The first place many companies look for Apache support is their main distribution provider, most commonly Red Hat or SuSE. As open source grows, the need for support grows, and this new need has led to the development of a new support option: third-party vendors who manage or patch software. Flaws raise a red flag on Linux security, but many users remain confident about the security of the open-source environment, notes ComputerWorld.
It seems whenever MS puts out some news about a new campaign to show its benefits over Linux, the trade journals/magazines follow suit and put out some articles questioning the viability of Linux. Now I’m not saying these issues should be discounted and aren’t legitimate concerns for the community to look at, but when it comes to Open Source, this has been the trend I’ve observed so far. Just my two cents, MS zealots, flame away!
> It seems whenever MS puts out some news about a new campaign to show its benefits over Linux, the trade journals/magazines follow suit and put out some articles questioning the viability of Linux.
Well, on any site I’ve seen posting about a new MS security flaw, if the site has a talkback forum, there’s usually about 800 posts proclaiming that the ultimate solution to any Windows problem is to reformat the hard drive and install Linux, so I think this sort of thing goes both ways.
I hear ya WorknMan, but posts don’t bother me, it’s the regular trade press that “appears” to me to follow the MS lead rather than keep an independent analysis. Again, MS types flame away, I’m wearing my fireproof underwear. =)
BTW, I use both OS’s on a daily basis and am constantly evaluating the merits of both to do the job best. So don’t lump me in the MS vs. Linux category.
“It seems whenever MS puts out some news about a new campaign to show its benefits over Linux, the trade journals/magazines follow suit and put out some articles questioning the viability of Linux.”
“Who’s Patching Open Source?
The first place many companies look for Apache support is their main distribution provider, most commonly Red Hat or SuSE. As open source grows […]”
I’m not sure whether that’s Red Hat or SuSE mostly. Because Apache ain’t Linux only.
FLOSS and Apache is not exactly the same league as (GNU/)Linux. FLOSS is much more than solely Linux or Apache. Apache runs on much more than Linux only. Including Win32. There’s also quite a lot of Apache offspring (IBM made one for example) which run on Win32. A friend of mine works at a bank where they run these IBM webservers on Win32 and they just get support for it, from IBM. But where can one get support for generic Apache/Win32?
“Flaws raise red flag on Linux security but many users remain confident about the security of the open-source environment notices ComputerWorld.”
Since there’s a difference I always keep wondering about what every individual means with “Linux”. Is it a distribution? A kernel? An OS? What does the _author_ mean with “Linux”?
Regarding security flaws in the kernel there were only 2 local ones in the past months. Desktop users don’t even feel that. Some servers together with ie. rsync would. But is it worse than RPC? This was already addressed by someone else in the rc2 -> rc3 thread and I think it’s a good point.
The kernel bugs were local root exploits. They are only relevant if you have a system connected to the internet while you provide, for example, public access to services like TELNET or SSH (apart from physical access).
Such services should not be accessible on file servers, http servers or whatever server for the public except the administrators.. unless you have a vulnerable ssh or a weak password; whatever, then this exploit will come in handy if you want to own the machine.. apart from other mechanisms preventing exploits like stack randomization, and other non-default kernel patches elevating security.
Dpl is right. Linux is just a kernel. Apache is just a daemon that happens to run on Linux. It can also run on FreeBSD, OpenBSD even Windows products.
>> Apache runs on much more than Linux only. Including Win32. There’s also quite a lot of Apache offspring (IBM made one for example) which run on Win32.
Oracle make (and support) one too.
Well first the person that gave them the software.
If it is a distro then contact them.
Otherwise contact the creator of the package then the actual author of the package.
Try support groups such as web forums or usenet, try googling for the answer.
Well that’s one of the problems with open source, people and companies want to get support from one company they don’t want to waste their time going around the above loop.
>The kernel bugs were local root exploits. They are only relevant if you have a system connected to the internet while you provide, for example, public access to services like TELNET or SSH (apart from physical access).
I do enjoy reading Linux advocates claiming on page 1 that viruses are harmless on Linux because they can only affect local user, and claiming on page 2 that local root exploits are harmless for Linux because they require access to the box.
How about adding 1 and 2 and realizing that local root exploit is and will be the preferred way for Linux viruses to propagate and rootkits to exploit the system?
Linux zealots are so obsessed with the way malware works on Windows- they refuse to open eyes to ways malware will work on Linux.
