Forgot your password?
typodupeerror
Windows Operating Systems Software Bug Security

Vista Security Claims Debunked 315

Posted by CowboyNeal
from the setting-things-straight dept.
An anonymous reader writes "Apparently Microsoft still hasn't learned that counting vendor acknowledged vulnerabilities isn't a good way to establish the security of an OS. As an analysis of Microsoft's claims on Full Disclosure shows, we see that the methodology used was badly flawed. A bug in Firefox (not to mention emacs), counts as a flaw for Linux, while IE bugs get ignored on Vista's chart. Then we see that vulnerabilities aren't vulnerabilities when they're security-challenged features such as Vista's Teredo. Also, there's far too little consideration given to severity, given that it stoops to counting even extra access restrictions on a file in OSX to have something to show. In short, the original Microsoft analysis was good PR and poor research."
This discussion has been archived. No new comments can be posted.

Vista Security Claims Debunked

Comments Filter:
  • by MukiMuki (692124) on Thursday June 28, 2007 @08:16PM (#19683715)
    In other news, scientists have confirmed that water is, in fact, wet.
    • Re: (Score:3, Insightful)

      by Baron_Yam (643147)
      Yeah, I'm sorry, but by this time anyone who is surprised by MicroSoft misrepresenting facts instead of actually acting on problems is either an idiot or hearing about MicroSoft for the first time.
      • But, I just quit my job at Google and applied to work at Microsoft based on this: http://slashdot.org/article.pl?sid=07/06/27/131421 9/ [slashdot.org].

      • by catwh0re (540371) on Thursday June 28, 2007 @11:39PM (#19685369)
        MY absolute favourite security falsehoods are the various ways "researches" compare one system security to anothers

        Such straight forward conclusions are impossible to make. Based on the following points.

        - If many people are analysing code, you will find more bugs. If you don't review your code (or for example, don't have peer review - which closed source often lacks.) Then no bugs at all will be discovered.

        - The existing number of unfound bugs is related to the number of discovered bugs. Well no not really: The number of found bugs is actually related to how long and how many researchers have been testing and actively looking for the bugs and second to that is how buggy the software is. I can assign a team of one researcher with no experience and they'll never find any bugs in the poorest of software.

        - A difficult and obscure to exploit bug (one that requires a perfect storm of conditions) is as important as a bug that is easily exploitable(e.g. drive by downloads). Also with that: Bugs that bring down the whole system versus bugs that only fail a single service.(E.g. blue screen versus failing to display a JPG correctly.)

        - Differences in reporting models: Total lack of transparency versus an open forum. E.g. Microsoft vs Linux reporting. You can only compare reporting from the same kind of reporting models. E.g. You can compare kHTML versus Mozilla (as they are both open and have similar review structures), but not Windows vs BSD (the dissimilar reviews allow misrepresentation via favourable skews and different classification paradigms.

        • by I'm Don Giovanni (598558) on Friday June 29, 2007 @03:51AM (#19686577)

          If many people are analysing code, you will find more bugs. If you don't review your code (or for example, don't have peer review - which closed and open source often lacks.) Then no bugs at all will be discovered.

          Fixed that for you.
          • Re: (Score:3, Interesting)

            by jc42 (318812)
            If you don't review your code (or for example, don't have peer review - which closed and open source often lacks.) Then no bugs at all will be discovered.

            Fixed that for you.


            Oh, I dunno 'bout dat. A year or so back, I got email about an open-source program that I'm responsible for, and which has a few hundred users that I know of. It was from a couple of guys in a college course about computer security. They explained a security hole (buffer overflow) and gave an example that exploited it. I fixed th
        • by digitig (1056110) on Friday June 29, 2007 @08:13AM (#19687535)

          - If many people are analysing code, you will find more bugs. If you don't review your code (or for example, don't have peer review - which closed source often lacks.) Then no bugs at all will be discovered.

          - The existing number of unfound bugs is related to the number of discovered bugs. Well no not really: The number of found bugs is actually related to how long and how many researchers have been testing and actively looking for the bugs and second to that is how buggy the software is. I can assign a team of one researcher with no experience and they'll never find any bugs in the poorest of software.

          There's a good discussion of this from software metrics guru Norman Fenton at http://www.dcs.qmul.ac.uk/~norman/papers/metrics_r oadmap.pdf [qmul.ac.uk], which shows that the existing number of unfound bugs is related to the number of discovered bugs. It's related negatively. In one sense this is a "well, duh!" finding -- that the more bugs you've discovered, the fewer are undiscovered. But much software quality assurance is founded on the assumption (which realise is what you were really challenging) that number of bugs discovered is positively correlated with number of bugs undiscovered. The empirical data says otherwise.
    • by WilliamSChips (793741) <full,infinity&gmail,com> on Thursday June 28, 2007 @08:25PM (#19683797) Journal
      Bears are Catholic. The Pope shits in the woods.
      • by cronot (530669) on Thursday June 28, 2007 @09:38PM (#19684425)
        ... and this is, scientists have concluded, Sparta.
        • Re: (Score:3, Funny)

          by Gorshkov (932507)
          Recent longitudinal studies released by the NIH in Atlanta, funded my grants from the Bill Gates foundation, have concluded that scientists are the leading cause of cancer in lab rats.
      • by EmbeddedJanitor (597831) on Thursday June 28, 2007 @09:40PM (#19684441)
        MS has the resources to actually generate amazingly good products and dominate on a level playing field.

