Microsoft gets the Most Secure Operating Systems award


Microsoft gets the Most Secure Operating Systems award

Siju George
Hi,

http://www.internetnews.com/security/article.php/3667201

Just for some entertainment, no troll :-)

--Siju


Re: Microsoft gets the Most Secure Operating Systems award

Sunnz
Nice, let's all now switch our servers to Windows!!!

Oh but it doesn't run on ultrasparc...

Nevermind...

:D

2007/3/23, Siju George <[hidden email]>:
> Hi,
>
> http://www.internetnews.com/security/article.php/3667201
>
> Just for some entertainment, no troll :-)
>
> --Siju
>
>


--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html


Re: Microsoft gets the Most Secure Operating Systems award

ben calvert
In reply to this post by Siju George
On Thu, 22 Mar 2007 18:58:31 +0530, "Siju George" <[hidden email]> wrote:
> Hi,
>
> http://www.internetnews.com/security/article.php/3667201

From the article:

     Microsoft is doing better overall than its leading commercial competitors.
                                                        ^^^^^^^^^^

No wonder.  they stacked the deck before doing the comparison


>
> Just for some entertainment, no troll :-)
>
> --Siju
---
Ben Calvert
Flying Walrus Communications


Re: Microsoft gets the Most Secure Operating Systems award

RedShift
In reply to this post by Siju George
Siju George wrote:

> Hi,
>
> http://www.internetnews.com/security/article.php/3667201
>
> Just for some entertainment, no troll :-)
>
> --Siju
>
>
>

IMHO it's not a fair comparison, most linux distributions ship with a lot
more software than microsoft windows does, and most bugreports indicate
an issue with third-party software.


Re: Microsoft gets the Most Secure Operating Systems award

Karsten McMinn
In reply to this post by ben calvert
On 3/22/07, Ben Calvert <[hidden email]> wrote:
>
>      Microsoft is doing better overall than its leading commercial competitors.
>                                                         ^^^^^^^^^^
>
> No wonder.  they stacked the deck before doing the comparison

doesn't this mean that they now have more coders on payroll
to fix stuff than they do to write the os? kinda scary.


Re: Microsoft gets the Most Secure Operating Systems award

Neil Joseph Schelly
In reply to this post by RedShift
On Thursday 22 March 2007 11:29 am, RedShift wrote:

> Siju George wrote:
> > Hi,
> >
> > http://www.internetnews.com/security/article.php/3667201
> >
> > Just for some entertainment, no troll :-)
> >
> > --Siju
>
> IMHO it's not a fair comparison, most linux distributions ship with a lot
> more software than microsoft windows does, and most bugreports indicate
> an issue with third-party software.

If you read the article past the summary, they mention that.  While Windows
had far fewer bugs than say Red Hat, Red Hat only had 2 (out of 208)
considered high/severe.  Windows had a very high percentage of its bugs
labelled as high or severe (12 out of 39).  Similarly, I'm sure if you looked
at the time-to-fix for just the high and severe bugs from each side, you'd
see that the Microsoft ones were slower to get patched.  I'm just betting
that the 200+ less unimportant bugs included many that really just didn't
warrant any priority to fix.

Unfortunately, the article doesn't really show this in the light that suggests
the findings of Windows being the most secure commercial OS might be false,
but it's not too hard to read between the lines.  78% of statistics are made
up and 103% of statistics can say the exact opposite of what you think they
should mean.

--
Regards,
Neil Schelly
Senior Systems Administrator

W: 978-667-5115 x213
M: 508-410-4776

OASIS Open http://www.oasis-open.org
"Advancing E-Business Standards Since 1993"


Re: Microsoft gets the Most Secure Operating Systems award

Nick Guenther
On 3/22/07, Neil Joseph Schelly <[hidden email]> wrote:

> On Thursday 22 March 2007 11:29 am, RedShift wrote:
> > Siju George wrote:
> > > Hi,
> > >
> > > http://www.internetnews.com/security/article.php/3667201
> > >
> > > Just for some entertainment, no troll :-)
> > >
> > > --Siju
> >
> > IMHO it's not a fair comparison, most linux distributions ship with a lot
> > more software than microsoft windows does, and most bugreports indicate
> > an issue with third-party software.
>
> If you read the article past the summary, they mention that.  While Windows
> had far fewer bugs than say Red Hat, Red Hat only had 2 (out of 208)
> considered high/severe.  Windows had a very high percentage of its bugs
> labelled as high or severe (12 out of 39).  Similarly, I'm sure if you looked
> at the time-to-fix for just the high and severe bugs from each side, you'd
> see that the Microsoft ones were slower to get patched.  I'm just betting
> that the 200+ less unimportant bugs included many that really just didn't
> warrant any priority to fix.
>
> Unfortunately, the article doesn't really show this in the light that suggests
> the findings of Windows being the most secure commercial OS might be false,
> but it's not too hard to read between the lines.  78% of statistics are made
> up and 103% of statistics can say the exact opposite of what you think they
> should mean.

