most unsecure O/S? yup, it's possibly Linux...

Jake the Dog

Storage is cool
Joined
Jan 27, 2002
Messages
895
Location
melb.vic.au
From WinInfo Update, http://www.winnetmag.com/email :

* MOST UNSECURE OS? YEP, IT'S LINUX.
According to a new Aberdeen Group report, open-source solution
Linux has surpassed Windows as the most vulnerable OS, contrary to the
high-profile press Microsoft's security woes receive. Furthermore, the
Aberdeen Group reports that more than 50 percent of all security
advisories that CERT issued in the first 10 months of 2002 were for
Linux and other open-source software solutions. The report muddles the
argument that proprietary software such as Windows is inherently less
secure than open solutions. And here's another blow to the status quo:
Proprietary UNIX solutions were responsible for just as many security
advisories as Linux in the same time period. Could Windows be the most
secure mainstream OS available today?

"Open-source software, commonly used in many versions of Linux, UNIX,
and network routing equipment, is now the major source of elevated
security vulnerabilities for IT buyers," the report reads. "Security
advisories for open-source and Linux software accounted for 16 out of
the 29 security advisories--about one of every two
advisories--published for the first 10 months of 2002. During this
same time, vulnerabilities affecting Microsoft products numbered
seven, or about one in four of all advisories."

The stunning report makes several claims that seem to fly in the face
of widely accepted beliefs. First, the Aberdeen Group says that
Windows-based Trojan horse attacks peaked in 2001, when CERT released
six such advisories, then bottomed out this year, when CERT didn't
issue any alerts. However, Trojan horse-based attacks on Linux, UNIX,
and open-source projects jumped from one in 2001 to two in 2002. The
Aberdeen Group says this information proves that Linux and UNIX are
just as prone to Trojan horse attacks as any other OS, despite press
reports to the contrary, and that Mac OS X, which is based on UNIX, is
also vulnerable to such attacks. Even more troubling, perhaps, is the
use of open-source software in routers, Web servers, firewalls, and
other Internet-connected solutions. The Aberdeen Group says that this
situation sets up these devices and software products to be
"infectious carriers" that intruders can easily usurp.

According to the Aberdeen Group, the open-source community's claim
that it can fix security vulnerabilities more quickly than proprietary
developers can means little. The group says that the open-source
software and hardware solutions need more rigorous security testing
before they're released to customers. This statement is particularly
problematic because many Linux distributions lack the sophisticated
automatic-update technologies modern Windows versions contain.

We can rail against Microsoft and its security policies, but far more
people and systems use Microsoft's software than the competition's
software. I believe that we'll never know how secure Linux is,
compared with Windows, until a comparable number of people and systems use Linux. But despite the fact that Linux isn't as prevalent as
Windows, we're still seeing a dramatic increase in Linux security
advisories today. I think the conclusion is obvious.

------------

This report can be found at the Aberdeen Group: http://www.aberdeen.com/ab_abstracts/2002/11/11020005.htm (free registration required).
 

Clocker

Storage? I am Storage!
Joined
Jan 14, 2002
Messages
3,554
Location
USA
Interesting post, Jake. I can't say that I'm surprised, however.
 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
The report muddles the argument that proprietary software such as Windows is inherently less secure than open solutions.
I don't think I know anyone who compares open source security to that of commercial OS products. Everyone I know compares product to product regardless of origin.

To me it boils down to Microsoft not making security a priority in their products until recently. Sloppy coding, bad assumptions, a lack of understanding about how their products are used, and not caring about the impact of a security flaw are all hallmarks of Microsoft products (OS, server apps, client apps).

Our MS rep sends us every MS security advisory. We get at least one a week on average. Now, these cover all MS products, but it still points out that MS products continue to have weaknesses.

