Vista Security Claims Debunked 315
An anonymous reader writes "Apparently Microsoft still hasn't learned that counting vendor acknowledged vulnerabilities isn't a good way to establish the security of an OS. As an analysis of Microsoft's claims on Full Disclosure shows, we see that the methodology used was badly flawed. A bug in Firefox (not to mention emacs), counts as a flaw for Linux, while IE bugs get ignored on Vista's chart. Then we see that vulnerabilities aren't vulnerabilities when they're security-challenged features such as Vista's Teredo. Also, there's far too little consideration given to severity, given that it stoops to counting even extra access restrictions on a file in OSX to have something to show. In short, the original Microsoft analysis was good PR and poor research."
Re:Microsoft found making PR-FUD-ing research (Score:3, Insightful)
Not surprising (Score:2, Insightful)
Not that surprised... (Score:5, Insightful)
Of course, if anyone should be counting browser flaws as OS flaws, it's MS. MS makes the case that they can't remove IE from the OS since it is integral to it working properly, yet doesn't count them on the vulnerability list.
Meanwhile, FF doesn't even have to come with a Linux distro, and a bug that compromises FF as an app is much less likely to compromise the OS as a whole.
Looks like more FUD to scare non technical people from "illegal" and "unsafe" Linux.
Teredo (Score:3, Insightful)
Re:Teredo (Score:2, Insightful)
if microsoft opens a door for exploits they have a vulnerability. if another system also has a similar capability is totally irrelevant, also from the point of view of a comparison. the question is, is windows more secure or less secure because of this feature?
Strangely, It Doesn't Matter (Score:3, Insightful)
I work in a Microsoft shop. And while I have a great boss, (really, no kidding) the company is Microsoft all the way. There is zero logic at play.
But that's the way it goes. I'm old enough to remember when "Made in Japan" was the cultural equivalent of today's "Made in China." That had little basis in reality then, just like Microsoft customers today just aren't ready to comprehend **buying** something other than a Windows box and just take Microsoft's ridiculousness as fact. In time though, I think that can change. Just like the Japanese and their cars.
Re:er (Score:5, Insightful)
Vista updates by default. It is nicely built into the shutdown interface. By default you "update and shut down" if an update is available. Firewall is also built in and seems to be relatively well designed. Very honestly I am impressed with Vista's default security.
The rest of your post I agree with. For example will this help my sister-in-law who loads every toolbar and screensaver known to man? Nope. If a user downloads flaky spyware software, there isn't an OS that can help. But Vista truly is a step in the right direction for the majority of folks who just want to browse and email.
Re:The Microsoft guy did a second report (Score:3, Insightful)
No, this is still good (Score:3, Insightful)
In this narrative, Josh is the typical One-Trick-Pony, Microsoft MC## who blesses Microsoft every day for making his income so easy to come by and truly believes that Microsoft is the hammer and everything looks like a nail. Gunter is an all-around generalist who is unafraid of anything "computer" and knows enough to work on routers, networks, servers and workstations of just about all varieties which happens to include Linux among others.
Josh: "Hey, just read this security assessment comparing Vista and Linux... Vista won by a mile."
Gunter: "Yeah, I saw that... I also saw -->this-- article exposing the flaws and inconsistencies in their comparisons."
The point here is that being readily armed with a rebuttal is handy.
Re:Teredo (Score:3, Insightful)
Let's, in fact, *actually* make things more equal. Two *exactly identical* PCs with *exactly identical* installs of Linux, with one and only one exception: PC A is connected to the Internet, PC B is not. Do you *honestly* believe both PCs are equally secure? That the non-networked PC is not, actually, more secure[*], all other things remaining equal?
[*] I have to add, because I know otherwise someone would bring this up, that it's technically *possible* both PCs are equally secure, assuming the networked PC doesn't call out to the Internet, and there are no security flaws *at all* in the card drivers, firewall, etc. But unless you actually know for sure that your code and hardware are 100% secure, that unknown is, itself, less secure. That's not to mention the *actual* security flaws that actually exist, since even though the networking *might* be 100% secure, it's exceptionally close to certain that it isn't.
Re:The Microsoft guy did a second report (Score:5, Insightful)
Regardless of whether it does or does not the claims are as silly and irrelevant as the slashdot stories 'proving' that Linux is more secure.
The number of bugs is not relevant, it there is one bug the system is vulnerable. What matters is the window of vulnerability. The time between discovery of the bug by the bad guys and fixing it by the good guys.
UNIX used to be known for its insecurity. Richie and crew invented the buffer overrun bug, Tony Hoare was referring to this blunder in C when he gave his Turing Award lecture he brought up the fact that the first principle of ALGOL 60 had been security.
