[Linux-aus] It's a step in the right direction, but only a step

Leon Brooks leon-olc at cyberknights.com.au
Tue Mar 23 09:32:02 UTC 2004


    http://computerworld.co.nz/news.nsf/NL/6671974C513F31E8CC256E5B00723C21

> And in what might be a first for a senior Microsoft executive, [Peter]
> acknowledged that Linux is not going to be a passing fad.

> “Linux is going to be part of the future. It’s going to be like Unix was.”

While I appreciate the message in there that Linux is going to rule the server 
landscape, and am frankly flabbergasted that a Microsoft exec would openly 
confess as much (bonus points for so doing, Peter), I don't appreciate the 
innuendo that Unix is in some way a "has been" or that Linux is going to join 
it in has-been land.

I can plug a Linux CD into one machine, and a minute later have a fully 
functional Linux workstation and server going there, with extensive office, 
networking and diagnostic capabilities - all without disturbing what's on the 
hard disk. I do so regularly while repairing virus-savaged MS-Windows LANs. 
The staff can be editing up documents and getting on with their lives while 
I'm still repairing their system.

I can issue one command and reboot the rest of the office into the same 
software within a very few minutes, without any extra CDs (hurrah for PXE and 
caching). I can batch-process information supercomputer-style on this 
network. I can permanently install the software onto the machines' hard disks 
while they're running and being used for day-to-day work. This is not the 
substance of a has-been, and I CAN'T DO ANY OF IT without a great deal of 
effort in MS Windows, and a great deal of licence-counting.

> For each of Red Hat, Mandrake and Debian, their websites reported more
> than double the number of security advisories of Windows 2000 and XP,
> Moore said, and while the Linux security advisory rate was rising, that for
> Windows was falling.

I can speak to this with authority on Mandrake. First, account for the 
*nature* of the patches. Very few of them are for show-stopper issues. Think 
CodeRed. If what Peter infers from this were true, there should be twice as 
many attacks through Apache as through MS IIS, but day after day my Apache 
web logs show stuff like this MS IIS probe and no Apache probes:

    GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
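As an added illustration (not part of Leon's post), the following Python scans Apache combined-log lines for this class of IIS Unicode-traversal probe, normalising the request path before matching so that the overlong UTF-8 and double-percent-encoded variants of the same probe are all caught. The log lines are constructed samples, and the table of overlong encodings is an assumption of a few well-known variants, not an exhaustive list.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample Apache combined-log lines (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2004:09:12:01 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
198.51.100.4 - - [23/Mar/2004:09:12:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Mar/2004:09:12:09 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Overlong UTF-8 byte sequences that the old IIS decoder accepted as '/' or '\'.
# Assumption: a few well-known variants only, not a complete list.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\", b"\xc0\x2f": b"/"}

def normalize_path(raw: str) -> str:
    """Decode twice (catches %25-double-encoding), map overlong bytes to slashes,
    fold backslashes to forward slashes and lower-case for matching."""
    b = unquote_to_bytes(unquote_to_bytes(raw))
    for bad, good in OVERLONG.items():
        b = b.replace(bad, good)
    return b.decode("latin-1").replace("\\", "/").lower()

def classify(path: str) -> list[str]:
    """Return the reasons a request path looks like an IIS traversal probe."""
    p = normalize_path(path)
    reasons = []
    if "/../" in p or p.startswith("../"):
        reasons.append("traversal")
    if "cmd.exe" in p or "/winnt/system32/" in p:
        reasons.append("iis-cmd-probe")
    return reasons

def scan(log_text: str) -> list[dict]:
    """Walk the log and collect the lines whose request path raises a reason."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        reasons = classify(m["path"])
        if reasons:
            hits.append({"ip": m["ip"], "path": m["path"], "reasons": reasons})
    return hits
```

Running `scan(SAMPLE_LOG)` flags the two probe lines from 203.0.113.7 and leaves the ordinary request alone, even though the second probe hides its traversal behind a double-encoded backslash.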

Next, account for what's being patched. Mandrake 10.0 ships with over 1800 
packages including three different equivalents to MS Office, three different 
equivalents to MS Exchange, two different equivalents to MS SQL Server, three 
different equivalents to MS Outlook, three different equivalents to MS 
Internet Explorer and so on ad infinitum. One would expect to see roughly 
three times as many updates based on this factor (more choice) alone.

Microsoft supports an organisation trading as "Software Choice". I hope you're 
not going to turn around and claim that more choice is now a Bad Thing. The 
workstation I'm typing on has 1458 packages installed; some for me, some for 
my wife, and some for my children.

Even allowing for the observation that those packages are generally more 
granular (call it the equivalent of roughly 500 MS Windows software 
packages), just getting all of that software installed together on MS Windows 
at one time without having it "tread on each other's toes" would be a minor 
miracle. When even such basic issues haven't been completely solved, security 
must by definition take a back seat to not rocking the boat.

> “Security is an industry issue,” Moore said, “and we’re getting better.”

Security is a multifaceted thing, and blaming it principally on "the industry" 
denies that you're (Microsoft) putting sufficient weight on more important 
issues such as basic software architecture.

Fixing security aspects such as this would require Microsoft to bite the 
bullet and make statements along the lines of "OK, so the MIME handling in 
Windows is broken, and that Outlook application is a house of cards from keel 
to crow's nest. We're going to re-engineer those, *without* building in more 
DRM hooks and other junk and lock-ins designed to help us and our market 
image at the expense of customer utility."

The people best placed to help you face that are your MVPs, who are as close 
to a genuine Open Source community as Microsoft (so far) gets.

If Microsoft doesn't do something radical along those lines, and very soon, 
Linus Torvalds' flippant quip, "Really, I'm not out to destroy Microsoft. 
That will just be a completely unintentional side effect." will come to pass. 
Really. And then what of the customers stranded by Microsoft lock-ins, but 
without any source of security updates?

Meanwhile, there is no such single point of failure in the Open Source world.

Cheers; Leon