        Unfortunately they seem to be so obsessed with winning by FUDing and spinning that they end up making crap. This is a great disservice to the whole computer industry.

        • by MightyMartian (840721) on Thursday June 28, 2007 @09:50PM (#19684527) Journal
          After all these years it surely must be clear to everyone that MS is fundamentally a marketing company. It stopped being a technology/software company nearly twenty years ago. Since marketing is basically legalized distortion and lying, no one should be surprised.
          • Re: (Score:3, Interesting)

            by h2_plus_O (976551)
            eehhhhh.... you've got that backwards. Back in the BSOD days, they were mostly marketing, sorta somewhat a little bit engineering. Today they're a for-real engineering shop with an overgrown marketing department. Today MS is much more solid from an engineering point of view than they were, say, 10 years ago. BSODs are waaaaay less common than they were- they're virtually a thing of the past- they're just an engineering shop with a lot of crap legacy code they inherited from their cowboy predecessors.
            • Re: (Score:3, Interesting)

              by MrManny (1026106)

              BSODs are waaaaay less common than they were

              Perhaps because Windows XP and Vista don't show BSODs anymore but rather just restart the whole system silently, leaving it up to the user's imagination what has caused this? I am not trying to rant (well.. okay, partially I do) but how exactly does stability issues concealment count as good engineering?

              • by Sigma 7 (266129) on Friday June 29, 2007 @01:56AM (#19686145)

                Perhaps because Windows XP and Vista don't show BSODs anymore but rather just restart the whole system silently, leaving it up to the user's imagination what has caused this?
                Right click on My-Computer, select properties. Click on Advanced System Settings. Under the advanced tab, click settings for Startup and Recovery. Uncheck Automatically Restart.

                Alternatively, press F8 during bootup and disable automatic restarts.

                I am not trying to rant (well.. okay, partially I do) but how exactly does stability issues concealment count as good engineering?
                Unless you are in a reboot loop, or have a persistent failure of your system, you generally want to restart the computer if there's a STOP error.
            • by jorghis (1000092) on Friday June 29, 2007 @02:09AM (#19686209)
              I would contend that they were very much an engineering shop back then. It isnt reasonable to compare MS products of the early 90s to Vista/Leopard/Whatever today. Back when windows 95 shipped it was head and shoulders technically better than the other operating systems targeting average everyday folks. Although in retrospect its pretty obvious that it was a mistake, noone at MS or anywhere else really worried too much about things like security on consumer PCs. It wasnt bad engineering so much as it was just not an issue at the time. Virtually all companies didnt see the consumer security problems coming, not just MS.

              Unlike most people here I do like Vista, but I honestly think that compared to their competitors they have lost a lot of ground in engineering strength compared to what they once were.
        • by Anonymous Coward on Thursday June 28, 2007 @09:55PM (#19684565)
          Marketing is cheaper than R&D.
          • by CaptainZapp (182233) * on Friday June 29, 2007 @01:56AM (#19686147) Homepage

            Marketing is cheaper than R&D.

            You haven't read an annual company report recently, or ever for that matter?

            Even in sdoftware - or pharmaceutical companies where one would assume that a lot is spent for research the R&D budget is usual ~18% (which varies, of course) while sales and marketing usually eats away approx. half of the costs.

            Sales, marketing and distribution is horrendously expensive and gets a far bigger chunk of the budget then R&D.

            This is a generalisation, of course, but true for the vast majority of companies.

            • Re: (Score:3, Funny)

              Marketing is cheaper than R&D.

              You haven't read an annual company report recently, or ever for that matter?
              You haven't read the title of the grandparent. He said he failed it, sheesh...you people.
            • Marketing has a much higher ROI potential than actual R&D, which may not even pan out. If it does, well, marketing is still more profitable in most cases. People will buy stupid shit if you market it properly. Particularly when it comes to computers or any other sort of information technology, which most people view the way the monkeys viewed the black monolith, as a mysterious object to be feared.

              Two prime examples from my line of work of people buying into marketing hype with zero understanding of
          • Not cheaper ... (Score:4, Insightful)

            by Ihlosi (895663) on Friday June 29, 2007 @03:51AM (#19686573)
            Marketing is cheaper than R&D.



            It's not cheaper (quite the contrary), but the effects of marketing are much more immediate than the effects of research. And it's the quarterly report that counts, not how the company is doing in three years.

