Exactly how biased am I?
Wed, 2007-02-21 00:07
I expect that as soon as we get into any meaty and interesting discussions, my current place of employment (Microsoft) will come into play, combined with assertions that I must be biased. It is fairly predictable, so I thought it might be interesting to just pre-empt it and open the question myself.

I’ve been a Director at Microsoft for a little over four years now, in the security group that works to drive security improvement across the company. For that alone, some may condemn me, so let’s dig into it.

In the engineering program at Purdue University, we all used Unix accounts and to this day, my fingers remember the key “vi” editing commands. My workstation and development platform for my first four years of work was a Sun workstation. Working from home after that, I used Slackware Linux as my primary workstation for two years starting in 1994. When we turned the TIS Firewall Toolkit into the Gauntlet firewall, we did it on BSD/OS. (BTW, does anybody remember how “fun” it was to get two ethernet cards working on BSD?) Basically, I’ve used and done security analysis on most common operating systems over the past 20 years – even some uncommon and interesting proprietary ones by Unisys, Tandem and HP. In fact, over 75% of my security career came before Microsoft.

How did I end up at Microsoft? Let’s go back in time five years. At that point, it was commonly accepted by most people that Microsoft had some security problems. In contrast, most folks thought the Unix and Linux community (and vendors) historically had a better approach to security and would build on that. Around that time, I got a call from a respected former colleague (Steve Lipner), who convinced me that Microsoft management was committed to improving security across the company and was taking real steps to do it. I was skeptical, but ultimately convinced enough to join – where better to have real impact in computer security?

Still, I like to be practical about security. Does your team have deep Unix skills and no experience on Windows? If so, your risk will be better managed on some sort of Unix system, regardless of whether Microsoft security is better, worse or indifferent.

So, I’ve been around security a while and in the past four years I’ve personally participated in steps at Microsoft that, in my mind, are resulting in improved security for customers. Is it perfect? No. Are the products much better than predecessors? Certainly so. Is security improvement happening on Linux and Unix? Definitely. Who is doing better? Ah, that brings us back to the question doesn’t it – by what metric?

Am I biased? I do not think so, but let’s just all keep assuming I am, because I don’t mind. If I make comparisons, I’ll lay out my metrics. I’ll lay out my assumptions. I’ll describe the methodology. Then, if you want to dispute the results, debate the assumptions, or critique the methodology, I’ll ask the same of you. Regardless of the outcome, all sides will get presented, progress is made and that’s a win for interested readers.

Best regards ~ Jeff
Reader Feedback
Tue, 2007-07-31 20:14
Wrong to say Vista is more secure.
By Fausto

So, people have found fewer vulnerabilities in Vista and that's why you say it is more secure?? Wrong. The fact of finding more/fewer vulnerabilities over a period of time does not mean a product is more secure. Second, you should be talking about trust, not security. So, following your same game, if I want to have a trusted operating system, should I buy the one that has fewer vulnerabilities over a period of time? Man, then I should not buy any Windows product. Linux can have more vulnerabilities than Windows, but because people find more vulnerabilities in Windows, then Linux is more secure, is that right? Lesson: do not say that a product is more "secure" because of the number of vulnerabilities found, and find other valid parameters.
Greetings.

Thu, 2007-07-05 18:57
"So, I work for Microsoft.
By Anonymous

"So, I work for Microsoft. So what."

Nothing. If you're happy, all of us are happy. If words like innovation, security, responsibility, honesty and truth don't mean anything to you, that's ok: Microsoft is your place ;).

Good luck!!! :) :)