Let me repeat again: local root exploits are bad. They are bad because they will be the entry point for Linux malware.
Now, how long that bug was in Linux code unnoticed? Well,…
Now, how long did it take to fix that bug? 3 weeks. If it is fast, then you are about to get unpleasant surprise: hackers who want to screw you work faster.
Last, but not least: Linux kernel is the crown jewel of Open Source. Reviewed by independent developers all over the world plus developers from such monsters as IBM and Oracle,- still that is not enough to eradicate long lasting root exploits?
Maybe it is not enough to just open the source? What is missing?
Can someone just ask that question: what else should be done for local root exploits not to be in open code for months and to be fixed for less than weeks when found? Instead of bashing Microsoft using old software development model (which is bad): ask yourself why new and better software development model is still not producing sufficiently good results?
Two 2.4 kernel patches in less than month, plus new 2.6.1 kernel with ‘bug fixes and improvements’ that just arrived- well, are we talking about New Microsoft here? What’s wrong with you, Open Source people?
When a person buys a new computer, the first stop for support is the computer’s maker. If the problem is software related, then first stop is the computer’s maker which in turn they may direct you to the software’s maker.
Until Open Source software gets placed on new computers, the first stop for support is the software’s maker. If companies buy new computers with Open Source software, then first stop for support is the place the companies bought the computers.
If you can not get support from the computer’s maker or the software’s maker, then third party support may be your only solution.
I think SCO was trying to discourage people from going the Open Source way by implying there was no support. Now, Microsoft is trying to do the same thing.
>>The kernel bugs were local root exploits. They are only relevant if you have a system connected to the internet while you provide, for example, public access to services like TELNET or SSH (apart from physical access).
>I do enjoy reading Linux advocates claiming on page 1 that viruses are harmless on Linux because they can only affect local user, and claiming on page 2 that local root exploits are harmless for Linux because they require access to the box.
>How about adding 1 and 2 and realizing that local root exploit is and will be the preferred way for Linux viruses to propagate and rootkits to exploit the system?
It is indeed the preferred way when you’re a clueless administrator who’d be stupid enough to run a binary you don’t trust explicitly as root on your local machine to prove your point.
Local root exploits require access first to the machine, usually using vulnerable systems that have remote access to the machine to be attacked, or exploiting insecure versions of services running in the machine to be attacked, or an inside job by saboteurs. In either case you’d drop to a root shell or be able to execute arbitrary instructions once you perform the local root exploit. Note the condition that you DO need to get access first – if that condition cannot be satisfied then local root exploits won’t count.
Running insecure services is already a joke. Not patching systems for security fixes and instead blindly blame other people is another joke. Please don’t propagate the number of jokers by hiring or even maintaining incompetent administrators who’d run untrusted code on their systems.
>Linux zealots are so obsessed with the way malware works on Windows- they refuse to open eyes to ways malware will work on Linux.
>Let me repeat again: local root exploits are bad. They are bad because they will be the entry point for Linux malware.
Local root exploits ARE bad when your machine is already in a situation begging to be compromised, or the administrator of that machine is begging crackers to compromise his setup.
>Now, how long that bug was in Linux code unnoticed? Well,…
Compare that with bugs so obvious, and yet go unfixed. Which do you think is better?
At any rate, the bug was quite obscure. There must’ve been a hard time finding that bug on either side, given that both sides have copies of the code. At least in the open source model, the good guys also have a fighting chance in the race called security.
>Now, how long did it take to fix that bug? 3 weeks. If it is fast, then you are about to get unpleasant surprise: hackers who want to screw you work faster.
As you do need access to the machine as a pre-condition, you first must have a compromised system either via running insecure versions of software, or be in a hostile physical environment where anyone can lay their hands on your machine, or be an idiot to run insecure code for you to be screwed real hard.
>Last, but not least: Linux kernel is the crown jewel of Open Source. Reviewed by independent developers all over the world plus developers from such monsters as IBM and Oracle,- still that is not enough to eradicate long lasting root exploits?
You’re living in the dream world wherein everyone can fix every bug almost instantaneously. Bug squashing does take time, and sometimes the bug would not be as obvious as you may want it to be. At least in the open source approach, you can verify and fix it given that you do have the know how. If you only know how to rant though, then you’re not fixing anything. Compare this to the closed source approach wherein you can’t get independent developers or monsters such as IBM and Oracle to review the code…
>Maybe it is not enough to just open the source? What is missing?
