is not only to maintain, but also to do something better and new. I know the systems, so I can suggest better ways to do it.

IBM learned this fact some years ago; they have gone fully into services that need hardware and software. Well, IBM sells a solution, not only a piece of hard/software, but a service to keep that thing going on, configure it, adapt it to new needs, etc.

m$ has been "starting" to do this, but what they really do is sell a whole bunch of things that the customer does not need, but as they were advised by m$, they finally buy. m$ even has some sort of "independent experts" that do the advising, but in the end are recommended by m$... guess why! I am not saying IBM does not do this, but I have certain experience with m$ advice... Other companies have also gone into giving advice, interesting advice... to say the least.

These "get the facts" studies are only for those who don't really understand what it means to keep a system running. Each company is a different world; everybody has different needs. Some are similar: email, web, internet surfing, login, files, print; but the needs that make the business, the ones that bring real money, are extremely different. These "facts" from m$ do not count on that, as if every shop is the same.

I think the companies that go the m$ way are people that know nothing of computers, that only know what the salesman told them, and also think that they are the best. If people that really know took the decisions, which is definitely not the rule, there would not be so many problems, but when people that know nothing decide... ouch!

Someone I know used to say: "the world is composed of 99% stupid and 1% intelligent people. What one needs to do is be in that 1%, and live off the 99%". I remember this every day :)



Ivan


About Didio "expert"
Authored by: Anonymous on Saturday, October 23 2004 @ 11:12 PM EDT
I remember that over a year ago, when SCO was saying that they had tons and millions of lines of "copied code", this Didio was one of the "witnesses" who signed the NDA with SCO to "see" the code.

I was thinking... if she is the great expert she is, I would believe that her story _is_ true. Why would she lie on a subject like this? In the end, her reputation is on the line.

So I ask, why has SCO not appointed her as a witness? Also, can IBM do that? She said she saw "the infringing code".



I think I know the real answer...

Ivan


RPC calls and multiple SQL Servers loaded?
Authored by: Wesley_Parish on Sunday, October 24 2004 @ 06:06 AM EDT

That scared the proverbial out of me! If anything exemplifies bad design to me, that's it!

And all done in the name of maximizing Microsoft profits by making SQL Server the default so that people stop thinking of Oracle, DB/2 and other competitors ...

Someone needs to spend time in the slammer, obviously, but who?

---
finagement: The Vampire's veins and Pacific torturers stretching back through his own season. Well, cutting like a child on one of these states of view, I duck


I don't get it
Authored by: Anonymous on Monday, October 25 2004 @ 03:01 PM EDT

How can any discussion of TCO include as much stuff as is included in those studies and on this page, and completely miss the question of how much one's data is worth to them? The risk to one's data, or to the ability to access that data, is, IMO, a major consideration when one considers TCO.

Here, Windows is simply not a contender. The official MS strategy now is that versions of Windows prior to XP will not get real security updates, hence no such version of Windows is a contender. Should you happen to update your hardware, Windows XP or later requires Microsoft approval (re-activation) before you can access your data. Hence, unless you really trust Microsoft to both be there and do the "right thing," your data is at great risk if you "go with" Windows. Anyone who trusts Microsoft is, IMO, little less than crazy.

Unless one has data of relatively low value, I don't see how people can even call this a contest.


  • I don't get it - Authored by: Anonymous on Wednesday, October 27 2004 @ 07:17 AM EDT
Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )