IT security, vunerabilities, bugs, fixes, flaws, RSA conference and Infosec.

« It’s not the caffeine, it’s just me | Main | Future fortunes to be made »

The hardest thing to say

When I saw that there was a debate on the security merits of open source software and Microsoft I, and many others, figured “Debate, what debate.”

Hardly a day seems to go by without another virus or hack attack against Redmond’s software while Linux users nearly match Apple devotees for smugness over their code’s hardness.

So when Microsoft came out on top we all had to eat a little humble pie – it was almost as if Santa had turned out to be Satan.

Nevertheless don’t dismiss this study out of hand. One of the authors seemed genuinely upset at his results and he urges us all to try and mind flaws in his methodology. Please do so, because today’s finding left most delegates deeply disturbed.

February 17, 2005 | Permalink


It may be the way their findings were reported on the website but isn't this just another case of number of "official" flaws with no consideration for the true severity?

Possibly the difference is this time it is being presented by self-confessed Linux Fans. Before seeing their full report it would be rather petty of me to say so what...most people would sell their grandmothers if the price was right.

Previous reports have covered this sort of thing before: Microsoft claim fewer flaws which are repaired quicker than, say, Linux but conveniently ignore the fact the Microsoft flaws are glaringly horrible ones, or trivially exploitable.

Most sensible FOS supporters would not claim that FOS is without errors and security problems. They *would* say that on the whole flaws in FOS tend to be non-trivial e.g. those flaws that are only "theoretical" or require a highly unlikely set of circumstances to be in existance for the flaw to be exploitable. This situation arises because all development is in the open so the major (real) problems are spotted sooner before the product ever gets to market (as it were) or before it becomes a real problem.

Let's face it when was the last time a UNIX (SOlaris, AIX, Linux, etc), VMS, IBM zOS, Apple OSX(?) user caught a virus simply by opening an email? Certainly not without going through some hoops or deliberately putting themselves at risk.

There are *two* reasons why virus writers predominately target Microsoft products. The first reason is the one most people talk about - their market dominance. The second (and more important) is the fundamental design flaws in the Windows model - one which evolved from a product that had absolutely zero security of any sort. Windows provides a fertile and productive environment for virus writers to prosper and perfect their art.

Sadly at the end of the day this is all rather academic. There used to be a time that you could not be fired for buying you can't be fired for buying Microsoft.

Posted by: M Curtis | February 17, 2005 02:56 PM

Some comfort can be taken from the fact that with Open Sourse there are nearly 9,000 programs which can be attacked, whilst with the Microsoft stable we are only talking about some 270 programs. Now rework the statistics for attacks!!!

Posted by: Mike Simmons | February 18, 2005 02:40 PM

This battle will always exist, but facts are facts. I will make more money from managing Microsoft and it's products than I ever will from FOS.

Posted by: B Beatty | March 9, 2005 04:00 PM

Post a comment