All is not lost in the MS camp, though. So far I haven't heard of any security flaws in the Natural Keyboard or the Intellimouse. :wink:

- Fushigi
 

honold

Storage is cool
Joined
Nov 14, 2002
Messages
764
eh...

i get all the ms advisories, and they're not as frequent as 1/week. the last i received was the recent ie issue, been a bit before that.
 

ihsan

What is this storage?
Joined
Oct 6, 2002
Messages
66
Location
Petaling Jaya, Malaysia
Website
ihsan.synthexp.net
I read it somewhere, this year, that the hackers no longer consider the Windows platform a viable and "fun" endeavour; it's way too easy, so they decided to go after others, UNIX and Linux primarily. Apparently, the only thing Win32s are any good for is as a learning tool.

I think either The Register or Slashdot ran a story about this, but the archives weren't to be found.
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
You know... this has been said before... but I feel it should be said again

When there is a problem with Apache... people say.. "Oh look at that, another Linux security flaw"

or when there is a bug in Samba... people are quick to blame linux.

But I don't hear anybody saying "Microsoft sucks because winDVD crashes"

Samba was created by Samba people, Apache by Apache people.... Linux by Linux people... they are separate groups. You can't blame one for the other's mistakes.
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
Doezn't anybody read The Regizter? Microsoft have fewer security alerts now than they uzed to because they have upped the criteria for izzuing an alert. No joke!

The Good News: Microsoft Corp will be making fewer warnings of "critical" security vulnerabilities in its products from now on. The Bad News: This is because Microsoft has changed the way it advises users and administrators of vulnerabilities, raising the threshold to require a "critical" advisory.

Steve Lipner, director of security assurance at the company, said yesterday that Microsoft has overhauled its security advisory services to provide less "confusing" technical information to end users. The company has also introduced a four-tier scale to rate the severity of vulnerabilities. Critical-Important-Moderate-Low replaces the old Critical-Moderate-Low scale. The majority of formerly critical warnings would now be classed important, according to the ranking criteria published by Microsoft.

For a vulnerability to be ranked "critical", it now would have to be of the order of magnitude of the Internet Information Services (IIS) buffer overrun that allowed the Code Red and Nimda worms to propagate automatically last year. Holes that allow, for example, files to be stolen or deleted, would now be ranked as "important".


Edited from: http://www.theregister.co.uk/content/55/28191.html
 

Cliptin

Wannabe Storage Freak
Joined
Jan 22, 2002
Messages
1,206
Location
St. Elmo, TN
Website
www.whstrain.us
From the same article:

"The changes we've made will not affect the number of security bulletins we ship. Our goal is simply to make it easier for users to apply necessary patches with the appropriate level of urgency."

The article directly contradicts your post.
 

P5-133XL

Xmas '97
Joined
Jan 15, 2002
Messages
3,173
Location
Salem, Or
Tannin,

Yes, you are correct, but that has been a very recent decision by MS, and the survey that counted the problems is a year-long count. Thus MS's new policy has not affected the survey significantly.

I would argue that the swapping of places is caused by two things. The first is a year-long priority that Bill Gates placed on improving security in MS products. The other is the increased popularity of Linux. The first is decreasing MS's security problems (Yes, I know it is like stopping a river with a finger. But it does matter). More significantly, as Linux gets more popular the hackers start targeting it, and thus problems are being discovered that have for years gone unnoticed. Thus the number of security alerts has increased dramatically for Linux.
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
The Aberdeen Group pops up from time to time, usually to promote Intel or bash AMD. They clearly believe in giving their employers value for money, albeit at the expense of ethics or credibility.

The attack on AMD's PR rating: http://www.theinquirer.net/?article=3029

The author's point that the rating will become obsolete is disingenuous - all benchmarks become obsolete.

