
Microsoft Claims Linux Security a Myth

CowboyNeal posted more than 9 years ago | from the not-unlike-longhorn-shipping-dates dept.

Microsoft 901

black hole sun writes "Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.' The gist of his argument appears to be his claim of lack of accountability among distributors, coupled with generic statements short on facts. 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.' He goes on to say that 'Linux is not ready for mission-critical computing. There are fundamental things missing,' pointing out the lack of a development environment and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program." I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.


I'm FP (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11513679)

I'm the FP man, rocking the town. Linux is as secure as... well, it secure!

*COUGH* sendmail *COUGH* (4, Insightful)

Staos (700036) | more than 9 years ago | (#11513680)

Twenty years of buffer overflows. [google.com]

Questions?

Re:*COUGH* sendmail *COUGH* (0)

Anonymous Coward | more than 9 years ago | (#11513753)

For how long has Sendmail been part of the linux kernel tree? How many people are still running Sendmail? What is the difference between a security hole in sendmail and a security hole in a 3rd party Windows application?

Indeed (5, Insightful)

SilverspurG (844751) | more than 9 years ago | (#11513683)

"Who is accountable for the security of the Linux kernel?"
Tell me. Of the 60,000 some (give or take whatever) viruses, worms, and trojans available for Windows, how many of them even needed kernel level access? I suppose he can simply blame that on others.

There are bits of the Linux software stack that are missing
Care to elaborate? Just what part of the software stack is missing?

Re:Indeed (4, Funny)

Anonymous Coward | more than 9 years ago | (#11513700)

Care to elaborate? Just what part of the software stack is missing?

The bit that lets Firefox add new suid root system calls to Linux via .xpi files disguised as links to FREE BOOBIES.

Re:Indeed (2, Funny)

newr00tic (471568) | more than 9 years ago | (#11513764)

[JOKE]

Oh, there's already a Bootable CD-Distro that does that, it's called BOOBIX. It has a special build of Wine, just for these purposes..

[/JOKE]

Re:Indeed (5, Funny)

had3l (814482) | more than 9 years ago | (#11513826)

"Care to elaborate? Just what part of the software stack is missing?"
They don't know, it's missing.

Re:Indeed (0)

Anonymous Coward | more than 9 years ago | (#11513835)

IMHO:
Spreading FUD seems to me a very desperate move (even if it can be successful). It shows that their software is absolutely not any better and they have to support it by attacking the alternatives.
They are probably attacking linux because they know they cannot buy it, since it's a community. With other companies it's mostly only a matter of price.

Re:Indeed (4, Funny)

AKnightCowboy (608632) | more than 9 years ago | (#11513837)

Care to elaborate? Just what part of the software stack is missing?

The entire .NET Framework is missing from the Linux kernel!!! My Visual Basic kernel modules won't even compile under Linux.

Re:Indeed (5, Insightful)

Anonymous Coward | more than 9 years ago | (#11513843)

Trying to use logic and reasoning in the face of this style MS FUD is just going to make for a long winded argument.

Here, MS is starting out with claims that don't have a thing to do with reality. They're stating nothing more than equivalents to 'what if's. Making a reasonable sounding argument that in the absence of proof sounds like it could have some backing behind it.

When MS says "The biggest challenge we need to face centres on the myth and reality. There are lots of myths out there as to what Linux can do. One myth we see is that Linux is more secure than Windows." it's just an outright lie. It sounds like he's taking the position of a firm stand against a very real problem. "the open source development process creates fundamental security problems." furthers it, by attempting to put an explanation on just what's wrong with Linux.

It's theorising, and it's the kind of logic a bunch of guys down the pub will bullshit on about for hours, talking about cars or government or whatever, things they really don't know about, but can sound knowledgeable about.

Sounding knowledgeable doesn't stand up to Reality though.

Microsoft's comments about Linux security in the face of the passing of their least secure year is the equivalent of them arguing that drink driving is actually safer, by stating "Alcohol slows you down. It would make you drive slower, therefore be safer. You'd be less likely to do anything silly cos you'd be trying to concentrate harder on driving well". On the surface to someone who knows no difference, it sounds like an argument that has merit.

But again, The Real World jumps up and gets in the road, and that's where real security issues for MS exist, and not in their false construct of marketingspeak.

hey Nick (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11513685)

put down the crack pipe and step away from the computer...

lmao

Oh yeah? (2, Funny)

nocotigo (820504) | more than 9 years ago | (#11513687)

Just wait until they roll out WinX, or is it Winux...

Re:Oh yeah? (1)

carninja (792514) | more than 9 years ago | (#11513712)

it's pronounced "Winks"!

