Less than two months after launching its Windows Server 2003 operating system, Microsoft has released a security patch to fix a vulnerability that could let malicious sites run damaging code on the server. This might fair as a pretty good score for Microsoft and their massive Trustworthy Computing initiative, as in comparison, Red Hat Linux 9 had almost thirty security patches in two months.Elsewhere, Microsoft CEO Steve Ballmer identified Linux and open-source software as key competitive challenges to the company in a memo sent to all employees Wednesday.
Windows Server 2003 Gets First Patch; Ballmer: Linux is a ‘Challenge’
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
Let the fireworks begin! Comparing 1 patch for Win Server to 30 patches for Redhat?? I am not in this one!
at least we know that linux has -30 bugs…and windows??
every OS has bugs, so if linux has more fixed bugs linux is more secure…and linux is open source so linux can correct his bugs before any one can exploit it,,,
>every OS has bugs, so if linux has more fixed bugs linux is more secure
Wrong assumption.
If an OS has more fixed bugs, it means that it has more found bugs and potentially more bugs in general.
>and linux is open source so linux can correct his bugs before any one can exploit it
Not if you are a professional ISP and only use Red Hat’s patches in order to not lose contracted support. Red Hat engineers take weekends off just like Microsoft’s engineers do too, you know.
I wish people would stop making unfair comparisons between the two. RedHat Linux is much more than an operating system – look at what you get on the three CDs – do you get a database server with Windows? With RedHat you get two. Do you get a full-fledged compiler suite with Windows? Nope. How many windows managers are there for Windows? With RedHat you get, umm… lots.
The point is that more software packages is always going to equal more bugs.
The article describes the patch as cumulative. How many patches does this include?
I don’t like the giant fighting in the streets that constantly goes on between the “Open Source Security is Invincible” guerillas and the “What are you talking about? Microsoft software has way less vulnerabilities!” police.
The way I figure is, it doesn’t really matter how many there are, it’s a matter of how many are exploited actually and to what extent. As Linux gets more and more popular, it will get more and more exploited bugs, but Microsoft’s current market domination (OK, not for servers) practically guarantees that it will be struck. If you want security, use OBSD or at least a *BSD.
I’m not one of those people who believe that open source software qua open source software is more secure (or vice versa). I personally like Free software because it’s Free, and that appeals to my ideologies. However, it is likely that Linux is more secure simply because it is UNIX-like, which tends to minimize the damage that can be done by normal (l)users.
Also, Sendmail needs to be consigned to the deepest pit of Hell. I sincerely think 1/5 of all vulnerabilities in OSS can be blamed on it. Isn’t something like exim better?
I’m far from being a MS fanboy, but I think that 1 hole in 1½ months is quite good, especially if you compare with their previous releases. I just hope they’re not hiding some holes intentionally like they did with WinXP & UPnP…
papipro, you got a point. The # of bugs doesn’t really matter that much as long as the platform stays secure.
>I wish people would stop making unfair comparisons between the two
I am sorry, but you are wrong. You are assuming that mySQL and PostgreSQL and Apache etc are not part of what Red Hat offers. This is wrong.
You have to think of it as a product. And whatever is in the box, is part of the product. And it requires to go under heavy testing before end up in that CD.
Therefore, if the security holes found, let’s say, in the mySQL package, it is 100% the same as in found in the kernel or in the net stack. In both cases you will get rooted. It doesn’t matter WHERE the hole is. All that matters is the PRODUCT and what that offers.
It is correct that not patching anything doesn’t prove anything for your security, but remember that open source is open for everyone, also the ppl who wants to exploit security problems. But it should, at least in theory, be easier or at least faster to patch an open source program since more programmers can look at the code.
Microsoft has had security problems forever. Maybe it’s understandable, as Windows is a pretty complex beast to manage. But OTOH, security is extremely important.
I’d never use Microsoft software for critical applications. Not only because of their bad security track record, but even more so because of how they deal with found security holes: they keep it quiet for a while first…
Compare that to the attitude OpenBSD has towards security holes. A while back a serious hole was found in OpenBSD (the first remote root ever!). And how did they deal with it? Not by hiding it, no, but by releasing the necessary patches _very_ fast (I think it was <24h, but don’t quote me on that), and spreading the word so that everyone could go and patch their systems.
It’s not because the one who reports the bug doesn’t have an exploit for it, that there isn’t one floating around. In short, there’s no excuse for delaying a security update.
And comparing the number of bugs between various OS’s isn’t a good comparison, because the severeness scale is very different. Microsoft tends to tell that bugs aren’t severe, while most open source OS’s play it on the safe side.
Also Microsoft will rather wait for a bunch of problems to accumulate and then issue one big patch, whereas other OS’s release one patch per problem.
As Chris said above this one patch is actually CUMULATIVE ! Meaning it is a whole bunch of fixes put into one big patch. This is very deceptive of Ballmer to talk about RedHat like that. A Linux distro brings with it many applications that a user may never use or turn on. To blame it sqaurely on Linux as a whole and not look at the applications as being outside sources is wrong and mis-leading. Would you count IIS as being part of the Windows OS core product in terms of bugs or just a application out side of it’s core OS ? If so then Windows easliy out ranks Linux in some cases as having more problems. Also look at the nature of Linux when it comes to bug finding as compared to MS’s “don’t ask, don’t tell” policy that is basiclly putting ones head in a hole and hoping for the best.
>>every OS has bugs, so if linux has more fixed bugs linux is more secure.
Since OpenBSD only fixed 1 security hole in 7 years, should we conclude that it’s the most insecure of all?
Here, your logic completely torn apart.
You are WAY off base Eugenia. If I load Cold Fusion or Peachtree or any other product in a Microsoft operating then do we count any patches and security problems as Microsoft Windows problems?
No, I didn’t think so.
Apache does not come from RedHat.
MySQL does not come from RedHat
and almost none of the other 30 RedHat patches actually were for software originating from RedHat.
On the other hand were Peachtree and Cold Fusion needing patches do you think that Microsoft would release anything to help users of those products.
No, I didn’t think so.
You’re starting to remind me a lot of the old Jesse Berst. Flamebait away!
Has it been 2 months already?
Let’s see, it was officially available on April 24, so let’s say it’s been in people’s hands since May 1. Microsoft has one month to drop the ball (unlikely) or they could be withholding fixes to make their product look good (also unlikely, but possible).
Now, I don’t know all the details but Eugenia has a point there. Mind you, we won’t truly know anything for a while now as we wait for the inevitable Service Pack. But smaller service packs would be a wonderful thing, yes? And who said Linux or Windows was perfect?
Also, MS has said that WinServer 2k3 was cut down from what was originally planned to focus on the core stuff that was functional and stable (good call on their part, but rare for MS). The rest of everything (including the components that will integrate with Longhorn) will be “phased in” as “Value upgrades”. Meaning they’ll be free or cheap and similar to service packs but can be managed separately and turned off (except for Internet Explorer). This could contribute to a better final product.