          • Here's an actual example - the faculty head of a university department is conducting a corridor tour of your department with some visitors. One student has a poster presentation in the open common area with a couple of relevant textbooks on the table. Another student is out of sight in a research lab working on his/her research project. Who is the faculty head and the visitors going to consider to be the expert on their subject?

        • by golodh (893453) on Thursday June 28, 2007 @10:39PM (#19684863)
          It may be sad, but it's really straightforward: Microsoft is a typical profit maximizer. That's their aim. Every activity they do, be it product development, marketing, or plain PR is aligned with that central business goal.

          This means simply that Microsoft will generally pour just enough resources into a product to beat the competition and dominate the marketplace. We saw that with the browser war. When it had to overtake Netscape it came up with a good product. After it killed Netscape, and there was practically no other comparable browser, resources were taken off the browser product because it was good enough and there was no sense whatsoever in improving it.

          We saw it with the IDE's. When Microsoft had to compete with Borland {Borland Pascal; Borland C/C++} it came up with the 'Visual' IDE. Visual C, Visual Fortran. It was a good IDE, and it won against Borland. After that ... it languished. Now ... now that we're seeing the Eclipse IDE and SUN's IDE ... suddenly Microsoft floors the accelerator again.

          The same holds for the Operating System itself. Windows was systematically tailored to capture the eye of consumers and businesses, which it did very well. Never mind that the internals were {and still are} cludgy. What the user sees is the user-interface; that's what sells. Security flaws? Well ... as long as there is no competitor to which people can switch while retaining their investment in software and training ... security flaws aren't a show-stopper. Getting their own stuff to work was {previous Windows version have so many tightly coupled components that you never knew what would break next when you changed or added anything}, and that's why Jim Allchin very sensibly steered towards a properly engineered Windows. Vista in other words.

          Given that we're seeing Linux, OS-X, and Open Solaris competing in more or less the same market we also saw an increased effort from Microsoft to tart up the user interface. Those transparant windows thingies.

          This is something fundamental you have to understand about Microsoft. They are calculating folk, and never ever were trailblazers. Tail-light chasers, yes, but never trailblazers. 'Good Enough' is their goal, and their yardstick is ... the competition. Why? Because to Microsoft 'Good Enough' means 'Good enough to win in the marketplace and bring in revenue'. That's how Microsoft became so rich.

          • Bad examples (Score:3, Insightful)

            IE & Netscape: MS bought a browser and went further with it. They killed Netscape by giving away IE, not by IE being better.

            Visual Studio vs Borland: VS was never better than Borland on a level playing field. MS only completed by being a bully.

            My main point is that MS don't get their products Good Enough. MS get there by putting their effort into attacking the competition rather than by developing (or even offering) good products.

            I think MS marketing is more Mafia tactics than anything technical.

          • by MoxFulder (159829) on Friday June 29, 2007 @12:38AM (#19685737) Homepage

            We saw it with the IDE's. When Microsoft had to compete with Borland {Borland Pascal; Borland C/C++} it came up with the 'Visual' IDE. Visual C, Visual Fortran. It was a good IDE, and it won against Borland. After that ... it languished. Now ... now that we're seeing the Eclipse IDE and SUN's IDE ... suddenly Microsoft floors the accelerator again.
            Kind of like Intel vs. AMD, eh?

            x86 made only incremental gains from the 486 to the Pentium IV. Suddenly, wham! AMD comes out with the 64-bit Opteron and Athlon 64 and they kick the crap out of Intel on price, performance, and power consumption for a year or so.

            Now we've seen a ferocious flurry of innovation from Intel, which has suddenly been pouring money into R&D and taking advantage of its superior manufacturing processes. We've got Intel vs. AMD to thank for quad-core, low-power, hardware virtualization... and best of all, $59 dual-core 64-bit processors from Newegg :-)

            Now AMD is falling behind fairly rapidly, and we can expect Intel to slack off its R&D correspondingly. But in a year or five, AMD or someone else (VIA? IBM? MIPS?) will be back with something new and send Intel scrambling again.
            • by drsmithy (35869) <drsmithy.gmail@com> on Friday June 29, 2007 @03:53AM (#19686583)

              x86 made only incremental gains from the 486 to the Pentium IV. Suddenly, wham! AMD comes out with the 64-bit Opteron and Athlon 64 and they kick the crap out of Intel on price, performance, and power consumption for a year or so.

              I think you need to seriously revise your x86 history.

              That is not to say that x86_64 wasn't a significant improvement, but to basically suggest the Pentium, Pentium Pro/II/III and Pentium 4 were just faster 486s is ludicrous. Each of those CPU families represents a serious increase in the design and capabilities of the x86 platform and they all came from Intel. Indeed, one of the main reasons x86_64 was so significant was because it repesents one of the few times AMD has been the leader, not the follower, in the last few decades.

