Linked by Thom Holwerda on Tue 21st Aug 2007 18:19 UTC, submitted by SEJeff
Privacy, Security, Encryption

Jeff Jones has published another one of his vulnerability scorecards comparing various operating system offerings. As always, these figures just list the patched vulnerabilities over the designated period of time; they do not take into account any unfixed or undisclosed vulnerabilities. Hence, these reports are not proper measurements of security - they are just that, a tally of fixed vulnerabilities. Any conclusions like "x is more secure than y" cannot be drawn from this data set. As always, do with it as you please.
Looks like fun
by merkoth on Tue 21st Aug 2007 18:52 UTC
merkoth
Member since:
2006-09-22

I wonder when is he going to get tired of this. No, really, is throwing some random numbers to Excel and generating graphs that fun?

Reply Score: 16

RE: Looks like fun
by CrazyDude0 on Tue 21st Aug 2007 19:14 UTC in reply to "Looks like fun"
CrazyDude0 Member since:
2005-07-10

Nice attack merkoth:) Is telling lies on osnews that fun?

His numbers are not random, they are taken from vendor's websites.

Edited 2007-08-21 19:15

Reply Score: 1

RE[2]: Looks like fun
by flashog on Tue 21st Aug 2007 19:28 UTC in reply to "RE: Looks like fun"
flashog Member since:
2007-07-25

...but they might as well be.

Reply Score: 9

RE[2]: Looks like fun
by merkoth on Tue 21st Aug 2007 19:33 UTC in reply to "RE: Looks like fun"
merkoth Member since:
2006-09-22

Nice attack merkoth:) Is telling lies on osnews that fun?

His numbers are not random, they are taken from vendor's websites.


I don't know, you tell me. I said random numbers not because he made up the numbers, but because he keeps picking up numbers without any serious security notion to back them up. Counting fixed issues proves nothing in favor or against anyone and, IMHO of course, these numbers and charts are only for those who can't really understand what they represent.

Try to elaborate on your flames some more before calling anyone a liar.

Edited 2007-08-21 19:36 UTC

Reply Score: 13

RE[2]: Looks like fun
by flanque on Tue 21st Aug 2007 21:35 UTC in reply to "RE: Looks like fun"
flanque Member since:
2005-12-15

I think 'random' is a bad choice of word, but I agree with his point, which I think is that it's rather pointless and a very poor measure. It would seem to me that these 'reports' are more about headlines than providing any real investigative work and statistical analysis.

His 'attack' is quite justified in my view.

Reply Score: 5

What jumped out at me ...
by JoeBuck on Tue 21st Aug 2007 19:02 UTC
JoeBuck
Member since:
2006-01-11

... was the ratios. The Microsoft bars are shorter but they are almost entirely red. This means that Microsoft is fixing the high-vulnerability bugs and almost nothing else, while Apple and the Linux distributors are issuing lots of fixes for less critical issues. This is the kind of thing you'd expect if Apple and Linux folks are committed to fixing every problem, while Microsoft is only fixing what they absolutely must.

Reply Score: 20

Security from all angles?
by geekgod on Tue 21st Aug 2007 19:04 UTC
geekgod
Member since:
2005-06-29

It is really disappointing that he did not include OpenBSD and FreeBSD numbers in addition to RHEL. ;)

Reply Score: 13

RE: Security from all angles?
by Doc Pain on Tue 21st Aug 2007 19:49 UTC in reply to "Security from all angles?"
Doc Pain Member since:
2006-10-08

"It is really disappointing that he did not include OpenBSD and FreeBSD numbers in addition to RHEL. ;)"

I'd be interested in them, too. Just from the point that the Linusi mentioned are Linux distributions, and OpenBSD and FreeBSD are "just" OSes. How would things like PC-BSD or DesktopBSD perform in these charts? One main problem I do see here: the author has only minimal chances of obtaining input data for his charts from the vendors' web sites of the BSDs.

Reply Score: 2

Let the
by CrazyDude0 on Tue 21st Aug 2007 19:13 UTC
RE: Let the
by yanik on Tue 21st Aug 2007 19:30 UTC in reply to "Let the"
yanik Member since:
2005-07-13

I'll start,

It's the number of vulnerabilities that were fixed. Who knows how many undisclosed vulnerabilities are still not fixed by Microsoft...

lol ;)

Reply Score: 8

RE[2]: Let the
by diegocg on Tue 21st Aug 2007 20:55 UTC in reply to "RE: Let the"
diegocg Member since:
2005-07-08

Bullshit. Better software has a lower number of security holes.

According to your theory, OpenBSD or qmail are absolute CRAP, because they don't release many security fixes.

Reply Score: 4

RE[3]: Let the
by monodeldiablo on Tue 21st Aug 2007 21:15 UTC in reply to "RE[2]: Let the"
monodeldiablo Member since:
2005-07-06

That's a great point which, sadly, doesn't apply here.

This comparison wasn't about security holes. It was about disclosed vulnerabilities and their patches. Since the presumption is that all of *BSD/qmail/Firefox/Linux/etc. are open to inspection and thus disclosed publicly, you're making a leap without logic to accompany you.

Your point only stands if you're willing to bet that Microsoft has disclosed all known vulnerabilities for their software, and has devoted the same number of eyes to inspecting their code.

P.S. Please tone down the anger. The parent post never even implied what you accuse them of "theorizing".

Reply Score: 11

RE[3]: Let the
by butters on Tue 21st Aug 2007 22:32 UTC in reply to "RE[2]: Let the"
butters Member since:
2005-07-08

The problem is that, regardless of the number of vulnerabilities Microsoft or Apple fix, we have no idea how many they keep to themselves, and we have no idea how many they don't know about. We don't know.

You're absolutely right that better software has a lower number of security holes. But we have no way of knowing from this data how many security holes are in any of these software products. We only know how many holes they fixed.

Any piece of software has a certain number of unfixed holes, most of them undisclosed or undiscovered. The number of fixed holes doesn't suggest anything in particular about the number of unfixed holes. A higher number of fixed holes could indicate more or less unfixed holes.

All we can really say for sure is that it is easier to discover holes in open source software. Even if there are fewer unfixed holes as a result, it is easier to discover the remaining holes. It's a tradeoff between software with fewer unfixed holes or greater difficulty of finding the unfixed holes.

Code analysis tools are getting really good. But fuzzing tools are rapidly improving as well. It's getting easier to find holes in all software, open or proprietary. So I tend to err on the side of using openness to help squash the bugs. I'd rather use software with a low defect rate than software with well-kept secrets.

The tragedy of these security metrics is that they encourage bad behavior. They primarily penalize vendors for fixing defects and waiting too long to fix defects. For a proprietary vendor, it's better not to fix them at all, especially after a couple months go by.

Reply Score: 5

RE[4]: Let the
by Xaero_Vincent on Tue 21st Aug 2007 22:49 UTC in reply to "RE[3]: Let the"
Xaero_Vincent Member since:
2006-08-18

FOSS is fast paced development and completely open for scrutiny. Therefore lots of bugs and holes are constantly being detected and repaired.

The worst Microsoft OSes in history had a lower security hole count than most Linux distros in the same period of time.

I won't deny that Vista is much more security oriented, but the numbers aren't telling the whole picture. Windows has tons of legacy code, drivers, and just plain baggage from Windows NT versions spanning over a decade ago. The legacy code is much like a petri dish for nasty security vulnerabilities. Vista also has millions of lines of new code that is likely to contain bugs and security holes as well.

That's not to say Linux doesn't contain legacy code, but it does say that it's constantly being retrofitted and examined.

Edited 2007-08-21 22:59

Reply Score: 4

lower != better
by Downix on Tue 21st Aug 2007 19:33 UTC
Downix
Member since:
2007-08-21

From the looks of things, it appears that Microsoft is not putting out exploit fixes as fast as their competition. In fact, I would go so far as to say this chart proves how little Microsoft dedicates to correcting vulnerabilities in their OS. (How long did WinNUKE work, 8 years?)

Reply Score: 6

RE: lower != better
by Almafeta on Tue 21st Aug 2007 20:51 UTC in reply to "lower != better"
Almafeta Member since:
2007-02-22

As to repair speed:

Client-side: http://blogs.technet.com/security/archive/2007/06/18/2006-client-os...

Client and server together: http://blogs.technet.com/security/archive/2007/06/15/2006-days-of-r...

Looks like MS leads the pack in server-side repair times, but we're all equally unimportant client-side.

Reply Score: 1

RE[2]: lower != better
by dylansmrjones on Wed 22nd Aug 2007 09:38 UTC in reply to "RE: lower != better"
dylansmrjones Member since:
2005-10-02

LOL... you cannot use anything coming from Jeff Jones. You need neutral sources here, and not a Microsoft employee.

All neutral sources so far have proved that Linux/*BSD have far shorter repair times than Windows. Usually fixed the same day it is discovered whereas Microsoft often fails to fix issues even when they are decades old.