Also, Red Hat is made of so many things from so many different sources that I’d say that’s not too bad. but still…only two months.
OpenBSD spanks them all though 😉
–JM
>You are WAY off base Eugenia.
If it is someone that is way off base, this is you.
>Apache does not come from RedHat.
>MySQL does not come from RedHat
>and almost none of the other 30 RedHat patches actually >were for software originating from RedHat.
You don’t understand the meat here: IT DOES NOT matter who wrote what! It does not!
What matters is the WHAT Red Hat SELLS YOU and is installing by default on a server configuration.
THIS is what matters. NOTHING goes to Red Hat’s CDs without TESTING beforehand anyway. If you get rooted because of an app Red hat includes in that CD, the DAMAGE IS DONE. It doesn’t matter who wrote what!
It is like saying that your TV broke and the real culprit was a transistor made in China. Whom are you going to hold responsible? SONY for selling you that TV, or the Huing-Shiu transistor company in China? Huh?
Think with your market/reality hats on, not with your red hats.
Compare that to the attitude OpenBSD has towards security holes. A while back a serious hole was found in OpenBSD (the first remote root ever!).
It was the “first” remote root exploit in the default installation. Previous (and numerous) root exploits in opensshd don’t count as at the time sshd was not enabled per default.
It’s because of this that their “Only one remote hole in the default install, in more than 7 years!” moniker is somewhat misleading. First, this doesn’t mention the kernel race condition which could be exploited locally to gain root privileges, and second it also hides the fact that they didn’t trust the security of their own SSH server well enough to enable it per default for quite some time, during which time it saw a number of root exploits.
And how did they deal with it? Not by hiding it
OpenBSD (or should I say Theo de Raadt) is so enamored with its reputation that it has generated a great deal of hype about its own security, as can be evidenced by its ever-changing moniker “Four years without a hole in the default install” => “Five years without a remote hole in the default install” => “Only one remote hole in the default install in nearly seven years”, etc.
Now, this isn’t to say that Microsoft is any better. However, keep in mind that most of the services for which Microsoft is releasing patches aren’t enabled per default either. Just because it isn’t enabled per default doesn’t mean it isn’t a problem.
Open BSD has had only one _known_ exploitable security hole in 7 years, which was promptly fixed.
Windows and Linux operating systems and applications have had numerous _known_ exploitable security holes, all of which have been fixed (in the case of Windows, not always promptly).
Bug fix numbers are irrelevant to the question of how many exploitable security holes will be found in an operating system (or application). The reason is simple — it is not known how many as yet _unknown_ security holes are present. If the number were 10 and a system had one fix that would be worse than a system with 30 that had 29 fixes.
>>Since OpenBSD only fixed 1 security hole in 7 years, should we conclude that it’s the most insecure of all?
well, does openbsd have all that redhat pkgs on it?
and you cant compare redhat with windows 2003…windows 2003 is paid, so have in 2 months much less users that redhat 9 have…that expose more the os..in some time windows 2003 will be just like all the other buggy windows versions…
and please, stop those dumb comparations…
Don’t use such headers please, especially when you are trying to attract trolling against me and when you don’t understand what you are replying.
I suggest you RE-READ my comment you are replying to. You lost the point completely of what I was trying to prove to the person I was replying to. Because in part, I AGREE with you.
I have to agree with the anonymous poster on this one. Eugenia is way off here. Anyone that installs everything on the CD’s that come from Redhat with all services enabled should be fired as a server admin, no matter what OS the person pretends to be able to support.
A good admin knows what he/she is installing and understands the security implications of what they are using, regardless of the OS used.
Many of the security vulnerabilities in RH9 are local vulnerabilities. These types of flaws in windows aren’t going to be found as often, as almost 100% of the windows users I know run locally with administrative access anyways, which makes local exploits that exist a moot point!
Be really careful when making apples to apples comparisons in regards to security for operating systems that are so much different and come bundled with software in completely different ways.
Just my 2 pennies…
Eugenia, you are wrong.
if windows came with all the stuff redhat comes with your would be right, but this is not the case.
a fair comprasion here will be: RedHat linux bug fixes compared to Windows bug fixes + bug fixes for all windows apps needed to achive the same things as redhat achives by default.
Look at the list of bugs on the RedHat site — many of them are not issues with the Linux OS: (Ie: Apache is a webserver, mySQL is a database server, Evolution is a mail client, vsftpd is an ftp server, samba is a file server for windows clients, etc…) If you want to compare Apples to apples let’s include all the bugs from IIS ( can anyone count the number of bugs in that piece of shyte — I don’t think there is word to define a number this large — What comes after a googol???), SQL Server ( Ya, I never heard of any bugs in this peice of shyte — sarcasm), Active Directory ( I can’t count the amount of times I’ve seen an Active Directory Database get corrupt ) Office ( Hey, I find bugs in this thing everyday )… So please compare apples to apples
Looks like the guerillas really came out of the woodwork on this one.
Don’t you have anything more original to say than “Eugenia is wrong, redhat comes with more packages, nyeh nyeh”? The point was already addressed.
Open BSD has had only one _known_ exploitable security hole in 7 years, which was promptly fixed.
Incorrect on a few accounts.
OpenBSD has had one *remote* security hole in the *default install*
In comparison, MacOS X which ships with all services off by default, has had zero security holes in the default install. Should we therefore conclude that MacOS X is more secure than OpenBSD?
a: “We are getting massive flac for our security record. Customers are demanding we do something.”
b: “Okay, send out a memo, snag a few programmers to work on it, and have marketing think up a snappy name for it.”
a: “Snappy name for what?”
b: “For… you know… not completely sucking as far as security goes, or whatever.”
And thus we have “Trustworthy Computing”. OpenBSD needs to hire a marketing department to put a spin (or at least capitol letters) on their work.
>A good admin knows what he/she is installing and understands the security implications of what they are using, regardless of the OS used.
What are you saying here???
that the admin won’t install MySQL (one of the security patches found on Red Hat’s page)? But this is why he is installing Red Hat most of the times anyway.
>Anyone that installs everything on the CD’s that come from Redhat with all services enabled should be fired as a server admin, no matter what OS the person pretends to be able to support.
WHO SAID that anyone has to do ANY of that? All I said that the admin installs Red Hat using the “server” installation option! This includes mysQL and Apache and other stuff. The point is that there are exploits to be found and it doesn’t matter if you need these services or not. What matters is that they are there!
OpenBSD has a marketing department, as Bascule mentioned. It’s called Word of Mouth, and that’s not entirely FUD-free either.
And MS _has_ greatly improved their security record in recent years.
>> I am sorry, but you are wrong. You are assuming that mySQL and PostgreSQL and Apache etc are not part of what Red Hat offers. This is wrong.
You have to think of it as a product. And whatever is in the box, is part of the product. And it requires to go under heavy testing before end up in that CD.