Fri, 2007-06-29 19:12
Let me start by saying 'I love linux.'
By Doctari Yojimbo

I love linux. It's true. I love it. But I make my living as a Windows Network Admin. Most places I've worked had dozens of windows boxes and maybe one or two linux boxes, that I added. I'm OK with that. See, the problem is you're facing an uphill battle. You probably understand security better because you have worked on other older OSes. And you are trying to bring some of that knowledge into Microsoft. That's great. But, you are not the main spokesperson for Microsoft. You are probably not the computer expert that is cited by many of the 'Microsoft financed' reviews of other OSes. Microsoft has a bad tendency to block out anyone that doesn't agree with their corporate philosophy or finds fault with their results. Many of their OEM contracts have, historically, forbidden PC manufacturers from offering other OSes as an alternative to Windows. Their PR people tend to make disparaging comments about Linux without backing it up. And they sue smaller companies, even when they know they don't have a case, because they know the little guy can't afford prolonged legal battles. Microsoft takes already established tcp/ip standards and makes them incompatible with any other OS. Instead of using the protocols as written or creating a new RFC, they make everyone else rewrite their code to either ignore or support their changes. I don't think the fact that Linux is free makes it better. I don't think that the Open Source concept necessarily makes it better. I think it's the Linux community's attitude that makes it better. Almost all of the great linux software out there is contributed by someone, who in most cases, just wanted to solve a problem. And when they got stuck or had an unsolvable problem they could ask for help without someone sticking out their hand and asking for $400. There was a time when Microsoft offered free tech support. There was a time when you could call them and actually get some of the developers on the phone to answer a really deep technical question.
Most Linux developers have tried to work with Microsoft's creations to complement or enhance their functionality. They aren't trying to stomp all over Microsoft. The work you're doing is great. Keep it up. It is needed, but until Microsoft's corporate philosophy changes don't expect anyone to see you as a separate entity. Maybe not all WWII German soldiers hated Jews or were evil selfish men, but that is who they aligned themselves with and so we still tend to see all of them as Nazis.

Thu, 2007-06-28 13:01
Operating system security
By Johnwhelan

I think it's probably worthwhile asking the question what are the end user requirements, and the answer to that is a basic level of trust and reliability.

I have no problems with trusting Vista to be secure; I do have problems with an operating system that may be disabled remotely by the vendor or someone else. I can't afford the domestic problems if other family members are unable to use email for any reason.

Reviewing the report I get the impression that flavours of Linux are now approaching XP SP2 levels of security and I think that is in the acceptable risk zone. That's why for my next home machine Linux will be given consideration. I have one program to get working on Linux but that is all, and I understand this program has been run under Linux by others.

I understand that for teleworkers they have to return their workstations physically back to the workplace every 180 days to reverify their operating system.

Cheerio John

Mon, 2007-07-16 15:02
Vista can Activate over VPN
By Jack

Per the article at http://technet.microsoft.com/en-us/windowsvista/bb335291.aspx
Vista can Activate via VPN, so you do not physically have to return to the workplace.
/Jack

Thu, 2007-06-28 04:55
serendipity!
By jeitobob

Thanks for your forthright disclosure of information! I will be visiting your blog to read not only your articles but also the talkback, as you conduct your discourses with other professionals very tersely and with clarity. It is very refreshing, as even tech/software sites lately all leave a heavy and kind of snarky taste in my mouth, as if I just ate a bowl of bull. I hope more of your colleagues and professional equals visit and continue discussions and conjectures with you, as it is very interesting for me to hear such things debated at an intelligent level.

Thanks again!

Wed, 2007-06-27 23:16
Are you biased?
By loki99

Of course you are, Jeff! ;)

Vista's/Windows security is your baby. You and your team are working hard to improve it, so it is not only human but unavoidable to be biased.

A nice summary of what seems to be wrong with your conclusions, is to be found here.

Best regards,

Georg

Wed, 2007-06-27 17:33
... nice comments ...
By Bill

Though I'm not a fan of Windows, I do find this type of reporting a fair assessment. When using valid methodology to effect comparisons, defining the metrics utilized, and restricting truly subjective assessments, you're not only providing a fair service, but also doing it (from the perspective of pro-Other/anti-Windows fans) with a reasonable knowledge of both.

I would be truly surprised, however, if your blogs on relative OS security would show Windows at a significant disadvantage. Though I believe your intent for lack of bias, I also believe that Microsoft is careful in what is allowed as public information.

The previous two comments here, though perhaps a large volume of responses, fortunately do not represent the majority of your informed opposition. Again, though I consider myself a fairly adept Windows user (work requires that), I am not an avid fan. However, all too often I see the inflammatory or defamatory posts that serve no good other than making the poster feel stronger by providing the "me too" or "you stink" comments.

Keep up the informed posts.

-bill

Tue, 2007-06-26 13:41
Regards
By Dave

Very interesting article! It is truly a shame that some people have to let paranoia abound. Why do they have to assume that you are biased? The school I work for has excellent curriculum and programming for our students. But I do not have a problem stating when another district does it better. From what I read, you are as open as that. Your last paragraph is well stated - but I would add that it is not only a win for interested readers, but for the computer industry as a whole.

Sat, 2007-06-23 01:10
comp OSX - Vi(e)sta etc
By Jan

Stupid assh... Why tell lies? Your M$ loyalty? Buy a Mac and be happy!