From letters to The Inquirer:

If Mr. Kastner is any kind of analyst at all he well knows that MHz/GHz ratings are what the average consumer looks at when deciding whether to buy a PC with an Intel or an AMD processor.
...
I applaud Mr. Kastner's apparent concern that the customer not be deceived; however, I have to wonder where his concern was last fall when Intel was matching up 2.0 GHz processors with PC133 SDRAM.
...
If he has such heartburn about PR ratings "confusing" the consumer, then what about Intel "confusing" the consumer by introducing a new processor family, the P4, with a higher clock but worse IPC and hence lower performance for the same clock speed of a P3? Intel abused the notion of price/performance with the P4 by realizing that the average consumer equates this to price/MHz.

His very comment reeks so bad of bias that he would have been better off not saying anything at all.
...
I don't get one other thing... he [Peter Kastner] says that Intel paid him nothing or whatever, yet you said that Intel told you that they did pay for it. Care to comment on that?
...
Mike Magee writes: Just after I filed my second piece on the Aberdeen Group, in which AMD responded to the report and filed midday UK time on the 27th of March, I received a call from Intel. I had asked the previous day whether Intel had funded the report and the representative said that he had investigated and his company had funded the research, although he claimed that made no difference as to the objectivity of the report.

And this is particularly interesting:

Regardless of what Aberdeen says, it's pretty obvious where/who they get their directions from.

Intel is already a market leader, Aberdeen says (Tech Web news).

Now, that's quick market penetration. The Itanium 64-bit architecture from Intel Corp. (stock: INTC) has yet to be formally launched in volume, but already one analyst group is projecting it to dominate the market.

The Aberdeen Group, Boston, projects the chip and its successors to control 42 percent of all server revenue by 2005.

Aberdeen analyst Gordon Haff predicts systems based on the Itanium architecture will be broadly deployed starting in the first half of 2002 and will span a wide range of operating systems and application environments.


Here's a little more.

Aberdeen's White paper on "Who benefits from early Itanium adoption" is Google cached here.

And this, another white paper that is almost hilarious. The link is to a 21 page PDF. here.

It seems as though Aberdeen is a sophisticated press release research firm.

So now Microsoft is paying Aberdeen, obviously.

This little snippet cracks me up:

However, Trojan horse-based attacks on Linux, UNIX, and open-source projects jumped from one in 2001 to two in 2002. The Aberdeen Group says this information proves that Linux and UNIX are just as prone to Trojan horse attacks as any other OS ...
:rofl:
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
Cliptin: rubbish. That's a selective quote you gave, from an M$ PR flunky, that directly contradicts the things that he himself announced! It was obvious PR bullshit with no relationship to the facts, and I left it out for that reason.

Mark: yes, your points are valid. However, Micro$oft have long had a policy of only releasing certain security alerts and sitting on others in the hope that if they say nothing no-one will notice. How many times have you read about a demonstrable hole being notified to M$ and then nothing happening at all? I don't pay too much attention to this stuff as none of my security-critical stuff is hosted on Micro$oft operating systems and it's not a particular area of interest for me, but just the same, any regular reader of the trade press will be familiar with this scenario. It's quite common.

Secondly, I question the methodology of comparing the number of security alerts issued by the entire open source community on the one hand, vs the monolithic Micro$oft empire on the other. What grounds do we have for believing that there is parity of any kind between these two very different reporting methods? Why, none whatever, so far as I can see. (One might infer from this that I am suggesting that a higher proportion of Linux bugs get reported than M$ ones - not so. I am suggesting that we simply have no way of comparing them and that, using this approach to attempt to do so tells us nothing useful at all.)

Third: I find it deeply suspicious that shortly after M$ suddenly discover security after decades of not having the faintest idea about it, and more-or-less simultaneously discover that Linux is a very serious threat to their monopoly, (a) they start trying to shut a few stable doors in their own software and making a lot of PR fuss about it, and (b) the number of security hole reports about the competing product suddenly increases.