    • by Tumbleweed (3706) * on Thursday June 28, 2007 @11:53PM (#19685495)
      Au contraire - Gartner Group just released a study which concluded MS Water(tm) was not, in fact, wet*, unlike GNU/Water or H2O-BSD.

      (*) MS Water(tm) tested at temperatures below 0 degrees C and above 100 degrees C, GNU/Water and H2O-BSD tested between 0 degrees C and 100 degrees C.
  • by Anonymous Coward
    Well... no shit...
  • Shocked! (Score:5, Funny)

    by yotto (590067) on Thursday June 28, 2007 @08:21PM (#19683753) Homepage
    I am totally shocked. I just bought 10 licences too and threw away all my Linux computers!
  • by Bombula (670389) on Thursday June 28, 2007 @08:23PM (#19683773)
    These aren't the droids you're looking for.
  • Not surprising (Score:2, Insightful)

    by CyberPhoenix (1121789)
    Never believe anything MS says, they are untrustworthy.
    • MOD PARENT UP!

      Quote from the Slashdot story: "In short, the original Microsoft analysis was good PR and poor research." It amazes me how easily people accept abuse, and give excuses for being abused. It was not "good PR". My best understanding is that Microsoft's analysis was an intentional lie.

      My rule number one in dealing with Microsoft: Unless forced by circumstances, never upgrade to a new version of Windows until the second service pack is released. Let other people have the grief. The huge number of bugs in Windows XP before SP2 was very expensive for us. If I remember correctly, SP2 fixed more than 630 bugs, and some of the fixes were not documented. It is not only the vulnerabilities that are expensive.

      Quote from the link in the Slashdot story: "Also, the entire networking stack was rewritten for Vista, and that means lots of new bugs are present. I have already spoken to other researchers who have not disclosed such flaws publicly. However, a good start for learning about some is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues."

      Microsoft has, in my opinion, a long, long history of not allowing their programmers to finish their jobs. There were even security vulnerabilities in the Microsoft Help protocols!
      • by Lonewolf666 (259450) on Friday June 29, 2007 @04:13AM (#19686669)
        My rule number one in dealing with Microsoft: Unless forced by circumstances, never upgrade to a new version of Windows until the second service pack is released. Let other people have the grief. The huge number of bugs in Windows XP before SP2 was very expensive for us. If I remember correctly, SP2 fixed more than 630 bugs, and some of the fixes were not documented. It is not only the vulnerabilities that are expensive.
        Better yet:
        Wait until the service pack is out and independent reviewers are happy with it. Because if people stick to the rule "after SP X things are fine", it is merely an incentive for Microsoft to rush the service packs until the number X in question is reached.
        In the case of Vista, it seems Microsoft was already organizing the beta testing for SP1 before the OS was released to end users:
        http://news.com.com/2100-1016_3-6152704.html [com.com]
        That article was from January 23rd. Looks like the beginning of a trend to increase the SP count as fast as possible.
  • by Coopjust (872796) on Thursday June 28, 2007 @08:24PM (#19683785)
    Given the previous FUD Microsoft has put out about Linux (235 patents? Which patents?), I'm not really surprised to see this.

    Of course, if anyone should be counting browser flaws as OS flaws, it's MS. MS makes the case that they can't remove IE from the OS since it is integral to it working properly, yet doesn't count them on the vulnerability list.

    Meanwhile, FF doesn't even have to come with a Linux distro, and a bug that compromises FF as an app is much less likely to compromise the OS as a whole.

    Looks like more FUD to scare non technical people from "illegal" and "unsafe" Linux.
  • by Utopia (149375) on Thursday June 28, 2007 @08:24PM (#19683795)
    with the non-Core Linux components no longer listed because of based on the feedback.

    This just debunks the first report.
    • by CastrTroy (595695)
      Does it, or does it debunk the second report? It was my understanding that the first report included absolutely everything available for the distro, while the second report included less stuff, but still tons of stuff that isn't included in a base "windows" install.
      • Re: (Score:3, Informative)

        by dhasenan (758719)
        The second report lacked detail. It mentioned that the writer had removed some packages but kept GNOME around, but only about five lines were dedicated to each distro (there were four, though I believe two were Red Hat or strongly Red Hat based).

        Also, none of the vulnerabilities were enumerated, so you couldn't guess at what software was installed on that basis.

        So it's quite possible that the report was based on Linux, X11, and GNOME with the minimal amount of other stuff to make the system run, but somehow
        • Re: (Score:3, Informative)

          by ozmanjusri (601766)
          It mentioned that the writer had removed some packages but kept GNOME around, but only about five lines were dedicated to each distro (there were four, though I believe two were Red Hat or strongly Red Hat based).

