
Vista Security Claims Debunked

CowboyNeal posted more than 7 years ago | from the setting-things-straight dept.


An anonymous reader writes "Apparently Microsoft still hasn't learned that counting vendor acknowledged vulnerabilities isn't a good way to establish the security of an OS. As an analysis of Microsoft's claims on Full Disclosure shows, we see that the methodology used was badly flawed. A bug in Firefox (not to mention emacs) counts as a flaw for Linux, while IE bugs get ignored on Vista's chart. Then we see that vulnerabilities aren't vulnerabilities when they're security-challenged features such as Vista's Teredo. Also, there's far too little consideration given to severity, given that it stoops to counting even extra access restrictions on a file in OSX to have something to show. In short, the original Microsoft analysis was good PR and poor research."


315 comments


Microsoft found making PR-FUD-ing research (5, Funny)

MukiMuki (692124) | more than 7 years ago | (#19683715)

In other news, scientists have confirmed that water is, in fact, wet.

Re:Microsoft found making PR-FUD-ing research (3, Insightful)

Baron_Yam (643147) | more than 7 years ago | (#19683735)

Yeah, I'm sorry, but by this time anyone who is surprised by MicroSoft misrepresenting facts instead of actually acting on problems is either an idiot or hearing about MicroSoft for the first time.

Re:Microsoft found making PR-FUD-ing research (1)

x_MeRLiN_x (935994) | more than 7 years ago | (#19684781)

Windows XP, touted as the most secure OS to date on release. Also, touted as secure in SP1, and again most secure in SP2. We are now seeing it again with Vista. Are we really supposed to believe that somehow this mantra is going to change just because Microsoft tells us so?

Microsoft "Research" (5, Funny)

WilliamSChips (793741) | more than 7 years ago | (#19683797)

Bears are Catholic. The Pope shits in the woods.

Re:Microsoft "Research" (4, Funny)

cronot (530669) | more than 7 years ago | (#19684425)

... and this is, scientists have concluded, Sparta.

The really sad part.... (4, Insightful)

EmbeddedJanitor (597831) | more than 7 years ago | (#19684441)

MS has the resources to actually generate amazingly good products and dominate on a level playing field.

Unfortunately they seem to be so obsessed with winning by FUDing and spinning that they end up making crap. This is a great disservice to the whole computer industry.

Re:The really sad part.... (4, Insightful)

MightyMartian (840721) | more than 7 years ago | (#19684527)

After all these years it surely must be clear to everyone that MS is fundamentally a marketing company. It stopped being a technology/software company nearly twenty years ago. Since marketing is basically legalized distortion and lying, no one should be surprised.

Thing I learned in the marketing class I failed: (5, Insightful)

Anonymous Coward | more than 7 years ago | (#19684565)

Marketing is cheaper than R&D.

Re:The really sad part.... (1)

thelastquestion (1090169) | more than 7 years ago | (#19684711)

yeah, microsoft has the resources to do that, but then they have that shit-ton of managers to deal with... who, btw, are the ones that decide to partake in the FUD, and get in the way of anyone trying to make a good product by 'managing.'

Microsoft is about making money ... not products (5, Insightful)

golodh (893453) | more than 7 years ago | (#19684863)

It may be sad, but it's really straightforward: Microsoft is a typical profit maximizer. That's their aim. Every activity they do, be it product development, marketing, or plain PR is aligned with that central business goal.

This means simply that Microsoft will generally pour just enough resources into a product to beat the competition and dominate the marketplace. We saw that with the browser war. When it had to overtake Netscape it came up with a good product. After it killed Netscape, and there was practically no other comparable browser, resources were taken off the browser product because it was good enough and there was no sense whatsoever in improving it.

We saw it with the IDEs. When Microsoft had to compete with Borland {Borland Pascal; Borland C/C++} it came up with the 'Visual' IDE. Visual C, Visual Fortran. It was a good IDE, and it won against Borland. After that ... it languished. Now ... now that we're seeing the Eclipse IDE and SUN's IDE ... suddenly Microsoft floors the accelerator again.

The same holds for the Operating System itself. Windows was systematically tailored to capture the eye of consumers and businesses, which it did very well. Never mind that the internals were {and still are} kludgy. What the user sees is the user-interface; that's what sells. Security flaws? Well ... as long as there is no competitor to which people can switch while retaining their investment in software and training ... security flaws aren't a show-stopper. Getting their own stuff to work was {previous Windows versions have so many tightly coupled components that you never knew what would break next when you changed or added anything}, and that's why Jim Allchin very sensibly steered towards a properly engineered Windows. Vista in other words.

Given that we're seeing Linux, OS-X, and Open Solaris competing in more or less the same market we also saw an increased effort from Microsoft to tart up the user interface. Those transparent windows thingies.

This is something fundamental you have to understand about Microsoft. They are calculating folk, and never ever were trailblazers. Tail-light chasers, yes, but never trailblazers. 'Good Enough' is their goal, and their yardstick is ... the competition. Why? Because to Microsoft 'Good Enough' means 'Good enough to win in the marketplace and bring in revenue'. That's how Microsoft became so rich.

Re:Microsoft found making PR-FUD-ing research (0)

Anonymous Coward | more than 7 years ago | (#19684133)

Can someone put a DUH tag on this? This definitely deserves one.

As Gunnery Sergeant Hartman would say (2, Funny)

Anonymous Coward | more than 7 years ago | (#19683749)

Well... no shit...

Re:As Gunnery Sergeant Hartman would say (1)

Ucklak (755284) | more than 7 years ago | (#19683883)

Well... no shit... Twinkletoes...

Re:As Gunnery Sergeant Hartman would say (2, Insightful)

Dachannien (617929) | more than 7 years ago | (#19684471)

I suppose "What is your major malfunction, numbnuts?!" is also appropriate here.

Shocked! (5, Funny)

yotto (590067) | more than 7 years ago | (#19683753)

I am totally shocked. I just bought 10 licences too and threw away all my Linux computers!

You don't need to see our identification. (4, Funny)

Bombula (670389) | more than 7 years ago | (#19683773)

These aren't the droids you're looking for.

Re:You don't need to see our identification. (-1, Troll)

christian.einfeldt (874074) | more than 7 years ago | (#19684457)

MOD PARENT UP! This is funny! The quote is a classic example of a Jedi mind trick used by Obi-Wan Kenobi in Star Wars III -- Return of the Sith, to get past some Storm Trooper guards running a checkpoint.

http://www.mediafirst.co.uk/news/jedi.htm [mediafirst.co.uk]

EXTERIOR: TATOOINE -- MOS EISLEY -- STREET.

The speeder is stopped on a crowded street by several combat-hardened stormtroopers who look over the two robots. A Trooper questions Luke.

TROOPER: How long have you had these droids?

LUKE: About three or four seasons.

BEN: They're for sale if you want them.

TROOPER: Let me see your identification.

Luke becomes very nervous as he fumbles to find his ID while Ben speaks to the Trooper in a very controlled voice.

BEN: You don't need to see his identification.

TROOPER: We don't need to see his identification.

BEN: These are not the droids you're looking for.

TROOPER: These are not the droids we're looking for.

BEN: He can go about his business.

TROOPER: You can go about your business.

BEN: (to Luke) Move along.

TROOPER: Move along. Move along.

Not surprising (2, Insightful)

CyberPhoenix (1121789) | more than 7 years ago | (#19683781)

Never believe anything MS says, they are untrustworthy.

Don't accept abuse. MS apparently lied. (5, Interesting)

Futurepower(R) (558542) | more than 7 years ago | (#19684225)

MOD PARENT UP!

Quote from the Slashdot story: "In short, the original Microsoft analysis was good PR and poor research." It amazes me how easily people accept abuse, and give excuses for being abused. It was not "good PR". My best understanding is that Microsoft's analysis was an intentional lie.

My rule number one in dealing with Microsoft: Unless forced by circumstances, never upgrade to a new version of Windows until the second service pack is released. Let other people have the grief. The huge number of bugs in Windows XP before SP2 was very expensive for us. If I remember correctly, SP2 fixed more than 630 bugs, and some of the fixes were not documented. It is not only the vulnerabilities that are expensive.

Quote from the link in the Slashdot story: "Also, the entire networking stack was rewritten for Vista, and that means lots of new bugs are present. I have already spoken to other researchers who have not disclosed such flaws publicly. However, a good start for learning about some is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues."

Microsoft has, in my opinion, a long, long history of not allowing their programmers to finish their jobs. There were even security vulnerabilities in the Microsoft Help protocols!

Re:Don't accept abuse. MS apparently lied. (1)

snowgirl (978879) | more than 7 years ago | (#19684753)

It was not "good PR". My best understanding is that Microsoft's analysis was an intentional lie.

I thought that PR was lying... isn't it?

Not that surprised... (4, Insightful)

Coopjust (872796) | more than 7 years ago | (#19683785)

Given the previous FUD Microsoft has put out about Linux (235 patents? Which patents?), I'm not really surprised to see this.

Of course, if anyone should be counting browser flaws as OS flaws, it's MS. MS makes the case that they can't remove IE from the OS since it is integral to it working properly, yet doesn't count them on the vulnerability list.

Meanwhile, FF doesn't even have to come with a Linux distro, and a bug that compromises FF as an app is much less likely to compromise the OS as a whole.

Looks like more FUD to scare non technical people from "illegal" and "unsafe" Linux.

The Microsoft guy did a second report (4, Interesting)

Utopia (149375) | more than 7 years ago | (#19683795)

with the non-Core Linux components no longer listed, based on the feedback.

This just debunks the first report.

Re:The Microsoft guy did a second report (1)

CastrTroy (595695) | more than 7 years ago | (#19684023)

Does it, or does it debunk the second report? It was my understanding that the first report included absolutely everything available for the distro, while the second report included less stuff, but still tons of stuff that isn't included in a base "windows" install.

Re:The Microsoft guy did a second report (2, Informative)

dhasenan (758719) | more than 7 years ago | (#19684157)

The second report lacked detail. It mentioned that the writer had removed some packages but kept GNOME around, but only about five lines were dedicated to each distro (there were four, though I believe two were Red Hat or strongly Red Hat based).

Also, none of the vulnerabilities were enumerated, so you couldn't guess at what software was installed on that basis.

So it's quite possible that the report was based on Linux, X11, and GNOME with the minimal amount of other stuff to make the system run, but somehow I doubt that.

Re:The Microsoft guy did a second report (5, Insightful)

Zeinfeld (263942) | more than 7 years ago | (#19684251)

Does it, or does it debunk the second report? It was my understanding that the first report included absolutely everything available for the distro, while the second report included less stuff, but still tons of stuff that isn't included in a base "windows" install.

Regardless of whether it does or does not, the claims are as silly and irrelevant as the slashdot stories 'proving' that Linux is more secure.

The number of bugs is not relevant; if there is one bug the system is vulnerable. What matters is the window of vulnerability: the time between discovery of the bug by the bad guys and fixing it by the good guys.

UNIX used to be known for its insecurity. Ritchie and crew invented the buffer overrun bug. Tony Hoare was referring to this blunder in C when, in his Turing Award lecture, he brought up the fact that the first principle of ALGOL 60 had been security.

The perceived level of security of a system has much less to do with familiarity than any actual objective measure. None of the systems that are on the market today is built well enough for its supporters to start challenging others to this type of dick size measurement contest. It's silly and unhelpful.

Re:The Microsoft guy did a second report (0)

Anonymous Coward | more than 7 years ago | (#19684871)

Not all vulnerabilities are equal. The number of bugs begins to matter once you factor in bug severity. Different bugs affect different systems.

Re:The Microsoft guy did a second report (0)

Anonymous Coward | more than 7 years ago | (#19684875)

That's quite incorrect.

Unix wasn't known for its insecurity, insecurity was discovered on Unix because it's what first got connected on the net (well, the real net). *everything* was insecure back then.

K&R didn't "invent" the buffer overflow, didn't even popularize it, for the simple reason that until C took that role, anything that wasn't finance (cobol) or scientific (fortran) was written in assembly.

When Hoare said that the first principle of Algol 60 had been security, what he meant was programmer safety. Nothing to do with DOS, SQL injection, trojans, viruses or anything, just the idea that if you overflow, the program dies there and then, and tells you why instead of running amok for 10 minutes and then core mysteriously.

And finally, just because somebody's full of it doesn't mean you have to turn around and let him talk shite.

Re:The Microsoft guy did a second report (1)

node 3 (115640) | more than 7 years ago | (#19684039)

with the non-Core Linux components no longer listed, based on the feedback.

This just debunks the first report.

Just debunks *one aspect* of the first report. Or did he take the other items into consideration as well?

As it stands, this debunks the first and second (i.e., all) reports.

Re:The Microsoft guy did a second report (2, Insightful)

walt-sjc (145127) | more than 7 years ago | (#19684055)

While this FA may not be the right one, there are others that debunk the second report too. Links are in the last /. story on it. In short, the guy is a PR tool, and anyone that buys into the report is either naive in the extreme or just plain witless.

Re:The Microsoft guy did a second report (0)

Anonymous Coward | more than 7 years ago | (#19684507)

No it debunks the second.

If you had actually *read* the microsoft report (the second, that is), instead of just being happy with the conclusion and spouting off crap on /., you'd have noticed that what he calls a "reduced component set" consists of a standard desktop install, checking that apache, mysql and the likes were not installed, and specifically excluding the gimp and openoffice. Needless to say, that is much more software than Windows alone. For instance, you may get both Konqueror and Firefox, KWrite, xpdf (just mentioning that one because it had a "high" NVD entry for a DOS), and, and, and.

TFA has more details... In case your mind isn't already made up.

One thing I'd like to know is why he's using NVD instead of CERT. Anyone?

Which is no better than the first! (1)

Xenographic (557057) | more than 7 years ago | (#19684625)

> This just debunks the first report.

Yeah, so did he address all the other serious flaws? Such as the whole "number of vendor acknowledged issues" != "useful security metric"? Because unless he did something radically different, his whole methodology was wrong.

You can't just subtract a few worthless bugs from the charts and turn that into a useful security metric. It just doesn't work that way. For an example of something that would be more useful, you could find all the bugs that lead to remote compromise and count the number of days it was widely known before it was patched for some definition of "widely known."

But then you end up with things like that story saying that IE 6 had critical flaws for about 9 months out of last year. Yeah, IE7 is better (hard not to be!) but still.
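Xenographic's proposed metric above (for each remotely exploitable bug, the days it was widely known before a patch shipped), together with Zeinfeld's "window of vulnerability" point earlier in the thread, worked through as an added example that is not from any post here. The vulnerability records are constructed to illustrate the three counting methods the thread argues about; they are not real advisories.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    os: str                  # OS the advisory was attributed to
    component: str
    in_base_install: bool    # shipped and enabled in the default install
    remote: bool             # exploitable over the network
    severity: str            # "low" / "medium" / "high"
    disclosed: date          # date the bug became widely known
    patched: Optional[date]  # None = still unpatched at the snapshot date


# Constructed sample records (not real advisories). Note the Firefox/emacs
# entries attributed to Linux and the IE7 entry attributed to Vista, which
# is the attribution dispute the thread is about.
SNAPSHOT = date(2007, 6, 30)
VULNS = [
    Vuln("vista", "ie7", True, True, "high", date(2007, 2, 1), date(2007, 4, 10)),
    Vuln("vista", "teredo", True, True, "medium", date(2007, 3, 15), None),
    Vuln("vista", "netstack", True, True, "high", date(2007, 5, 20), date(2007, 6, 12)),
    Vuln("linux", "kernel", True, True, "high", date(2007, 4, 2), date(2007, 4, 5)),
    Vuln("linux", "firefox", False, True, "high", date(2007, 3, 1), date(2007, 3, 4)),
    Vuln("linux", "emacs", False, False, "low", date(2007, 1, 10), date(2007, 1, 11)),
    Vuln("linux", "xpdf", False, False, "medium", date(2007, 2, 20), date(2007, 2, 25)),
    Vuln("linux", "gnome", True, False, "low", date(2007, 5, 5), date(2007, 5, 30)),
    Vuln("osx", "file-perms", True, False, "low", date(2007, 3, 3), date(2007, 3, 20)),
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def vendor_count(vulns, os, core_only=False):
    """Raw count of acknowledged advisories (the first-report method).

    core_only=True drops packages outside the base install, which is what
    the second report claimed to do.
    """
    return sum(1 for v in vulns
               if v.os == os and (v.in_base_install or not core_only))


def exposure_days(vulns, os, snapshot=SNAPSHOT, min_severity="high"):
    """Total days that remote bugs of at least min_severity were known
    before being patched. Unpatched bugs count up to the snapshot date,
    so an open hole keeps growing the score instead of vanishing from it.
    """
    total = 0
    for v in vulns:
        if v.os != os or not v.remote:
            continue
        if SEVERITY_RANK[v.severity] < SEVERITY_RANK[min_severity]:
            continue
        end = v.patched if v.patched is not None else snapshot
        total += (end - v.disclosed).days
    return total


def rank(vulns, metric, **kwargs):
    """Order the OSes from best to worst under the given metric."""
    oses = sorted({v.os for v in vulns})
    return sorted(oses, key=lambda o: metric(vulns, o, **kwargs))


if __name__ == "__main__":
    print("raw count:      ", rank(VULNS, vendor_count))
    print("core only:      ", rank(VULNS, vendor_count, core_only=True))
    print("exposure (high):", rank(VULNS, exposure_days))
```

On this sample the raw count ranks Linux last, the core-only count ranks Vista last, and the exposure metric ranks Vista last by a wide margin because of the long-open IE7 bug and the unpatched Teredo issue; the same records, three different "winners".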

Now... (4, Funny)

Anonymous Coward | more than 7 years ago | (#19683815)

Does that sound like a people_ready business to you?

What do people expect??? (0)

Anonymous Coward | more than 7 years ago | (#19683819)

I really doubt you'll ever hear M$ say something like...

"Our operating system is less secure than all the other major OSes but you should buy it anyway because it looks kinda pretty."

next you'll be expecting...

"Vista will cost you $43 per year more than XP just in electricity." ($1.2 billion per year more for the power companies thanks to Vista)

Re:What do people expect??? (1)

timmarhy (659436) | more than 7 years ago | (#19684175)

while it's true it'll require a beefier pc to run, upgrading to a newer pc like a core2 will result in power SAVINGS.

Yo0 insensitive clod. (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19683831)

Vio7ated. In the

Teredo (3, Insightful)

Umbral Blot (737704) | more than 7 years ago | (#19683839)

The rest of the complaints aside it may have very well been appropriate not to count Teredo as a vulnerability. Here's why: assume that windows was technologically backwards and couldn't get on the internet. Would you then agree that Linux was less secure, because the possibility exists to hack it over the internet while that possibility does not exist for windows? No, that wouldn't be an appropriate assessment of security. To evaluate security we need to in a sense "divide by" the ability of the system to access other things. Teredo gives Vista the ability to get to ipv6 from behind a NAT, so vista has the ability to access more things (in this one limited way). Thus it should not be counted as a vulnerability unless Linux has a way to do the same thing, in which case we can compare the security implications of Linux's method versus Vista's method. But until then Teredo should be set aside when doing a security comparison (versus an independent vulnerability assessment).

Re:Teredo (2, Insightful)

howlingmadhowie (943150) | more than 7 years ago | (#19683895)

so because my old zx80 can't do a lot of things a modern pc can do, i shouldn't regard critical security problems in modern pcs as vulnerabilities?

if microsoft opens a door for exploits they have a vulnerability. if another system also has a similar capability is totally irrelevant, also from the point of view of a comparison. the question is, is windows more secure or less secure because of this feature?

Re:Teredo (0)

Anonymous Coward | more than 7 years ago | (#19683995)

"so because my old zx80 can't do a lot of things a modern pc can do, i shouldn't regard critical security problems in modern pcs as vulnerabilities?"

Not when comparing modern pcs to zx80's. I guess this was hard to understand when it was spelled out crystal clear in the OP. Back to your regularly scheduled slashdot trolling.

Re:Teredo (2, Informative)

DECS (891519) | more than 7 years ago | (#19684291)

No you are absolutely wrong.

A vulnerability is a vulnerability regardless of whether other systems have similarly flawed mechanisms.

If Mac OS X had a vulnerability in its Apple File Service, it wouldn't be dismissed simply because Windows doesn't natively support the AFP service.

Re:Teredo (1)

Tony Hoyle (11698) | more than 7 years ago | (#19683983)

Teredo doesn't really work though - I've wanted to use it on a couple of occasions just to get some connectivity on a temporary net connection.. and it's never worked once. It seems to require port forwarding setup on the router - and if you're going to do that you might as well open port 41 and use a 6to4, so you haven't gained anything.

Re:Teredo (1)

Tony Hoyle (11698) | more than 7 years ago | (#19684021)

dammit. I meant protocol 41.

stupid posting filter.
stupid posting filter.
stupid posting filter.
stupid posting filter.
goddammit I need a submit macro.

Submit Macro (4, Funny)

WiseWeasel (92224) | more than 7 years ago | (#19684419)

"I need a submit macro"

You mean like the "Preview" button right next to the "Submit" one?

Re:Teredo (1)

Wordplay (54438) | more than 7 years ago | (#19684081)

assume that windows was technologically backwards and couldn't get on the internet. Would you then agree that Linux was less secure, because the possibility exists to hack it over the internet while that possibility does not exist for windows?

Yep, I would agree with that. Linux would be less secure, because it's hackable over wire, whereas your hypothetical GimpOS can only be hacked from the console. GimpOS may be considerably less capable in many ways, though, as is often the tradeoff.

Since when does accessibility not play into security?

Re:Teredo (0)

Anonymous Coward | more than 7 years ago | (#19684557)

Yep, I would agree with that. Linux would be less secure, because it's hackable over wire, ...

...provided it is connected.

Depending upon your definition of "security", yes. (4, Interesting)

khasim (1285) | more than 7 years ago | (#19684123)

Here's why: assume that windows was technologically backwards and couldn't get on the internet. Would you then agree that Linux was less secure, because the possibility exists to hack it over the internet while that possibility does not exist for windows? No, that wouldn't be an appropriate assessment of security.

Actually, it would be appropriate.

If you can remove an avenue of attack, you have increased the security of your system.

Now, by removing it from the Internet you have also reduced the FUNCTIONALITY of your system.

So you end up with a less functional, more secure system.

Security is all about evaluating the possible threats and reducing their effectiveness.

Teredo gives Vista the ability to get to ipv6 from behind a NAT, so vista has the ability to access more things (in this one limited way). Thus it should not be counted as a vulnerability unless Linux has a way to do the same thing, in which case we can compare the security implications of Linux's method versus Vista's method.

No. If it is an avenue for attack, it is an avenue for attack.

If it is vulnerable, it is vulnerable.

We've been over this before with Firefox's avoidance of ActiveX. Sometimes, increasing your security simply means NOT including some functionality.

Re:Depending upon your definition of "security", y (1)

netcrusher88 (743318) | more than 7 years ago | (#19684281)

Security is all about evaluating the possible threats and reducing their effectiveness.

More to the point, and as you alluded to, security is all about balancing safety (or security, if you will) and functionality. In this case, I believe that not including Teredo on by default as a security hole is a fallacy. Sure, it adds functionality, but at the same time, creates significant security problems without notifying or asking the user. And grandparent, know what you're talking about. A Hexago tunnel is easy enough to come by on Linux, and very little work to set up (literally cut and paste). Teredo can be run on Linux too, though I cannot recall how.

Basically, it comes down to this: Microsoft sacrificed what could potentially be a significant amount of security for a feature that is meaningless, and for that matter useless, to the majority of users (at least for now, and Microsoft has a tolerable patch system, so...). And that feature is on by default, without asking the user. So, yeah, I'd call that a security hole.

Re:Depending upon your definition of "security", y (1)

AmberBlackCat (829689) | more than 7 years ago | (#19684811)

I think I'd choose functionality over security, if it was some function I like.

Re:Teredo (2, Insightful)

node 3 (115640) | more than 7 years ago | (#19684161)

Here's why: assume that windows was technologically backwards and couldn't get on the internet. Would you then agree that Linux was less secure, because the possibility exists to hack it over the internet while that possibility does not exist for windows?

Actually, yes, if all other things remain equal. What kind of moron are you imagining who would claim otherwise? I have to call "straw man" on this one.

Let's, in fact, *actually* make things more equal. Two *exactly identical* PCs with *exactly identical* installs of Linux, with one and only one exception: PC A is connected to the Internet, PC B is not. Do you *honestly* believe both PCs are equally secure? That the non-networked PC is not, actually, more secure[*], all other things remaining equal?

[*] I have to add, because I know otherwise someone would bring this up, that it's technically *possible* both PCs are equally secure, assuming the networked PC doesn't call out to the Internet, and there are no security flaws *at all* in the card drivers, firewall, etc. But unless you actually know for sure that your code and hardware are 100% secure, that unknown is, itself, less secure. That's not to mention the *actual* security flaws that actually exist, since even though the networking *might* be 100% secure, it's exceptionally close to certain that it isn't.

Re:Teredo (2, Interesting)

Umbral Blot (737704) | more than 7 years ago | (#19684213)

I'll clarify my point since it seems to be flying by many of you: security assessment != security comparison; you don't do two security assessments and then compare them, rather you compare the security of comparable features, to avoid an apples vs. oranges situation that makes the comparison meaningless. This is admitted by the people defending Linux themselves as they complain that it isn't right to compare Linux + firefox to Vista - IE. The same principle is in action here, if you want to compare the security of the two you need to compare basically the same feature set or the result is meaningless.

(I have an XP box on my desk that isn't connected to the net while my OSX machine is. I guess for me that means that OSX is more vulnerable than XP. When I post that claim in response to the next security comparison article I expect all of you who disagree to the above standards of security comparison to admit the awesomeness of my XP box /sarcasm)

Re:Teredo (1)

Eric Damron (553630) | more than 7 years ago | (#19684427)

Microsoft was using this bogus report to show that their OS was more secure than OSX or Linux. They were NOT saying "My browser is more secure than yours but your TCP/IP stack is better than ours..." Which is what you would have us do.

What people care about is that their computer doesn't get compromised... period...

"if you want to compare the security of the two you need to compare basically the same feature set or the result is meaningless."

Actually what you are trying to do is meaningless. As a consumer I want to know how likely it will be that my system will get damaged by cyber attacks. That's the bottom line. Anything else is meaningless.

Believe me, your point didn't "fly by" anyone. We simply don't agree.

Re:Teredo (1)

Umbral Blot (737704) | more than 7 years ago | (#19684461)

But, as I mentioned elsewhere, if you boast that you are better in security by these standards then Microsoft will simply respond by saying that they appear less secure only because they have so many more features. And that will make Microsoft more attractive. So if you want to convince the consumer you have to stick to comparing security on a feature by feature basis, or be open to the above argument making Linux look bad functionally.

Re:Teredo (1)

ozmanjusri (601766) | more than 7 years ago | (#19684633)

Microsoft will simply respond by saying that they appear less secure only because they have so many more features. And that will make Microsoft more attractive.

That's a nonsensical argument.

Anyone who wants similar functionality on Linux can install it (on Debian; apt-get install miredo).

It's a feature very few people will ever want, so it's not installed by default. That's sensible packaging, not a lacking feature.

Re:Teredo (1)

Umbral Blot (737704) | more than 7 years ago | (#19684729)

That doesn't change in the least what microsoft will say in response to the security comparison. Which is why comparisons should stick to comparable features, so as to avoid that kind of response completely. If the Linux community responds that you could get all the features of windows microsoft is going to say: "windows is still better because they come with it by default", and "the security comparison is flawed because it omitted all the programs people will install for the oh-so-vital features of windows".

Re:Teredo (0)

Anonymous Coward | more than 7 years ago | (#19684585)

You show really quite advanced thinking for an idiot.

Re:Teredo (1)

Antique Geekmeister (740220) | more than 7 years ago | (#19684275)

Your logic is flawed, I'm afraid. Linux apparently does not do it because it's a fundamentally stupid "feature", appropriate for trade show demos but a really bad idea in the real world, since it subverts the basic security policies of most NAT's.

Re:Teredo (1)

Umbral Blot (737704) | more than 7 years ago | (#19684301)

That's an appropriate point to bring up ... in a feature comparison, not a security comparison. Look, if you don't ignore features in this context when they are different then the Windows crowd can simply claim that Windows has more security problems because it has more features than Linux. You don't want them to claim that do you?

That makes no sense... (1)

Eric Damron (553630) | more than 7 years ago | (#19684315)

"Thus it should not be counted as a vulnerability unless Linux has a way to do the same thing..."

So the vulnerabilities in ActiveX and COM shouldn't be counted either since Linux doesn't use those... Or vulnerabilities in DirectX shouldn't count because Linux doesn't use it?? That just isn't logical.

Anything that can be used as a vector to successfully compromise a computer should be counted as a vulnerability because that's what it is.

Re:Teredo (1)

HoldmyCauls (239328) | more than 7 years ago | (#19684327)

Good attempt to be fair, but if you're going to walk outside during a storm and without an umbrella, you deserve to get rained on. So it is with security: if a system *can* be hacked in some way, that is the definition of a vulnerability. No matter how many daemons I run, even if each one can be hacked in the same way, I have one vulnerability per open port on those that connect to vulnerable daemons. I think what you meant to say is, "in comparing Linux to Windows, we need to define a rubric based on the communicative *abilities* of a system relative to its security *vulnerabilities*" Your basic premise being that it is not fair to fault a system designer for trying is true, but an imperfect system today, though better than a perfect system tomorrow*, still has its flaws. A piece of software like Teredo *needs* to be planned well, and patched quickly.

*paraphrasing the adage, "A good plan executed today is better than a perfect plan executed at some indefinite point in the future." -- George S. Patton

Re:Teredo (2, Insightful)

innerweb (721995) | more than 7 years ago | (#19684383)

I am sorry, but that is incorrect. Anything that can be used as an exploit, no matter how big, small or unlikely is a potential exploit and must be listed as a security risk. This is the kind of thinking that causes most security issues. Do yourself a favor and don't think like that. Ruling out a security risk that might happen for any reason is looking the other way, and puts you, your client (employer) and the rest at risk. It might also cost you your job. I have seen people let go for much less.

If a system were not accessible over the internet and another one was, then the one that was would definitely have the internet listed as a security issue. Writing an analysis to target only the expected situation is a great way to invite disaster. Ask any company who has had a product used in a way other than intended with problematic results. Cars were never intended to be used as bombs, but they have proven to be quite effective. Exploits that were not intended to be made available normally seem to become available. Environments change, needs change, people do things without permission, exploits appear.

InnerWeb

Remove the power cord too (3, Funny)

EmbeddedJanitor (597831) | more than 7 years ago | (#19684479)

After extensive research we found that having the computer powered up was the source of all the security flaws. Don't blame MS - they don't make the power cords!

Re:Teredo (1)

TechnicolourSquirrel (1092811) | more than 7 years ago | (#19684647)

The rest of the complaints aside, it may have very well been appropriate not to count Teredo as a vulnerability. Here's why: assume that windows was technologically backwards and couldn't get on the internet. Would you then agree that Linux was less secure, because the possibility exists to hack it over the internet while that possibility does not exist for windows?

That's impressive, the way you managed to completely factor any actual real world risk to the end user out of the concept of 'security'. I guess, by your logic, if Microsoft added a 'feature' to let anyone on the internet 'collaborate' with you by modifying any file on your hard drive they wish, we could not call them any less secure than LINUX, because LINUX doesn't have this feature. Never mind that every single Windows user just lost all their files. That doesn't fit your definition of 'comparatively insecure'. Perhaps your sig should read 'Sophistry! Sophistry!...'

Re:Teredo (1)

Umbral Blot (737704) | more than 7 years ago | (#19684739)

I'll clarify my point since it seems to be flying by many of you: security assessment != security comparison; you don't do two security assessments and then compare them, rather you compare the security of comparable features, to avoid an apples vs. oranges situation that makes the comparison meaningless. This is admitted by the people defending Linux themselves as they complain that it isn't right to compare Linux + firefox to Vista - IE. The same principle is in action here: if you want to compare the security of the two you need to compare basically the same feature set or the result is meaningless. (I have an XP box on my desk that isn't connected to the net while my OSX machine is. I guess for me that means that OSX is more vulnerable than XP. When I post that claim in response to the next security comparison article I expect all of you who disagree to the above standards of security comparison to admit the awesomeness of my XP box /sarcasm)

er (1)

wizardforce (1005805) | more than 7 years ago | (#19683841)

What gets me is that very few security researchers ever get the chance to examine MS code like Linux allows; who knows how much code is a security risk, millions of lines of code that only its creators can really examine. There also exists the problem that in addition to security flaws in the code itself, there is the fact that most MS users don't really take care of their OS like they should. Very few people avoid IE, update their software, have a firewall or any security smarts [i.e. can't resist the free wallpapers/ringtones/random spyware infestations]. It is better to have a good user on a flawed system than PEBKAC on a good system.

Re:er (4, Insightful)

MyLongNickName (822545) | more than 7 years ago | (#19684025)

Very few people avoid IE, update their software, have a firewall or any security smarts

Vista updates by default. It is nicely built into the shutdown interface. By default you "update and shut down" if an update is available. Firewall is also built in and seems to be relatively well designed. Very honestly I am impressed with Vista's default security.

The rest of your post I agree with. For example will this help my sister-in-law who loads every toolbar and screensaver known to man? Nope. If a user downloads flaky spyware software, there isn't an OS that can help. But Vista truly is a step in the right direction for the majority of folks who just want to browse and email.

Re:er (1)

Tony Hoyle (11698) | more than 7 years ago | (#19684083)

Well it won't actually let them download the spyware... UAC is as flaky as hell.

I actually have about half a dozen icons on my desktop that it's impossible to delete. You hit delete, the UAC prompt comes up, you confirm, and *nothing happens*. You'd think that would have come out in beta testing.. maybe it did, and MS ignored it.

I'm currently offloading my work into a win2k3 client ready to ditch vista for good.. taking much longer than I'd hoped, but my six months of vista hell is nearly over (yay!!!). We dropped vista as a supported platform, because our customers had basically reached the conclusion we had - it's nowhere near ready for primetime.

Re:er (1)

MyLongNickName (822545) | more than 7 years ago | (#19684131)

I haven't experienced this issue. I will say vista is flaky, especially in file copying. Damn slow. Very honestly, I still prefer Win 2K over XP or Vista, and for any real work will still be using it or 2003 Server.

Re:er (2, Informative)

daeg (828071) | more than 7 years ago | (#19684265)

The problem exists on any NT-based system, actually. What is happening is that when the installer runs, it is running with Administrator credentials. The retarded, non-user account aware installer installs the icon in the "All Users" desktop. You, a non-administrator, cannot remove it from your desktop because you can use the "All Users" desktop, but cannot alter it. The failing silently thing can also happen on 2000/XP, albeit rarely. Sometimes the "Permission Denied" box can take many minutes to display for apparently no reason at all, particularly on some computers with strange software installed (I've noticed many similar failures when the Dell support tools are installed).

Of course, the solution is blindingly simple. If an icon is on the "All Users" desktop, and you delete it, it simply marks it deleted for *your copy* of the desktop. If you rename it, it's the same icon.. just renamed on your desktop. If an administrator wants to delete it, give them another context menu option, or let them delete it from the actual "All Users\Desktop" folder.

Arguments in terms of Active Directory/Domains are moot--you could simply administer that right via group policies to prevent users from renaming, for example, the icon for Outlook.

Googley moogley? (0)

Anonymous Coward | more than 7 years ago | (#19684549)

What kind of an account is "All Users"? Is it sort of like /usr/share ? Can I log in as "All Users" with admin creds?

Re:Googley moogley? (0)

Anonymous Coward | more than 7 years ago | (#19684799)

It's not an actual account, it is more of a general user profile loaded along with the user profile of the account logged in.

Re:er (1)

TheRaven64 (641858) | more than 7 years ago | (#19684189)

I haven't used Windows for ages, but do Windows users actually still shut down? I don't think I've ever shut the machine down. It gets rebooted when I install security updates, and goes to sleep when I'm not using it, but it's never actually shut down.

Re:er (1)

Chandon Seldon (43083) | more than 7 years ago | (#19684319)

Updates on Vista and updates on, say, Ubuntu are quite different. The automatic updates on Vista upgrade the core OS components. The updates on Ubuntu update all of the officially supported packages - everything from OpenOffice to The Gimp to Freeciv. If there's a security bug in Photoshop's processing of .tiff files, Vista automatic updates won't help you.

Re:Browsing and email (1)

symbolic (11752) | more than 7 years ago | (#19684791)

If that's all they want to do, they sure don't need Vista to do it. Linux will do just fine.

Strangely, It Doesn't Matter (2, Insightful)

mpapet (761907) | more than 7 years ago | (#19683901)

Most Microsoft customers will take the "research" at face value.

I work in a Microsoft shop. And while I have a great boss, (really, no kidding) the company is Microsoft all the way. There is zero logic at play.

But that's the way it goes. I'm old enough to remember when "Made in Japan" was the cultural equivalent of today's "Made in China." That had little basis in reality then, just like Microsoft customers today just aren't ready to comprehend **buying** something other than a Windows box and just take Microsoft's ridiculousness as fact. In time though, I think that can change. Just like the Japanese and their cars.

Get The Facts (1)

r_jensen11 (598210) | more than 7 years ago | (#19683911)

Why wasn't my tag "getthefacts" selected? Honestly, that's all this is - a continuation of the "Get The Facts" campaign.

Re:Get The Facts (0)

Anonymous Coward | more than 7 years ago | (#19684003)

I don't think tags are selected so much as aggregated. If 50 other people had tagged it as "getthefacts" too it probably would have appeared so. That's not the exact threshold but you get the idea.

Re:Get The Facts (4, Funny)

node 3 (115640) | more than 7 years ago | (#19684343)

Well, no doubt CmdrTaco carefully sifts through all the tags submitted for every story, and diligently evaluates them for selection. He even, I'm certain, cross-references tags for relationships to other projects to see if one is just an unlabeled continuation of the other. After such fastidious examination, and only then, does it make the grade. A grade which your most impressive tag passes with ease.

Given Slashdot's exemplary editorial standards, how could it possibly be otherwise?

This is clearly a gross oversight on Taco's part, and will be looked into with the gravest of concern, there can be no doubt. I suspect your well-crafted tag will don the front page in no time, perhaps even in an extra-crisp font to make up for any negligence and mishandling involved.

I look forward to it with heightened eagerness, and commend you on the alacrity and aplomb you've shown in this, your all-important tag-choosing endeavor.

Godspeed, you will prevail.

Not fair? (1)

avb85 (1007803) | more than 7 years ago | (#19683921)

You mean to tell me, counting all the vulnerabilities for anything that runs on Linux (Including software that is not developed by Linux), and then only counting the vulnerabilities that live in the core of Windows Vista doesn't make a fair and accurate comparison?

I can't believe it either (1)

caller9 (764851) | more than 7 years ago | (#19683929)

You mean Microsoft misrepresented the facts? I just won't believe it.

Seriously though. If not actually providing security, I'm glad that they're at least worried about it. There should be about 500 posts to follow arguing the virtues and failures of Vista related to security and performance. Microsoft, Joe Average, and Grandma will read 0 of these. They'll still have the computing world by the balls tomorrow because they're the status quo and have the (second?) best marketing, a near lock on hardware vendors, and all the PC games.

Joe Average got the fake stats without hearing any dissenting opinion, because he doesn't really care and it gave him warm fuzzies over that wad of cash he dropped. Also "Linux is hard/You get what you pay for" and "Macs are for sissies/Ignore that get what you pay for thing." Meanwhile his social security number just got a new loan and he's the spam king of the neighborhood by accident...but damn that was a good porn site.

Nothing short of Microsoft's own (in?)actions will bring that beast down in the near term. Luckily they're doing a decent job of it. It seems like a few are trying to apply the brakes, and it may pay off. Hopefully the consumer can stop getting reamed sometime soon.

obscure anti-MS site bashes MS - SHOCKED!! (0, Interesting)

Anonymous Coward | more than 7 years ago | (#19684057)

Why is it that the anti-MS studies always come from these obscure sites that either nobody ever heard of, or have an agenda every bit as biased as Microsoft themselves?
Come on, slashdot. You can do better than this.
BTW, the problems cited by this "study" are regarding the first report. The second report only compared the base Linux system.

Obscure? And the 2nd study is just as bad! (4, Insightful)

Xenographic (557057) | more than 7 years ago | (#19684697)

How are they obscure? You can't know much about security at all without knowing about people like insecure.org, SecuriTeam, or the Full-Disclosure mailing list. Or maybe you meant the author, Kristian Hermansen? They're a security researcher at Cisco, FYI. But even then, what does obscurity matter if their criticisms are valid? You could be an anonymous coward and make a valid point, after all (alas, that's merely a hypothetical because you do not).

Then you claim that the second report addressed all those issues. That's not at all true. Sure, it doesn't count Firefox bugs any more, but that's not the real problem with the study. The real problem is that counting vendor-acknowledged bugs isn't a security metric at all! That's right, it's not the least bit useful for giving either an academic or real-world measure of security. You can't rescue the original study from that flaw without redoing it and abandoning the original premise.

But I guess you wouldn't know that, because you don't know these "obscure" sites that people who know about computer security do. I mean, next thing you know, people will be citing virtual unknowns like Bruce Schneier as if they knew anything about security! Or maybe Fyodor, I bet he doesn't know a damn thing about networking. What did he ever do? Make up that silly fake application they used as a "hacking" tool in the Matrix movies? [/sarcasm]

And here I was... (5, Funny)

Anonymous Coward | more than 7 years ago | (#19684063)

riding a flying pig on my way to get a sweater at the store 'cause I heard Hell had frozen over. At the gamestop next to the sweater store, some kid was playing Duke Nukem Forever, which I thought was an amazing game. ...so what do you mean the report isn't true?

No, this is still good (2, Insightful)

erroneus (253617) | more than 7 years ago | (#19684075)

Okay while no one on Slashdot feels this is news and the debunking was completely expected, it's useful for the "linux representatives" that many of us inevitably become in casual conversation with our Windows-evangelizing peers. Typical situation:

In this narrative, Josh is the typical One-Trick-Pony, Microsoft MC## who blesses Microsoft every day for making his income so easy to come by and truly believes that Microsoft is the hammer and everything looks like a nail. Gunter is an all-around generalist who is unafraid of anything "computer" and knows enough to work on routers, networks, servers and workstations of just about all varieties which happens to include Linux among others.

Josh: "Hey, just read this security assessment comparing Vista and Linux... Vista won by a mile."
Gunter: "Yeah, I saw that... I also saw -->this-- article exposing the flaws and inconsistencies in their comparisons."

The point here is that being readily armed with a rebuttal is handy.

Re:No, this is still good (2, Insightful)

Anonymous Coward | more than 7 years ago | (#19684303)

The real shame is the rebuttal and article are so inaccurate and incorrect it really makes linux look even worse :( Have a read of the original report, then of the so-called proof that the original report is wrong. They use evidence outside of the time range being analyzed (for the published article) and this rebuttal doesn't even offer that much evidence. If MS is so wrong here could someone actually provide some real data, as both the current links I have seen don't show anything factual at all.

Re:No, this is still good (1)

erroneus (253617) | more than 7 years ago | (#19684373)

That's called "fighting crap with crap."

woohoo if only it gave the right reason (1)

shaitand (626655) | more than 7 years ago | (#19684109)

It doesn't matter if the vulnerability counts are vendor acknowledged or third party. Vulnerability counts only tell you how many flaws were found and fixed. There is no particular reason to believe this correlates to how many were found and exploited by 'the bad guys'.

It's flimsy but I suppose you could say that recognizing reported flaws and patching them quickly shows a project or vendor takes security seriously but that is all these vulnerability reports are good for. You could say that more reported vulnerabilities means that a program became that much more secure but even that is dubious. And of course it goes without saying that claiming a program is more secure because it had fewer vulnerabilities reported defies all logic.

Re:woohoo if only it gave the right reason (1)

Chandon Seldon (43083) | more than 7 years ago | (#19684355)

And of course it goes without saying that claiming a program is more secure because it had fewer vulnerabilities reported defies all logic.

That depends. It seems perfectly logical to me to say that OpenBSD is relatively secure for an OS, and to use its two remote vulnerabilities in 10 years as evidence of that claim. The requirement there, though, is that OpenBSD is open source, and that its reputation makes it so that any security researcher who finds a security problem in it gets to boast for years.

Secure by default (1)

cswiger (63672) | more than 7 years ago | (#19684481)

It's flimsy but I suppose you could say that recognizing reported flaws and patching them quickly shows a project or vendor takes security seriously but that is all these vulnerability reports are good for.

With due respect, I have to disagree. If a project or vendor takes security seriously, they'll design the software so that it has zero security bugs.

Almost nobody delivers this for popular commercial software like Windows, Office, etc, but that's more because the people paying for such software seem to not care about security at all, or value new features, convenience, and speed much more than they do security or reliability.

However, people designing control systems for airplanes, hospital medical equipment used in lifesaving situations, and so forth, actually do a fair job of delivering software which has zero security issues. This level of quality isn't undoable for more widely used general-purpose software-- some of DJB's software has close to a perfect security record, for example, but it is rare to find software which was designed from the start with the assumption that no security holes are acceptable.

Especially in the PC world, it's common to find software which is significantly broken in the initial release and needs to be patched before it is even feature-complete, much less close to being "bug free" or "secure"....

Re:Secure by default (1)

shaitand (626655) | more than 7 years ago | (#19684645)

'With due respect, I have to disagree. If a project or vendor takes security seriously, they'll design the software so that it has zero security bugs.'

With due respect that is impossible. In fact, it is impossible to ever find all the security bugs in a program of any complexity.

'However, people designing control systems for airplanes, hospital medical equipment used in lifesaving situations, and so forth, actually do a fair job of delivering software which has zero security issues.'

No, they do a fair job of delivering software that receives no substantial examination for security issues.

'This level of quality isn't undoable for more widely used general-purpose software-- some of DJB's software has close to a perfect security record, for example'

In every vulnerability discussion you have a DJB proponent speak up. There are flaws with the DJB claims but I won't go into them specifically. It's been done before, it will be done again, and it serves no purpose.

All the perfect and near perfect security records you have mentioned have the same fundamental problem. None of them have been informed of or patched the critical remotely exploitable vulnerability I discovered and have been using since two weeks after their software was released. I have not informed them or posted it on any hacking boards because... wait for it... I'M NOT AN IDIOT.

I think this hypothetical scenario happens more than the reported vulnerabilities.

'close to being "bug free" or "secure"....'

There is no such thing as bug free or secure. They are myths; the best you can hope for is bugs that are difficult to exploit and obscure.

FUD all around (2, Interesting)

Anonymous Coward | more than 7 years ago | (#19684159)

That was a sloppy report on Microsoft's part, no doubt, but the Slashdot title is misleading too. It is still helpful to remember that there has been only one exploitable vulnerability discovered on Vista in the past six months, compared to several a month on XP. Vista's OS-level security features (NX, ASLR) do in fact perform as advertised. Vista is immeasurably more secure than OSX (with only one security feature to speak of) -- not a single application security expert has made a claim to the contrary. Noticed all those OSX advisories coming out lately? That's because we appsec people are as tired as the rest of you of Apple and smug Mac assholes.

Re:FUD all around (0)

Anonymous Coward | more than 7 years ago | (#19684825)

I'm not clear on this. Nobody claims to be *immune* from attack. When I can install Vista without needing to put in an admin password, how can I consider the OS to be safe? I agree that Vista is leaps and bounds better built than XP. There's no question about that really. But those Apple advisories? Viruses and trojans that never made it into the wild. The ability for a user to root the system when they've been given an actual account on the machine. There have been lots of advisories, but so few of them have been legitimate concerns. The ones that have been legitimate concerns affect Windows as well (via browser plugins).

Vulnerabilities exist, but until somebody actually exploits one, and in a way that is actually subversive like most of the things that hit windows, rather than having to accept a file and then open it, or opening ports closed with a default system install, I'm not going to be concerned. There isn't a vulnerability on a Mac right now to really be concerned about that way, though there are many for XP. If there aren't any for Vista yet, congrats. However, MS is the company with so much confidence in its product that it's marketing a spyware/antivirus program.

Armchair critique (4, Interesting)

weinrich (414267) | more than 7 years ago | (#19684255)

This report from Microsoft's Jeff R. Jones is ludicrous...

This isn't a debunking.

I feel Jeff really needs to perform another less exaggerated analysis.

It's an armchair critique of someone else's work.

[...] a good start for learning about [Vista flaws] is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues.

A competitor (see Live OneCare) wrote an article about an early BETA of a new OS saying it had some issues? Shocking!

Even though OS X claims to be secure, researchers have obviously shown that Apple will have flaws too. This is the nature of software, and it affects all code.

What are you saying here, Kristian? Bugs are inevitable, so we should just give Apple a free pass on their share of problems because, well, it affects all software?

Ok, that's enough of that.

I feel Kristian really needs to perform his own research and analysis, and draw his own conclusions.


PS: Don't mod this as flamebait until you read Kristian's entire post. Really.

This was fairly obvious at the time. (5, Insightful)

Cal Paterson (881180) | more than 7 years ago | (#19684363)

The Jeff Jones reports [csoonline.com] are complete crap. This was obvious at the time. He pretty much showed himself a fool by claiming that XP had less critical bugs than the current Ubuntu, SuSE and RHEL, and thus was more secure. He seems to think that he can compare security based on the number of public and critical bug reports between a company that does not release bug reports to the public and companies that do.

Any observer from a tech background would know that this would turn his results to shit, but he is:
  1. A Microsoft Employee
  2. A Blogger
so that never mattered anyway.

It's like they always claimed about linux: (1, Insightful)

tobias.sargeant (741709) | more than 7 years ago | (#19684377)

No users = no vulnerability reports.

They said hard but not impossible (1)

qzulla (600807) | more than 7 years ago | (#19684503)

Microsoft is looking into both vulnerabilities, which were made public last week. Neither of the flaws has been used in any attacks and exploiting the issues is hard, a company representative said.

Hard is what makes crackers salivate.

qz

Vista on Firewalls... (4, Funny)

flyingfsck (986395) | more than 7 years ago | (#19684545)

I haven't seen Cisco jump to run Vista on their Firewall Machines. So, maybe, just maybe, they had a reason to stick to *nix.

Re:Vista on Firewalls... (1)

jmauro (32523) | more than 7 years ago | (#19684777)

The PIX and ASA line of firewalls runs Finesse OS [wikipedia.org] which isn't based on Windows or for that matter even Unix or IOS. It's a family all its own.

Where is the debunking? (1, Insightful)

ThinkFr33ly (902481) | more than 7 years ago | (#19684713)

I read the article pretty carefully. I don't see any actual numbers to back up this "debunking".

If you're going to bash Microsoft for using fuzzy math, at least have the courtesy of supplying some of your own.

Also, can somebody explain the issues with Teredo? Sorry, but simply declaring that there are lots of bugs in Microsoft's new TCP/IP implementation with absolutely no evidence to back this up doesn't help your argument.

Submitter incorrect (1)

s_p_oneil (795792) | more than 7 years ago | (#19684763)

It's not "good PR and poor research". It's lying.

I Am So Amazed That MS Would Deceive (5, Funny)

NeverVotedBush (1041088) | more than 7 years ago | (#19684859)

I mean, in their entire history, when has Microsoft ever done ANYTHING untrustworthy?

Like literally copying/stealing other people's code line for line and putting it in their OS? (Stacker)

Like putting in software hooks to see if competing office products were running and then crash them or make them run slow? (WordPerfect)

Like swapping code in an OS and a browser to make it appear that the browser was integral to the OS to weasel out of antitrust issues? (Win98 / Explorer)

Naw... I just can't believe that MicroSoft would stoop so low as to try to promote its "ground-up" new OS (that amazingly has many of the exact same vulnerabilities as XP) as being hardened and more secure than Linux and OSX.

They wouldn't do anything like that, would they?