And *anyway*, measuring security by number of patches for bugs and
time it takes to patch is silly. Every OS, even OpenBSD as we just
saw, is probably full of undetected exploits that are constantly
getting fixed indirectly as overall code quality is improved.

-Nick


Re: Microsoft gets the Most Secure Operating Systems award

Stuart VanZee
In reply to this post by Siju George
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]]On Behalf Of
> Siju George
> Sent: Thursday, March 22, 2007 8:29 AM
> To: OpenBSD Misc
> Subject: Microsoft gets the Most Secure Operating Systems award
>
>
> Hi,
>
> http://www.internetnews.com/security/article.php/3667201
>
> Just for some entertainment, no troll :-)
>
> --Siju
>

I think I'll print out this article for use any time my boss gets
a wild hair up his ass and wants to convert to windows.  The stats
for number of vulnerabilities and turn around time have always
been abysmal for windows and this article just proves that nothing
has changed.  Maybe I could admit that this is marginally better
than previous windows versions (maybe) but it is still very sloppy
when compared to OpenBSD.  

A special thanks to Theo and the OpenBSD team for making me look
so good all these years.

stuart


Re: Microsoft gets the Most Secure Operating Systems award

Stuart VanZee
In reply to this post by RedShift
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]]On Behalf Of
> RedShift
> Sent: Thursday, March 22, 2007 10:30 AM
> To: [hidden email]
> Subject: Re: Microsoft gets the Most Secure Operating Systems award
>
>
> Siju George wrote:
> > Hi,
> >
> > http://www.internetnews.com/security/article.php/3667201
> >
> > Just for some entertainment, no troll :-)
> >
> > --Siju
> >
> >
> >
>
> IMHO it's not a fair comparison, most linux distributions
> ship with a lot
> more software than microsoft windows does, and most
> bugreports indicate
> an issue with third-party software.
>

First, these types of articles (generally) have nothing to do
with making a fair comparison. They are made up by marketing
guys for marketing reasons.

Second, it just goes to show that an OS that doesn't ship
with a bunch of extra fluff that most people aren't going to
need anyway is always the best choice.  That was one of the
first things that attracted me to OpenBSD.  I remember saying
to myself "What? You have to enable the web server?  It isn't
on right out of the box?  WOW! What a concept!"  Needless to
say, I threw away my Red Hat CDs and haven't looked back.


Re: Microsoft gets the Most Secure Operating Systems award

Lars D. Noodén
In reply to this post by RedShift
On Thu, 22 Mar 2007, RedShift wrote:
> Siju George wrote:
>> http://www.internetnews.com/security/article.php/3667201
>> Just for some entertainment, no troll :-)
>
> IMHO it's not a fair comparison, most linux distributions ship with a lot more
> software than microsoft windows does, and most bugreports indicate an issue
> with third-party software.

It's even more bullshit than that.

Among other things, it compares the number of 'patches', which for non-MS
systems tend to be 1:1 or close to it whereas MS has been making a point of
rolling as many vulnerabilities into a single patch as possible.

The metrics are not described.  Terms like 'patch', 'vulnerability',
'advisory' are intermingled in a most unclear manner.  Patch 'development
time' seems undefined as well.

Symantec makes its living selling paper bailing cups in a leaky boat.
The media actively participates in obfuscating the issues, the causes and
the solutions by publicizing such crap from Symantec and MS.

-Lars
Lars Noodén ([hidden email])
         Ensure access to your data now and in the future
         http://opendocumentfellowship.org/about_us/contribute


Re: Microsoft gets the Most Secure Operating Systems award

beck-7
In reply to this post by RedShift
> Siju George wrote:
> >Hi,
> >
> >http://www.internetnews.com/security/article.php/3667201
> >
> >Just for some entertainment, no troll :-)
> >
> >--Siju
> >
>
> IMHO it's not a fair comparison, most linux distributions ship with a lot
> more software than microsoft windows does, and most bugreports indicate
> an issue with third-party software.