I smell FUD. I'm not sure where it's coming from or how much of it there is, but there is an unmistakable hint of that sickly-sweet M$ FUD stench in the air again.
 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
honold said:
eh...

i get all the ms advisories, and they're not as frequent as 1/week. the last i received was the recent ie issue, been a bit before that.
Well, there's the moderate alert regarding W32.HLLW.Winevar yesterday, the critical IIS bug from 11/20, the announcement of the change in reporting (what Tannin mentioned) on the 18th, the moderate alert regarding W32/Braid@mm on the 4th, and security bulletin MS02-061 on 10/17. Hmm, 02-061 .. could that be the 61st bulletin of 2002?

Yes, of late they do seem to be slowing down. But they still come out far too frequently.

Regardless, companies should not have to check for patches weekly. Every decently sized corporation creates a production server image that is tested against all known server apps. That image is then frozen from changes & released to production. You do not revise the image weekly or even monthly to accommodate server patches because the OS vendor released a product with more holes than a flour sifter. You can't. Besides the administrative overhead of waving out updates to 100+ servers, you have to test the patches against every known server application (or check with every application vendor) to make sure the application functionality isn't compromised by the patch.

If you think that's rubbish, I can recite at least 2 apps, critical to our business, that are preventing us from upgrading to W2K SP3 because the vendors have not certified the apps as compatible with SP3. One app is known to fail under that environment.

Our only real recourse for the moment is to have our Windows servers run AV updates nightly to make sure they're current on AV protection. Of course that can't catch everything -- not even close -- but it's all we can do.

For a bit of perspective, the other systems I manage are updated on average twice a year. Once to stay current with OS releases and the second time for the latest fixes & updates; usually for added functionality & performance and not security. They don't need AV software because there are no viruses for the platform.

I'm not arguing for or against MS, Linux, or any other product. My position is simply that security flaws continue to exist in products that did not have security seriously considered when they were developed. Bolting on security after the fact is not really adequate. Security has to be integrated into the core of the OS at the most basic level.

- Fushigi
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
I'd suggest anyone who's interested read the advisories themselves:

http://www.cert.org/advisories/

I think they well and truly prove my point about Aberdeen.

For what it's worth, I counted the following:

Alerts involving Linux platforms but not Microsoft:

#15 Denial-of-Service Vulnerability in ISC BIND 9
#18 OpenSSH Vulnerabilities in Challenge Response Handling (all but one of the distros said it didn't affect them)
#19 Buffer Overflows in Multiple DNS Resolver Libraries
#23 Multiple Vulnerabilities In OpenSSL (5 vulnerabilities)
#7 Double Free Bug in zlib Compression Library (not confined to open source software - even affected Novell's JVM)

I didn't include the two Apache alerts - after all, it's available for Windows as well. Conversely, I excluded the Macromedia JRun problem, although it is specific to IIS.

I also didn't include the two PHP advisories because they affect any web server, including IIS.

Radius is also used with Microsoft servers, so it didn't count.

Four alerts appear to be more or less Sun-specific, and there's a couple that affect particular Unix systems.

Kerberos and XDR issues affect everyone.

AOL, Yahoo and Oracle got their names up in lights.

The two trojans don't attack production systems at all! Downloadable source code was hacked to include a trojan horse, but in both cases this was discovered and corrected, and the code never made it into any kind of distribution.

That leaves four Microsoft advisories:

#4 Buffer Overflow in Microsoft Internet Explorer ("This vulnerability could allow an attacker to execute arbitrary code on the victim's system when the victim visits a web page or views an HTML email message")
#9 Multiple Vulnerabilities in Microsoft IIS (This links to ten separate "vulnerability notes"!)
#13 Buffer Overflow in Microsoft's MSN Chat ActiveX Control
#22 Multiple Vulnerabilities in Microsoft SQL Server ("Since December 2001, Microsoft has published eight Microsoft Security Bulletins regarding more than a dozen vulnerabilities in the Microsoft SQL Server. This document provides information on the five most serious of these vulnerabilities; references to the remainder are provided in Appendix B.")

You can see how Microsoft has 'reduced' the number of CERT alerts. If you tally the vulnerabilities (which is unscientific), you get 9 for Linux and 20 or so for Microsoft.

