Archive for the ‘war on fud’ Category

Microsoft: Windows safer / more secure than Linux, Sun Solaris

August 21st, 2007

We’ve come to expect a great deal of FUD from Steve Ballmer, CEO of Microsoft Corporation. But his minions (no offense intended) seem to have picked up on the art, and are doing so quite nicely.

According to Jeff Jones, strategy director in the Microsoft Security Technology Unit, Windows Vista beats Sun Solaris and Linux when it comes to security.

Well, I would hardly expect him to blog about it if the outcome had been in favour of the other side of the software industry.

Still, this is FUD. Why? Because you can’t just compare counts of security leaks waiting to be fixed. It’s like counting the dents on one car, comparing it to a seriously shot up Hummer from Iraq, and then saying that the Hummer is badly manufactured, because the other car only has some dents, while the Hummer has holes. Just about the same deal applies to security issues.

One security issue that needs to be fixed within hours of discovery, for example, is an issue that is remotely exploitable. Say you (for some dark reason) have an Oracle box connected to the internet, without any firewalling (this happens more often than people would like to know or admit to). This Oracle instance is listening on a certain TCP port, so applications can make a connection to the Oracle server and fire off some queries. Then, someone discovers that there is a buffer overflow in the networking code of Oracle, which can give an attacker the same privileges as the user Oracle is running under, including shell access, which could be used to escalate privileges further.

Fine, I think we can all agree on that. (note: it’s still hypothetical – nobody runs Oracle like that).

Now, say we have an issue with a buffer overflow inside one of the command-line tools Oracle provides. This tool is only accessible from the system the tool is installed on, and it does not open any network connections, other than a link to the socket Oracle is listening on. With some specially crafted commands, you can trigger the buffer overflow and gain privileges. But(!) you already have those privileges. Otherwise you wouldn’t be able to execute the binary. There would however be a danger if the binary were installed setgid or setuid, or run through sudo. But in such a case, once the problem is announced, a sysadmin can take away those rights.

Not so hypothetical that one. Happens quite a lot.
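The "take away those rights" step for setuid and setgid binaries, as an added example that is not part of the original post: a small shell audit that lists files carrying those bits under a directory and strips them. The directory and the file names `tool_a`, `tool_b` and `tool_c` are constructed for the demo; sudo rules are not covered here.

```shell
#!/bin/sh
# Added example: find setuid/setgid files under a directory and remove
# those bits, so a local bug in the tool no longer crosses a privilege
# boundary. Paths and file names below are constructed for illustration.

# Print every regular file under $1 that has the setuid (4000) or
# setgid (2000) bit set, one path per line. Stays on one filesystem.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Remove setuid and setgid from every file list_privileged reports
# under $1, and print each path that was changed.
strip_privileged() {
    list_privileged "$1" | while IFS= read -r f; do
        chmod u-s,g-s "$f" && printf 'stripped: %s\n' "$f"
    done
}

# Build a throwaway tree with one setuid tool, one setgid tool and one
# ordinary tool, then show the audit before and after the fix.
demo() {
    d=$(mktemp -d) || return 1
    for n in tool_a tool_b tool_c; do
        printf '#!/bin/sh\n' > "$d/$n"
        chmod 755 "$d/$n"
    done
    chmod u+s "$d/tool_a"   # constructed setuid binary
    chmod g+s "$d/tool_b"   # constructed setgid binary
    echo "before:"; list_privileged "$d"
    strip_privileged "$d"
    echo "after:";  list_privileged "$d"
    rm -rf "$d"
}

demo
```

On a real system, review the list before stripping anything: some system binaries need these bits to work, and the vendor's documentation decides which of its own tools do.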

Now, from a security officer standpoint, the second issue really doesn’t bother me that much. The system is behind a firewall, and almost nobody has actual access to the box.

Jeff Jones however, sees those two as equals, and states that the second issue is as big a deal as the first, while anyone can tell you the second issue isn’t much of a big deal. Unix land does not feel much urgency to fix that issue; there are more important issues to deal with (like the one in the first example).

So, once again, it’s a matter of personal perception. In the case of Jeff Jones, this perception is dictated by corporate policy. That makes this whole research report flaky at best, and downright biased at worst. And that my dear readers, makes it FUD.

War on FUD is a series of blog posts I have made, concerning all manner of FUD and why intelligent lifeforms should not pay attention to it.

Steve Ballmer : Linux is not free

February 21st, 2007

One of the nice things about Steve Ballmer, the CEO of Microsoft Corp., is that he always is full of FUD.
This time, he continues on the subject of my previous ‘war on fud’ post, where he stated that “linux users owe Microsoft”.

According to this article on ZDNet, he repeats his threats against Linux, and states:

“I would not anticipate that we make a huge additional revenue stream from our Novell deal, but I do think it clearly establishes that open source is not free, and open source will have to respect the intellectual-property rights of others, just as any other competitor will,”

So, let us first focus, once again, like I have done countless times over the last 8 years in this business, on the word “FREE”, and what better than to quote Richard Stallman (once again), whose most famous words are without a doubt:

“Think Free Speech, not Free Beer”

No one ever said opensource software is free of charge, no one ever said you can not make a lot of money on opensource. You are allowed to charge people for using your opensource product. You may NOT however, withhold the source code of your product from them. That is what opensource is all about, giving your customers and users the ability and right to review, modify, and analyse the product they are paying for.

Now sure, a lot of open source software comes free of charge. Ubuntu is a mere download away, and can be used without having to pay anybody. Red Hat Enterprise Linux comes at a fairly hefty (and if you ask me, unreasonably high) price, but there’s always the free-of-charge variant: CentOS. However, does this mean that the software you download is actually free? No, someone spent time on it, which gives it value. You need to download it, install it, and configure it, which makes it costly. A good engineer can do this in little time, with little effort, and yes, at as little cost as humanly possible. It’s still cheaper (and arguably faster) than installing Windows 2003, configuring it, and deploying all the hot fixes and security patches.

So once again Steve, you missed the boat, the car, the plane, the space shuttle, and most importantly of all: the message! Go back to school, and learn. I’m not saying Open Source is better than Windows, though I clearly have my preference plastered all over this website. I am saying however:

The modern internet and IT infrastructure on a global scale will consist of both closed software and open software working together and existing together. Each has its strengths and weaknesses, and its applied purpose in the field.

So can we please, once and for all, stop with all the marketing BS, and focus on making software better, faster, more secure, whether or not it is open or closed software? They will have to exist together anyway, so better join forces. (Like Microsoft already has since they used the FreeBSD TCP/IP stack for Windows ever since Windows 2000 – not so shy of Open Source when it’s needed hey Steve?!)

Hypocrisy has no place in business, it clutters our vision from the truly important matters: building good software and environments with which to serve our respective customers.

So why is this statement from Steve Ballmer FUD?

It’s quite simple: if Linux had truly contained patented (oh, we don’t have software patents in Europe, thank goodness) technology from Microsoft, Microsoft would have sued individual developers and Linux distributions (Ubuntu, Red Hat, SUSE) a long long time ago. The purpose of this statement is simply to discourage American companies from considering the switch to an Open Source product like Linux. Fear, Uncertainty and Doubt, in its most vicious, disgusting form.


Microsoft: Linux owners owe Microsoft

November 18th, 2006

At least, that is what Steve Ballmer claims in an interview. This so smells like another round of FUD from Microsoft.

Mind you, he does not deliver any form of proof, but it’s more a continuation of the deal with Novell earlier this week, where Microsoft agrees not to sue users of Novell products (like SUSE Linux).

Oops, big mistake Steve. Not only are you putting your personal petty issues with Linux as a competitor on record, but you could also easily get the full wrath and anger of IBM on your neck. I think companies, and certainly management, should refrain from such remarks, certainly if they come without a shred of evidence.

Instead of focussing on creating FUD like this among your customers (plenty of companies use Linux, FreeBSD, Mac OS X, and Windows side-by-side), you should work on improving interoperability. Most of the code for Linux was written in countries where your silly software patents do not apply anyway, so suing will most likely win you nothing, and will cost you a lot.

I thought you understood by now that FUD is something warmongering nations do, and after being convicted of illegal business practices, Microsoft understood the importance of having good relationships with the open source community. But no, the corporate mentality of Microsoft has once again prevailed over common sense. Steve, you can not fight open source, it would be fighting breathing. Every now and then in human history a group of people (the open source community) will rally behind a common idea to make things better, and that is a thing which is hard to beat.