>>
Well, thank you for clarifying. In this case, guys, there is no need for argument at all. What are you gonna argue about? That Redhat is not equal to wget, vnc and xpdf? Personally, I think it is a good sign that people will go to this lenght to demonstrate how secure ms server is.
I am starting you think you want this web site to turn into an os war flamebait jamboree.
You argue that since MySQL and all these other apps come on the RedHat CD, then it should be counted. Well, you know what, when your distro comes with 10x as many apps, I would expect to see 10x as many bug reports. And how many of the Redhat bug fixes fix REMOTE security holes? Most of those bugs are just local fixes which I don’t even care about because I am on a trusted system (that is, someone has to break into my home before they can break into my PC).
which, in this case is not easy to do. Eugenia is partly right: If Redhat ships it, they are responsible for testing it beforehand but, at the same time, that still rates as an unfair comparison.
To be truly fair, you have to normalize both platforms. Let’s not forget that Server 2k3 was delayed THREE times specifically to enhance security and reliability. Story here:
http://news.com.com/2100-1001-966174.html?tag=nl .
But, I’ll admit that truly fair testing is hard because of the way in which each company releases their software. Microsoft makes occasional major releases and multiple service packs. Their major add-on software follows its own release path while Redhat makes major releases and point upgrades much more frequently. I have mixed feelings about both methods but don’t have a better suggestion.
IMO, what really matters is the number of known security holes without any fixes and the time it takes to the team to fix an hole. I don’t care if some OS has 120 patches as long as it didn’t took much time to fix these holes and that you can apply those patches easily. I would say that this OS would be better than one with only 5 patches but with 10 known holes that won’t be fixed soon.
Eugenia said:
“Therefore, if the security holes found, let’s say, in the mySQL package, it is 100% the same as in found in the kernel or in the net stack. In both cases you will get rooted. It doesn’t matter WHERE the hole is. All that matters is the PRODUCT and what that offers.”
No, what matters is whether a vulnerability is remotely exploitable or not. If Apache is remotely exploitable, especially to get root, then it’s a big deal. But if MySQL has a local exploit, that hardly matters for dedicated hosts, or hosts that trust their users. It’s all a matter of whether the teeming masses can break in, or whether you have to first have a shell account to do damage. Big difference there.
>But if MySQL has a local exploit, that hardly matters for dedicated hosts, or hosts that trust their users
What you say about this?
https://rhn.redhat.com/errata/RHSA-2003-093.html
I have to side with Eugenia on this one. Redhat (and most other Linux distros) chose to put the various packages into their release. The did not have to, they voluntarily did so. But when they did it Redhat was putting their support behind the packages. So it is fair to compare the two as ocmpeting releases for different Operating Systems.
It would be nice if a distro were to make a version without the kitchen sink. If that were done then an apples to apples comparison could be done by funtionality.
I am much more pro-Linux than Eugenia, but the truth, even an ugly one, is still the truth. With the cornicopia of packages that come with Redhat et al also comes a greater number of places where exploits can be made. I still trust Linux more though, rational or not. I know the how/what/and why of every process that runs on my servers, and if a vulnerability is found I trust the community to patch it before it gets serious. I can’t say the same for Microsoft. Perception of a company is very important.
>What are you saying here???
>that the admin won’t install MySQL (one of the security >patches found on Red Hat’s page)? But this is why he is >installing Red Hat most of the times anyway.
Hmm, pretty simple actually. If someone configures two web servers for the same task, will they both not need the same type of software? If a database is needed, wont it be needed on Windows too?
If Redhat makes a cd with a kernel, init, Bash, and a simple gui will you finally be happy then? Maybe there wont be any security related vulnerabilities, but its flexibility will definitely be different. Then they could make add on disk sets that have apache 2.0, mysql, postgress, apache 1.3, Gnome, KDE, etc each on seperate disks. Then it _might_ be somewhere close to the Windows world and your “out of the box” statement on security would be closer to valid.
>WHO SAID that anyone has to do ANY of that? All I said that >the admin installs Red Hat using the “server” installation >option! This includes mysQL and Apache and other stuff. The >point is that there are exploits to be found and it doesn’t >matter if you need these services or not. What matters is >that they are there!
Its common sense if your a good server admin. If you install Windows 2000 Server and IIS and SQLserver, you MUST worry about security patches for EACH product. At least Redhat puts ALL of their products together to make it easy to update for security vulnerabilities across multiple servers configured for different tasks.
You have a point about the “server” install option in the Redhat installer. It installs services that probably not every server admin are going to use. Using that option is a double edged sword, it makes setting up easy, but opens possibly many unneccessary security risks. But, that doesn’t invalidate my point about what makes a good server admin either. If you open up the MSDN book and install every copy of Server software that comes from Microsoft, you’ll probably be able to accomplish many types of server configurations easily, and open yourself up to many of the same risks as in Redhat.
Matt: How many windows managers are there for Windows? With RedHat you get, umm… lots.
Let me see:
litestep: http://www.litestep.net/
objectDesktop: http://www.stardock.com/products/odnt/
geoshell: http://www.geoshellx.com/
cloud9nine: http://www.cloud9ine.com/main.asp
aston: http://www.astonshell.com/aston/index.html
core: http://coreshell.info/
carbon: http://carbon.shellscape.org/
sharpE: http://www.lowdimension.net/
lcars: http://www.lcars-terminal.net/
etc. etc. etc.
you can find more at http://www.desktopian.org/
For what it’s worth, I agree with you.
I’d like to remind everyone who disagrees that Red Hat doesn’t just make a kernel branch, they make a *DISTRIBUTION*. By saying distribution, that includes all software they choose to include in it, especially that which is enabled by default.
Now, it is true that a default Red Hat install includes more stuff than most default Windows installs. However, Red Hat could just as easily ship a stripped-down system a make the admins manually install their software. That is a choice that they have made. Microsoft has made it the other way.
When a corporation buys Red Hat, they’re taking Red Hat’s good name as collateral to their investment. It’s Red Hat’s job to make sure that their experience using it is entirely satisfactory. And the fastest way for them to lose faith in Red Hat is to get rooted by something Red Hat installed by default.
Well, the logic of the question determines the answer. You will notice that, when politicians or poolsters want to rig public opinion, the first thing they do is rephrase the question in a way that would suit them. On this issue then, here are the REAL questions that a real-life admin looking to make an informed techinical deployment would be asking:
1. Is IIS more secure than Apache?
2. Does the Windows DNS server have less bugs than bind?
3. Does Exchange have more or less bugs than Cyrus/Postfix?
4. Is Asp less than than perl or php?
4. Does MSSQL have more or less bugs than postgresql or mysql?
> If an OS has more fixed bugs, it means that it has more
> found bugs and potentially more bugs in general.