Lies, damned lies and statistics.
 

Cliptin

Wannabe Storage Freak
Joined
Jan 22, 2002
Messages
1,206
Location
St. Elmo, TN
Website
www.whstrain.us
Tannin said:
Cliptin: rubbish. That's a selective quote you gave, from an M$ PR flunky, that directly contradicts the things that he himself announced! It was obvious PR bullshit with no relationship to the facts, and I left it out for that reason.

Stamping your feet and making things up do not an argument make. I suggest you re-read the article.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,269
Location
I am omnipresent
Tannin is correct in saying that Microsoft upped the criteria for issuing a security notification. Microsoft also has instituted some other interesting practices, like not notifying the public of severe bugs/security problems until after a patch has been made, and not acknowledging that some behaviors are, in fact, problems.

Let us not forget, however, that most bugs (security related or not) in Linux or any other open software, are fixed in a matter of hours, rather than days or weeks. Microsoft, as a monolithic vendor, fixes problems only when it suits Microsoft to do it, which is why, on a recent list of IE and Mozilla bugs, 9 of the 10 bugs for Mozilla were fixed by the time the list was published, while several (five? six?) of the IE bugs remain unfixed to this day.


Lastly, I'd like to say that the Aberdeen group is generally considered to be a mouthpiece for its employer. Unbiased surveys and evaluations are very hard to come by in the IT world. I really can't think of any, to tell the truth.

If it's any consolation, Microsoft and Novell used to fling similar studies at each other, and not too long ago, Microsoft and Sun did likewise. And of course there's "Oracle vs. the World" in the database realm. None of this is anything new.

In the end, the only evaluation that matters is that of the guy who decides which systems should be invested with time and/or money.
 

zx

Learning Storage Performance
Joined
Nov 22, 2002
Messages
287
Location
Beauport, Québec, Canada
I think there is no way to evaluate which OS is more secure. Windows gets bashed because there are many attacks on it. But there are more people running windows, and I believe that there are more people who will take windows as a target. That must be considered.

However, I agree that the report is somewhat flawed. Take the quote :

"This statement is particularly
problematic because many Linux distributions lack the sophisticated
automatic-update technologies modern Windows versions contain. "

Hummm....being a part-time IT professional, I can't remember when our windows server took advantage of windows auto-update. Usually, if a server runs a mission critical application, auto-update is useless. Updates will get applied much after they have appeared since the server can't reboot. That's the same thing as manual update.

Anyway, windows or not, patches should be kept to a strict minimum. I don't use/administer linux much, so i can't comment on that. However, since i use windows often, i can say that i'm not satisfied with microsoft's approach to security. I got infected with trojan horses 2 times during the summer (yes, with SP3, auto-update, and all patches installed). It mixed up all my security settings. I had to add everyone to the admin group to make file sharing work. Fortunately, that's just my home computer. Imagine that happening on a server!!!
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
I find it funny that all of those OpenSSL problems were fixed before CERT posted anything about them.... same with the ISC BIND 9. A patched version that fixed this problem was available months before CERT posted about the vulnerability.

These kinds of things speak clearly to me that open source programs are often more quickly patched when there is a problem, and are often more secure by their very nature (everybody can see the code, so you can't release crappy code and expect that nobody will find the flaws).
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,269
Location
I am omnipresent
zx said:
Usually, if a server runs a mission critical application, auto-update is useless. Updates will get applied much after they have appeared since the server can't reboot. That's the same thing as manual update.

Just to amplify...
A server is, or should be, a controlled environment. Ideally, nothing should be installed on one that has not been tested first. Blindly applying patches and updates is a great way to get fired from a job.
In the worst cases, such as the case with one of the servers I administer right now, a single server-side application can break from even minor changes in environment; on that machine, I can't install updates until a new version of my app is released that tells me which updates I can install, how, and in what order to install them. That's even worse than manual updates, IMO.
 