Not A Myth, Just Not Inherent (5, Insightful)

the_mad_poster (640772) | more than 9 years ago | (#11513690)

Fact: Much of what winders suffers from is incompetent users. Nothing is really stopping the developers from writing spam bots for windows because idiot users on Linux could run bad code just as easily as idiot users on windows.

OTOH, you don't have such dumbass tricks as tying your browser right to the OS or ActiveX, so you make spyware and whatnot less of a factor.

On yet another hand, however, you have the problem of moron users running sendmail daemons that listen for connections from the Internet and other stupid things. Plus, Linux has security holes. If stupid people don't patch them just like they don't patch winders, what good is the security?

Again: You can protect the stupid people from the world if you want, but you can't protect them from themselves.

Mod Parent Up (1)

blahbooboo2 (602610) | more than 9 years ago | (#11513796)

Sorry, I don't get why parent is flamebait? I thought it was an interesting comment.

Re:Not A Myth, Just Not Inherent (1)

TrekkieGod (627867) | more than 9 years ago | (#11513815)

At my university, this Linux computer we use for some experiments requires that some kernel modules get loaded when the experiments are being run, and unloaded when they're finished. So, one must become root to perform these functions.

The geniuses decided that it was a pain to type 'su' and a password each time (or even using sudo). So they started using root as their main account. And yes, that machine is connected to the 'net, because they like to be able to ssh into it from outside, and because every once in a while, they even browse from it.

So given my experience, I have no idea why you've been modded flamebait, other than someone found your classification of these users as "incompetent," "idiots," and "morons" offensive. I can't find more suitable terms myself.

Re:Not A Myth, Just Not Inherent (5, Insightful)

ggvaidya (747058) | more than 9 years ago | (#11513841)

IMHO, the biggest problem is that Windows has remained relatively unchanged since Win95. Win95 was a single-user application, only just beginning to explore the Internet. The biggest risk your computer could face - viruses - could be handled by being very careful about which floppy disks you used. People who used BBSes were competent enough to use antiviral programs.

With the coming of the Internet, all that changed. Windows needs to be secure enough to prevent web-based attacks, such as through badly created web application frameworks like ActiveX, as well as prevent attacks on vulnerabilities in the networking function of the OS. Stuff like using a restricted user mode, frequent updates, using a secure browser, etc. are necessary to stop such attacks.

A Windows computer is probably as secure as a Linux machine if adequate measures are taken: antivirus programs, firewalls (generally included in the former), secure passwords, not running as Admin and most importantly, frequent updates.

All this is new stuff that people have to learn. At least if you use Linux, somewhere down the line you *have* to learn the basics of stuff like this (I've found "rm -rf" is the best tool for teaching people to NEVER run as root!). With Windows, you can remain painfully oblivious to the most basic security techniques because the OS will *let* you - and your computer becomes the next hub for Joe Spamboss.

Hopefully, SP2 will improve things - I've found the firewall a real PITA, particularly on university-administered computers, but at least it makes people a little more aware and careful.

I don't think branding everybody as "stupid" is the way to go about it. They're not stupid, they're just not aware. And I blame Microsoft as their enabler, at least for these last few years.

What that guy is smoking? (3, Funny)

KiloByte (825081) | more than 9 years ago | (#11513692)

This is the classic case of a kettle calling the refrigerator black.

Re:What that guy is smoking? (0)

Anonymous Coward | more than 9 years ago | (#11513715)

Mine is beige

Re:What that guy is smoking? (1)

carninja (792514) | more than 9 years ago | (#11513731)

wasn't it the pot calling the kettle black? not all refrigerators are black, and the saying originated from when both pots and kettles were made from iron, and thus black. I don't think refrigerators were around then. (But then where'd they keep the brews?)

Re:What that guy is smoking? (1)

yotto (590067) | more than 9 years ago | (#11513780)

You're absolutely right, as is the grandparent.

Think about it.

Really hard.

He's not smoking... (1)

Black Parrot (19622) | more than 9 years ago | (#11513738)


He's just pining for the fnords.

Figures (0)

Anonymous Coward | more than 9 years ago | (#11513693)

MS is preparing the hype before Google announces their OS based on linux kernel.

He has a point, you know (3, Interesting)

Anonymous Coward | more than 9 years ago | (#11513697)

If he was wrong, why would Red Hat et al sell service contracts and make money off of them? They accept that money in return for accountability, responsibility, and SLAs - all of which a major corporation will demand and which are not present in the pure open source model.

So, he's right, but he's also wrong in that Red Hat is not responsible for Linux kernel security, but they are responsible for getting patches out for issues discovered.

Is it that time of year again already? (n/t) (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11513698)

except that which is necessary to post...

