Microsoft security expert Roger Grimes says in his blog that being different doesn't make you secure, or at least that there is nothing wrong with a monopoly. He is right that just because you are different does not mean that you are automatically safe, but the rest of his argument is weak.
He is arguing that having a monopoly doesn't make you insecure just because everyone goes for you; what makes you vulnerable is writing poor code. He has a point as far as it goes, but for years we have known from game theory and biology that monocultures are more profitable targets than diverse systems, hence there is more pressure to find weaknesses in them, and a weakness, once exploited, can cause chaos across the whole population.
We know that the number of defects is directly related to the size of the code base and the complexity of the system. Windows has more lines of code and is an intrinsically more complex operating system than Linux, Unix and Mac OS X, therefore Windows will have more bugs in it.
Windows tends to be run by people with little or no security training and therefore tends to run in its default state. As we know that by default Windows is less secure than Linux, that makes Windows more vulnerable. Both can be made a lot more secure with proper configuration and both can be made very insecure...
The various Linux/Unix systems are all subtly different from each other. Sometimes this can be annoying, but in a security scenario it makes each attack on them subtly different, which puts the crackers off a tiny bit more.
The result is that:
It's not surprising that over 99% of all viruses are exclusive to Windows systems.
He is arguing that Microsoft products get the most viruses because they are insecure and that Linux gets fewer because it is safe, which is the opposite of the normal Microsoft position, the "we are the most common so we get the most viruses" argument.
The truth is that security is not a single-dimension problem. You just can't make sweeping statements and generalisations without looking at all the facts.
For much of last week and this week I've been working on an interface between one of our pumps and SAP. It has not been the easiest process, lots of little problems, but it had mostly come together by yesterday. Today we learned that the pump in question will be manufactured for at least another 6 months with three incompatible interfaces. It means a lot of unexpected work at a time when I don't have any extra time to do more work.
I think the business will be reasonable and accept a delay - they are after all getting three times the work, but that eats into following projects which other parts of the business won't be happy with.
The Perl and Unix/Linux side of the work has been dead easy. Even the SAP development has turned out to be quite simple; I have mostly just made minor tweaks to existing code. The Windows side has - as is to be expected - been the most complicated and difficult part of the development. Nothing on Windows is easy or straightforward - everything is complicated and obtuse - it's no wonder most software for Windows systems is buggy and unreliable when the underlying platform is so awkward.
The current British government is trying to convince the population that we are in the grips of deflation and that the solution to our debt problems is to borrow and spend our way out of them. Because we face deflation rather than the more typical inflation we are safe to borrow and spend - which would otherwise be dangerous - indeed borrowing and spending helps to combat deflation - they say.
It is true that deflation, or a shrinking of the money supply, which normally means that things get cheaper, is not a good thing. However I don't see the same deflation that the government sees: all the things I buy, such as basic food ingredients, are going through the roof in price, and imported goods and foods are rising even faster.
It's all a feeble attempt to prop up the housing bubble by mortgaging the nation's future to pay for the greed and ineptitude of the current ruling classes. I'm not anti-Labour or anti-Tory but I am stridently opposed to the pocket-lining politicians running the place.
Come the Liberal revolution, I know who I'd have lined up against the wall...
Yesterday we went to see Grimethorpe Colliery Band in concert. The programme was a bit short but they were still brilliant and it was a very entertaining evening.
In a recent blog Steven J. Vaughan-Nichols states that Linux and Windows are Different. He is quite correct that Microsoft software comes out on a very slow release cycle and that bug fixes come out at regular monthly intervals, often after the bugs are already being exploited in the wild. In comparison, open source software is released far more frequently.
I think it's a bogus argument in the context of Steven's blog, however he has made an observation about the frequency of change which is interesting.
The upshot is that a typical Linux user will have a continuous upgrade or improvement cycle. Bug fixes and security patches will be made available quickly, often before exploits are available. Depending on the software distribution this continuous improvement could actually be quite annoying and painful, but for most it's painless and routine.
A Windows user installs Windows and it stays the same for long periods of time, punctuated by infrequent but usually painful upgrades. It is not uncommon for a machine to be physically disposed of rather than be upgraded. In the event of a major security flaw being discovered, Windows users are often left exposed for days or weeks before Microsoft are able to respond.
Basically upgrades and changes are painful. Microsoft aim to reduce the pain by making changes infrequently, Linux distros aim to make the upgrade painless so the frequency is no longer a problem. That is a difference.
The long period of relative stability with Windows XP has clearly caused pain for Microsoft with a lot of resistance from customers, unwilling to upgrade to the clearly superior Windows Vista.
Microsoft have dug an awfully big hole and are now standing at the bottom of it. The current economic condition is a bit like pouring a few tonnes of raw sewage on top of them...
Basically Microsoft failed to replace Windows XP quickly enough with Vista. Windows is a swine to get right, and previously Microsoft's continuous moving of the goal posts prevented anyone from settling down and getting things just right. Vista came out far too late; people had finally got XP working right and were not keen to start all over again.
To most non-Windows users Windows Vista looks okay: it's slow and not exactly innovative when compared with Mac OS X or Linux, but it seems to work okay. With Windows users it is less popular, lots of legacy Windows programs don't work and Vista is missing lots of drivers for existing hardware - it's also slower than XP and takes a lot of relearning.
Microsoft panicked and have pretty much abandoned Vista allowing people to buy Vista but actually install and run XP. They then rushed out a fairly insignificant service pack and when that failed to work, announced that a new version of Windows would fix everything.
Reports in the press now suggest that companies have no plans to migrate to Windows 7 - the current economy precludes unnecessary expenditure and even Microsoft will allow people who buy Windows 7 to freely "downgrade" to Windows XP...
It is madness, they have dug a big hole and don't know how to get out of it... Even killing off Windows XP isn't going to help Vista sales now that Windows 7 is on the horizon. Microsoft will have to kill XP and Vista and hope that something new arrives that only works with Windows 7.
Given Microsoft's appalling track record in innovation and most companies' fear of them, it's unlikely that anything is going to come along that will save their bacon. The best they can hope for is a destructive computer virus that XP is very vulnerable to but Vista/7 is resistant to - which isn't too outlandish, Microsoft killed NT4 and 2K with that trick before...
So far this year I've not seen many people use IE8 to visit my web site. Of the IE users, IE6 is still by far the most common version with 68.5% of the IE user-base, with IE7 coming in a very poor second with only 27.5%. At the moment there are more IE5 and IE4 users out there than IE8 - that can't be good news for Microsoft.
Amongst Firefox users, 82.8% are on the latest version, which should give them the best possible user experience and the safest browsing possible with the Firefox platform.
Comparing the two and excluding all other browsers, the most popular browser on 48.1% is IE6, followed by FF3 on 24.7% and in third place is IE7 on 19.3%. The overall split of IE to FF is very much as last year - no major change. Microsoft are still holding on to their monopoly but dangerously for them they are getting very little upgrade to newer versions.
As with browsers, Windows users seem to be reluctant to upgrade to the latest version of Windows. XP still outnumbers Vista users by an order of magnitude, which can't be good news given that XP is antique and Vista itself is due for replacement this year...
I check my server logs almost every day. I'm mostly looking for broken links or strange behaviours. For example, a few years ago I spotted a lot of bandwidth theft from MySpace users so I put a stop to that, and this spring I saw a lot of probing for PHP bugs (I don't use PHP myself, but other less fortunate people do). Normally I'm not interested in what people actually look at on the server.
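The two log checks described on this page, the browser version breakdown and spotting probes for PHP bugs on a server that serves no PHP, are easy to script. The following is an added example, written for this page in Python rather than the blog's own Perl, and it is not the script used for the figures above. The log lines it reads are constructed Apache "combined" format lines with documentation IP addresses, and the set of PHP probe paths it looks for is an assumption: on a site with no PHP at all, any request for a `.php` path is a scanner, so the match does not need to be clever.

```python
"""Parse Apache combined-format access log lines, report browser version
share for IE and Firefox, and flag requests for PHP paths on a host that
serves no PHP.  Added example; the log lines are constructed, not real."""
import re
from collections import Counter

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed probe signature: on a site with no PHP, any .php request is noise
# from a scanner.  /phpmyadmin/ is included as a commonly probed PHP path.
PHP_PROBE = re.compile(r'\.php\b|/phpmyadmin/', re.IGNORECASE)

# Constructed sample: four ordinary visits, two probes from one host,
# and one malformed line that the parser must skip rather than crash on.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2009:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.6 - - [12/Jan/2009:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.5) Gecko/2008121622 Firefox/3.0.5"
203.0.113.7 - - [12/Jan/2009:10:00:03 +0000] "GET /dns.html HTTP/1.1" 200 8000 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
198.51.100.9 - - [12/Jan/2009:10:00:04 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [12/Jan/2009:10:00:05 +0000] "GET /admin/config.php?cmd=id HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.8 - - [12/Jan/2009:10:00:06 +0000] "GET /dupes.html HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split()
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def parse_log(text):
    """Parse every well-formed line; malformed lines are dropped, not fatal."""
    entries = (parse_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def is_probe(entry):
    return PHP_PROBE.search(entry["path"]) is not None


def php_probes(entries):
    """Count PHP-path requests per client IP; each hit is a scanner, not a reader."""
    hits = Counter()
    for e in entries:
        if is_probe(e):
            hits[e["ip"]] += 1
    return hits


def browser_family(ua):
    """Return ('IE', major) or ('Firefox', major) from a User-Agent, else None."""
    m = re.search(r'MSIE (\d+)', ua)
    if m:
        return ("IE", int(m.group(1)))
    m = re.search(r'Firefox/(\d+)', ua)
    if m:
        return ("Firefox", int(m.group(1)))
    return None


def version_share(entries, exclude_probes=True):
    """Percentage of IE/Firefox requests per (family, major version).

    Scanners usually send a fake browser User-Agent, so probe requests are
    excluded by default to keep them from skewing the version figures."""
    counts = Counter()
    for e in entries:
        if exclude_probes and is_probe(e):
            continue
        fam = browser_family(e["ua"])
        if fam:
            counts[fam] += 1
    total = sum(counts.values())
    if not total:
        return {}
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ip, n in php_probes(log).most_common():
        print(f"PHP probes from {ip}: {n}")
    for (family, major), pct in sorted(version_share(log).items()):
        print(f"{family} {major}: {pct}%")
```

Excluding the probe requests matters more than it looks: in the sample the scanner claims to be IE6, so counting it would push IE6 from 25% to 50% of the browser share. Filtering on the path rather than the User-Agent is what makes the check reliable, because the path is the one thing a scanner cannot lie about.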
The search word hits that show up are interesting though. The top word hits for 2009 are:
I host my sister-in-law's stable web site Les Ecuries d'Enguerrand, I wrote an article on how to set up Dynamic DNS and DHCP on Debian and I wrote a Perl script for finding duplicate files - an interesting subset of the site. Last year XML/RSS and XSLT were popular search terms, but not this year...