Re: Good reading
From: Vagabond Software (carlfenley-X-_at_-X-san.rr.com)
Date: 12/20/04
- Next message: Jone Doe: "Re: What processes should be running?"
- Previous message: Solution Please: "Workgroup/Domain"
- In reply to: anonymous_at_discussions.linuxworld.com: "Good reading"
- Next in thread: Paul Heslop: "NOT worth a read"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 20 Dec 2004 11:08:19 -0800
It's not really that "good" a read. It is yet another rant by a Linux user with a cursory knowledge of the Windows operating system. I'm sure he believes it is just ignorance of the wonders of Linux that keeps the droves of sheep-like computer users from flocking to an environment where they get to tar driver source files, compile them with their own set of options, and recompile the kernel.
The premise of the article, that the Windows platform is "patently, blatantly, and unashamedly insecure by design", is simply false. Microsoft Windows has been my primary desktop operating system since the release of Windows 95, which I purchased and installed in 1996. I have also had an "always on" broadband Internet connection to my home computer since Feb 1997.
1. My last virus infection was BackOrifice in late 1997 or early 1998.
2. The last time a spyware scanner found so much as a questionable cookie on my machine (other than alexa) was last year after installing a children's game for my daughter.
In addition, I run Windows Server 2003 with IIS 6 enabled, and Windows 2000 Pro with IIS 5 before that. I don't even run virus software on those computers because I know there is no chance that they can become infected.
However, I have had issues on work-related Linux boxes running the Sun Java Runtime Environment. The author of this article believes now all Windows users should immediately switch to Linux. I have news for him -- the Linux world is not yet ready to have every hacker and malicious scripter with a computer start hammering away at the numerous vulnerabilities in a typical Linux installation.
carl
<anonymous@discussions.linuxworld.com> wrote in message news:017e01c4e6c2$40981890$3501280a@phx.gbl...
> http://www.linuxworld.com/story/47536.htm
>
> Linux Opinion: An Open Letter to a Digital World
> "The Windows platform is not just insecure - it's patently,
> blatantly, and unashamedly insecure by design"
> December 18, 2004
> Summary
> As a Linux desktop user himself, system administrator Chris
> Spencer did not relish having to clean up his wife's
> infected Windows PC after it had become compromised. By the
> time he'd solved the immediate problem, Spencer had become
> so fed up with spyware, trojans, viruses, and spam, that he
> decided it was time to write a letter to the world. It's a
> simple message: it's time to switch from Windows to Linux.
> "The letter serves as a guide," Spencer explains, "taking
> you through some of the history of Microsoft right up to
> this present day."
>
> To Anyone Who Will Listen,
> Recently I was reading an article from Wired magazine
> talking about the Windows spyware problem [1]. It was
> unbelievable to me that people would choose to use programs
> that they know make all their personal information
> available to companies. It turns out that 80% of Windows
> users suffer from spyware [2]. I read many articles like
> these but always thought that these people have problems
> just because they aren't careful. Maybe they don't run
> anti-virus, they don't use a firewall, or they browse seedy
> sites and download applications for seedy activities. It
> turns out though that is not the case.
>
> My wife discovered that her computer had been infected by
> spyware and trojans despite the anti-virus, regular Windows
> updates, having the good sense not to open attachments,
> using a firewall, and avoiding any type of seedy activities
> online. As best we can tell someone exploited IE
> transparently while she searched for medical information to
> help our nephew.
>
> The clean up from these types of infections is great fun. I
> spent not less than 5 hours running about every spyware
> prevention program known to man. Each one searching for
> those pesky files and registry settings. The worst thing of
> all was that, once I cleared them off the disk, simply
> starting Internet Explorer would reinfect the whole system.
> Seriously, it was great fun and I did, eventually, have the
> satisfaction of beating the problem. That's right - a
> system administrator for 10 years with a degree in computer
> science and a RHCE CAN clean up a single spyware infection
> in 5 hours.
