More FUD About Security of GNU/Linux

Gee. Millions of malware-ridden bots of that other OS later and some twit still writes, “The reality is that Linux is not more secure. It is simply less targeted. The fallacious belief that it is inherently secure is the same sort of faulty logic that’s getting Mac users in trouble now.”

The truth is you are thousands of times more secure with GNU/Linux than that other OS. The count of malwares proves that. The incidence of malware infections proves that. The prevalence of GNU/Linux servers on the web proves that. The fact that M$’s servers are becoming more like GNU/Linux machines with time is another. Heck, M$’s 2008 server can even run GUIless and uses scripting. Where have we heard of that? Oh, GNU/Linux back about 1995.

It is a standard military manoeuvre to seek out an enemy’s weakness and exploit it. If you are trying to run IT, are you charging the enemy’s centre with its heavy artillery, enfilade fire and mines, or are you going to flank him and cut his supply lines? We must do the same in IT. M$ has proven thousands of times that its software is insecure. We should run GNU/Linux. It’s the smart thing to do.

In my personal experience with thousands of PCs in schools I have seen hundreds of machines riddled with malware running that other OS and not one infected machine running GNU/Linux. That was not due to a shortage of GNU/Linux machines. We had plenty. The quality of FLOSS code has repeatedly been shown to be superior to non-FREE software per thousand lines of code, and with the software bloat in that other OS, the bloat multiplies that advantage. Look at Debian GNU/Linux. Their bug count is a few hundred for tens of thousands of packages and billions of lines of code (54 GB of source code). That other OS has been shipped with no security and 50K bugs, many of which became vulnerabilities.

The whole design of that other OS is descended from a single-user system with the assumption that malware and attackers did not exist. The whole design had to be covered by layers of bloat to try to defend the weak core of the OS. This only increased the exposed edges of the system to further kinds of attack. Supposedly Vista was a rewrite to fix some of these problems but still vulnerabilities introduced in the time of Lose 3.1 were included.

See also User32.dll and Animated Cursor.

M$ has a long history of adding features which later became riddled with vulnerabilities. There is nothing comparable in GNU/Linux. See ActiveX and SMB. Despite the obvious fragility of the OS, M$ did not ship a firewall until XP and did not turn it on by default until XP SP2.

To state that GNU/Linux is not more secure than that other OS is a plain lie. Security and malware are sufficient reason to migrate to GNU/Linux. Added to cost, performance and the anti-competitive nature of M$, the decision is simple. I recommend Debian GNU/Linux. Its first priority is good software, not profits by any means.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

96 Responses to More FUD About Security of GNU/Linux

  1. Gene Kay wrote, “until I came across the first M$”

    M$ has poured an endless stream of crap on the world of IT, messing with competition every way they could, legal or not. “M$” is my way of dumping back on them. They deserve it. BTW, “MS” is a trademark of M$ and it’s very similar, so there’s no need to get your nose out of joint. I also refuse to name their OS because a rectangular region of a screen is a generic term in IT predating M$ by decades. M$ has no right to it no matter what the USPTO says.

  2. Gene Kay says:

    I was intent on reading this article until I came across the first M$. Are you 12 years old? Is this 1998? It’s embarrassing to us Linux users, grow up.

  3. oldman says:

    Mr. oiaohm

    In the end none of your massively self serving wall of text does anything to change the facts that I have presented. It is indeed possible to configure and use a windows desktop system safely on the internet – I am proof positive of this fact. It is not a lie. Nothing you said makes it go away, and none of the verbal diarrhea that you spewed in my direction is going to make me back down from that fact, Mr. Microsoft VAR.

    As far as your unbiased view of security is concerned, I present the following excerpt from your diatribe…

    “Like a information terminal does not need windows its function will never exceed what Linux offers.”

    Do you bother to provide your users with what it will take to properly secure a windows based solution? Do you look at the cost/benefit vs. the risk for the given class of data being accessed? Interesting how your only spoken-of option to windows is Linux, eh? From my view your bias comes through as clear as day.

    “I can accept at times that my hands will be tied and forced to use a lower grade of security to achieve results but I am not going to lie to client.”

    So you do have a sense of reality sir. That is promising. I am wondering however how we got from my assertion that a desktop can be sufficiently secured to resist malware to my lying. I never said that windows could be absolutely secured. I never said anything about what it would take. It is you that “assumes” how I advise people, when in fact you haven’t a clue.

  4. oldman says:

    “@ldman doesn’t trust Windows with the Internet so he does all his work on the Internet through GNU/Linux on the KDE desktop. Isn’t that right @ldman.”

    Nope. I use pure windows based browsers for all my internet access. The Red Hat VM on my desk is for server support and design related tasks only.

    And my workstation is directly on the internet.

    Is yours?

    And don’t forget about tripwire, you never know who might have monkeyed with your system ;-)

  5. kozmcrae says:

    @ldman wrote:

    “Actually it isn’t oldman against the world, but Mr. K’s ignorance against standard security practice.”

    What security practice are you talking about that I’m supposed to be ignorant of?

    @ldman doesn’t trust Windows with the Internet so he does all his work on the Internet through GNU/Linux on the KDE desktop. Isn’t that right @ldman.

  6. oiaohm says:

    Even more fun oldman is 9 of the 12 look up 9 basic trick types of magic. Yes those 9 appear as a different form when doing security.

    This leaves 2 ideas that are unique to security alone.

  7. oiaohm says:

    oldman
    “Nor is there any excuse for using your security creds as club to force windows users to linux when you know full well that it doesn’t meet all needs, AND you know that management is going to push back hard if they detect the ideological bent behind your “recommendations” and “technical assessment”

    And BTW Mr. Microsoft VAR, what is your excuse for continuing to support windows?”

    Read me again, you get me wrong. I am saying Microsoft should be held to account. I like that: to support something, you think that I have to like it. Reality: you can support something yet hate it absolutely.

    Lies help no one oldman. I do support Microsoft systems that are installed. I have no reason to lie to myself about the security quality of the solution. In fact a lie is a hazard to the client since you don’t understand what is missing and what weaknesses are in the system that need to be managed.

    So this makes you incompetent oldman.

    I can accept at times that my hands will be tied and forced to use a lower grade of security to achieve results but I am not going to lie to client.

    There is no reason to excuse Microsoft for poor workmanship.

    This gets to the truth. “plenty of liability in terms of lost function/feature in the application s available.”

    You have traded security away for functionality. So the fact remains Windows is a lower grade of security than lots of Linux distributions. Nothing you have said changes that fact. Windows might have a higher grade of functionality.

    Does either side deserve to be let off for being weak? The answer oldman is No. You will not let Linux off for its lower functionality. So since you will not let Linux off for its lower functionality, why should Microsoft get off for a lower grade of security?

    Really oldman what you are doing is called a biased assessment of security. This topic is talking security not functionality.

    You keep on presuming I give either side a free ride this is not true. Linux I am on the back over functionality in particular areas.

    Sorry oldman my management wants to know what the true risks are. So they can make an informed selection on how much risk is involved for how functionality is got. Like an information terminal does not need windows, its function will never exceed what Linux offers.

    Assessment of task functionality requirements vs security allows the best solution to be placed with the least long term risk.

    Your argument is still a joke. Don’t you get that I am the way I am because this is what my Management wants. They don’t want a person taking stupid risks.

    I like the “ideological” claim against my “technical assessment”. The last 5 people to try that don’t have jobs any more. Reason: they were proven to be ideological. There are books that document how security assessments are to be done. DoD rainbow books, about time you get yourself a copy and start reading oldman. The reports I produce on Windows or a Linux Distribution security are not biased. Did you not notice that I have no problem ripping Ubuntu apart, I have no problem ripping particular versions of debian apart.

    Does not matter the OS oldman I have check lists of features I am looking for. This is where the ideological problem falls down. Open debate on the check lists can be done. I have nothing to fear.

    Microsoft supporters don’t have the documents to back their security claims. In a lot of cases they don’t have the documents to back the functionality requirements for the case at hand either. So they get their head handed back to them on a plate.

    My method is science. You should be able to prove requirement you should be able to test.

    Really oldman you are laughable. You take the path that you have no option bar to trade away security. So you most likely never do the assessments properly because you are too focused on what you will lose in features without putting a value on what you are losing in security.

    Do some proper study oldman and at long last learn to be a proper pro not an impostor.

    Really people learn anyone claiming that I am ideological has made a lethal mistake.

    Since my assessments are not based on ideology, management can push back as hard as they like and find there is no room to bend what I am saying. Reality is Reality. We have to live with Reality not lies.

    Worse is that I can give them the books to do the assessments themselves that were written pre the existence of Windows or Linux. So the books are not biased to either party. DoD rainbow books cover everything from computer security to building physical security. They cover basic ideas to build security over and over again.

    In fact I have done a reference of ideas in the rainbow books. This normally causes management to go “what the”. There are only 12 key ideas that are the foundation of physical or electronic security.

    Funny enough from that I understand why people think of security like magic.

    One of the key ideas of building a secure system is Misdirection. Misdirection is the cornerstone of most magic tricks. Misdirection is key to cause attackers headaches. The goal of course is to make the Misdirection lead the attackers into giving themselves away or going away from what you wish to protect.

    Oldman, that security is understanding Misdirection. Against a security pro, trying Misdirection is foolish Oldman.

  8. Well, I could not do it and I am a lot more savvy than the typical user of a PC.

  9. oldman says:

    “In @ldman against the World, @ldman’s point of view is moot. Not even a nice try @ldman.”

    Actually it isn’t oldman against the world, but Mr. K’s ignorance against standard security practice. And there is nothing to try sir, you are ignorant of standardized security policy and practice and I am not.

    I would suggest tripwire for your workstation BTW.

  10. kozmcrae says:

    @ldman wrote:

    “Nice try, but from my point of view your labored distinction is moot.”

    In @ldman against the World, @ldman’s point of view is moot. Not even a nice try @ldman.

  11. oldman says:

    “From my point of view securing a GNU/Linux system is trivial compared to trying and failing to secure that other OS.”

    Failing where, Pog? Are you disputing my success in doing so?

    Frankly, your assessment of the current versions of windows as a “festering pile of garbage” is, to put it nicely, an opinion not a fact. I know of quite a few people who have far more extensive credentials than YOU have in IT who say the same about Linux, yet I consider them opinionated as well.

    My real beef here is with the notion that an os can be magically immune from attack in and of itself, or that it will remain so forever. Your “better” platform is only better because of security by obscurity, and security by obscurity is as far as I am concerned no security at all.

  12. oldman wrote, “from my point of view your labored distinction is moot. The work of defensive securing of systems still needs to be performed and maintained regardless of which platform that you are running on.”

    From my point of view securing a GNU/Linux system is trivial compared to trying and failing to secure that other OS. The only one who can properly secure that other OS is M$ and they have shown repeatedly that they won’t do that. They just increase complexity and add more layers, increasing the number of vulnerabilities in the process.

    That other OS started with no concept of a multi-user, networked OS and they kept that backwards compatibility as much as they could so as not to shock their installed-base. We are decades into their use of “the registry” and still installers can botch it up. What’s with that? There’s no way that other OS can be secured as long as random software is allowed to do whatever it wants to a PC. There’s no way all the malware can be blocked from accessing that festering pile of garbage.

  13. oldman says:

    “There is no excuse for arguments this poor Oldman.”

    Nor is there any excuse for using your security creds as club to force windows users to linux when you know full well that it doesn’t meet all needs, AND you know that management is going to push back hard if they detect the ideological bent behind your “recommendations” and “technical assessment”

    And BTW Mr. Microsoft VAR, what is your excuse for continuing to support windows?

  14. oldman says:

    “True, but “No system is truly secure on the internet.” DOES NOT EQUATE TO “Linux is as insecure as Windows.” Linux was design from the start to be connected to the world safely, Windows was not.”

    Nice try, but from my point of view your labored distinction is moot. The work of defensive securing of systems still needs to be performed and maintained regardless of which platform that you are running on.

    Of course again from my viewpoint, this being the case, there is no benefit to running on linux re security at all, and plenty of liability in terms of lost function/feature in the applications available.

    BTW I hope that you know that bad guys breaking into a linux box generally know that they have to modify the system logs to erase any traces of their presence. Usually this can be caught by installing something like tripwire.

  15. Clarence Moon says:

    what is your idea what this is…

    This is the sort of Frankenstein personal electronic device that, at a price point of $999, is doomed to fail in all world markets. What kind of goon would have such a clumsy ox? You can have an iPad and an iPhone for less.

  16. kozmcrae says:

    @ldman wrote:

    “No system is truly secure on the internet.”

    True, but “No system is truly secure on the internet.” DOES NOT EQUATE TO “Linux is as insecure as Windows.” Linux was designed from the start to be connected to the world safely, Windows was not.

    I’m looking forward to dropping the ‘@’ in “@ldman”. Why don’t you help me out with that. It’s easier than you think.

  17. oiaohm says:

    Clarence Moon
    “The same people who think that a phone will replace a PC? :-)”
    http://www.asus.com/Mobile/PadFone/

    Interesting question what is your idea what this is. A PC, Tablet or Phone? Remember this is Android.

    Phone replace PC maybe. Or maybe phone and PC will merge. Let’s just say we are in flux and no one is 100 percent sure where the chips will land.

  18. Clarence Moon says:

    I use Windows 7

    At the end of the day, that is all that counts. It is just a business thing after all.

    Who …thinks that a phone interface will fly…

    The same people who think that a phone will replace a PC? :-)

  19. I am not expert enough in PHP. I have often tweaked code but this would be major surgery. I have enough work to do being retired and blogging at the same time. I could fix all my problems by using a different editor and plugging in HTML. I could do that. I think the problem with some of these quirks is not the editor itself but the CSS. I am too old to use CSS… My son is expert though. He is threatening to change the theme and fix the CSS problems. I know CSS is the issue in some cases because “view source” in my browser reveals wanted features that are not rendered properly in the browser. For example, this ul section does not render properly in my browser but is in the source sent to the browser:

    • first item
    • second item

    I see
    first item
    second item
    but “view source” shows the correct HTML.

    1. first
    2. second

    renders correctly. Chrome shows css, list-style:none; for ul but for ol shows list-style:decimal; The effect depends on whether or not I am logged in as admin or pogson… My mind boggles…

    It was a default cascading over the correct setting. Fixed that. It still looks wrong when I edit as admin, however… Could not find the rule. Too many layers…
    Finally found the CSS file causing the problem. It works now, thanks.

  20. oldman wrote, “No system is truly secure on the internet.”

    I think a site serving nothing but a single static HTML page might be secure on the Internet. To a proper firewall, add a filter cutting all requests to sane parameters (Get the particular page). Use the simplest web server available. I would guess such a site could be made immune to all attacks except DOS and DNS tweaks. Put all code in read-only memory. Put all data in read-only memory. Cold reboot after every request. Rotate sequential requests to random servers… Just as client browsers can filter using white lists, a server could do the same.

    For an interactive website the solution is much more difficult but syntax-checking all input and cutting the length of requests would go a long way. For a site requiring keywords only in input fields, I strip all punctuation and limit lengths. Putting such a stripper in hardware or ROM should be very reliable. Most intrusions I have read about exploit human factors or weird data. Having hardware eliminate both should secure anything against all attacks except internal bit-rot.
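The strip-and-limit filtering sketched in this comment, written out as an added example (not code from the original post); the caps, the allowlist of letters, digits and spaces, and the sample inputs are assumptions for illustration:

```python
import re
import unicodedata
from typing import List, Optional

# Caps for the example; assumed values, not numbers from the original comment.
MAX_FIELD_LEN = 64      # characters accepted from one keyword field
MAX_KEYWORDS = 8        # tokens kept after cleaning
MAX_REQUEST_LEN = 512   # raw request body size before any parsing

# Allowlist is letters, digits and spaces. Anything else counts as punctuation.
_DISALLOWED = re.compile(r"[^A-Za-z0-9 ]+")


def _fold(raw: str) -> str:
    """Map Unicode look-alikes (fullwidth letters, ligatures) to plain ASCII so
    the allowlist is applied to the canonical form rather than a decoy glyph.
    Characters with no ASCII form are dropped."""
    return unicodedata.normalize("NFKC", raw).encode("ascii", "ignore").decode()


def strip_policy(raw: str) -> List[str]:
    """The lenient policy from the comment: limit length, then strip punctuation.
    Whatever survives is returned as lower-case keyword tokens."""
    folded = _fold(raw[:MAX_FIELD_LEN])             # truncate before cleaning
    cleaned = _DISALLOWED.sub(" ", folded)          # punctuation becomes a separator
    tokens = [t.lower() for t in cleaned.split()]
    return tokens[:MAX_KEYWORDS]


def reject_policy(raw: str) -> bool:
    """The stricter policy: accept a field only if it was already clean.
    True for ASCII keyword-only input within the length cap, otherwise False."""
    if len(raw) > MAX_FIELD_LEN or not raw.isascii():
        return False
    return _DISALLOWED.search(raw) is None


def check_request(body: str) -> Optional[List[str]]:
    """Front-door filter for a keyword search request: cap the raw size first,
    then reduce the field to tokens. None means the request is refused."""
    if len(body) > MAX_REQUEST_LEN:
        return None
    tokens = strip_policy(body)
    return tokens or None                            # nothing usable left: refuse


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for sample in ["deer hunting, berries", "' OR 1=1 --", "ｍｕｓｈｒｏｏｍｓ"]:
        print(repr(sample), "->", strip_policy(sample), reject_policy(sample))
```

Stripping silently rewrites the input (the second sample becomes three harmless tokens), so the reject policy is the safer default where the field can simply be refused.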

  21. oiaohm says:

    Phenom
    “Why don’t you get the source and fix these quirks yourself? Isn’t that what FLOSS is all about?”
    In fact sorry you don’t know FLOSS.

    Is the quirk a major problem or is it just an annoyance at times. FLOSS provides you with the option to fix the problem. Does not magically equal you have to. Also some of wordpress quirks trace back to supporting browsers like IE that are broken bits of work.

    Now of course Phenom it never crossed your mind that closed source that is not fixed gets in the way of FLOSS and quality software.

    Sorry Phenom, if you understood FLOSS you would never have made the challenge to Robert Pogson.

    Like if the bug truly does bother you Phenom, you are free to pay a developer to fix it in FLOSS.

  22. oiaohm says:

    oldman have you ever read the DoD rainbow books.

    They presume your system will be pwned. They are about reducing the damage if that happens.

    They are about making it as hard as possible for the attacker to do major damage to the system.

    Its like choosing to go into battle wearing body armour instead of wearing just a normal shirt. Your odds of living wearing body armour are way higher.

    None of you trying to downplay oldman is going to change the fact Windows is lacking body armour against harm.

    The argument that any system can be pwned is a basic deception. Security, good security, is based on the belief that one day it may fail. The goal is to make it as hard as possible to succeed.

    Like there is no such thing as a safe that cannot be opened by force. By oldman logic you might as well not put anything in a safe but use an unlocked drawer and tell people that valuable items are in it because a safe can be broken open anyhow.

    Come on oldman, for a person who claims to be so experienced your arguments are so laughable it’s not funny.

    What are you trying to prove to everyone that you are a completely incompetent person Oldman.

    There is no excuse for arguments this poor Oldman.

  23. oldman says:

    “I cringed. I’m sure it’s possible, but it’s much like playing Russian roulette. If you spin the cylinder and pull the trigger 500 times without eating a bullet, there’s no guarantee that the next spin-and-shoot won’t end in a bang. ”

    No system is truly secure on the internet. And in spite of what you think, there is no guarantee that a linux host won’t get pwned either. The facts of my situation, however, stand as they are, and no amount of vigorous verbal handwaving is going to change that fact.

  24. Phenom says:

    Hey, Mr. Pogson, you say you are a developer. WP is free, you have the source… Why don’t you get the source and fix these quirks yourself? Isn’t that what FLOSS is all about? I mean, examine the code and fix the bugs yourself? Become one of the many eyes, Mr. Pogson!

  25. The editor closes unclosed tags at the end… After using it for years, I have developed my work-arounds, like a browser extension to put in a template for quotations etc. For some reason, I cannot get unordered lists to work in comments but ordered lists work… WP is great but it has a few quirks. I took the liberty of fixing your comment as described.

  26. My formatting didn’t come out quite right. I was trying to blockquote oldman’s “I was talking about my windows installation – ALL of my windows installation[s]. No viruses, no malware, NADA!”

    My attempted link at the end works, but the text was affected oddly.

    Oh, well.

  27. I have read this thread and a couple of things come to mind as a result.

    I have been dealing professionally with malware on multiple platforms (MS-DOS, Windows, Mac, and Amiga) since the Brain virus in 1984, so I have a bit of knowledge on this subject (and it’s why I prefer Linux). When oldman wrote,

    “I was talking about my windows installation – ALL of my windows installation[s]. No viruses, no malware, NADA!”

    I cringed. I’m sure it’s possible, but it’s much like playing Russian roulette. If you spin the cylinder and pull the trigger 500 times without eating a bullet, there’s no guarantee that the next spin-and-shoot won’t end in a bang. I have seen knowledgeable, careful users have their machine clobbered by an infected advertisement on a legitimate website. I have watched in horror as a friend’s new Windows XP machine was infected within 30 seconds of being hooked up to the Internet for the first time. You can’t wave away the facts; all versions of Windows are an insecure mess.

    Windows 2000 may well have been the best version of Windows ever, yet they couldn’t sell it to consumers; instead, they developed Abomination A, Windows Me. Why? Because Win2K wouldn’t run much of the legacy Windows 95/98 software. So what did they do? They “broke” NT 5.0 to make it compatible with the old software and came up with Windows XP. They then tried to do a complete re-write of Windows in .Net with Longhorn—they worked on the project for over 3 years—but they scrapped it and went back to the same tired NT kernel used in previous versions.
    Microsoft’s Allchin on Mac praise: I was ranting to change Vista process

    So, years late, they came out with Abomination B, Windows Vista—which turned out to be little more than a placeholder for Windows 7. What does Windows 7 do for me that Windows XP didn’t? Not much, except a forced hardware upgrade. Is it more secure? Yes, but ten times virtually nil is still a small number. Don’t get me wrong—I use Windows 7. It’s not bad, but I use Linux more. I use Windows mostly because people expect me to know it and it is still the dominant OS, though it’s slipping.

    Which brings us to Windows 8. Who besides Microsoft, their paid acolytes, and fanboys really thinks that a phone interface will fly on the desktop PCs of this world? They may (or may not) be a dying breed—but it almost seems that MS is doing its best to try to kill them. A lot of people already have a negative opinion of Windows RT (RT? How quaint. IBM stopped making those PCs around 2000); that doesn’t bode well for Microsoft.

  28. oiaohm says:

    oldman
    “But people use applications not operating systems. While you may care about such things, most people see the operating system as that bit of color that they see as the application that they use opens.”

    Yes, people care about the wrong things. Funny, this shows how dumb you are oldman.

    People care that applications work. If you remove the operating system that application needs, applications don’t work. So users are upset.

    If the OS applications need gets infected and becomes non operational, users still don’t get to use their Applications.

    Security is key to make sure users can have their applications work when they need them to. So that a single infected application may not affect the rest of the system. So allowing the users to keep on using their applications.

    You find a lot of businesses start caring about security after their network gets crippled by an infection and their applications get made non operational.

    Security OS and Applications are not independent items. Anyone who talks about them as independent items is a moron who has not seen the big picture yet.

    Common Microsoft user defence when you start talking about security is that people use applications. Of course they are that thick that the application does not operate without its OS. So people use OS’s as well, just don’t admit it.

    Quality of the OS is key to ensuring that applications work when users need them to.

    Security is talking about making sure you can deliver under adverse conditions. MS people want to live in an ideal world where their anti-virus software doesn’t fail them.

    Oldman, while people like you push the idea that users use applications and neglect the fact they also use the OS, the things the OS is responsible for get neglected.

    You say you will not use libreoffice because its lacking some key features that you need.

    Don’t you get that Windows is also missing key features you really need to make sure infections don’t spread rapidly inside the computer so crippling it.

    So Microsoft trained Oldman that the OS is responsible for nothing, so that you no longer have any clue of why you do security in the first place.

    As a so-called pro Oldman you should not be trying to defend MS poor security.

  29. kozmcrae says:

    @ldman wrote:

    “I was talking about my windows installation – ALL of my windows installation. No viruses, no malware, NADA!”

    And so you have.

    What OS do you use to face the Internet?

    “ALl the rest of what I do is just standard operating procedure that I do on all my systems.”

    No, it’s not. It’s a fool’s task. On a real OS, all that anti-malware code is just crap. You’ve been trained to believe it’s necessary, and it is, but only on an OS that is not up to the task of being connected to the rest of the world safely. You are being had @ldman, you just don’t want to admit it.

    Think about how $big$ the “computer” security industry is. Most of that is devoted to Microsoft. All that is wasted. All that money tells you how bad Microsoft’s software is, not how good it is.

    I said I don’t take security lightly and I don’t. I don’t totally trust any computer. But I feel a lot safer with Linux. And you do too @ldman, don’t you? And not because Linux is a smaller target, which it isn’t in servers, but because by design it is inherently safer. If you admit that, I’ll drop the ‘@’. You have to give a little if you want to get a little.

  30. oldman says:

    “They are being paid way more than they earned.”

    An irrelevant ad-hominem IMHO on your part Pog. The fact remains that their ISV’s and microsoft earned my business, and nothing that you can say will change that fact.

    “I have no problem finding duplicates with GNU/Linux without M$’s stuff.”

    I could care less Pog. My point was that the function was integrated, and since unlike yourself I am not ideologically opposed to closed source commercial software in general and Microsoft in particular, I simply do not feel the need to have to look elsewhere, especially as I have no problem keeping my system malware free.

  31. oldman wrote, “They and their ISV’s earned my business.”

    God, Himself, only asked for 10%. How is M$ earning 60% margins ($2825/$4709 = profit/revenue for desktops)? They are being paid way more than they earned.

    “pogson@beast:~/Downloads$duff -e *.pdf
    trailer.pdf
    Remington_1100.pdf
    pogson@beast:~/Downloads$ duff *.pdf
    2 files in cluster 1 (71087 bytes, digest 44e93fba331dea9f1d156335dbef54a48d8edaa5)
    17346332-mailorder.pdf
    trailer.pdf
    2 files in cluster 2 (3120653 bytes, digest 36d97386e29d61f15e650e50fdc92923e63d6811)
    Models1100and1187.pdf
    Remington_1100.pdf”

    I have no problem finding duplicates with GNU/Linux without M$’s stuff.

  32. Clarence Moon wrote, of the business of making PCs, “Just ask HP”.

    Sure, and they replied last quarter that they made $9billion in revenue with $500 million in profit for the “personal systems” unit. HP sells about 16 million PCs per quarter. Imagine their profit if they had shipped that many with GNU/Linux instead of that other OS, $800 million more in their bank.

  33. Clarence Moon says:

    Just ask many small businesses that were squeezed out by Walmart

    Small businesses that did nothing more than what Walmart did were squeezed out due to price differences. Those who were offering a service that went beyond Walmart and was seen as a value by their customers were not squeezed out. Many small specialty businesses exist today and weathered the Walmart storm.

    I think it is in the best interests of the Walmarts of the world to sell */Linux

    Unfortunately (for you) the Walmarts of the world do not agree with you.

    For whatever reason, many don’t sell GNU/Linux but do sell Android/Linux

    No they don’t. They sell phones in kiosks from Samsung and Motorola and HTC. They are not selling Android, they are selling ‘Droid, or whatever sizzle the phone makers promote. They don’t give a fig for Linux or Android.

    The same advantages that apply to selling Android/Linux apply to GNU/Linux

    No they do not. Samsung, Motorola, HTC, and other makers do not make any Linux PCs nor are they likely to start doing so.

    Samsung and others should diversify to PCs, IMHO if the old guard will not ship GNU/Linux. It makes cents.

    Sure, Mr. Pogson, sure. It is a great business to make a new entry into! Just ask HP.

  34. oldman says:

    “You see @ldman…”

    I see you are going to continue with your infantile mangling of my handle Mr. K. Since I have promised Pog that I will behave I will let it rest. Perhaps as you continue your stupidity, he will consider that you may be more of a liability than an asset.

    “it’s not just enough to be malware free. It’s the cost you pay to maintain that state. You are being had. We know you don’t mind. In fact, you are quite willing to go out of your way to please Microsoft.”

    On a personal level the cost that I pay is about $6 per month to maintain my antivirus software. All the rest of what I do is just standard operating procedure that I do on all my systems.

    That’s it…

    In comparison, having to do without the Data/Remove Duplicates function of Microsoft Office would rapidly cost me more than the cost of Office itself in terms of lost time (my group bills out my time) and wasted effort either reinventing the wheel myself or working with a tool that isn’t as integrated.

    And this is only one small piece of what I use.

    As far as being “Had” is concerned, I think not. All of the software that I use has been chosen by me with my needs and requirements in mind. From Microsoft Office to Adobe Standard to SAP Crystal Reports to Perlbuilder, to the ActiveState Perl package, to MS TechNet through personal software like Make Music Finale, Garritan Personal Orchestra and concert Band East West Symphonic Choirs. All met and meet my needs. Yes, I paid for them and I continue to maintain them and upgrade them, but that is because they work for me.

    The fact that my contribution to their bottom line might make Microsoft “happy” is irrelevant. They and their ISVs earned my business.

    And that’s all that counts.

  35. oldman says:

    “I want quality OS’s that are truly worthy of praise that are truly pushing security forward and truly making attackers hate getting up in the morning worrying about what the next lot of counter measures will be.”

    But people use applications not operating systems. While you may care about such things, most people see the operating system as that bit of color that they see as the application that they use opens.

  36. oldman says:

    “He was talking about his GNU/Linux installation, not his Windows installation. ”

    Wrong Mr. K.

    I was talking about my Windows installation – ALL of my Windows installation. No viruses, no malware, NADA!

    “Computer security is constantly evolving. No one is completely safe unless they pull the plug.”

    Exactly. No system is truly secure, which is why I consider most of the Windows security bashing posts here to ultimately be pure bushwah.

  37. kozmcrae wrote, “I know it’s just a matter of time before there will be a credible threat to desktop Linux.”

    Yes, but it will be a few years yet based on installed-base/size of target. We also have several unused layers waiting to be deployed beyond a firewall for threats from the network. Internal threats are the greatest danger and I have not seen any yet. It’s probably a good thing that FireFox and Chrome have to live with that other OS. They are super-paranoid…

  38. kozmcrae says:

    oiaohm said:

    “kozmcrae you do annoy people like me. Just because you have never had an infection does not mean your computer is secure. Secure requires effort.”

    You should read my words more carefully. I do not brag about being infection free. I did copy @ldman’s statement about not being infected but that was just to show that he was playing a little word game with himself. He was talking about his GNU/Linux installation, not his Windows installation.

    I do not take security lightly. I never feel totally secure. I check my logs from time to time. Once in a while I’ll see what’s going in and out of my computer with Wireshark. But being security conscious with Linux, especially on the desktop, is a little like being the Maytag repairman: there’s no action. Still, I know it’s just a matter of time before there will be a credible threat to desktop Linux.

    So let me say it clear as day. Since I’ve been using GNU/Linux I have not had any malware infections. I use a firewall and follow basic computer security precautions. Anyone reading these words as “I will never have a malware infection” has a hair across his ass and should think about getting it cut.

    Computer security is constantly evolving. No one is completely safe unless they pull the plug.

  39. Clarence Moon wrote, “The individual consumer’s choice may very well be limited if their motivation to seek alternatives is so minimal as to limit them to the nearest department store.”

    Many consumers shop at the “big box” stores for price, one-stop shopping, location etc. That trumps a lot of choice. Just ask many small businesses that were squeezed out by Walmart. I think it is in the best interests of the Walmarts of the world to sell */Linux. For whatever reason, many don’t sell GNU/Linux but do sell Android/Linux. The same advantages that apply to selling Android/Linux apply to GNU/Linux: price, FLOSS, flexibility, non-Wintel etc. It could be that retailers are buying Android/Linux thingies from “consumer electronics” suppliers whereas they buy PCs from “partners” of M$. Samsung and others should diversify to PCs, IMHO if the old guard will not ship GNU/Linux. It makes cents.

  40. Clarence Moon says:

    There’s no value to using the word “choice” when every choice on retail shelves is that other OS…

    For someone claiming to have a technical education, Mr. Pogson, your reasoning ability seems rather stunted. The individual consumer’s choice may very well be limited if their motivation to seek alternatives is so minimal as to limit them to the nearest department store. An even mildly motivated buyer has the whole on-line world to seek out and select from.

    And certainly the store owner/buyer has the ability to seek and choose. Ditto the OEM who supplies the package can do what they deem best for their product sales and overall satisfaction of their customers.

    If products are not reaching the groups that you think should be addressed, then the only fault is your own. You do not effectively reach out to those who you say have no choice. I personally do not think that Linux is a viable option in this day and age for personal computer users, but you do and you and your partners have failed to deliver that message effectively. You cannot count on Microsoft to do it for you, eh?

  41. oiaohm says:

    debated is a key point to work out if your methods are valid or not.

  42. Amen. We have a lot of circular arguments running here all the time. One of my least favourites is that people choose that other OS because people choose that other OS… There’s no value to using the word “choice” when every choice on retail shelves is that other OS. Fortunately choice is increasing. Eventually there will be enough choice that the cycle of logical violence will be broken.

  43. jack h says:

    I read the article after someone sent it to me and couldn’t stop laughing. When my cubicle mates asked me what was so funny, they read the article and laughed along too.

    The reasoning was so weak that Dietrich T. Schmitz absolutely destroys the hapless ‘writer’ with facts in the ensuing comments.

    I loved that great line from the article about Linux security being debatable because it’s often debated in forums.
    Someone said it was like the old Hygrade commercial: more people eat them because they’re fresher and they’re fresher because more people eat them.

  44. oiaohm says:

    Robert Pogson I should have used better words.

    “Problem is end users don’t get the pain these missing features are causing.”

    By this I don’t mean that the users are not feeling pain.

    I mean that they are not aware that there is a list of features that will enable their pain to be reduced massively, possibly in many cases to non-existent.

    Since the users don’t understand that it’s particular features missing from Windows that are the root cause, Microsoft gets to deflect the problem away from them to virus writers, anti-virus companies…. Basically anyone bar them.

    What I meant by “don’t get the pain these missing features are causing” is not that they are pain free, but that they lack understanding of the source of their pain, so they don’t know what to scream at Microsoft and others to provide.

    Yes, when you don’t understand the source of pain you can blame stacks of things that are not the true source. Really it’s like us of old praying to witch doctors to be made better by magic.

    The more you understand security the more crap Windows looks. Then people who don’t understand security accuse you of bashing Windows whenever you give a proper security assessment on it. Sad but true that Windows 8 still does not pass what was called quality security 30 years ago. It really should make that 30 year old model look obsolete if there were true progress.

    Yes, a user controllable sandbox solution in the OS from the start line is kinda a mandatory feature, along with many others.

    There is a problem with implementing proper sandboxing it also means breaking a lot of Digital rights management solutions.

    This is why, oldman, when people start singing praises of Microsoft I drop on them like a ton of bricks.

    I want quality OS’s that are truly worthy of praise that are truly pushing security forward and truly making attackers hate getting up in the morning worrying about what the next lot of counter measures will be.

  45. oiaohm wrote, “Problem is end users don’t get the pain these missing features are causing.”

    Oh! I disagree. I have worked with hundreds of teachers and thousands of students, who all equate malware infections with that other OS, like hairs on a dog.

    I have seen ordinary users

    1. go for coffee while XP boots or loads an app,
    2. feel real pain on dial-up when malware was pumping out spam,
    3. share a PC, which struggles with one user on XP, with hundreds of malwares, and
    4. excuse the poor performance of that other OS with malware.

  46. oiaohm says:

    oldman, nothing you have said changes the fact that Windows 7 x64 has lower security provided than Linux Enterprise Distributions.

    Of course this can be ruined by stupidity.

    If you want to talk security we talk security properly: what is assessable. Security frameworks exposed in Linux are increasing. In distributions that have moved to systemd, services are wrapped in cgroups that can bend the reality of what services can see.

    The amount of control you have over a service on Linux is vastly more than Windows.

    kozmcrae you do annoy people like me. Just because you have never had an infection does not mean your computer is secure. Secure requires effort.

    Phenom
    http://www.zdnet.com/blog/bott/the-malware-numbers-game-how-many-viruses-are-out-there/4783
    Notice what Ed Bott talks about here.

    That in reality there are not that many new viruses for windows using new exploits. Instead you have viruses using old exploits that are avoiding anti-virus software to exploit them.

    In most cases a run-time anti-virus should not be required. You need a working security module, built into the kernel, that picks up when a program is acting abnormally and that applications cannot bypass.

    This is a simple case of reality: Windows is insecure because it lacks the required frameworks in its kernel that cannot be disabled. So a stack of third parties exist trying to patch over a weakness at kernel level, and fail due to attackers finding ways to disable anti-virus hooks.

    Reality: Microsoft is the only one who can properly fix the security illness that infects Windows.

    Reality is reality. Windows sucks at kernel level; malware and virus writers are exploiting this.

    Linux/GNU distributions and OS X viruses when they do happen rarely have more than 3 to 4 versions attacking the one flaw. Because even if removal of the flaw will break some applications the flaw is removed.

    MS backwards compatibility is a security road block preventing quick death of infection paths.

    Android, that is another kettle of fish. Lack of quality control in the package distribution system equals sick systems. Also lack of well set out security frameworks leads to more data lost than should have been.

    Reality kicks a lot of arguments that Windows is as bad or as good as Linux straight in the teeth. You see infections exploiting exploits in Windows that have been known for over 4 years that are not fixed yet.

    Also the idea that if Flash gets an infection it’s not MS’s fault is wrong. The OS maker has ultimate responsibility to provide options to sandbox insecure software. Just try to sandbox an application in Windows by command line or the GUI.

    A sandbox feature was a requirement 30 years ago to get DoD certification on your OS. Linux/GNU, BSD, Solaris, AIX… yes, a lot provide this.

    List the ones that don’t. OS X did not bother, Google Android does not, AndroidSE does and CyanogenMod does. Microsoft does not bother providing proper control options. It’s up to application makers to code sandbox controls in on Windows, not provide the user with the option to straight up sandbox something that has a reported security problem. Then the MS sandbox is not secure.

    This is one basic parts to building a secure OS that is missing. Problem is end users don’t get the pain these missing features are causing.
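    oiaohm’s point above about services being wrapped in cgroups and a user-controllable sandbox being a baseline OS feature, as an added example that is not part of any comment here: a hypothetical systemd unit for a made-up `example-agent` service, shown first unconfined and then with the kernel-enforced confinement systemd directives apply (the service name, binary path and address range are assumptions, not anything from this thread).

```ini
# /etc/systemd/system/example-agent.service  (hypothetical service, constructed example)
#
# --- Weak unit: runs as root with a full view of the filesystem, devices and network ---
# [Unit]
# Description=Example agent (unconfined)
# [Service]
# ExecStart=/usr/local/bin/example-agent
# [Install]
# WantedBy=multi-user.target
#
# --- Hardened unit: same binary, confined by cgroups, namespaces, seccomp and capabilities ---
[Unit]
Description=Example agent (sandboxed)
After=network-online.target

[Service]
ExecStart=/usr/local/bin/example-agent
# Throwaway unprivileged UID allocated at start; nothing in the unit runs as root
DynamicUser=yes
NoNewPrivileges=yes
# Drop every capability; the service keeps only ordinary unprivileged rights
CapabilityBoundingSet=
AmbientCapabilities=
# Filesystem view: root read-only, no /home, private /tmp, writable state dir only
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
StateDirectory=example-agent
# Hide kernel tunables, modules, the cgroup tree and physical devices
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
PrivateDevices=yes
ProtectClock=yes
ProtectHostname=yes
# Network: only IPv4/IPv6 sockets, and only to loopback and one constructed subnet
RestrictAddressFamilies=AF_INET AF_INET6
IPAddressDeny=any
IPAddressAllow=localhost 192.0.2.0/24
# Seccomp: generic service profile, minus privileged/resource/mount/debug syscalls, native ABI only
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @mount @debug
SystemCallArchitectures=native
# No new namespaces, no writable+executable memory, no personality or realtime tricks
RestrictNamespaces=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# cgroup ceilings so a compromised service cannot exhaust the host
MemoryMax=256M
TasksMax=64

[Install]
WantedBy=multi-user.target
```

    After `systemctl daemon-reload`, `systemd-analyze security example-agent.service` reports the unit’s remaining exposure, which is the quick check that the directives actually took effect.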

  47. kozmcrae says:

    “Did you know that my Linux instance runs on a virtual machine that is hosted under Windows 7 x64, and that the Windows 7 desktop, which is on the open internet, has never been infected, nor have its predecessors?”

    Does it stand on its own or does it have help from the multi-billion dollar security industry Microsoft’s crappy OS spawned? How much money is spent on security? How many man hours maintaining it? How many CPU cycles are wasted on that extra baggage? You know you are not infected by any known malware, but what about all those viruses, worms and Trojans yet to be discovered? Do you really feel safe with reactive security?

    You see @ldman, it’s not just enough to be malware free. It’s the cost you pay to maintain that state. You are being had. We know you don’t mind. In fact, you are quite willing to go out of your way to please Microsoft.

  48. oldman says:

    “We all know you had no infections on your GNU/Linux installation.”

    Did you know that my Linux instance runs on a virtual machine that is hosted under Windows 7 x64, and that the Windows 7 desktop, which is on the open internet, has never been infected, nor have its predecessors?

    “I’ll exchange the ‘@’ for an ‘o’ when you see the light of day.”

    I work in the daylight of enterprise IT sir. It is a much brighter light of day than I suspect you would know about.

    “Call me anything that makes you feel good.”

    Whatever.

  49. kozmcrae says:

    “It’s good that you acknowledge the truth for once!

    While you are at it, please drop the @; my handle is oldman. Or would you prefer that I start referring to us as Kosmacrap.”

    We all know you had no infections on your GNU/Linux installation.

    Call me anything that makes you feel good.

    I’ll exchange the ‘@’ for an ‘o’ when you see the light of day.

  50. oldman says:

    “I know @ldman, you’re the one who I was talking to.”

    It’s good that you acknowledge the truth for once!

    While you are at it, please drop the @; my handle is oldman. Or would you prefer that I start referring to us as Kosmacrap.

  51. 73.38% Wikimedia, mostly en.wikipedia.org

    “Steven Sinofsky, head of Microsoft’s flagship Windows unit share views that it is an even better Windows than Windows 7. Windows 7, which was Microsoft’s previous operating system, and registered as its highest selling ever, racking up 525 million sales within less than three years.”

    Let’s see. 525 million/3 = 174 million per annum, way less than 80% of ~350 million PCs built per annum.

  52. kozmcrae says:

    “I’m one of those people too Mr. K and I use Windows 7 x64 AND Linux.”

    I know @ldman, you’re the one who I was talking to.

  53. Phenom says:

    Yeah, yeah, we know. The mysterious million users of Linux, who hate Microsoft. They are just like UFOs – everyone talks of them, but no one has seen them. Except for you.

    Please quote any reliable source, where it is said directly that MS has less than 80% of marketshare. Direct source, no arcane deductions.

    Here is mine:
    http://statowl.com/operating_system_market_share.php

  54. Phenom wrote, of that other OS, “indisputable leader on desktop”.

    I dispute that. M$ lost that argument for me and mine back in 2000. They may have more shelf-space retail but fatter is not better, so I’m told. There are many things GNU/Linux does better and many millions find it satisfactory. Obviously, they don’t need to stick with GNU/Linux (no lock-in) but they choose GNU/Linux. Very few choose that other OS even though they may end up running it. That other OS exhibits no recognized characteristics of leadership. Every decision they have made for 20 years has been wrong, technically. No one would buy a car that had to go back to the shop for repair every month.

  55. Phenom says:

    This is interesting, and this “truth” is backed by what facts?

    Pretty simple. Windows is an indisputable leader on desktop. What else of a fact do you need? Probably a proof that Windows is used also on Jupiter?

  56. oldman says:

    “I’m one of those people. That’s right. Since 2005, no anti-virus software, only a firewall and no infections. That’s because I use GNU/Linux.”

    I’m one of those people too Mr. K and I use Windows 7 x64 AND Linux.

  57. kozmcrae says:

    Viktor said:

    “And we should not forget that Linus himself calls the kernel a bloated mess these days.”

    What Linus calls bloat and what is Windows bloat are two completely different things. Linus calls 15 million lines of code bloat. How many lines of code is Windows up to now, 40 million? You’re the man with the links, give us one that shows the current bloat of Windows.

    But it’s not just bloat. Windows is just a blob of layers of code. I hear things have improved with Windows 7 but Windows security is still a multi-billion dollar industry. What’s the story with that? Is that supposed to be normal? First you write an OS then a bunch of other companies supply supplementary software that sort of fixes your OS so it can sort of survive on the Internet.

    Windows cannot stand on its own. Yes, I’ve heard all about the people who don’t use any anti-virus software and haven’t had a malware attack EVER! Guess what? I’m one of those people. That’s right. Since 2005, no anti-virus software, only a firewall and no infections. That’s because I use GNU/Linux.

  58. oiaohm says:

    Viktor you’re a twit. “Who is there to pay for discovering a security hole in some backwater Linux distribution?”

    Redhat pays more than Microsoft for valid located security flaws. So does the Linux Foundation.

    Lots of Redhat users are paying. “Linux users are cheapskates”? So not all Linux users are cheapskates. Generalisation like this is very much like race profiling; it’s insulting, and anyone doing it shows how much of a trash human they are.

    Also http://www.mozilla.org/security/bug-bounty.html and the Chrome browser equivalent are OS neutral. So there is money to be made finding the flaws on Linux.

    There are many bounties out there for particular distributions.

    Even CERN pays so much on the distribution they use. That distribution is free.

    Viktor
    “And we should not forget that Linus himself calls the kernel a bloated mess these days.”
    That quote from Linus is worthless when you take it in full context.

    Yes Linux might be bloated in places but the kernel developers are aware of it. Don’t hide it. Some of the largest battles in the Linux kernel are over cases where 20 companies make a driver for the same device differently.

    That point you missed Viktor. There is more driver duplication and bloat in Windows than Linux. If Linux is a bloated Mess. Windows is a disaster zone.

    Charlie Miller
    “No, Linux is no harder, in fact probably easier, although some of this is dependent on the particular flavor of Linux you’re talking about.”

    Notice something. “dependent on the particular flavor of Linux you’re talking about.”

    Probably easier when you remember pwn2own was using Ubuntu, which has a crappy security rating.

    Security of Linux comes down to what Linux you run. Some are way harder to break into than Windows.

    “The other thing is, the vulnerabilities are in the browsers, and mostly, the same browsers that run on Linux, run on Windows.”
    There was another security researcher who took his hide over this comment. Redhat, by the way. He demoed clearly that compiler options gcc provides that MSVC does not in fact neutralised particular groups of browser bugs.

    Of course the true fact is it all comes down to the quality of the distribution.

    It is invalid really to try to talk about Linux as a whole when it comes to security. Linux is only the kernel.

    The userspace + kernel + security configuration makes the security space the attacker will be facing.

    In fact of course Charlie Miller did not want to admit that Mozilla adds any flaw in the core browser to their testsuite. Interestingly enough, most pwn2own flaws that were discovered on Windows did not work on the same generation browsers on Linux systems of the time.

    Why? Because most of the flaws were not in Firefox source code but in functions the Windows userspace was providing to Firefox. Between Redhat and Mozilla’s later research, those comments you pulled up are voided.

    This is why Charlie Miller has never repeated that comment since. More research proved there was way more to the picture.

    Now arguing against Ubuntu because it’s not quality is valid. Arguing against distributions based off Ubuntu is valid.

    Distribution bloodlines from Redhat that are not based off the testing branch have a great track record.

    SUSE and Debian both have a mixed record.

    Basically there are 4 major bloodlines these days.

    Ubuntu, Debian, Redhat and SUSE(that appears to be heading to death)

    You do need to talk blood lines particularly since they are where the userspace starts. If you are not talking about the userspace and kernel you are basically limited to the kernel itself.

    The Linux kernel is a very solid kernel compared to the Windows kernel because its driver stack is cleaner. You don’t have hardware makers reinventing the wheel as much.

    Linux provides a better foundation to build a very solid OS than the Windows kernel.

    Of course just because I lay a solid foundation for a building does not mean that doing shoddy work above the foundation will not result in the building falling down.

    Now if you lay a crap foundation no matter how good of work you do above it the building will fall down unless you repair the foundation.

    The OS kernel is the foundation. The userspace is the building and the person in the building is the application. The attacker is the infection in the person. Yes, that is the scale of forces involved.

    The OS kernel has limited power over the security of the building, but without it you don’t have a building. If the building is built poorly, lacking locks in the right places, the attacker can spread and harm the system more.

    Windows: the OS kernel is bad. The fitted locks are bad. Many sections of Windows Microsoft does not even have testsuites for. This came out in the EU case of Samba vs Microsoft, since Samba was so sure MS would have to have a testsuite for networking. No, what they have is a room full of different versions of Windows, and if it all works in testing by the test staff the OS goes out the door. How can you say security nightmare? So of course it’s a security mess. Turns out the FOSS world has more complete testsuites for Windows functionality than what MS does.

    It also explained what Wine was seeing with their testsuite when it was run on Windows: why particular things would work one release, be broken the next and work the release after. This is still going on.

    Ubuntu: OS kernel is OK. The fitted locks are questionable. Testsuite usage questionable. So lower odds of a security mess than Windows.

    Redhat: OS kernel is OK. The fitted locks are high grade, well made. Testsuite running is mandatory before production releases. The only problem you have is if someone leaves all the doors unlocked. Users and admins are always a factor. Way lower odds of a security mess.

    Debian currently is working through a process to make all testsuite running mandatory like Redhat. Currently it’s still far too optional on newly added packages; packages that have been in for a long time, not optional. The lesson was learnt from the SSL mess. The kernel of Debian is OK in stable; testing can be questionable at times with items like SELinux disabled.

    SUSE: kernel OK, testsuite running mandatory.

    Basically there is a bit of variation here. Linux users really need to be on the backs of the distributions who are not up to the Redhat level.

  59. Andrew says:

    …”The truth — unbearable for you — is: nobody wanted to win a crappy Linux laptop. No security researcher plays with Linux because there’s no money to be made.”

    This is interesting, and this “truth” is backed by what facts?

  60. oiaohm says:

    Xan, remember when you check Ubuntu security against the DoD rainbow books, which are basically the bible for writing a secure OS, it’s complete trash.

    The fact is that security experts were not getting far against Ubuntu. Against properly secured Linux systems it’s even harder on them.

    Nothing is unable to be hacked at this stage. The question is how hard of a time will the hacker have once they get past the front door.

    Trusted systems like Solaris, Linux running SELinux properly and AIX make attackers start wishing they had more information.

    The reason for SSH on Linux being targeted so much is that it is one of the rare services on an SELinux hardened system that may not be restricted.

    One of the good things coming in Firefox is the fact that plugins will no longer autorun when you load a site. The user will have to choose to enable them. This is attack surface reduction. Hopefully this will spread to other browsers. It should stop advertisers using Flash cookies as much as well.

  61. kozmcrae wrote, “It cannot be made secure in its current incarnation. It needs to be scrapped and started from scratch. We all know that will never happen.”

    M$ has made several attempts to “re-write” that other OS but they force the programmers to give in to the salesmen who run the company and nothing good comes of it. There was DOS…Lose 3.1…NT…Lose ’95…2K…XP…Vista…7, and while there was a gradual improvement in capability the complexity kept rising and the vulnerabilities just kept coming. It was all about getting another round of licences sold to the installed base of PCs rather than to provide improved IT. Give me GNU/Linux every day where security and performance are pivotal. Except perhaps for the GUI layer, no one cares about the looks of things. They want stuff that works and works well.

    At one point, M$ claimed that IE was part of the security of Lose ’95… I kid you not:
    “Why can’t you just pull IE?
    Because it breaks the Internet connection, security, screen displays, and hundreds of apps.”

    Yeah, right. I actually worked at a place where the boss was very uncomfortable with folks using FireFox because that other OS had no control over what FireFox did. I never noticed any enhanced security in IE. In fact malware used to walk all over IE. Using an insecure layer of crap to cover an insecure layer of crap just makes a larger insecure pile of crap. In that same document they state that,
    “It is interesting to note that retail Windows ’95 has about 9.5 million lines of code, IE 4.0 has about 8.5 lines. If they were separate products, you would assume that the full product would have 18 million lines of code. However, the full Windows ’95 product, which includes IE, has 14 million lines of code.” So, M$ was willing to increase by 40% the code contained in that other OS to provide browsing with IE integrated, doubling the number of vulnerabilities most likely.

  62. Viktor says:

    Were those links supposed to prove something?

    Sure. They have proven that Koz McRae …

    1.) … can’t read
    2.) … likes to post things without knowing what they mean.
    3.) … doesn’t know what a system call is.
    4.) … is a very untalented actor.

    Windows a mess? You wish. The kernel may not be half-bad, but everything else is the home of bloatware. And we should not forget that Linus himself calls the kernel a bloated mess these days. There’s apparently one man left in the Linux world with a working brain. And he’s not Koz McRae.

  63. Viktor says:

    No, Linux is no harder, in fact probably easier, although some of this is dependent on the particular flavor of Linux you’re talking about. The organizers don’t choose to use Linux because not that many people use it on the desktop. The other thing is, the vulnerabilities are in the browsers, and mostly, the same browsers that run on Linux, run on Windows.

    Says Charlie Miller. I think he knows what he’s talking about.

    The truth — unbearable for you — is: nobody wanted to win a crappy Linux laptop. No security researcher plays with Linux because there’s no money to be made. Money’s paid for security holes in Windows, Mac OS X, iOS, Android, heck, even Google Chrome. But Linux users are cheapskates. We all know it. Who is there to pay for discovering a security hole in some backwater Linux distribution? Who cares?

    Keep your illusions, go back to bed and dream about Linux being the most secure OS on this planet.

    Chuckle!

  64. kozmcrae says:

    Viktor said:

    “Only clueless people like you, Koz, could take a nearly six year old graph which has been shown to hold no validity whatsoever, and post it here as “proof”.”

    Were those links supposed to prove something? I wouldn’t know, I didn’t follow them. They’re crap. The six year old link I provided speaks volumes about the mess you call Windows. That picture is worth a thousand posts.

    Windows is a mess, there is no getting around that. It’s a blob of code. It cannot be made secure in its current incarnation. It needs to be scrapped and started from scratch. We all know that will never happen.

    The Windows era is coming to an end. Thank God. You will be left with nothing to defend. Maybe you could then do something useful with your time like taking up yoga.

  65. Exactly, Xan! Great comment! Thanks.

  66. Xan says:

    Wait, wait, wait…

    This was about linux security, right?
    Ok, so if offered thousands of dollars to hack either of the systems, as a security professional, hell, gather lots of security hackers and professionals and make it a contest, what do you think the outcome would be…? hmmm, what’s that? It’s already been tried?

    http://en.wikipedia.org/wiki/Pwn2Own#Outcome_2

    The laptop running OS X was exploited on the second day of the contest with an exploit for the Safari browser co-written by Charlie Miller, Jake Honoroff and Mark Daniel of Independent Security Evaluators. Their exploit targeted an open-source subcomponent of the Safari browser. They won the MacBook Air laptop and submitted the vulnerability they discovered to ZDI for a $10,000 prize.

    The laptop running Windows Vista SP1 was exploited on the third day of the contest with an exploit for Adobe Flash co-written by Shane Macaulay, Alexander Sotirov, and Derek Callaway. They won the Fujitsu U810 laptop and submitted the vulnerability they discovered to ZDI for a $5,000 prize. After the contest, Adobe disclosed that they had co-discovered the same vulnerability internally and had been working on a patch at the time of Pwn2Own.

    The laptop running Ubuntu was not exploited.

    Bwaaa haa haa haaa haa, suck it!

    The Windows system was actually secured, the Mac as well; the Ubuntu system was just a basic install and it was still unhackable.

    unh, take it! Yeah! unh! yeah!

    Some more dip for your doodle:

    http://www.focus.com/fyi/50-places-linux-running-you-might-not-expect/

    how about supercomputers:
    http://www.forbes.com/2005/03/15/cz_dl_0315linux.html

    the Windows one runs the trash can…

    All of this has been gone over many times and any argument for windows has already been debunked:

    http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/

    You want to hack my system, you gotta be sitting in my chair watching me type in my passphrase. You want a secure Windows system, you better disable everything, unplug it, power it off and put it in a safe buried underground.

  67. iLia wrote, of mono, “please tell me which of the most popular Linux distributions also don’t use it, and thus are crap.”

    I have 2K+ packages installed on my GUI Debian system and none are mono.

    “beast:/home/pogson# dpkg --get-selections|grep mono
    beast:/home/pogson# cat /etc/debian_version
    wheezy/sid
    beast:/home/pogson# dpkg --get-selections|grep wm
    libglewmx1.5 install
    libwmf-bin install
    libwmf0.2-7 install
    xfwm4 install
    xfwm4-themes install
    beast:/home/pogson# dpkg --get-selections|wc
    2070 4140 55586”

  68. oiaohm says:

    Viktor, a HIPS done on an OS kernel lacking the protection to protect the HIPS from attack is pointless; it does not work.

    Viktor, I have pointed out that reading secunia.com like Richard from howsoftwareisbuilt is a sign of an idiot.

    Apache reports more minor bugs to Secunia than MS does. In fact a large number of bugs on Secunia for Apache have no exploit code at all, where all IIS ones on Secunia do contain real exploit code. So statistics and lies. You have to make sure you are comparing same to same. This case is comparing apples to oranges and trying to draw a result.

    Dave Aitel’s points also are not exactly correct. Anyone who sat through the NSA talk on SELinux and what is required for secure programs would know Dave Aitel is talking out his ass over the idea that fewer system calls is not better.

    There are limited ways to make secure code. One of them is not having your processing of input spread all over your code base like a shotgun had been fired at your code base.

    If you look at Apache’s graphic it clearly shows data going into a clear processing engine.

    IIS does not. So the odds of a major security breach somewhere are higher in IIS.

    SELinux and cgroups are proactive security. The interesting point is that with real-time proactive security fewer system calls equal fewer points you have to police. So the simpler it is to proactively shield the application. The reason: any added code using any system call the application does not normally use can allow the proactive shield to detect tampering and shut the application down before the attacker gets too far. So the more system calls used, the more an attacker can do without tripping the real-time proactive defence.

    So IIS is less secure compared to Apache when it comes to the means to be protected in real time as effectively. Of course this does not rule out IIS doing something else better that counters this out.

    With proactive security, fewer system calls also give attackers less to work with.

    Thinking about it, Sana Security was trying to replicate what SELinux and cgroups do. So less is simpler to secure in real-time proactive mode.

    All graphics have to be taken for what they are talking about. Sana Security was talking about a particular area: real-time proactive responses to intruders. Yes, it’s a category of security that is important.

    Now proactive in the development cycle is hidden where you would not think. GCC and other compilers are adding more and more methods to detect design flaws. Yes, this is why the Linux kernel will not accept any code that throws a GCC warning or other compiler warning. Apache is also the same.

    So development these days is part proactive, part reactive. As compilers are becoming more advanced in optimisations they are providing more proactive options.

    One from LLVM is very interesting: http://klee.llvm.org/ This is an attempt at automatic test-suite generation to make sure all code paths in an application get tested. Currently it’s insanely slow. But it will find bugs that may never be found otherwise. This is a form of proactive as well: not depending on the coder to dream up all possible nightmare issues.

    Now this is one of the advantages of open source. As compilers advance and provide more proactive options you can re-run them over your code and find out if you have missed something an attacker has not found yet.

    Coverity Static Analysis is also part of most major FOSS projects’ development process. This again is another proactive search for bugs, not depending just on a test suite.

    Basically Richard from howsoftwareisbuilt is talking more about how IIS is developed, not Apache.

    “Implement the software.
    Test the software for bugs, including security vulnerabilities.
    Fix the important bugs found.
    Release the software.
    As security vulnerabilities are discovered in the field, fix them in the code and release patches that repair the installed base.”

    The last section is wrong for Apache. As security vulnerabilities are discovered by buildbots rebuilding code, fix.
    As security vulnerabilities are discovered by the static analysis system, fix.

    The “Implement the software” step includes fixing all compiler warnings where the compiler warns you of bad code issues. Most of these have a habit of turning into future security issues. Yes, compiler errors come before testing if the program even works.

    This is a Windows user.
    “Replacing those API calls with calls to newer APIs that don’t expose the same potential, results in lowering the potential vulnerability of the program as a whole.”
    Enable mudflap on GCC and those potential vulnerabilities get neutralised in any code you miss fixing.

    There is no need to replace the API to address the problem; use a smarter compiler that auto-converts and adds safeguards. A smarter compiler is always a help; it is part of the proactive system. Find faults before they leave.

    So really it would be great if someone rated how good different compilers were at preventing programmer stupidity.
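    The real-time shielding argument above (a policy that stops the process the moment it uses a system call outside its normal set) can be made concrete with seccomp-bpf. This is an added example, not code from the comment thread or from any project named in it; it assumes an x86-64 or AArch64 Linux host and a constructed allow-list (write and exit only), and includes a small offline evaluator so a policy can be reviewed before it is installed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumption: x86-64 or AArch64 host. A mismatched arch value makes the
 * filter kill everything, which is the safe way to fail. */
#if defined(__x86_64__)
#define HOST_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define HOST_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example only knows the x86-64 and AArch64 audit arch values"
#endif

/* Older headers predate SECCOMP_RET_KILL_PROCESS; for a single-threaded
 * program killing the thread is the same thing. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Build a classic-BPF seccomp program that allows exactly the syscalls in
 * `allowed` and kills the process on anything else, including a syscall
 * made through a foreign ABI. Returns the instruction count, or 0 if `out`
 * is too small. Every extra syscall the program needs is one more compare
 * here: that is the "fewer syscalls, fewer points to police" argument. */
static size_t build_allowlist(const int *allowed, size_t n,
                              struct sock_filter *out, size_t cap)
{
    size_t i = 0, k;

    if (n > 255 || cap < n + 6)
        return 0;
    /* Reject syscalls arriving via another ABI (e.g. 32-bit on x86-64). */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                            HOST_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                            SECCOMP_RET_KILL_PROCESS);
    /* Load the syscall number; a match jumps over the remaining compares
     * and the KILL straight to ALLOW, a miss falls through to KILL. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (k = 0; k < n; k++)
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (uint32_t)allowed[k],
                                                (uint8_t)(n - k), 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                            SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Evaluator for the three instruction forms build_allowlist emits, so a
 * policy can be checked offline. Returns the SECCOMP_RET_* action the
 * kernel would take for a syscall (arch, nr). */
static uint32_t evaluate(const struct sock_filter *prog, size_t len,
                         uint32_t arch, uint32_t nr)
{
    uint32_t acc = 0;
    size_t pc = 0;

    while (pc < len) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (in->k == offsetof(struct seccomp_data, nr)) ? nr : arch;
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1u + (acc == in->k ? in->jt : in->jf);
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS; /* unknown opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Constructed policy: a process that only writes to an open fd and exits. */
static const int demo_allowed[] = { SYS_write, SYS_exit_group, SYS_exit };
#define DEMO_N (sizeof demo_allowed / sizeof demo_allowed[0])

/* What the demo policy would do for one syscall, without installing it. */
static uint32_t demo_decision(uint32_t arch, uint32_t nr)
{
    struct sock_filter prog[16];
    size_t len = build_allowlist(demo_allowed, DEMO_N, prog, 16);
    return len ? evaluate(prog, len, arch, nr) : SECCOMP_RET_KILL_PROCESS;
}

int main(void)
{
    struct sock_filter prog[16];
    struct sock_fprog fprog = { .filter = prog };
    fprog.len = (unsigned short)build_allowlist(demo_allowed, DEMO_N, prog, 16);
    /* NO_NEW_PRIVS is required for an unprivileged caller and stops a
     * setuid child inheriting this reduced environment with more rights. */
    if (fprog.len == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return 1;
    write(1, "write(): allowed\n", 17);
    /* getpid() is outside the profile: the kernel kills the process here
     * (SIGSYS) instead of letting it carry on. */
    return (int)getpid();
}
```

Running the program prints the write() line and then dies with SIGSYS on the getpid() call; widening demo_allowed is exactly the "more to police" cost the comment describes.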

  69. iLia says:

    Also under Linux there are very few mono .net applications. Most people the first thing they do is get rid of them.

    The problem with Mono and Java is that they are the only things in the Linux universe that can be called “a platform”, the rest is nothing but a bunch of strange libraries written in different languages, using different naming conventions. Just a zoo, or a bazaar. You know, centralized development has some advantages.

    I guess crap Ubuntu

    If Ubuntu is crap because it doesn’t use DoD rainbow book security, please tell me which of the most popular Linux distributions also don’t use it, and thus are crap.

    1 Mint
    2 Ubuntu
    3 openSUSE
    4 Fedora
    5 Debian
    6 Mageia
    7 Arch
    8 Puppy
    9 Ultimate
    10 Pear
    11 CentOS
    12 Bodhi
    13 Gentoo
    14 Fuduntu
    15 Lubuntu

    And I am sure that the most popular Linux distributions don’t use it, and thus an average linux installation is crap.

    Yes, XP is not very secure, actually it is very insecure, but what do you expect from an OS shipped 11 years ago?

    By the way, there are some ways to make Windows 7 much, much more secure. Just bing it.

    Also the computers I run Linux on are not randomly picked stuff; they are Linux workstations. Hardware from IBM, Dell, HP… that out of the box was built to run Linux.

    I see, unfortunately for Linux, most users have randomly picked computers, and thus will have some problems. Linux is not a good option for them.

    If you are using PC-class hardware with some random motherboard that was not approved for usage with Linux and having hell, you should have expected it.

    Yes, I am using such a computer, with such a motherboard, as many, many millions of normal users.

    But, wait, linux-propaganda tells us that Linux has good support for different hardware.

    Someone is telling lies.

    iLia, use GnuWin32 some time and compare its performance to the same programs running on native Linux. It’s slower by a large margin.

    Use them? But why? There is such thing as PowerShell in the Windows universe. And who is to blame for that? MS or amateur GNU developers?

  70. Viktor says:

    Ah, our resident “expert”, Koz McRae, has weighed in, after a night of trying to remember lines for “Cult Dude”-like roles.

    http://www.visualcomplexity.com/vc/project_details.cfm?index=392&id=392&domain

    That’s a real gem you found there. Unfortunately you forgot to add something:

    Sana Security, when they were still in existence, tried to sell a HIPS product for Windows that supposedly was to detect “bad” software by detecting “abnormal” system call sequences. You can still read the relevant research article of Sana Security’s founder online:

    http://www.cs.unm.edu/~steveah/jcs-accepted.pdf

    Real security experts are/were not impressed by these graphs:

    http://seclists.org/dailydave/2007/q1/144

    Also note, that the original article is still available here:

    http://web.archive.org/web/20060615055607/http://blogs.zdnet.com/threatchaos/?p=311

    Can you actually SEE the names of the system calls in the enlarged images? No, you can’t. For good reason. Because not every system call is equally dangerous. Read about it here, for example:

    http://howsoftwareisbuilt.com/2007/05/14/security-proactive-vs-reactive/

    Only clueless people like you, Koz, could take a nearly six year old graph which has been shown to hold no validity whatsoever, and post it here as “proof”.

    Go back to your acting lessons.

  71. oiaohm says:

    iLia, use GnuWin32 some time and compare its performance to the same programs running on native Linux.

    It’s slower by a large margin. When you are doing firmware image builds like I do, a few percent slower adds up to many extra hours.

    Any platform where you have to use gcc to cross-build with, go to Linux or BSD or OS X; don’t go Windows. You take a huge speed hit on Windows and it also crashes.

    Digikam, which I use a lot, does have a Windows port, but the Windows port cannot auto-download from cameras, which kind of undermines the point of a camera management and image storage bit of software.

    This is the problem, iLia: even if you do have the Windows version of something it does not always behave right. Also under Linux there are very few Mono .NET applications. Most people, the first thing they do is get rid of them. Tomboy vs Gnote for example. Both do the exact same thing. Tomboy is .NET, Gnote is C++.

    Gnote behaves better. Why? It’s so simple. Mono does JIT into memory. Anything generated into memory ends up being pushed to swap under load.

    Whereas with Gnote the main binary parts that come from the executable file on disk can be cleared from memory. Going to swap adds extra writes, so it makes system stress worse when you do run out of RAM.

    Basically .NET and Java JIT don’t work if you run out of RAM with them. OS design prevents them from ever being able to work right in the case of running out of RAM. So yes, you are better off avoiding Java and .NET applications in JIT mode where you can.

    iLia:
    “And you will not need to spend hours on Internet searching for solutions to problems which should not exist in a normal OS.”

    What distributions are you using? I guess crap Ubuntu. I use enterprise-grade stuff; this is why I insist on DoD rainbow book security.

    Also the computers I run Linux on are not randomly picked stuff; they are Linux workstations. Hardware from IBM, Dell, HP… that out of the box was built to run Linux. Yes, the serious Linux machines are called workstations, not PCs.

    If you are using PC-class hardware with some random motherboard that was not approved for usage with Linux and having hell, you should have expected it.

    There are motherboards that are Linux-only in some Linux workstations, so beware: converting them back to Windows is not always possible. Yes, the problem cuts both ways. Some computers that ship out the door with Windows cannot run Linux and some computers that ship out the door with Linux cannot run Windows.

  72. oiaohm says:

    Clarence Moon
    “The efforts of the SFLC to harass manufacturers such as D-Link, Cisco, and Linksys have resulted in those makers shying away from Linux, BusyBox, and FOSS in general.”

    Lovely FUD, Clarence Moon. D-Link is releasing more Linux-based stuff than when SFLC got up their ribs. So where is the shying away? It’s a pure myth on your part.
    http://tsd.dlink.com.tw/GPL.asp
    I can also direct you to the Cisco and Linksys as well as TP-Link, Netcomm and others’ GPL sites these days. In fact today they are all making more Linux devices than ever before SFLC sabre-rattled.

    There is a problem: the Linux kernel has one of the most advanced network stacks of any OS out there. The VxWorks network stack is quite limited; even the QNX network stack has become quite poor.

    It’s a simple case: they don’t have a choice; if they want to feature-match their competitors they have to use Linux. It’s turned out that Linux and the GPL are not that much of a bogeyman. Bad internal tracking of software turns out to be a huge bogeyman that SFLC got companies to fix.

    The reason for more Linux usage now is the simple fact that GPL usage is simpler to deal with. Release the source code once, print as many copies as you want. Compared to items like VxWorks where your licence is only for so many copies and if you forget to buy enough you are in trouble.

    So a lot of the companies infringing the GPL were also infringing other closed-source products. Internal processes being poor was the cause of this. So even if they stopped using the GPL they would still have to maintain the processes tracking licensing of stuff.

    Scary as it sounds, there was a serious case of incompetence in process leading to lots of hardware makers releasing devices containing infringing firmware. This was not good for the industry.

    After the SFLC case a lot of hardware makers settled with Wind River over underpayment for the use of VxWorks.

    Of course it has to be the GPL in the wrong when SFLC comes up and beats the heck out of a company for failing to follow the GPL. It could not be a case that companies were not effectively tracking their complete software usage, so leading to the problem. Since if it is the latter, SFLC action is not going to hurt Linux at all. In fact when they now have to pay for everything, Linux looks even better.

    A lot of companies did not like the SFLC probe into their books of their licence tracking. They said SFLC did not need to know. SFLC won; they were allowed to look to see if it was a wilful breach of the GPL or just incompetence of some form. This in fact reduced how much the companies would have to pay up for infringement.

    So yes, from a make-money point of view SFLC was going to gain nothing more by looking at businesses’ internal processes. They were only going to lose. SFLC wanted to know what the problem was so they should never need to do enforcement on those companies ever again.

    This shows that SFLC is in fact not out for blood. They are only after conformance and will even lose money to find out what the conformance problem is so the company they have had to attack can fix it forever.

    SFLC in a lot of cases will not even bother taking you to court if you answer their requests about issues.

    In fact it gets funnier: some of the companies SFLC sued are willingly providing staff to SFLC without any obligation to do so. So where is your idea that SFLC has scared companies? Some companies pay the SFLC to inspect their licence tracking systems even though they don’t handle any GPL or copyleft items.

    Clarence Moon, basically your bogeyman idea is a made-up lie. Companies would not be releasing more devices using the GPL if they feared it too much. They would just limit themselves to BSD and closed source. The real issue is you must track your licences of software, closed or open source, so that you are not in breach of them.

    Some closed source that you got access to the source code for under NDA you must make sure you never release a single bit of. Yes, the reverse of the GPL. The GPL you must release; the NDA stuff you must not release. If you don’t have good tracking of both you are walking yourself through a minefield without a map. Sooner or later you are going to step on a mine.

    SFLC is one of the softer-hitting mines; if you are gentle with them you can defuse them. You step on an NDA mine because your processes are not correct and these will go for blood and will require cash to settle.

    SFLC vs stuff acquired by NDA: SFLC is more friendly.

  73. kozmcrae says:

    iLia the comedian said:

    “Highly secure, nicely looking, with a lot of high quality software, new fantastic games, good drivers and a lot of cool hardware.”

    He, he, he, he… SNORT!

    Not Internet Certified.

  74. Clarence Moon wrote of Lose 2K, “it was the master stroke that ended the game for anyone else.”

    Nope, that was exclusive dealing with OEMs and that happened several years earlier (April 1993).
    “We are very pleased that Compaq has selected Microsoft as the exclusive supplier of operating system software for your hand-held computer products. This new relationship extends the ties between Compaq and Microsoft in very significant ways that give us a great opportunity to work together to develop this emerging market.

    I want to give you my personal assurance that Microsoft is committed to making this relationship successful during the development phase, product launch and into the future. In particular, I want to reiterate our intent to support Compaq’s efforts to establish sustainable differentiation in your product. Our development team will work closely with yours to identify areas where we can support your plans wherever possible. This includes making sure that we try to incorporate Compaq’s feedback on our APIs and make any necessary changes which would better support your development efforts.

    I appreciate the time you have personally invested in establishing this relationship. I’m sure it will prove rewarding for both companies.

    Best regards,
    Bill Gates

    Chairman”

  75. iLia says:

    On that other OS I would have to find substitutes for grep, less, vim

    Sorry, do we live in the same universe?

    If so, you can try GnuWin32.

    And you can use Windows versions of your favorite grep and less and even sed absolutely for free.

    Vim for Windows can be found here.

    Maybe you will be surprised, but there are Windows versions of almost every popular open source software: Gimp, Inkscape, Open/LibreOffice, Firefox, PHP, Python, Ruby, Eclipse, Java, Mono.

    So now, when you know all this, you can switch to Windows 7, and use your favorite FOSS and have a good, high-quality, highly secure operating system; it will cost you almost nothing.

    You pay $100 per copy, but you will be able to use it during the next 5-7 years, thus it will cost you only $20 a year or 40 cents a week.

    Oh yeah, Windows will cost you only 40 cents a week.

    And you will not need to spend hours on the Internet searching for solutions to problems which should not exist in a normal OS.

    Think about it, just 40 cents a week for a desktop operating system written by professionals. Highly secure, nicely looking, with a lot of high quality software, new fantastic games, good drivers and a lot of cool hardware.

    Oh yeah, i am speaking about Windows!

  76. Clarence Moon says:

    They care enough to lose $billions fighting GNU/Linux

    I doubt that you could even devise one of your 3-rail indirect shots on that point, Mr. Pogson. Where on earth are they spending anything at all “fighting” Linux? They are reportedly reaping hundreds of millions in license fee collections from Android phone makers such as HTC and Samsung, though. Free money, it seems to me, free as in beer to be specific.

    the motivation in developing NT5 was making it pretty for consumers

    NT5, of course, became Windows 2K and was a watershed for propelling Microsoft into the lead position in server sales as well as totally cementing their position into place on the desktop. Perhaps it satisfies your ego to demean it as some crazy aggregation of junk, but it was the master stroke that ended the game for anyone else.

  77. Clarence Moon says:

    Routers and Modems containing Linux are particularly popular

    There are a couple of things wrong with this, the first being that it does not bear on the original issue which was whether or not there were any applications that were Linux only and would possibly be an incentive for someone to switch to Linux (from Windows, of course). The second problem is that it is not true at all. Perhaps your memory is too short or it was a disagreeable situation that you are trying to forget, but very few of the routers on the market today embed Linux. The efforts of the SFLC to harass manufacturers such as D-Link, Cisco, and Linksys have resulted in those makers shying away from Linux, BusyBox, and FOSS in general.

  78. kozmcrae says:

    Gee Robert, you sure know how to get the Cult of Microsoft all stirred up. I love it when they come out to defend Microsoft’s “security”. Their words are good fodder for a comedy routine.

    Hey you Microsoft guys, haven’t you ever wondered why Vista’s gestation period was so long? Why it was scrapped and started again from scratch? Because every time the Microsoft coders change a line of code they have no idea what the hell it’s going to do. Those are their own words. That’s how messed up Windows is.

    http://www.visualcomplexity.com/vc/project_details.cfm?index=392&id=392&domain

    Thanks for coming out to play and being such sore losers.

  79. Viktor wrote, “You claim — how many times now? — that Windows descends from a single-user OS, which is just laughable. Windows NT came out in 1993, it was multi-user from the start.”

    That’s true, but M$ took that reasonable OS and made it as backwards(-compatible) as they could. It did not displace the DOS-based stuff for years while M$ was busily copying the mistakes to the “new technology”. Look, Vista had vulnerabilities that were introduced in 3.1. M$ copied the vulnerability because they did not want to give users a “jarring experience”.

    For example, IE 4, which was an insecure monstrosity, was integrated into both Lose ’95 and NT, making both terribly insecure. So, the mistakes of 3.1 which treated networking as an application, extended into the world of NT with no regard to security at all. For NT5, M$ pressured ISVs to make IE4-compatible HTML.

    M$ was extremely concerned about upgrading Lose ’95 units rather than replacing them with NT clean installs:

    1. The business opportunity for the Cairo client is relatively small: 9M units in medium, large and government accounts compared to OEM consumer units (8-15 MB systems); 34% of 16 MB -*- systems
    2. 1/2 the 9M units are Pentium/Pentium Pro and could be upgraded to 16MB, NT-capable systems
    3. In terms of dev/test tradeoff, we’ll get more ROI investing in making 1) Cairo appealing to consumer space and 2) a consumer add-on for the 8-15MB space. Any distraction from these primary goals will cost us $$.

    So, the motivation in developing NT5 was making it pretty for consumers. So much for security. The weakness of that other OS spread over DOS/NT versions for reasons of marketing above all considerations of security.

  80. iLia wrote, “So why M$ should care about Linux if 3/4 of linuxoids buy Windows anyway?”

    Ask M$. They care enough to lose $billions fighting GNU/Linux.

    3/4 of users of GNU/Linux don’t “buy that other OS” anyway. Why would they? Most people need an OS to manage resources and to provide a nice user interface. GNU/Linux does that very well and it is extra expense, bother, waste of resources to have a second OS kicking around. GNU/Linux is much more flexible than that other OS and that makes it easier to do unusual stuff, like creating this blog. On that other OS I would have to find substitutes for grep, less, vim and sed for instance, without which I could not quickly analyze files of text and generate HTML and CSV in bulk. I could use some full-text indexing but that would slow me down sometimes. I want to analyze files I create or download instantly, and not wait for indexing. I also don’t want to be slowed down by having to know where files are to use them. A file-tree is so much more usable than a bunch of drive: thingies. Then there’s SSH to make my other systems seem part of my own.

    Where I last worked only two of the teachers still used that other OS when I left. Both found it limiting except that they had something particular that they wanted to do. So, in my world 3/4 of GNU/Linux users don’t buy that other OS anyway, but perhaps 5%.

  81. oiaohm says:

    OpenSolaris’s implementation of zones far exceeds Linux cgroup implementations at this stage. Solaris trusted mode also passes the DoD rainbow books, very much in common with SELinux.

    So OpenSolaris does have some merits from a security point of view.

    FreeBSD’s quality of code auditing has some merits. The security implementation of FreeBSD is a bit lacking. TrustedBSD, FreeBSD’s equal to SELinux, is trying to catch up.

  82. oiaohm says:

    Clarence Moon
    “Nothing that is particularly useful or popular, though. Else people who wanted it would switch to Linux.”

    Particularly useful and popular. I would not say that is exactly true. Routers and modems containing Linux are particularly popular.

    Load balancers using Linux are particularly useful.

    Some of the simulation software is highly useful in that it works right on Linux where it’s unstable on Windows.

    “Particularly useful” is wrong. “Not in highly popular market segments”, you may have a case.

    If it was not useful, Clarence Moon, I would not be using it. What I require might not be particularly popular; I can live with that.

    Basically people like me who find it useful have switched, basically, Clarence Moon. This is why even in Ubuntu numbers you find people who use nothing else.

  83. oiaohm wrote, “Windows is on the bottom end of scale with its security implementation.”

    Amen. I have long believed that GNU/Linux should be the default OS in every case unless there is some essential application which only runs on that other OS. I have yet to encounter such an essential application in 40+ years of computing. I would probably write my own application before choosing that other OS. For servers, I would accept OpenSolaris or FreeBSD on their merits but I doubt there is much advantage there. I think I have only run a *BSD a few times in my life under MacOS and perhaps FreeBSD a few times in web applications. Only a few times have I encountered hardware I could not use with GNU/Linux: twice a printer, a couple of dial-up modems and once a wireless thingy. Out of many hundreds of PCs that’s not even on the radar. I have many times had worse performance and security from that other OS, a constant negative noise in IT.

  84. I partied last night until 0300. I was asleep at 0528.

  85. FLOSS is by nature easily portable. That detracts nothing from GNU/Linux which is useful for many reasons: price/performance, flexibility and security being some of the most important.

    Many users of IT need little more than a browser and an office suite. They can easily choose GNU/Linux for its price. Thin clients, for instance, can run GNU/Linux no matter what the application being used on the server.

  86. Clarence Moon says:

    There is software that is Linux only

    Nothing that is particularly useful or popular, though. Else people who wanted it would switch to Linux.

  87. oiaohm says:

    Compared to your normal Linux install, Windows is featureless in a normal install configuration.

    So by number of features, Linux is at higher risk of attack. There is software that is Linux only. This becomes a problem at times.

  88. Andrew says:

    “There are a lot of high quality software for Windows with no analog for Linux, and even if users don’t like Windows they have to use it!”

    Why do they have to use it if they don’t like it?

  89. Viktor says:

    Hey, Pogson, if someone points out your FUD, at least have the decency to post it.

  90. oiaohm says:

    iLia, there are a lot more features in your Linux distributions than Windows. Yet critical bug counts that are exploitable are lower on Linux.

    Yet as I have pointed out, there are different grades of distributions with different levels of resistance to bugs doing harm.

    Windows is on the bottom end of the scale with its security implementation.

    Please stop trying to stick your head in the sand. How to reduce how much damage a bug can do was designed 30 years ago and Microsoft does not implement the containments, so Microsoft is guilty of making a poor grade OS.

    iLia, I in fact don’t use Windows because the programs I need don’t run under Windows. The reason: I am doing something unusual some of the time.

    The blade cuts both ways.

    Yes, there is software for Linux with no analogue under Windows. Or the Windows analogue is unstable.

    And people using Ubuntu don’t care about security. So they are most likely the ones with virus-infected Windows. So Ubuntu studies before me are asking for your ass to be kicked, basically, iLia.

    A study from Debian or Red Hat on what their users were using would not get you kicked for wasting my time with users who are not worth a cracker in my eyes.

  91. iLia says:

    Nice rant!

    Despite the obvious fragility of the OS, M$ did not ship a firewall until XP and did not turn it on by default until XP SP2.

    So it was in October of 2001? 11 years ago? And still XP is installed on almost half of all desktops. But why?

    M$ has a long history of adding features which later became riddled with vulnerabilities.

    That is the answer! There are a lot of features in Windows, and users like it more than security, many people don’t worry much about security. That is why extreme sports are so popular.

    There are a lot of high quality software for Windows with no analog for Linux, and even if users don’t like Windows they have to use it!

    Maybe Linux can satisfy 95% of the needs of 95% of users, but when a user has to do something unusual he has to go back to Windows, that is why 76.9% of Ubuntu users use Windows and 16.7% use Mac OS X!

    76.9% + 16.7% = 93.6%

    So why should M$ care about Linux if 3/4 of linuxoids buy Windows anyway?

  92. Viktor says:

    Get real.

    Coming from you? How ironic.

    You claim — how many times now? — that Windows descends from a single-user OS, which is just laughable. Windows NT came out in 1993, it was multi-user from the start.

    Despite your constant attempts at misleading your readers, Windows 2000, Windows XP, Windows Vista, Windows 7, and Windows 8 do not descend from Windows 3.11 or Windows 95 or Windows 98 or Windows ME.

    You attempt — again — to mislead your readers by suggesting that a minuscule market share when it comes to individual PC users doesn’t play a role in what OS criminals target.

    You attempt — again — to mislead your readers by suggesting that the mere existence of Linux web servers is a proof of Linux being secure, ignoring in the process that web servers in most cases are (at least they should be) administered by professionals who can be assumed to know their stuff, ignoring in the process that Anonymous and other groups have hacked plenty of Linux web servers to do what they do.

    You attempt — again — to mislead your readers by suggesting that a whole Linux distribution is by definition secure, ignoring in the process that the “many eyes” coverage of all software included in your average distribution is not distributed equally. You don’t know if the code quality and security is high throughout every program in a distribution. You claim that you know it because the Debian bug tracker says so.

    To state that GNU/Linux is not more secure than that other OS is a plain lie.

    Suggesting that Linux is more secure without presenting any kind of hard evidence is an attempt at fraud.

    If Linux had the same kind of exposure as Windows, it would fall into the pits of security hell. Good for you that it can never be tested, because Linux’s market share won’t rise. Luckily we have Android with security holes aplenty.

  93. I provided a link to release-critical. Those are the bugs worth delaying the release of Wheezy.
    “Release Critical Issues for Wheezy
    ==================================

    The purpose of this document is to be a correct, complete and canonical
    list of issues that merit a “serious” bug under the clause “a severe
    violation of Debian policy”.

    In addition to the issues listed in this document, an issue is release
    critical if it:

    * makes unrelated software on the system (or the whole system)
    break
    * causes serious data loss
    * introduces a security hole on systems where you install the
    packages
    (these issues are “critical” severity)

    * makes the package in question unusable or mostly so
    * causes data loss
    * introduces a security hole allowing access to the accounts
    of users who use the package
    (these issues are “grave” severity)

    * in the maintainer’s opinion, makes the package unsuitable
    for release
    (these issues are “serious” severity)”

    Here are some searches:
    * Squeeze confirmed 9 bugs classed as important, normal or wishlist. Two have been forwarded upstream.
    * Wheezy confirmed 18 bugs

    The 70K number is bugs of any type for any release fixed or not. That includes unreproducible and wishlist bugs. Get real.

  94. oiaohm says:

    Ivan is almost right, close. F&P are Fixed and Policy Alterations for how Debian is managed. Not exactly bugs any more, or not really a package bug in the first place.

    So 1155 has to come off that number at a minimum.

    Minor and wishlist, which is 29139, you could remove as well. Mostly annoyances, not true bugs.

    So yes, claiming about 40925+1250 for normal, important and release critical would be more the valid number.

    Yes Robert was low. But you went high Ivan.

    It works out to less than 1 bug per package in active branches no matter what.

    Here are the sizes of the current active Debian branches.
    Debian stable branch is 35907 in allpackages.txt – 6 for the Debian header. So 35901 in stable.
    http://packages.debian.org/stable/allpackages?format=txt.gz
    Debian testing branch is 46440 in allpackages, of course -6 again for the header. 46434 packages.
    http://packages.debian.org/testing/allpackages?format=txt.gz
    And unstable, also known as sid, is 57714 – 6 for the header again, so 57708.
    http://packages.debian.org/sid/allpackages?format=txt.gz

    That gives a scary number of packages to have bugs reported on: 35901+46434+57708=140043

    So each package has about half a bug. So there has to be some packages with zero bugs even using the wrong numbers.

  95. Ivan says:

    Their bug count is a few hundreds for tens of thousands of packages and billions of lines of code (54 gB source code).

    Could you at least attempt to be honest with your propaganda?

    Those are bugs that are marked “release critical” not the actual bug count. The actual bug count at the time of my posting is at 72,469.