It’s not enough to just open the source. There must be also people who’d review them. One person may not see all the bugs, and not all people, despite all their skills
>Can someone just ask that question: what else should be done for local root exploits not to be in open code for months and to be fixed for less than weeks when found? Instead of bashing Microsoft using old software development model (which is bad): ask yourself why new and better software development model is still not producing sufficiently good results?
I agree that we shouldn’t just bash Microsoft. As the terminator once remarked on a music video, bashing MS is “waste of ammo.” Better spend it coding.
The scientific method of producing software (which is open source) is indeed producing better results – you’re just too ignorant to appreciate it, or too naive to see it.
>Two 2.4 kernel patches in less than month, plus new 2.6.1 kernel with ‘bug fixes and improvements’ that just arrived- well, are we talking about New Microsoft here? What’s wrong with you, Open Source people?
Huh? And that’s a bad thing? Speedy fixes to software?
Microsoft takes MONTHS to patch their software for bugs in the name of “regression testing.” Be thankful already that they do get noticed and fixed, instead of the Microsoft way of belittling the problem until all fingers point to them – and only at that time they’d fix the flaws.
> cx wrote:
> > The kernel bugs were local root exploits. They are only relevant if you have a system connected to the internet while you provide, for example, public access to services like TELNET or SSH (apart from physical access).
Russian Guy wrote:
> […] claiming on page 2 that local root exploits are harmless for Linux because they require access to the box.
Fallacy.
“Harmless” is not what s/he claimed. Go figure the “only relevant” sentence; there’s clearly pointed out there are circumstances where it _does_ matter.
> Well that’s one of the problems with open source, people and companies want to get support from one company they don’t want to waste their time going around the above loop.
First of all I said companies not people. Individuals and small businesses normally have quite different support needs compared to large enterprises.
Second you are continuing the myth that an enterprise needs one company. That is what Microsoft wants you to think but it is bullshit.
Does Microsoft support the PC hardware?
Do they do the networking?
The answer is No.
Unless you actually study a real world enterprise support system you will not see why what Microsoft says is wrong.
Normally a company has one or more procedures for dealing with an emergency. Not everything goes to the helpdesk. Sometimes local people actually outsource the work. Sometimes there are more than one help desks for dealing with different areas of support needed.
If someone’s PC keeps crashing they call support.
If the local network goes down they call support.
If the program they are using doesn’t do what it they call tech support.
But these are all relayed to different places in the end. Some are handled locally, some are outsourced etc.
And most large enterprises use heterogeneous systems. They do not all use the same brand of equipment. Some companies use more than one outsourced tech support because that is their requirement. Maybe their old mainframes are supported by one company and their new PC line another and their networking by another.
This is what the industry really looks like.
What Microsoft says is just a lie.
Of course the patching issue is a problem. Linux has several problems just that it seems to go by the Microsoft model thinking that problems go away with more marketing! Well, it DOESN’T!
The fact is all systems are unsecure one way or the other, some less, some more. Linux and Windows are on par being worst as they are both big players and very much hated players by so many.
Diversity is the solution to the security issues, there are several high quality OSs on the market both open and proprietary which most likely can solve the problem. Also one good thing with diversity is that you can actually learn from other systems model and that way be more open to potential problems.
Saying that Linux is the crown jewel of open source software is also ignorant, because the crown jewel is Apache. Apache is most widely accepted and appreciated…
Linux though is indeed a crown jewel… of ZEALOTRY!
All of what you’re talking is hypothetical. The fact is that there are NO Linux viruses in the wild. Proportionately to market share, Windows has 50 times more viruses than Linux.
It’s so obvious from your post that you are not an objective participant in this debate, but that you actively wish that Linux had as many security problems as Windows. Wishful thinking, in other words. Not very rational.
XBe
Linux enthusiasts would sound less like zealots if they had the same marketing budget as MS. Without the same means, their only recourse is aggressive advocacy.
The original zealots were armed Jewish resistant to the Roman Empire, just around Jesus’ time (indeed, some scholars claim that Jesus might have been a zealot at some time). They did not have Rome’s means, but that only strengthened their resolve.
