Date: Sat, 9 Feb 2002 14:04:11 +0100 From: "Anthony Atkielski" <anthony@freebie.atkielski.com> To: "Charles Burns" <burnscharlesn@hotmail.com>, "FreeBSD Questions" <freebsd-questions@freebsd.org> Subject: Re: Security of Commercial vs. OSS. Was: Breaking permissions on Windows 2000 Message-ID: <003501c1b16a$45286710$0a00000a@atkielski.com> References: <F89WLAWhMvAXiTeLXh500005b1c@hotmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Charles writes: > I can see your point that one must trust the > authors of the code at some point. There are really only two options: You check every line of code yourself, in which case no trust is required, or you trust the authors of the code, and you don't check every single line. But you can't have it both ways; and very few people have the time and energy to look at every single line of code. > It all comes down to who one would choose to > trust more, when it is needed. Yes. > I would not trust, say, Linux developers all > that much...nor would most people after looking > at some of the code.(comments like: "NFI how I got > this to work last night. I don't really understand > it even now. Oh well, it works :-)" as much as > other sources. That's why I don't run Linux. > I personally would trust the *BSD developers > (particularly the OpenBSD developers) far more > than Microsoft. I consider them even. FreeBSD developers may be more altruistic, but they are less accountable for their actions. Microsoft developers are not especially altruistic, but they are held accountable. Either group would be preferable to anything near Linux, of course. > Open source developers don't have any type of > financial or marketing goal, so the software is > generally released when they have it pretty well > worked out. But they also don't depend on the code to put food on the table, so they have little incentive to work at any pace other than a leisurely one, and they have no real incentive to find or fix bugs, add new features, or the like. A need to pay the rent is a strong motivation to work seriously on a projet, and software companies obviously have that motivation, whereas volunteers do not. > As a rule of thumb, I have found that open source > tends to be one step above commercial software in > quality, meaning pre-alpha open-source software > is about alpha Commercial quality, beta is final > and final is 2.0. You will also find that it is at least one step below in support, bug fixes, documentation, and new features (and I'm talking about required features, not bloat). Commercial publishers are motivated to release too early; open-source volunteers are not motivated to release at all. So you can either have your software too early, or too late. > There are, of course, exceptions such as Adobe > and Blizzard Entertainment which consistantly > churn out really rock-solid software, but I can > say that Microsoft is not an exception in many > cases having had a MSDN account and beta testing > some of their stuff. Microsoft and Adobe are even quality-wise, but Microsoft has more of a tendency to write code as if nothing else had to run in the system, whereas Adobe is forced to write code that can coexist with other programs. This gives the false impression that Microsoft code isn't as solid, but that isn't really the case; it just has its fingers in too many other parts of the system. You'll see the same phenomenon in proprietary mainframe operating systems, and even in proprietary versions of UNIX. You can also see the same thing in firmware for major hardware producers, like Compaq (famous for its weird particularities in hardware that made it difficult to run any kind of standard software). > No, because I don't use that driver nore is it > compiled into the kernel. Much (most?) of FreeBSD > and any other OS package goes unused. True of commercial software as well, including Microsoft software. > There are applications and parts of the system > that are so extremely thoroughly tested; such as > Apache, SaMBa, and the EEPro 100+ driver; software > that so many different and widely varying people > have thoroughly tested, beaten up, and looked at, > that they can generally be considered trustworthy. The same is true of just about any widely-used operating system. An OS is exercised through billions of iterations in a very short time; OS bugs tend not to last for very long. If you look at bugs for both MS and open-source operating systems, you'll see that they are actually in individual utilities, daemons, services, drivers, and applications--almost never in the deep OS code (except possibly in the case of Linux, the shakiest OS around). > Name one perfectly trustworthy source. There is none, but some are forced into a similar role, such as defense contractors. The DoD really does look at every line of code in some cases. > Surely you won't mention Microsoft. Microsoft is no more or less trustworthy than any other major vendor. No vendor is 100% trustworthy. > Err, if you don't count IIS. MS writes a lot of other products besides IIS. > I'm sorry, but IIS's security is world infamous. Like that of UNIX. > Exchange is the wristwatch? No, the