Reply Score: 3

RE[3]: lower != better
by Almafeta on Wed 22nd Aug 2007 13:50 UTC in reply to "RE[2]: lower != better"
Almafeta Member since:
2007-02-22

LOL... you cannot use anything coming from Jeff Jones. You need neutral sources here, and not a Microsoft employee.


He cites his sources scrupulously. If he were just citing random numbers without sources, then you'd have a point, but he shows where he got his information, which you could look at yourself if you bothered.

All neutral sources so far have proved that Linux/*BSD have far shorter repair times than Windows.


The neutral sources are saying the opposite -- as he's showing.

Maybe you'd like a FSF-funded source? Their results are unlikely to reflect reality, but they'll be more comforting for you.

Usually fixed the same day it is discovered whereas Microsoft often fails to fix issues even when they are decades old.


Microsoft employs thousands of people whose nine-to-five job solely consists of hunting for bugs and creating tested fixes that won't break more than they fix. OSS relies on people's sense of duty to submit fixes in their free time, and generally uses the first fix created when someone finally gets around to addressing it, not the best answer or even a tested answer. Same day? With some large companies, you might get that, but with OSS, it's not when it gets fixed, but whether.

Oh, and 'decades old bugs'? Decades, really? Heh, I don't know of any decades-old Microsoft product still in use. For that matter, I don't know of any decades-old software product by any company still in use, except by retrocomputing enthusiasts like me. Just what could you possibly mean? (Deciding to not rip off the old Unix architecture instead of creating something new and different, deciding to keep the source closed instead of giving in to corporate espionage and opening up their system to attacks, and deciding to not rip off customers via copyleft instead of paying employees and creating code for themselves, are all business decisions, not 'bugs.')

Reply Score: 1

RE[4]: lower != better
by chris_dk on Thu 23rd Aug 2007 10:24 UTC in reply to "RE[3]: lower != better"
chris_dk Member since:
2005-07-12

OSS relies on people's sense of duty to submit fixes in their free time

Ah, more FUD to feed the FUD-machine.

OSS companies pay their employees, repeat after me, "pay".

Reply Score: 1

RE: lower != better
by DigitalAxis on Wed 22nd Aug 2007 03:26 UTC in reply to "lower != better"
DigitalAxis Member since:
2005-08-28

Uh, keep in mind this is just how many vulnerabilities have been fixed, not how many vulnerabilities there ARE.

With this data, you could just as easily say Windows had fewer bugs and that's why they haven't found as many, or that Microsoft is just having a hard time finding the bugs in their systems.

Reply Score: 4

Attacking Microsoft?
by gedmurphy on Tue 21st Aug 2007 19:53 UTC
gedmurphy
Member since:
2005-12-23

Why do people take so much pleasure in attacking Microsoft?

Although none of us have the true figures of what vulns were discovered for each operating system, it appears that Microsoft have had fewer serious vulns patched than all the other operating systems, yet people still attack them.

If this were the other way round and the *nix variants were low, people wouldn't come to the same conclusion.

I'd say this is a great thing for Windows users.

The Windows of today is a very secure operating system, no matter how much the linux guys hate to admit it.

Reply Score: 2

RE: Attacking Microsoft?
by jack_perry on Tue 21st Aug 2007 20:19 UTC in reply to "Attacking Microsoft?"
jack_perry Member since:
2005-07-06

Why do people take so much pleasure in attacking Microsoft?


Perhaps because this Mr. Jones' weblog is an unashamedly naked attempt on Microsoft's part to attack everyone else?

I don't understand how anyone can find this defensible. If I had an OS company, and someone in my security department was publishing graphs that showed fewer fixed vulnerabilities for my OS than for other OS's, I'd fire him off the bat. Especially if my company already had a well-deserved reputation for not taking security very seriously.

Edited 2007-08-21 20:35

Reply Score: 8

RE[2]: Attacking Microsoft?
by Thom_Holwerda on Tue 21st Aug 2007 20:48 UTC in reply to "RE: Attacking Microsoft?"
Thom_Holwerda Member since:
2005-06-29

I don't understand how anyone can find this defensible.

Then you need to get your peepers checked.

The dataset presented in the scorecard is fairly useless for assessing security performance, and, lo and behold, the author of it never claimed anything otherwise. He presents his figures as what they are: a tally of fixed vulnerabilities. Period. Nothing more, nothing less. Nowhere in the article do I see "Windows is more secure than x" or any similar statement.

In other words, Jones just presents the raw numbers - for whatever they may mean. It is you (as well as other readers) who draw the conclusions - not the author. To come back to your wondering - this is very easily defendable if you learn to accept that Jones is not drawing any conclusions from his dataset - he just presents them as-is. They are figures that have been found to be very accurate.

What's really interesting here is the question why does Windows have a lower figure of fixed vulnerabilities than the other operating systems? The answer to this is not presented by Jones, so any conclusions you are reading/writing in this comment section are drawn by the readers, not the author.

Reply Score: 1

RE[3]: Attacking Microsoft?
by Punktyras on Wed 22nd Aug 2007 06:41 UTC in reply to "RE[2]: Attacking Microsoft?"
Punktyras Member since:
2006-01-07

What is the use of a picture/text/graph/whatever in itself? Null. They are used (not just in this case, but in general) to tell us something, aren't they? And readers give their opinions, and as long as the author doesn't bother to say what he thinks of it, they try to find out WHAT the author intended to say.
After all, isn't 1 picture worth 1000 words?

Edited for typos

Edited 2007-08-22 06:43

Reply Score: 3

RE: Attacking Microsoft?
by KenJackson on Tue 21st Aug 2007 20:19 UTC in reply to "Attacking Microsoft?"
KenJackson Member since:
2005-07-18

Although none of us have the true figures of what vulns were discovered for each operating system, it appears that Microsoft have had fewer serious vulns patched than all the other operating systems, yet people still attack them.

Because if that's what the charts mean, then the charts don't jive with common experience. Almost everyone has experience with Windows viruses, but few users of any other OS have a similar experience.

Reply Score: 6

RE[2]: Attacking Microsoft?
by PlatformAgnostic on Wed 22nd Aug 2007 07:24 UTC in reply to "RE: Attacking Microsoft?"
PlatformAgnostic Member since:
2006-01-02

I will deny this vehemently... what everyone has experience with since the old days of nimda and code red is not viruses. What you see clogging up people's PCs and sending home data is trojan horses. These are not viruses and they do not exploit security vulnerabilities.

When is the last time you've heard of a server-side exploit for Windows, even on a terminal server? Windows is a really securable OS. The default config for XP was not security oriented, because usability was still a major concern in 2001. People these days are more aware and interested in security, so the usability tradeoff has become more acceptable.

Reply Score: 3

RE[3]: Attacking Microsoft?
by KenJackson on Wed 22nd Aug 2007 10:29 UTC in reply to "RE[2]: Attacking Microsoft?"
KenJackson Member since:
2005-07-18

What you see clogging up people's PCs and sending home data is trojan horses. These are not viruses and they do not exploit security vulnerabilities.

OK, I used the word viruses in a generic way that would better be described as malware. But it remains true that almost everyone that uses Windows has had their PC infected with something that at least inconvenienced them, if not harmed them. And infections of non-Windows systems are extremely rare.

People these days are more aware and interested in security, so the usability tradeoff has become more acceptable.

By that, perhaps you mean that people know they have to constantly run bothersome security software that annoys them with popups asking them to confirm that they really want to do what they are trying to do. That doesn't make a convincing argument that Windows is secure.

Reply Score: 3

RE: Attacking Microsoft?
by prymitive on Tue 21st Aug 2007 20:46 UTC in reply to "Attacking Microsoft?"
prymitive Member since:
2006-11-20


The Windows of today is a very secure operating system, no matter how much the linux guys hate to admit it.


Says who? Bill?
Every operating system is as secure as the user is smart. Sure, it can be more or less secure by default, but you can break that; it can be more or less easy to keep it secure, but that is all. No OS is _secure_ all the time (even if you apply all patches) no matter what the user does to it.
Btw. I always thought that UNpatched bugs are more important; the number of fixed bugs only shows that there are fewer bugs in the soft, not that it is less secure.

Edited 2007-08-21 20:46

Reply Score: 2

RE: Attacking Microsoft?
by monodeldiablo on Tue 21st Aug 2007 20:55 UTC in reply to "Attacking Microsoft?"
monodeldiablo Member since:
2005-07-06

There are a number of responses that I can think of to your post.

a) People bash Microsoft because it's the consummate bully. The open source movement in general has no PR machine, no centralized antidote to FUD, no entrenched lobbyists spending millions to change national policy and bend the rules of the free market. Microsoft is a multi-billion dollar international corporation that's taken every available opportunity to discredit the fruits of the free labor of a multitude of volunteers the world over, donated to the public for the better good of everybody.

