You know I couldn't resist covering this story. Microsoft's Steve Ballmer picked up his glove and slapped Linux across the face in a speech given at an industry conference thrown by...who else, Gartner?
In his speech, he said some peculiar things about security:
"Ballmer ... disputed the notion that open-source code is more secure than Windows. 'The data doesn't jibe with that. In the first 150 days after the release of Windows 2000, there were 17 critical vulnerabilities. For Windows Server 2003 there were four. For Red Hat (Linux) 6, they were five to ten times higher,' he said.
"'The vulnerabilities are there. The fact that someone in China in the middle of the night patched it--there is nothing that says integrity will come out of that process. We have a process that will lead to sustainable level of quality. Not saying we are the cat's meow here--I'm saying it is absolutely not good reasoning to think you will get better quality out of Linux.'"
Ballmer's being a naughty boy again. China indeed. "In the middle of the night." Trying to frighten the children with overtones. And playing with numbers. What year is it again? Red Hat 6? Pardon me for pointing it out, but they are up to 9 now. He's choosing a 150-day period from back in the day -- and I wonder how long it took to pick the best segment of time to use -- and using that for comparison? There is a lot that can be said about this, but it's not really necessary to do any research on this sad subject, I don't think. Everyone on a Windows box just went through the worst summer and fall of security issues of all time. They already know he's just... well, what would be the precise word here? You hate to say lying. It's so cold.
However, let's do a little research, just for fun.
Judge for yourself which operating system is more vulnerable to security problems by going down the list on CERT's Incident Notes page. It goes back to 1998. And here is their Current Activity page. It's almost all Microsoft issues. Here's their Vulnerabilities Notes page. It's all Microsoft, except for one, which isn't Linux. Here is their most recent quarterly summary. And here is a chilling article. After you look at all the data, what do you think now? Was Mr. Ballmer accurate? The only way I could find Linux prominently on any list was to type it into the Customized Search engine by itself on this page, and then when you get to the list, it's a list for all vulnerabilities of all the distributions of Linux, not just Red Hat. I couldn't find anything equivalent to Microsoft announcing a vulnerability and then saying there was no patch and you should just shut that particular functionality down. Ballmer said there were 17 critical vulnerabilities in Windows 2000 in the 150-day period and that Red Hat had considerably more. But look at the list: it shows only 16 vulnerabilities for all flavors of Linux for the entire year of 2000. CERT only lists the big ones, but Ballmer did say "critical". It makes you wonder where he got his numbers from, or how he defines "critical".
Funny he would choose such an old time period, don't you think, for his comparison? Maybe it's because looking at July through October of this year would be devastating? I see only two Linux vulnerabilities on the list for that time period, both buffer overflow vulnerabilities, so evidently there has been considerable improvement on the Linux side.
Look at what could happen to you on a Windows box in the first two weeks of September 2003, though, just using a handful of the many recent vulnerabilities here and here and here and here and here and here and here. I didn't include July and August or October or the rest of September, out of kindness. Now, what Mr. Ballmer needs to do is show me anything like that kind of news coverage of security vulnerabilities in GNU/Linux, for any two week period. And speaking of critical, look at what the results could be from the Windows security issues:
"'An attacker who successfully exploited these vulnerabilities could be able to run code with local system privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges,' Microsoft warns."
Defying these facts, here's what Ballmer said about the built-in superiority of commercially produced software:
"The Microsoft chief executive also contrasted the quality of software that's produced by commercial makers to that of software that's developed under the open-source model. 'Should there be a reason to believe that code that comes from a variety of people around the world would be higher-quality than from people who do it professionally? Why is its pedigree better than code done in a controlled fashion? I don't get that,' he said.
"'There is no road map for Linux, nobody who has his rear end on the line. We think it's an advantage a commercial company can bring--we provide a road map, indemnify customers. They know where to send e-mail. None of that is true in the other world. So far, I think our model works pretty well,' Ballmer said."
Oooo. Scary. "The other world." More ominous overtones.
He doesn't get it, or claims he doesn't, so I will explain. The very openness he and SCO criticize is what makes Linux more secure. Why? First, there are no artificial roadblocks. All their moats and chains and gates and laws and terror tactics to make sure no one looks at their code or "steals" it create blockades that can get in the way of fixing problems. In GNU/Linux, anybody can fix anything and offer it to the world as a cure. Then someone else can test it and verify it, and pass on that info. You don't have to use what they write, but you can if you want to. Someone is awake somewhere 24 hours a day, and so things tend to get fixed fast. As George Bernard Shaw pointed out, talent can crop up anywhere, and anyway, not even MS can hire all the talented people in the world.
And here's another secret: Linux users help out with bug reports. Yes. We do that. For nothing. Just to help. Millions of us. This is the secret sauce of GNU/Linux, a significant part of its power. If we users try software and something doesn't work perfectly, we let the authors know. That is Linux's secret. Hidden problems don't stay hidden when anyone can bump into them and let the authors know they need to fix it. If the user knows how to fix it, he or she can fix it and send the fix back to the author. And the author doesn't charge you to contact them either. It's a very efficient system. Ever try to call Microsoft?
As someone wrote me the other day, Windows comes from a box. Linux comes from a community.
So the result is, although Mr. Ballmer can't believe it, Linux really is more secure. And the data does jibe. It appears IT professionals are catching on now. The results of a survey of IT pros were just released, and their opinions of Linux security versus Microsoft's do not match Mr. Ballmer's views. There has been a rise in confidence in Linux in the past 6 months:
"New research shows that confidence in Linux as a secure platform is up. A recent survey conducted by the research firm Evans Data shows that Linux's reputation as a stable and secure operating system is growing among people who write code for a living. . . .
"The survey also found that open source code, modules and tools are used more widely among developers than they were a few years ago. In a 2001 survey, Evans Data found that 38% of the 500 developers it surveyed said they used open source code in the applications they write. The most recent findings showed that 63% of developers incorporate open source today.
"Overall confidence in Linux as a mission-critical serving platform was also up from past years' surveys. While 34% of the 500 developers surveyed in 1999 said they thought Linux was ready for prime time, 64% said in the latest survey that they would trust mission-critical applications to run on Linux."
So when Ballmer says the "data doesn't jibe", the question is, which data? Or, more precisely, whose?
Look at the spike in security incidents this year compared with last year: 114,855 incidents in the first three quarters of this year versus only 82,094 for all of last year. It's a good time to be thinking about security.
Have you been thinking about trying Linux? HP will let you test drive various Linux environments to see how you like them. It's really a tool for developers, but the web site doesn't list any restrictions as to who can do a test drive. They offer Red Hat, Debian, Mandrake, SuSE, and others. If any of you journalists or CEOs out there have never tried Linux, why not give it a whirl? (I hope the rest of you leave them room by not crowding ahead of them. Obviously, there are limits to how many can do this at once.) Or get yourself a Knoppix CD and try Linux on your own computer here. It runs off the CD, so when you are finished, your Windows software is still there, if you insist. Knoppix is a Debian version of GNU/Linux, by the way, and some consider Debian a very secure environment indeed. It's fun. If you try it just one time, it will open your eyes.
UPDATE: Bruce Schneier's Cryptogram for November 15, 2003 links to this article and says this about it: "Excellent analysis of the security of Windows vs. Linux." I am, of course, honored.