Being a zealot is not necessarily a bad thing – it depends if your cause is just or not. MS zealots defend a multi-billion empire who has been found guilty of anti-competitive monopolistic practices, and who wants to dominate every market it enters (though so far it has only dominated the OS and Office markets). The Linux zealots defend the right to choice, the work of thousands of volunteers and paid programmers, and the general idea that code should be free (as in freedom). It’s not hard, for me at least, to decide which one has a nobler cause. (Which is why I see BSD zealots as brothers, even though they’re often more aggressive towards Linux than MS…)
I do agree with you that what we need (and not only the field of computing, but throughout society in general) is more diversity and interoperability. No one should dominate, both for the sake of competition and democracy.
> Linux enthusiasts would sound less like zealots if they had the same marketing budget as MS. Without the same means, their only recourse is aggressive advocacy.
It’s called Virus marketing and for the amount of virus marketing Linux does through advocacy/zealotry MS would have to spend probably more money than they do today on traditional advertising.
So budget or no budget, the results are the same.
Speaking of overzealous advocacy, no one likes being lied to. I think the “advocates” have probably turned away as many people from Linux as they have converted.
> Diversity is the solution to the security issues, there are several high quality OSs on the market both open and proprietary which most likely can solve the problem. Also one good thing with diversity is that you can actually learn from other systems model and that way be more open to potential problems.
Maybe diversity works for academics in their ivory towers but having a diverse set of operating environments raises costs substantially. When evaluating security, it is reasonable to ask whether the cost of diversity is worth it. I doubt it, frankly, given that there are protective mechanisms that can be used to safeguard resources at a reasonable cost. Note the term “reasonable”. That doesn’t mean “invincible”. Spending a billion dollars on security to achieve 99.999999% security versus spending a few thousand to achieve 98.99999% security is probably a waste of money and time. So, seriously, don’t make blanket statements like that. Security demands better consideration than that.
> Maybe diversity works for academics in their ivory towers but having a diverse set of operating environments raises costs substantially. When evaluating security, it is reasonable to ask whether the cost of diversity is worth it. I doubt it
I see your point. In an enterprise this would definitely become a problem. But honestly, I was more thinking of “the market” rather than individual companies. For instance if diversity would be a fact, a virus would probably not clog down the whole world at the same time but rather a fraction.
However, mentioning diversity in one enterprise I’d say the key to that is open standards. If there are certain standards patching things together would be a lot easier. Also there is this issue with different purpose needs different equipment.
For instance, http servers in a company could use FreeBSD, Firewalls go OpenBSD, desktops could be XP and inhouse design agency might wanna go with OS X. File servers run Solaris.
Would that diversity cost that much as all above mentioned is aimed at completely different things? It’s an interesting question…
You’ll find many studies early on regarding the security (or lack thereof) of commercial Unix systems. Many predating Windows.
While each article has its own unique twist, some of them attaching an agenda of some sort, they all do make one point.
New code needs to be road tested to find all the bugs.
Anti-virus companies will say “Hey see it’s possible for a virus to bypass Unix’s security” true enough however viruses get attention and before an anti-virus company can make an anti-virus scanner the bug is fixed.
Microsoft will say “See Unix systems have bugs too” as true as this is the real problem isn’t how many bugs are found but how many of those bugs exist anymore.
To summarise a conversation between me and a Microsoft supporter:
Him: What good is the source code?
Me: So people can hunt down and eliminate bugs
Him: Why would anyone bother?
Me: I don’t know. They just do.
He may have a point here. Microsoft’s poor response to bugs is sabotaging themselves. Sun Microsystems takes a reputation for secure systems seriously. But what is in it for those who hunt down Linux bugs?
And what if they lost interest?
> But what is in it for those who hunt down Linux bugs?
> And what if they lost interest?
And here is the big problem!
The BSDs are complete systems, everyone who runs FreeBSD have in one way or the other a similar system.
As Linux users quickly point out, is that Linux is just a kernel, sure that may be secure. But since every other system out there is partially their own OS, it’s increasingly hard to predict what security flaws exists in the different combinations.
Naturally this might also result in bugs getting “dropped” as someone involved in one project might not want to be involved in some other projects sources and voila, problem gets dropped between chairs.
IMHO the so called “GNU” model is hardly secure, not to mention the fact that the level of revising the code is not as tough as in for instance OpenBSD.
Question still remains though, if those finding bugs simply stop, what would happen then?
“The BSDs are complete systems, everyone who runs FreeBSD have in one way or the other a similar system.”
This one is getting old. Everyone who runs a certain (GNU/)Linux distribution has so too. There’s no 1 OS called “Linux”.
