MSFT's analysis of security

I was asked by @tonynewling for my take on "Vista One Year Vulnerability Report". I finally got time to look at it and subsequent reports by the same author and I have to applaud the report's author for cleverly clouding the report.

To his credit, he does say that he would have still done the report even if his employer's product came out looking not so rosy. Granted, that report is over a year and a half old now (September 9, 2009), so it is really passé to consider. But I am sure that MSFT would have used that report to try to make their Vista product look less vulnerable (considering how @tonynewling wanted my inputs). The author's methodology is clever. He took the first twelve months after a product's GA to analyse its vulnerability and patch efficiencies. He was also clever to say he was only going to compare Vista with Red Hat's Red Hat Enterprise Linux WS 4, even though Red Hat Enterprise Linux 5 had already been out for almost twelve months. He was happy to compare the first twelve months after RHEL 4's GA (March 2005) with the first twelve months of Vista, which I think came out in 2007 (I am not going to check and am sure someone will correct me).

If we are to look at any software product's development methodology (open source or closed source), every study (see David Wheeler's page) shows that by being open, you are assured that if there are vulnerabilities and defects, THEY WILL BE FOUND AND FIXED. Earlier last month, an eight-year-old vulnerability in the Linux kernel was discovered and fixed. Try that for ANY MSFT product. I am not begrudging their business model. What I am begrudging is the smooth "lies" that they constantly put out, including the cleverly crafted report referenced above.

Never mind the past. Let's move forward and look at what is looming on the horizon. Vista will be dead soon when MSFT releases Windows 7 sometime this year. And how do they intend to bring it to the market? How about with blatant lies? I did pose the question earlier today and am hoping that someone from MSFT will respond. It is HIGHLY unlikely anyone will (right @osrin and @tonynewling?). Now I read that the same lies are being told about the Mac as well.

Why can't MSFT do an honest job in selling their product? Why do they have to resort to outright lies and misrepresentations? The whole MSFT business is an intellectual vacuum and morally corrupt.
  • um.

    "Earlier last month, an eight-year-old vulnerability in the Linux kernel was discovered and fixed. Try that for ANY MSFT product."

    Um. They do that quite frequently. XP is eight years old (released 2001) and it is still supported, in the sense that they still release security updates for it.

    Vista will similarly be supported after 7 comes out.

    Lying about what Microsoft does is hardly the best way to combat Microsoft lying about what we do...

    (Also, please don't refer to companies by their stock symbol. It just looks silly. It's Microsoft, not MSFT.)
    • Re: um.

      "Um. They do that quite frequently. XP is eight years old (released 2001) and it is still supported, in the sense that they still release security updates for it.

      Vista will similarly be supported after 7 comes out.

      Lying about what Microsoft does is hardly the best way to combat Microsoft lying about what we do..."

      Well, I don't intend to lie about their stuff - I will be happy to be corrected. One does not have to push down one's competitor to look good in turn.

      If you look here, their XP stuff reached end of life last year (or earlier this year, 2009). It does not state that there will be security updates for them.

      The Linux kernel issue I mentioned was from way back and it is exactly those kinds of security stuff that we see open source succeeding in.

      Contrast this with MS Windows 2000 being abandoned because "the architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix. To do so would require re-architecting a very significant amount of the Windows 2000 SP4 operating system, not just the affected component. The product of such a re-architecture effort would be sufficiently incompatible ... that there would be no assurance that applications designed to run on Windows 2000 SP4 would continue to operate on the updated system." (from MS09-048).

      Let's imagine for a moment that the windows 2000 codebase was open sourced to begin with. We can only guess if it could be fixed by the interested non-MS people. We now know MS will not. Ever.

      Yes, it is a specific example of a specific situation. But the two examples, one from the Linux kernel and the other from Windows 2000, prove the point that the open source development model is a fundamentally better way for code development and, more importantly, sustainability.

      The proprietary model encourages only one thing: repeated consumption of resources to feed the revenue engine. A new version from Microsoft is a revenue event. It is one which forces users (if they agree) to upgrade. Is that how we should be consuming software? Is there a better way to consume software and yet sustain the community and the ecosystem? How about something based on subscriptions?