Vista security baloney

If you believe Jeff Jones, Microsoft’s security strategy director, then Vista is much more secure than XP, Mac OS X, and Linux.

Why, oh why, is anyone paying any attention to this man outside of the walls of Microsoft? His paychecks are signed by Bill Gates, people!

What do you think he’s going to say? “Really, when you get right down to it, Windows is a fatally flawed operating system that no one in their right mind would ever use for truly secure computing?” He wouldn’t just be fired; he’d be carried out by the real Microsoft security: the Microsoft cops.

Or, let’s say he said something more politically correct, such as, “Really, Windows, and now Vista, still lag behind both Linux and Mac OS X when it comes to security, but we have gotten better.” Much nicer, but still true, and he’d still end up fired.

Anyone who believes a word out of Jones’ mouth when it comes to Vista security is a fool. You want to find someone who does say nice things about Vista security from time to time that you can believe in? I suggest Larry Seltzer’s Cheap Hack blog.

Jones also goes on to explain that in the past he’s worked with Unix and the BSDs. He’s also willing to admit that security improvements are happening on Linux and Unix, but that Microsoft is doing it better. He then asks, “Am I biased? I do not think so, but let’s just all keep assuming I am, because I don’t mind. If I make comparisons, I’ll lay out my metrics.”

As it happens, Joe Wilcox, my compatriot over at Microsoft Watch, took a look at Jones’ metrics. Guess what he found.

He found that Microsoft gets its great Vista numbers by not counting all of Vista’s security problems. Jones also doesn’t count any silently fixed vulnerabilities. In other words, if Microsoft fixes a problem, but assumes no one knew about it, they don’t admit to there being a flaw in the first place.

As Ryan Naraine notes in his security blog, Zero Day, “Microsoft routinely ships silent fixes within its security bulletins if flaws are discovered internally. These are never assigned CVE numbers and will never appear in these comparison reports from Jones.”

Jones and other Microsoft security staffers, according to Naraine, also argue that everyone, including Linux distributors, issues patches with silent fixes. They do? You can fix a problem in “open source poster child” Linux without everyone knowing about it!?

One of Linux’s problems, which Mark Shuttleworth, Ubuntu founder and CEO of Canonical Ltd., is trying to fix, is that Linux doesn’t just publicly track and fix its problems; it does so in so many places and in so many ways that it’s hard for developers to keep track of what’s already been fixed. Unlike with Microsoft, where if a security tree falls in Windows no one will ever hear it, in Linux, when a security tree falls, everyone hears it.

You see, that’s the real difference between Linux and Windows security. In Linux, everyone sees the problems and everyone works on the problems. In Windows, Microsoft hides the problems and hopes you silently accept the company’s self-serving explanations for them.
