Bill Gates: Windows Patched Faster than Linux
Posted by CowboyNeal on Thu Oct 16, 2003 06:15 PM
from the arguing-over-who-sucks-less dept.
petard writes "In a very interesting interview published by the Register, Bill Gates made several interesting claims about Longhorn. Many of them have been extensively covered recently, including plans to force users to patch automatically. Surprisingly, everyone seems to have overlooked his statement that Microsoft fixes bugs faster than Linux developers do. 'We've gone from little over 40 hours on average to 24 hours. With Linux, that would be a couple of weeks on average.' Either he's lying or woefully misinformed; their recent performance seems to be more on the order of 3+ months, or over 2000 hours."
Maybe? (Score:3, Funny)
(http://tpno-co.org/)
Re:YA *I* think he's referring to... (Score:4, Insightful)
(Last Journal: Sunday October 03 2004, @04:03AM)
Also, to be fair, I suspect that few users immediately apply kernel patches in the Linux world. They wait until RH's up2date or Debian's apt-get sucks down the latest and greatest. A fair comparison might say "Microsoft does not attempt to supply a 'rapid-release' patch for technical users at all, unlike the Linux community. However, its time-to-Joe-end-user-release is comparable to that of Red Hat." or something along those lines.
I certainly feel that, at least applying the immediately obvious and most useful criteria, Microsoft does *not* fix bugs (release patches) more quickly than the Linux community.
Re:YA *I* think he's referring to... (Score:4, Insightful)
(http://www.uswx.com/us/wx/)
Example: Today's Windows bug. Microsoft announced it today and patched it today. That's less than 24 hours to "fix" it.
This type of logic makes perfect sense to the PR or marketing departments.
- Tony
Re:YA *I* think he's referring to... (Score:4, Interesting)
(http://www.emprecords.com/)
The problem is, the bug may be discovered independently by some knowledgeable crackers and taken advantage of for months while stolid MS works at its own pace to 'fix' the problem. (Which, incidentally, often a) doesn't fix the whole problem, or b) introduces other problems.)
Worse yet, when the user community doesn't have knowledge of a problem and a cracker does, the user, who may have been able to obviate the problem through another means (blocking RPC at the firewall, or whatever), is now left defenseless until MS gets around to telling them about the problem.
So if MS can keep everybody's mouth shut about the problem until it's ready to release the patch, of course they're going to have an incredible record for getting patches out quickly.
Re:Patching Faster vs. Patching Easier (Score:4, Informative)
'Fast' Bug Fixing (Score:3, Funny)
(http://www.google.com/)
I wouldn't be surprised if MS does make patches in under 24 hours. But I bet the process looks like this.
- Microsoft notified about a problem.
- Notification email sits in Exchange server for a week due to problems with a corrupted mailbox.
- Flunky reads email, decides it would never happen in real life, demotes to low priority.
- MS Updates their problem tracking database. Issue is lost in the db move.
- Another flunky goes through and re-adds all the issues from emails.
- Smarter employee upgrades importance, flags it as 'do now!'
- Issue languishes for another few weeks.
- Vulnerability 'approved for fix!'
- Programmers fix it in under 24 hours.
- Patch enters testing queue.
- Patch is tested in an inadequate number of systems that all include only MS software and no 'unusual' configurations like, say, not using IE as default browser.
- Patch is sent to deployment team.
- Wait another week.
- Deployment team packages fix, places it on wu.ms.c.
- Fix breaks on many systems, system admins tear out hair, MS pats themselves on backs for their fine bug fixing system.
Myrddin.
Re:Lots of patches lately (Score:4, Insightful)
(http://www.nihongo.org/snowhare/)
Re:Someone RAM Bill (Score:4, Interesting)
(http://www.lunaticleft.com/ | Last Journal: Thursday September 21 2006, @02:26PM)
Re:Someone RAM Bill (Score:5, Insightful)
It's not like revisionist history is a new concept. In 1981, I could completely see Bill Gates saying the 640K quote, and have it taken out of context. One of the Watsons (of founding IBM fame, I can't remember if it was Sr. or Jr.; I'm guessing Sr.) once said that worldwide we'd probably only need 5 computers ever. It's not like he's terribly stupid either.
If you really want to have fun and games, write down a particular fact that you can't remember a specific event ever happening in your childhood. Now, store that piece of paper someplace safe. Now everyday imagine that event happening. Picture in your mind how you would remember it if it happened. Over the course of time, you'll "remember" it as a fact that is just like all of your other memories from childhood. You'll know it's inaccurate, but to your mind you can't tell between the old true memories and the newly fabricated memories. It's a simple form of brainwashing. I've specific memories that I know for a fact never happened. I constructed a conversation I never had once for the purpose of trying this out. It's the old adage about a lie repeated often enough becomes true.
I'll willingly admit it's entirely possible Bill never said that, and he surely can't prove he never said it. However, I'll never trust Bill's memory about him not saying it. However, if you tracked down the original references to it and debunk that, now you have something. Somebody has to cite it. It's in the Usenet Archives, or in old papers and trade magazines. Find the originals and debunk them, don't cite Bill saying 15 years later that he didn't say it. That's not debunking.
Here, I'll prove it to you. "I've done some stupid things, and I've done some wrong things, but I was never born. Nobody in the human race would ever say they were born.". Does that "debunk" the fact that I was born or not? I'd say my sitting here, and typing into slashdot is pretty strong evidence I was born at some point in the past.
A number of statistics have been proven to be false, but are cited all the time in the past. If you follow all of the original citations back, you'll find they all start at one single reference. The original person who stated it either lied, or had something wrong with the way they came to the conclusion. By the time anybody figures that out, it'll be a "fact". I know this happened on stuff regarding sexual orientation (formerly commonly cited stat that 10% of all men are gay), and I believe it's happened on several other occasions about other commonly cited stats.
Debunking involves getting reasonably close to the source and debunking it. Not asking somebody 20 years later, who has a vested interest in not looking like an idiot, if he said something that's blatantly stupid 20 years ago. Read up on what Bill has said about what he thought of the internet.
I believe it was Cringely who pointed out that Bill always proclaims he was a visionary about the net, and saw ahead of everyone how much that could change the world. Yet when you read his book from that time where he was spouting off about what he thought was the next big things in computers, just as the internet went mainstream he never mentioned it once. Bill's in a position where he can't afford to say, I missed that huge new technology. He's Bill Gates, he thinks Microsoft single handedly invented the Personal Computer. Just read the end of the article.
Kirby
Re:Someone RAM Bill (Score:5, Insightful)
(Last Journal: Wednesday December 13 2006, @06:43PM)
In 1981, NOBODY needed 640k on the desktop. IBM PCs shipped with a tenth [computercloset.org] that amount of memory. Even assuming memory growth is exponential in the same manner as Moore's Law, this meant that the average user probably wouldn't need 640k for five years or more. Even in 1987, I remember programs (such as WordPerfect 4.2) that could fit on a single 360k floppy -- so the 640k prediction held for several generations of machine. Not a bad prediction in the computer industry.
There were good reasons for making the 640k assumption. All I'm saying is, don't fault an engineer for making a design decision, even if you don't like him personally.
Having said that, you want a desktop application that takes up more than 4 GB of physical memory? Go download the OpenOffice source and add a line:
calloc(4294967296,sizeof(char));
Take THAT, Bill!
Linux the kernel or Linux the system? (Score:3, Interesting)
(http://www.freequest.net/ | Last Journal: Thursday December 26 2002, @08:33PM)
I haven't really heard anything about Linux, really.
I have heard about the SSH issues, etc., but never about Linux. SSH, OpenSSH, etc. are just parts of a Linux system, or BSD for that matter.
Has there actually been a Linux KERNEL exploit in the last few years?
And besides, when there is a Linux KERNEL exploit it's fixed in hours, or minutes! I think it would be impossible for M$ to match that.
This article qualifies for more M$ FUD.
Re:Linux the kernel or Linux the system? (Score:5, Insightful)
(http://www.hyperlogos.org/ | Last Journal: Wednesday July 18, @08:19PM)
When is the last time a vulnerability in the windows kernel was found? To be fair, we will include vulnerabilities in the HAL, since in Linux the kernel contains that functionality as well.
OpenSSH is a part of Linux as much as RPC or Windows Messaging is a part of Windows.
If a linux kernel exploit is fixed in minutes, then it was a pretty dumb bug. Microsoft has been good lately about doing proactive security reviews, and they often find holes before anyone else does. Linux mostly seems to do reactive fixes, at least from where I'm sitting. Which is to say, at a Windows XP machine, but right next to a gentoo Linux system.
Bah! The suits at Microsoft are running scared (Score:5, Interesting)
(Last Journal: Wednesday May 09 2007, @08:30AM)
And if we follow Mahatma Gandhi's approach, the best approach is to keep doing what we do while letting MS bash away. Eventually it will become quite evident as to which side is interested in doing good for their fellow man.
Who Solves Security Problems Faster? (Score:5, Informative)
(http://crispincowan.com/~crispin)
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc. [immunix.com]
Immunix: [immunix.com] Security Hardened Linux Distribution
What are his start/end times? (Score:4, Insightful)
I'd like to know what part of the process he is talking about? Is that the time between when the hole is made public and when the patch is released? That would explain things a bit... since MS typically can keep the news under wraps until they release the patch simultaneously.
Including a lot of "0 seconds between bug announcement and patch release" is bound to give you a much lower average. So, it would be possible for MS to receive 85 bug reports, suppress all but one for three months, release 85 patches and average just a bit better than 24 hours between public announcement and patch.
he's probably not lying... (Score:5, Insightful)
(Last Journal: Monday June 05 2006, @05:03PM)
Microsoft is a big company, and Windows is a very complex beast. My initial thought is that perhaps the security developers do indeed code and submit a patch within 24 hours.
But then the patch has to wend its way through the labyrinth of QA and regression testing. Because Windows is so highly integrated, even small changes can have big unforeseen consequences, so they can't rush patches out the door without breaking things. I believe Microsoft makes patches available via their support pages well before it hits Windows Update. What *we* are measuring is the time from bug report to being in Windows Update; what *they* are probably measuring is time to patch submittal or time to initial availability via support.
I really, really prefer the improved code separation in the Unix environment; if, say, BIND has a problem or exploit, it's highly unlikely that a patch will break Postfix or Apache. Because things are better-separated, the developers understand their packages better and can more confidently push patches into their stable branches.
I worry a little about the way the Unix desktops are becoming increasingly interdependent, with lots of libraries and lots of integration... are we going to end up in the same place, eventually? Microsoft doesn't employ idiots, and considering the amount of trouble they've had scaling, well.... I just hope the free software developers are thinking about this.
Re:he's probably not lying... (Score:5, Interesting)
It's certainly being mismeasured by the Linux community. While I haven't done a thorough study, I make note of a Konqueror patch that came out last year.
- Linux community touted it as proof patches were fast, because it was into the source tree in 90 minutes
- It took one month before KDE released a new binary compiled with the patch
- It took an additional month before Redhat incorporated this into a patch for their Linux distribution.
The issue also impacted IE, and it took Microsoft two weeks to release a binary patch on Windows Update.
The Linux community claimed 90 minutes, when it was really two months.
Microsoft counted it accurately as two weeks.
Just reporting good news to yourself doesn't make you better.
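The measurement dispute raised in "What are his start/end times?" and in the Konqueror timeline above, as an added example that is not part of the original discussion: the same patch history produces very different averages depending on which events start and stop the clock. All timelines are constructed; the event names and the 30-day month are assumptions.

```python
from statistics import mean

# Constructed timelines (hours since the vendor first learned of the bug).
# Event names are illustrative assumptions, not an established schema.
def timeline(reported, disclosed, source_fix, upstream_binary, user_patch):
    return {"reported": reported, "disclosed": disclosed,
            "source_fix": source_fix, "upstream_binary": upstream_binary,
            "user_patch": user_patch}

def mean_hours(timelines, start, end):
    """Average elapsed hours between two named events."""
    return mean(t[end] - t[start] for t in timelines)

def embargo_batch():
    """85 reports patched together after 90 days (2160 h).
    84 stay private until patch day; one was public 2000 h before it."""
    private = [timeline(0, 2160, 2160, 2160, 2160) for _ in range(84)]
    public = [timeline(0, 160, 2160, 2160, 2160)]
    return private + public

def staged_release():
    """One bug disclosed on report: fix committed in 1.5 h, upstream binary
    after ~30 days, distribution package after ~60 days."""
    return [timeline(0, 0, 1.5, 720, 1440)]

def report(timelines):
    """Mean hours for each (start, end) pairing someone might quote."""
    pairs = [("disclosed", "user_patch"), ("reported", "user_patch"),
             ("disclosed", "source_fix"), ("disclosed", "upstream_binary")]
    return {f"{s}->{e}": round(mean_hours(timelines, s, e), 1)
            for s, e in pairs}

if __name__ == "__main__":
    for name, data in (("embargo batch", embargo_batch()),
                       ("staged release", staged_release())):
        print(name)
        for metric, hours in report(data).items():
            print(f"  {metric:28s} {hours:8.1f} h")
```

For the embargo batch, "disclosed->user_patch" averages 23.5 hours while "reported->user_patch" is 2160 hours for every bug; for the staged release the answer ranges from 1.5 to 1440 hours depending on which artifact counts as the patch.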
Re:he's probably not lying... (Score:4, Funny)
(http://www.medinheaven.co.uk/)
- Linux community touted it as proof patches were fast, because it was into the source tree in 90 minutes
- It took one month before KDE released a new binary compiled with the patch
- It took an additional month before Redhat incorporated this into a patch for their Linux distribution.
The Linux community claimed 90 minutes, when it was really two months.
Or overnight for those of us using Gentoo.
Phillip.
Everyone's talking, but... (Score:3, Insightful)
(http://neurobashing.com/ | Last Journal: Thursday February 08 2007, @10:52AM)
Marketing (Score:4, Informative)
I recently was in a Microsoft webinar regarding patch management. If you are interested, or a glutton for punishment, this [microsoft.com] was it. At one point they showed a histogram on the screen that was intended to show vulnerabilities in operating systems and how MS was beating everyone on the planet. Major Microsoft products were all broken down by release, e.g. Windows 2003, Windows XP, Windows 2000, Windows NT, etc. Linux and BSD were categorized by distribution only, e.g. Redhat, Debian, BSD etc...
Windows 2003 appeared at the far left with only a few vulnerabilities. Windows 2003 was actually the "winner". It even "beat" BSD! Now think about that histogram for a minute. It created false divisions that did an apples to oranges comparison. The sum total of Debian vulnerabilities likely refer to all released versions of a Debian distribution with all possible packages installed while Win2003 likely refers to only a Win2003 retail box installed with the bare minimum options.
Marketing is a black art. I have some personal experience, but NDAs to bind me. It's an art of trying to create and/or shape ideas in the mind of your customers, critics and competitors. The most successful marketing is that which makes them believe they came to the ideas you wish them to hold of their own volition.
Two quotes (Score:3, Funny)
(http://www.sosdg.org/)
Gates also doesn't seem to have a lot of faith in 64 bit technologies in the consumer space. "64 bit is coming to desktops, there is no doubt about that," he said. "But apart from Photoshop, I can't think of desktop applications where you would need more than 4 gigabytes of physical memory, which is what you have to have in order to benefit from this technology. Right now, it is costly."
---------
This coming from the same person who said 640kb is more than enough for anyone?
and this one
---------------
Gates is optimistic about meeting the challenge of the new security threats, he told reporters. "We have to. We invented personal computing. It is the best tool of empowerment there has ever been. If there is anything that clouds that picture, we need to fix it."
---------------
I thought Apple invented personal computing?