>
> I hope you see what I am really saying here. How on this
> earth are people that aren't trained in Information
> Technology going to do it? As a Linux desktop user, I had
> never been exposed to this type of problem. Having now
> battled with spyware, I am finally motivated to speak up
> and say something to the world. I want to get a single
> message across:
>
> It's time for anyone running a Windows PC to switch to Linux.
>
> You see, the Windows platform is not just insecure - it's
> patently, blatantly, and unashamedly insecure by design and
> for all the lip service to security it's really not going
> to get better, ever. To make matters worse, it's more
> expensive and gives you fewer necessary applications right
> out of the box than Linux. Everyone, even Microsoft, knows
> this - they are just too afraid to say it. The tide is
> coming in. Nothing on this planet can stop it.
>
> Whew. I said it. I am so happy to get that off my chest,
> however, for me to stop here would be unfair. I haven't
> really proved it to you. So if you will entertain me a bit
> longer here is the rest of the story.
>
> Microsoft started conducting a "Get the Facts" [3]
> marketing campaign against Linux. This signaled that they
> have correctly assessed that their competition is Linux and
> that they need to fight it with all they have. It even made
> it into their 10K filing. [4] It's really an interesting
> read to note that Microsoft sees Linux as a major threat.
> It's a big enough threat to their monopoly that they say:
>
> "The Linux open source operating system, which is also
> derived from Unix and is available without payment under a
> General Public License, has gained increasing acceptance as
> its feature set increasingly resembles the distinct and
> innovative features of Windows and as competitive pressures
> on personal computer OEMs to reduce costs continue to
> increase."
>
> If Microsoft thinks this then that alone is more than
> enough reason to give a fair look at Linux. Of course it's
> just as likely that they are preparing the lawsuits to
> attack Linux because it is a real competitor. I am not sure
> which distinct and innovative features they are
> referencing. Perhaps it was the whole GUI concept that
> Apple sued them for stealing from them. Perhaps it was the
> Microsoft Office-like functionality that Open Office has
> that Microsoft took from Word Perfect. It's hard to tell
> and it gets me off topic to delve into it.
>
> Alright, let's talk about the "Get the Facts" marketing
> campaign. What happened is that Microsoft and vendors that
> make money on Microsoft products have all come together to
> tell us why we should use their products. As a
> consumer and something of a student of history, I always
> question people that are highly motivated to protect their
> jobs and money. Did big tobacco say their products were
> safe long after they knew it wasn't true? Might Microsoft
> be inclined to say that their products provide better total
> cost of ownership (TCO) and security than another product
> despite knowing it wasn't true?
>
> It turns out they have done something strikingly similar
> before. [5] When IBM OS/2 had just taken off and become
> "the best selling retail software product in America" then
> "sources close to Microsoft" leaked word to a columnist for
> the UK edition of PC Magazine, who dutifully reported both
> the rumor and source." - Computerworld, March 20, 1995,
> page 118. From there it was all downhill for IBM. Despite
> everything indicating that OS/2 was doing great the press
> just kept printing the Microsoft party line. In the almost
> 10 years since that happened, have things changed? Are they
> kinder, gentler, and friendlier to work with or do they
> still spin, bully, and use talking heads?
>
> Carrying on in their history we see that, empowered by
> their victory over IBM, just 4 years ago Microsoft was
> ordered to be split in two by Judge Thomas Penfield Jackson
> because they were convicted of abusing their monopoly
> market position. Then 3 years ago Judge Colleen
> Kollar-Kotelly reversed the decision to split them and a
> much lighter penalty was imposed. Unhappy with the results
> the EU took up the case and just this year Microsoft was
> convicted in the EU. Since then Microsoft has paid billions
> of dollars to the companies that were aligned against them.
> One by one settling the differences. Most of the companies
> had little choice but to accept the money they were
> offered. Because they have been so badly beat. Now they
> stand with billions of dollars in the bank and a patent
> portfolio that is rapidly expanding.
>
> I don't know about you but when a convicted monopolist that
> has been shown to use those monopoly powers against their
> competitors says that Linux is a competitor but that it's
> not as secure or cost-effective, well then I take note.
> Because I know there is a good chance that a half truth was
> spoken.