In other news... (4, Funny)

k4_pacific (736911) | more than 9 years ago | (#11513703)

In other news, a representative from Yugo blasted BMW for not putting rear window heaters on their cars. "If you have to push it in the winter, your hands will get cold. What a crappy car."

Linux Security vs Microsoft AntiSecurity (5, Interesting)

michelcultivo (524114) | more than 9 years ago | (#11513705)

From Bruce Schneier [schneier.com] "Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that a unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) have an online mean life expectancy of 3 months before being successfully compromised." I think the term is not "more secure" but "less vulnerable".

Well..yeah..he would say this (5, Insightful)

grasshoppa (657393) | more than 9 years ago | (#11513706)

You see, it's called marketing. He is saying exactly what big wig CIO/CEO/C[A-Z]{2} understand and like to hear. Accountability. That's a big thing to most corporations.

Now, him saying that Redhat can't improve the kernel is simple BS, and could either be a fundamental lack of understanding on his part, or just a flat out lie. Given his position, I'm guessing it's a lie. Redhat ( as have most distributors ) patches the kernel with its own magic, and will often update it on its own.

Cliff notes: MS marketing with head in sand. News at 11.

Is he serious (1)

k3rnl (847979) | more than 9 years ago | (#11513708)

Is he serious? Or is it some kind of joke?

Re:Is he serious (1)

WindBourne (631190) | more than 9 years ago | (#11513745)

no. This is just Marketing. There has been a recent trend to take your opponent's strengths and declare them for your own. If repeated enough in the media and by enough ppl, then more will believe it.

Re:Is he serious (2, Insightful)

WhiplashII (542766) | more than 9 years ago | (#11513836)

This is not a recent strategy... in marketing you commonly look at your strengths and weaknesses - and then see how you are perceived by your customers. If your customers already know your strengths, your marketing strategy is to convince them that your weaknesses are also strong.

It just sounds silly to those who know. But it does work in most cases...

Re:Is he serious (0)

Anonymous Coward | more than 9 years ago | (#11513769)

Yes, hahaha you caught us.

who's responsible for the security? (0)

Anonymous Coward | more than 9 years ago | (#11513709)

i honestly don't know who's responsible either.. maybe it's Linus?.. or how about that penguin dude! aah tux will save us won't you tux?

Re:who's responsible for the security? (1)

adepali (749748) | more than 9 years ago | (#11513830)

All your security is belongs to me

Title corrected (1, Funny)

Anonymous Coward | more than 9 years ago | (#11513710)

Should be:
Linux claims M$ security a Myth.

Excellent marketing (5, Interesting)

vijayiyer (728590) | more than 9 years ago | (#11513716)

This is another example of Microsoft's marketing prowess. They know that IT managers want to hear about vendor accountability, single source solutions, etc. Those who still are using only Windows are probably not technically competent enough to see through the FUD. The truth is irrelevant here.

Re:Excellent marketing (2, Insightful)

meisenst (104896) | more than 9 years ago | (#11513754)

Any IT manager worth their salt will look past this FUD and look towards things like... this [slashdot.org] , where Microsoft's single sign-on program fails them utterly. Oh, wait, isn't that one of the key points this guy tried to make, even though Passport has basically begun to circle the drain?

Plain wrong! (1)

thames (558443) | more than 9 years ago | (#11513717)

There are fundamental things missing,' pointing out the lack of a development environment and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program.
Login:

and emacs.

Re:Plain wrong! (0, Offtopic)

Billy the Mountain (225541) | more than 9 years ago | (#11513812)

vi! Emacs is crap!

BTM

Myth (0)

Anonymous Coward | more than 9 years ago | (#11513719)

If anybody actually used Linux for anything, we could find out. As it is... we just don't know.

Yeah.... (0)

Anonymous Coward | more than 9 years ago | (#11513723)

Who is accountable for the security of the NT kernel? Microsoft are so arrogant that they protest at being made accountable to the US government or the EU, so I doubt it's them. Windows is only ready for mission-critical computing if mission-critical means uptimes around 35 days.

Ho-hum (5, Insightful)

twilight30 (84644) | more than 9 years ago | (#11513724)

Move along, people. Nothing to see here. There's no point in getting pissed off about this; Microsoft shills are liars and exaggerators.

I will never forget -- seeing as how it happened only on 19 December just gone -- about my broadband installation. Not wanting to rock the boat nor confuse the cable installer guy, I rebooted into XP just prior to his arrival. He hooked my old beater celery up with DHCP and I surfed for about ten minutes. I thanked him and he left.

So I figured I'd do the decent thing and do the security updates. ...

Eight hours later, I cleaned off the last of the spyware, adware, malware horseshit.

To Nick McGrath: Fuck off and die, you wanker. How much you want to bet your router at home runs a Linux variant for firewalling purposes?