Perhaps a more relevant question would be, "Why are some people so quick to leap to Microsoft's defense?" Would these same folks rush to the defense of Lennar if they attacked the volunteer laborers who help build homes for the poor in impoverished countries?

b) Why should you care? Fanboys from every possible computer religion come on all the time and bash Linux/*BSD/Windows/BeOS/etc. You ask why they do it, yet you don't make much of an attempt at seeing their point.

c) You don't know what you're talking about. Too many people (including the author) have already pointed out that this is a meaningless metric. If, as you mentioned, the results were the other way 'round, the *nix variants are open and transparent, so you could actually see why their numbers are so low. The same is not true of Microsoft (and Apple, for that matter), who has a vested interest in keeping their cards close to their chest. You have no idea if this is a "great thing for Windows users," because this isn't an apples-to-apples comparison. You're merely buying into the intended conclusion without critically examining the evidence that supposedly supports it.

That's called blind faith.

d) You're creating a false dichotomy. This is not an issue of Microsoft vs. Linux. You'll pardon the harshness of pieces of this post, but you're really doing nothing to spur on acceptance or debate. You're merely polarizing the discussion further. Painting all "the linux guys" with the same brush is not constructive, since many of us see value in what Microsoft brings to the table, yet disapprove of the antagonistic way they treat the rest of the world. No community is perfect, but the advantage that the open source community has over any other model I've observed is its inherent openness to criticism.

At the end of the day, almost every one of your sentences in that comment needs to be backed up by evidence... evidence you don't have access to. You're more than entitled to your opinion, but if you hope to sway anybody here (or do any more than justify your position through repetition), you're going to have to do more than make empty claims. Prove that this is great for Windows users. Let's see some demonstrable proof that "the Windows of today is a very secure operating system".

It's not that we don't believe you, it's just that we can't be expected to have the same faith as you do. Show us some proof and we're more easily swayed.

Reply Score: 13

RE[2]: Attacking Microsoft?
by Almafeta on Tue 21st Aug 2007 20:57 UTC in reply to "RE: Attacking Microsoft?"
Almafeta Member since:
2007-02-22

The open source movement in general has no PR machine, no centralized antidote to FUD, no entrenched lobbyists spending millions to change national policy and bend the rules of the free market.


The FSF, EFF, and OIN, et multiple al.

Reply Score: 3

RE[3]: Attacking Microsoft?
by monodeldiablo on Tue 21st Aug 2007 21:50 UTC in reply to "RE[2]: Attacking Microsoft?"
monodeldiablo Member since:
2005-07-06

You're joking, right?

You listed a couple of underfunded volunteer organizations and a collaborative patent pool (???) as evidence of "a PR machine... spending millions to change national policy"?

Please read my post again.

http://www.opensecrets.org/lobbyists/clientsum.asp?txtname=Microsof...

Reply Score: 7

RE[2]: Attacking Microsoft?
by MollyC on Tue 21st Aug 2007 22:44 UTC in reply to "RE: Attacking Microsoft?"
MollyC Member since:
2006-07-04

"The open source movement in general has no PR machine, no centralized antidote to FUD, no entrenched lobbyists spending millions to change national policy and bend the rules of the free market."

OSS icon IBM has more money and more lobbyists than does Microsoft. Slashdot is owned by an OSS company worth hundreds of millions, and it trashes Microsoft 24/7, even to the extent that the very icons used for Microsoft and Windows stories trash Microsoft and Windows. The tech media praises OSS constantly. Linux, despite having a userbase share of less than 1%, gets at least 50% of OS coverage by the tech media, nearly all of it uncritical, and this has been going on for 10 years now. Stop with the crocodile tears that you can't combat MS in a PR battle.

Besides that, Jeff Jones' blog is just a blog. There's nothing preventing an IBM or Red Hat employee from doing similar blogs.


"Microsoft is a multi-billion dollar international corporation that's taken every available opportunity to discredit the fruits of the free labor of a multitude of volunteers the world over, donated to the public for the better good of everybody."

LOL
Now we see the self-righteous holier-than-thou attitude of particular OSS advocates that is so nauseating. Look, if you want to donate your free labor to the rich execs of Red Hat so when you see those execs driving around in Ferraris, you get the warm and fuzzies, thinking, "WOW, I helped give him that!!", then fine, but don't get all self-righteous about it. At least Microsoft pays its programmers.
Oh, and stop with the "I do this for the good of all mankind" bull. Sure, the rational OSS programmers may feel that way, but I've seen all too many OSS programmers state that one of their motives is not "the good of mankind" but "destroying Microsoft", "Windows", "Office", etc. You cannot state that your goal is to destroy Microsoft then expect Microsoft to sit idly by. Your side started the PR wars, not Microsoft.


"Perhaps a more relevant question would be, 'Why are some people so quick to leap to Microsoft's defense?' Would these same folks rush to the defense of Lennar if they attacked the volunteer laborers who help build homes for the poor in impoverished countries?"

Do volunteer home builders have a stated goal of destroying Lennar? Do they publicly equate Lennar with the devil? Do they publicly declare themselves to be holier than home builders that work for money?
And let's get one thing straight: You are NOT akin to a free laborer building homes for the poor in impoverished countries. IBM is not "impoverished". Red Hat is not "impoverished". These are billionaire companies that sell the works of your free labor to others for billions.

Besides, do you realize how incredibly boring this site would be if it 100% of the comments were by you MS bashers? :p

Edited 2007-08-21 22:47

Reply Score: 7

RE[3]: Attacking Microsoft?
by Xaero_Vincent on Tue 21st Aug 2007 23:12 UTC in reply to "RE[2]: Attacking Microsoft?"
Xaero_Vincent Member since:
2006-08-18

MollyC,

Some people just hate Microsoft for being so big, powerful, and predatory towards competitors. For me, I dislike them solely because of that, not their software products.

The same people probably feel the same way towards Apple, Google, Walmart, oil companies, drug companies, lawyers, hospitals, so on.

I certainly feel that way and believe the government should establish authority over the growth rate of businesses that can inflict dominance over people and crush competition. I believe companies should simply not be allowed to grow beyond a certain point without paying heavily--much higher taxes.

Edited 2007-08-21 23:14

Reply Score: 3

RE[3]: Attacking Microsoft?
by raver31 on Wed 22nd Aug 2007 00:56 UTC in reply to "RE[2]: Attacking Microsoft?"
raver31 Member since:
2005-07-06

MollyC is one of these people who instinctively jumps to Microsoft's defense at every calling. It does not matter what the subject is, he/she is always there defending the guilty.

Now, let's look at some of MollyC's fallacies:

Linux, despite having a userbase share of less than 1%

Yeah right, show the figures, or don't spout crap.

Look, if you want to donate your free labor to the rich execs of Red Hat so when you see those execs driving around in Ferraris

This comes from one of the people who usually say there is no money to be made with OSS.

I've seen all too many OSS programmers state that one of their motives is not "the good of mankind" but "destroying Microsoft", "Windows", "Office", etc

Don't know where you meet your programming friends, but any that I know do not think like that.

Can we have an ignore button to blank out shills like MollyC ?

Reply Score: 5

RE[4]: Attacking Microsoft?
by MollyC on Wed 22nd Aug 2007 15:36 UTC in reply to "RE[3]: Attacking Microsoft?"
MollyC Member since:
2006-07-04

"Now, Lets look at some of MollyC's fallacies ;"

Yes, let's. ;)


'Linux, despite having a userbase share of less than 1%'

"Yeah right, show the figures, or don't spout crap."


I guess you're forcing me to post stats from one of the many web statistic sites that shows Windows at ~92%, Mac at ~6%, and Linux at 0.8%. Oh well, you asked for it:
http://marketshare.hitslink.com/report.aspx?qprid=2

And that's just one of many sites showing similar results.

But you completely missed the point I was making (and I see you truncated my statement), which was that for the past 10 years, the amount of coverage Linux gets in the tech media is wildly disproportional to its actual use, and that coverage is almost 100% uncritical. You don't want to deal with actual numbers, fine. We can go qualitative rather than quantitative. So I'll rephrase my statement: "Linux, despite having a much smaller than Windows, gets a nearly equal amount of coverage in the tech media, nearly all of it uncritical." That is a great asset in battling Microsoft wrt PR wars (the poster I responded to was saying that OSS had no means to fight PR wars).


"This comes from one of the people who usually say there is no money to be made with OSS."

I normally say the opposite of that: that companies that don't rely primarily on software can make/save tons of money by using OSS created by free labor. Companies that sell hardware or services can use OSS as the software that runs that hardware or service, and they can do it for less money than paying their own programmers. Tivo, for instance (though the OSS community seems to be trying to put a stop to that). IBM has shifted their services to a Linux base so that they can save the expense of maintaining AIX to the degree they would have had to in the past. Red Hat sells free-labor software to business with very expensive support contracts. Consulting companies can make a lot of money providing support for software they expended no resources in creating (but of course, they can do the same for closed source as well, and do; as most types of support don't require tweaking actual code).