The perceived level of security of a system has much less to do with familiarity than any actual objective measure. None of the systems that are on the market today is built well enough for its supporters to start challenging others to this type of dick size measurement contest. Its silly and unhelpful.
Re:No, this is still good (Score:2, Insightful)
This was fairly obvious at the time. (Score:5, Insightful)
Any observer from a tech background would know that this would turn his results to shit, but he is;
It's like they always claimed about linux: (Score:1, Insightful)
Re:Teredo (Score:3, Insightful)
I am sorry, but that is incorrect. Anything that can be used as an exploit, no matter how big, small or unlikely is a potential exploit and must be listed as a security risk. This is the kind of thinking that causes most security issues. Do yourself a favor and don't think like that. Ruling out a security risk that might happen for any reason is looking the other way, and puts you, your client (employer) and the rest at risk. It might also cost you your job. I have seen people let go for much less.
If a system were not accessible over the internet and another one was, then the one that was would definitely have the internet listed as a security issue. Writing an analysis to target only the expected situation is a great way to invite disaster. Ask any company who has had a product used in a way other than intended with problematic results. Cars were never intended to be used as bombs, but they have proven to be quite effective. Exploits that were not intended to made available normally seem to become available. Environments change, needs change, people do things without permission, exploits appear.
InnerWeb
The really sad part.... (Score:5, Insightful)
Unfortunately they seem to be so obsessed with winning by FUDing and spinning that they end up making crap. This is a great disservice to the whole computer industry.
Re:As Gunnery Sergeant Hartman would say (Score:3, Insightful)
Re:The really sad part.... (Score:4, Insightful)
Thing I learned in the marketing class I failed: (Score:5, Insightful)
Obscure? And the 2nd study is just as bad! (Score:5, Insightful)
Then you claim that the second report addressed all those issues. That's not at all true. Sure, it doesn't count Firefox bugs any more, but that's not the real problem with the study. The real problem is that counting vendor-acknowledged bugs isn't a security metric at all! That's right, it's not the least bit useful for giving either an academic or real-world measure of security. You can't rescue the original study from that flaw without redoing it and abandoning the original premise.
But I guess you wouldn't know that, because you don't know these "obscure" sites that people who know about computer security do. I mean, next thing you know, people will be citing virtual unknowns like Bruce Schneier as if they knew anything about security! Or maybe Fyodor, I bet he doesn't know a damn thing about networking. What did he ever do? Make up that silly fake application they used as a "hacking" tool in the Matrix movies? [/sarcasm]
Where is the debunking? (Score:2, Insightful)
If you're going to bash Microsoft for using fuzzy math, at least have the courtesy of supplying some of your own.
Also, can somebody explain the issues with Teredo? Sorry, but simply declaring that there are lots of bugs in Microsoft's new TCP/IP implementation with absolutely no evidence to back this up doesn't help your argument.
Microsoft is about making money ... not products (Score:5, Insightful)
This means simply that Microsoft will generally pour just enough resources into a product to beat the competition and dominate the marketplace. We saw that with the browser war. When it had to overtake Netscape it came up with a good product. After it killed Netscape, and there was practically no other comparable browser, resources were taken off the browser product because it was good enough and there was no sense whatsoever in improving it.
We saw it with the IDE's. When Microsoft had to compete with Borland {Borland Pascal; Borland C/C++} it came up with the 'Visual' IDE. Visual C, Visual Fortran. It was a good IDE, and it won against Borland. After that ... it languished. Now ... now that we're seeing the Eclipse IDE and SUN's IDE ... suddenly Microsoft floors the accelerator again.
The same holds for the Operating System itself. Windows was systematically tailored to capture the eye of consumers and businesses, which it did very well. Never mind that the internals were {and still are} cludgy. What the user sees is the user-interface; that's what sells. Security flaws? Well ... as long as there is no competitor to which people can switch while retaining their investment in software and training ... security flaws aren't a show-stopper. Getting their own stuff to work was {previous Windows version have so many tightly coupled components that you never knew what would break next when you changed or added anything}, and that's why Jim Allchin very sensibly steered towards a properly engineered Windows. Vista in other words.
Given that we're seeing Linux, OS-X, and Open Solaris competing in more or less the same market we also saw an increased effort from Microsoft to tart up the user interface. Those transparant windows thingies.
This is something fundamental you have to understand about Microsoft. They are calculating folk, and never ever were trailblazers. Tail-light chasers, yes, but never trailblazers. 'Good Enough' is their goal, and their yardstick is ... the competition. Why? Because to Microsoft 'Good Enough' means 'Good enough to win in the marketplace and bring in revenue'. That's how Microsoft became so rich.
Re:Teredo (Score:3, Insightful)
Re:Microsoft found making PR-FUD-ing research (Score:5, Insightful)
Such straight forward conclusions are impossible to make. Based on the following points.