Red hat does take responsibility though (5, Informative)

m50d (797211) | more than 9 years ago | (#11513725)

They take responsibility for their distribution. They will patch their kernel if anything seems wrong with it. From time to time they pay for an audit. Similarly the debian people vouch for their kernel, and so on. The vanilla kernel.org kernel is only accountable to the kernel.org people, true, but most "enterprise" distribution makers will stand up for every package they distribute.

Who is accountable for Windows? (5, Insightful)

nharmon (97591) | more than 9 years ago | (#11513727)

From Windows XP's EULA:

LIMITATION ON REMEDIES; NO CONSEQUENTIAL OR OTHER DAMAGES. Your exclusive remedy for any breach of this Limited Warranty is as set forth below. Except for any refund elected by Microsoft, YOU ARE NOT ENTITLED TO ANY DAMAGES, INCLUDING BUT NOT LIMITED TO CONSEQUENTIAL DAMAGES, if the Product does not meet Microsoft's Limited Warranty,

So, are we to believe that if Windows crashes my data, that I can hold Microsoft accountable?

At least with Linux I have access to the source code, and can hire programmers to scratch my itches for me. Somehow, I don't think microsoft would give out source code if they went under.

MOD PARENT UP (nm) (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#11513765)

nm

Single sign-on (1)

Daniel Boisvert (143499) | more than 9 years ago | (#11513729)

I think he's referring to MS Active Directory and their Kerberos support, not the .NET Passport boondoggle.

Apparently it's well-known at Microsoft that Linux doesn't support Kerberos. [tldp.org]

Re:Single sign-on (1, Interesting)

Anonymous Coward | more than 9 years ago | (#11513777)

Of course ADS is pretty much LDAP at its core, and PAM can be configured to use ADS for authentication via winbind (Samba).

So the real irony here is that Microsoft's own technologies, which apparently Linux doesn't support, are built on top of open standards. Many of which originated as Open Source software!

It's a good job reality isn't aware of this fundamental dichotomy in the universe or we could all be in deep trouble.

Re:Single sign-on (2, Insightful)

Anonymous Coward | more than 9 years ago | (#11513789)

I corrected it for you: Apparently it's well-known at Microsoft that Linux doesn't support **Microsoft's deliberately incompatible version of** Kerberos.

Not a technical argument (4, Insightful)

Malfourmed (633699) | more than 9 years ago | (#11513732)

McGrath is not making a technical argument, but a management/legal one. In business, security (ie peace of mind) is not defined by the tightness of a piece of code but by who you can make accountable for any failure.

Microsoft at least is the clear and sole owner of its product. Though any single customer's ability to make it responsible for product deficiencies is slight at best, a statement of "we're here and responsible for our stuff" is superficially reassuring.

Superficial... (2, Informative)

rhsanborn (773855) | more than 9 years ago | (#11513763)

...especially because they claim they are explicitly not responsible for anything.

Re:Not a technical argument (0)

Anonymous Coward | more than 9 years ago | (#11513768)

And you are part of the microsloth FUD machine.

Have you forgotten that the US Justice Dept took them to court and LOST?
What about in California? Do you know what the cost was of taking the "owners" of Windows98 to court? The "winners" got a coupon worth $10...

Come on man - at least here at Slashdot don't be a phoney...

FUUUUUUD! (1)

CdXiminez (807199) | more than 9 years ago | (#11513733)

Fud! Fud! FUD! Fudfudfudfud! FUUUUUUD!

Re:FUUUUUUD! (0)

Anonymous Coward | more than 9 years ago | (#11513785)

Dude, shut the fud up.

Re:FUUUUUUD! (1)

Anonymous Writer (746272) | more than 9 years ago | (#11513845)

Elmer FUD!

More FUD (2)

slobber (685169) | more than 9 years ago | (#11513734)

There are fundamental things missing, ... no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program.

Please, someone, tell him about kerberos...

Re:More FUD (1)

craXORjack (726120) | more than 9 years ago | (#11513749)

Yes, and e-Directory too. And besides, wtf does .Nuts Passport have to do with 'Mission Critical Computing'?

Who takes the blame for Windows viruses? (1)

ryen (684684) | more than 9 years ago | (#11513735)

the virus creators, not Microsoft.

Re:Who takes the blame for Windows viruses? (0)

Anonymous Coward | more than 9 years ago | (#11513825)

An analogy... in Minneapolis, if your leave your car unlocked with the keys inside, that in itself is illegal.

If your car gets stolen while its doors were unlocked, the police WILL give you a ticket for this offense.