>
> Maybe Linux is shoddy code just hacked together by a
> college student. However, according to the four-year
> analysis by five Stanford researchers [6] Linux contains
> only "0.17 bugs per 1,000 lines of code" and most all of
> those bugs have been fixed. Given that an earlier study
> from Reasoning, Inc [7] had already shown that the Linux
> TCP/IP stack had a 0.013 per 1000 lines of code defect rate
> back in 2001, it is hardly astonishing that the entire
> Kernel is also relatively low in defects compared to your
> average commercial software application. To put that in
> perspective the average code seems to have anywhere from 2
> to 30 bugs per 1000 lines of code. That makes the Linux
> kernel between 11 times and 176 times better than your
> average product. So it's certainly not shoddy software by
> any stretch of the imagination.
>
> Considering that many Linux distributions are free, it is
> hard to believe that it would be more expensive than
> Microsoft where a simple upgrade costs $100 and their
> Office application costs hundreds more. Call me crazy but I
> am having a hard time finding any truth in the "facts" as
> reported by Microsoft. However, Microsoft studies the TCO
> to show that other factors make Linux more expensive. Yet,
> the studies that I have read seem to make crazy assumptions
> like saying it takes more money to train users to push a
> button on Linux than it does to push a button on Windows.
> They also tend to ignore the costs associated with viruses,
> spyware, and trojans that prompted me to write this.
> Perhaps most unfortunately for Microsoft they also ignore
> that wildly varying labor costs directly affect TCO. [8]
> That means it wouldn't just be a poor decision it would be
> a completely moronic decision for a government to use the
> Windows platform in the third world if it wasn't absolutely
> necessary. To be honest, for a long time I have wanted to
> see a case study that took these types of issues into
> account. I was, for this reason greatly disappointed, when
> I heard about a study from Cybersource [9] that ignored
> these things but still found Linux, even Red Hat Enterprise
> Linux, to be at least 19% less expensive. So much for
> Windows being better value, they can't even win when the
> whole thing is tipped in their favor.
>
> Maybe I missed something? Maybe Microsoft just happens to
> be truly better at security than Linux? For this I had to
> get dirty and dig. On the surface it did seem like Windows
> had fewer security issues. Looking at Secunia, a security
> research company, I discovered Windows 2000 Server has had
> only 76 Advisories in all of 2003 and 2004. [10] Red Hat
> Enterprise Linux 3 on the other hand has 101 Advisories
> [11] and it wasn't launched until November and looking at
> Red Hat Enterprise Linux 2.1 I found a whopping 145
> vulnerabilities. [12] That looks pretty bad, right?
>
> I am sure that is what Microsoft would like us to think. If
> we would just ignore the elephants in the closet then we
> would come to their happy conclusion. I'm not going to do
> that though.
>
> Microsoft Windows is but one component in a much larger
> Windows platform. What good is the operating system without
> remembering productivity software, anti-virus software,
> instant messengers, media players, software to burn CD and
> DVDs, and the list goes on and on? These are all things
> that Red Hat and every other Linux distribution includes as
> part of the package. Usually they go so far as to include
> multiple applications for each function. It would be,
> therefore, completely unfair if we didn't compare a
> comparably equipped Windows platform to a comparable Linux
> platform. How do you add it up though? Whose products do
> you pick and whose products do you ignore? It's a horrible
> can of worms. I tried to do it. To build the comprehensive
> list so that we could compare a Microsoft Windows that's
> fully equipped like a Linux distribution and I was able to
> exceed the number of advisories. I just felt dirty doing it
> and in the process of doing it. Besides, I came to the
> realization that the bug count isn't what really mattered.
>
>
> What really matters is that the bugs are getting fixed so
> you aren't online without protection and that the updates
> were easy to track and install. Both of which Microsoft is
> in serious trouble with.
>
> With Linux all of the updates for all of the different
> types of applications come through a single path and in an
> automated way. It is a process very much like the Windows
> Update service. The key here is that one update service
> covers all of the products. On the Windows platform you can
> get the Windows updates this way but what about all of the
> third party applications we needed to have the same
> functionality as Linux? Each of those need to be searched
> for or are hidden inside the application themselves.