          Some of the issues I noticed in the second report include:

          • choosing to assess Ubuntu 6.06 instead of 7.04 because "Ubuntu has only committed to long term support for 6.06 and not later releases."
          • The "apples to apples" feature set didn't compare actual default applications. Windows does have a
      • by Zeinfeld (263942) on Thursday June 28, 2007 @09:12PM (#19684251) Homepage
        Does it, or does it debunk the second report? It was my understanding that the first report included absolutely everything available for the distro, while the second report included less stuff, but still tons of stuff that isn't included in a base "windows" install.

        Regardless of whether it does or does not the claims are as silly and irrelevant as the slashdot stories 'proving' that Linux is more secure.

        The number of bugs is not relevant, it there is one bug the system is vulnerable. What matters is the window of vulnerability. The time between discovery of the bug by the bad guys and fixing it by the good guys.

        UNIX used to be known for its insecurity. Richie and crew invented the buffer overrun bug, Tony Hoare was referring to this blunder in C when he gave his Turing Award lecture he brought up the fact that the first principle of ALGOL 60 had been security.

        The perceived level of security of a system has much less to do with familiarity than any actual objective measure. None of the systems that are on the market today is built well enough for its supporters to start challenging others to this type of dick size measurement contest. Its silly and unhelpful.

    • by node 3 (115640)

      with the non-Core Linux components no longer listed because of based on the feedback.

      This just debunks the first report.
      Just debunks *one aspect* of the first report. Or did he take the other items into consideration as well?

      As it stands, this debunks the first and second (i.e., all) reports.
    • Re: (Score:3, Insightful)

      by walt-sjc (145127)
      While this FA may not be the right one, there are others that debunk the second report too. Links are in the last /. story on it. In short, the guy is a PR tool, and anyone that buys into the report is either naive in the extreme or just plain witless.
    • Re: (Score:3, Insightful)

      by Tsagadai (922574)
      This isn't relevant at all. The non-core microsoft programs (spyware *ducks*) are what case the problems when used with Windows. If you were to compare every linux program, even the major ones (like GNOME) you would be creating a false dicotomy. If you want to start doing that you also need to compare all windows programs, including spyware, viruses and bloatware. They have bugs too I'm sure at least the occasional virus has a buffer overflow or illegal interrupt so these should also count as errors in wind
  • Now... (Score:4, Funny)

    by Anonymous Coward on Thursday June 28, 2007 @08:27PM (#19683815)
    Does that sound like a people_ready business to you?
  • Teredo (Score:3, Insightful)

    by Umbral Blot (737704) on Thursday June 28, 2007 @08:29PM (#19683839) Homepage
    The rest of the complaints aside it may have very well been appropriate not to count Teredo as a vulnerability. Here's why: assume that windows was technologically backwards and couln't get on the internet. Would you then agree that Linux was less secure, because the possibility exists to hack it over the internet while that possibility does not exist for windows? No, that wouldn't be an appropriate assesment of security. To evaluate security we need to in a sense "divide by" the ability of the system to access other things. Teredo gives Vista the ability to get to ipv6 from behind a NAT, so vista has the ability to access more things (in this one limited way). Thus it should not be counted as a vulnerability unless Linux has a way to do the same thing, in which case we can compare the security implications of Linux's method versus Vista's method. But until then Terendo should be set asside when doing a security comparison (vesus an independant vulnerability assesment).
    • Re: (Score:2, Insightful)

      so because my old zx80 can't do a lot of things a modern pc can do, i shouldn't regard critical security problems in modern pcs as vulnerabilities?

      if microsoft opens a door for exploits they have a vulnerability. if another system also has a similar capability is totally irrelevant, also from the point of view of a comparison. the question is, is windows more secure or less secure because of this feature?
    • by Tony Hoyle (11698)
      Teredo doesn't really work though - I've wanted to use it on a couple of occasions just to get some connectivity on a temporary net connection.. and it's never worked once. It seems to require port forwarding setup on the router - and if you're going to do that you might as well open port 41 and use a 6to4, so you haven't gained anything.
    • by Wordplay (54438)
      assume that windows was technologically backwards and couln't get on the internet. Would you then agree that Linux was less secure, because the possibility exists to hack it over the internet while that possibility does not exist for windows?

      Yep, I would agree with that. Linux would be less secure, because it's hackable over wire, whereas your hypothetical GimpOS can only be hacked from the console. GimpOS may be considerably less capable in many ways, though, as is often the tradeoff.

      Since when does acce
    • by khasim (1285) <brandioch.conner@gmail.com> on Thursday June 28, 2007 @08:55PM (#19684123)

      Here's why: assume that windows was technologically backwards and couln't get on the internet. Would you then agree that Linux was less secure, because the possibility exists to hack it over the internet while that possibility does not exist for windows? No, that wouldn't be an appropriate assesment of security.

      Actually, it would be appropriate.

      If you can remove an avenue of attack, you have increased the security of your system.

      Now, by removing it from the Internet you have also reduced the FUNCTIONALITY of your system.

      So you end up with a less functional, more secure system.