Microsoft takes responsibility for Windows Bugs? (4, Insightful)

Taladar (717494) | more than 9 years ago | (#11513739)

Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility?
From these words I conclude that any business that lost time/money from Security Holes or Bugs in Windows they can go to Microsoft and present a bill which Microsoft will gladly pay.

Now is your chance to bankrupt M$S (2, Insightful)

Anonymous Coward | more than 9 years ago | (#11513742)

So the Microsoft bigwig Nick McGrath says 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel.."
Well Ok Nicky - you are implying then that MS DOES take responsibility for the security of its products? If that is so then you are lying because the last time I read YOUR EULA it states that you guys will take our money but will not take responsibility for any defects etc in YOUR products.

Once again we have idiots making statements for none other than the idiots that are running the IT industry...

No development environment? (1)

m50d (797211) | more than 9 years ago | (#11513744)

I use KDevelop and it works fine, thank you very much.

Let's keep the bias out of the submission.. (4, Insightful)

Staplerh (806722) | more than 9 years ago | (#11513746)

Come now. This is ridiculous:

I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer. Historically those have been proven to be of a caliber all their own.

This is true, I will agree.. in my humble opinion. Let's save the editorializing for the comments. This is 'News for Nerds' - this sort of snide comment has a place in an Op/Ed page, but certainly not the 'front page' of a news site. I suppose there are divergent ideas of what Slashdot really is, but I think that endeavouring to be unbiased would be great.

I'm not meaning to troll or to be 'flamebait' here, just to point out a disturbing trend I've noticed in biased story submissions.

Re:Let's keep the bias out of the submission.. (0)

Anonymous Coward | more than 9 years ago | (#11513822)

I guess Linux can only aspire to the greatness of Windows when it has such secure applications as Outlook and Internet Explorer.

...and MySQL? [slashdot.org]

In all seriousness, linux (the kernel) is not significantly more or less secure than WinXP. It's the software which you run on the OS (Outlook, BIND, etc...) that makes you vulnerable

With XP, Windows now actually has a security model more on a par with SELinux than with an unpatched linux. This doesn't seem to matter in actual practice, since most windows users prefer to run everything with Administrator privileges. But I suspect people would have the same bad habits if they were running some other OS instead.

Mmm pudding... (1)

MoogMan (442253) | more than 9 years ago | (#11513755)

Great! It's nice to see someone challenging the Linux Way(tm).

Prove it :)

Microsoft software (1)

Lennie (16154) | more than 9 years ago | (#11513756)

At least with Microsoft you know Microsoft is accountable.

That really helps me a great deal, NOT.

I prefer the Linux model, where I can see the 3-line patch before applying (within hours or days).

Instead of the big service pack with the gazillion changes. Of which I have no idea of the impact on the system.

Yes, they have hotfixes too, but that doesn't mean I can see what they do/change.

The Microsoft way is Russian roulette.

This totally makes sense. (4, Interesting)

bennomatic (691188) | more than 9 years ago | (#11513758)

Microsoft isn't a software company. They're a marketing company. They do what it takes to sell whatever they've got. I used to say that MS could pipe all their employee toilets into a packaging facility and sell Microsoft Excrement at a profit. With their marketing muscle, they could find an audience for just about any product.

Unfortunately, part of marketing, especially when your product is getting negative publicity, is pointing out perceived flaws in competing products. I believe the term often used is FUD, and it's nothing new or unique to MS. Heck, it's pretty much how GWB won a second term.

When it comes to this sort of thing, they have a wide latitude of opinions they can express, especially when there is no Linux, Inc. to sue them for slander. The Linux community, however, has been quite good at spreading the word about MS badness; they're just trying to do the reverse because their feelings are hurt.

Just personal experience (4, Insightful)

agraupe (769778) | more than 9 years ago | (#11513760)

Here's my personal evaluations of security differences:

Spyware:
Windows: I run a spyware checker every week or two, and it almost consistently finds new spyware.
Linux: Is there a spyware checker for linux? Does there need to be? I know that my Linux box runs consistently fast, and has no search bars.
Edge: Linux

Default Habits:
Windows: The Windows XP install, by default, seems to create an Administrator account with no password, no User account, and no suggestion that there should be a user account. Also, there's many services that are on by default, that really shouldn't be.
Linux: All linux distros I've used require a root password, and strongly emphasize that root is not to be used for day-to-day computing. Depending on the distro, most unnecessary services are off by default.
Edge: Linux

Updating:
Windows: Use an insecure browser, tied to the OS itself, to browse to Windows Update, wherein the system is updated. Note that these updates have a nasty habit of breaking things, and this does not update third-party software which may be vulnerable.
Linux: sudo apt-get update; sudo apt-get upgrade OR
sudo emerge sync; sudo emerge --update world
Edge: Linux

Do I need to go on?