        I think it's a very fair comparison. Hmm. let's see, An OS that ships
with a big pile of stinking garbage written quickly to dangle the
prettiest shiny things in front of users' little brains before anyone
else does.  Linux distros do the first to market and damn the
consequences game just as well as Microsoft ever has.

        "Third party software" - in linux? fuck in Linux distributions
everything in userland is third party software. Linux is a kernel. The
operating system is then a collection of things put together by
bundlers.
       
        Do I think either vendor does a good job, no, but is Microsoft doing
a better job of it than say, Red Hat? Yep. You betcha. If you right
now took a magic fairy wand and replaced windows in all the broadband
connected machines out there with a full featured (and that means all
the bells and whistles, not spending half a day turning all the shit
off and un-setuiding all the inane shit that is setuid root) Red Hat
install with similar tools, I'm pretty sure you'd have a virus and
worm shitstorm that would make what we see now hitting our mailservers
from windows machines look like a tiny little unoffensive fart - from
a vegetarian at that. And yes a big chunk of the problem is the knuckle
dragging mouth breather in front of the keyboard - thank god that's
not OpenBSD's targeted userbase, although some days reading misc@
I wonder.

        -Bob


Re: Microsoft gets the Most Secure Operating Systems award

Douglas A. Tutty
In reply to this post by ben calvert
On Thu, Mar 22, 2007 at 08:12:23AM -0700, Ben Calvert wrote:

> On Thu, 22 Mar 2007 18:58:31 +0530, "Siju George"
> <[hidden email]> wrote:
> > Hi,
> >
> > http://www.internetnews.com/security/article.php/3667201
>
> From the article:
>
>      Microsoft is doing better overall than its leading commercial competitors.
>                                                         ^^^^^^^^^^
>
> No wonder.  they stacked the deck before doing the comparison

As I see it they compared:

Microsoft: 12 serious vulnerabilities in the OS
Red Hat: 2 serious vulnerabilities in the kernel + packages
Mac OS X: 1 serious vulnerability in the OS
HP-UX: ?? _serious_ out of 98 total
Solaris: ?? _serious_ out of 36 total for OS + third-party apps

The article seems to rank by the number of patches.  If a vendor waits
and sends out a mega-patch even monthly, to fix more bugs than anyone
else, then that's only two patches over a 6 month period.

It's a poorly constructed survey.


Doug.


Re: Microsoft gets the Most Secure Operating Systems award

Greg Thomas-3
In reply to this post by beck-7
On 3/22/07, Bob Beck <[hidden email]> wrote:
>
> And yes a big chunk of the problem is the knuckle
> dragging mouth breather in front of the keyboard - thank god that's
> not OpenBSD's targeted userbase,

Damn, I wonder how I stumbled onto OpenBSD then.

Greg


Re: Microsoft gets the Most Secure Operating Systems award

Douglas A. Tutty
In reply to this post by beck-7
On Thu, Mar 22, 2007 at 10:41:08AM -0600, Bob Beck wrote:
 

> Linux distros do the first to market and damn the
> consequences game just as well as Microsoft ever has.
>
> "Third party software" - in linux? fuck in Linux distributions
> everything in userland is third party software. Linux is a kernel. The
> operating system is then a collection of things put together by
> bundlers.
>
> Do I think either vendor does a good job, no, but is Microsoft doing
> a better job of it than say, Red Hat? Yep. You betcha. If you right
> now took a magic fairy wand and replaced windows in all the broadband
> connected machines out there with a full featured (and that means all
> the bells and whistles, not spending half a day turning all the shit
> off and un-setuiding all the inane shit that is setuid root) Red Hat
> install with similar tools, I'm pretty sure you'd have a virus and
> worm shitstorm that would make what we see now hitting our mailservers
> from windows machines look like a tiny little unoffensive fart - from
> a vegetarian at that. And yes a big chunk of the problem is the knuckle
> dragging mouth breather in front of the keyboard - thank god that's
> not OpenBSD's targeted userbase, although some days reading misc@
> I wonder.

I'm a babe in the BSD woods but I've spent 8 years with Linux.  I
started with RH, didn't like the philosophy and switched to Debian
Potato, then Sarge.  My big new box is on Etch, my small box will
probably be OpenBSD.

Please don't tar (so to speak) all linux with the RH brush.  I don't
know what happens if one chooses to install Debian and select 'desktop'
task.  I don't choose any tasks and get a base install, then add one
thing at a time as I need it.  After reading the securing-debian book
(harden-doc.deb) I found that there wasn't much that applied to a base
install.  Their challenge is that they need to provide choice so they
have what they call reasonable defaults.  They also have several
different packages to do the same thing, each of which has to work on
being installed.  I think they do a good job, given their mandate.