What I have said is that it's hard for a company that relies on selling software to the masses (i.e. off-the-shelf software that is neither a custom solution nor requires huge amounts of support (i.e. not enough to live on support contracts)) to do so with OSS, because once sold, it can be copied by the masses for free. And bigger players can customize the software and sell rivals, undercutting the original creators, without having done any of the original legwork.




'I've seen all too many OSS programmers state that one of their motives is not "the good of mankind" but "destroying Microsoft", "Windows", "Office", etc'

"Don't know where you meet your programming friends, but any that I know do not think like that."


Again, you take an excerpt of what I said to make a point. You didn't include the part where I excluded "rational OSS programmers" from my statement. I assume your "friends" are "rational". But I've seen the "MUST DESTROY MICROSOFT" sentiment on slashdot hundreds of times. Even OSNews's own "ChrisA" has said this numerous times, both here and other places (like channel9, scoble's blog, and even the discussion mailing list of an OSS project that was being ported from Linux to Windows, where he condemned the devs for their betrayal, etc).

Edited 2007-08-22 15:51

Reply Score: 0

RE[5]: Attacking Microsoft?
by raver31 on Thu 23rd Aug 2007 08:03 UTC in reply to "RE[4]: Attacking Microsoft?"
raver31 Member since:
2005-07-06

The link you posted was MARKETSHARE not USERBASE... There is a big difference, and that was my point.

The others, I agree there is a lot of Linux using cabbages that want to destroy Microsoft, but frankly, none of them muppets are programmers, unless you count "hello world" as a program.

Reply Score: 2

RE[3]: Attacking Microsoft?
by archiesteel on Wed 22nd Aug 2007 14:46 UTC in reply to "RE[2]: Attacking Microsoft?"
archiesteel Member since:
2005-07-02

Oh, and stop with the "I do this for the good of all mankind" bull. Sure, the rational OSS programmers may feel that way, but I've seen all too many OSS programmers state that one of their motives is not "the good of mankind" but "destroying Microsoft", "Windows", "Office", etc. You cannot state that your goal is to destroy Microsoft then expect Microsoft to sit idly by. Your side started the PR wars, not Microsoft.


That is complete and utter bull, though I wouldn't expect anything coming from someone whose income depends on Microsoft.

First, you have absolutely no evidence to back your insinuation that "many OSS programmers" have destroying Microsoft as their goal (never mind the fact that, to you, any reduction of Microsoft's market share is tantamount to destroying it).

Next is the *ludicrous* assertion that the OSS side started the PR wars. Why do you think people dislike MS in the first place, MollyC? It's because of Microsoft's anticompetitive behavior and predatory tactics towards them or the OS of their choice.

Personally, I like many of Microsoft's products, but I *do* think that they need to be reined in. I think the DOJ should in fact have split MS in two back in the days - but then again, that's because I don't have a financial interest in MS (or OSS) dominating the computing industry. Therefore, I can imagine a world with a more diverse OS ecosystem, unlike you who feels that MS *has* to own the market, for purely selfish reasons.

Finally, your comments about IBM and Red Hat miss the mark completely. They do not *own* OSS. They *profit* from it. In fact, there is nothing preventing MS from also profiting from OSS if it wanted to. But it doesn't want to share. It wants it all.

If IBM owned a closed-source OS that had 90% of the market, and abused that dominating position to increase its share in other markets, then maybe you'd have a point, but right now all you have is a half-assed, highly emotional plea to support the abuses of an evil empire.

Reply Score: 5

RE[4]: Attacking Microsoft?
by MollyC on Wed 22nd Aug 2007 16:25 UTC in reply to "RE[3]: Attacking Microsoft?"
MollyC Member since:
2006-07-04

"all you [MollyC] have is a half-assed, highly emotional plea to support the abuses of an evil empire."

LOL
Good one!

Just a few corrections to your rant.
First, my income depends neither on Microsoft nor any tech company.
Second, Microsoft has released lots of OSS code, including just recently the DLR. So your "In fact, there is nothing preventing MS from also profiting from OSS if it wanted to. But it doesn't want to share. It wants it all." is a bit hyperbolic, but that's cool. My previous posts in this thread employed hyperbole to a high degree. ;)

Edited 2007-08-22 16:32

Reply Score: 0

RE[5]: Attacking Microsoft?
by Xaero_Vincent on Wed 22nd Aug 2007 17:50 UTC in reply to "RE[4]: Attacking Microsoft?"
Xaero_Vincent Member since:
2006-08-18

MollyC,

If Microsoft were so friendly to open source then explain why they have been threatening the movement with patent infringement claims? Do you call milking the movement for bucks an act of kindness?

If Microsoft was so "kind-hearted" they would have done what IBM, Google, and some other big guys have done: allow open source free use of software patents without the threat of litigation.

As far as I am concerned, your backing of Microsoft has little merit. Microsoft would think nothing of stabbing you in the back if they saw it as a business advantage. You simply have no credibility in my opinion.

Edited 2007-08-22 17:51

Reply Score: 6

RE[5]: Attacking Microsoft?
by archiesteel on Wed 22nd Aug 2007 23:29 UTC in reply to "RE[4]: Attacking Microsoft?"
archiesteel Member since:
2005-07-02

First, my income depends neither on Microsoft nor any tech company.


Really? Are you not Molly Cieslinski, from Waggener Edstrom, a PR firm representing Microsoft?

Reply Score: 5

RE[6]: Attacking Microsoft?
by sbergman27 on Thu 23rd Aug 2007 17:33 UTC in reply to "RE[5]: Attacking Microsoft?"
sbergman27 Member since:
2005-07-24

Would that be this company?

http://en.wikipedia.org/wiki/Waggener_Edstrom

Reply Score: 2

RE[3]: Attacking Microsoft?
by monodeldiablo on Wed 22nd Aug 2007 18:08 UTC in reply to "RE[2]: Attacking Microsoft?"
monodeldiablo Member since:
2005-07-06

Phew! Where to start? There's so much wrong in your post, it's no wonder these things spur emotional screaming matches. I couldn't help laughing at most of it, though.

Please, in the future, try to maintain a little more civility in your posts. This had a very low signal to noise ratio almost exclusively because of your shrill partisan hyperbole, mischaracterizations and personal attacks. A partial (hopefully constructive) rebuttal follows.

OSS icon IBM has more money and more lobbyists than does Microsoft.


Blatantly, demonstrably, patently untrue. Microsoft is one of the top 20 lobbyist organizations (and top 10 corporate lobbyists) in the United States. Even if IBM were exclusively lobbying on behalf of FOSS (an assumption that's ludicrous to make, but necessary to show how ridiculous your claim is), it still spends an order of magnitude less than Microsoft. [1]

The tech media praises OSS constantly. Linux, despite having a userbase share of less than 1%, gets at least 50% of OS coverage by the tech media, nearly all of it uncritical, and this has been going on for 10 years now.


And it never occurred to you that this might be because of merit, a disruptive development model or its explosive growth? Don't let your bias color your interpretation. Proportionality has never been a good metric for reporting, since it completely ignores the significance of the subject. Just because something isn't saturating the market doesn't mean it's not compelling.

Besides that, Jeff Jones' blog is just a blog. There's nothing preventing an IBM or Red Hat employee from doing similar blogs.


The difference, though, is that most such blogs by employees of Red Hat, IBM, Novell, Ubuntu, OpenedHand, etc. tend to focus on technical or community issues and solutions. Very few devote much time or attention to discrediting or slandering Microsoft. In fact, I think you'll find most critical FOSS blogs spend most of their time and attention attacking weaknesses in the community itself. As I said before, FOSS's strength is its reliance on constructive criticism.

Regardless, a blog is hardly the PR vehicle that a targeted ad campaign is, such as the multi-million dollar "Get the Facts" push. When I referred to Microsoft's dedicated PR dollars, I wasn't talking about employee blogs. That much should be self-evident.

Now we see the self-righteous holier-than-thou attitude of particular OSS advocates that is so nauseating.


There was nothing "holier-than-thou" or "self-righteous" about my statement. Your nausea is no more the fault of FOSS contributors than hurricane relief volunteers or neighborhood watch members. I recommend you look up the meaning of the term "self-righteous". It implies coercion and peer pressure, but nobody here has tried to browbeat you into donating code to the FOSS arena. Nobody is trying to force you to contribute your time and effort. In fact, you're free to use the fruits of others' donated labor with no strings attached. Because of this, your reaction is particularly unwarranted and hints at some other reason for disliking FOSS.

Look, if you want to donate your free labor to the rich execs of Red Hat so when you see those execs driving around in Ferraris, you get the warm and fuzzies, thinking, "WOW, I helped give him that!!", then fine, but don't get all self-righteous about it. At least Microsoft pays its programmers.


Red Hat pays its programmers, too. As does every other commercial contributor to Linux. Those that aren't getting paid directly still feel that they are donating their labor for the greater good. If Red Hat or IBM turn a profit off of it, well, good for them, but that's just a side-effect. Like any other engineer, most FOSS programmers take pride in the beauty of their product. Their personality encourages them to participate in a community where elegant solutions are rewarded with praise. Just because this might not describe you doesn't mean anybody's judging you or pressuring you to fall in.

