Windows vs Linux security report card redux

Jeff Jones has expanded his project to count security flaws (publicly reported and fixed) in the major workstation operating systems and his latest numbers show Windows Vista has by far the best security profile when compared to the major Linux distributions.

Jeff Jones, security strategy director in Microsoft’s Trustworthy Computing group, led a TechEd 2007 discussion on the metrics and techniques used to keep track of vulnerabilities and offered a glimpse at his upcoming report card that compares flaws found/fixed during Vista’s first six months on the market against Windows XP, Red Hat Enterprise Linux 4 WS (full), Ubuntu 6.06 LTS (full), Novell SUSE Linux Enterprise Desktop 10 (full) and Mac OS X 10.4 (Tiger).

Full Post.



The Master of All FUDMeisters

This series of 'studies' gets smashed to pieces time after time and time (see comments in the article for example), but it doesn't stop Microsoft from publishing false figures (READ: lies) and sticking them in pamphlets. Some industry supervision ought to step in and handle this case of misleading benchmarks. They got caught before (e.g. cheating in IBM benchmarks in the most ridiculous of ways. They more recently did this to Novell).

Oh look, another "study"...*yawn*

*Switches to salesman voice*

Do you have a problem with a competitor?

Are you having a difficult time keeping up with them?

Well, don't worry! If you can't compete fairly, attack them publicly!

With the new FUDMASTER-2000!

Order yours now, and we'll throw in a free DVD tutorial!

In the DVD, get great hints and tips to FUD your competitors! They won't know what hit them!

If you call in the next 10 minutes, we'll throw in a complimentary "throwing chair"! It's a great stress reliever when your competitor annoys you! This is the same one used and certified by Microsoft CEO, Steve Ballmer!

Only 12 easy payments of US$29.95!

Act now!

*Switches OFF salesman voice*

Seriously though, we've been here before.

A Microsoft rep or a paid third-party presents a study which favours them.

They've done it with:

(1) "Get the Facts" website. (LOTS there!)

(2) Bill Hilf (Head of MS's Linux Lab) did it in an attempt to show Linux uses just as much hardware resources as Windows... This failed miserably when you realise the system you need to run Vista (with all the eyecandy) smoothly.

(3) Attack GPL v3!
http://arstechnica.com/news.ars/post/20070522-microsoft-funds-questionable-study-attacking-gpl-3-draft-process.html

(4) And now this!

The fact is, such studies don't work on us. And how we beat them is to question and explain to others why one should be very skeptical. Any open-source geek knows charts and statistics can be manipulated to favour anyone. All one needs to do is select the right influencing factors to affect the result.

To be honest, you should ignore it. (like the other ones that fade into memory).

Come to think of it, we should file every study MS conducts or pays to be conducted in an archive.

Better yet, we should start a website that collects all MS's propaganda and documents the tricks they do! It'll help MS's future competitors! (Gives them a clear view of what to expect!)

More in Tux Machines

mesa 20.1.0

Hi all,

I'd like to announce Mesa 20.1.0, the first release for the 20.1 branch.

Being the first release of this new branch, there can be issues that
will be discovered now that the new code will be widely used, so you may
want to stay on the 20.0.x releases until the 20.1.1 release, scheduled
for 14 days from now on 2020-06-10.

One already known issue that I want to point out is that Unreal Engine 4
has a bug in its usage of glDrawRangeElements() causing it to be
called with a number of vertices in place of the `end` parameter,
that was recently revealed. This is an annoying bug that we haven't
worked around yet. For more details:
https://gitlab.freedesktop.org/mesa/mesa/-/issues/2917

Eric

---

Andrii Simiklit (1):
      i965/vec4: Ignore swizzle of VGRF for use by var_range_end()

Bas Nieuwenhuizen (4):
      radv/winsys:  Remove extra sizeof multiply.
      radv: Handle failing to create .cache dir.
      radv: Do not close fd -1 when NULL-winsys creation fails.
      radv: Implement vkGetSwapchainGrallocUsage2ANDROID.

D Scott Phillips (1):
      anv/gen11+: Disable object level preemption

Danylo Piliaiev (3):
      meson: Disable GCC's dead store elimination for memory zeroing custom new
      mesa: Fix double-lock of Shared->FrameBuffers and usage of wrong mutex
      intel/fs: Work around dual-source blending hangs in combination with SIMD16

Dave Airlie (1):
      llvmpipe: compute shaders work better with all the threads.