>
> In my research I found one particularly nasty Microsoft bug
> that really emphasizes this point. I am talking about the
> GDI+ buffer overflow with JPEG processing [13]. They put
> out a security bulletin and they released a patch for each
> of their affected products but they never identified who
> put the SDK library in their products and each of those
> products linked to it individually. Not only did this mean
> users had to be experts that researched the update on their
> own, but they also had to manually install it in each
> location. You have to admit, that sure isn't as nice as the
> centralized updating that Linux has. It seems more like a
> tidal wave to me.
>
> Then there are the issues related to actually fixing the
> bugs that are known. Again, Secunia makes it really easy to
> see. Of the 76 advisories Microsoft 2000 Server still had a
> whopping 20% outstanding and one of them was rated "Highly
> Critical". Red Hat Enterprise Linux had fewer than 1%
> outstanding and it was rated only "Moderately Critical". So
> much for fewer security updates meaning you are more secure
> and let's not even talk about the Internet Explorer Web
> browser. Because it is so insecure that the United States
> government, through the Computer Emergency Readiness Team,
> had to issue a warning to use any browser besides IE. [14]
> Yet, to use Windows Update you have to use IE. It's just
> not fair.
>
> Then there is the issue of design. Linux was designed to be
> in a hostile Internet centric world. As people were
> programming it they knew this and it no doubt played a role
> in the designs of their products. With Linux you will find
> that firewalls are enabled by default, users rarely login
> as administrators, server applications run as users that
> have limited rights, etc. In Windows these obvious things
> were an afterthought. Finally put into Windows XP with the
> creation of SP2, well mostly. I think it's because of the
> mindset that Windows is for end users on either private
> networks or no network at all that Microsoft has been hit
> so hard by security issues. It's of course equally possible
> that the issue is entirely different. Maybe they don't fix
> the security holes because it's considered a feature. I
> know they said as much about the Windows Messenger Service
> [15] even though it was being actively used to send banner
> advertisements to desktops around the world.
>
> Perhaps Microsoft is finding that the standard software
> wisdom about bugs [16] being less expensive to fix before a
> product ships is true because after several years of having
> security as the number one focus they are as plagued or
> more plagued by security issues than ever before. Maybe
> pouring money on the problem won't fix it? I mean come on.
> Even before Windows XP [17] - we knew these things but it
> still shipped with the stupid default settings and we STILL
> have 20% of their advisories unfixed. How can anyone feel
> safe running on a Microsoft platform?
>
> Linux provides a better paradigm. It costs less, it is more
> secure, and perhaps most importantly of all it isn't
> controlled by a single vendor. While Red Hat is the largest
> distributor of Linux and does provide a comprehensive
> support system and legal protections for their customers,
> they aren't alone. Major companies like IBM, HP, and Novell
> are all deeply involved with Linux but none of them are in
> control of it.
>
> Because of Linux, the future of computing is commodity. By
> the year 2000, Linux already represented billions of
> dollars worth of development effort [18] and it's owned
> collectively by each one of us. The savings will follow and
> you can count on getting what you pay for or there will be
> someone else that is there for you on the terms that you
> want. The tide has turned and Microsoft is going to get
> wet. From my perspective they already are all washed up.
>
> It's all an issue of attitude. Linux follows the share and
> share alike [19] mindset whereas Microsoft seems to have
> the greedy mindset of it's all mine and I want to get paid
> for it now [20]. Well Bill, Steve, and talking parrots,
> that's not very nice. As I have shown there are good
> reasons for using Linux as the better alternative to
> Windows. Give my friends at Red Hat a call. I am sure they
> could comp. you a copy. Anyway.....
>
> Like I said: It's time for anyone running a Windows PC to
> switch to Linux.
>
> I really appreciate you taking the time to read my letter
> and I hope that it gets you motivated to make the switch
> or, if you already have, that it just makes you feel all
> warm and fuzzy inside.
>
>
>
>
> Sincerely,
>
>
> Chris Spencer
> chris at digitalfreedoms dot org
>
>