Oh, and stop with the "I do this for the good of all mankind" bull. Sure, the rational OSS programmers may feel that way, but I've seen all too many OSS programmers state that one of their motives is not "the good of mankind" but "destroying Microsoft", "Windows", "Office", etc. You cannot state that your goal is to destroy Microsoft then expect Microsoft to sit idly by.


You've created a pretty bad straw man argument there. I went out of my way to point out that I don't dislike Microsoft or many of its products. I also don't deny that some in the community do. Judging a movement by the most radical of its members is a profound fallacy. I find it particularly ironic that you push this point, though, considering your own lopsided and irrational agenda.

Ignoring an argument because some rabid believers take it too far discredits the whole debate because it merely polarizes the discussion without observing valid criticisms. To put it another way, should civil rights be denied to African-Americans because they were advocated by the Black Panthers?

And let's get one thing straight: You are NOT akin to a free laborer building homes for the poor in impoverished countries. IBM is not "impoverished". Red Hat is not "impoverished". These are billionaire companies that sell the works of your free labor to others for billions.


But there are plenty of people who are impoverished who can't afford IBM's, Red Hat's or Microsoft's software. The advantage that FOSS has is that those people still have legal access to good software. They need only pay Red Hat or IBM if they want enterprise-level support. You're misinterpreting my analogy to construct yet another straw man.

Besides, do you realize how incredibly boring this site would be if 100% of the comments were by you MS bashers? :p


On the contrary, I think that if we engaged in rational discourse instead of resorting to calling anybody with a differing opinion an "MS basher", this would be a much more interesting site. The hyperbole, personal attacks and overall aggressively empty nature of most posts here have started to devalue dialogue here in much the same way they have brought Slashdot's value down.

[1] http://www.opensecrets.org/industries/contrib.asp?Ind=B12&cycle=200...

Reply Score: 3

RE[3]: Attacking Microsoft?
by chris_dk on Thu 23rd Aug 2007 10:00 UTC in reply to "RE[2]: Attacking Microsoft?"
chris_dk Member since:
2005-07-12

At least Microsoft pays its programmers

FUD. All open source companies pay their employees.

The difference is that volunteers can join the development and they do it, because they want to.

Reply Score: 1

pruneau Member since:
2007-08-22

Just .5 more cents, though.

First, as it was already pointed out, by H.H. B. Schneier himself and some other people, real secure software will be produced when the software companies will somehow be held accountable for the security of what they deliver.

The typical production cycle of software still follows this progress:
- make it work (most of the time)
- make it fast (whenever there are more than enough user complaints)
- make it secure (when we are more than 95% sure some capital loss or other litigation is headed our way)

Security will never be about insurance, more about risks: because it's going to be an arms race between 'us' and 'them' forever, that's a sad fact.

Now if someone wants to go and produce useful security metrics instead of doing some kind of backwater irrelevant PR^H^Hstatistics, here's my idea:
Your favorite OS/Application can be as insecure as it gets; if you are the only one using it, you are at less risk than a "semi-secure" OS that is targeted by millions.

This is indeed a caricature, but if someone could really get out some statistics pointing out, let's say, the number of active attack vectors against the number of unpatched threats out there, per OS, that would give you an estimation of how much using this OS is a real risk, and probably how much it's going to cost you to "secure" it.

Any takers ?
(I might start searching for venture capital anytime soon ;-)

Reply Score: 2

RE: Attacking Microsoft?
by Redeeman on Tue 21st Aug 2007 21:25 UTC in reply to "Attacking Microsoft?"
Redeeman Member since:
2006-03-23

you are forgetting that microsoft and us have very different opinions of what is a very severe thing..

for microsoft, it basically has to mean that your data and business gets destroyed so badly, that it's BAD for MICROSOFT themselves, while for us, just being able to crash an application, with the extremely small and theoretical possibility of hogging resources.

Reply Score: 4

RE: Attacking Microsoft?
by historyb on Wed 22nd Aug 2007 01:36 UTC in reply to "Attacking Microsoft?"
historyb Member since:
2005-07-06

Why do people take so much pleasure in attacking Microsoft?


They did it to themselves by having substandard products and using illegal monopolistic tactics to stifle competition.

The Windows of today is a very secure operating system, no matter how much the Linux guys hate to admit it.


By itself no, it's a piece of junk.

Reply Score: 2

RE: Attacking Microsoft?
by Soulbender on Wed 22nd Aug 2007 05:05 UTC in reply to "Attacking Microsoft?"
Soulbender Member since:
2005-08-18

"Why do people take so much pleasure in attacking Microsoft? "

Because they're a top dog with questionable business ethics?

Reply Score: 2

RE: Attacking Microsoft?
by ronaldst on Wed 22nd Aug 2007 07:12 UTC in reply to "Attacking Microsoft?"
RE: Attacking Microsoft?
by dylansmrjones on Wed 22nd Aug 2007 11:31 UTC in reply to "Attacking Microsoft?"
dylansmrjones Member since:
2005-10-02

The Windows of today is a very secure operating system, no matter how much the linux guys hate to admit it.


Nobody denies that Windows today is more secure than Windows yesterday (compare Win2K3 Server with Win95).

But calling it very secure is relative. Compared with earlier versions of Windows, Windows today is quite secure. Compared with OpenBSD, Windows is a joke.

The problem here is not about security or lack thereof. The problem is Jeff Jones and his deliberately unethical behaviour in regard to his "score card". He clearly states in a hidden manner that Windows is more secure, though he does hide it through "clever" sentences.

And of course persons like MollyC and CrazyDude0 are on the barricade immediately defending their Holy Church of Redmond.

Reply Score: 3

Hehe, this guy is hilarious!
by shapeshifter on Tue 21st Aug 2007 20:35 UTC
shapeshifter
Member since:
2006-09-19

I couldn't stop laughing for a long time.
Stripped down RHEL server more vulnerable than Windows, lol.
Notice how Ubuntu has the most vulns.
Guess what's the biggest threat to Microsoft on the desktop?
Well, must be nice getting a fat paycheque from Microsoft.
And he really needs to check himself into rehab.

Back to the real world.
I was rebuilding an XP system yesterday.
Cleaning all the trojans and spyware was fun.
It's always pleasure to see quality written Windows components like Smitfraud.c and Vundo.
I thought "safe mode" was relatively safe until Smitfraud showed me otherwise, lol.
And almost 100Mb of patches since Service pack 2.
And that's just the OS stuff.
Granted there is a "Mediaplayer" if you can call it that.
How can a garbage like XP be allowed to be on the market? Isn't there some kind of consumer protection provided by governments?

Reply Score: 3

RE: Hehe, this guy is hilarious!
by linumax on Wed 22nd Aug 2007 03:07 UTC in reply to "Hehe, this guy is hilarious!"
linumax Member since:
2007-02-07

I thought "safe mode" was relatively safe until Smitfraud showed me otherwise, lol.

Umm... I thought Safe Mode was a Diagnostic Mode with few disabled services that has nothing to do with security.
Sounds like you don't really spend much time on Windows.

Cleaning all the trojans and spyware was fun.

Yes, fully patched XP machines can still be infected, however, it simply depends on how you use your machine. For porn? File sharing? Say yes to whatever pop-up and running all those tiny 'all our free porn is yours instantly' executables? Anyway, I'm happy that you had fun, let's see what I do to prevent that extra fun from happening:

I use Firefox and recently IE7. AV and Firewall are also running quietly in the background. Add some common sense juice to the mix! The only spyware that ever found its way to my machine came with KaZaA (RIP.. NOT) and that was a long time ago and my own fault. eMule replaced it, free, oss and works perfectly.

Taking care of XP's security is not that hard and does not require much effort even for non techies. Just give them a few tips on safely doing the deeds they do ;)

Granted there is a "Mediaplayer" if you can call it that.

Well, since it plays media, I guess you can. And it does a good enough job. I also like some of the little hidden features like "Synchronized Lyrics".

How can a garbage like XP be allowed to be on the market?

Well, it's probably because XP is not the pure garbage that you think it is. Where I work, we have around 500 desktops and almost half that number of laptops, all running XP (except a few 2000 and Linux boxes and 3 Vista machines).
The alternate-reality XP that you mention would have brought our software development business down a long time ago. Didn't happen, didn't happen to millions and millions of other people happily running XP.

Please switch back to real world. Microsoft products are a lot more secure than they used to be (look at IIS), and Linux is a lot more user-friendly than it used to be (Ubuntu?). Both are filling in the gaps, turning weaknesses into strengths, benefiting us, users.

Edited 2007-08-22 03:13

Reply Score: 5

RE: Hehe, this guy is hilarious!
by suryad on Wed 22nd Aug 2007 13:16 UTC in reply to "Hehe, this guy is hilarious!"
suryad Member since:
2005-07-09

XP still is full of holes but if you are smart it can remain clean as my machine has. No I don't use anti-spyware or anti-virus. Maybe once in 6 months just to be sure.