Eric Engestrom (4):
      .pick_status.json: Update to a91306677c613ba7511b764b3decc9db42b24de1
      tree-wide: fix deprecated GitLab URLs
      docs: Add release notes for 20.1.0
      VERSION: bump to 20.1.0 release

Erik Faye-Lund (1):
      zink: use general-layout when blitting to/from same resource

Gert Wollny (1):
      r600: Fix duplicated subexpression in r600_asm.c

Hanno Böck (1):
      Properly check mmap return value

Icecream95 (1):
      panfrost: Fix background showing when using discard

Jason Ekstrand (3):
      nir/lower_double_ops: Rework the if (progress) tree
      nir/opt_deref: Report progress if we remove a deref
      nir/copy_prop_vars: Record progress in more places

Kristian Høgsberg (1):
      freedreno: Use the right amount of &'s

Nataraj Deshpande (1):
      dri_util: Update internal_format to GL_RGB8 for MESA_FORMAT_R8G8B8X8_UNORM

Pierre-Eric Pelloux-Prayer (1):
      amd/addrlib: fix forgotten char -> enum conversions

Rhys Perry (1):
      nir: fix lowering to scratch with boolean access

Rob Clark (1):
      freedreno: clear last_fence after resource tracking

Samuel Pitoiset (2):
      radv: handle different Vulkan API versions correctly
      radv: update the list of allowed Android extensions

Timothy Arceri (2):
      glsl: stop cascading errors if process_parameters() fails
      glsl: fix slow linking of uniforms in the nir linker

Vinson Lee (3):
      r600/sfn: Initialize VertexStageExportForGS m_num_clip_dist member variable.
      r600/sfn: Use correct setter method.
      freedreno: Add missing va_end.

git tag: mesa-20.1.0
Also: Mesa 20.1 Released With Numerous Linux Graphics Driver Improvements

Android Mirroring App ‘Scrcpy’ Just Added a Bunch of New Features

If you read this blog regularly enough you’ll be familiar with scrcpy, an ace root-free way to mirror your Android smartphone on your Ubuntu desktop and interact with it. Scrcpy is free, it’s open source, it’s awesome. Oh yeah, and it’s updated regularly! Which is what this post is about: telling you what’s new and notable in the latest release, scrcpy 1.14 — so let’s get to it!

GTK 3 Software: Screenkey and Sunflower

Security Leftovers

  • Security updates for Wednesday

    Security updates have been issued by Debian (drupal7 and unbound), Fedora (libEMF and transmission), Mageia (dojo, log4net, nginx, nodejs-set-value, sleuthkit, and transmission), Red Hat (rh-maven35-jackson-databind), SUSE (dpdk and mariadb-connector-c), and Ubuntu (thunderbird).

  • Security flaw in ARMv7 allows hackers to gain control over smart cars

    Security vulnerabilities are quite commonly found in autonomous and semi-autonomous vehicles that feature a number of smart technologies and applications to improve vehicle safety and driving experience. Last week, security researcher Till Kottmann discovered a misconfiguration in the Git web portal of Daimler AG, the automotive company behind the Mercedes-Benz car brand, that allowed him to create an account on Daimler's code-hosting portal and download more than 580 Git repositories containing the source code of onboard logic units (OLUs) installed in Mercedes vans. According to Kottmann, there wasn’t any account confirmation process in the company's official GitLab server, which allowed him to register an account using a non-existent Daimler corporate email. He was able to download 580 Git repositories from the company's server and made them publicly available by uploading the files in several locations such as file-hosting service MEGA, the Internet Archive, and on his own GitLab server. Last year, researchers at Pen Test Partners uncovered critical security holes in popular car alarms that could have been exploited by cyber criminals to unlock car doors, activate car alarms, and turn on car engines, all of which could allow criminals to steal cars with great ease. The firm found how certain third-party car alarms, whose sellers claim to offer enhanced security to owners of keyless entry cars, featured gaping security holes that allowed criminals to geo-locate cars in real time, find out the car type and details of their owners, disable car alarms, unlock cars, disable immobilisers, and even kill car engines when they were running.

  • Meet unc0ver, the new jailbreak that pops shell—and much more—on any iPhone

    Unc0ver, by contrast, works on any device running any version of iOS released since September 2017 or later. The flaw the new jailbreak exploits is located in the OS kernel. That means that unc0ver is less capable than Checkm8 is of disabling or bypassing certain iOS restrictions and security mechanisms. For example: unc0ver provides no access to JTAG, an interface for debugging and emulating processors.

  • Josh Bressers: Broken vulnerability severities

    This blog post originally started out as a way to point out why the NVD CVSS scores are usually wrong. One of the amazing things about having easy access to data is you can ask a lot of questions, questions you didn’t even know you had, and find answers right away. If you haven’t read it yet, I wrote a very long series on security scanners. One of the struggles I have is there are often many “critical” findings in those scan reports that aren’t actually critical. I wanted to write something that explained why that was, but because my data took me somewhere else, this is the post you get. I knew CVSSv3 wasn’t perfect (even the CVSS folks know this), but I found some really interesting patterns in the data. The TL;DR of this post is: It may be time to start talking about CVSSv4. It’s easy to write a post that made a lot of assumptions and generally makes facts up that suit whatever argument I was trying to make (which was the first draft of this). I decided to crunch some data to make sure my hypotheses were correct and because graphs are fun. It turns out I learned a lot of new things, which of course also means it took me way longer to do this work. The scripts I used to build all these graphs can be found here if you want to play along at home. You can save yourself a lot of suffering by using my work instead of trying to start from scratch.