You’re assuming that bugs in closed source programs are as likely to be found as they are in open source programs and dismissing the fact that Microsoft doesn’t keep a public database of all reported bugs, so there is no way to measure Microsoft’s response to bug reports. For all we know, Microsoft may dismiss 90% of all bug reports off-hand without even giving them a second look until they’re repeated at least n times, because the reports they receive are, for the most part, reports of symptoms only and not as likely to include objective evidence of errors in the code.
How many of the errors that were found in open source programs were found only because someone was able to read the source code? How many of those errors would never have been found or reported if the source had not been available?
In other words, how many of the errors in open source code related to improper handling of edge cases or inputs that were so unlikely that the chances of encountering them were virtually nil? How many errors of that kind lurk in Microsoft’s programs and will never be noticed, let alone fixed, because the only people who can read the source code are Microsoft employees who may or may not care about handling edge cases customers complain?
Also, you’re counting patches for servers and applications that are not part of the Linux operating system. These programs would be referred to as “third party software” by ISVs. Shouldn’t you include security patches for all third party Windows software in the security patch count for Microsoft?
>> How many windows managers are there for Windows?
> stuff, and blah stufff…
> some more crappy desktop environments…
> crappy, flaky ports of *nix window managers to windows…
…and the lack of documentation/stability/code and feature maturity are a HELL of a lot worse than Linux, like a 100 x worse….
>> It would be nice if a distro were to make a version without the kitchen sink.
>>
Why would that be nice, can you please explain? Why is less choice better for a server admin? Just because there’s php and kde in the cd doesn’t mean that I have to add those packages when I’m building a mail server. I choose what I want, and leave out the rest. Its only takes like two or so minutes. Is that a problem for you?
I personally give KUDOS to Redhat and the other dists for supporting so many packages, their financial small size not withstanding. I think it is very nice and commendable, first that the owners and maintainers of these packages do allow other people to include the fruit of their hard labour, and secondly that companies like Redhat will go the extra mile to do all the work required to include them. I mean, redhat could easily say: you need mysql or apache? Go download and compile them, period. From my experience, having these packages in their dist makes administration and software maitainance that much easier.
I am sorry, but you are wrong. You are assuming that mySQL and PostgreSQL and Apache etc are not part of what Red Hat offers. This is wrong.
I must politely disagree with you. We are comparing operating systems, not “products”. Windows is very useless without buying applications to run on it, so by your logic one could say that Windows is a useless operating system; but such is not the case.
If you are comparing bugs in an operating system, then you can’t count security bugs in 3rd party software as part of that system. If you are comparing a “product” (meaning a complete, useful environment) then you must compare the bugs in MSSQL, IIS, MS FTP Server, MS dev tools, MS Office, Outlook, etc. Just because Red Hat bundles all of these applications in one offering and Microsoft charges you more per individual application should have no bearing whatever on the type of comparison you are trying to run. We are talking about and comparing the applications and operating systems, not the business models.
So, as usual, the Windows (the OS) vs. Red Hat (the OS + hundreds of 3rd Party applications) comparison is an invalid one.
I agree with Eugenia here. When people compare RedHat versus Windows, not a few will miss to note that redHat comes with LOTS more software, all free, bladibladibla.
One shouldn’t forget all the software on the RedHat CD’s when it comes to bugs. That’s very hypocritical.
And besides, MS and the Open Source use the same tools and use the same language: C/C++. And we haven’t seen any proof for Eric Raymond’s statement that Open Source has less bugs. It sounds good, like any marketing department slogan. But obviously, it doesn’t work that way, as Dijkstra could have told you.
Wrawrat writes: “IMO, what really matters is the number of known security holes without any fixes and the time it takes to the team to fix an hole.”
Remember the recent SQL Server exploit? The fix was there for 6 months or so. Fixing the bug is a minor part of the havoc a buffer overflow can wreck.
Making comparisons between the two is a little difficult because of their different approaches. What seems to matter when it comes to security is how much work an administrator needs to do in order to keep the system running securely.
At the end of the day, what you get with RH is a server OS package. If you are just an admin trying to make a living (as opposed to an OS zealot of some flavour, like the majority of us), you don’t give a shit about whether RH wrote Apache, MySQL or not, you care about whether it is easy to do your job.
If you aren’t a zealot, and are just interested in keeping your systems running, would you rather have been a RH9 admin or a Server 2K3 admin for the past month or so?
The practice of comparing the number of bugs from a thousand or so packages that come with a Linux distro with the handful of programs that come with Windows is FUD so old I’m surprised people keep disinterring it.
It’s also worth remembering that in Linux, a local privilege escalation is a big deal, and counted as a security hole. In windows, many of my programs will not work *unless* they are run as root (or ‘Administrator’ in Windows speak). I would suspect that about 95% of windows boxes are run as Admin, so are effectively already rooted.
>>>> It would be nice if a distro were to make a version without the kitchen sink.
>>>>
>>
>>Why would that be nice, can you please explain?
For one it would allow an apples to apples comparison as I said earlier. For another it would give me a nice compact starting point to build a box. Slackware works well for me, but I would not mind if it were even more lean. All the important apps I tend to build from source and keep track of directly (creating my own packages). The exception is OpenSSH which I use the default package for, I just don’t like configuring it for some reason.
I’ve been waiting to use this:
http://www.people.virginia.edu/~rjh9u/apporang.html
I notice that the Red Hat link is to actual errata and that the Microsoft link is to the news.com version of a press release.
There is a giant difference between a company where you can actually get a bug list vs. a company that doesn’t even admit there are bugs until they are hammered by external agencies who discover the bugs without any help from Microsoft.
What does a patch from Microsoft actually contain? Why are some patches uninstallable and others aren’t? Microsoft has a reputation of barely fixing a security bug and then using a patch to make sure Microsoft’s secret back doors into the software remain intact.
Ultimately if you are running a business, it is better to know what you are dealing with. And Linux offers this knowledge. Microsoft offers undocumented patches many of them uninstallable and a very hostile attitude regarding acknowleding and fixing bugs. For instance, Windows XP SP1 introduced many new bugs and Microsoft has shown zero interest in fixing them.
While Linux still is a young OS, it enjoys popularity because people are just sick and tired of Microsoft’s anti-customer culture.
>> All the important apps I tend to build from source and keep track of directly (creating my own packages).
>>
I can appreciate your viewpoint, but unless you are averse to spending a minute to choose exactly what you want, I don’t see how having a mysql or httpd rpm on cd can prevent you from doing a completely lean install.
That the owner/operator of a tech site could be so misinformed.
Comparing apples to oranges is not a valid comparison. is SuSE less secure than Red Hat because they ship more applications for you to install IF YOU WANT THEM?
You’ve already had illustrated that Red Hat ships with two databases. if there is a hole in each, that will be two listings for Red Hat. However, nobody in the real world runs two databases on a box outside of a testing environment. So the MOST any person/entity could have apply to them is ONE, not the TWO you wish to count. And for the people that don’t runa database it is ZERO. So the number TWO is entirely meaningless as a security metric.