You are complaining about the size of the updates post SP2? Have you seen Mac OSX updates? Besides I would rather MS fix them than just forget about them.

Also another myth, XP slows down over time and needs a rebuild. I made a note when I last did a clean install. 1 year 4 months and counting. No slowdowns none whatsoever. I still boot in 15 seconds. I still use 110 mb at startup with 20 services turned on.

XP is not that bad as people make it out to be. Is Linux better? As an OS hell yes. Do I use it exclusively? Hell no. Most of the stuff I am used to has poor replacements in Linux. That and games.

I am just glad we have all these choices to choose our weapon of choice. Right now mine is XP. Once Vista SP1 comes out and I build a new machine I will move to Vista. I will just make sure to use vLite.

Stop taking sides people! Just use and compute and enjoy!

Reply Score: 3

Re: Attacking Microsoft?
by Downix on Tue 21st Aug 2007 20:36 UTC
Downix
Member since:
2007-08-21

The Windows of today is a very secure operating system, no matter how much the linux guys hate to admit it.

It is? **checks** I don't know where you are getting these figures, as McAfee, SpyBot and AVG all keep finding newer and newer problem code in my new Vista install. Never had this problem with Linux and I've run it since '93.

Edited 2007-08-21 20:36

Reply Score: 2

Heh.
by Almafeta on Tue 21st Aug 2007 20:47 UTC
Almafeta
Member since:
2007-02-22

Amusingly, and as has come to be expected, OSNews prefaced this article with an editorial, implying: "This article shows Windows is better -- so it obviously has to be complete bullshit without an ounce of infallible FSF-funded research in there -- yet we're going to link to it anyways."

Interestingly, not linked by OSNews is how he got these numbers -- f'rex, rounding in Linux's favor by excluding packages which are traditionally among the buggiest under the justification that "XP does not have comparable [components]":

http://blogs.csoonline.com/methodology_sources_and_assumptions_for_...

Reply Score: 1

RE: Heh.
by Thom_Holwerda on Tue 21st Aug 2007 20:50 UTC in reply to "Heh."
Thom_Holwerda Member since:
2005-06-29

Amusingly, and as has come to be expected, OSNews prefaced this article with an editorial, implying: "This article shows Windows is better -- so it obviously has to be complete bullshit without an ounce of infallible FSF-funded research in there -- yet we're going to link to it anyways."

Oh god it's that time of the year again. OSNews is anti-Microsoft, pro-FSF now!

Reply Score: 1

RE[2]: Heh.
by dylansmrjones on Wed 22nd Aug 2007 10:09 UTC in reply to "RE: Heh."
dylansmrjones Member since:
2005-10-02

Don't worry Thom. OSnews being pro-FSF will never happen ;)

Reply Score: 3

RE: Heh.
by PlatformAgnostic on Wed 22nd Aug 2007 07:35 UTC in reply to "Heh."
PlatformAgnostic Member since:
2006-01-02

Thom's got a point. It's not OSNews with the editorial blurb... it's SEJeff. I don't know exactly why he linked this story when he so vehemently disagrees with it.

I usually find the editors to have decent taste in what they choose to link. The blurbs can be off, but it's not really the style of this site to edit their content too much.

Reply Score: 2

RE[2]: Heh.
by Thom_Holwerda on Wed 22nd Aug 2007 17:58 UTC in reply to "RE: Heh."
Thom_Holwerda Member since:
2005-06-29

Thom's got a point. It's not OSNews with the editorial blurb... it's SEJeff. I don't know exactly why he linked this story when he so vehemently disagrees with it.

I did write this blurb. The "submitted by" just means the link was sent in by that person. The blurbs are almost always written by us, or copied from the source article.

Reply Score: 1

RE[3]: Heh.
by PlatformAgnostic on Thu 23rd Aug 2007 07:48 UTC in reply to "RE[2]: Heh."
PlatformAgnostic Member since:
2006-01-02

Ok... I was improperly extrapolating from my experience of submitting links.

I guess I disagree with the content of your blurb then (not saying you're wrong to put it there, I just have a different opinion).

With the exposure of Microsoft software to the intense scrutiny of the security community, and with the high price offered by various organizations for unpatched flaws in Windows and other common software, Microsoft can't leave any really exploitable vulnerability unfixed and unreported for too long. So, in a sense, every real vulnerability is patched.

It's fair to say that it's well-nigh impossible to compare Microsoft software to OSS because they both have different metrics for what is considered a serious vulnerability. But the time to patch comparison probably is fair because in all cases, the time of the initial report is recorded along with the attributions for the researchers who submitted the bugs. If a vendor messes around with this, the security community usually raises a stink.

The comparison is not exactly fair for one other reason: if Microsoft finds a vuln, they usually spend a while looking through all the codebases for similar problems. Perhaps Red Hat does the same, but it might take some time for similar vulnerabilities to get fixed in all the upstream trees.

Reply Score: 2

RE[2]: Heh.
by Almafeta on Thu 23rd Aug 2007 14:06 UTC in reply to "RE: Heh."
Almafeta Member since:
2007-02-22

Just about every time I have submitted an article, the blurb's been completely rewritten. For example, when I submitted an article about Fiwix, the blurb was about how it's an OS intended for educational use; it was completely thrown out instead in favor of one about how it's "fully focused on being Linux compatible."

Reply Score: 2

Ironic
by dbodner on Tue 21st Aug 2007 20:49 UTC
dbodner
Member since:
2007-07-01

Anyone else find it ironic the headline of his blog reads:

"Looking at Security from All Angles. Security is not simple, so we should try not to simplify it to the point of uselessness."

Did anyone find anything of substance in his report? Seemed like it was just a few graphs that really didn't delve down into the problem of OS security. Seems "simplified to the point of uselessness" to me.

I guess your motto changes when it fits your employer.

Reply Score: 2

Counting vulnerabilities (LWN article)
by irbis on Tue 21st Aug 2007 21:21 UTC
irbis
Member since:
2005-07-08

For the sake of objectivity the Linux Weekly News June article "Counting vulnerabilities" (by Corbet) is still worth reading and one of the most balanced articles on this subject (Jeff Jones' vulnerability scorecards) as far as I know.

You can find the LWN article here:
http://lwn.net/Articles/239457/

Reply Score: 3

existing _and_ fixed
by PipoDeClown on Tue 21st Aug 2007 21:32 UTC
PipoDeClown
Member since:
2005-07-19

so how many reported bugs have been fixed?

Reply Score: 1

It's not 2003 anymore
by MollyC on Tue 21st Aug 2007 22:09 UTC
MollyC
Member since:
2006-07-04

According to gedmurphy's bio, he's a ReactOS dev, which normally would get kudos around here. But he dares question the anti-Microsoft group-think and is immediately trashed by the peanut gallery. :p

Jeff Jones' "scorecards", which put Vista, Win Server 2k3, and even XP SP2 in a good light, are released for PR purposes, that's quite clear. But the real issue is that he's able to release such scorecards for PR purposes. He wouldn't have been able to in the past. 2007 versions of Windows are much more secure than 2003 versions.

I'm not concerned over which OS is more secure than another, I'm concerned with each OS improving its security, period. What I find amusing is that MS-haters just can't *stand* the thought of Microsoft improving its security. A reasonable person would want all OSes to be secure and to become more secure as time goes on. But MS-haters hope, wish, root, and pray for Windows to be insecure. So much so, that they close their eyes and ears at any evidence that Windows security is much better than it has been in the past. It's hilarious and pathetic at the same time.

The facts are that it's been years since a major virus/worm attack, XP SP2 was much more secure than previous versions of XP, Windows Server 2k3 has a very good security record which Vista builds on and improves on, IIS6 has had a nearly *perfect* record since it was released in 2003, etc. MS haters can go into their "I ain't tryin' to hear that!" routine, putting their hands over their ears and going "la la la la", but it doesn't change the facts that MS is greatly improving its security.

That being said, as a practical matter, Windows is more dangerous to run from a security standpoint. I confidently run my Mac without any anti-virus software, secure in the knowledge that it simply will not be attacked, despite its vulnerabilities. Just as I'm confident that Windows will be constantly attacked, no matter how secure it may be, and anti-virus software is needed to thwart attacks that don't rely on holes in the OS. Of course, I still update my Mac and Windows computers with security updates each month (or nearly so).

I'll close with this:
In the 90's Linux advocates cried "STABILITY!!" Microsoft largely neutralized that issue, so then Linux advocates started crying "SECURITY!!" But slowly but surely, Microsoft is taking that advantage away as well (which is why Linux advocates are loath to acknowledge any security improvements in Windows). Soon, Linux advocates will have to rely on "FREE" (sheepishly adding "(as in beer)").