      Security is all about evaluating the possible threats and reducing their effectiveness.

      Teredo gives Vista the ability to get to ipv6 from behind a NAT, so vista has the ability to access more things (in this one limited way). Thus it should not be counted as a vulnerability unless Linux has a way to do the same thing, in which case we can compare the security implications of Linux's method versus Vista's method.

      No. If it is an avenue for attack, it is an avenue for attack.

      If it is vulnerable, it is vulnerable.

      We've been over this before with Firefox's avoidance of ActiveX. Sometimes, increasing your security simply means NOT including some functionality.
    • Re: (Score:3, Insightful)

      by node 3 (115640)

      Here's why: assume that windows was technologically backwards and couln't get on the internet. Would you then agree that Linux was less secure, because the possibility exists to hack it over the internet while that possibility does not exist for windows?

      Actually, yes, if all other things remain equal. What kind of moron are you imagining who would claim otherwise? I have to call "straw man" on this one.

      Let's, in fact, *actually* make things more equal. Two *exactly identical* PCs with *exactly identical* installs of Linux, with one and only one exception: PC A is connected to the Internet, PC B is not. Do you *honestly* believe both PCs are equally secure? That the non-networked PC is not, actually, more secure[*], all other things remaining equal?

      [*] I h

    • Re: (Score:2, Interesting)

      by Umbral Blot (737704)
      I'll clarify my point since it seems to be flying by many of you: security assessment != security comparison; you don't do two security assessments and then compare them, rather you compare the security of comparible features, to avoid an apples v.s oranges situation that makes the comparison meaningless. This is admitted by the people defening Linux themselves as they complain that it isn't right to compare Linux + firefox to Vista - IE. The same principle is in action here, if you want to compare the se
    • Your logic is flawed, I'm afraid. Linux apparently does not do it beause it's a fundamentally stupid "feature", appropriate for trade show demos but a really bad idea in the real world, since it subverts the basic security policies of most NAT's.
      • That's an appropriate point to bring up ... in a feature comparison, not a security comparison. Look, if you don't ignore features in this context when they are different than the Windows crowd can simply claim that Windows has more security problems because it has more features than Linux. You don't want them to claim that do you?
    • "Thus it should not be counted as a vulnerability unless Linux has a way to do the same thing..."

      So the vulnerabilities in ActiveX and COM shouldn't be counted either since Linux doesn't use those... Or vulnerabilities in DirectX shouldn't count because Linux doesn't use it?? That just isn't logical.

      Anything that can be used as a vector to successfully compromise a computer should be counted as a vulnerability because that's what it is.
    • Re: (Score:3, Insightful)

      by innerweb (721995)

      I am sorry, but that is incorrect. Anything that can be used as an exploit, no matter how big, small or unlikely is a potential exploit and must be listed as a security risk. This is the kind of thinking that causes most security issues. Do yourself a favor and don't think like that. Ruling out a security risk that might happen for any reason is looking the other way, and puts you, your client (employer) and the rest at risk. It might also cost you your job. I have seen people let go for much less.

      If

    • by EmbeddedJanitor (597831) on Thursday June 28, 2007 @09:44PM (#19684479)
      After extensive research we found that having the computer powered up was the source of all the security flaws. Don't blame MS - they don't make the power cords!
  • what ges me is that very few security researchers ever get the chance to examine MS code like Linux allows, who knows how much code is a security risk, millions of lines of code that only its creators can really examine. there also exists the problem that in addition to security flaws in the code its self, there is the fact that most of MS users dont really take care of their OS like they should. very few people avoid IE, update their software, have a firewall or any security smarts [ie cant resist the fr
    • Re:er (Score:5, Insightful)

      by MyLongNickName (822545) on Thursday June 28, 2007 @08:45PM (#19684025) Journal
      Very few people avoid IE, update their software, have a firewall or any security smarts

      Vista updates by default. It is nicely built into the shutdown interface. By default you "update and shut down" if an update is available. Firewall is also built in and seems to be relatively well designed. Very honestly I am impressed with Vista's default security.

      The rest of your post I agree with. For example will this help my sister-in-law who loads every toolbar and screensaver known to man? Nope. If a user downloads flaky spyware software, there isn't an OS that can help. But Vista truly is a step in the right direction for the majority of folks who just want to browse and email.
      • by Tony Hoyle (11698)
        Well it won't actually let them download the spyware... UAC is as flaky as hell.

        I actually have about half a dozen icons on my desktop it's impossible to delete. You hit delete, the UAC prompt comes up, you confirm, and *nothing happens*. You'd think that would have come out in beta testing.. maybe it did, and MS ignored it.