The closest you can come (and even this is not apples to apples) is to compare “default install” to “default install”. You have 6 bugs and I have 3, therefore I am twice as secure is WOEFULLY POOR ANALYSIS.
On top of all of the above, is 6 bugs causing the color to display blue instead of red LESS secure than 3 trivial remote root exploits?
Please don’t use the you have 6 bugs I have 3 argument in the future. It is utterly and totally flawed.
The real menance here, folks, is Microsoft Windows. Redhat includes a mozilla rpm, but you don’t have to install it. Windows, on the other hand, forces IE on you, whether you like it or not.
True, Redhat includes the gaim rpm on CD, but you do not have to install it. Microsoft, on the other hands, has decided that a MSN is part of the OS!!!
Redhat includes mysql, but you don’t have to install it. Microsoft, with its upcoming Longhorn, is practically bundling MSSQL into the OS, potentially upstaging other db competitors and giving themselves an edge in the long run.
We know why they do these things, and that’s the most important reason why alternative OSes like Linux and FreeBSD must be encouraged
Please notice.. The vast majority of the linux patches are for *applications*. Most of these apps are cross platform as well, and these patches (though not in RPM format), would apply to them too.
Well, both matter, as you can’t apply a fix if it doesn’t exist, eh?
Anyway, it’s not the problem of the vendor if nobody is using their fix. The Slammer worm was quite nasty, but we can’t blame Microsoft because they made the fix. It wasn’t really their problem. You can only blame those lazy sysadmins that didn’t bothered to use it.
I agree with your comment, and I respect your love for OSS (as I’m using Linux too), but…
Quote: Microsoft has a reputation of barely fixing a security bug and then using a patch to make sure Microsoft’s secret back doors into the software remain intact.
…please don’t spread FUD unless you have valid proofs.
Microsoft does CUMULATIVE rollup packages which will have 2,3 or 20 fixes in them and it gets listed ONCE on their security list and is assigned ONE MS- number.
The Microsoft plaform is one big security leak and time afer time after time after time, they fail to secure their platform. Microsoft users need this type of article so that they can pick up their ass and carry on.
Magic Lantern is part of the Windows OS. There are specific patches so that it is not detectable by virus scanners.
Oftentimes, Microsoft has to maintain back doors to activate monitoring software such as Magic Lantern.
http://lists.anti-dmca.org/pipermail/dmca_discuss/2001-December/000…
Your Fear, Uncertainty and Doubt arise because Windows XP is a closed OS from a closed company. If the Windows OS were open, then there would be no trust issue and my mentioning of the spyware that is part of Windows would be accepted as fact, not as FUD.
Microsoft is a company that was found guilty of being an illegal monopoly, using illegal business practices to sustain that monopoly, and yet had no substantive penalties or operative changes imposed on them. Only a Prince Mishkin is unable to see what is going on here.
Governments all over the world are moving to Linux because of the spyware that is in Windows. I am not making this up. You can read all about it on the net.
Please don’t let your ignorance get in the way of knowing what is really going on with Microsoft and their spyware.
Eugenia Loli-Queru, yes, it has been an improvement over Windows 2000. When Windows 2000 was released, heck, even BEFOIRE the release there was a security patch being issued, and if I remember correctly, it appeared on the Windows Update site on the 27 February.
As for Windows 2003 vs. Redhat, lets first of all compare like with like and considering that there is a handful of patches for default and depreciated features (which Redhat suggests not to install), one has to relook their put down of Redhat Linux. Secondly, Windows 2003 is brand new, lets wait until a string of patches are released and whether or not they have fixed their “lets release three patches to fix one problem”. The best exxample was a security issue with RASPPP and the phonebook. Microsoft released three patches, and fortunately it was a matter of “third time lucky”. I’m sorry, but I expect more from a multi-billion dollar organisation. If Redhat can issue patches and correct problems the first time, that is what I expect of Microsoft as well.
Uhh no, most engineers (myself included) are on call 24/7/365.
You keep mentioning this “Default Install” what is installed with this? I have a RH 9 server (for DB2) that I did not install but I administer. Now the guy who did the install is not an idiot so I have to assume he followed the directions for a conventional install. That box had MySQL, a DNS server, CUPS or lpr (maybe both can’t remember) and Apache installed. Is that typical for a “just follow the prompts” server install? If so then how can you not include these in the comparison?
I realize you can deselect packages (see posts above) but I am curious about what gets installed unless you specifically tell it not to (like MSN mesenger, one of the most anoying programs of all time).
I would be happier if the install defaulted to less and prompted you to see if you wanted more. I don’t consider it bloat or anything silly like that, I just prefer an opt in model versus an opt out.
Why haven’t they included the latest update for IE into their statistics? the June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 has already been released, shouldn’t that be counted as a necessary update for Windows 2003?
Eugenia, obviously you have made up your mind and settled on your interpretation.
I see you lashing out, trying to get people to see things your way.
Almost to the point, where you think your view point is fact.
As a microsoft sysadmin (MCSE+i), a newbie Redhat/FreeBSD admin, and someone who has spent years providing technical support….I have to say that your view point, has mild validity amongst marketing dronez, and the suits…but I’d even have to balk at that a bit.
I know for a fact that many of them are smarter then that.
You are trying to pass off a simplistic argument at face value.
Your opinion (in this particular case), has not merit with me.
I have found common ground with some of your opinions in the past. But today, I think this particular one is irrelevant.
From InfoSecurity magazine:
Magic Lantern Info Sought Again
A Fearing that the FBI’s Magic Lantern project could “greatly impact the privacy and civil liberties of all Americans who communicate via e-mail,” Rep. Ron Paul (R-Texas) asked the FBI to provide information on the keystroke logger, or justify it’s refusal to share information. According to published reports, Paul asked for a response within two weeks. The FBI refused to comment.
http://www.infosecuritymag.com/2002/jan/digest17.shtml#brief4
And another good link:
http://www.cfif.org/5_8_2001/Free_line/current/f_l_genie.htm
The plain and simple truth is that Magic Lantern is part of Windows XP. The FBI can send your computer a TCP/IP packet to activate it and then your machine with send out extra TCP/IP packets to what look like DNS hosts, Akamai servers, or other ‘normal’ hosts, but these packets actually contain encrypted segments of a keystroke log of your computer.
Some of you really need to chill out a bit. Stop being zealots for a moment and admit that there might be some valid complaints against your favorite system. You want to see me do it too? I’m a mac-head: Apple hardware is overpriced and they should be more open in releasing their source. There, it’s not that hard.
Now, let’s clarify things. We’re having a serious case of miscommunication. Some of you are thinking merely of Windows and Linux in terms of kernels. I don’t have enough information about it, but I’d warrant there isn’t actually a significant difference in the number of bugs in the kernels of each system.
Most of the problems in any system (unless it has severe internal flaws) come from the included userland utilities. It is the job of the OS manufacturer (in this case Red Hat) to make sure everything that is installed and enabled by default plays nice.