Regarding the BSD’s there’s a lot outside of the base called Ports collection which is maintained by so many different people. Have a look at http://www.freshports.org for FreeBSD. Lots of these programs are in common (GNU/)Linux distributions too as well as for other OSes, even proprietary Unices.
Therefore when people lose interest to develop, audit these programs the BSD’s have a disadvantage too. Only in the literal case where you’re speaking about the Linux kernel and programs which solely are used together with (GNU/)Linux distribution you have a point, but then again I refuse to see it such black vs white. There’s already GNU/K*BSD too for example, negating that “programs together with (GNU/)Linux” part though there ain’t big userbase.
“As Linux users quickly point out, is that Linux is just a kernel, sure that may be secure.”
The former I agree with, the latter is according to me the most vulnerable part of an OS.
“But since every other system out there is partially their own OS, it’s increasingly hard to predict what security flaws exists in the different combinations.”
I don’t think I understand what you mean however like I said earlier 1) both BSD, (GNU/)Linux distributions as well as proprietary OSes can and do share common programs 2) for servers several hardening methods exist to make these more secure. Examples: chroot, stack protection, packet scrubbing to name a few. Among other, such methods make it easier to predict security flaws or rather to predict you’re not vulnerable however it’s far more difficult to protect the kernel.
“IMHO the so called “GNU” model is hardly secure”
I find your lack of arguments for such wild assertion disturbing.
“not to mention the fact that the level of revising the code is not as tough as in for instance OpenBSD.”
What’s “level of revising the code”?
“Question still remains though, if those finding bugs simply stop, what would happen then?”
Well, that would be some situation like the do_brk bug I suppose. One server got cracked (MPlayerhq.hu’s) with the author doing nothing. Then another server (Debian’s) got cracked, do forensics, find out what’s wrong, work together with kernel developers, and fix it. Do you really think there isn’t one kernel developer who can fix such bug? Very negative thinking I suppose. Anyone can pick the developing up, because the source is open. Therefore I think FLOSS is because of this nature (plus portability too) generally enjoying a longer life span than proprietary software.
Pretty much anyone who wants to from the looks of it !
Lately anyway.
:: But what is in it for those who hunt down Linux bugs?
And what if they lost interest?:: by Jeffery McLean.
The people hunting for bugs might be the software creators or some one who has a heavy investment in using the software. These people will want the software to work so they will invest time to find the bugs. A lot of the projects in Open Source are done by people who love to program and design software, in fact they do it without getting paid.
There are always new programmers and users of software. Even if a certain number lose interest there will be others that become interested.
One small advantage of Open Source is that the source code is out there and any one that is interested can pick up where some one left off.
Just think if Microsoft released the source code to Win98. If some one was interested they could keep Win98 alive by adding on new features and fixing bugs to Win98. For the users who think Win98 suits them fine, they would not need to upgrade.
I favor Linux, but I hate people when they bullshit you and tell you so many lies. My friend installed linux (debian) 5 days later it is hacked. He said he applied all the patches, but still something happens and they can get into the system. Linux has to make so much progress. Linux now has the advantage over Windows on many issues of course, but that’s most because of its limitations. A small user base, less feature capable software, etc… There is not much challenge for Linux now and despite this fact Linux and Windows are compared in many issues. This is not very good for Linux at all. That means that windows is far more better than Linux. Plug and play support, windows environment, consistency, number of applications, ease of use, developers etc.. Windows win in all of these.
Linux wins for the number people you can get help from, no matter what, there are more linux people out there to help you. Linux ties with windows when it comes to security. You have to apply lots of patches to make it secure and the patch management is not automatic as it is the case in windows. However Linux has a slight advantage, cause I didn’t see any worms affecting it.
Linux is best suited for server environments, assuming that you have people that know what they are doing with linux. Otherwise linux is costly, cause training people to use linux is more costly than training them to use windows.
“but I hate people when they bullshit you and tell you so many lies.”
I hate it when people don’t back up experiences with details or arguments with details. Like you did in your post.
“My friend installed linux (debian) 5 days later it is hacked. He said he applied all the patches”
What exactly happened? Is this *the* proof “Linux” (the K-E-R-N-E-L) is not secure? No. Does it prove Debian is not secure? No. It doesn’t prove a goddamn thing, if only because it is 1 example from a friend of 1 user which friend does not provide any details. I’m interested in what exactly happened though.
“Linux now has the advantage over Windows on many issues of course, but that’s most because of its limitations.”