Linux (1)

MyIS (834233) | more than 9 years ago | (#11513761)

The flaw in the argument is that Linux as a standalone entity does not exist - it is always an interpretation of a particular vendor, i.e. RedHat or SuSe or whoever. And those vendors do indeed claim responsibility for whatever pieces of code they decide to pack onto their CDs. That's what they ultimately get paid for.

And on a practical level, well, we all know the security statistics.

MS can't understand (1)

Groo Wanderer (180806) | more than 9 years ago | (#11513762)

MS has this self imposed myopia when it comes to security, they won't and can't understand because if they do, it is game over for them.

That said what they won't allow themselves to admit is who is responsible for the kernel. The simple answer is everyone and anyone, that is the beauty of open source. If there is one entity that chooses not to do something, you can shoulder the responsibility.

In open source, there is no one throat to strangle, just 10, 100 or a million different paths, and you choose the right one or forge your own. If there is a flaw, someone will fix it, and they will be the new king. MS can't come to terms with this.

You don't need a single entity to decide for you, you can do right on your own. All the tools are there.

-Charlie

A bird in the hand is worth two in the bush. (5, Insightful)

jonastullus (530101) | more than 9 years ago | (#11513767)

i really don't want to play down the problems linux has with its development model and i sure have heard great things about the microsoft development process!

but i'd rather have a more secure system now, which lacks in development stringency, than a provenly unsafe system which can prove exactly when, why and how their bugs came into the system...

microsoft is just far too lax concerning their outward security policy (like not caring about the blatant RC4 exploit). their "patch day" with all those patches that never quite close the exploits is just a farce!

well, gnu/linux with all its applications has had a bad streak of exploits as well recently and i would strongly recommend a stricter development process, but if i were microsoft i'd definitely tone down on the linux-is-insecure-and-lacks-accountability bashing and instead invest some serious effort in making my own product look a little more convincing and less like the bug-ridden security hole that it is!

jethr0

"I'm Bill Gates and I approved this crap." (1)

dlleigh (313922) | more than 9 years ago | (#11513772)

Apparently it's not about good design, algorithms and code. It's about "accountability" and "responsibility", i.e. who to blame when the crappy code finally hits the real-world fan.

Who needs a good product when we have someone to point finger at?

Right-o... (1)

Ninjy (828167) | more than 9 years ago | (#11513774)

From "Microsoft's Longhorn Faces Antitrust Scrutiny":
One analyst opines that Microsoft is appearing to soften its image to become kinder and gentler. 'They don't want people to hate them anymore. They've learned from their mistakes.'

It's okay, we all suffer from schizophrenia every once in a while.

Give 'em Credit (1)

nikin (638522) | more than 9 years ago | (#11513775)

...their imagination knows no bounds...

(-1: Troll) (1)

mrsam (12205) | more than 9 years ago | (#11513776)

Can this entire article be marked as flamebait?

I try to motivate myself into responding to that flunky, but I just can't. Please, there's no reason to state the obvious replies to this drivel.

This is so pathetic, so worthless, that I really feel some pity for Microsoft's utter inability to deal with Linux's threat to their business model, in any meaningful way.

They're totally reduced to thrashing around, looking for something, anything, negative they can throw against Linux, and make it stick.

I've seen better stuff on Usenet.

backfire (1)

Doc Ruby (173196) | more than 9 years ago | (#11513779)

McGrath is playing on the major corporate IT fear "who do we sue when something goes wrong?". But it will backfire, if any of the (usually spineless MS lapdog) IT magazine press actually talk about the reality. Microsoft's hugeness and bad attitude towards its insecurity means that you *can't* sue MS when it screws you. Occasionally you can, and win, but the odds are much higher that you can't afford to start the battle, especially if the MS exploit has damaged your business substantially. Combined with the much higher odds that your MS SW will be exploited than your Linux SW, and MS is flirting with disaster. The inevitable dividend on their decades of investment in insecurity and not caring.

In other news... (4, Funny)

Nova Express (100383) | more than 9 years ago | (#11513782)

Michael Moore accused Paris Hilton of being "too fat."

Mike Tyson accused Michael Jordan of being "violent and out of control."

And Richard Simmons accused Charlton Heston of being "way too gay."

Make Smart Decisions ASAP & Fix the Unexploite (1)

Noksagt (69097) | more than 9 years ago | (#11513784)

"In Microsoft's world customers are confident that we take responsibility. They know that they will get their upgrades and patches."
And Linux users get patches from their distros (though the original source might be further upstream). The key that McGrath misses is that many F/OSS projects try to make smart decisions in advance & embrace them. MS still has everyone running as Administrator. Another important thing is to fix known bugs before there is an exploit. MS's track record on either of these two points isn't exactly great.