Now, the easiest way to do this is simply to disable lots of things by default. After all, if they’re all turned off, they can’t mess anything else up, and they can always be turned on when needed.
This is the strategy that Windows as a product takes. Red Hat as a product goes the other way and installs a fairly extensive set of software by default.
Now, neither approach is necessarily better. Windows is, out of the box, much less functional than Red Hat. However, Red Hat is much more vulnerable to software conflicts and bugs.
And someone earlier raised a good point. If you’re going to praise Red Hat as superior because it includes more software, then you also have to accept that some of that software is going to introduce bugs. There really is a reason that most OS manufacturers don’t include too much with their system.
Wow, Microsoft must have innovated again. Better run out and empty your wallet for them. Hurry!!!
redhat doesen’t jsut patch teh core system, rh gives patches for everything!
From a business standpoint, anyone who disagrees with Eugenia is wrong, plain and simple, and I’ll tell you why.
There’s a phrase – “Nobody ever got fired for buying IBM.” The point of the phrase is tro poke fun of the fact that you can’t be blamed for choosing the big company – you, as the IT implementer, now have deniability – “Hey, I chose IBM…how could I have known!?” It’s true in America – everything is about blame. Red Hat makes most of their money from support and consulting, and they make money because they stand behind the products they DISTRIBUTE, whether they wrote them or not, and are expected to maintain them.
When Red Hat releases a packaged set, they inherit (and do voluntarily assume) responsibility for all packages they distribute. Case closed.
You may not agree with this in theory, but that’s how it does currently work.
Right, that explains this.
From: http://securityresponse.symantec.com/avcenter/vinfodb.html
“Systems Affected: Linux” – 8 results found
“Systems Affected: Windows” – 1285 results found
and this:
Top Attacked Ports
netbios-ns 137
www 80
ms-sql-m 1434
netbios-ssn 139
microsoft-ds 445
– http://isc.incidents.org/
I see how RedHat is more vulnerable than Windows (ROTFLMFAO)
THIS JUST IN – no operating system is totally secure! Ok, ok, all you OpenBSD and TrustedSOLARIS people in the back sit down and be quiet. The more code humans write, the higher the liklihood of mistakes.
Another thing is that Redhat comes preloaded (if not enabled) with a lot of programs already installed. How many of these patches were for Redhat software. What if Redhat decides (and this WON’T happen) to not bundle anything they didn’t make themselves (besides the kernel and other needed items).
It would make redhat super-secure. But not very usable by the average Joe. Just ask the OpenBSD people.
btw, my bikeshed is red.
I disagree with Eugenia here. She has a point, that if a package is in the RedHat box, you have to include the vulerability, but to be fair, you have to compare it against a Windows server configured with IIS, Exchange Server, SQL Server, etc.
The other issue at play here is that many times security vulnerabilities affect a library that multiple Linux packages depend on, so a vulnerability in that library may require 5 different apps to be rebuilt against it, which counts now as 6 updates.
Also, don’t forget about all the MS vulns we don’t hear about. We all know that MS only releases fixes for vulnerabilities that are discovered by others and publicized. There could be 45 vulnerabilities in Win2k3 server that we’ll never know about.
/g
Clicking Security after following your incorrect link to “ALL” errata, you will find this:
04/03 – 06/03 there are 21 patches, not “almost 30”.
03/31 – 05/30 also reveals 25 patches, which is also not “almost 30”.
My FUD arise because of the lack of proof, and I hardly take a message in a mailing list as one. Anyway, one source isn’t enough. “You can read all about it on the net” isn’t one.
AFAIK, not all governments all around the world are moving to Linux. I only heard of China, Germany(?) and one or two other I forgot. Many are choosing another platform. I guess that most top secret data ain’t sitting on Windows PC, anyway.
Microsoft didn’t get a big penalty or operative changes _for a reason we don’t know_. It could be because of a spyware, but also because of corruption or 1001 other reasons…
I don’t say: “There is no spyware in Windows. Never!”. I just say that you are spreading propaganda that is backed by no solid proof. I’m sure there’s enough people hacking Windows that they would have detected that kind of software long ago. I might be wrong, but at least I don’t claim that I know the absolute truth like you do.
If you don’t want to run Windows because of this, fine. That’s your choice. Just don’t start a Linux conversion crusade backed with unproven propaganda.
“Gee, I gotta buy Microsoft because I’m too afraid of my own incompetence. If I don’t buy the lame software from the big company, who will I blame?”
The key point here is realizing that IT staff buy Microsoft because they know Microsoft has so many bugs and problems that it is guaranteed they themselves will never be held accountable for anything.
And we wonder why there is an 80% IT project failure rate.
>> From a business standpoint, anyone who disagrees with Eugenia is wrong, plain and simple, and I’ll tell you why
>>.
Actually, that’s not true in most of the cases. Future shop sold a cell phone package to me today, but I was specifically told to contact motorolla, not future shop, in the case something goes wrong with it. Or take the case of pc makers who, as part of the deal, sell you machines bundled with AOL or sprint dialup, for example. When you aol breaks, you don’t call compaq. You call aol.
By the way, she doesn’t like it when you make her person the subject of the comment, so this “sorry, she’s right” heading you used is not welcome.
If you’re such a rocket scientist, you would have read the Red Hat release notes which CLEARLY states that LPR and all other printing protocols have been DEPRECIATED and replaced with CUPS.
A default install is a installation with the defaults selected by RedHat. A full default install would include all packages MINUS the depreciated.
As for the sundry packages that come with it, would you install Postgresql and MySQL on the same server? of course not, that would be bloody stupid, hence the reason this whole tit-for-tat BS that keeps floating about patches gets level headed people like me pissed off.
I’m interested in moving to Linux, and RedHat looks fine (plus it’s on campus here at ncsu) but i don’t want to patch it all the time. Is there any way to set it up to automatically download and install these things? A patch every couple of days I don’t want to bother with.
Balmer: “Linux has added credibility and an illusion of support and accountability”
Hmm, little “accountability 101” about Microsoft products.
from: c:winntsystem32eula.txt
“13. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL
AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM
EXTENT PERMITTED BY APPLICABLE LAW, IN NO
EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE
LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT,
OR CONSEQUENTIAL DAMAGES WHATSOEVER
(INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR
LOSS OF PROFITS OR CONFIDENTIAL OR OTHER
INFORMATION, FOR BUSINESS INTERRUPTION, FOR
PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR
FAILURE TO MEET ANY DUTY INCLUDING OF GOOD
FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE,
AND FOR ANY OTHER PECUNIARY OR OTHER LOSS
WHATSOEVER) ARISING OUT OF OR IN ANY WAY
RELATED TO THE USE OF OR INABILITY TO USE THE
PRODUCT, THE PROVISION OF OR FAILURE TO
PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER
OR IN CONNECTION WITH ANY PROVISION OF THIS
EULA, EVEN IN THE EVENT OF THE FAULT, TORT
(INCLUDING NEGLIGENCE), STRICT LIABILITY,
BREACH OF CONTRACT OR BREACH OF WARRANTY OF
MICROSOFT OR ANY SUPPLIER, AND EVEN IF
MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES. ”
A little “101” about Microsoft’s “support”
From: http://support.microsoft.com/default.aspx?scid=fh;en-us;Prodoffer02…
# Online Support: $99 offer!* Receive an online response within 24 hours.
# Phone Support: Speak with a Support Professional for $245*
Hmm, where’s Microsoft’s “support and accountability” Steve?