My current frustration is that the copyleft licences (such as GPL) are
being moved to the right for some things (like the GFDL) and conflicting
with debian policy.  That means, for example, that the tar(1) man page
is a summary that points you to GNU's web page.  Not very helpful.  This
is another reason I'm looking at OpenBSD.

There are only two reasons why I haven't tried OpenBSD yet:

1. My Athlon box is on Etch (testing) and until Etch is stable, I
        don't want to mess with my tool box (486, Sarge).  

2. When I try OpenBSD, it will be on the 486.  I'm working out in
        my own mind how the patches work given an old slow box.  

In any event, I _will_ try OpenBSD on the 486 once the Athlon is running
Debian stable.  I will try to breathe through my nose and keep my
fingers on the home keys.

Doug.


Re: Microsoft gets the Most Secure Operating Systems award

Marc Espie-2
On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
> Their challenge is that they need to provide choice so they
> have what they call reasonable defaults.

No, they don't need to provide choice. At least not that many. They decide
to do so.  That's most of what's wrong with OS stuff these days. Too
many choices.  Too many knobs. Every day, I see people shoot themselves in
the foot, not managing to administer boxes and networks in a simple way,
making stupid decisions that don't serve any purpose.

ACL, enforced security policies, reverse proxy setups, user accounts,
network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs...
so many choices. So many wrong choices.

At some point, the people who package the software need to make editorial
decisions. Remove knobs. Provide people with stuff that just works.
Remove options. Or definitely give them the means to do the trade-off
correctly.

Okay, it's a losing battle. I'm an old grumpy fart.

Okay, a lot of IT people are just earning their wages by managing the
incredibly too complex setups we face nowadays (and not screwing too badly
in front of a multitude of stupid inane choices).

Linux is the `culture of choice'. Provide ten MTA, ten MUA. Twenty window
managers. Never decide which one you want to install, never give you a
default installation that just works. Cater to the techy, nerdy culture
of people who want to spend *days* just making choices.

We try not to be as bad, to provide default configs that work, and not
so many choices.


Re: Microsoft gets the Most Secure Operating Systems award

Andreas Bihlmaier-2
On Thu, Mar 22, 2007 at 09:40:57PM +0100, Marc Espie wrote:

> On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
> > Their challenge is that they need to provide choice so they
> > have what they call reasonable defaults.
>
> No, they don't need to provide choice. At least not that many. They decide
> to do so.  That's most of what's wrong with OS stuff these days. Too
> many choices.  Too many knobs. Every day, I see people shoot themselves in
> the foot, not managing to administer boxes and networks in a simple way,
> making stupid decisions that don't serve any purpose.
>
> ACL, enforced security policies, reverse proxy setups, user accounts,
> network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs...
> so many choices. So many wrong choices.
>
> At some point, the people who package the software need to make editorial
> decisions. Remove knobs. Provide people with stuff that just works.
> Remove options. Or definitely give them the means to do the trade-off
> correctly.
>
> Okay, it's a losing battle. I'm an old grumpy fart.
>
> Okay, a lot of IT people are just earning their wages by managing the
> incredibly too complex setups we face nowadays (and not screwing too badly
> in front of a multitude of stupid inane choices).
>
> Linux is the `culture of choice'. Provide ten MTA, ten MUA. Twenty window
> managers. Never decide which one you want to install, never give you a
> default installation that just works. Cater to the techy, nerdy culture
> of people who want to spend *days* just making choices.
>
> We try not to be as bad, to provide default configs that work, and not
> so many choices.

I agree with you that secure/sane defaults are very important, they are
a big pro for OpenBSD. Featurism violates KISS and we all know that KISS
is the only way to handle ever growing complexity.
BUT choices are important as well, everything else is "world domination
tour" aka dictatorship (and not the good kind).
Imagine not having a choice in hardware, wait don't just imagine look at
the high-end graphics card market.

Sorry, but I just couldn't leave the "one size HAS TO fit all" alone
without any restraints.

Regards,
ahb


Re: Microsoft gets the Most Secure Operating Systems award

Greg Thomas-3
In reply to this post by Marc Espie-2
On 3/22/07, Marc Espie <[hidden email]> wrote:
> On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
> > Their challenge is that they need to provide choice so they
> > have what they call reasonable defaults.
>
> No, they don't need to provide choice. At least not that many. They decide
> to do so.  That's most of what's wrong with OS stuff these days.