        I'm currently offloading my work into a win2k3 client ready to ditch vista for good.. taking much longer than I'd hoped, but my six months of vista hell is nearly over (yay!!!). We d
        • I haven't experienced this issue. I will say vista is flaky, especially in file copying. Damn slow. Very honestly, I still prefer Win 2K over XP or Vista, and for any real work will still be using it or 2003 Server.
        • Re: (Score:3, Informative)

          by daeg (828071)
          The problem exists on any NT-based system, actually. What is happening is that when the installer runs, it is running with Administrator credentials. The retarded, non-user account aware installer installs the icon in the "All Users" desktop. You, a non-administrator, cannot remove it from your desktop because you can use the "All Users" desktop, but cannot alter it. The failing silently thing can also happen on 2000/XP, albeit rarely. Sometimes the "Permission Denied" box can take many minutes to display f
      • I haven't used Windows for ages, but do Windows users actually still shut down? I don't think I've ever shut the machine down. It gets rebooted when I install security updates, and goes to sleep when I'm not using it, but it's never actually shut down.
      • Updates on Vista and updates on, say, Ubuntu are quite different. The automatic updates on Vista upgrade the core OS components. The updates on Ubuntu update all of the officially supported pacakges - everything from OpenOffice to The Gimp to Freeciv. If there's a security bug in Photoshop's processing of .tiff files, Vista automatic updates won't help you.

  • by mpapet (761907) on Thursday June 28, 2007 @08:35PM (#19683901) Homepage
    Most Microsoft customers will take the "research" at face value.

    I work in a Microsoft shop. And while I have a great boss, (really, no kidding) the company is Microsoft all the way. There is zero logic at play.

    But that's the way it goes. I'm old enough to remember when "Made in Japan" was the cultural equivalent of today's "Made in China." That had little basis in reality then, just like Microsoft customers today just aren't ready to comprehend **buying** something other than a Windows box and just take Microsoft's ridiculousness as fact. In time though, I think that can change. Just like the Japanese and their cars.
  • Why wasn't my tag "getthefacts" selected? Honestly, that's all this is - a continuation of the "Get The Facts" campaign.
    • by node 3 (115640) on Thursday June 28, 2007 @09:27PM (#19684343)
      Well, no doubt CmdrTaco carefully sifts through all the tags submitted for every story, and diligently evaluates them for selection. He even, I'm certain, cross-references tags for relationships to other projects to see if one is just an unlabeled continuation of the other. After such fastidious examination, and only then, does it make the grade. A grade which your most impressive tag passes with ease.

      Given Slashdot's exemplary editorial standards, how could it possibly be otherwise?

      This is clearly a gross oversight on Taco's part, and will be looked into with the gravest of concern, there can be no doubt. I suspect your well-crafted tag will don the front page in no time, perhaps even in an extra-crisp font to make up for any negligence and mishandling involved.

      I look forward to it with heightened eagerness, and commend you on the alacrity and aplomb you've shown in this, your all-important tag-choosing endeavor.

      Godspeed, you will prevail.
  • by Anonymous Coward on Thursday June 28, 2007 @08:49PM (#19684063)
    riding a flying pig on my way to get a sweater at the store 'cause I heard Hell had frozen over. At the gamestop next to the sweater store, some kid was playing Duke Nukem Forever, which I thought was an amazing game. ...so what do you mean the report isn't true?
  • by erroneus (253617) on Thursday June 28, 2007 @08:50PM (#19684075) Homepage
    Okay while no one on Slashdot feels this is news and the debunking was completely expected, it's useful for the "linux representatives" that many of us inevitably become in casual conversation with our Windows-evangelizing peers. Typical situation:

    In this narrative, Josh is the typical One-Trick-Pony, Microsoft MC## who blesses Microsoft every day for making his income so easy to come by and truly believes that Microsoft is the hammer and everything looks like a nail. Gunter is an all-around generalist who is unafraid of anything "computer" and knows enough to work on routers, networks, servers and workstations of just about all varieties which happens to include Linux among others.

    Josh: "Hey, just read this security assessment comparing Vista and Linux... Vista won by a mile."
    Gunter: "Yeah, I saw that... I also saw -->this-- article exposing the flaws and inconsistencies in their comparisons."

    The point here is that being readily armed with a rebuttal is handy.
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      The real shame is the rebuttal and article is so inaccurate and incorrect it really makes linux look even worse :( have a read of the orginal report, then of the so called proof that the original report is wrong. They use evidence outside of the time range being analyzed (for the published article) and this rebuttal doesn't even offer that much evidence. If MS is so wrong here could someone actually provide some real data as both the current links I have seen don't show anything factual at all.
  • It doesn't matter if the vulnerability counts are vendor acknowledged or third party. Vulnerability counts only tell you how many flaws were found and fixed. There is no particular reason to belive this correlates to how many were found and exploited by 'the bad guys'.

