I don't know what you're trying to say here. I'm saying, if your argument is that there's a limit to how far Microsoft will go to ensure system security, and that limit is lower than the limit mainstream Linux will go to, you're likely to lose the argument. I can point to places where Microsoft has surrendered tens of millions of dollars to combat individual C code security flaws.

So let's stipulate that neither of us want to piss off users, neither of us are vouching for Microsoft's long term strategy, and neither of us are arguing against open source. We're not talking about whether you should use Linux or you should use Microsoft.

We're talking about, this is what it looks like when a company redlines security and code quality. Many of us have companies that ship code. It's worth knowing what the ends of the spectrum look like.


But if Microsoft will go to such huge lengths... are they actually more secure than Linux? Or are there lengths that they won't go to, no matter how much they spend?


I'm just going to say that when you slip a major release date for a multi-billion-dollar product by several weeks just to go back through all your code to see if there were any integer overflows that you might have missed, after somebody points out a new code pattern that might lead to them, you've firmly established yourself at one end of the spectrum.

I simply don't believe that any other team, open source or commercial, would do something like this. I've seen too many of both kinds of teams blow off actual documented vulnerabilities to think that they'd hurt their own progress to chase down hypothetical ones.

The rest of the discussion is academic to me. By all means, use Linux. We do for our Rails app. Hooray for open source.


And the process where developers submit their patches to a mailing list and they are reviewed by people above them is what?

A code review.

You can't measure Microsoft's expenses against the expense of developing Linux. Linux was not cheap to make either - just the time is distributed across a lot of books instead of one set.


I'm not even a little bit interested in getting into a religious argument with you, but I will take a moment to point out that the "code review" that a Linux kernel driver patch receives is nothing remotely like a security code review.


You missed my meaning. I was saying there are things Microsoft won't do for security. For example, adding a repository would get people out of the habit of downloading random software.

But it might be interesting to find out how much companies spend on security in the Linux kernel. IBM, for example, is supposed to have spent billions on Linux.


Adding a repository wouldn't alter security even a little. If as many people used Linux as use Windows today, we'd have just as much of a problem with Linux malware as we do with Windows malware.


"If as many people used Linux as use Windows today, we'd have just as much of a problem with Linux malware as we do with Windows malware."

I often hear that argument made, and yet in the time I've been using Linux (since 1994) the total number of Linux users has increased by many orders of magnitude, but I have seen no corresponding increase in the number of security issues. I think that it's because Linux is (much) more secure by design and process, but I guess I'll just have to wait until the apocalyptic Xth user moves to Linux and I start having to worry about viruses, malware, etc. to see if I'm right or wrong.


I don't understand why this is so hard for people to understand. There's virtually no Mac malware, either! But it is demonstrably trivial to create Mac malware; in fact, it's far easier to do that than to come up with a new Microsoft vulnerability.

The issue here is simple. People will target Linux when it stops being so overwhelmingly profitable to target Windows. We're nowhere near "peak oil" for Windows malware. It is, as Joel Spolsky points out, just economically irrational to target anything other than Windows.

This is the difference between safety and security. You are indeed safer on a Mac, just like you're safer living out in the country, even if your city house has a serious alarm system and bars on the basement windows.


I can't refute your argument any more than you can prove it to be true, which is why I said I'll have to wait for the apocalyptic user to arrive. But if you can demonstrate some Linux malware (trivial or otherwise), it would add a lot of weight to your argument :)


You're serious? It's not enough just to point you to Bugtraq?


Exploits aren't malware. Not in the sense we're talking about here, at least.


What's your point? Malware is enabled by vulnerabilities. Nobody is arguing that Linux has lots of malware. Linux is safer than Windows. But it's not more secure.


> Malware is enabled by vulnerabilities.

I'm not so sure about that. Some malware installs itself by exploiting vulnerabilities. (Not all of it, though - there's plenty of Windows malware that gets installed by social-engineering the user.) But, in order to stay installed, most malware depends on other properties of the OS to conceal itself and stay installed. Windows makes this much easier for a programmer than Linux does.


I know that a lot of people say this, but I don't know a single professional security practitioner who --- when push comes to shove --- actually believes it. I'm not being glib or dismissive, but I'm also not going to argue the point anymore.