This is so very wrong! (1, Informative)

Anonymous Coward | more than 9 years ago | (#11513786)

There are fundamental things missing,' pointing out the lack of a development environment and no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program.

It should be floundering, not foundering!

A saying that fits (0)

Anonymous Coward | more than 9 years ago | (#11513788)

"First they ignore you, then they laugh at you, then they fight you, then you win."
-Mahatma Gandhi

Accountability? (1)

spiritraveller (641174) | more than 9 years ago | (#11513790)

Mr. McGrath speaks of accountability... just how many of MS's customers have been able to hold Microsoft accountable for the billions of dollars lost through security flaws in Microsoft programs???

"In Microsoft's world customers are confident that we take responsibility. They know that they will get their upgrades and patches."

OH! He's just talking about upgrades and patches? That's accountability??? Show me a major Linux distribution that doesn't provide upgrades and patches... next show me one that is slower than Microsoft at doing it.

The only one I can think of might be Slackware, but I'm not even sure about that.

Holding accountable.... (0)

Anonymous Coward | more than 9 years ago | (#11513791)

Yeah... certainly having someone to blame in case something fucks up is more important than actually doing work.

It must be true (0)

Anonymous Coward | more than 9 years ago | (#11513793)

teh google knows all [googlefight.com]

Can we keep the editorializing out of the summary? (1)

Incoherent07 (695470) | more than 9 years ago | (#11513795)

Believe me, I realized the absurdity of the statement before I got to the sarcastic editorial comment at the end. It's not necessary. Stop it.

Single sign-on (1)

blowdart (31458) | more than 9 years ago | (#11513798)

no single 'sign-on system' giving reference to Microsoft's foundering .Net passport program

I'd suggest that he was referring to Active Directory or NTLM and not as you think, Passport. No windows network uses passport for sign-on.

Does Microsoft take responsibility? (0)

Anonymous Coward | more than 9 years ago | (#11513799)

I haven't read their shrinkwrap agreement for a while, but IIRC they pretty much disclaimed all financial and liability responsibility for everything from minor bugs to malicious destruction.

At least with Linux, if software doesn't work the way I want it to I can try to get it to work myself.

sounds like they never talk to their customers (1)

batemanm (534197) | more than 9 years ago | (#11513800)

"In Microsoft's world customers are confident that we take responsibility.

No we are more sure that we have to work around their problems.

They know that they will get their upgrades and patches."

I think he missed the word 'might' out from that sentence.

Since when? (1)

Drakonite (523948) | more than 9 years ago | (#11513801)

The gist of his argument appears to be his claim of lack of accountability among distributors

Since when has MS taken accountability for its security flaws?

It's likely not the easiest place to say this... (1)

chaboud (231590) | more than 9 years ago | (#11513803)

But there have been security vulnerabilities in Linux distros, and virii aren't absent from the landscape, either. As to which OS is more/less secure, it seems that the more important question would be "is Linux as secure as is perceived by the general public, and is Windows as insecure?" I would have to say that such levels of security/insecurity would be amazing.

Development Environment? (4, Insightful)

Roguelazer (606927) | more than 9 years ago | (#11513806)

"there is no single Development Environment for Linux as there is for Microsoft"

Yes, what a good point. There are multiple DE's for linux. This is a bad thing, because it means developers have a choice. There should only be one piece of software for each category, and it should be manufactured by Microsoft. Choice is bad, people!

Nick McGrath and Jeffrey Lee Parsons (1)

Anonymous Cowherd X (850136) | more than 9 years ago | (#11513811)

What is the difference between Microsoft's Nick McGrath [vnunet.com] and Jeffrey Lee Parsons [com.com], the teen who got sentenced to 18 months in jail for releasing a variant of the Blaster worm [slashdot.org]? They look alike, use Microsoft operating systems for their evil deeds and they are both criminals, the only difference is that McGrath is not going to end up in jail for bogus claims and slander, at that level it's called marketing.

Who you gonna sue!?!? (1)

Lemurmania (846869) | more than 9 years ago | (#11513813)

In a networking class I was obliged to take, the instructor's favorite rant about Linux was, "Who you gonna sue when something goes wrong? The penguin? The penguin!?!?" He would repeat this over and over; thought it was really witty. I pointed out to the yob that you can't really sue Microsoft either, because of their restrictive EULA, but it didn't make a dent in him. "You gonna sue the penguin?" he'd yell. Guys like him make me never want to take a course ever again. Just gimme the damn books, and let me work it out on my own, bozos.

ports... (1)

siropel (802188) | more than 9 years ago | (#11513818)

maybe if M$ will learn how to close the Windows ports (not block them after u`r already hacked), rewrite IE and Outlook, redo the user permissions ...etc ...maybe they will be 10% close to ANY linux distro security

Hm (4, Insightful)

Lisandro (799651) | more than 9 years ago | (#11513824)

Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.