mainframe. Exchange is probably the best intraorganizational mail system you have find today, by a handsome margin. Competitors such as Lotus Notes are garbage, as are all of the systems of the preceding e-mail generation, including the old Microsoft Mail (and cc:Mail, the Lotus competitor). > Seriously though, even MS still uses Qmail > for parts of Hotmail (not for security reasons, > though, but because it can handle bigger loads > than Exchange). As far as I know, a great deal of Hotmail is custom-written or custom-modified. There hasn't been much completely vanilla code running on that system in ages. Additionally, Hotmail belongs to Microsoft, but it should not be confused with Microsoft, any more than MSN. The real brains at Microsoft are in software development, not sidelines like Hotmail or MSN. > Qmail and Postfix do indeed have less users, but > consider this case study: Qmail has been around > for years and has *never* had a serious security > exploit. Ever. This is true for Minesweeper, too. > I doubt there are more than a handful of businesses > running anything else onan NT mailserver. For businesses, I recommend Microsoft Exchange Server. It is far better for internal use than any other e-mail system. The systems that rehash Internet protocols are far too feature-poor for this type of use. On the other hand, I do not recommend Microsoft Exchange Server for ISPs or for use in heterogenous, decentralized Internet environments. Even though Microsoft has worked hard to make Exchange perform in these environments, it's still easier and faster and more stable to run something simple. > Probably. I'm sure IIS has code galore. I don't recall if I've ever looked at IIS code; I think I have. It's a messy application, though--indeed, it looks like something that might be written by Win95 developers, as opposed to NT developers (the former are closer to young males with only PC desktop backgrounds, while many of the latter have large-scale production, mainframe backgrounds--and this shows in the code). > Particularly on Micorsoft platforms, huge apps that > do everything seem to be popular vs. the unixy "do > one thing and do it well" approach. Yes, but I think this is more because software on MS platforms tends to be commercial software, whereas software on UNIX platforms tends to be free stuff. Commercial software always becomes more complicated and bloated over time, in order to support the business model that forces people to "upgrade" often enough to maintain a revenue stream. Free software just has to work, and so keeping it simple is best. Also, Microsoft platforms appeal to far less sophisticated users than UNIX platforms, so they have to be more all-in-one and user-friendly. > While I certainly prefer using single programs with > a well designed interface (a la Microsoft) to a million > smaller ones, the latter does have some security > benefits in the Unix world. FWIW, I find the UNIX model easier to deal with than the Microsoft model. Greater modularity hugely reduces the number of failure modes. Apache is easily fifty times easier to configure than IIS. > Respect them for what? For being the major motor of the microcomputer revolution, and of the IT revolution in general, and by extension for being a major motor of the economy over this past decade and beyond. This is no small accomplishment, and anyone who tries to disregard it is deluding himself. Imagine for a moment where we would be if there were no Microsoft, and only Apple existed to drive the IT revolution. It's a scary thought. And people would hate Apple a hundred times more in such a case than they hate Microsoft today. > Respecting them doesn't make the products any better, > though. Microsoft's products are better than most. They did not get where they are by producing garbage. Netscape got where it is by producing garbage, despite its claims to the contrary--any webmaster or mail administrator who has had to work with Netscape trash knows this firsthand, but overcoming the mythology is difficult. Apple builds fine products, but it falls down in almost every other respect, and it is far more domineering than Microsoft. And so it is less successful. > I would say that is more true of Linux/Alternative > * zealots. There's a lot of overlap between Linux zealots and Microsoft bashers. Both groups contain a high proportion of relatively stupid, angry young males. The really sad thing is that hype is driving Linux, even though superior versions of UNIX (such as the BSD versions) are available. > As far as Microsoft bashers, it depends on what a > microsoft basher is. People who display a rabid, irrational hatred of Microsoft and constantly criticize the company with vastly exaggerated and largely unsubstantiated claims about its behavior and products. Such people are almost always angry young males. > ... quite a few people that are willing to say negative > things about Microsoft products are in that position > because of experiences with various bugs, instability, > poor tech support, etc. And virtually none of them have ever dealt with other companies in the same way. Those who