That's exactly why I switched long ago.  Poking around at 1000
different little apps all doing the same thing was fun for awhile on
Linux but I eventually realized that all the choices actually reduced
my productivity.

A second reason I switched was because of OS cohesion.

Greg


Re: Microsoft gets the Most Secure Operating Systems award

Jeffrey Joshua Rollin
In reply to this post by Marc Espie-2
On 22/03/07, Marc Espie <[hidden email]> wrote:

> On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
> > Their challenge is that they need to provide choice so they
> > have what they call reasonable defaults.
>
> No, they don't need to provide choice. At least not that many. They decide
> to do so.  That's most of what's wrong with OS stuff these days. Too
> many choices.  Too many knobs. Every day, I see people shoot themselves in
> the foot, not managing to administer boxes and networks in a simple way,
> making stupid decisions that don't serve any purpose.
>
> ACL, enforced security policies, reverse proxy setups, user accounts,
> network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs...
> so many choices. So many wrong choices.

Multiple user accounts and a journalling facility on a filesystem ==
wrong: Interesting perspective.

>
> At some point, the people who package the software need to make editorial
> decisions. Remove knobs. Provide people with stuff that just works.
> Remove options. Or definitely give them the means to do the trade-off
> correctly.
>
> Okay, it's a losing battle. I'm an old grumpy fart.
>
> Okay, a lot of IT people are just earning their wages by managing the
> incredibly too complex setups we face nowadays (and not screwing too badly
> in front of a multitude of stupid inane choices).
>
> Linux is the `culture of choice'. Provide ten MTA, ten MUA. Twenty window
> managers. Never decide which one you want to install, never give you a
> default installation that just works. Cater to the techy, nerdy culture
> of people who want to spend *days* just making choices.

Wrong. Unix is the "culture of choice", and that includes Linux and
OpenBSD. It's been the same ever since Berkeley included csh. That, by
the way, is why YOU have the option to run OpenBSD, and others have
the option to run Linux.

>
> We try not to be as bad, to provide default configs that work, and not
> so many choices.
>
>

I was happy with the choices in Linux ten years ago. Some still aren't
happy with it. That's the nature of people these days. If you want to
try to change their behaviour you have to provide for them in the
meantime.


Jeff
--
Q: What will happen in the Aftermath?

A: Impossible to tell, since we're still in the Beforemath.

http://latedeveloper.org.uk


Re: Microsoft gets the Most Secure Operating Systems award

Greg Thomas-3
On 3/22/07, Jeff Rollin <[hidden email]> wrote:

> On 22/03/07, Marc Espie <[hidden email]> wrote:
> > On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
> > > Their challenge is that they need to provide choice so they
> > > have what they call reasonable defaults.
> >
> > No, they don't need to provide choice. At least not that many. They decide
> > to do so.  That's most of what's wrong with OS stuff these days. Too
> > many choices.  Too many knobs. Every day, I see people shoot themselves in
> > the foot, not managing to administer boxes and networks in a simple way,
> > making stupid decisions that don't serve any purpose.
> >
> > ACL, enforced security policies, reverse proxy setups, user accounts,
> > network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs...
> > so many choices. So many wrong choices.
>
> Multiple user accounts and a journalling facility on a filesystem ==
> wrong: Interesting perspective.
>
> >
> > At some point, the people who package the software need to make editorial
> > decisions. Remove knobs. Provide people with stuff that just works.
> > Remove options. Or definitely give them the means to do the trade-off
> > correctly.
> >
> > Okay, it's a losing battle. I'm an old grumpy fart.
> >
> > Okay, a lot of IT people are just earning their wages by managing the
> > incredibly too complex setups we face nowadays (and not screwing too badly
> > in front of a multitude of stupid inane choices).
> >
> > Linux is the `culture of choice'. Provide ten MTA, ten MUA. Twenty window
> > managers. Never decide which one you want to install, never give you a
> > default installation that just works. Cater to the techy, nerdy culture
> > of people who want to spend *days* just making choices.
>
> Wrong. Unix is the "culture of choice", and that includes Linux and
> OpenBSD.

How many MTAs, MUAs, http servers, text editors, DNS servers, FTP
servers, etc. are included with OpenBSD?

Greg


Re: Microsoft gets the Most Secure Operating Systems award

Todd Alan Smith-3
In reply to this post by beck-7
On 3/22/07, Bob Beck <[hidden email]> wrote:
<snip>
> from a vegetarian at that.

The fallacy that is this clause undermines your broader argument.
Promise yourself not to spread such falsity again, and you will be
well served.

-Todd