OK, I didn’t read that part before posting my last message, but…
Do you know the credibility of these sources?
Magic Lantern is a program, right? Can’t you just trace it with a debugger, or make a memory dump and analyse it? Can’t you trace where the packets are going? Encryptions are breakable, too. Can’t you just break them? Or maybe Intel and NIC manufacturers are participating to that conspiration?
I can’t prove the inexistance of a spyware, but you can’t prove it’s existence either. I’ll listen to you if you have concrete proofs, not some articles or editorials from unknown sites.
When the German Intelligence Agency came out and said they were switching off Windows and to Linux, they claimed they had investigated Windows and found proof of Microsoft spyware.
If they are spending over $20 million to switch off of Windows, I trust they are doing this for a REAL REASON!
It is very difficult to prove a negative. And that is why it is silly for everything that is not a mathematical proof to be labeled as FUD.
It is silly to think there is not spyware in Windows.
Why didn’t the FBI answer Ron Paul’s inquiry?
Why did all the virus scanner companies have to change their code to ignore certain areas of Windows?
Everything adds up to there being spyware in Windows.
Install apt, write a small script similar to the following and add it to cron. Note, this will not install kernel updates. You may want to research Ximian’s RedCarpet. Up2date may also provide non interactive patching.
#!/bin/bash
rm /tmp/updated.txt
apt-get update || (echo “Failed to update catalog” | mail user@host)
apt-get upgrade -y 2>&1 >/tmp/updated.txt
cat /tmp/updated.txt | mail user@host
True, one only needs to look at the list of un-patched vulnerabilities in Internet Explorer. I sorry, but whether it is “critical” or not, the issued should be fixed, and fixed properly the first time.
Germany – standardizing not just military + intelligence infrastructure but entire government on Linux and open-source IT.
Other large countries that have significant moves from Windows to Linux for military and intelligence computing:
Canada
France
England
Spain
China
Singapore
India
This is just the tip of the iceberg. More and more countries are moving to Linux. Without open source code, you simply cannot trust the OS. Microsoft is totally opposed to open source for a good reason — they have too much too hide.
With closes source ‘if’ there was spyware, there would be nothing that the user could do to remove it, because it’s not possible to recompile the kernel.
Pleeeese buy Microsoft products though, because even though the architecture of the platform is 99% the unchanged, somehow Microsoft has innovated again, like nobody else can. They have a working platform and because it works, you would be a fool to use anything else. This is comming from a business standpoint BTW.
>>If you’re such a rocket scientist, you would have read the >>Red Hat release notes which CLEARLY states that LPR and all
>>other printing protocols have been DEPRECIATED and replaced
>>with CUPS.
First off, where did I say I was a rocket scientist? I am a decent programmer, and an acceptable admin. If I were great I sure as heck would be making more money than I am.
Second I SAID I was not familiar with RH and that I did not do the install. Finally, I said it installed CUPS or lpr but could not remember which. Is that hard to understand? Put simply I saw a printing process on the server which did not need it so I disabled it. I did not pay attention to which it was.
Oh yeah, it is deprecated, not depreciated. Why don’t you go tell some newbie to RTFM instead of quipping about posts you did not read well enough to comment on intelligently.
I simply asked the informed readers of this site if the normal default install for a RH server included the oackages listed above. Not a trick question, nor a slam against RH.
A little “101” about Microsoft’s “support”
From: http://support.microsoft.com/default.aspx?scid=fh;en-us;Prodoffer02…..
# Online Support: $99 offer!* Receive an online response within 24 hours.
# Phone Support: Speak with a Support Professional for $245*
Hmm, where’s Microsoft’s “support and accountability” Steve?
That has always been by bone of contention with Windows supporters and sales reps. On one hand they sell and promote a product that has “support and accountability”, yet, on the other hand, what do you really get for the $1000s spent on the product?
When I was a yong lad I was taught that piracy hurts because companies sell products and uses that money too provide technical support and updates to their customers. By customers not buying the product they company can’t provide those services. Whats happen to good old fashioned values and ethics? If I buy a copy of Windows XP or what ever, I expect atleast some level of technical support. Sure, I don’t expect a tutorial on how to use it, however, if I come across a BSOD I should be able to phone up, explain it and the person on the end of the phone diagnose the problem.
Again I ask, if you are paying $1000s for software and get so support, what are you actually paying for? if they want to move to a user pays system, why don’t they reduce the price of the software to compensate for the loss of support?
Why not just say Linux sucks next time and save the trouble of trying to sound unbiased?
On point since you felt the need to bring it up. I’d like to point to exhibit (A)which is the BILLIONS in dollars in damage done by viruses to MICROSOFT software. Beyond that I don’t think there is much to say.
Open Source IS more secure, people who count patches are fools, and although a large percentage of Internet runs on Free OS’s (BSD’s, Linux’s) they do not come close to matching the monetary loss made by people running Microsoft software.
Am I saying all MS software sucks? Certainly not. But from a security standpoint you windows backers can point out a thousand patches Red Hat made, but it still won’t make up for the fact that security wise and monetary damage wise it is an order or magnitude better than anything comging out of Redmond.
“Microsoft wins antitrust trial! Why? Because, in spite of its settlement, Microsoft doesn’t have to lower prices. The raison d’être for being a monopoly is to be able to set prices to maximize profits at the expense of the consumer. Indeed, this is the very definition of monopoly. Microsoft suppressed competition so that it didn’t have to compete on price. A monopoly has no other purpose for stifling competition! The Department of Justice’s myopic focus on competition is because this trial was brought about by the behest of Microsoft’s competitors, and not by consumers, who are being gouged by the billions! Because Microsoft’s monopoly is firmly established, the concessions it made in its settlement will have little effect on the company or the competition, and will do nothing to lower Microsoft’s truly exorbitant prices.”
“Microsoft has a simple strategy for earning great profits. The software business is a natural monopoly business because average total costs continually decline with increased output. Therefore, if Microsoft could find a way to eliminate competition without having to compete on price, then profits would increase dramatically as Microsoft sold more software. Microsoft has succeeded. Ironically, the main method that Microsoft has used to stifle competition is predatory pricing—distributing its products at no apparent cost to the consumer, primarily by original equipment manufacturer (OEM) distribution, so that its software becomes a standard, which would then allow Microsoft to charge that price which yields maximum profits at the expense of the consumer.”