Why, of course he does. That's his job.

In other stories, water's wet, sky is blue and women have secrets. More news at 10!

who's accountable? (1)

OmniVector (569062) | more than 9 years ago | (#11513827)

how about checking the bitkeeper logs and see who committed a certain portion of the kernel?

here's a question for microsoft. what happens when a major vulnerability comes out that none of microsoft's customers can do a damn thing about, and they have to wait days/weeks/months for a fix? shit out of luck, that's what. with linux i could hire a developer to fix it if it was causing me enough of a problem. or i could wait for one of several major companies with dozens of kernel hackors to fix it (who often have a much faster turnaround time for patches too! imagine that).

Does he mean "desktop environment?" (2, Interesting)

Noksagt (69097) | more than 9 years ago | (#11513828)

Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft
What does this mean? Sure, there is Anjuta, KDevelop, Eclipse, GNU/X-Emacs, etc. But there are a ton of development environments on windows too. Is this supposed to be the age-old KDE/gnome debate?

If so, isn't a huge advantage of using ANY *nix in production that you don't have to have the overhead of running a graphical desktop environment if you don't need to?

Definitely exaggerated (1)

Alomex (148003) | more than 9 years ago | (#11513832)

Twenty years ago Unix was known for its lax security. You couldn't even dream of selling a unix box for enterprise software back then. Newbies think linux/unix is secure because in contrast to Windows 95/98 it is way better.

Let's not forget either that the first Internet virus ran on unix and took all of an hour to bring the network down. Just ten years ago, Berkeley grads got a hold of root password for every unix box on campus in a few hours.

Even today, compromising your user directory is rather trivial. The technique is the same as with windows: send an email that causes buffer overflow.

Getting a hold of root is a tad more difficult, but not by much. One could write a tool that systematically tests for vulnerabilities. Let's call it backGnurifice. It would try the standard sendmail/redcarpet/cgi scripts/NFS/password cracking techniques, and succeed as often as similar tools do in the windows world.

Where is the "Active Directory" killer of Linux? (1)

totro2 (758083) | more than 9 years ago | (#11513840)

McGrath does have a point about a lack of single sign-on. Yes, patchwork, complex solutions exist in Linux, but where is a "Wizard"-based solution, making it ACCESSIBLE TO THE MASSES?

I've wrestled with this problem (trying to find an easy solution, that is worthy of recommendation to others on tight budgets, who are not necessarily as geeky as me) for a long time.

What combination of networked/distributed filesystem and distributed authentication can anyone recommend that someone with a couple years experience in the world of Debian Linux can handle (ie. someone who knows about "man" "apt-get install" /usr/share/docs/* /var/log/* /etc/*)

There are a few close candidates it seems as far as I can tell:

-Kerberos + OpenAFS + OpenLDAP -> waaay too complex to set up. There is poor/none/intimidating documentation on all three, let alone any utilities/Wizards that ask you simple questions in plain English that would help you tie them all together.

-Samba + OpenLDAP + GNUTLS -> much better documented, however this documentation could use a non-trivial update to be relevant to Debian Sarge, not just Woody: http://aqua.subnet.at/~max/ldap/#configure-openldap

-Plone, eGroupWare, and several other "all-singing, all-dancing" web-based systems: in time one of these could realistically develop into a web-based platform that "does it all". These are all relatively easy to install but slow in performance for serious usage.

Am I missing anything here that anyone wants to share?

The Litmus Linux test.... (1)

commo1 (709770) | more than 9 years ago | (#11513847)

1. a) Can Microsoft run their own infrastructure for both internet and intranet operations on their own software? ie: Would it make economic and technological sense rather than go with a more efficient and scalable system, like Linux?
b) Would they want to? ie: Do they believe www.microsoft.com, as one example, to be safe running IIS?

2. a) Will Microsoft guarantee/certify/insure the integrity of .net passport services against compromise?
b) Would Bill Gates store the keys to the kingdom in .net?

The question is (2, Interesting)

rikkards (98006) | more than 9 years ago | (#11513853)

how insecure would Windows be if you were able to remove IE and Outlook from the picture?
If Firefox becomes the great white hope for secure browsing on the Internet and the other one where it incorporates calendaring into Thunderbird has as much success as Firefox is getting (can't remember the name for the life of me), could this in itself slow Linux adoption? Windows has improved stability-wise over the last couple of years by leaps and bounds and supposedly they are looking at making it more secure (but I am not holding my breath too much).

Just a thought.