have dealt with IBM, AT&T, and others in the past realize that Microsoft is no better or worse than its predecessors. > I have little doubt that if they could increase their > bottom line by one cent by ruining 500 peoples businesses/ > lives/savings, that they would not hesitate. You have some odd ideas about Microsoft. Just what sort of people do you think actually work for the company? They are IT people just like anywhere else, except that Microsoft tends to prefer the smartest IT people it can find. > Whether or not Microsoft is a great company with > great products, being in a leadership position does > not make the company great or have great products. It is extremely hard to get into a leadership position _without_ great products and a great company. All the much-maligned leaders of various ages in business have attained their leadership positions through good products and good business practices. > That said, is it really even possible to overcome > Microsoft as 'the leader'? It's already happening. Microsoft's golden age passed some years ago. In the future it will continue to be large and profitable, but it will never again enjoy the same prestige and leadership it has had in the past. This is the cycle that all such companies go through. Microsoft right now is probably where IBM was in its golden age of the early sixties or thereabouts (if I recall correctly). > Isn't that what the whole antitrust ordeal is about? The whole antitrust deal is a waste of time. It moves too slowly and remains too irrelevant to affect anything. Other market forces have already affected Microsoft and the IT industry much more during the short period of the antitrust proceedings alone, and they will continue to do so. It's interesting that the DoJ and its lawyers never seem to figure this out, no matter how many times they try to bring companies to court for antitrust. > If a skilled salesman sells you a mediocre product > for the majority of your budget for that type of > product ... Not applicable here. In fact, I've seen just the oppposite with Microsoft: I've seen customers come looking for the product even though MS was too incompetent to sell it effectively. Mediocre products don't sell that way, so clearly these are not mediocre products. > Additionally, once you take the bait (be it a good > or bad thing), Microsoft does their damndest to > lock you into the Microsoft way. So does everyone else. And traditionally Microsoft has not been very good at it. They've succeeded mostly on the basis of their products, not their marketing and sales, despite popular opinion to the contrary. It's essentially a company of geeks, although that has changed in recent years as more marketroids and other deadwood join the ranks. > Example: If you have to submit a document on Word > format, does the fact that you use word make you > happy with it? No, but you may not be sad with it, either. > Solaris/x86 isn't a particularly good idea and > Irix/x86 doesn't exist. Okay, but why Linux instead of FreeBSD (or any BSD)? > It never fails to amaze me how many companies > host important data and even huge websitesfrom > Access. If only they knew how fragile that arrangement can be. One of the historic problems with Microsoft Exchange Server is that it has been hosted on an Access-based DBMS. This was done because the Access architecture was fast, flexible, and efficient; unfortunately, it is also far less reliable and maintainable than the SQL Server architecture. Even with a lot of customized tweaking, this destabilized the product, although they've got it working well enough. it would be a lot more stable on SQL, but it would run even slower, so I guess they opted for speed. > Makes a good "Do not work here, either management > or the IT department is incompetant" red flag. Yes, one of the danger signs that the seasoned IT professional recognizes. Some jobs are just not worth the salary offered. > Whatever it is, it happens more on Windows than on, > say, FreeBSD. Windows software tends to be bloated and overcomplicated, which destabilizes it. If you run an X server on UNIX, however, you can destabilize it to roughly the same extent as Windows. Then again, if you're smart, the UNIX machine is in the computer room, working as your tireless server, while the desktop is Windows. > Oddly, Microsoft seems to be the only company that > can consistantly make good drivers for other company's > hardware. It's not odd at all. Microsoft has extremely competent developers who can write software with a minimum of bugs; writing software is their business. Hardware companies, in contrast, specialize in building hardware, and very often their software development staffs are woefully incompetent; as a result, they write drivers that are really buggy. And buggy drivers crash operating systems. This is a very consistent rule in my experience, which is why I often would rather use a generic driver with limited features from Microsoft for a piece of hardware than risk the fancy, bug-laden drivers provided by the hardware vendor. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003501c1b16a$45286710$0a00000a>