http://www.linuxworld.com/story/47536.htm
Linux Opinion: An Open Letter to a Digital World
"The Windows platform is not just insecure - it's patently,
blatantly, and unashamedly insecure by design"
December 18, 2004
Summary
As a Linux desktop user himself, system administrator Chris
Spencer did not relish having to clean up his wife's
infected Windows PC after it had become compromised. By the
time he'd solved the immediate problem, Spencer had become
so fed up with spyware, trojans, viruses, and spam, that he
decided it was time to write a letter to the world. It's a
simple message: it's time to switch from Windows to Linux.
"The letter serves as a guide," Spencer explains, "taking
you through some of the history of Microsoft right up to
this present day."
To Anyone Who Will Listen,
Recently I was reading an article from Wired magazine
talking about the Windows spyware problem [1]. It was
unbelievable to me that people would choose to use programs
that they know make all their personal information
available to companies. It turns out that 80% of Windows
users suffer from spyware [2]. I read many articles like
these but always thought that these people have problems
just because they aren't careful. Maybe they don't run
anti-virus, they don't use a firewall, or they browse seedy
sites and download applications for seedy activities. It
turns out though that is not the case.
My wife discovered that her computer had been infected by
spyware and trojans despite the anti-virus, regular Windows
updates, having the good sense not to open attachments,
using a firewall, and avoiding any type of seedy activities
online. As best we can tell someone exploited IE
transparently while she searched for medical information to
help our nephew.
The clean up from these types of infections is great fun. I
spent not less than 5 hours running about every spyware
prevention program known to man. Each one searching for
those pesky files and registry settings. The worst thing of
all was that, once I cleared them off the disk, simply
starting Internet Explorer would reinfect the whole system.
Seriously, it was great fun and I did, eventually, have the
satisfaction of beating the problem. That's right - a
system administrator for 10 years with a degree in computer
science and an RHCE CAN clean up a single spyware infection
in 5 hours.
I hope you see what I am really saying here. How on this
earth are people that aren't trained in Information
Technology going to do it? As a Linux desktop user, I had
never been exposed to this type of problem. Having now
battled with spyware, I am finally motivated to speak up
and say something to the world. I want to get a single
message across:
It's time for anyone running a Windows PC to switch to Linux.
You see, the Windows platform is not just insecure - it's
patently, blatantly, and unashamedly insecure by design and
for all the lip service to security it's really not going
to get better, ever. To make matters worse, it's more
expensive and gives you fewer necessary applications right
out of the box than Linux. Everyone, even Microsoft, knows
this - they are just too afraid to say it. The tide is
coming in. Nothing on this planet can stop it.
Whew. I said it. I am so happy to get that off my chest,
however, for me to stop here would be unfair. I haven't
really proved it to you. So if you will entertain me a bit
longer here is the rest of the story.
Microsoft started conducting a "Get the Facts" [3]
marketing campaign against Linux. This signaled that they
have correctly assessed that their competition is Linux and
that they need to fight it with all they have. It even made
it into their 10-K filing. [4] It's really an interesting
read; note that Microsoft sees Linux as a major threat.
It's a big enough threat to their monopoly that they say:
"The Linux open source operating system, which is also
derived from Unix and is available without payment under a
General Public License, has gained increasing acceptance as
its feature set increasingly resembles the distinct and
innovative features of Windows and as competitive pressures
on personal computer OEMs to reduce costs continue to
increase."
If Microsoft thinks this then that alone is more than
enough reason to give a fair look at Linux. Of course it's
just as likely that they are preparing the lawsuits to
attack Linux because it is a real competitor. I am not sure
which distinct and innovative features they are
referencing. Perhaps it was the whole GUI concept that
Apple sued them for stealing from them. Perhaps it was the
Microsoft Office-like functionality that Open Office has
that Microsoft took from Word Perfect. It's hard to tell
and it gets me off topic to delve into it.
Alright, let's talk about the "Get the Facts" marketing
campaign. What happened is that Microsoft and vendors that
make money on Microsoft products have all come together to
tell us that we us why we should use their products. As a
consumer and something of a student of history, I always
question people that are highly motivated to protect their
jobs and money. Did big tobacco say their products were
safe long after they knew it wasn't true? Might Microsoft
be inclined to say that their products provide better total
cost of ownership (TCO) and security than another product
despite knowing it wasn't true?
It turns out they have done something strikingly similar
before. [5] "When IBM OS/2 had just taken off and become
'the best selling retail software product in America' then
'sources close to Microsoft' leaked word to a columnist for
the UK edition of PC Magazine, who dutifully reported both
the rumor and source." - Computerworld, March 20, 1995,
page 118. From there it was all downhill for IBM. Despite
everything indicating that OS/2 was doing great, the press
just kept printing the Microsoft party line. In the almost
10 years since that happened, have things changed? Are they
kinder, gentler, and friendlier to work with or do they
still spin, bully, and use talking heads?
Carrying on in their history we see that, empowered by
their victory over IBM, just 4 years ago Microsoft was
ordered to be split in two by Judge Thomas Penfield Jackson
because they were convicted of abusing their monopoly
market position. Then 3 years ago Judge Colleen
Kollar-Kotelly reversed the decision to split them and a
much lighter penalty was imposed. Unhappy with the results,
the EU took up the case and just this year Microsoft was
convicted in the EU. Since then Microsoft has paid billions
of dollars to the companies that were aligned against them,
one by one settling the differences. Most of the companies
had little choice but to accept the money they were
offered because they had been so badly beaten. Now they
stand with billions of dollars in the bank and a patent
portfolio that is rapidly expanding.
I don't know about you but when a convicted monopolist that
has been shown to use those monopoly powers against their
competitors says that Linux is a competitor but that it's
not as secure or cost-effective, well then I take note.
Because I know there is a good chance that a half truth was
spoken.
Maybe Linux is shoddy code just hacked together by a
college student. However, according to the four-year
analysis by five Stanford researchers [6], Linux contains
only "0.17 bugs per 1,000 lines of code" and almost all of
those bugs have been fixed. Given that an earlier study
from Reasoning, Inc. [7] had already shown that the Linux
TCP/IP stack had a 0.013 per 1,000 lines of code defect rate
back in 2001, it is hardly astonishing that the entire
kernel is also relatively low in defects compared to your
average commercial software application. To put that in
perspective, the average code seems to have anywhere from 2
to 30 bugs per 1,000 lines of code. That makes the Linux
kernel between 11 times and 176 times better than your
average product. So it's certainly not shoddy software by
any stretch of the imagination.
Considering that many Linux distributions are free, it is
hard to believe that it would be more expensive than
Microsoft where a simple upgrade costs $100 and their
Office application costs hundreds more. Call me crazy but I
am having a hard time finding any truth in the "facts" as
reported by Microsoft. However, Microsoft studies the TCO
to show that other factors make Linux more expensive. Yet,
the studies that I have read seem to make crazy assumptions
like saying it takes more money to train users to push a
button on Linux than it does to push a button on Windows.
They also tend to ignore the costs associated with viruses,
spyware, and trojans that prompted me to write this.
Perhaps most unfortunately for Microsoft they also ignore
that wildly varying labor costs directly affect TCO. [8]
That means it wouldn't just be a poor decision it would be
a completely moronic decision for a government to use the
Windows platform in the third world if it wasn't absolutely
necessary. To be honest, for a long time I have wanted to
see a case study that took these types of issues into
account. I was, for this reason, greatly disappointed when
I heard about a study from Cybersource [9] that ignored
these things but still found Linux, even Red Hat Enterprise
Linux, to be at least 19% less expensive. So much for
Windows being better value, they can't even win when the
whole thing is tipped in their favor.
Maybe I missed something? Maybe Microsoft just happens to
be truly better at security than Linux? For this I had to
get dirty and dig. On the surface it did seem like Windows
had fewer security issues. Looking at Secunia, a security
research company, I discovered Windows 2000 Server has had
only 76 Advisories in all of 2003 and 2004. [10] Red Hat
Enterprise Linux 3 on the other hand has 101 Advisories
[11] and it wasn't launched until November and looking at
Red Hat Enterprise Linux 2.1 I found a whopping 145
vulnerabilities. [12] That looks pretty bad, right?
I am sure that is what Microsoft would like us to think. If
we would just ignore the elephants in the closet then we
would come to their happy conclusion. I'm not going to do
that though.
Microsoft Windows is but one component in a much larger
Windows platform. What good is the operating system without
remembering productivity software, anti-virus software,
instant messengers, media players, software to burn CD and
DVDs, and the list goes on and on? These are all things
that Red Hat and every other Linux distribution includes as
part of the package. Usually they go so far as to include
multiple applications for each function. It would be,
therefore, completely unfair if we didn't compare a
comparably equipped Windows platform to a comparable Linux
platform. How do you add it up though? Whose products do
you pick and whose products do you ignore? It's a horrible
can of worms. I tried to do it. To build the comprehensive
list so that we could compare a Microsoft Windows that's
fully equipped like a Linux distribution and I was able to
exceed the number of advisories. I just felt dirty doing it
and, in the process, I came to the realization that the bug
count isn't what really mattered.
What really matters is that the bugs are getting fixed so
you aren't online without protection and that the updates
were easy to track and install. Both of which Microsoft is
in serious trouble with.
With Linux all of the updates for all of the different
types of applications come through a single path and in an
automated way. It is a process very much like the Windows
Update service. The key here is that one update service
covers all of the products. On the Windows platform you can
get the Windows updates this way but what about all of the
third party applications we needed to have the same
functionality as Linux? Each of those needs to be searched
for separately or is hidden inside the application itself.
In my research I found one particularly nasty Microsoft bug
that really emphasizes this point. I am talking about the
GDI+ buffer overflow with JPEG processing [13]. They put
out a security bulletin and they released a patch for each
of their affected products but they never identified who
put the SDK library in their products and each of those
products linked to it individually. Not only did this mean
users had to be experts that researched the update on their
own, but they also had to manually install it in each
location. You have to admit, that sure isn't as nice as the
centralized updating that Linux has. It seems more like a
tidal wave to me.
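The chase described in the two paragraphs above, finding every privately bundled copy of a vulnerable library and checking whether each one actually received the fix, is the work a single, centralized update path does for you. As an added example that is not part of the original letter, here is a small Python audit that walks a directory tree, hashes every file carrying the library's name and reports the copies whose hash is not a known-patched build. The directory layout and file contents are constructed sample data; the file name gdiplus.dll is borrowed from the letter's GDI+ discussion, and the "patched" hash is the hash of the fake bytes written by the script, not of any real Microsoft binary.

```python
"""Audit a directory tree for privately bundled copies of a shared library.

Added example, not code from the original letter. The directory layout and
file contents below are constructed sample data: the file name gdiplus.dll
is borrowed from the letter's GDI+ discussion, and the "patched" hash is the
hash of the fake bytes written here, not of any real Microsoft binary.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_library_copies(root, libname):
    """Map path -> sha256 for every file named libname under root.

    The name match is case-insensitive because applications ship the same
    DLL under varying capitalisation.
    """
    copies = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == libname.lower():
                path = Path(dirpath) / name
                copies[str(path)] = sha256_of(path)
    return copies


def unpatched_copies(copies, patched_hashes):
    """Paths whose hash is not one of the builds known to carry the fix."""
    return sorted(p for p, h in copies.items() if h not in patched_hashes)


def build_sample_tree():
    """Constructed sample: several applications each carrying their own copy
    of the library; two of them still ship the old build. Returns the tree
    root and the hash of the patched build."""
    root = Path(tempfile.mkdtemp(prefix="libaudit_"))
    old_build = b"constructed sample: OLD library build (vulnerable)"
    new_build = b"constructed sample: NEW library build (patched)"
    layout = {
        "Windows/System32/gdiplus.dll": new_build,
        "Program Files/OfficeSuite/gdiplus.dll": old_build,
        "Program Files/PhotoTool/bin/GdiPlus.dll": old_build,
        "Program Files/Messenger/gdiplus.dll": new_build,
        "Program Files/Messenger/readme.txt": b"not a library",
    }
    for rel, content in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root, hashlib.sha256(new_build).hexdigest()


def audit_sample():
    """Build the sample tree and return (root, all copies, unpatched paths)."""
    root, patched_hash = build_sample_tree()
    copies = find_library_copies(root, "gdiplus.dll")
    return root, copies, unpatched_copies(copies, {patched_hash})


if __name__ == "__main__":
    root, copies, stale = audit_sample()
    print(f"{len(copies)} copies of gdiplus.dll under {root}")
    for path in stale:
        print("UNPATCHED:", path)
```

On a real machine you would point find_library_copies at the drive root and seed patched_hashes with the hashes of the fixed build taken from a fully updated reference system; every path the audit reports is a copy the system-wide update never reached and has to be fixed by hand, which is exactly the problem the letter complains about.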
Then there are the issues related to actually fixing the
bugs that are known. Again, Secunia makes it really easy to
see. Of the 76 advisories Windows 2000 Server still had a
whopping 20% outstanding and one of them was rated "Highly
Critical". Red Hat Enterprise Linux had fewer than 1%
outstanding and it was rated only "Moderately Critical". So
much for fewer security updates meaning you are more secure,
and let's not even talk about the Internet Explorer Web
browser, because it is so insecure that the United States
government, through the Computer Emergency Readiness Team,
had to issue a warning to use any browser besides IE. [14]
Yet, to use Windows Update you have to use IE. It's just
not fair.
Then there is the issue of design. Linux was designed to be
in a hostile, Internet-centric world. As people were
programming it they knew this and it no doubt played a role
in the designs of their products. With Linux you will find
that firewalls are enabled by default, users rarely log in
as administrators, server applications run as users that
have limited rights, etc. In Windows these obvious things
were an afterthought, finally put into Windows XP with the
creation of SP2, well, mostly. I think it's because of the
mindset that Windows is for end users on either private
networks or no network at all that Microsoft has been hit
so hard by security issues. It's of course equally possible
that the issue is entirely different. Maybe they don't fix
the security holes because it's considered a feature. I
know they said as much about the Windows Messenger Service
[15] even though it was being actively used to send banner
advertisements to desktops around the world.
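One of the defaults praised above, server applications running as limited users, is easy to verify rather than assume. As an added example that is not part of the original letter, the Python below joins the output of `ss -tlnp` (socket to pid) with `ps -eo pid,user,comm` (pid to user) and lists every root-owned process that is listening on something other than loopback. The two text blocks in the code are constructed samples written in the shape of those commands' output, not captured from a real host.

```python
"""Triage listening services by owner and bind address.

Added example, not code from the original letter. It joins `ss -tlnp`
(socket -> pid) with `ps -eo pid,user,comm` (pid -> user) and reports every
root-owned process listening beyond loopback, i.e. the opposite of the
"services run as limited users" default the letter describes. SS_OUTPUT and
PS_OUTPUT are constructed samples in the shape of those commands' output.
"""
import re

SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN  0      511    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1044,fd=6))
LISTEN  0      4096   *:80                *:*               users:(("nginx",pid=1203,fd=6),("nginx",pid=1202,fd=6))
LISTEN  0      128    [::1]:5432          [::]:*            users:(("postgres",pid=1500,fd=5))
LISTEN  0      5      0.0.0.0:8080        0.0.0.0:*         users:(("python3",pid=2300,fd=3))
LISTEN  0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

PS_OUTPUT = """\
  PID USER     COMMAND
  812 root     sshd
 1044 redis    redis-server
 1202 root     nginx
 1203 www-data nginx
 1500 postgres postgres
 2300 root     python3
"""

# Addresses as ss prints them; IPv6 loopback keeps its brackets.
LOOPBACK = {"127.0.0.1", "[::1]"}
PID_RE = re.compile(r"pid=(\d+)")


def parse_ps(text):
    """pid -> user from `ps -eo pid,user,comm` output (header row skipped)."""
    owners = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[0].isdigit():
            owners[int(parts[0])] = parts[1]
    return owners


def split_local(local):
    """'0.0.0.0:22' -> ('0.0.0.0', '22'); '[::]:22' -> ('[::]', '22'); '*:80' -> ('*', '80')."""
    host, _sep, port = local.rpartition(":")
    return host, port


def parse_ss(text):
    """(host, port, [pids]) for every LISTEN row of `ss -tlnp` output.

    Run without enough privilege, ss omits the users:(...) column, so a row
    may carry no pids; it is still kept so the open port remains visible.
    """
    listeners = []
    for line in text.splitlines()[1:]:
        cols = line.split(None, 5)
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        pids = [int(p) for p in PID_RE.findall(cols[5])] if len(cols) > 5 else []
        listeners.append((host, port, pids))
    return listeners


def root_exposed_listeners(ss_text, ps_text):
    """Sorted (host, port, pid) for root-owned processes listening beyond loopback."""
    owners = parse_ps(ps_text)
    findings = set()
    for host, port, pids in parse_ss(ss_text):
        if host in LOOPBACK:
            continue
        for pid in pids:
            if owners.get(pid) == "root":
                findings.add((host, port, pid))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, pid in root_exposed_listeners(SS_OUTPUT, PS_OUTPUT):
        print(f"root listener: {host}:{port} pid={pid}")
```

On a live host, pass the real command output (for instance via subprocess.check_output for `ss -tlnp` and `ps -eo pid,user,comm`) in place of the constructed strings. Treat the result as a triage queue rather than a verdict: sshd legitimately listens as root and drops privileges per session, and nginx's root master process hands the socket to www-data workers, whereas a root-owned python3 bound to 0.0.0.0:8080 is exactly the kind of service that should be running under a dedicated account.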
Perhaps Microsoft is finding that the standard software
wisdom about bugs [16] being less expensive to fix before a
product ships is true because after several years of having
security as the number one focus they are as plagued or
more plagued by security issues than ever before. Maybe
pouring money on the problem won't fix it? I mean, come on.
Even before Windows XP [17] we knew these things but it
still shipped with the stupid default settings and we STILL
have 20% of their advisories unfixed. How can anyone feel
safe running on a Microsoft platform?
Linux provides a better paradigm. It costs less, it is more
secure, and perhaps most importantly of all it isn't
controlled by a single vendor. While Red Hat is the largest
distributor of Linux and does provide a comprehensive
support system and legal protections for their customers,
they aren't alone. Major companies like IBM, HP, and Novell
are all deeply involved with Linux but none of them are in
control of it.
Because of Linux, the future of computing is commodity. By
the year 2000, Linux already represented billions of
dollars worth of development effort [18] and it's owned
collectively by each one of us. The savings will follow and
you can count on getting what you pay for or there will be
someone else that is there for you on the terms that you
want. The tide has turned and Microsoft is going to get
wet. From my perspective they already are all washed up.
It's all an issue of attitude. Linux follows the share and
share alike [19] mindset where as Microsoft seems to have
the greedy mindset of it's all mine and I want to get paid
for it now [20]. Well Bill, Steve, and talking parrots,
that's not very nice. As I have shown there are good
reasons for using Linux as the better alternative to
Windows. Give my friends at Red Hat a call. I am sure they
could comp you a copy. Anyway.....
Like I said: It's time for anyone running a Windows PC to
switch to Linux.
I really appreciate you taking the time to read my letter
and I hope that it gets you motivated to make the switch
or, if you already have, that it just makes you feel all
warm and fuzzy inside.
Sincerely,
Chris Spencer
chris at digitalfreedoms dot org