Microsoft's Jeff Jones has 'discovered' Ubuntu's CVE Tracker



newbie2
March 17th, 2010, 10:42 AM
http://blogs.technet.com/security/archive/2010/03/09/ubuntu-cve-tracker.aspx
:P

DawieS
March 17th, 2010, 03:06 PM
Pathetic.

I felt suffocated after being dumped with a load of cookies and stuff, I had to exit Firefox to be able to breathe normally again.:eek:

On the upside, I got a few new addresses to block.:grin:

bodhi.zazen
March 17th, 2010, 05:26 PM
Moved to the cafe as it is not a support thread.

_h_
March 17th, 2010, 05:28 PM
He didn't just 'discover' Ubuntu, so he claims...



Wednesday, March 10, 2010 10:04 AM by jrjones

I can't say I've just discovered Ubuntu, as I've written about it several times in the past

julio.tomaschitz
March 17th, 2010, 05:59 PM
huauhahuahua
he makes me laugh! huauhauhhuahuahuauha
if we (ubuntu/linux community) are more insecure than windows, so why don't we use anti virus, anti spam, anti spyware, anti anything? cause we are strong! we are united! this makes the difference.

Simian Man
March 17th, 2010, 06:05 PM
if we (ubuntu/linux community) are more insecure than windows, so why don't we use anti virus, anti spam, anti spyware, anti anything? cause we are strong! we are united! this makes the difference.

Cause nobody knows about us doesn't hurt either :).

Mr. Picklesworth
March 17th, 2010, 06:13 PM
He didn't just 'discover' Ubuntu, so he claims...

Oh, yes, Jeff is definitely not new to Ubuntu. I re-read and re-coloured one of his graphs for him over two years ago:

http://dylanmccall.blogspot.com/2008/01/ubuntu-linux-606-red-hat-enterprise.html

http://3.bp.blogspot.com/_Vi7TqTLw_Tw/R5ofDyU34VI/AAAAAAAAAHI/BwMTIwntOr8/s1600/HugeSuccess.png

His version (page 17 of the report) gave the "unfixed" number a more mellow colour, ignored a very interesting percentage and communicated a completely different message. It's all a matter of perspective.

juancarlospaco
March 17th, 2010, 06:29 PM
Some people need to understand that not all bugs need to be fixed,
some of the bugs are "needs-packaging", "wishlist", "upstream-change", "needs-debian-sync", "new-feature-patch" (...)

:)

mcduck
March 17th, 2010, 06:42 PM
Some people need to understand that not all bugs need to be fixed,
some of the bugs are "needs-packaging", "wishlist", "upstream-change", "needs-debian-sync", "new-feature-patch" (...)

:)

...not to mention that "Ubuntu Bugs" includes bugs for quite a large selection of software provided through Ubuntu's repositories, while "Windows Bugs" only includes Windows itself, and (depending on who does the calculations) a small selection of Microsoft software. You'd never see a Firefox security fix, for example, included in Windows bugs...

solitaire
March 17th, 2010, 07:00 PM
Wonder what IE8 / IE9's Bug tracker list is like..
It's probably got all the bugs marked as "ignored" (i.e. not my problem...) lol!! (last line is a JOKE!!)

gnupipe
March 17th, 2010, 07:20 PM
Jeff is not a clever man (and he works for microsoft) so you can safely ignore him.

Frak
March 17th, 2010, 07:31 PM
huauhahuahua
he makes me laugh! huauhauhhuahuahuauha
if we (ubuntu/linux community) are more insecure than windows, so why don't we use anti virus, anti spam, anti spyware, anti anything? cause we are strong! we are united! this makes the difference.
No, because you're obscure to the face of the world. Also, there was a trojan outbreak not too long ago. Ubuntu is anything but "secure".

Though, I don't know why you'd ignore him. Ignoring someone from Microsoft and NIST is really a bit arrogant you think? Ignoring NIST is the epitome of ignorance, IMHO.

michaeldt
March 17th, 2010, 07:34 PM
This kills me.

First, Microsoft don't report all patched vulnerabilities the way open-source does. If they can hide the fact anything was ever patched they will. If you report a security vulnerability to them, they'll thank you, and IF it ever gets patched, it still never gets reported. The only time we hear about MS vulnerabilities are when they appear in the news as they are reported by external security companies.

Secondly, if he's going to clump together all the software Ubuntu maintains a repository for, perhaps we should have a similar tracker for ALL the most popular windows software. Sure, MS doesn't maintain those programs, but windows is pretty damn shite without them.

juancarlospaco
March 17th, 2010, 07:34 PM
Microsoft just renamed bugs to features

Frak
March 17th, 2010, 07:39 PM
This kills me.

First, Microsoft don't report all patched vulnerabilities the way open-source does. If they can hide the fact anything was ever patched they will. If you report a security vulnerability to them, they'll thank you, and IF it ever gets patched, it still never gets reported. The only time we hear about MS vulnerabilities are when they appear in the news as they are reported by external security companies.

Secondly, if he's going to clump together all the software Ubuntu maintains a repository for, perhaps we should have a similar tracker for ALL the most popular windows software. Sure, MS doesn't maintain those programs, but windows is pretty damn shite without them.
Security through obscurity works on occasion. Look at Linux, it made it this far without a big raid through being a mega obscure desktop OS.

phrostbyte
March 17th, 2010, 07:39 PM
His testing methodology seems completely flawed. For instance, he considers all packages in the main repository to be part of Ubuntu. But when he compares it to Windows, he only compares the default installed software.

I left a comment on his blog, I doubt he'll publish it (the blog seems to be moderated).

KiwiNZ
March 17th, 2010, 07:43 PM
The thread title is misleading...

" I had not seen the Ubuntu CVE Tracker before,"

Frak
March 17th, 2010, 07:43 PM
The thread title is misleading...

" I had not seen the Ubuntu CVE Tracker before,"
I agree with this post.

gnupipe
March 17th, 2010, 07:44 PM
Though, I don't know why you'd ignore him. Ignoring someone from Microsoft and NIST is really a bit arrogant you think? Ignoring NIST is the epitome of ignorance, IMHO.

It seems that you don't get it. Jeff is not a hacker (not even whitehat). He has never released any exploits, for example. So you can /ignore him.

phrostbyte
March 17th, 2010, 07:44 PM
Security through obscurity works on occasion. Look at Linux, it made it this far without a big raid through being a mega obscure desktop OS.

Linux is not an obscure server OS. A big part of the security advantages of Linux stems from sound security practices and frameworks. It doesn't hurt that the US agency responsible for military/federal security policy is a Linux contributor either.

KiwiNZ
March 17th, 2010, 07:47 PM
Jeff is not a clever man (and he works for microsoft) so you can safely ignore him.

And you base that assessment on what data?

Considering this

About jrjones

Jeff has been a security guy for 20 years. Some of the more interesting jobs he's done: security consultant doing risk assessments for the Air Force; security consultant for the NSA Orange Book program; kernel and TCP/IP developer for Trusted Xenix; Darpa researcher; VPN developer for Gauntlet firewall; security consultant in EMEA; Director of Product Management for McAfee corporate AV; VP of Product Management for PGP, Cybercop Scanner and Gauntlet firewall; and a director in the Microsoft security group.

hmmmm OK

Frak
March 17th, 2010, 07:47 PM
It seems that you don't get it. Jeff is not a hacker (not even whitehat). He has never released any exploits, for example. So you can /ignore him.

OK. Because releasing exploits makes you an über 1337 h4xx0r and security expert?


Linux is not an obscure server OS. A big part of the security advantages of Linux stems from sound security practices and frameworks. It doesn't hurt that the US agency responsible for military/federal security policy is a Linux contributor either.

Attack the interpreter, not the OS. Greatest philosophy when doing penetration tests. Also: http://lucky13linux.wordpress.com/2009/08/23/linux-security-hole-goes-back-eight-years/. It's more than just the OS vendor.

phrostbyte
March 17th, 2010, 07:49 PM
Attack the interpreter, not the OS. Greatest philosophy when doing penetration tests.

It's obvious the man has an agenda to try to find a problem where it doesn't exist.

Frak
March 17th, 2010, 07:50 PM
It's obvious the man has an agenda to try to find a problem where it doesn't exist.
He's a security expert. It's assumed that he is always looking for problems. That's his job.

phrostbyte
March 17th, 2010, 07:52 PM
He's a security expert. It's assumed that he is always looking for problems. That's his job.

His job is to fix problems in competitors products? :roll:

KiwiNZ
March 17th, 2010, 07:53 PM
It's obvious the man has an agenda to try to find a problem where it doesn't exist.

Ignoring vulnerabilities and bugs only hinders their resolution.

Frak
March 17th, 2010, 07:53 PM
His job is to fix problems in competitors products? :roll:
Keep your competitors products safe and they won't be used as a botnet to attack yours.

swoll1980
March 17th, 2010, 07:54 PM
No, because you're obscure to the face of the world. Also, there was a trojan outbreak not too long ago. Ubuntu is anything but "secure".

Though, I don't know why you'd ignore him. Ignoring someone from Microsoft and NIST is really a bit arrogant you think? Ignoring NIST is the epitome of ignorance, IMHO.

You're smart enough to know that trojans and viruses are not the same, so don't play word games. Jesus Christ couldn't develop an OS that could function normally and still manage to keep you from running an installer package as root. OSes are meant to run software. In order to do this, you have to install the software. It's up to the user not to install trojans on their computer.

KiwiNZ
March 17th, 2010, 07:54 PM
His job is to fix problems in competitors products? :roll:

Being Industry aware is ;)

phrostbyte
March 17th, 2010, 07:54 PM
Ignoring vulnerabilities and bugs only hinders their resolution.

Why don't you ask him to fix them then? Ubuntu is open source, and he is clearly an uber smart security person very interested in Ubuntu security.

lykwydchykyn
March 17th, 2010, 07:55 PM
Evaluating the security of a complex system by a single metric FTW!

Frak
March 17th, 2010, 07:56 PM
Why don't you ask him to fix them then? Ubuntu is open source, and he is clearly an uber smart security person very interested in Ubuntu security.
Or he just had a lulz fest over comparing the CVE to NIST.

swoll1980
March 17th, 2010, 07:57 PM
Cause nobody knows about us doesn't hurt either :).

1/2 the servers in the world are running some type of *nix. We are far from being obscure.

gnupipe
March 17th, 2010, 07:57 PM
He's a security expert. It's assumed that he is always looking for problems. That's his job.

You make me glad that I don't live in US anymore.

phrostbyte
March 17th, 2010, 07:57 PM
Or he just had a lulz fest over comparing the CVE to NIST.

So you're saying that he has a malicious interest in Ubuntu security? Seems about right.

KiwiNZ
March 17th, 2010, 07:58 PM
Why don't you ask him to fix them then? Ubuntu is open source, and he is clearly an uber smart security person very interested in Ubuntu security.

But you say they don't exist. "It's obvious the man has an agenda to try to find a problem where it doesn't exist." How can he fix bugs we don't have?

Frak
March 17th, 2010, 07:59 PM
So you're saying that he has a malicious interest in Ubuntu security? Seems about right.
He was curious, looked at Secunia and found it was fully patched, looked at the CVE saw it wasn't fully patched, checked the NIST and found that Canonical wasn't colour coding it totally correctly.

If that isn't a lulz fest of unprofessionalism, I don't know what is.

xifer
March 17th, 2010, 08:01 PM
Keep your competitors products safe and they won't be used as a botnet to attack yours.

Bwahaaaaaahhhhhhhhhhaaaaaaaaaaaaaaaaaaaaaaa. cough. snort. Bwahaaaaaaaaaaaa.

ROTFLMFAO

gnupipe
March 17th, 2010, 08:01 PM
OK. Because releasing exploits makes you über 1337 h4xx0r and security expert?

You got it. Releasing exploits and supporting the full disclosure movement makes you 1337. At least I think so.

Frak
March 17th, 2010, 08:01 PM
Bwahaaaaaahhhhhhhhhhaaaaaaaaaaaaaaaaaaaaaaa. cough. snort. Bwahaaaaaaaaaaaa.

ROTFLMFAO
Glad somebody got the joke.

foldingstock
March 17th, 2010, 08:04 PM
Why don't you ask him to fix them then? Ubuntu is open source, and he is clearly an uber smart security person very interested in Ubuntu security.

That is a very dense viewpoint. You shouldn't attack his intelligence just because he insulted your prized Ubuntu.

He did not make any unfounded accusations. Yes, it is true that many of the reported vulnerabilities only affect third-party software, but his statements are technically correct.

Instead of making yourself look childish, be glad that not everyone blindly accepts open source software as inherently secure. Criticism is a good thing.

whiskeylover
March 17th, 2010, 08:05 PM
That is a very dense viewpoint. You shouldn't attack his intelligence just because he insulted your prized Ubuntu.


+1.

And it makes you look worse than an Apple fanboi.

phrostbyte
March 17th, 2010, 08:06 PM
That is a very dense viewpoint. You shouldn't attack his intelligence just because he insulted your prized Ubuntu.

Can you point out where I insulted his intelligence?



He did not make any unfounded accusations. Yes, it is true that many of the reported vulnerabilities only affect third-party software, but his statements are technically correct.

His statements seem to imply Windows is more than Linux are a bunch of nonsense, based on a testing methodology that is flawed in more than one fundamental way.



Instead of making yourself look childish, be glad that not everyone blindly accepts open source software as inherently secure. Criticism is a good thing.

Please reread the Ubuntu Forums CoC and ensure your future posts are in compliance with it.

foldingstock
March 17th, 2010, 08:10 PM
Can you point out where I insulted his intelligence?

I am not going to sit and argue with you. I have already made my statement and quoted you in my original post.


Please reread the Ubuntu Forums CoC and ensure your future posts are in compliance with it.

If I offended you, perhaps you should not take forum posts as seriously as you do.

phrostbyte
March 17th, 2010, 08:13 PM
I am not going to sit and argue with you. I have already made my statement and quoted you in my original post.

Can you show where in that original post that I insulted him? On the contrary, I called him "super smart". Unless you view that as sarcasm, but that's your own doing.




If I offended you, perhaps you should not take forum posts as seriously as you do.

I expect a higher level of discourse here than a typical Internet forum. That means no personal attacks. Please refrain from them in the future, as they will eventually get you banned.

gnupipe
March 17th, 2010, 08:17 PM
And you base that assessment on what data?

Considering this

About jrjones

Jeff has been a security guy for 20 years. Some of the more interesting jobs he's done: security consultant doing risk assessments for the Air Force; security consultant for the NSA Orange Book program; kernel and TCP/IP developer for Trusted Xenix; Darpa researcher; VPN developer for Gauntlet firewall; security consultant in EMEA; Director of Product Management for McAfee corporate AV; VP of Product Management for PGP, Cybercop Scanner and Gauntlet firewall; and a director in the Microsoft security group.

hmmmm OK

You are not necessarily a *real* security expert even if you are a kernel and TCP/IP developer for Trusted Xenix.

Frak
March 17th, 2010, 08:18 PM
If I offended you, perhaps you should not take forum posts as seriously as you do.

That's a revolutionary statement.

Post Monkeh
March 17th, 2010, 08:28 PM
Please reread the Ubuntu Forums CoC and ensure your future posts are in compliance with it.

lol, way to prove him wrong

Mr. Picklesworth
March 17th, 2010, 08:46 PM
Oh, yes, Jeff is definitely not new to Ubuntu. I re-read and re-coloured one of his graphs for him over two years ago:

http://dylanmccall.blogspot.com/2008/01/ubuntu-linux-606-red-hat-enterprise.html

*snip*

His version (page 17 of the report) gave the "unfixed" number a more mellow colour, ignored a very interesting percentage and communicated a completely different message. It's all a matter of perspective.

Having said that, I respect that (sugar-coated delivery aside) Jeff does use and understand facts. Various people hereabouts do not.

mickie.kext
March 17th, 2010, 08:49 PM
This kills me.

First, Microsoft don't report all patched vulnerabilities the way open-source does. If they can hide the fact anything was ever patched they will. If you report a security vulnerability to them, they'll thank you, and IF it ever gets patched, it still never gets reported. The only time we hear about MS vulnerabilities are when they appear in the news as they are reported by external security companies.

Secondly, if he's going to clump together all the software Ubuntu maintains a repository for, perhaps we should have a similar tracker for ALL the most popular windows software. Sure, MS doesn't maintain those programs, but windows is pretty damn shite without them.

This.

Only reason why someone would say that Windows is more secure than open source is that Windows' gaping holes are kept secret... from customers. But hackers find them anyway. Also, most of them do not get patched for years, if ever.

Frak
March 17th, 2010, 08:51 PM
This.

Only reason why someone would say that Windows is more secure than open source is that Windows' gaping holes are kept secret... from customers. But hackers find it anyway. Also, most of them do not get patched for years, if ever.

Like how some vulnerabilities in open source programs don't get patched for years, if ever?

swoll1980
March 17th, 2010, 08:55 PM
Like how some vulnerabilities in open source programs don't get patched for years, if ever?

Discovered, or undiscovered? I know it's a lot harder to fix vulnerabilities that no one knows about.

phrostbyte
March 17th, 2010, 09:04 PM
Having said that, I respect that (sugar-coated delivery aside) Jeff does use and understand facts. Various people hereabouts do not.

You can say something factual and be incredibly misleading at the same time. That's what he is doing.

Frak
March 17th, 2010, 09:12 PM
Discovered, or undiscovered? I know it's a lot harder to fix vulnerabilities that no one knows about.

Both. There's a (known) Firefox bug that went back nearly a decade and a hole in the Linux kernel that existed for 8 years that was just patched recently.

phrostbyte
March 17th, 2010, 09:15 PM
Both. There's a (known) Firefox bug that went back nearly a decade and a hole in the Linux kernel that existed for 8 years that was just patched recently.

Firefox hasn't been around for "nearly a decade".

Frak
March 17th, 2010, 09:17 PM
Firefox hasn't been around for "nearly a decade".
It went back into Mozilla oh clever one. Nice try, though.

phrostbyte
March 17th, 2010, 09:19 PM
It went back into Mozilla oh clever one. Nice try, though.

Mozilla is also less than 10 years old. Are you thinking about "Netscape"?

Sounds like an interesting Netscape bug. Do you have a link to it?

Frak
March 17th, 2010, 09:20 PM
Mozilla is also less than 10 years old. Are you thinking about "Netscape"?

Sounds like an interesting Netscape bug. Do you have a link to it?
https://bugzilla.mozilla.org/show_bug.cgi?id=350

cdenley
March 17th, 2010, 09:25 PM
https://bugzilla.mozilla.org/show_bug.cgi?id=350

A bug that would have reported the wrong date in another 9 decades is a security vulnerability?

Midnight Star
March 17th, 2010, 09:26 PM
Propaganda is hilarious ... especially from the "Gates-Ware!" group that believes "cigarettes are good for you", when they make billions selling them and say being healthy is a bad thing when the brand being "smoked" doesn't come from them.

I would say shameful if I wasn't already laughing so hard.

Frak
March 17th, 2010, 09:27 PM
A bug that would have reported the wrong date in another 9 decades is a security vulnerability?
It's the fear that environment could be changed to allow malicious code execution through an unhandled value.

cdenley
March 17th, 2010, 09:38 PM
It's the fear that environment could be changed to allow malicious code execution through an unhandled value.

How does the incorrect time lead to "environment could be changed" which then leads to malicious code execution? There is no discussion of any security implications in that bug report. I can see how it can have some security implications as far as checking certificate expirations and such, but that wouldn't even be relevant until the year 2100, so it doesn't really matter how long it was known that it would be a problem as long as it was fixed long before it could be a problem.

Frak
March 17th, 2010, 09:40 PM
How does the incorrect time lead to "environment could be changed" which then leads to malicious code execution? There is no discussion of any security implications in that bug report. I can see how it can have some security implications as far as checking certificate expirations and such, but that wouldn't even be relevant until the year 2100, so it doesn't really matter how long it was known that it would be a problem as long as it was fixed long before it could be a problem.
I do see a risk. Here's the difference, many exploits are caused by harmless little bugs. So, hows it goin buuuudy.

cdenley
March 17th, 2010, 09:44 PM
I do see a risk. Here's the difference, many exploits are caused by harmless little bugs. So, hows it goin buuuudy.

And many exploits are caused by patches for harmless little bugs. The existence of a harmless little bug is not evidence of a security vulnerability, and is still irrelevant.

Frak
March 17th, 2010, 09:47 PM
And many exploits are caused by patches for harmless little bugs. The existence of a harmless little bug is not evidence of a security vulnerability, and is still irrelevant.
10 years is still an unreasonably long time for any known bug to remain unfixed. Period.

mickie.kext
March 17th, 2010, 09:48 PM
Please... someone seriously wants to argue that IE is more secure than Firefox because he found one little bug..?

I think this site will bury that argument http://www.positioniseverything.net/explorer.html

swoll1980
March 17th, 2010, 09:48 PM
https://bugzilla.mozilla.org/show_bug.cgi?id=350

I thought we were talking about known security vulnerabilities. How did we get off topic? The kernel bug was not known. When it was discovered it was patched immediately. This leap year bug is not a security vulnerability.

cdenley
March 17th, 2010, 09:49 PM
10 years is still an unreasonably long time for any known bug to remain unfixed. Period.

I disagree. Fixing the problem 900 years before it becomes a problem seems fine to me. Either way, it is still irrelevant.

Midnight Star
March 17th, 2010, 09:49 PM
On the bug fixes and security note...

Well the biggest problems I saw on the Windows side of things was, the basic (just the basic mind you) operating system got so bogged down with bug fixes, or patched solutions for previous patched solutions, that things were breaking everywhere. 3rd party developers were scrambling daily to keep their customers software working (games for example), just as an example. It got so bad that I think Windows was the first operating system in history to become "bloat-ware" due to all the bug fixes and patches, and security fixes.

Frak
March 17th, 2010, 09:52 PM
Please... someone seriously wants to argue that IE is more secure than Firefox because he found one little bug..?

I think this site will bury that argument http://www.positioniseverything.net/explorer.html

Nobody has even tried to argue about that, so you arguing this is really lulzy.

IMMA ARGUE WITH YOU EVEN THOUGH YOU HAVEN'T BROUGHT UP THIS POINT. RAWR I'M RIGHT SEE?

scottuss
March 17th, 2010, 09:53 PM
Everyone seems to be getting in a flurry over nothing.

Calm down, and ask yourself: would you want to use Windows? The answer is probably no. So just smile, know that you use Linux and get on with your life. If Windows were as secure as *nix, this guy would probably be out of a job. He needs to spout FUD to make himself look useful.

Chill! :D

swoll1980
March 17th, 2010, 09:54 PM
It's the fear that environment could be changed to allow malicious code execution through an unhandled value.

You're grasping at straws.

swoll1980
March 17th, 2010, 09:55 PM
Nobody has even tried to argue about that, so you arguing this is really lulzy.

IMMA ARGUE WITH YOU EVEN THOUGH YOU HAVEN'T BROUGHT UP THIS POINT. RAWR I'M RIGHT SEE?

I think they call that straw man.

Frak
March 17th, 2010, 09:56 PM
You're grasping at straws.
Says the pot.

Frak
March 17th, 2010, 09:56 PM
I think they call that straw man.
You're awfully defensive, did I hit a nerve?

swoll1980
March 17th, 2010, 09:58 PM
You're awfully defensive, did I hit a nerve?

? I was referring to the whole "how can you say IE is this..." even though IE wasn't mentioned. It had nothing to do with you.

Frak
March 17th, 2010, 09:59 PM
? I was referring to the whole "how can you say IE is this..." even though IE wasn't mentioned. It had nothing to do with you.
I thought you were referring to me pretty much dumping the argument over (which I did, since it was pretty much irrelevant). My apologies.

mickie.kext
March 17th, 2010, 10:25 PM
But if that is not the argument, what is then?

Fact that Firefox bug from 1998 is still there just shows that they value everyone's opinion and do not delete silly bug reports. Someone can find something he does not like with Firefox now, report it, and in 10 years someone can make a new straw-man argument.

If you try to do that with an MS product, some MS employee will just delete the bug report with no explanation why he did it. That is why they can say that MS stuff is secure. You can't point at bugs so easily. You have to make viruses to prove them, and I believe that CoC forbids linking to viruses...

I think that this whole thread is about MS claiming their products are more secure because their bug tracking system is flawed. All software has bugs, just MS does not admit that theirs has too.

KiwiNZ
March 17th, 2010, 10:35 PM
But if that is not the argument, what is then?

Fact that Firefox bug from 1998 is still there just shows that they value everyone's opinion and do not delete silly bug reports. Someone can find something he does not like with Firefox now, report it, and in 10 years someone can make a new straw-man argument.

If you try to do that with an MS product, some MS employee will just delete the bug report with no explanation why he did it. That is why they can say that MS stuff is secure. You can't point at bugs so easily. You have to make viruses to prove them, and I believe that CoC forbids linking to viruses...

I think that this whole thread is about MS claiming their products are more secure because their bug tracking system is flawed. All software has bugs, just MS does not admit that theirs has too.

Where in the linked article did he claim MS is more secure and failed to admit to theirs?

The article was not about MS bugs it was about a bug tracker for Ubuntu. He was not discussing MS bugs therefore did not admit or deny.

mickie.kext
March 17th, 2010, 10:48 PM
Where in the linked article did he claim MS is more secure and failed to admit to theirs?

The article was not about MS bugs it was about a bug tracker for Ubuntu. He was not discussing MS bugs therefore did not admit or deny.

Why would an MS employee talk about Ubuntu bugs, other than to trash and bash the competition and make the point how Windows is safer?

Also, picture in #7 is also from same Jeff Jones's blog (If I understood correctly). It tries to show how Windows is more secure, omitting and skewing some facts in process.

gnupipe
March 17th, 2010, 10:51 PM
why would an ms employee talk about ubuntu bugs, other than to trash and bash the competition and make the point how windows is safer?

+1

KiwiNZ
March 17th, 2010, 10:56 PM
Why would an MS employee talk about Ubuntu bugs, other than to trash and bash the competition and make the point how Windows is safer?

Also, picture in #7 is also from same Jeff Jones's blog (If I understood correctly). It tries to show how Windows is more secure, omitting and skewing some facts in process.

The article linked in post #1 was Tuesday, March 09, 2010 11:11 PM jrjones

The article linked in post #7 is http://dylanmccall.blogspot.com/2008...nterprise.html

A year earlier, please present correct statements not

Fear

Uncertainty

Doubt

swoll1980
March 17th, 2010, 11:02 PM
The way the article is presented makes it a bash attempt. "I discovered Ubuntu". As if this is all there is to know about it. Would be like "I discovered the elephant man" He's pretty damn ugly! Oh that's not a bash attempt, it's constructive criticism. Take your blinders off Kiwi.

KiwiNZ
March 17th, 2010, 11:18 PM
The way the article is presented makes it a bash attempt. "I discovered Ubuntu". As if this is all there is to know about it. Would be like "I discovered the elephant man" He's pretty damn ugly! Oh that's not a bash attempt, it's constructive criticism. Take your blinders off Kiwi.

OK for clarity here is the text of his blog post

"
UBUNTU CVE TRACKER
Today I was looking at some of the various vendor security and advisory sites and I noticed at the top of the Ubuntu site: For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

I had not seen the Ubuntu CVE Tracker before, so I checked it out, very interested because of the fact that certain sites continue to assert and report that some Linux distributions do not have any Unpatched issues. For example, take a look at the page Vulnerability Report: Ubuntu Linux 9.10 on secunia.com (9.10 is Ubuntu Karmic Koala, released on October 29, 2009) and you'll see a couple of interesting summary statistics as shown here:

Looks good, eh? However, if you take a look at the CVE tracker, you get a view that is a bit different:

You can see the Risk Color Key, but it is about what you'd expect. Red is High or Critical, orange is Medium and yellow is Low. The asterisk means that this is a package maintained by Canonical instead of a 3rd-party.

I didn't bother to do a count, but I can see that the number of "needed" fixes is somewhat larger than zero; however, I did not see any RED = High vulnerabilities, so I did check one more thing – I wondered how these severity ratings mapped to CVSS as used by the National Vulnerability Database (ie, http://nvd.nist.gov). I spot-checked a few:

CVE-2009-4537, kernel, Orange(Medium) by Canonical, High(7.8) by CVSS
CVE-2009-4565, sendmail, Orange(Medium) by Canonical, High(7.5) by CVSS
CVE-2010-0408, apache2, Orange(Medium) by Canonical, Medium(5.0) by CVSS
CVE-2010-0433, openssl, Orange(Medium) by Canonical, Medium(4.3) by CVSS
CVE-2007-5901, krb5 (kerberos), Yellow(Low) by Canonical, High(10.0) by CVSS
There were 474 CVE entries, so I didn't do a comprehensive check, but it turns out that there are more than a few of these unfixed vulnerabilities that are rated High by CVSS.

Filed under: Security, Open Source, Ubuntu, CVSS, Vulns, Vulnerabilities, Secunia"

He did NOT say "I discovered Ubuntu".

I do not have blinders on. However I am not prejudiced against any OS. Why? Because they are just OPERATING SYSTEMS. I use probably every day Windows, OSX and Linux. Weekly add in HP-UX, Solaris and others.

I have worked with many folks from Microsoft and guess what, they are nice people, doing their jobs, just like the folks at Canonical, Redhat, Novell, IBM, Apple etc etc etc
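The quoted post's spot-check is a reconciliation that a defender can automate: take each entry's distribution priority, compute the qualitative band the NVD assigns to its CVSS base score, and flag the entries where the NVD band outranks the vendor rating. The script below is an added example and is not code from the blog post or from Ubuntu's CVE Tracker; it parses the five spot-check lines exactly as quoted above (constructed sample input) and uses the CVSS v2 bands NVD used at the time (0.0-3.9 Low, 4.0-6.9 Medium, 7.0-10.0 High). The line format, the `Entry` type and the function names are assumptions of this example, not the tracker's own format or API.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the five spot-checks quoted from the blog post above.
SPOT_CHECKS = """\
CVE-2009-4537, kernel, Orange(Medium) by Canonical, High(7.8) by CVSS
CVE-2009-4565, sendmail, Orange(Medium) by Canonical, High(7.5) by CVSS
CVE-2010-0408, apache2, Orange(Medium) by Canonical, Medium(5.0) by CVSS
CVE-2010-0433, openssl, Orange(Medium) by Canonical, Medium(4.3) by CVSS
CVE-2007-5901, krb5 (kerberos), Yellow(Low) by Canonical, High(10.0) by CVSS
"""

# Assumed line format (hypothetical, matches the quoted text):
#   <CVE id>, <package>, <colour>(<vendor rating>) by Canonical, <band>(<score>) by CVSS
LINE_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,}),\s*(?P<pkg>[^,]+),\s*"
    r"(?P<colour>\w+)\((?P<vendor>\w+)\) by Canonical,\s*"
    r"(?P<band>\w+)\((?P<score>\d+(?:\.\d+)?)\) by CVSS$"
)

# Ordering used to compare a vendor priority word against an NVD band.
RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Entry:
    cve: str
    package: str
    vendor_rating: str   # Canonical's word inside the parentheses
    cvss_score: float    # NVD CVSS v2 base score


def cvss2_band(score: float) -> str:
    """NVD's CVSS v2 qualitative bands: 0.0-3.9 Low, 4.0-6.9 Medium, 7.0-10.0 High."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def parse_spot_checks(text: str) -> List[Entry]:
    """Parse the quoted spot-check lines; reject lines whose stated band contradicts the score."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {line!r}")
        score = float(m["score"])
        if m["band"] != cvss2_band(score):
            # The text's own band label and its numeric score disagree: treat as a data error.
            raise ValueError(f"{m['cve']}: stated band {m['band']} does not match score {score}")
        entries.append(Entry(m["cve"], m["pkg"].strip(), m["vendor"], score))
    return entries


def underrated(entries: List[Entry]) -> List[Tuple[str, str, str, str]]:
    """Return (cve, package, vendor_rating, nvd_band) for entries whose NVD band outranks the vendor rating."""
    flagged = []
    for e in entries:
        band = cvss2_band(e.cvss_score)
        if RANK[band] > RANK[e.vendor_rating]:
            flagged.append((e.cve, e.package, e.vendor_rating, band))
    return flagged


if __name__ == "__main__":
    for cve, pkg, vendor, band in underrated(parse_spot_checks(SPOT_CHECKS)):
        print(f"{cve} ({pkg}): vendor {vendor}, NVD {band}")
```

Run against the quoted lines it flags the kernel, sendmail and krb5 entries, which is the blog's finding. A mismatch is a prompt to review the priority, not proof that it is wrong: a distribution's priority can legitimately reflect its default configuration and exposure, while the NVD score is context-free.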

rottentree
March 17th, 2010, 11:35 PM
I have worked with many folks from Microsoft and guess what, they are nice people

Do they really have horns on their forehead?

gnupipe
March 17th, 2010, 11:41 PM
I have worked with many folks from Microsoft and guess what, they are nice people, doing their jobs, just like the folks at Canonical, Redhat, Novell, IBM, Apple etc etc etc

How much money you got from uncle Bill? Just asking.

mickie.kext
March 17th, 2010, 11:43 PM
The article linked in post #1 was Tuesday, March 09, 2010 11:11 PM jrjones

The article linked in post #7 is http://dylanmccall.blogspot.com/2008...nterprise.html

A year earlier , please present correct statements not

Fear

Uncertainty

Doubt
Post #7 actually talks about this http://blogs.technet.com/security/archive/2008/01/23/download-windows-vista-one-year-vulnerability-report.aspx

While thread is about this http://blogs.technet.com/security/archive/2010/03/09/ubuntu-cve-tracker.aspx

Why is it important that there was 1 year between posts? I am just saying that the guy is biased.

I really don't see what you think is FUD here? I am confused. I would rather think that Jeff Jones is making FUD because he incorrectly counts bugs.

And I did not say that MS employees are bad people, just that Microsoft is a competitor to Linux and has to be hostile to it and find any way to slow it down. Therefore, nobody should believe what an MS employee says about Linux (publicly, at least) because it is his job to hide Linux's good sides and try to expose bad ones.

Also, nobody should expect Red Hat employees to say nice things about Windows. They need to show their customers why Windows sucks and why RHEL is better. Everybody has some bias. That does not make them bad people.

Rowen91
March 17th, 2010, 11:45 PM
Cause nobody knows about us doesn't hurt either :).
I think because Linux is so supported, the moment there's a vulnerability someone somewhere has found a way to fix it.



FOSS FOREVER!!!

Post Monkeh
March 17th, 2010, 11:46 PM
Of course the guy is biased, he's an employee of Microsoft, it's in his interest to make his company's product look better than others, but he isn't telling any lies

fewt
March 17th, 2010, 11:48 PM
How much money you got from uncle Bill? Just asking.

Are you serious? So, he's automatically a f...ing shill because he has a brain and an intelligent opinion?

What the h..l is wrong with you people?

phrostbyte
March 17th, 2010, 11:49 PM
A pro-FOSS book written by a veteran Microsoft employee:
http://www.lulu.com/content/4964815

A [mildly] pro-FOSS book written by Microsoft Research:
http://research.microsoft.com/en-us/collaboration/fourthparadigm/4th_paradigm_book_part4_lynch.pdf

The author/maintainer of LaTeX and many of the current maintainers of GHC (the Haskell compiler) work for Microsoft Research. Not everyone in Microsoft is anti-FOSS, especially their research division is full of people who go against the upper management. Possibly why MSR got hit very hard by layoffs. :)

Microsoft has had a very hard time getting their employees to drink the kool-aid in general. You may continue to see "Microsoft" do things that are seemingly out of character because of this.

Frak
March 17th, 2010, 11:51 PM
How much money you got from uncle Bill? Just asking.
Yeah, very mature.

Name change
March 17th, 2010, 11:54 PM
Not trying to be a brown-noser, but I think this thread has run its course...
Like any other Microsoft-centric thread it began nicely with a post by an MS dev about the Ubuntu bug list and soon deteriorated into a full-fledged flame fest of BoycottNovell proportions.

Frak
March 17th, 2010, 11:55 PM
Not trying to be a brown-noser, but I think this thread has run its course...
Like any other Microsoft-centric thread it began nicely with a post by an MS dev about the Ubuntu bug list and soon deteriorated into a full-fledged flame fest of BoycottNovell proportions.
BTW, nice avatar.

phrostbyte
March 17th, 2010, 11:55 PM
Not trying to be a brown-noser, but I think this thread has run its course...
Like any other Microsoft-centric thread it began nicely with a post by an MS dev about the Ubuntu bug list and soon deteriorated into a full-fledged flame fest of BoycottNovell proportions.

Another success by the Power Rangers?

gnupipe
March 17th, 2010, 11:56 PM
Yeah, very mature.

Your new avatar is strange.

pookiebear
March 18th, 2010, 12:06 AM
I posted this as a comment, let's see if it shows up.

"if you look at the percentage of apps that were updated/patched on the CVE and compare that to the percentage of apps that were patched updated in windows? who wins?.. who cares.
At work I sell and support 100% Microsoft products for 100s of business customers, I work for a MS Silver Partner. But everyone I work with hates the bloated apps, and the spyware fight everyday....FakeAV anyone?
So at home I use a linux OS because it works just like Windows and it is free. For the 2.7gb of hard drive space it takes up, it includes the OS, music editing software and 2 different suites of open source MSOffice clones. Plus a photoshop clone. And all of it is 64 bit. Something about free just rings to the tune of Awesome.

Added to that, there are AV products for linux too. I should know, I had to install and run 7 of them simultaneously to get my computer benchmark tests to slow down to the speed of a fresh install of Windows 7 with nothing else running.

If you really want to impress me with a Microsoft product. Go back to windows 2000. Add the latest Directx to it and fix the security flaws that the spyware guys love to attack. And stop the SQL instance installs in the 07 versions of office. They always break when you have to uninstall the trial version that comes on every new computer. When it breaks you can't install the customer's copy of office 2003 that they all like better.

Don't get me wrong here, I am not a fanboy of linux at all. I happen to like my wife's macbook pro better. I just can't stomach the thought of paying that much money when I can get 99.9%-100.1% of a mac for free with linux.

I apologize for misspellings and bad grammar above. I have been a computer tech for 20 years, not an english major. "

-pb

swoll1980
March 18th, 2010, 12:08 AM
He did NOT say "I discovered Ubuntu".



I just reread the article. I don't know where the hell I got it from. I could have sworn he said it. This just makes me feel like a stupid *******.

swoll1980
March 18th, 2010, 12:19 AM
Anyways, there's nothing wrong with criticism. However, when all one does is criticize, it's hard to take what they are saying as an unbiased opinion. Reminds me of this interview I saw with Bill Gates and Steve Jobs. They were asked to say something nice about each other's companies, and they barfed out these generic canned responses, making sure they didn't accidentally give each other any kind of credit for anything. Makes me want to punch them.

Frak
March 18th, 2010, 12:20 AM
Anyways, there's nothing wrong with criticism. However, when all one does is criticize, it's hard to take what they are saying as an unbiased opinion. Reminds me of this interview I saw with Bill Gates and Steve Jobs. They were asked to say something nice about each other's companies, and they barfed out these generic canned responses, making sure they didn't accidentally give each other any kind of credit for anything. Makes me want to punch them.
You mean, IN THE FACE?

Name change
March 18th, 2010, 12:35 AM
What's wrong with a prissy pink unicorn? Personally I like his avatar, but mine is way better. :D
Nah, mine is better :D

swoll1980
March 18th, 2010, 12:41 AM
Now you feel like a stupid *******? /Looks at swoll1980's avatar


Yeah what's wrong with swoll's avatar?

Frak
March 18th, 2010, 12:45 AM
Yeah what's wrong with swoll's avatar?
Pink Ranger > Pink Pony

swoll1980
March 18th, 2010, 12:50 AM
Pink Ranger > Pink Pony

You guys should have done Voltron (http://en.wikipedia.org/wiki/Voltron) instead. They're way cooler.

Frak
March 18th, 2010, 12:55 AM
You guys should have done Voltron (http://en.wikipedia.org/wiki/Voltron) instead. They're way cooler.

http://imgur.com/eEGu4l.jpg > http://imgur.com/eBXve.jpg

cariboo
March 18th, 2010, 01:00 AM
This thread seems to have wandered way off topic, I believe there is a Power Ranger thread already. Keep it on topic, or it will be closed.

Chame_Wizard
March 18th, 2010, 02:07 AM
I smell an irony here.:lolflag:

And Frak, 50+% of PR footage, monsters etc (since day 1 till RPM) are coming from the Japanese original. (http://tvtropes.org/pmwiki/pmwiki.php/Main/SuperSentai)

Kenny_Strawn
March 18th, 2010, 04:18 AM
For an MS employee to finally like Linux is amazing. Not surprising, however, as Keith Curtis also is a Linux fan now...

witeshark17
March 18th, 2010, 04:24 AM
It's clearly easier to keep Unix type systems secure.

Frak
March 18th, 2010, 04:55 AM
It's clearly easier to keep Unix type systems secure.
Security is a very difficult thing to enforce and solely depends on the person at the workstation in the end. Having a smart user makes any system secure.

aala
April 16th, 2010, 02:52 PM
This guy sucks, he's just a hater!...
No matter what they say, GNU/Linux Distros are better than MS Crap; And they are feeling the pressure, that's why they are throwing **** at us!
But anyway that's the only thing losers can do,... just talk!....Nothing but Bark like dogs!

Doctor Mike
April 16th, 2010, 04:56 PM
This guy sucks, he's just a hater!...
No matter what they say, GNU/Linux Distros are better than MS Crap; And they are feeling the pressure, that's why they are throwing **** at us!
But anyway that's the only thing losers can do,... just talk!....Nothing but Bark like dogs!

Aala, your post could be seen as demonstrating hate of MS and people who promote it. I don't think anyone needs to sink to a low level when the high road is in front of them. It's more likely that the blog originator lacks the knowledge to evaluate security on a Linux platform. This thread, however, could be useful to people like "me" for example to help me separate what is and is not a valid security concern. So, I would not like to see it closed.

Would like some feedback on ways to make real (Ubuntu and related software) security issues more understandable to lay users (I personally don't like taking things on faith). I could see how a lay user would make the same mistake the blog originator did.

techn0mad
April 17th, 2010, 04:16 PM
Would like some feedback on ways to make real (Ubuntu and related software) security issues more understandable to lay users (I personally don't like taking things on faith). I could see how a lay user would make the same mistake the blog originator did.

There are probably gigabytes of discussions about the topic of Windows vs. <your OS here> security. I gave up trying to count vulnerabilities some time ago and focused on the question: Why would Microsoft not resolve such persistent and widely perceived problems with its flagship product? While I'm not certain it is easy to explain to "lay users", I believe that the reason is because of a decision Microsoft made long ago in order to increase its user base and to grow its business (the long description of this can be found in the middle of this (http://www.joelonsoftware.com/articles/APIWar.html) post on the excellent "Joel on Software" (http://www.joelonsoftware.com) site).

Deferring the explanation of the details, the reason Microsoft does not fix their security problems is simply because they cannot. There is a deep flaw with the architecture of the Windows OS, and if they fixed it, millions of existing Windows applications would stop working. Microsoft needs those millions of applications to continue working in order to maintain their market share, and therefore they cannot fix the problem.

As to the details of the problem, my understanding is that due to its size, Windows has many cases where buffer overflows (http://en.wikipedia.org/wiki/Buffer_overflow) can be used by an attacker to inject small bits of his/her own code into the system. This is not at all unique to Windows, as can be seen by checking the CERT vulnerability databases (http://www.us-cert.gov/cas/techalerts/). The problem in Windows is that communications between various programs, threads, windows, dialogs, etc. are done using messages. To close a dialog box in Windows, you send it a message saying "close". Put simply, the architectural flaw is that there is no control over who can send what messages to whom. Once you can run some code anywhere on a Windows box, you can send any message to any part of the system and have your way.

Microsoft can spend week after week finding and fixing buffer overflow errors in their software, but there is a vast pool of non-Microsoft applications they cannot control or fix, and all it takes is one buffer overflow somewhere to get access to the messaging system in Windows and the attacker can take full control. I am not a Windows programmer and I don't claim to know all of the gory details, but if you look up "Shatter Attack" (http://web.archive.org/web/20060115174629/http://security.tombom.co.uk/shatter.html) you will find information about one of the fundamental, architectural security problems in Windows. Look up "Windows Privilege Escalation" (http://sec.apotheon.org/articles/the-importance-of-privilege-separation) to find more. I have a colleague at work who used to work at MS, and he said that someone had a blog there explaining how to run Windows with privilege separation enabled (i.e. the system runs as the administrator, and you run as a normal user) and apparently most applications software will not work in this environment.

This is why I find it amusing when Microsoft FUDsters hold up a vulnerability in Linux or OS X and try to use it to claim that Windows is no less secure than other systems. An early OS X virus required the user to agree to execute it, and then to enter the superuser/root password. In most Windows exploits, the same steps take milliseconds to complete, without any user intervention at all. That is simply the root of the problem. Linux, UNIX, OS X, etc. are fundamentally more secure due to their (correctly implemented) security architecture and privilege separation model.

This is why I tell anyone who will listen to simply install Ubuntu and leave Windows behind. :)

On a darker note, this is also why we are all growing more and more vulnerable (http://www.linuxinsider.com/story/33504.html) to so called cyber-attacks (http://en.wikipedia.org/wiki/Advanced_Persistent_Threat). The use of Windows is so prevalent in industry and government that attackers have an easy time to get in and take whatever they want, primarily due to the Windows monoculture (http://en.wikipedia.org/wiki/Monoculture_%28computer_science%29) in these environments. It may be more important to get people in these areas to consider switching away from Windows than your mother or your neighbor.

toupeiro
April 17th, 2010, 05:24 PM
I haven't seen my post show up on his blog, but here it is/was:


Ok, lets follow your logic down the rabbit hole a bit:

In the last 10 years, how many exploits and back doors have not only been found, but executed against on windows servers, Microsoft web servers, and databases? How many against the same set of criteria running Linux OSes? How many web browser vulnerabilities has windows been hit by due to the nature of how the web browser was an integrated component of the GUI? You seem to be using this post as a way to imply that Linux is not more inherently secure than windows environments, but having supported both environments in real world enterprise situations, I can tell you that the track record in the data centers I've supported or known people to have supported tells a different truth. I've sat in meetings with Microsoft consultants assessing securities around technologies merely because they were Microsoft implemented technologies, where with alternative choices, compliance could be reached on other platforms with much reduced investment in time and money.



To run a secured windows computing environment, it's been my experience that the TCO is much, much higher than it is to run a secured linux computing environment, but the actual level of security attained on a linux computing environment is higher. In the last 10 years, I cannot ever remember having one unplanned outage due to a security vulnerability that was exploited on a linux environment. I simply can't say the same for windows. It's still a very good, versatile, and very broadly used OS, but its visibility is also its strongest downfall from a security standpoint. If we're purely focusing on security here, it's hard to argue against that fact. Leaving everything else promoting security in linux aside, its smaller footprint is also a component making it more inherently secure. As it grows, that statement will have diminishing returns, but the nature of how open source software works and is patched still keeps a buffer of security Windows simply cannot have because anyone can pop the hood and check the engine. You aren't forced to keep going back to the same mechanic who, perhaps, has lost a little steam in getting things fixed fast enough because he's overcommitted himself.

jkxx
April 17th, 2010, 07:06 PM
techn0mad and toupeiro pretty much nailed it there.

Microsoft has been paying for skewed 'studies' that make FOSS software look bad when compared to Windows for years, so that's nothing new. TCO's been their favorite statistic to overemphasize for as long as I can remember. (Slashdot discussions from before 2005 come to mind..)

It boils down to a set of talking points Microsoft pushes onto the business types of companies (who usually aren't too tech-savvy) to entice them to go the Windows route. Once hooked, they don't really have a choice but to stay with Windows.

I'll refrain from commenting on the technical merits of Linux and Windows here though. :)

techn0mad
April 17th, 2010, 08:38 PM
techn0mad and toupeiro pretty much nailed it there.

Microsoft has been paying for skewed 'studies' that make FOSS software look bad when compared to Windows for years, so that's nothing new. TCO's been their favorite statistic to overemphasize for as long as I can remember. (Slashdot discussions from before 2005 come to mind..)

It boils down to a set of talking points Microsoft pushes onto the business types of companies (who usually aren't too tech-savvy) to entice them to go the Windows route. Once hooked, they don't really have a choice but to stay with Windows.

I'll refrain from commenting on the technical merits of Linux and Windows here though. :)

It's pretty much become a recycled meme:

1970: "Nobody ever got fired for buying IBM"

2010: "Nobody ever got fired for buying Microsoft"

The interesting question is who will the next contender be?

techn0mad
April 17th, 2010, 08:47 PM
I haven't seen my post show up on his blog, but here it is/was:

I attended a webcast a few weeks ago from a security outfit called Mandiant (http://www.mandiant.com). They are a heavy-duty network security group who originally coined the phrase "Advanced Persistent Threat" (http://en.wikipedia.org/wiki/Advanced_Persistent_Threat) (APT). These guys have years of three-letter government agency and military experience under their belts.

In the webcast they went on about how the current set of attackers are patient, methodical, and sophisticated and they are out to steal valuable information from pretty much anyone who has some (i.e. Google, Adobe, Northrop Grumman, etc. etc.).

After the webcast, during the question period, I asked the presenter if they had any experience dealing with APT in non-Windows environments (i.e. Linux). He said that it had been years since they had heard of any incidents that did not involve Windows in some way.

QED

earthpigg
April 17th, 2010, 09:22 PM
My conclusion:

The article is designed to discredit Secunia, not Ubuntu.

-he points out that Secunia claims Ubuntu to be free of security vulnerabilities.
-not even Ubuntu makes such a claim.

-leaves the reader to conclude that "Secunia is not a reliable source of information."

This serves the best interests of Microsoft as Secunia has been critical of MS in the past.

nothing to see here folks, move on.

toupeiro
April 17th, 2010, 09:42 PM
My conclusion:

The article is designed to discredit Secunia, not Ubuntu.

-he points out that Secunia claims Ubuntu to be free of security vulnerabilities.
-not even Ubuntu makes such a claim.

-leaves the reader to conclude that "Secunia is not a reliable source of information."

This serves the best interests of Microsoft as Secunia has been critical of MS in the past.

nothing to see here folks, move on.

No, that's not all he's saying:


can't say I've just discovered Ubuntu, as I've written about it several times in the past and I'm pretty upfront about trying to examine the reality behind Linux-fan claims that Linux distros are somehow "inherently more secure."

He also makes this statement:


wouldn't you say that Mozilla just happens to be the team responsible for development in the Ubuntu distribution in the same way that the IE team is the responsible development team for the Windows 7 "distribution" (OS)?

I can even say "yep, if there is a vuln in Firefox, it is definitely not Ubuntu or Red Hat's fault." However, does that matter to the use of the operating system?

This really makes it sound like he doesn't understand how integrated his own product is which he is paid by Microsoft to support. If he's actually suggesting, by posing a question like this, that the limit of exposure to system compromise produced to the OS by Firefox is no different than the limit of exposure to system compromise by IE, he's been out to lunch for the last decade on security exploits. IE's development and integration has been DIRECTLY responsible for some horrible system exploits at levels Firefox could never impose purely on the way IE integrates with the Explorer shell in Windows. He's using Secunia as his scapegoat for the different message he's trying to convey, IMO.

Maybe I read in between the lines too much, but simply put, I've seen too many MS dog and pony shows touting how secure they are, and I've seen their products just get riddled with massive exploit after massive exploit. I'm tired of giving them the benefit of the doubt. :P

clanky
April 18th, 2010, 10:51 AM
Is he a microsoft employee - Yes

Are his comments designed to promote Microsoft products over others - very probably.

Is he wrong - Absolutely not.

The biggest security vulnerability in Linux is the misguided idea that Linux is impervious to malware. Many users believe that because they are running linux they can't get viruses and do not have to consider security as an issue.

Regardless of this guy's motives, what he is saying should be taken as a wake-up call to the Linux community - Stop claiming that Linux is secure - by playing down security vulnerabilities or in many cases denying that there are any you are also playing down / denying the need for them to be resolved.

The 2 biggest fallacies peddled by people who claim that Linux is inherently more secure than other platforms are these:

1. Linux server security == desktop security

There is a huge difference between securing a server running server processes against external attack and securing a desktop OS against the idiot sitting behind the keyboard. The main security vulnerability in any desktop OS system is the user; if a user can be persuaded to install malicious code then no amount of security features will help. This is where the slightly misguided "security through obscurity" argument has some merit: Linux is not secure because no-one knows about it, but it is less vulnerable to attack because its relatively small user base is generally more tech savvy to start with and is less likely to click on the free_porn_virus icon.

2. The fact that Linux users are less vulnerable to attack == Linux is more secure

Yes, Linux users are less likely to be affected by malware than Windows users, that is an almost indisputable fact, but that is not the same as saying that desktop Linux is inherently more secure than Windows. If Desktop Linux had the same number of users as Windows it would also have the same number of people creating malware and the same number of "idiot" users who click on every link they find and click OK to every security warning.

jkxx
April 18th, 2010, 11:42 AM
Some of the security claims are technical, others are architectural.

For example, on x86 architectures both Linux and Windows run in protected mode, in many cases with NX (no execute) protection added on. What does this mean? In both cases it means that it's non trivial for a random app to corrupt the kernel or memory it should not have access to. Non trivial does not mean impossible, however, so this only goes so far.

Traditionally, Windows has fared worse in this aspect for a number of reasons. The top one I can think of is the inclusion of [closed source] graphics drivers into the kernel, known as ring0. This makes 3D games somewhat faster on Windows, but it means the 3D API can be exploited to take over the kernel. Linux tries to stay away from closed-source drivers so the attack surface on the kernel is smaller. (This is why people are unhappy about Nvidia's binary-only drivers for Linux as they pose the same problem.)

That was the technical side. On the architectural side, Windows started off as a non-multitasking, single-user OS - security and user separation were not in the original design. In contrast, Unix (including Linux) had these from day 1. This means that software on Linux is automatically limited to doing damage at most to the current user's profile folder, since most software does not need to be run as root. In Windows there is no such separation (yes, UAC bit coming shortly) so a program can arbitrarily access anything the OS can - and most Windows apps assume the user is an admin (root) and behave accordingly.

Microsoft has come up with a band-aid approach to the above in the form of User Account Control and file locking for the OS, but it hasn't worked very well. Apps still expect to have access to everything, users click through or disable UAC, and the same problems result in the end.

In conclusion, Linux IS more secure because the OS incorporates true user separation where Windows does not. Exploits can still get into the kernel and cause trouble so Linux is definitely not impervious to malware. The difference here is a locked door vs an open one in Windows.
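Two of the protections jkxx's post rests on, NX support and running as an unprivileged user, are things a defender can verify on a Linux host rather than take on faith. The following is an added example, not jkxx's code and not anything from the thread; the sample /proc/cpuinfo text is constructed, and the helper names (parse_cpuinfo_flags, nx_supported, is_unprivileged, writable_system_paths, host_report) are my own.

```python
"""Host checks for NX support and user separation on Linux.

Added example, not code from the thread. SAMPLE_CPUINFO is a constructed
excerpt in the /proc/cpuinfo format; on a real host host_report() reads the
real file. Presence of "nx" in the flags line means the CPU advertises
execute-disable; the kernel's boot log ("NX (Execute Disable) protection:
active") confirms the kernel is actually enforcing it.
"""
import os

# Constructed excerpt of /proc/cpuinfo; the "flags" line carries the feature bits.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca "
    "cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc\n"
)

# Directories an unprivileged user should not be able to modify.
SYSTEM_PATHS = ("/etc", "/usr/bin", "/usr/lib", "/boot")


def parse_cpuinfo_flags(text):
    """Return the set of CPU feature flags found in /proc/cpuinfo text."""
    flags = set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            flags.update(value.split())
    return flags


def nx_supported(cpuinfo_text):
    """True if the CPU advertises the NX (execute-disable) feature."""
    return "nx" in parse_cpuinfo_flags(cpuinfo_text)


def is_unprivileged(euid=None):
    """True when the effective uid is not root (uid 0)."""
    if euid is None:
        # os.geteuid does not exist on Windows; treat that as unknown (-1).
        euid = getattr(os, "geteuid", lambda: -1)()
    return euid != 0


def writable_system_paths(paths, access=os.access):
    """Paths the current user could write to; non-empty means separation is weak."""
    return [p for p in paths if access(p, os.W_OK)]


def host_report(cpuinfo_text=None, euid=None, paths=SYSTEM_PATHS):
    """Combine the checks into one dictionary for logging or assertion."""
    if cpuinfo_text is None:
        try:
            with open("/proc/cpuinfo") as fh:
                cpuinfo_text = fh.read()
        except OSError:
            cpuinfo_text = ""  # not a Linux host; NX reported as unsupported
    return {
        "nx_supported": nx_supported(cpuinfo_text),
        "unprivileged": is_unprivileged(euid),
        "writable_system_paths": writable_system_paths(paths),
    }


if __name__ == "__main__":
    for key, value in host_report().items():
        print(f"{key}: {value}")
```

Run as an ordinary user, writable_system_paths should come back empty; if it lists anything, the separation jkxx describes has been undone on that host (by permissions, by running as root, or by mounting options), which is the kind of misconfiguration that matters more than whether the distribution is "inherently" secure.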

michaeldt
April 18th, 2010, 12:26 PM
A short story:

Around 7 years ago whilst temping at a university I was testing their roll-out of XP. At the time they had included in the default install a Microsoft screen-saver called Bliss, which was available from the MS website as part of their XP promotional material.

The screen-saver was essentially a cut down version of windows media player which looped a video of clouds over green hills (similar to the default background image.)

By accident, I discovered that it was possible to right click whilst the screen-saver was active and, instead of interrupting the screen-saver, a typical right click menu would show up, the same one you would get if you right-clicked a video in Windows Media Player. On the menu was the option to open a file. Importantly, this occurred even when the desktop had been locked.

Upon opening the 'open file' dialog I was able to browse the entire hard drive. From here you could simply go to the windows folder and run task-manager. Once inside task-manager you could kill explorer.exe and then using 'new task' you could re-run explorer.exe.

By doing this you would have access to the user's desktop, completely bypassing the lock-screen. This was all due to a screen-saver Microsoft had made available on their website.

(I have no idea whether a similar exploit could be done in linux)

Through a contact of my father's, this was reported to Microsoft, who shortly afterwards removed the offending screen-saver from the website. AFAIK, Microsoft have, to this day, never mentioned this issue. Whilst this isn't a remote security issue, it does affect the ability to locally secure a user's account without logging out. At the very least, Microsoft could have released a patch for the screen-saver which would disable any interaction to prevent the right click menu from being accessed.

Considering the number of XP installs still around, it makes me wonder if any other roll-outs of XP ever included this screen-saver...

blueturtl
April 18th, 2010, 03:49 PM
....The biggest security vulnerability in Linux is the misguided idea that Linux is impervious to malware. Many users believe that because they are running linux they can't get viruses and do not have to consider security as an issue.

I doubt anyone really believes Linux is impervious. The difference is that a Linux user does not constantly have to worry about things he or she doesn't know about. A Linux user knows that unless he or she does something stupid, the system will not be compromised. A Windows user does not. A Windows user might not need to do anything but leave his computer running on a network. Remember Blaster? Blaster could infect your system before you were done installing it if you had forgotten your network cable plugged in.

The biggest problems with Windows are design problems. The kind of stuff that no amount of code polishing will fix. edit: Meaning, Linux users probably believe that they can't get infected without playing some part in it.


Regardless of this guy's motives, what he is saying should be taken as a wake-up call to the Linux community - Stop claiming that Linux is secure - by playing down security vulnerabilities or in many cases denying that there are any you are also playing down / denying the need for them to be resolved.

The 2 biggest fallacies peddled by people who claim that Linux is inherently more secure than other platforms are these:

1. Linux server security == desktop security

There is a huge difference between securing a server running server processes against external attack and securing a desktop OS against the idiot sitting behind the keyboard. The main security vulnerability in any desktop OS system is the user; if a user can be persuaded to install malicious code then no amount of security features will help. This is where the slightly misguided "security through obscurity" argument has some merit: Linux is not secure because no-one knows about it, but it is less vulnerable to attack because its relatively small user base is generally more tech savvy to start with and is less likely to click on the free_porn_virus icon.

In Windows a tech savvy user might right click on free_porn_virus to remove it in his email and trigger Microsoft's autopreview feature. It will execute automatically for the user's convenience. Too bad he just wanted to put it in the trash.

Or he might plug in a USB key he got from an equally savvy friend he trusts and Windows executes autorun.exe on it. How is it that plugging in a USB memory stick could never ever infect a Linux system? Nevermind that. It's gotta be a stupid user's fault.


2. The fact that Linux users are less vulnerable to attack == Linux is more secure

Yes, Linux users are less likely to be affected by malware than Windows users, that is an almost indisputable fact, but that is not the same as saying that desktop Linux is inherently more secure than Windows. If Desktop Linux had the same number of users as Windows it would also have the same number of people creating malware and the same number of "idiot" users who click on every link they find and click OK to every security warning.

The more users == as much insecurity fallacy neatly ignores all the horrible default settings and services in Windows and the fact that Mac OS has more users now than it ever did before, and still less spreading viruses than in pre-OS X times.

Sorry if I come off a bit crude. I don't like it when regular users are called idiots. I've done enough tech support work to see that often the problems these less savvy people have (especially on Windows) are not due to their own stupidity but to faults in system design.

jvin248
April 18th, 2010, 04:37 PM
After breaking my all-Linux shop rule here and getting a Windows netbook for the spousal-unit (mostly was tired of hearing 'this ain't what I got at work'), three months in and, surprise surprise, she gets a virus on Windows!

The problem quickly became one of system recovery:
1- I expected the Windows netbook to have a recovery partition - there was none (had I known that I would have imaged that drive before handing it over - but few end-users even know to do this).
2- There was no repair CD/DVD. I had to order one from the manufacturer, pay for it, plus wait 5 days (cooling-off period, apparently).
3- No DVD-ROM drive to read the DVD sent to me - so had to try finding ways to install from a USB flash drive. Google ninja tricks required.
4- The repair CD/DVD was really meant to hold hardware drivers - not to wipe & reinstall the drive image back to factory defaults after a virus infection. So some Registry problems without solutions.
5- No official Windows LiveCD to work from. I had to use an Ubuntu LiveCD to futz around with the Windows files and search for what virus was in there and for clues on how to solve it.
6- 'why don't you take it in somewhere to have it fixed' .. which would result in a $100 charge plus $100 for the software reinstall. Only paid $200 for the netbook to start with.

Given that Windows is so insecure relative to viruses (and needs anti-virus programs that sap CPU cycles), why make it so difficult to recover? Acknowledge there is a fundamental problem but communicate easy recovery. Cars ride on soft squishy tires that pick up nails - so carry a spare! If MS were serious about the end-users they would protect the OS at the front end as much as possible and give the user some tools at the back end if something fails.

1- Windows OS should be on the root partition with all user data on a second protected partition (like Linux can have "/" and "/home" .. but only advanced users know this trick - should be an option in the install process to inform new users).

2- Windows should, on their site, have a way to get recovery USB flash drives and CD/DVD-ROMs of the software - by hardware S/N. No cost. (Linux could improve here by having a 'standard settings' patch for miscreant video drivers and wifi - a library of sorts that's faster than 'googling ninjas').

3- Windows should have a forum where virus fixes are posted.

4- What about a script on the Windows site that could be run to completely repair and restore a broken OS? Might need a special boot USB Flash stick with a safe OS to get on-line and start the repair/restore.

Of course .. all of these particular solutions could be used with Linux to enhance its user experience.

"Linux - unlikely to get a virus - but easy to recover if you do"

... and for those interested .. I gave up trying to make a go at Windows again (last use was 2005). After five days of futzing with it ... that netbook has a copy of Ubuntu 9.10 (UNR) on it now, installed in 20 minutes. Works flawlessly.