Linux Opinion: An Open Letter to a Digital World

"The Windows platform is not just insecure - it's patently, blatantly, and
unashamedly insecure by design"

December 18, 2004, http://www.linuxworld.com/story/47536.htm

By Chris Spencer 

To Anyone Who Will Listen,

Recently I was reading an article from Wired magazine talking about the
Windows spyware problem [1]. It was unbelievable to me that people would
choose to use programs that they know make all their personal information
available to companies. It turns out that 80% of Windows users suffer from
spyware [2]. I read many articles like these but always thought that these
people had problems just because they weren't careful. Maybe they don't run
anti-virus, they don't use a firewall, or they browse seedy sites and
download applications for seedy activities. It turns out, though, that this
is not the case.

My wife discovered that her computer had been infected by spyware and
trojans despite the anti-virus, regular Windows updates, having the good
sense not to open attachments, using a firewall, and avoiding any type of
seedy activities online. As best we can tell, someone exploited IE
transparently while she searched for medical information to help our nephew.

The cleanup from these types of infections is great fun. I spent not less
than 5 hours running about every spyware prevention program known to man,
each one searching for those pesky files and registry settings. The worst
thing of all was that, once I cleared them off the disk, simply starting
Internet Explorer would reinfect the whole system. Seriously, it was great
fun and I did, eventually, have the satisfaction of beating the problem.
That's right - a system administrator for 10 years with a degree in computer
science and an RHCE CAN clean up a single spyware infection in 5 hours.

I hope you see what I am really saying here. How on this earth are people
that aren't trained in Information Technology going to do it? As a Linux
desktop user, I had never been exposed to this type of problem. Having now
battled with spyware, I am finally motivated to speak up and say something
to the world. I want to get a single message across:

It's time for anyone running a Windows PC to switch to Linux.

You see, the Windows platform is not just insecure - it's patently,
blatantly, and unashamedly insecure by design, and for all the lip service
to security it's really not going to get better, ever. To make matters
worse, it's more expensive and gives you fewer necessary applications right
out of the box than Linux. Everyone, even Microsoft, knows this - they are
just too afraid to say it. The tide is coming in. Nothing on this planet can
stop it.

Whew. I said it. I am so happy to get that off my chest. However, for me to
stop here would be unfair. I haven't really proved it to you. So if you will
entertain me a bit longer, here is the rest of the story.

Microsoft started conducting a "Get the Facts" [3] marketing campaign
against Linux. This signaled that they have correctly assessed that their
competition is Linux and that they need to fight it with all they have. It
even made it into their 10-K filing [4]. It's really an interesting read to
note that Microsoft sees Linux as a major threat. It's a big enough threat to
their monopoly that they say:

    "The Linux open source operating system, which is also derived from Unix
and is available without payment under a General Public License, has gained
increasing acceptance as its feature set increasingly resembles the distinct
and innovative features of Windows and as competitive pressures on personal
computer OEMs to reduce costs continue to increase."

If Microsoft thinks this, then that alone is more than enough reason to give
a fair look at Linux. Of course it's just as likely that they are preparing
the lawsuits to attack Linux because it is a real competitor. I am not sure
which distinct and innovative features they are referencing. Perhaps it was
the whole GUI concept that Apple sued them for stealing. Perhaps it was the
Microsoft Office-like functionality that OpenOffice has and that Microsoft
took from WordPerfect. It's hard to tell and it gets me off topic to delve
into it.

Alright, let's talk about the "Get the Facts" marketing campaign. What
happened is that Microsoft and vendors that make money on Microsoft products
have all come together to tell us why we should use their products. As a
consumer and something of a student of history, I always question people
that are highly motivated to protect their jobs and money. Did big tobacco
say their products were safe long after they knew it wasn't true? Might
Microsoft be inclined to say that their products provide better total cost
of ownership (TCO) and security than another product despite knowing it
wasn't true?

It turns out they have done something strikingly similar before [5]. When
IBM OS/2 had just taken off and become "the best selling retail software
product in America", "sources close to Microsoft" leaked word to a columnist
for the UK edition of PC Magazine, who "dutifully reported both the rumor
and source" (Computerworld, March 20, 1995, page 118). From there it was all
downhill for IBM. Despite everything indicating that OS/2 was doing great,
the press just kept printing the Microsoft party line. In the almost 10 years
since that happened, have things changed? Are they kinder, gentler, and
friendlier to work with or do they still spin, bully, and use talking heads?

Carrying on in their history we see that, empowered by their victory over
IBM, just 4 years ago Microsoft was ordered to be split in two by Judge
Thomas Penfield Jackson because they were convicted of abusing their
monopoly market position. Then 3 years ago Judge Colleen Kollar-Kotelly
reversed the decision to split them and a much lighter penalty was imposed.
Unhappy with the results, the EU took up the case and just this year
Microsoft was convicted in the EU. Since then Microsoft has paid billions of
dollars to the companies that were aligned against them, settling the
differences one by one. Most of the companies had little choice but to accept
the money they were offered because they had been so badly beaten. Now
Microsoft stands with billions of dollars in the bank and a patent portfolio
that is rapidly expanding.

I don't know about you, but when a convicted monopolist that has been shown
to use those monopoly powers against their competitors says that Linux is a
competitor but that it's not as secure or cost-effective, well then I take
note, because I know there is a good chance that a half truth was spoken.

Maybe Linux is shoddy code just hacked together by a college student.
However, according to the four-year analysis by five Stanford researchers
[6], Linux contains only "0.17 bugs per 1,000 lines of code" and almost all
of those bugs have been fixed. Given that an earlier study from Reasoning,
Inc. [7] had already shown that the Linux TCP/IP stack had a defect rate of
0.013 per 1000 lines of code back in 2001, it is hardly astonishing that the
entire kernel is also relatively low in defects compared to your average
commercial software application. To put that in perspective, the average
code seems to have anywhere from 2 to 30 bugs per 1000 lines of code. That
makes the Linux kernel between 11 times and 176 times better than your
average product. So it's certainly not shoddy software by any stretch of the
imagination.

Considering that many Linux distributions are free, it is hard to believe
that it would be more expensive than Microsoft, where a simple upgrade costs
$100 and their Office application costs hundreds more. Call me crazy, but I
am having a hard time finding any truth in the "facts" as reported by
Microsoft. However, Microsoft's TCO studies claim to show that other factors
make Linux more expensive. Yet the studies that I have read seem to make
crazy assumptions, like saying it takes more money to train users to push a
button on Linux than it does to push a button on Windows. They also tend to
ignore the costs associated with viruses, spyware, and trojans that prompted
me to write this. Perhaps most unfortunately for Microsoft, they also ignore
that wildly varying labor costs directly affect TCO [8]. That means it
wouldn't just be a poor decision, it would be a completely moronic decision
for a government to use the Windows platform in the third world if it wasn't
absolutely necessary. To be honest, for a long time I have wanted to see a
case study that took these types of issues into account. I was, for this
reason, greatly disappointed when I heard about a study from Cybersource [9]
that ignored these things but still found Linux, even Red Hat Enterprise
Linux, to be less expensive by 19% or more. So much for being less
expensive; they can't even win when the whole thing is tipped in their favor.

Maybe I missed something? Maybe Microsoft just happens to be truly better at
security than Linux? For this I had to get dirty and dig. On the surface it
did seem like Windows had fewer security issues. Looking at Secunia, a
security research company, I discovered Windows 2000 Server has had only 76
advisories in all of 2003 and 2004 [10]. Red Hat Enterprise Linux 3, on the
other hand, has 101 advisories [11] and it wasn't launched until November,
and looking at Red Hat Enterprise Linux 2.1 I found a whopping 145
vulnerabilities [12]. That looks pretty bad, right?

I am sure that is what Microsoft would like us to think. If we would just
ignore the elephants in the closet then we would come to their happy
conclusion. I'm not going to do that though.

Microsoft Windows is but one component in a much larger Windows platform.
What good is the operating system without productivity software, anti-virus
software, instant messengers, media players, software to burn CDs and DVDs,
and so on? These are all things that Red Hat and every other Linux
distribution includes as part of the package. Usually they go so far as to
include multiple applications for each function. It would be, therefore,
completely unfair if we didn't compare a comparably equipped Windows platform
to a comparable Linux platform. How do you add it up though? Whose products
do you pick and whose products do you ignore? It's a horrible can of worms. I
tried to do it: to build the comprehensive list so that we could compare a
Microsoft Windows that's fully equipped like a Linux distribution, and I was
able to exceed the number of advisories. I just felt dirty doing it, and in
the process I came to the realization that the bug count isn't what really
matters.

What really matters is that the bugs are getting fixed so you aren't online
without protection, and that the updates are easy to track and install, both
of which Microsoft is in serious trouble with.

With Linux all of the updates for all of the different types of applications
come through a single path and in an automated way. It is a process very
much like the Windows Update service. The key here is that one update
service covers all of the products. On the Windows platform you can get the
Windows updates this way, but what about all of the third party applications
we needed to have the same functionality as Linux? Each of those needs to be
searched for, or is hidden inside the application itself.

In my research I found one particularly nasty Microsoft bug that really
emphasizes this point. I am talking about the GDI+ buffer overflow with JPEG
processing [13]. They put out a security bulletin and they released a patch
for each of their affected products, but they never identified who had put
the SDK library into their products, and each of those products linked to it
individually. Not only did this mean users had to be experts that researched
the update on their own, but they also had to manually install it in each
location. You have to admit, that sure isn't as nice as the centralized
updating that Linux has. It seems more like a tidal wave to me.
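The per-product copies described above turn one patch into an inventory problem. As an added example (not code from the author or from Microsoft), this script walks a tree for every copy of the library named in the MS04-028 bulletin and flags the copies still older than a fixed build; the library name comes from the bulletin, while the version numbers and directory layout are constructed placeholders.

```python
"""Find privately bundled copies of a shared library and report the stale
ones.  Added example, not vendor code; the fixed build number is not on
this page, so a constructed placeholder stands in for it."""
import os
import tempfile
from typing import Dict, List, Tuple

TARGET_LIB = "gdiplus.dll"               # library named in MS04-028
PLACEHOLDER_FIXED_VERSION = "1.0.200.0"  # constructed placeholder, not real


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted file version such as '1.0.150.0' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def find_library_copies(root: str, name: str = TARGET_LIB) -> List[str]:
    """Walk a tree and return every file whose name matches the library.
    A central patch only fixes the system copy, so each product's private
    copy has to be located separately; this is the step left to the user."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() == name.lower():
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def stale_copies(inventory: Dict[str, str], fixed_version: str) -> List[str]:
    """Return paths whose recorded version is older than the fixed build."""
    fixed = parse_version(fixed_version)
    return sorted(path for path, ver in inventory.items()
                  if parse_version(ver) < fixed)


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed tree (one central copy, three bundled copies) and
    report which copies remain stale after the central one is patched."""
    root = tempfile.mkdtemp(prefix="gdiplus_inventory_")
    layout = {                                   # constructed sample layout
        "Windows/System32": "1.0.200.0",         # central copy, patched
        "Program Files/ProductA": "1.0.150.0",   # bundled copy, stale
        "Program Files/ProductB/bin": "1.0.200.0",  # vendor shipped the fix
        "Program Files/ProductC/lib": "1.0.120.0",  # bundled copy, stale
    }
    inventory: Dict[str, str] = {}
    for subdir, ver in layout.items():
        directory = os.path.join(root, subdir)
        os.makedirs(directory, exist_ok=True)
        path = os.path.join(directory, TARGET_LIB)
        open(path, "w").close()   # empty stand-in for the real DLL
        inventory[path] = ver     # on a real host: read the PE version resource
    found = find_library_copies(root)
    return found, stale_copies(inventory, PLACEHOLDER_FIXED_VERSION)
```

On a real host the version map would be filled from each file's version resource rather than from the constructed table; the comparison and the tree walk stay the same.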

Then there are the issues related to actually fixing the bugs that are
known. Again, Secunia makes it really easy to see. Of the 76 advisories for
Windows 2000 Server, a whopping 20% were still outstanding and one of them
was rated "Highly Critical". Red Hat Enterprise Linux had fewer than 1%
outstanding and it was rated only "Moderately Critical". So much for fewer
security updates meaning you are more secure, and let's not even talk about
the Internet Explorer Web browser, because it is so insecure that the United
States government, through the Computer Emergency Readiness Team, had to
issue a warning to use any browser besides IE [14]. Yet, to use Windows
Update you have to use IE. It's just not fair.

Then there is the issue of design. Linux was designed for a hostile,
Internet-centric world. As people were programming it they knew this, and it
no doubt played a role in the designs of their products. With Linux you will
find that firewalls are enabled by default, users rarely log in as
administrators, server applications run as users that have limited rights,
etc. In Windows these obvious things were an afterthought, finally put into
Windows XP with the creation of SP2, well, mostly. I think it's because of
the mindset that Windows is for end users on either private networks or no
network at all that Microsoft has been hit so hard by security issues. It's
of course equally possible that the issue is entirely different. Maybe they
don't fix the security holes because it's considered a feature. I know they
said as much about the Windows Messenger Service [15] even though it was
being actively used to send banner advertisements to desktops around the
world.

Perhaps Microsoft is finding that the standard software wisdom about bugs
[16] being less expensive to fix before a product ships is true, because
after several years of having security as the number one focus they are as
plagued or more plagued by security issues than ever before. Maybe pouring
money on the problem won't fix it? I mean, come on. Even before Windows XP
[17] we knew these things, but it still shipped with the stupid default
settings and we STILL have 20% of their advisories unfixed. How can anyone
feel safe running on a Microsoft platform?

Linux provides a better paradigm. It costs less, it is more secure, and
perhaps most importantly of all it isn't controlled by a single vendor.
While Red Hat is the largest distributor of Linux and does provide a
comprehensive support system and legal protections for their customers, they
aren't alone. Major companies like IBM, HP, and Novell are all deeply
involved with Linux but none of them are in control of it.

Because of Linux, the future of computing is commodity. By the year 2000,
Linux already represented billions of dollars worth of development effort
[18] and it's owned collectively by each one of us. The savings will follow
and you can count on getting what you pay for or there will be someone else
that is there for you on the terms that you want. The tide has turned and
Microsoft is going to get wet. From my perspective they already are all
washed up.

It's all an issue of attitude. Linux follows the share and share alike [19]
mindset, whereas Microsoft seems to have the greedy mindset of it's all mine
and I want to get paid for it now [20]. Well Bill, Steve, and talking
parrots, that's not very nice. As I have shown there are good reasons for
using Linux as the better alternative to Windows. Give my friends at Red Hat
a call. I am sure they could comp you a copy. Anyway.....

Like I said: It's time for anyone running a Windows PC to switch to Linux.

I really appreciate you taking the time to read my letter and I hope that it
gets you motivated to make the switch or, if you already have, that it just
makes you feel all warm and fuzzy inside.


Sincerely,


Chris Spencer
chris at digitalfreedoms dot org



Links (in order used):

[1] "Spyware on My Machine? So What?", Michelle Delio, December 6, 2004,
http://www.wired.com/news/print/0,1294,65906,00.html

[2] "Your PC May Be Less Secure Than You Think", Paul Roberts, October 25,
2004, http://www.pcworld.com/news/article/0,aid,118311,00.asp

[3] "Get the Facts Home", December 14, 2004,
http://www.microsoft.com/windowsserversystem/facts/default.mspx

[4] "Microsoft 2003 Form 10-K", Retrieved December 16, 2004,
http://www.microsoft.com/msft/ar03/alt/item_one.htm

[5] "The Warped Perspective", Tom Nadeau, June 28, 2001,
http://www.os2hq.com/archives/wp38.htm

[6] "Linux: Fewer Bugs Than Rivals", Michelle Dellio, December 14, 2004,
http://www.wired.com/news/linux/0,1411,66022,00.html?tw=wn_story_top5

[7] "Comparing free and proprietary defect rates", Joe Brockmeier, Retrieved
December 16, 2004, http://lwn.net/Articles/22623/

[8] "License fees and GDP per capita", Rishab Aiyer Ghosh, Retrieved
December 16, 2004, 
http://www.firstmonday.org/issues/issue8_12/ghosh/index.html

[9] "Study: Linux Is Still Cheaper Then Windows", Matthew Broersma, December
14, 2004, http://www.pcworld.com/news/article/0,aid,118937,00.asp

[10] "Secunia - Vulnerability Report - Microsoft Windows 2000 Server",
Retrieved December 16, 2004, http://secunia.com/product/20/

[11] "Secunia - Vulnerability Report - RedHat Enterprise Linux ES 3",
Retrieved December 16, 2004, http://secunia.com/product/2535/

[12] "Secunia - Vulnerability Report - RedHat Enterprise Linux ES 2.1",
Retrieved December 16, 2004, http://secunia.com/product/1306/

[13] "Microsoft Security Bulletin MS04-028", Retrieved December 16, 2004,
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

[14] "CERT recommends anything but IE", John Oates, June 28, 2004,
http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/

[15] "Microsoft's Help System Needs Help", Stuart J. Johnston, Retrieved
December 16, 2004, 
http://www.pcworld.com/reviews/article/0,aid,113742,pg,2,00.asp

[16] "Software Testing", Retrieved December 16, 2004,
http://en.wikipedia.org/wiki/Software_testing

[17] "Microsoft: Bad security, or bad press?", Elinor Millis Abreu,
September 28, 1999,
http://www.cnn.com/TECH/computing/9909/28/ms.security.idg/

[18] "Counting Source Lines of Code (SLOC)", Retrieved December 17, 2004,
http://www.dwheeler.com/sloc/

[19] "GNU Operating System - Free Software Foundation", Retrieved December
16, 2004, http://www.gnu.org/

[20] "Desktop Linux is Windows piracy aide", Michael Kanellos, September 30,
2004, http://www.cnn.com/TECH/computing/9909/28/ms.security.idg/


Vendor Links (for any vendors mentioned, in alphabetical order):
CERT: http://www.us-cert.gov
Cybersource: http://www.cyber.com.au/
IBM http://www.ibm.com/
Microsoft http://www.microsoft.com/
Red Hat http://www.redhat.com/
Secunia http://www.secunia.com/

License: Creative Commons Attribution-NonCommercial-ShareAlike 2.0


About the author
Chris Spencer has been a Unix systems administrator for a decade, a Linux
enthusiast since 1993, and Linux has been his desktop OS since 2002. He
works for Western Illinois University ... but my opinions in no way
represent them (they still use Windows). Above all he believes that open
source software will cure the piracy problem. 


