Microsoft's Security Chief Says Windows Safer Than Linux

Mike Nash, Microsoft's Security Chief, recently compared Microsoft's security record this year with that of Red Hat and Novell. From the article:
“Even with the relatively large number of bulletins we released this week, we compare favorably,” he said. “Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities.”
Now, on to why that is a silly and meaningless comparison. First, Microsoft tends to post security patches only after a vulnerability or flaw has been made public. On the flip side, patches for Open Source programs are often preemptive. More importantly, comparing “Windows Server 2003” with a full Linux distro is a bit misleading when used in this context. It's comparing a core OS with a full-blown OS with the works. How many patches are there for a Windows 2003 install that includes Office, Visual Studio and the myriad other programs it would take to match the functionality of the distros they are comparing to? And could you get security updates for such a configured Windows system from one single vendor (answer: no)? Finally, it also ignores ease of exploit and nature of exploit. It puts a local non-root exploit in mpg123 on even ground with a remote code execution with privilege escalation in IE. You put all that together and what do you get? The quoted stats are not only useless, but misleading. I'm sure that won't stop them from getting quoted everywhere though. Now, don't take this post as an indication that I think Linux security is perfect; quite simply, it isn't. In fact, we still have a long way to go. It's just better than Windows, which one must admit has set the bar fairly low.
–jeremy

Google Reveals Its Product Formula

Google executives attempted to demystify the search company's product decisions during presentations with Wall Street analysts yesterday. From the article:

Google is striving to split its product investments three ways, following a formula of “70-20-10,” Schmidt told analysts gathered at the company's Mountain View, Calif. headquarters.
Seventy percent would target its core search and advertising products, while 20 percent would focus on adjacent products, such as its newer desktop and product search services.
The final 10 percent would center on the most experimental products, those “things that are truly interesting to us,”

An interesting formula, and something along the lines of how we spend our time on LQ, if I had to guess. The bottom line is that when a company this successful gives you tips on how they are operating, you should listen closely.
–jeremy

Shipping Windows Forms Source?

Sparked by this post (which starts “I want to deliver Windows Forms source code to you.”), some people inside Microsoft may want to start sharing source code. Kudos to Shawn, I say, but as you may have guessed, it may never happen. One of the supposed reasons? “Inappropriate comments”! Now, I've left some doozies around myself, I have to admit, but I'd be hard pressed to consider that a legitimate reason not to release code (even with the “Netscape are weenies” debacle from a couple of years ago). If nothing else, the code could surely be scrubbed before release. Sounds more like an excuse really, but at least the issue is now being openly talked about inside MSFT, which is a start. The seeds may just have been planted.
–jeremy

Linux Heavyweights Sound Off At Summit

An article about the recent OSDL Linux Summit has been posted. From the article:

“I distrust people with visions,” Linux creator and Open Source Development Lab fellow Linus Torvalds said last week during a keynote at OSDL's Enterprise Linux summit. “When you look ahead at the utopia, that's when you stumble.”

Another item that was stressed at the Summit seems to be that one hurdle Linux on the desktop is currently facing is the lack of a single UI and of integration between apps. This is caused by little (and in some cases no) interaction between groups of developers.
“It's not principally a technical issue,” Kapor said. Rather, it's been a lack of motivation for these groups of developers to create a unified interface for users.
While one of open source's biggest strengths is the ability for different, and at times competing, software-development projects to emerge, it also at times causes a lack of cohesion. Andrew Morton suggested, “What we should concentrate on is well-defined interfaces and standards so that the projects can work together.” A step in the right direction, and I'm quite sure this is a problem we can eventually work to resolve.
–jeremy

Myths About Samba

Andrew Tridgell has posted a great article over on Groklaw about a few persistent Samba Myths. An interesting read and I'll guess that almost every person who reads the article will learn at least one new thing – I know I did.
–jeremy

2004 LinuxQuestions.org Members Choice Award Winners Announced

The polls are closed and the results are in for the 2004 LinuxQuestions.org Members Choice Awards. A couple of interesting points. The distribution battle continues to get closer and closer every year. Just two years ago Red Hat won with over 26% of the vote. This year the winner only had 19%, and 6 distributions had over 10%. The bottom line? There are a lot of quality choices out there that appeal to different people. Another interesting point is that while OOo as a suite cleaned up with almost 85% of the vote, the individual components were nowhere near as popular. Once again – congratulations to every project that was nominated.
–jeremy

Microsoft Security Bulletin Advance Notification

In an interesting move, Microsoft has pre-announced 13 security vulnerabilities. From the link:

* 9 Microsoft Security Bulletins affecting Microsoft Windows. The greatest aggregate, maximum severity rating for these security updates is Critical. Some of these updates will require a restart.
* 1 Microsoft Security Bulletin affecting Microsoft SharePoint Services and Office. The greatest aggregate, maximum severity rating for this security bulletin is Moderate. These updates may or may not require a restart.
* 1 Microsoft Security Bulletin affecting Microsoft .NET Framework. The greatest aggregate, maximum severity rating for this security bulletin is Important. This update will require a restart.
* 1 Microsoft Security Bulletin affecting Microsoft Office. The greatest aggregate, maximum severity rating for this security bulletin is Critical. These updates will require a restart.
* 1 Microsoft Security Bulletin affecting Microsoft Windows, Windows Media Player, and MSN Messenger. The greatest aggregate, maximum severity rating for these security updates is Critical. These updates will require a restart.

There are a lot of criticals in there, that's for sure. If you're responsible for a Windows machine you may want to get to work early on Tuesday ;) It would seem that Microsoft is preparing for the worst on this one – they even have a webcast set up.
–jeremy

2004 LinuxQuestions.org Members Choice Awards are now Closed

The polls have officially closed and the numbers are being reviewed now. I should have the results for you, along with some commentary, in a couple of days. Thanks to everyone who voted. For the fourth year in a row we had a record turnout. If you have any suggestions on how we can improve the 2005 MCAs, please do let me know.
–jeremy

LinuxQuestions.org Podcast – 02.02.05

The latest LinuxQuestions.org Podcast. Topics include the 2004 LinuxQuestions.org Members Choice Awards, an LQ Radio and Skype update, a few LQ reminders, LQ sponsoring the OSBC, Linux kernel security, the Software Freedom Law Center and ESR stepping down from OSI.
–jeremy

Linux Kernel Security Team

Here's a quick follow-up to this post. From the article:
The end result will likely be the creation of an invite-only mailing list to which people can choose to report security problems. Whether or not this list is actually used was unimportant to Linus, just that it was an available choice. “Let people vote with their feet. If vendor-sec ends up being where all the 'important' things are discussed – so be it. We've not lost anything, and at worst a 'kernel-security' list would be a way to discuss stuff that was already released by vendor-sec.”
Good to see that this issue was quickly resolved (and correctly resolved IMHO). You can read the entire proposed draft here.
–jeremy