[Linux-aus] Ballmer on Linux

Jon maddog Hall maddog at li.org
Mon Jul 28 21:22:02 UTC 2003 

When I worked for Digital, a lot of the times the engineers would see a
possible security condition, but determine that it should not be announced
to the CERT community because it was better to fix it quietly and patch
it in a future release than to announce it to the world and have it exploited
in non-patched systems.  A lot of this had to do (of course) with whether the
code belonged only to Digital or whether it was common code, and also the
probability that the condition would be exploited.

The open source community tends to deliver a lot more of those CERT advisories
to the CERT board simply because:

	o they may exist across multiple distributions
	o they may be visible to crackers
	o it is an effective way to alert those people whose concerns about
	  security are paramount to their business
	o we have a lot more code in a given Linux distribution than "just
	  windows"

It would be interesting to see how many of those Microsoft CERT advisories were
generated first by a customer who had been compromised, or by Microsoft
itself.  And it would also be interesting to see if those vulnerabilities were
in "just windows" or inclusive of Microsoft Office.

It could well be that the Open Source "vulnerabilities...growing 21 per cent"
was just due to an effective job by the Open Source people finding
vulnerabilities.

As to Red Hat releasing nine security patches a month after "other vendors"...
....I am willing to bet that those patches were available through other
means in the Open Source community if the patches were that critical.  When
you need a Microsoft patch, the ONLY people you can get it from is Microsoft.

Finally, if one has a copy of Office 97 (and from informal questioning at
trade shows, a lot of people are still using it), you can not get Microsoft
to fix a major hole in its security due to the fact that they have "dropped
support" for it. Of course you do not have the source code for Office 97.
If you did have the sources for Office 97, you could make the business
decision to hire a consultant to fix it, or not.  Microsoft would tell you to
"upgrade" for the fix, but that is often economically not feasible.
-- 
Jon "maddog" Hall
Executive Director           Linux(R) International
email: maddog at li.org         80 Amherst St. 
Voice: +1.603.672.4557       Amherst, N.H. 03031-3032 U.S.A.
WWW: http://www.li.org

Board Member: Uniforum Association, USENIX Association

(R)Linux is a registered trademark of Linus Torvalds in several countries.
UNIX is a registered trademark of The Open Group in the US and other countries.

More information about the linux-aus mailing list