- If many people are analysing code, you will find more bugs. If you don't review your code (or for example, don't have peer review - which closed source often lacks.) Then no bugs at all will be discovered.
- The existing number of unfound bugs is related to the number of discovered bugs. Well no not really: The number of found bugs is actually related to how long and how many researchers have been testing and actively looking for the bugs and second to that is how buggy the software is. I can assign a team of one researcher with no experience and they'll never find any bugs in the poorest of software.
- A difficult and obscure to exploit bug (one that requires a perfect storm of conditions) is as important as a bug that is easily exploitable(e.g. drive by downloads). Also with that: Bugs that bring down the whole system versus bugs that only fail a single service.(E.g. blue screen versus failing to display a JPG correctly.)
- Differences in reporting models: Total lack of transparency versus an open forum. E.g. Microsoft vs Linux reporting. You can only compare reporting from the same kind of reporting models. E.g. You can compare kHTML versus Mozilla (as they are both open and have similar review structures), but not Windows vs BSD (the dissimilar reviews allow misrepresentation via favourable skews and different classification paradigms.
Bad examples (Score:3, Insightful)
Visual Studio vs Borland: VS was never better than Borland on a level playing field. MS only completed by being a bully.
My main point is that MS don't get their products Good Enough. MS get there by putting their effort into attacking the competition rather than by developing (or even offering) good products.
I think MS marketing is more Mafia tactics than anything technical.
Re:Microsoft found making PR-FUD-ing research (Score:4, Insightful)
Re:Microsoft is about making money ... not product (Score:4, Insightful)
x86 made only incremental gains from the 486 to the Pentium IV. Suddenly, wham! AMD comes out with the 64-bit Opteron and Athlon 64 and they kick the crap out of Intel on price, performance, and power consumption for a year or so.
Now we've seen a ferocious flurry of innovation from Intel, which has suddenly been pouring money into R&D and taking advantage of its superior manufacturing processes. We've got Intel vs. AMD to thank for quad-core, low-power, hardware virtualization... and best of all, $59 dual-core 64-bit processors from Newegg
Now AMD is falling behind fairly rapidly, and we can expect Intel to slack off its R&D correspondingly. But in a year or five, AMD or someone else (VIA? IBM? MIPS?) will be back with something new and send Intel scrambling again.
Re:Thing I learned in the marketing class I failed (Score:2, Insightful)
Re:Thing I learned in the marketing class I failed (Score:5, Insightful)
You haven't read an annual company report recently, or ever for that matter?
Even in sdoftware - or pharmaceutical companies where one would assume that a lot is spent for research the R&D budget is usual ~18% (which varies, of course) while sales and marketing usually eats away approx. half of the costs.
Sales, marketing and distribution is horrendously expensive and gets a far bigger chunk of the budget then R&D.
This is a generalisation, of course, but true for the vast majority of companies.
Re:The really sad part.... (Score:4, Insightful)
Unlike most people here I do like Vista, but I honestly think that compared to their competitors they have lost a lot of ground in engineering strength compared to what they once were.
I'll call bull (Score:2, Insightful)
1. I've had that disabled for years, and I've had exactly one instance of BSOD-ing so far. (The reason was a crappy driver. Yeah, that's so MS's fault. A Linux user would be _so_ able to continue using their KDE programs if the video drivers crashed. Not.)
2. You would still notice it if your computer was restarting all the time. So, you know, it would be exactly the same amount of tech support calls whether it's "I've got a BSOD" or "this damn computer keeps restarting".
3. It wouldn't be that well hidden anyway, because it does briefly show a BSOD before restarting.
4. And if ad-absurdum they actually managed to hide it that well that you don't even notice, then why would it matter?
So, you know, propaganda tends to work better if it doesn't amount to telling people "your Windows BSOD's all the time!... even though you've probably never seen it actually doing it." It tends to be kinda like me telling you that you have to move because there's an elephant in your bathroom, even though you probably don't see it.
Re:Obscure? And the 2nd study is just as bad! (Score:5, Insightful)
"The numbers" would certainly look very different if Microsoft adopted the methodology used by most open source projects of fully disclosing every bug. Or if open source projects mirrored Microsoft's practices. It is very well known that Microsoft does NOT fully disclose all bugs and many cumulative patches silently fix MANY problems. The severity of bugs is also classified very differently.
You are right about one thing, it is all a numbers game. But you are WRONG that it means anything, even that Microsoft is improving. It means NOTHING. Nothing at all. It's only a numbers game. Even if someone else games the numbers differently and Linux-based systems look better, it still means nothing to compare numbers of bugs when very different philosophies and practices govern which bugs are fully disclosed and how their severities are rated.
