GROKLAW
Gates, Security, and Doubtful Accounts
Monday, February 07 2005 @ 08:32 AM EST

Want to laugh? There is a hilarious interview with Bill Gates by Der Spiegel, in which they ask him many questions about security, malware, and other things, and it includes this classic interchange:

SPIEGEL: Microsoft is not only a part of the solution, but also, because of its market power, part of the problem. When a company provides more than 90 percent of all personal computers with software it is inevitably a target for hackers interested in causing the most damage possible.

Gates: There are actually a large number of operating systems in addition to Windows, for example, such as OS from Apple or Linux and Unix...

SPIEGEL: ... but in the realm of normal personal computers, they don't play a large role worldwide.

Gates: The truth is: the fewer operating systems there are within a company, the better it is from a security point of view.

SPIEGEL: I beg your pardon?

I beg your pardon, indeed. Yes, you heard him. Monocultures are a security plus.

Here is a paper [PDF] by some security professionals presenting a decidedly different opinion.

What is there to do but laugh?

Doug Pike, the "Doubtful Accounts" cartoonist who specializes in financial cartoons, has been inspired by Microsoft. Maybe he got his inspiration when he read that Microsoft will be releasing 13 security patches on Tuesday, including several critical updates. They won't tell us what they are in detail until a teleconference on Wednesday, though, so surf the Internet at your own risk, Windows users.

Or maybe he read about MySQL having only one bug per 4,000 lines of code, compared to 1 to 7 bugs per 1,000 lines of commercial code:

"Commercial code typically has anywhere from one to seven bugs per 1,000 lines of code, according to an April report from the National Cybersecurity Partnership's Working Group on the Software Lifecycle, which cited an analysis of development methods by the Software Engineering Institute at Carnegie Mellon University.

"Coverity's analysis of MySQL found an average of one bug in every 4,000 lines of code--results that are at least four times better than is typical with commercial software.

"The findings parallel earlier work by Coverity in auditing the Linux kernel; that work found that a recent version of the kernel had 985 flaws in 5.7 million lines of code, less than a single flaw in every 10,000 lines of code."

Or maybe it was reading about Microsoft launching a program to create a partnership with governments worldwide "to share information and conduct joint projects on network and information technology security," with the goal of more effectively handling viruses, worms and other incidents.

I'm sure that will work out. And it won't cost much either.

Here is the press release about it. Why don't they just fix the software? I think it would be cheaper and certainly easier on the rest of us. Or just switch to GNU/Linux, folks, and do yourselves a favor.

ComputerWeekly's report on the new SCP program says Microsoft is "hoping to help governments handle internet security threats more effectively" through the new program. Microsoft? Help governments handle internet security? When they think a monoculture is a security plus?

Well. Where is the little boy who says the emperor has no clothes when you need him? OK. I'll fill in: Isn't Microsoft's software the problem in the first place? I view it like this: If your doctor operates on you and leaves the scalpel inside you by mistake, will you ask him to do the surgery to remove it? Similarly, if Microsoft's software is insecure and causing security problems, do you ask them to handle your security? Why not find better, more secure software to use instead? Duh.

Canada has signed on, and so have Norway and Chile. And Delaware, which uses a lot of Microsoft software:

"As participants, Canada, Chile, Norway and the United States will work cooperatively with Microsoft, exchanging information that can be used to better anticipate, help prevent, and respond to and mitigate the effects of information technology (IT) security attacks. Among the types of data to be exchanged are these:

  • Information about publicly known and reported vulnerabilities that Microsoft is investigating
  • Information about upcoming and released software updates to facilitate resource planning and deployment
  • Security incident metrics
  • Incident information in the event of a critical incident or emergency
  • Information on Microsoft® product security, Microsoft's approach to security, and its incident response process

"In addition to information exchange, the SCP provides opportunities for cooperation with Microsoft on projects identified by the participating government agencies, including these:

  • Cooperative consumer outreach and education activities, including development and distribution of materials and special events
  • Collaboration in computer incident response processes, including joint response in the event of an emergency"

So, tax dollars will be spent dealing with Microsoft malware. I think they've come up with a business model that might just work. Create a problem, and then charge money to deal with it. Get governments to pitch in.

Speaking of problems, cryptography expert Phil Zimmermann says a recently discovered flaw in Word and Excel encryption is serious:

"'I think this is a serious flaw — it is highly exploitable. It is not a theoretical attack,' says Zimmermann, referring to a flaw in Microsoft’s use of RC4 document encryption unearthed recently by a researcher in Singapore.

"'The lay user ought to be entitled to assume that the encryption produced by Microsoft is adequate … If Microsoft wants to earn the respect of the cryptographic community and the public it must rise to the occasion by producing competent security.'

"Microsoft has been dismissive of the seriousness of the flaw, which relates to the way it has implemented the RC4 encryption stream cipher. As explained by Hungjun Wu of the Institute of Infocomm Research, it would allow anyone able to gain access to two or more versions of the same password and encrypted document to reverse engineer the scheme used to make it secure."
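To make the quoted flaw concrete, here is an added example (my own code, not the article's and not Wu's analysis; the key derivation, the salts and the two document versions are hypothetical and constructed) showing why applying one RC4 keystream to two versions of a document leaks the XOR of the plaintexts, the check that detects such reuse, and the per-save salt that prevents it:

```python
import hashlib
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    # Textbook RC4 (key scheduling + PRGA); included only so the example
    # runs offline. Nothing here should be used for real encryption.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_key(password: str, salt: bytes) -> bytes:
    # Hypothetical KDF standing in for whatever a real file format does.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()[:16]


def encrypt_fixed_salt(password: str, plaintext: bytes, salt: bytes) -> bytes:
    # Weak pattern: the salt is chosen once and reused on every save, so the
    # RC4 keystream is identical for every version of the document.
    key = derive_key(password, salt)
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def encrypt_fresh_salt(password: str, plaintext: bytes):
    # Hardened pattern: a new random salt per save, stored next to the
    # ciphertext, so no two versions ever share a keystream.
    salt = os.urandom(16)
    key = derive_key(password, salt)
    return salt, xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def decrypt(password: str, salt: bytes, ciphertext: bytes) -> bytes:
    key = derive_key(password, salt)
    return xor_bytes(ciphertext, rc4_keystream(key, len(ciphertext)))


def keystream_reuse_detected(p1: bytes, p2: bytes, c1: bytes, c2: bytes) -> bool:
    # Check a reviewer can run against a format: with a shared keystream K,
    # (P1 ^ K) ^ (P2 ^ K) == P1 ^ P2, so ciphertext XOR equals plaintext XOR.
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


def leaked_diff_positions(c1: bytes, c2: bytes) -> list:
    # What someone without the password learns from two reused-keystream
    # versions: exactly which byte offsets changed between them.
    return [i for i, b in enumerate(xor_bytes(c1, c2)) if b]


def demo() -> dict:
    password = "correct horse"
    v1 = b"Q1 revenue forecast: 12.0M (draft)  "   # constructed sample
    v2 = b"Q1 revenue forecast: 14.5M (final)  "   # constructed sample
    fixed_salt = b"\x00" * 16                       # constructed: never changes
    c1 = encrypt_fixed_salt(password, v1, fixed_salt)
    c2 = encrypt_fixed_salt(password, v2, fixed_salt)
    s1, d1 = encrypt_fresh_salt(password, v1)
    s2, d2 = encrypt_fresh_salt(password, v2)
    return {
        "reuse_in_fixed_salt": keystream_reuse_detected(v1, v2, c1, c2),
        "reuse_in_fresh_salt": keystream_reuse_detected(v1, v2, d1, d2),
        "leaked_diff_positions": leaked_diff_positions(c1, c2),
        "fixed_salt_roundtrip": decrypt(password, fixed_salt, c1) == v1,
        "fresh_salt_roundtrip": decrypt(password, s1, d1) == v1
        and decrypt(password, s2, d2) == v2,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the fixed salt, the leaked positions line up exactly with the bytes that changed between the draft and the final version; with a fresh salt per save, the ciphertext XOR is unrelated to the plaintext XOR.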

Or maybe Pike was inspired by this Microsoft answer to a question about security and IE, posed by Neowin:

"5. One of the main areas of concern, in terms of security, has always been IE's extremely tight integration into Windows itself. Does Microsoft have any plans of, perhaps, going towards a more module based environment, with Longhorn, in hopes of further securing the OS?

"Internet Explorer remains a viable, valuable, and mature browser that meets the needs of our customers and ISVs who have a great deal invested in it. Major security improvements were made in SP2 and innovating on Internet Explorer in the future and continuing to honor the investment our customers and ISVs have made in Internet Explorer remains the best and smartest option available to us.

"The IE team is in the process of designing and developing Internet Explorer for Longhorn. It's too early to provide a list of specific features, but major investments are being made in the areas of end user features, security and privacy, and developer support (for both add-on and website developers)."

That's their story, and they're sticking to it. That article also mentions their Security Response Center:

"Microsoft is also bolstering its defense against Internet security threats through the Microsoft Security Response Center (MSRC), a world-class service and support organization. The MSRC has a dedicated team, and a large network of ISP and anti-virus partners, to respond quickly to security issues and better protect customers. MSRC evaluates and analyzes security issues, creates and tests updates, and distributes security bulletins and associated updates. The MSRC also works with law enforcement agencies worldwide to shut down malicious attacks and prosecute the criminals behind them."

You would be mistaken if you think that means this is something new. Microsoft's own history of the MSRC [warning: it is hard to get back to Groklaw from that site by hitting the back button, but persistence or ingenuity wins the day] says it has been in existence since 1996, although under a different name. This is the unit that identifies bugs and comes up with patches. So, I think it's fair to judge them by their track record. But let's let them tell you about that themselves:

"Since its creation, the MSRC has eliminated over 150 vulnerabilities affecting roughly 40 Microsoft products. People frequently argue about what this number means. Does it mean that Microsoft products are full of security holes? We're admittedly biased, but we don't think so.

"Instead, we think this number reflects how aggressively we scrutinize our own products, and how openly we discuss vulnerabilities when they're found. Statistics from independent security experts back us up on this score—they show that security vulnerabilities are found in all vendors' products at roughly the same rate. What sets Microsoft apart is the fact that we tell the world about them, so our customers can apply the fixes we provide and eliminate them."

It's impossible not to be struck dumb by this claim, so I'll use sign language and just point your eyes north, to the beginning of this article for statistics that contradict this silly claim. A lot of money is now wrapped up in the MS malware industry, that's clear. Mike Dalton, President of McAfee in Europe, the Middle East and Africa, put it plainly at a security conference last October:

"'Microsoft is clearly not doing a good job at security,' said McAfee's Dalton. 'Most people in this room who work in security have their jobs because of Microsoft.'"

And end users must hold up their end in this struggle, with tutorials to bone up on. Here is a list of articles CastleCops recently ran, a 10-step program for Windows users to deal with all the various threats in that environment.

Whatever the inspiration, here is the cartoon Doug Pike just drew for Groklaw:


Doug Pike is a 13-year member of the National Cartoonists Society specializing in business and financial cartoons. Some of his prominent clients have included CNNfn, CNBC anchorman Ron Insana, book publisher John Wiley & Sons, and Standard & Poor's. Doug's work draws upon his experiences as a business owner, investor and MBA graduate from the University of Chicago. Here's his website, where I found he also has a couple of books, one with what I think may be my favorite title, Invest Like a Cartoonist. A collection of his cartoons is also on the website. I like the last one scrolling down, with the caption, "I believe I said sell my American Dental stock and buy me $50,000 worth of their debentures."

Doubtful Accounts Cartoon © Copyright 2005 D. Pike

Gates, Security, and Doubtful Accounts | 422 comments
Corrections here
Authored by: MathFox on Monday, February 07 2005 @ 08:53 AM EST
the obligatory thread.

---
When people start to comment on the form of the message, it is a sign that they
have problems to accept the truth of the message.


OT Here
Authored by: rm6990 on Monday, February 07 2005 @ 08:56 AM EST
OT Here please


Symantec
Authored by: rm6990 on Monday, February 07 2005 @ 09:10 AM EST
Microsoft is not part of the solution. Microsoft is the problem, and Symantec,
McAffee and co. are the solution.

Funny how MS doesn't mention on their "Get the Facts" site that it is
other companies that are doing most of the malware prevention work for them. I
don't have to buy a third party security product when I run Linux.


Track record
Authored by: MathFox on Monday, February 07 2005 @ 09:21 AM EST
If your doctor operates on you and leaves the scalpel inside you by mistake, will you ask him to do the surgery to remove it?

It depends on the track record of the surgeon. If he has operated on hundreds of patients and I'd be the first one where he made such an error, I'd take the risk to have him repair the damage done by his mistake. On the other hand, a doctor that would leave tools inside patients on a weekly basis would not remain in practice for long.

Microsoft certainly has a track record on the topic of security:

Microsoft: We have this very convenient auto-run macro feature in our office file formats.
Security Expert: Are you sure that is a good idea?
MS: It is a good idea, it is a convenience for our users!
SE: Look, someone sent me a proof-of-concept virus.
MS: We haven't seen it in the wild yet!
SE: We've found OfficeInfector.A.
MS: That's an incident.
SE: The OfficeBlaster.C virus has spread to over 20 million systems.
MS: Everyone should use a virus scanner and update it daily.
SE: We just registered the 1000th variant of an Office virus.
MS: Our newest Office Offering has built-in heuristic detection of viruses and auto-run can be switched off.
In many other businesses a market regulator would have acted on this kind of behaviour. Apparently software is a different business.

---
When people start to comment on the form of the message, it is a sign that they have problems to accept the truth of the message.


Gates, Security, and Doubtful Accounts
Authored by: Anonymous on Monday, February 07 2005 @ 09:24 AM EST
"Gates: The truth is: the fewer operating systems there are within a
company, the better it is from a security point of view."

He then continued, outlining that having several OSes also requires more effort
to administrate them all -- or security will suffer rather than increase.
That, in and of itself, makes sense.

cu,
Schnobs


Gates, Security, and Doubtful Accounts
Authored by: dkpatrick on Monday, February 07 2005 @ 09:39 AM EST
I think it's a given that the fewer operating environments in a company, the
cheaper it is to maintain everything.

Microsoft, however, appears to approach coding as if everyone lived in a secure
world and adding automated features, linking products together at the operating
system level, and taking as much out of the hands of the user as possible is a
'good thing'. It doesn't hurt the developers and designers!

This demonstrates a severe weakness in the Microsoft business model. They don't
have a significant consulting presence in their customers' sites. They don't
learn first hand what the customer wants and needs. Where IBM and other full
service firms have a feedback loop between consulting and development, the
Microsoft-certified consultants don't have that same relationship to Microsoft
development.

It's the old saying: "Feel my pain". Microsoft hears the complaints
and patches the daylights out of Windows. But they don't "live" the
pain and in truth haven't demonstrated a real concern for their customers other
than how much money they have.

---
"Keep your friends close but your enemies closer!" -- Sun Tzu


Where's the beef?
Authored by: Anonymous on Monday, February 07 2005 @ 09:57 AM EST
OK, I'll be the last to defend Microsoft, their business practices, their
software, their security model, etc.

HOWEVER, I fail to see anything wrong, much less egregiously wrong, with what
Bill said. To me, it does not even contradict the paper you cite. The cited
paper is an explanation of how _everybody_ running the same OS can magnify
security issues. It could certainly also apply within a single business if all
the systems were kept completely separate. However, in my experience, that
doesn't happen. It's the old story about the most secure data is on a server
which is not plugged into anything, even the wall power. The data is secure,
but no one can use it!

So, the problem with running multiple OSes inside a business is that pretty much
all the corporate data usually winds up having to be accessible from users
running _any_ of the OSes. This means that a security bug in ANY of the OSes
can expose valuable corporate data.

Not only will Bill's statement sound reasonable to the average executive, it
will ring true to anyone in corporate IT. To combat Microsoft's FUD, we need to
make sure that we agree with true things, then steer users towards the _right_
OS.


Gates, Security, and Doubtful Accounts
Authored by: kberrien on Monday, February 07 2005 @ 09:57 AM EST
13 Patches, time to update my TCO figures.


The Gates Security Model
Authored by: Anonymous on Monday, February 07 2005 @ 10:04 AM EST

I have a system for managing cash at home. I keep it in a pile on the table.
If ALL corporations, banks, governments, individuals, etc. would adopt this
system uniformly, and eliminate other forms of money management, the world's
financial security would greatly improve. This should be completely obvious to
any Microsoft employee.


Don't forget MSN worm!
Authored by: Anonymous on Monday, February 07 2005 @ 11:17 AM EST
http://www.pcworld.com/resource/article/0,aid,119559,pg,1,RSS,RSS,00.asp


Gates, Security, and Doubtful Accounts
Authored by: bap on Monday, February 07 2005 @ 11:43 AM EST
Heh. Reminds me of my last job. I live/work in the Boston area and this
company was bought by a company out in California. We were mostly a
linux/FreeBSD shop and they were almost exclusively Windows. We had to use MS
Outlook for e-mail because that's what they had standardized on. Every time a
new Windows worm/virus appeared it'd always find its way onto the few Windows
systems we have through the VPN to the California office. We'd regularly see
e-mails like "Don't open e-mails with a subject of X" but half the
people in the California office would do that anyway. They'd end up shutting
down the e-mail servers for the better part of a day to clean things up.
Meanwhile all our linux desktops remained untouched.


Gates: Monocultures are Monopoly Plus !
Authored by: Anonymous on Monday, February 07 2005 @ 11:58 AM EST
It looks, knowing Mr. Gates, like this is what he means. Security over 5 versions of
Windows (NT, 95, 98, 2000, XP) has failed to show improvement.


I agree with an idea I heard from someone I know, that an NT base and 98 GUI became
Windows 2000; what XP is I can't say for sure. The thick glue layers to make new
versions, from already security-problem code, is what I have heard is why the
problems continue. Gates's claims are self-serving to the once pure monopoly.


God's Gift ...
Authored by: Anonymous on Monday, February 07 2005 @ 12:05 PM EST
B.G. suffers from the same problem as all people who
become full of themselves and believe they are God's
gift to ____ (fill in the blank). They end up thinking
they have the answers to ALL the problems and that their
way is the only way, that their advice drips gold. In the
end, they just become irrelevant.


Gates, Security, and Doubtful Accounts
Authored by: blacklight on Monday, February 07 2005 @ 12:18 PM EST
"So, tax dollars will be spent dealing with Microsoft malware. I think
they've come up with a business model that might just work. Create a problem,
and then charge money to deal with it. Get governments to pitch in." PJ

Get governments to pitch in, as in using taxpayer funds to subsidize our
favorite monopoly, to pay for government IT employees to research and QA the
vulnerabilities of the Microsoft products, and to pay for the very Microsoft
solutions that these government employees helped develop. And I can't even get a
free lunch from anyone I know!


MSRC
Authored by: Anonymous on Monday, February 07 2005 @ 12:38 PM EST
Gee, I guess that the MSRC needs to update their pages. I just dropped by
Secunia's on-line database and found more than 560 vulnerabilities (not all
patched!!) in *JUST* their OSes. That doesn't count Office or any of their
applications.

If you analyze Secunia's database you'll see that about 20% of Microsoft's
vulnerabilities aren't patched. Linux and BSD run about 99-100% patched on
average. In addition, IE averages significantly higher in the type of
vulnerability (High level) -vs- alternative browsers (like Firefox, and Opera).

The statistics are there, even Bill could probably read them :)


Gates, Security, and Doubtful Accounts
Authored by: pscottdv on Monday, February 07 2005 @ 01:18 PM EST
From the interview:

"The speed with which, for example, the Linux community reacts to problems
is not especially high -- that's because this system, unlike ours, simply does
not keep thousands of people on standby to deal with problems."

Oh, really?

http://secunia.com/product/22/
Windows XP Professional has 81 advisories, 21 unpatched

The oldest unpatched vulnerability was reported 2002-09-18

http://secunia.com/product/2568/
Fedora Core 1 has 102 advisories, 0 unpatched

(Don't get too excited, Bill, over the 102 total advisories--these include the
entire distribution which is 3 cdroms full of software.)

Yeah, you guys are real fast there, Bill!



Gates, Security, and Doubtful Accounts
Authored by: Anonymous on Monday, February 07 2005 @ 01:20 PM EST
"Gates: The truth is: the fewer operating systems there are within a
company, the better it is from a security point of view."

Uhm...
Windows 3.0
Windows 3.1
Windows 3.11 for Workgroups
Windows 95
Windows 98
Windows 98SE
Windows NT 4.0
Windows 2000
Windows ME
Windows XP Home
Windows XP Professional
Windows XP Corporate
Pending: Windows Longhorn

That is at *least* 8 different versions from the same company, Bill's own
company. So "SPIEGEL: I beg your pardon?"


Gates, Security, and Doubtful Accounts
Authored by: josmith42 on Monday, February 07 2005 @ 01:42 PM EST
If your doctor operates on you and leaves the scalpel inside you by mistake, will you ask him to do the surgery to remove it?

Well, fairly recently I had a piano technician tune my $23,000 piano. He wasn't the normal person I usually have tune my piano. He messed up. I was really upset, and called him to come fix it. Fortunately, he did this free of charge. Unfortunately, his second tuning wasn't much better. So finally I gave up and called my normal piano technician to come fix his mess.

The moral of the story? Well, maybe I wouldn't trust a doctor who messed up to take the scalpel out, mostly because my life depended on it. However, I did trust the same piano technician to fix his mess. (BTW, I've learned my lesson on that!) Maybe that's why Microsoft still has its monopoly.

---
This comment was typed using the Dvorak keyboard layout. :-)


Hospital!??
Authored by: Anonymous on Monday, February 07 2005 @ 01:59 PM EST
"Gates: If everything runs under the same platform, however, you can better
concentrate resources and more quickly repair errors. For instance, in a
hospital where different systems are used, a single problem in one section cause
the other systems to crash. Thus, from a security standpoint it is always better
to focus on one system."

He cites a hospital... this guy must be absolutely crazy!


Gates, Security, and Doubtful Accounts
Authored by: greyhat on Monday, February 07 2005 @ 02:01 PM EST
Reminds me of a quote from Albert Einstein:

"We can't solve problems by using the same kind of thinking we used when we
created them."

Anyone who believes Microsoft has the best answers (or that the
"answers" will be worth the price) doesn't deserve their money anyway
I guess...

---
"Obviously Linux owes its heritage to UNIX, but not its code. We would not, nor
will not, make such a claim."
-- Darl McBride to Linux Journal, August 28, 2002


Gates, Security, and Doubtful Accounts
Authored by: Bas Burger on Monday, February 07 2005 @ 02:46 PM EST
MSFT buying an anti-spyware firm instead of closing the leaks that cause spyware
to function in the first place says it all.
Total disrespect for any of their customers that did invest a lot of money into
their equipment.

I know they are powerful, but I still don't understand why none of their
customers ever tried to sue the living thing out of them.
If Ford tried their tactics he would have been bankrupted.


I full heartedly agree with Bill on this one
Authored by: Anonymous on Monday, February 07 2005 @ 03:17 PM EST
I fully agree with Bill on this one, running a single OS "Linux" in
your organization will increase security. He just failed to mention which OS you
should run.


Gates, Security, and Doubtful Accounts
Authored by: Anonymous on Monday, February 07 2005 @ 03:43 PM EST
"[warning: it is hard to get back to Groklaw from that site by hitting the
back button, but persistence or ingenuity wins the day]"

I don't know about other browsers, but on Firefox, just click the little down
arrow next to the "Back" button to bring up your previous history list
and pick "GROKLAW".


Coverity math problem?
Authored by: NewAccount on Monday, February 07 2005 @ 04:43 PM EST
985 bugs in 5.7 million lines roughly equals one in 5800 lines, not one in ten
thousand. Now, if Coverity cannot do simple math....
Hopefully the C-Net reporter messed up the numbers instead.


"Where is the little boy who says the emperor has no clothes when you need him?" - The answer...
Authored by: Eagle on Monday, February 07 2005 @ 04:48 PM EST
There he is!
And BTW there's even more like this at the left and right arrows on that page... ;-)


Gates, Security, and Doubtful Accounts
Authored by: Anonymous on Monday, February 07 2005 @ 07:40 PM EST
I like this bit (right at the top) talking about the internet and security
threats:

"But while we still work on wonderful further developments, some really
serious issues are being forced onto the agenda, and we now have to ensure that
they do not ever become a problem."

The man clearly isn't connected to reality. He implies that internet security
and spam aren't yet a problem. Sorry, the horse has bolted. What alternative
reality is he in if he thinks we haven't yet reached the point where security is
"a problem". Perhaps he's talking about linux. Possibly what he
means is "a problem ... for Microsoft's revenues". Who knows. Either
way he is delusional, or dishonest. You choose.


Coverity's claims
Authored by: Anonymous on Monday, February 07 2005 @ 10:19 PM EST
I'm quite uncomfortable with Coverity's claims of code quality in the linux
kernel. They developed their test software using the kernel as a guinea pig!
When they wanted feedback, they would send the results to the linux-kernel
mailing list so that the developers could fix the bugs and complain about false
positives and so on. This was a win-win situation, to be sure, but I don't like
the final conclusion that the linux kernel is less buggy based on their
measurements. It's ludicrous to think that their code measures all defects (and
I think that is explained if you read enough details of the results), and it's
even sillier when you realize that the kernel was used to implement and
fine-tune the tests. It's like knowing the questions on a final exam...

Don't get me wrong. I strongly believe (and know, from first hand experience!)
that the kernel is excellent quality code. I just don't need to draw that
conclusion from poor reasoning about Coverity's data.


Gates, Security, and Doubtful Accounts
Authored by: Anonymous on Tuesday, February 08 2005 @ 01:36 AM EST
[warning: it is hard to get back to Groklaw from that site by hitting the back
button, but persistence or ingenuity wins the day]

It's not ingenuity that wins the day. It's not using IE that wins the day. I
opened the link in a new Firefox tab and was able to continue my surfing. Again,
BEWARE M$ IE browsers.


So, you are saying
Authored by: Anonymous on Tuesday, February 08 2005 @ 04:37 AM EST

That a company with 100% GNU/Linux installs is less secure than one with a healthy mix, e.g. 90% Microsoft and 10% GNU/Linux?

That is what you said, right?

Perhaps you'd like to rethink your views on monoculture. If it depends on the culture, then your objection isn't to the mono per se.


Gates, Security, and Doubtful Accounts
Authored by: tel_cor on Tuesday, February 08 2005 @ 07:23 AM EST
Operating System monoculture is more of a management plus, rather than a
security plus. The fewer variances in the equipment and software there are, the
easier it is to track and manage the various permutations. The greater the
number of variances, the more difficult they are to track and manage. The
greater the difficulty, the more resources are needed to manage the
permutations.

Having different versions of the same operating system, such as Windows 2000,
Windows XP and Windows 98, also adds to the variances, thus to the management
burden. This is the same whether discussing non-Free, proprietary operating
systems such as Windows or MacOS, or discussing Free ones such as GNU/Linux or
FreeBSD.

---
--
My computer only displays LI-
Is that the only part of Linux my computer can run?
- Friend trying first distro


Monoculture vs. Programming Culture (and why Open Source will Conquer the world)
Authored by: bwcbwc on Tuesday, February 08 2005 @ 10:12 AM EST
It's ironic, one reason Microsoft IS the monoculture in so many places is
because sysadmins wanted to reduce support costs by standardizing their computer
environments. This argument still carries a lot of weight in big business, even
though the risks of infection or other damage increase quadratically as the
number of connections to the network (and the internet) increase. Businesses
don't seem to have recognized the tipping point where the added cost of
supporting more platforms is less than the larger loss of business function for
malware incidents that hit the whole corporation rather than just a piece of
it.

Actually, while a monoculture increases the scope of damage when a disaster
occurs, and increases the probability of attack attempts, it doesn't necessarily
mean that the product has to be more or less vulnerable to attack. The
vulnerability of a product is a function internal to the code and is a function
of the development organization and the ability of the developers in the
organization. But even here, Microsoft appears to suffer in comparison with many
Open Source projects like MySQL and Linus, at least when we're talking about
defects per 1,000 LOC.

Now, MySQL and Linux are relatively centralized and controlled Open Source
projects, so I'm not convinced that the Open Source model is the greatest
contributor to the lower defect counts in those products. There are numerous
factors that contribute to the effectiveness of a development organization
besides the number of reviewers and developers available.

But one undeniable advantage of Open Source is in process improvement and
changing culture. If the development process in an Open Source project becomes
too burdensome, diverts from the primary goal, or is just plain stupid, the
community can fork the code and start a better-managed project. This option
isn't available to closed source developers. They typically have to try to
convince their organization to change the processes that most managers have
become comfortable with.

As an organism becomes older, larger and more resistant to change, it spawns
more vigorous and nimble children to sustain the genome. This model also seems
to apply to corporate ecology as well. Older organizations that can't change
from within start to age and fail in various ways. For example, they can become
a monoculture of groupthink (alzheimer's), an accretion of conflicting processes
(physical aging), or a victim of malicious management, stockholders or employees
(cancer).

Open Source has a much more effective reproductive strategy to break out of the
organizational aging cycle than any closed-source product can achieve. Imagine
if a group of MS developers wanted to start an alternative organization
completely outside Microsoft's control that they felt would be more effective at
addressing Windows security issues. And let's even assume that MS management was
amenable to this as long as they got a piece of the action and rights to
incorporate the new organization's code back into Windows. There would still be
months, or even years of due diligence, licensing and other negotiations between
the two organizations. For an open source project, these negotiations aren't
needed, because the agreements are already incorporated into the existing open
source license. As long as the forked project complies with the existing
licensing terms of the original project, they can develop their own business
model independently of any baggage from the original. In short, the
"gestation period" for a child to be born of an Open Source project is
much shorter and less prone to complications than for a commercial product.

In either case, the parent can gain the benefits of the child's market
advantages by incorporating code from the child back into their projects, but
Open Source will gain time to market advantages that aren't achievable in
closed-source. The one advantage that a closed-source fork would probably have
is in financing. A business that allowed an independent development organization
would probably provide some seed money as part of the deal to help get the
project going.

But what if you combine the two? What if a large corporation donated its source
code to already well-established open-source organizations? Or what if they
funded the open source organization? And doesn't this sound familiar? If you
look at corporate-funded Open Source projects like Apache, Eclipse and MySQL,
you have the benefit of Open Source's time to market and flexibility coupled
with the (relative) financial stability of a private company. Even as these
organizations age and become less effective, they will spawn children faster
than their competitors can reproduce or adapt. And as in life, their children
will carry their products to new heights.

Doubtful Accounts--$25 per downloaded cartoon!?
Authored by: Anonymous on Tuesday, February 08 2005 @ 12:49 PM EST
Clicked on the link in the article, clicked the cartoon section and it says it's
$25 per download for the cartoons! It says it's the honor system. I hope he's
not serious, or Groklaw just cost a lot of people some serious money.

(Maybe my sense of humor is impaired today)

MS Monoculture is not Equal to any other system monoculture
Authored by: Hargoth on Tuesday, February 08 2005 @ 03:14 PM EST
Many of us are old enough to remember other IT monocultures.

The venerable IBM mainframe.

The 'alternative' Mini-Computers such as DEC, UNISYS, and others.

These all existed before the implementation of the microprocessor.

NONE of the old monocultures allowed for the thought of "personal
computing".

Microprocessors first appeared in corporate IT as specialized design equipment.
This is where SUN made its name. These systems were physically as large as
their cousins the Mini-Computers, but because of the nature of microcomputers
they shrank in size with every iteration.

In a SUN monoculture, for instance, it was not uncommon to have 1 administrator
for 150-160 engineering workstations. This was accomplished by 'sharing' as
much of the system as possible, thus allowing updates to all systems by making a
single change on the server. This also meant that when an administrator
accidentally steps on the power cord of the primary server's disk subsystem, you
get 150 upset engineers! OOPS!

In the current MS monoculture, we have a staff of about 15 people to manage the
150 or so Windows-based desktops in use here. That is a big difference. (Yes I
run Linux on all my desktops and laptop at work, and have converted many in my
group, but that is another story).

In a SUN monoculture (or Vaxen or whatever) the administrator can work with
their management and user community to immediately apply patches and software
upgrades as needed. They can also afford to allow some systems to run untouched
for years because they already have the networking infrastructure in place to
'protect' those systems.

Those types of update activities pale in comparison to the complexities of
patching and testing MS-based desktops. It's a real shame.

Is it a design flaw in MS operating systems? YES.
Is it something that management understands? NO.
Is it acceptable to management? YES.
Why is it acceptable to management? ... ???

I miss the days of clean system management.
I think that my old users do too.
I also think that most people who use modern systems have never had experience
with great systems management because it's really not an option in the MS
monoculture.

One of my old groups averaged three calls a week to the help desk, and over half
of those were printer related. :)

Match that in the MS monoculture.

Microsoft Security Model
Authored by: rharvey46 on Tuesday, February 08 2005 @ 04:59 PM EST
Well, now here is one for you!
If I am a Windows user (of any type) including regular user, a virus can be
installed on my machine without any action on my behalf - and without becoming a
user of a different type.
If I am a Windows developer (using quite a few of the Microsoft Windows
development tools), I need to become an Administrator to develop, test and/or
install the application on any machine (including my own machine).

So... To develop a Windows program, I need more rights than someone who pushes a
virus onto my machine? Amazing!

As a developer (on any operating system and/or environment), I should NOT need
to be an administrator. To install software (especially into a production
environment), I should (perhaps) need to be an administrator.

Another note: For every release of Visual Basic (1.0 thru .Net), Microsoft
recommends that you recompile your code for that version. However, it does not
provide the source code to the operating system - and third party vendors
generally do not provide such.
If I am coding in Java, or for Linux, I can gain access to the source code for
free (even if I can not distribute it). However, if the operating system or
language changes, I do not need to recompile.

I would much rather not need the source code but have it than not have the
source code and need it...

I would rather not need Administrator rights to develop/test code than have but
not need Administrator rights to install a virus.

Needing Administrator rights to do your work and not having it limits
productivity. Having Administrator rights creates a vast security hole (similar
to always being logged on to root). The security model should allow development
at a different level of security... Fortunately, Linux and Java provide
sandboxes that allow development in a secure environment.

My little rant on the subject...
Authored by: haegarth on Tuesday, February 08 2005 @ 06:33 PM EST
Well, PJ, I'm very sorry to have to tell you this, but your article shows one
big mistake on your part: You're thinking logically.

As far as my experience goes: to fully understand why many decision makers still
cling to Microsoft products you have to think like a manager, not like a
technician.

For decades managers have been following the herd for many reasons. One of them
must be the fact that managers tend to listen to other managers rather than to
their own technical staff. MS knew that very well, and it has worked for them
for over two decades by avoiding talking to people really dealing with their
mediocre product lines. The managers they, in fact, were talking to, had no
reason to believe they were being cheated. Hey, we're talking about MS here, one
of the most successful companies in the world! How can they possibly fail us?
Nah, let's think positive (just as we've learned in management school), we don't
want to end up like technicians, do we?

Well - Bill G obviously assumes (or, to give him the benefit of the doubt,
pretends) that the situation hasn't changed, so he kept talking like everything
was going nicely for them. Too bad for him that the Spiegel is known for not
bowing to authorities (while, for my taste, they still let him off too easily) -
I wonder how it would have been with almost any other news magazine.

Personally, I didn't feel like laughing when I read that article (which may be,
at least in part, due to the fact that I read it in my dentist's waiting room).
Instead, I grew more angry with every line.

What disturbed me most wasn't the monoculture thing, it was Bill repeating the
old myth about Windows being as secure as Linux... it's the amount of
installations that triggers all those attacks by malicious hackers, remember? If
Linux were so popular, it would be hacked quite as often as Windows! Duh.

Pathetic.

Sorry to interrupt you, Bill, but the herd has started to change its course.
You'd better get out of the way.

---
MS holds the patent on FUD, and SCO is its licensee....

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License.