Reply Score: 3

RE: It's not 2003 anymore
by signals on Tue 21st Aug 2007 22:22 UTC in reply to "It's not 2003 anymore"
signals Member since:
2005-07-08

What I find amusing is that MS-haters just can't *stand* the thought of Microsoft improving its security. A reasonable person would want all OSes to be secure and to become more secure as time goes on. But MS-haters hope, wish, root, and pray for Windows to be insecure. So much so, that they close their eyes and ears at any evidence that Windows security is much better than it has been in the past. It's hilarious and pathetic at the same time.

I'm not a Windows user, but I'd love for Windows to become a more secure operating system. It would make all of our lives easier, even if we don't use Windows. (Wouldn't it be nice if there were no more botnets?)

But, the point most of the "MS-haters", as you call them, are trying to make is that this particular metric is meaningless. It is not "evidence that Windows security is much better than it has been in the past." All it tells us is that Microsoft has patched fewer vulnerabilities. Not that they had fewer discovered security problems, or that they were less severe, than the rest of the pack.

The fact that some of us are trying to point this out does not make us Microsoft haters.

Reply Score: 4

RE: It's not 2003 anymore
by raver31 on Wed 22nd Aug 2007 01:03 UTC in reply to "It's not 2003 anymore"
raver31 Member since:
2005-07-06

Soon, Linux advocates will have to rely on "FREE" (sheepishly adding "(as in beer)")


ho hummm....

it is FREE as in FREEDOM, (freedom of speech/expression).... not FREE AS IN BEER !

What I find amusing is that MS-haters just can't *stand* the thought of Microsoft improving its security. A reasonable person would want all OSes to be secure and to become more secure as time goes on. But MS-haters hope, wish, root, and pray for Windows to be insecure.

If Windows is getting so secure, why do botnets keep sending me spam about increasing my penis size ?

Edited 2007-08-22 01:05

Reply Score: 4

RE[2]: It's not 2003 anymore
by Blackhouse on Wed 22nd Aug 2007 07:06 UTC in reply to "RE: It's not 2003 anymore"
Blackhouse Member since:
2005-07-06

If Windows is getting so secure, why do botnets keep sending me spam about increasing my penis size ?

Unfortunately it's not only Windows boxes these days. While Linux has the possibility to be quite secure, most sys admins don't know shit about security or don't care. This means that just as in the Windows world there are heaps of unpatched, forgotten boxes out there and quite a number of those have been compromised.

While I agree that Microsoft has been sloppy in the past with fixing some of its security problems, it usually comes down to the sysadmin as to how secure the box really is. People are lazy and uncaring (about their computer); insecure computers are a result of that.

As for the original article. Well it's graphs, a graphical presentation of statistics and we all know how serious to take those. The only thing you can really conclude from these is that Linux vendors fix a lot more vulnerabilities, other conclusions you like to make from the graphs are mere assumptions.

Reply Score: 1

RE[3]: It's not 2003 anymore
by MollyC on Wed 22nd Aug 2007 16:01 UTC in reply to "RE: It's not 2003 anymore"
MollyC Member since:
2006-07-04

"Soon, Linux advocates will have to rely on "FREE" (sheepishly adding "(as in beer)")

ho hummm....

it is FREE as in FREEDOM, (freedom of speech/expression).... not FREE AS IN BEER !"

Again, you miss the point I was making. Perhaps I was too subtle. I was saying that in the 90's Linux advocates used "stability" to advocate their platform to the masses. Microsoft addressed that, so Linux advocates moved on to "security" arguments to advocate their platform to the masses. Microsoft is addressing that, so soon Linux advocates will have to rely on "Free" to advocate their platform to the masses.

Now, I know that the devout say "Free as in speech, not beer" (a gross misappropriation of the US Constitution's use of "Freedom of Speech", but whatever). But the masses don't really care about "Free as in speech" aspects of software. But they do care about "Free as in beer" (how much they care is up to debate). So, when advocating to the masses, "Free as in beer" will be the prime argument. I know it won't be as heart-felt an argument as "Free as in speech", which is why I used the word "sheepishly" in my statement.

For the readers that understood my original point, but began and persisted in reading this very pedantic explanation to the end, I do apologize. ;)

Edited 2007-08-22 16:10

Reply Score: 2

RE: It's not 2003 anymore
by Soulbender on Wed 22nd Aug 2007 05:09 UTC in reply to "It's not 2003 anymore"
Soulbender Member since:
2005-08-18

"But he dares question the anti-Microsoft group-think and is immediately trashed by the peanut gallery. :p"

The anti-Microsoft groupthink provides a counterweight to the much larger Microsoft groupthink.

Reply Score: 4

RE[2]: It's not 2003 anymore
by PlatformAgnostic on Wed 22nd Aug 2007 07:39 UTC in reply to "RE: It's not 2003 anymore"
PlatformAgnostic Member since:
2006-01-02

Windows runs on close to 1 Billion computers. It's safe to say that most of those users don't think about their OS at all. Among the techies, it's pretty hard to find a culture of Microsoft groupthink outside of Redmond.

Reply Score: 2

RE[3]: It's not 2003 anymore
by Soulbender on Wed 22nd Aug 2007 08:26 UTC in reply to "RE[2]: It's not 2003 anymore"
Soulbender Member since:
2005-08-18

"Among the techies, it's pretty hard to find a culture of Microsoft groupthink outside of Redmond."

Oh please, get real. How many ISVs, consultants, etc. are there who have Windows as their primary source of income? Not to mention gamers and power users. That's a pretty solid base for groupthink.

Reply Score: 4

Only fixed?
by signals on Tue 21st Aug 2007 22:10 UTC
signals
Member since:
2005-07-08

Maybe one of the vendors on his list should just stop patching their system for a while. Even though they would probably have quite a few massive, public, unplugged security holes, they would show up with 0 vulnerabilities in his graphs.

To the casual observer, the vendor who doesn't patch any security problems would look to be the most secure.

If there's anything you can take away from reading this guy's blog, it's that Microsoft hasn't patched as many problems as the other vendors. You can't say they didn't have as many, just that they didn't fix as many.

Reply Score: 3

All this says
by Xaero_Vincent on Tue 21st Aug 2007 22:19 UTC
Xaero_Vincent
Member since:
2006-08-18

Is that Linux distros are doing a better job at detecting security vulnerabilities and fixing them. There are probably thousands of security holes lurking in Vista, but only a few are being found and fixed. This is very typical of proprietary software because only a limited number of people may examine the code for flaws.

XP has fewer in numbers by this chart yet you can waste an XP install in five minutes by visiting the wrong sites and downloading the wrong things. This fact alone should make this entire chart irrelevant.

This chart also does *NOT* take into account hardened distros, such as RHEL and Fedora. These distros deploy numerous security tools and features that, when used, render virtually all of these security holes a non-issue!

Edited 2007-08-21 22:22

Reply Score: 4

RE: All this says
by Doc Pain on Tue 21st Aug 2007 23:18 UTC in reply to "All this says"
Doc Pain Member since:
2006-10-08

"XP has fewer in numbers by this chart yet you can waste an XP install in five minutes by visiting the wrong sites and downloading the wrong things. This fact alone should make this entire chart irrelevant."

You're mentioning an interesting point. If the charts are taken seriously and very carefully (as usual in regard to statistics), they are telling how secure an OS or a software distribution is by default. But they do not tell how secure it is after being touched by a (low-skilled) user. The tendency to bypass means of security in order to leave the user with a more comfortable feeling seems to be a new mainstream in the Linux world. The biggest threat for security resides between screen and chair. As you described, even the most secure OS can be compromised very fast if it is used in a non-recommended way. A download link and "Here, this is a download manager!", and the average user has installed a bunch of trojans on his "invulnerable" PC. The most secure OS is the OS that does not have a connection to the Internet and is installed and administrated by a professional. :-)

Reply Score: 3

RE[2]: All this says
by Xaero_Vincent on Tue 21st Aug 2007 23:29 UTC in reply to "RE: All this says"
Xaero_Vincent Member since:
2006-08-18

Doc Pain,

Yes, unless the security features themselves stop a user.

SELinux, for example, will--depending on setup--prevent programs from running in the first place, if SELinux detects the program doing something suspicious in or with memory addresses. The user has to go out of their way to disable the security context for that program before it will run. In some distros like Fedora, SELinux is just one level of protection amongst many.

For some this might be an annoyance, but for others it's a wake-up call for them to do their research before downloading some unknown program from the internet.

That said, you will remain in a pretty safe environment if you rely solely on "trusted" repositories for your application needs.

I can see the need for the security features for file transfers and email attachments.

Edited 2007-08-21 23:36

Reply Score: 2

Fairly meaningless
by Obscurus on Tue 21st Aug 2007 23:02 UTC
Obscurus
Member since:
2006-04-20

Without other information to go on, this data tells you absolutely nothing. Has Windows XP had fewer security fixes because it is a mature, secure OS that doesn't need a lot of work, or are there a lot of unfixed or unknown security holes? Can't tell from this data. Is Ubuntu an incredibly insecure OS that requires constant patching, or are the Ubuntu devs more diligent at fixing things? Can't tell from this data. Is Vista a more secure OS, or has it had fewer fixes purely because it is fairly new? Can't tell from this data.

