Ok, I'll bite. (FYI, I work at MS on Windows, but the viewpoints here are my own, and don't represent any official satement from MS, etc, etc...)
<rant>
https://rhn.redhat.com/errata/rh9-errata.html
Linux posts/fixes at least at many security holes as Windows (usually more), it's just that crackers aren't nearly as aggressive at exploiting them, because:
1) There aren't nearly as many users
2) Linux users, on the whole, are probably better about patching
Do you have any idea how frustrating is that hackers / crackers
reverse engineer our security patches to figure out how to exploit the users that haven't updated. Often times they do it in days to a few weeks. It doens't always work this way, but in the case of Blaster, the fix had been out for quite a while. The Linux situation would be no different if they had an installed base of a few hundred million or so casual users, instead of a small installed base of primarily servers and power users.
As for the source leak, that is also frustrating, possibly not just for MS. Our code often contains a lot of licensed IP, trade secrets, etc, and so there may be a lot of things in there that a
lot of companies weren't ready to give away. For what it's worth though, it sounds like it's not the complete source, since a full source enlistment is many GB, and this is only a few hundred MB extracted. I'm not going to guess at the fallout, but as someone who pours my heart and soul into building that code, sometimes 80 hours a week, well, I'm proud of what I write, but I'm still quite upset with the fact that it was
stolen. We do license it out to educational institutions and other entities. The notion that we believe in security through obscurity is very debasing, and with the effort that all of us put in at MS, I take that personally and am quite hurt. You have no idea the amount of effort we put in at all stages of the process to keep the OS trustworthy. I don't think some people outside MS appreciate how challenging it is, or to what lengths the crackers out there go to in attempting to beat us.
Oh yeah, to our credit, it appears what code has leaked has held up to some fierce slashdot scrutiny of our respect for intellectual property.
Of course, Linux seems to be doing OK against SCO scrutiny at the moment too.
I work at MS, and I take a lot of pride in the work I do. The flames about security through obscurity are unfounded, unfair, and ill-informed. Despite the fact that I know all this, they still hurt like hell, because I (and everyone I work with at MS) take the topic very seriously, and devote a lot of effort to it.
</rant>
Well theres a waste of a good morning... oh well, sometimes I just gotta get it out of my system... FYI, no need to flame, it's all out of my system. I don't feel like getting into it, and anyway need to get some work done now.
- Ben
Some are more secure than others, yes. But none are absolutely secure.
- That's funny.