    It's flimsy but I suppose you could say that recognizing reported flaws and patching them quickly shows a project or vendor takes security seriously but that is all these vulnerability reports are good for. You could say that more reported vul
  • FUD all around (Score:2, Interesting)

    by Anonymous Coward
    That was a sloppy report on Microsoft's part, no doubt, but the Slashdot title is misleading too. It is still helpful to remember that there has been only one exploitable vulnerability discovered on Vista in the past six months, compared to several a month on XP. Vista's OS-level security features (NX, ASLR) do in fact perform as advertised. Vista is immeasurably more secure than OSX (with only one security feature to speak of) -- not a single application security expert has made a claim to the contrary.
  • Armchair critique (Score:4, Interesting)

    by weinrich (414267) on Thursday June 28, 2007 @09:14PM (#19684255)

    This report from Microsoft's Jeff R. Jones is ludicrous...

    This isn't a debunking.

    I feel Jeff really needs to perform another less exaggerated analysis.

    It's an armchair critique of someone else's work.

    [...] a good start for learning about [Vista flaws] is the Symantec paper that analyzed Vista during the BETA phases and revealed numerous issues.

    A competitor (see Live OneCare) wrote an article about an early BETA of a new OS saying is had some issues? Shocking!

    Even though OS X claims to be secure, researchers have obviously shown that Apple will have flaws too. This is nature of software, and it affects all code.

    What are you saying here, Kristian? Bugs are inevitable, so we should just give Apple a free pass on their share of problems because, well, it affects all software?

    Ok, that's enough of that.

    I feel Kristian really needs to perform his own research and analysis, and draw his own conclusions.


    PS: Don't mod this as flamebait until you read Kristian's entire post. Really.
  • by Cal Paterson (881180) * on Thursday June 28, 2007 @09:30PM (#19684363)
    The Jeff Jones reports [csoonline.com] are complete crap. This was obvious at the time. He pretty much showed himself a fool by claiming that XP had less critical bugs than the current Ubuntu, SuSE and RHEL, and thus was more secure. He seems to think that he can compare security based on the number of public and critical bug reports between a company that does not release bug reports to the public and companies that do.

    Any observer from a tech background would know that this would turn his results to shit, but he is;
    1. A Microsoft Employee
    2. A Blogger
    so that never mattered anyway.
  • by flyingfsck (986395) on Thursday June 28, 2007 @09:53PM (#19684545)
    I haven't seen Cisco jump to run Vista on their Firewall Machines. So, maybe, just maybe, they had a reason to stick to *nix.
  • by NeverVotedBush (1041088) on Thursday June 28, 2007 @10:38PM (#19684859)
    I mean, in their entire history, when has Microsoft ever done ANYTHING untrustworthy?

    Like literally copying/stealing other people's code line for line and putting it in their OS? (Stacker)

    Like putting in software hooks to see if competing office products were running and then crash them or make them run slow? (WordPerfect)

    Like swapping code in an OS and a browser to make it appear that the browser was integral to the OS to weasel out of antitrust issues? (Win98 / Explorer)

    Naw... I just can't believe that MicroSoft would stoop so low as to try to promote its "ground-up" new OS (that amazingly has many of the exact same vulnerabilities as XP) as being hardened and more secure than Linux and OSX>

    They wouldn't do anything like that, would they?
  • Slander and Libel (Score:4, Interesting)

    by brandonp (126) * <brandon...petersen@@@gmail...com> on Thursday June 28, 2007 @11:53PM (#19685491) Homepage
    "the communication of a statement that makes a false claim, expressly stated or implied to be factual, that may harm the reputation of an individual, business, product, group, government or nation."

    Stuff like this seems very close to being Slander and Libel [wikipedia.org]. I'm sure a more informed reader will know why it isn't, but even then, it just seems quite close to being so. There are many organizations and individuals with an invested interest in the promotion and sale of Linux.

    Brandon Petersen
  • by Bob54321 (911744) on Friday June 29, 2007 @03:32AM (#19686503)

    A bug in Firefox (not to mention emacs), counts as a flaw for Linux...
    I like text editor wars as much as the next guy, but calling emacs a bug...
  • by gelfling (6534) on Friday June 29, 2007 @07:45AM (#19687407) Homepage Journal
    The piece of shit Taurus I also have has no leak therefore it must be a better car than my old Porsche. And it's true that if every car in the world were my old Porsche then all the cars in the world would have that same annoying leak. Ergo the world is a better place for all the piece of shit Taurus's on the road.

    See it's not about theory, fanboys. It's about practical outcomes. Per person per unit per second per whatever the practical outcomes of MS 'security' are disaster and failure compared to everything else. Period full stop. And if all the fanboys in the world, got off /. put down the fucking cheetos and hammered out code it still wouldn't make any difference because that train's already left the station.

    You can wave your MS flag in my face all.fucking.day. telling me about the theoretical import of security gaps in some other widget and it won't amount to anything because the effect of these gaps is maybe 0.0001% of the effect of yours.

    So suck it up, my pimpled minions - your God is a cardboard God.

"Irrationality is the square root of all evil" -- Douglas Hofstadter

Working...