Essentially, this data is utterly useless, because it has no context where comparisons can be made. Of course, people will draw their own conclusions by filling in the missing information with their own biases, preconceptions, experiences and knowledge, but these graphs themselves are a ridiculous waste of time on their own.

Reply Score: 3

Comparing apples to oranges here...
by tech10171968 on Tue 21st Aug 2007 23:06 UTC
tech10171968
Member since:
2007-05-22

True, we don't see very many fixed vulnerabilities for Vista; but then, how long has Vista actually been running? Let's see the chart again once Vista's been around for a few years.

BTW, as far too many folks here have already pointed out, this metric means absolutely nothing, especially if you read it wrong. This is a metric of how many vulnerabilities have already been fixed, and not a measure of how many actually exist for the mentioned OSes. If one were to simply stop fixing vulnerabilities, then that particular bar graph would look like Vista's does now because (once again) this is a measure of what has already been fixed. If you really want to be picky about it, then one could easily say that Linux and others have fixed more of their issues than the Windows family; notice, once again, how no mention is made of how many vulnerabilities each OS actually has (I apologize for continuing to push that point, but apparently some people still haven't figured this out as yet).

A much more useful metric would be a ratio of discovered vulnerabilities to fixed vulnerabilities for each OS; only then can either side claim bragging rights.

Edited 2007-08-21 23:08

Reply Score: 1

FUD
by Mathman on Tue 21st Aug 2007 23:18 UTC
Mathman
Member since:
2005-07-08

The day Vista ships with 10,000 packages or whatever like Linux distros do is the day I'll take this nonsense seriously.

Reply Score: 1

RE: FUD
by Obscurus on Wed 22nd Aug 2007 09:36 UTC in reply to "FUD"
Obscurus Member since:
2006-04-20

To be fair though, most of the packages that ship with a typical Linux distribution have nothing whatsoever to do with the core OS, so you would be comparing apples and oranges if you are basing your comparison on an OS with relatively few "packages" vs an OS that bundles loads of miscellaneous applications that have no bearing on the security of the OS itself. And since an install of Vista consumes nearly twice the HDD space of a Linux distro, in terms of sheer complexity, Vista is probably harder to maintain (I dare say because of all the backwards compatibility userland crud).

In terms of the Kernel itself, I would hazard a guess that the Windows Kernel is intrinsically more secure than the Linux Kernel, though I would expect a flood of posts disputing this opinion...

Reply Score: 2

This guy again?
by abraxas on Wed 22nd Aug 2007 03:21 UTC
abraxas
Member since:
2005-07-07

I really hate to fuel the fire, but this guy's statistics show absolutely nothing now, and they showed nothing the first or second time either. I made several points the last time this guy was getting undeserved attention, but believe it or not I still have some left.

The biggest issue with comparing any vulnerability statistics from Microsoft is their record of non-disclosure. Some of their security patches patch more than they let on. Some vulnerabilities are probably known about within MS but not disclosed to the public. Other vulnerabilities are classed incorrectly.

There are so many other things wrong with these reports, but it's getting pretty tiresome repeating them.

Reply Score: 3

THE IMPORTANT DIFFERENCE
by pixel8r on Wed 22nd Aug 2007 03:39 UTC
pixel8r
Member since:
2007-08-11

There is a big difference between how vulnerabilities are fixed in each OS.

When a bug / vulnerability is found in Windows, MS are informed and it gets kept quiet until it's fixed and patches are available, and only THEN is the report released to the public, making it look like they fixed it the same day it was reported. Occasionally the vulnerability info becomes public a bit early, and in this case they're sometimes not so speedy with the fix (according to what the public sees).

On the other hand, if a bug / vulnerability is found in Linux, it is either reported publicly or (depending on who discovered the bug) fixed immediately. I'm not saying this happens in all cases but in most cases patches are available within 24 hours of a security hole being discovered.
Linux by its open development processes doesn't have the opportunity to hide its flaws until it has fixes ready (and nor would anyone want it to).

This, I believe, is an important factor in the way these numbers should be interpreted.

Do we really think Windows only had this many vulnerabilities? Why are they mostly critical?
Something to think about.

Reply Score: 2

RE: THE IMPORTANT DIFFERENCE
by funny_irony on Wed 22nd Aug 2007 04:55 UTC in reply to "THE IMPORTANT DIFFERENCE"
funny_irony Member since:
2007-03-07

The chart shows the number of vulnerabilities fixed.

Is
less fix = more secure ?
or
more fix = more secure ?

If no fix = most secure, we should all go back to Win95/98 because Win95/98 is not on the chart.

Reply Score: 2

RE: THE IMPORTANT DIFFERENCE
by Obscurus on Wed 22nd Aug 2007 11:06 UTC in reply to "THE IMPORTANT DIFFERENCE"
Obscurus Member since:
2006-04-20

Publicly announcing a security flaw the day you find it is not a good idea - you don't want to draw attention to a security problem (that is just common sense). Now, if a bug is fixed in very short order from discovery, that is great, but not all bugs have an obvious fix, and it can take a while for people to work out how to fix the code without breaking other things. You don't want to announce a vulnerability and find out it is very hard to fix, and then have oodles of people exploiting that vulnerability as a result of ill-placed publicity.

If the lock to your front door is broken, you would be a bit of a twat if you put up a big sign on your roof advertising the fact. It would be much smarter to act like the lock was fine, and call a locksmith as soon as possible.


If Windows has security flaws, I'm glad MS doesn't advertise them until they are fixed, because it means that many fewer malicious people will find vulnerabilities and exploit them.

Regardless of OS, the most important factor in security is the people using or administering systems, not how many theoretical vulnerabilities might exist.

It is very hard to exploit a vulnerability if you don't know what it is.

Reply Score: 3

teasing
by Darkelve on Wed 22nd Aug 2007 07:14 UTC
Darkelve
Member since:
2006-02-06

"Any conclusions like "x is more secure than y" cannot be drawn from this data set. As always, do with it as you please."

Don't give people ideas ;)

Reply Score: 2

A better statistic
by PlatformAgnostic on Wed 22nd Aug 2007 07:44 UTC
PlatformAgnostic
Member since:
2006-01-02

People buy and sell security vulnerabilities online. A remote XP exploit used to net a researcher ~$10,000. A remote Vista exploit is worth ten times as much. Screw this scorecard BS. Money talks.

Reply Score: 2

RE: A better statistic
by Soulbender on Wed 22nd Aug 2007 08:31 UTC in reply to "A better statistic"
Soulbender Member since:
2005-08-18

Sources for your statement?

Reply Score: 2

RE[2]: A better statistic
by Blackhouse on Wed 22nd Aug 2007 16:14 UTC in reply to "RE: A better statistic"
Blackhouse Member since:
2005-07-06

This is a starter: http://www.betanews.com/article/Site_Hopes_to_Become_eBay_of_Vulner...

This is a freely accessible site; you can be sure that there are lots of underground ones that are much busier ;)

Reply Score: 1

Re: Biased report
by mind!dagger on Wed 22nd Aug 2007 12:30 UTC
mind!dagger
Member since:
2007-06-26

I guess everyone noticed the `bias` in this `article`. This guy is a director in the Microsoft security group.

Vista may or may not be more secure. I really don't know or even wish to know. My job is primarily in Unix, Linux and, yes, Windows servers.

I do know I've seen Vista cracked by our internal IT people and we are waiting 12-16 more months before it is deployed to our staff, faculty and students on campus.

Reply Score: 3

Where-Oh-Where
by hylas on Wed 22nd Aug 2007 18:37 UTC
hylas
Member since:
2005-07-10

Where are the FreeBSD, OpenBSD, and Mac OS X Server numbers?
Here's a handy list:

http://www.google.com/Top/Computers/Software/Operating_Systems/


Workstation OSs

Windows Vista
Windows XP
SUSE Linux Enterprise Desktop 10
Red Hat Enterprise Linux 4 Workstation
Red Hat Enterprise Linux Desktop 5
Ubuntu 6.06 LTS
Apple Macintosh OS X 10.4


Server OSs

Windows Server 2003
Red Hat Enterprise Linux 4 Advanced/Application Server
Red Hat Enterprise Linux 5 Server
Novell SUSE Linux Enterprise Server 10


How about a broader comparison?
First blush, it looks massaged.
Happy ending, anyone?

hylas

Reply Score: 1

RE: Where-Oh-Where
by Blackhouse on Wed 22nd Aug 2007 18:52 UTC in reply to "Where-Oh-Where"
Blackhouse Member since:
2005-07-06

Well, probably MS doesn't regard Mac OS X Server and the BSDs as competitors. This is propaganda, you're aware of that, right?

Edited 2007-08-22 18:52

Reply Score: 1