(wrong compare)
According to you, which advantages?
“A small user base, less feature capable software, etc…”
(wrong compare)
Please prove the correlation.
“There is not much challenge for Linux now and despite this fact Linux and Windows are compared in many issues. This is not very good for Linux at all. That means that windows is far more better than Linux.”
Because Windows and the Linux kernel are being compared in many issues it means Windows is far more better than Linux???
I think the fact people compare a kernel with an OS shows their ignorance, because Linux is not an OS; wrong compared.
“Plug and play support, windows environment, consistency, number of applications, ease of use, developers etc.. Windows win in all of these.”
(wrong compare)
You don’t prove that by just naming them.
“Linux wins for the number people you can get help from, no matter what, there are more linux people out there to help you.”
(wrong compare)
I think there’s a sane number of places where people with Windows problems can get help and have not seen any hard numbers that FLOSS delivers better support though my personal judgement tends to experience it indeed in that way.
“Linux ties with windows when it comes to security.”
(wrong compare)
Please do state your analysis.
“You have to apply lots of patches to make it secure and the patch management is not automatic as it is the case in windows. However Linux has a slight advantage, cause I didn’t see any worms affecting it.”
(wrong compare)
Make WHAT secure? No automatic patching? Ever heard of Cron? Auto-apt? No indeed the _kernel_ doesn’t have that, you’re right…
No worms? The _first_ worm ever made was a _Sendmail_ worm. Apache worms are quite common too. Because you did not *see* it doesn’t prove a goddamn thing. Quit the S, start the N, please. TIA.
“Linux is best suited for server environments, assuming that you have people that know what they are doing with linux.”
What if you have people who know what they are doing with FreeBSD, Windows, AIX ? Where’s your analysis?
“Otherwise linux is costly, cause training people to use linux is more costly than training them to use windows.”
Same is true for other OSes. However consultancy, and TCO on a longer time span, are possibilities too.
“Linux is best suited for server environments, assuming that you have people that know what they are doing with linux.”
“Otherwise linux is costly, cause training people to use linux is more costly than training them to use windows.”
Wrong compared by you as well.
Later,
When I am asked the next time about my gripes with GNU/Linux, I’ll point to this thread. Ye flipping gods…
@ cx:
> The kernel bugs were local root exploits. They are only
> relevant if you have a system connected to the internet
> while you provide, for example, public access to services
> like TELNET or SSH (apart from physical access).
>
> Such services should not be accessible on file servers,
> http servers or whatever server for the public except
> the administrators…
Bull. SSH is *designed* to be a secure connection to a remote system. I’d like to see how you intend to get your HTML files to your HTTP server if there’s no FTP or SSH. FedEx?
Then the advocates continue droning about how you’re supposed to keep your system on the latest patch levels, how fixing bugs isn’t instantaneous, and don’t even realize they’re negating the two major points the Open Source advocates keep reiterating:
* Windows is weak because people forget to patch it,
* Open Source makes bug fixing so much faster.
Who cares if it’s a virus that comes per clickable mail attachment, or an exploit of some daemon? *I* do. For the mail, I got an automatically updated anti-virus software that protects me. Who protects me against exploits when the various Linux distros cannot agree on a common package system, common file system layout, or even a common ABI so that the compiler version no longer matters?
Windows, GNU/Linux, it’s both a bag full of holes.
>>Windows, GNU/Linux, it’s both a bag full of holes.
Well said Solar! If I am ever _forced_ to use Linux at work I’ll definitely use OBSD in front of it!
> Speaking of overzealous advocacy, no one likes being lied to. I think the “advocates” have probably turned away as many people from Linux as they have converted.
Of course you have data to back this up, right? What? You don’t? Well, I’ll be…
Seriously, if bad behavior will turn people away from your OS, then I guess Windows is bound to keep losing users! As you said, no one likes being lied to, and that includes deceptive marketing and other kinds of FUD. In that department Microsoft reigns supreme.
XBe
Yes, I know the result is the same, that was my point. A certain amount of zealotry is acceptable in users of alternative OSes (Linux, OS X, *BSD, etc.) as they don’t have the same marketing means as MS. I also agree that word-of-mouth is a very powerful marketing tool – unfortunately for MS it’s not something you can buy, unless you prop up fake “grassroots” movements like they’ve done in the past…but these are bound to backfire in the long run, as the truth inevitably comes out.