Re:The Microsoft guy did a second report (Score:3, Insightful)
Not cheaper ... (Score:4, Insightful)
It's not cheaper (quite the contrary), but the effects of marketing are much more immediate than the effects of research. And it's the quarterly report that counts, not how the company is doing in three years.
Re:Microsoft found making PR-FUD-ing research (Score:5, Insightful)
Fixed that for you.
Re:Microsoft is about making money ... not product (Score:4, Insightful)
x86 made only incremental gains from the 486 to the Pentium IV. Suddenly, wham! AMD comes out with the 64-bit Opteron and Athlon 64 and they kick the crap out of Intel on price, performance, and power consumption for a year or so.
I think you need to seriously revise your x86 history.
That is not to say that x86_64 wasn't a significant improvement, but to basically suggest the Pentium, Pentium Pro/II/III and Pentium 4 were just faster 486s is ludicrous. Each of those CPU families represents a serious increase in the design and capabilities of the x86 platform and they all came from Intel. Indeed, one of the main reasons x86_64 was so significant was because it repesents one of the few times AMD has been the leader, not the follower, in the last few decades.
Re:I'll call bull (Score:0, Insightful)
At least on Linux you still have a chance to recover. At least I have open and closed drivers, at least I have a choice.
What's going to survive when you kill X?
If you have browser/text editor and other programs attached to the X display they die as well once you restart X.
You can't start another X session to get to them because the client/server (or client?) is frozen!
Unless by recover you mean not having to reboot the OS, which will *gasp* affect the digits you get back from your uptime!
When drivers act up you're F'ed, Windows or not.
Re:Don't accept abuse. MS apparently lied. (Score:4, Insightful)
I don't think it has to be. Let's consider a hypothetical case: suppose you had an chemical plant that for years spewed toxic effluent into the river, and which got a deservedly bad name for this. Then, let's suppose, the cleaned up their act and stopped dumping toxins, maybe compensate the people living locally.
At this point, the company still have a bad image, even though they are now good neighbours, so it's a legitimate tactic to get a PR crew in to address the image problems. You've seen the sort of thing: take some film crews around the plant, make some commercials with lots of pictures of sunlight, ripe wheat, green trees and healthy babies.
On the other hand, they could do pretty much the same thing if they haven't got rid of the toxic effluent, or if they solved the problem by venting it as vapour through the air conditioning system at the nearest school.
The trouble is that companies seem to have figured out that they get about the same effect whether they fix the problem or not. So why spend money fixing the problem if the PR is all that's needed?
So, yeah, PR is pretty much the same thing as lies. It needn't be, and it shouldn't be -- but on the whole, that's the way to bet.
And my Porsche has an annoying leak (Score:3, Insightful)
See it's not about theory, fanboys. It's about practical outcomes. Per person per unit per second per whatever the practical outcomes of MS 'security' are disaster and failure compared to everything else. Period full stop. And if all the fanboys in the world, got off
You can wave your MS flag in my face all.fucking.day. telling me about the theoretical import of security gaps in some other widget and it won't amount to anything because the effect of these gaps is maybe 0.0001% of the effect of yours.
So suck it up, my pimpled minions - your God is a cardboard God.
Re:Heh (Score:4, Insightful)
Heh, you've never used any *nix before, except as a toy. There's a fucking mountain of difference. Does your box run any services for the network? Does it share any printers or disks? Does it have any other users logged into it? Does it run any scheduled tasks or background jobs? If you're doing *any* of these things, then there's no way in hell you want the system to reboot. If you're not doing any of these things, you're not running Linux, you're running a bloody X-terminal.
Upfront cost isn't the point (Score:3, Insightful)
Two prime examples from my line of work of people buying into marketing hype with zero understanding of the technology.
1. The vast majority of our clients are small businesses. I'm talking 5 to 10 employees, which are primarily "the people who do some work, and one or two administrative assistants". Zero tech staff whatsoever. I cannot even begin to count the number of these small business owners that call me whining that their VoIP service "doesn't work" and it turns out it's because they bought some insanely expensive Cisco firewall (or some other firewall "appliance"). They have only the foggiest notion of what a firewall does, they have zero idea how to set one up, configure it, or maintain it, but some doofus salesman somewhere told them how important firewalls are and how they have to have one, so they forked over hundreds of dollars for a box they can barely identify.
2. To diagnose VoIP problems I also frequently need to ask what sort of internet connection the client has. Most of them give a totally inane response like "it's the fastest one they offer" or "business-class". In other words, they have no idea what they're paying for every month, but they can recite the bullshit marketing terms all day long.
People have no idea what the hell they're buying. Companies routinely offer crap and doll it up with important-sounding fluff, and people buy it, having no understanding of what they're purchasing or how to compare a good product from bad. It doesn't take long for bean-counters to realize that they can cut back on making an actual reliable product, and divert the savings into marketing, at which point people will start handing over cash.