Support costs real money. Microsoft uses predatory pricing to keep their monopoly alive and then charges extra for support, making support a profit center as well.
http://money.york.pa.us/Articles/Microsoft.htm
You keep mentioning this “Default Install” what is installed with this? I have a RH 9 server (for DB2) that I did not install but I administer. Now the guy who did the install is not an idiot so I have to assume he followed the directions for a conventional install. That box had MySQL, a DNS server, CUPS or lpr (maybe both can’t remember) and Apache installed. Is that typical for a “just follow the prompts” server install? If so then how can you not include these in the comparison?
How about YOU looking at the tone of your post. Fobbing off responsibilities onto a third party who can’t respond on this forum is bad form. If you were a real administrator you would know the system you’re administrating inside and out. Personally, if I don’t know a system that well, I do not administrate it until I know what I am doing. Simple as that.
Again, what is included in the server installation is in the Redhat manual and online. Again, if you actually took the time to read the documentation and become famila with the system, we wouldn’t be having this discussion right now.
As for default services running, IMHO, Redhat has way to many services running especially for those who make a workstation installation. Why does a workstation install require sendmail? it doesn’t, simple as that. So, if you are going to jump on the sledging bandwagon, it should be over the number of services loading by default on Redhat rather than its patch number.
to Eugenia:
To quote one of your comments made before my post:
“I am sorry, but you are wrong.”
I think my header was appropriate. Saying somebody is wrong is the starting point for any reasoned discussion of differing viewpoints. A more polite way to say this is “I beg to differ”. But both mean exactly the same thing.
If you read my comment, you can see that there is no trolling or attempted trolling. I think you were wrong in some of your comments for the reasons I stated. I also think many others making comments are wrong, so disagreeing with you is not the same as agreeing with those you think are wrong.
I did read your comment carefully and understood what you were saying. That is why I disagreed with you and wrote my comment, which made points you did not make.
Sincerely,
Mark Wilson
Just in case you didn’t notice…. Your OSNews editor is a gunslinging Greek woman. And she’s bright. It doesn’t mean she is always correct, though. It only means she thinks she’s right all the time. And if she’s fired up about something she cares about and you disagree with it… you take the chance of being instantly put into the troll bin.
But all of the above is what makes OSNews interesting. There are volatile people with volatile beliefs and fervent opinions. Eugenia leads by example. Don’t take it personally.
If you really want the bartender to hear what you have to say, sometimes you need to shout. Or you won’t get to drink with the rest of the rowdy bunch that are sitting at the bar. And for those who don’t want to deal with the bar scene, there are plenty of tables where you can sit and sip, observing the action from a distance.
who gives a shit about red hat or windows. use what you like, shutup about the rest. the people reading this site are interested in os’s. they’re biased already (and if they aren’t, they won’t bother posting responses to this dribble because they already know its a waste of time), you’re not going to convince anyone of redhat or windows superiority. surely you people have better things to do than sit here and go “Eugenia, you are wrong”, and “nyah nyah”. c’mon.
How about YOU looking at the tone of your post. Fobbing off responsibilities onto a third party who can’t respond on this forum is bad form. If you were a real administrator you would know the system you’re administrating inside and out. Personally, if I don’t know a system that well, I do not administrate it until I know what I am doing. Simple as that.
—————————–
Why do I bother? I did not “fob off” the responsibility, I took over administration. This might be hard for you to imagine but in some workplaces you actually get given and delegate responsibility. As it happens I was onsite doing consultant work when the install was done, though to be honest I probably would not have done the install anyway.
I saw and still see no reason to read the release notes. The sever is up and configured. I did not need to read the release notes to adjust and administer it. Nor am I going to read them just to have somebody accuse me of being a philistine anyway.
All you anti-Microsofties here, listen up. My buck is on you not being able to hack into a properly configured Windows box if your life depended on it. Patches or not, only unmaintained, unfirewalled, un-virus-protected servers are major targets.
Almost all major OS’es are fairly secure, and a good admin should be on top of patches/hot fixes/etc no matter which OS he runs. Default install security should be worthless on servers – a good admin customizes his servers before they go live, so defaults should mean jack. It’s only paper MCSE’s and Linux newbies that leave defaults as-is who fuel this battle.
Windows is not inherently insecure and neither is Linux. Patch count is worthless. Everything else is just idle chatter.
I like Eugenia. More hits and clickthroughs by me means more money for her and I’m happy to do my part. But it does bother me to be accused of trolling. I’ll try not to take that part personally.
Steve Ballmer is _very_ wrong.
Adam… Windows is well known by the entire world to be the most insecure mainstream OS. No other operating system can make this claim. Sure, it’s been improved and Windows 2K+3 is better than the rest. But making some great proclamation of its security when it has only been out a month and is being used in next to zero production environments is just plain silly. Wait until W2K+3 has been out a while and see what turns up.
And when you talk to Microsoft next, try and see if you can get a buglist out of them. It’s been about 15 years that people have been asking to no avail, but maybe your favorite illegal monopoly will listen to you.
Please spare me. The only thing massive about the Trustworthy Security Initiative is the hype machine. Security does not come out of the marketing department. Security is something that has to be proven. You go years without ridiculous security flaws in your software, then people will believe your software is secure. In the real world, who do you trust with your money? The bank that has been around for a long time with a good track record. Your data should be no different.
“All you anti-Microsofties here”
Professional.
“not being able to hack into a properly configured Windows box if your life depended on it”
Just a buck huh? lol
“Patches or not, only unmaintained, unfirewalled, un-virus-protected servers are major targets. ”
Riight, lets look back to SQL Slammer.
“It’s only paper MCSE’s and Linux newbies that leave defaults as-is who fuel this battle.”
I wish that were true, the reality of the situation is that business sometimes forces even good administrators into a position where they are not allowed to take a system down to patch. Microsoft sometimes forces even good administrators into a position where they lose systems (or services) to patches. Your closed minded philosophy only compounds the problem.
Windows has been proven to be inherently insecure, which is why Microsoft is working to fix it.
> I like Eugenia. More hits and clickthroughs by me means more money for her and I’m happy to do my part.
Then you will have to know that I do not get paid for doing OSNews. OSNews is NOT mine, David Adams is the owner. The rest of us here, are volunteers. So, if you want to click through or not, it is your call. I don’t see any of that money or any other money.
It is very difficult to prove a negative. And that is why it is silly for everything that is not a mathematical proof to be labeled as FUD.I don’t ask mathematical proofs. I ask concrete evidence, like a code dump or something like this. Accusing somebody to be a murder without any evidence won’t lead you very far even if he’s really a murder.
It is silly to think there is not spyware in Windows.Your arguments are nice, but they all seem have something in common: they seem to come straight from your ass. I respect your opinion, but that’s not what I ask for! Where are the proofs? What are your sources?
Anyway, we’re off-topic, so I won’t reply to you here. Just mail me if you want to continue this discussion.