| Vista security baloney |
Jun. 28, 2007
If you believe Jeff Jones, Microsoft's security strategy director, then Vista is much more secure than XP, Mac OS X, and Linux.
Why, oh why, is anyone paying any attention to this man outside of the walls of Microsoft? His paychecks are signed by Bill Gates, people!
What do you think he's going to say? "Really, when you get right down to it Windows is a fatally flawed operating system that no one in their right mind would ever use for truly secure computing?" He wouldn't just be fired; he'd be carried out by the real Microsoft security: the Microsoft cops.
Or, let's say he said something more politically correct, such as, "Really, Windows, and now Vista, still lag behind both Linux and Mac OS X when it comes to security, but we have gotten better." Much nicer, but still true and he'd still end up fired.
Anyone who believes a word out of Jones' mouth when it comes to Vista security is a fool. You want to find someone who does say nice things about Vista security from time to time that you can believe in? I suggest Larry Seltzer's Cheap Hack blog.
Jones also goes on to explain that in the past he's worked with Unix and the BSDs. He's also willing to admit that security improvements are happening on Linux and Unix, but that Microsoft is doing it better. He then asks, "Am I biased? I do not think so, but let's just all keep assuming I am, because I don't mind. If I make comparisons, I'll lay out my metrics."
As it happens, Joe Wilcox, my compatriot over at Microsoft Watch, took a look at Jones' metrics. Guess what he found.
He found that Microsoft gets its great Vista numbers by not counting all of Vista's security problems. Jones also doesn't count any silently fixed vulnerabilities. In other words, if Microsoft fixes a problem, but assumes no one knew about it, they don't admit to there being a flaw in the first place.
As Ryan Naraine notes in his security blog, Zero Day, "Microsoft routinely ships silent fixes within its security bulletins if flaws are discovered internally. These are never assigned CVE numbers and will never appear in these comparison reports from Jones."
Jones and other Microsoft security staffers, according to Naraine, also argue that everyone, including Linux distributors, issues patches with silent fixes. They do? You can fix a problem in "open source poster child" Linux without everyone knowing about it!?
One of Linux's problems, which Mark Shuttleworth, Ubuntu founder and CEO of Canonical Ltd., is trying to fix is that Linux doesn't just publicly track and fix its problems, it does so in so many places and in so many ways that it's hard for developers to keep track of what's already been fixed. Unlike with Microsoft, where if a security tree falls in Windows no one will ever hear it, in Linux, when a security tree falls everyone hears it.
You see, that's the real difference between Linux and Windows security. In Linux, everyone sees the problems, everyone works on the problems. In Windows, Microsoft hides the problems and hope you silently accept the company's self-serving explanations for its problems.
-- Steven J. Vaughan-Nichols
Do you have comments on this story?
Talkback here
NOTE: Please post your comments regarding our articles using the above link. Be sure to use this article's title as the "Subject" in your posts. Before you create a new thread, please check to see if a discussion thread is already running on the article you plan to comment on. Thanks!
(Click here for further information)
|
|
|
7 Advantages of D2D Backup
For decades, tape has been the backup medium of choice. But, now, disk-to-disk (D2D) backup is gaining in favor. Learn why you should make the move in this whitepaper.
4 Legal Reasons to Control Internet Access
The Internet is obviously a valuable resource for many organizations. However, many are exposed to legal liability concerns because they fail to control Internet access. Learn if you're safe in this white paper.
Rapidly Resolve J2EE Application Problems
Whether you are in the process of building J2EE applications or have J2EE applications already running in production, you must ensure that they deliver the expected ROI. Learn how in this white paper.
Load Testing 2.0 for Web 2.0
There are many unknowns in stress testing Web 2.0 applications. Find out how to test the performance of Web 2.0 in this white paper.
Build Better Games Online
For the game infrastructure providers, life is complex. Making money from games has become more complicated. Why? Find out in this white paper.
Building a Virtual Infrastructure from Servers to Storage
This white paper discusses the virtual storage solutions that reduce cost, increase storage utilization, and address the challenges of backing up and restoring Server environments.
Gaining Faster Wireless Connections with WiMAX
Welcome to what is quickly becoming the hyperconnected world where anything that would benefit from being connected to the network will be connected. Learn more in this white paper.
Is Your Desktop a Security Threat?
The new wave of sophisticated crimeware not only targets specific companies, but also targets desktops and laptops as backdoor entryways into those business’ operations and resources. Learn how to stay safe in this white paper.
Increasing SAN Reliability by 100 Percent
Storage area networks (SAN) are a strong part of storage plans. Learn how to increase your reliability and uptime by 100 percent in this case study.
|
|
|
|
|
news feed