Cliptin

Wannabe Storage Freak
Joined
Jan 22, 2002
Messages
1,206
Location
St. Elmo, TN
Website
www.whstrain.us
Mercutio said:
... Microsoft upped the criteria for issuing a security notification.

Can you cite a reference so I can file it away for future reference? How are you defining "security notification"? Where does CERT get its information from to issue bulletins?
 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
Here's the message about the change in notification. Names have been Xed out:
From: xxxxx xxxxx [SMTP:XXXXXX@MICROSOFT.COM]
Sent: Monday, November 18, 2002 10:11:21 AM
To: xxxxx xxxxx
Subject: IMPORTANT: Changes to the Microsoft Security Bulletin Severity Rating System
Importance: High
Auto forwarded by a Rule

Greetings:

The Microsoft Security Response Center is modifying the severity rating scheme for Microsoft issued security bulletins. These changes will be announced on Monday afternoon, November 18, 2002. Please review the following changes.

Microsoft Security Response Center Security Bulletin Severity Rating System (Revised, November 2002)

The mission of the Microsoft Security Response Center (MSRC) is to help our customers operate their systems and networks securely. A major part of this mission involves evaluating customers' reports of suspected vulnerabilities in Microsoft products and, when necessary, ensuring that patches and security bulletins that respond to bona fide reports are produced and disseminated.


The MSRC issues a bulletin for any product vulnerability that could, in our judgment, result in multiple customers' systems being impacted, no matter how unlikely or limited the impact. However, this conservative approach to identifying vulnerabilities that require action on our part may also have made it more difficult for many customers to identify those vulnerabilities that represent especially significant risks.


All too often, customers fail to install the security patches that would protect their systems. In industry experience – graphically illustrated by the Code Red and Nimda worm viruses – attacks that impact customers' systems rarely result from attackers' exploitation of previously unknown vulnerabilities. Rather, such attacks typically exploit vulnerabilities for which patches have long been available, but never applied.

Not all vulnerabilities have equal impact on all users. This document presents our security bulletin severity rating system. This system, which we revised in November 2002 based on customer feedback, is intended to help our customers decide which patches they should apply to avoid impact under their particular circumstances, and how rapidly they need to take action. Customers have encouraged us to include this information in our bulletins to help them assess their risk.


The Severity Rating System:
The severity rating system provides a single rating for each vulnerability. The definitions of the ratings are:

Critical:
A vulnerability whose exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action


Important:
A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources.


Moderate:
Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation


Low:
A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

We will, where appropriate, point out cases where the severity of a vulnerability depends on system environment or use. The ratings will make the conservative assumption that the vulnerability is known and that code or scripts that exploit the vulnerability are widely available.

Using the System:
We will apply this severity rating system to each newly-issued security bulletin from this point forward. With regard to patches that address multiple vulnerabilities, we will label each according to the most serious new vulnerability that it eliminates. In addition, the associated bulletin will always provide ratings for each issue described.


We believe that customers who use an affected product should almost always apply patches that address vulnerabilities rated “critical” or “important.” Patches rated “critical” should be applied in an especially timely manner. Customers should read the security bulletin associated with any vulnerability rated “moderate” or “low” to determine whether the vulnerability is likely to affect their particular configuration. We believe that patches rated “low” are less likely to affect most customers.

While this severity rating system is intended to provide a broadly objective assessment of each issue, we strongly encourage customers to evaluate their own environments and make decisions about which patches are required to protect their systems. This information will be available on Monday, Nov 18, 2002 at http://www.microsoft.com/technet/security/policy/rating.asp

If you have any questions regarding this please contact your Technical Account Manager or Application Development Consultant.

Thanks.

-xxxxx

----
xxxxx xxxxx
Field Technical Account Manager
Microsoft Corporation -- Midwest District
(xxx) xxx-xxxx - Office
(xxx) xxx-xxxx - Mobile
E-mail Hours: 9a-10a | 4p-5p Central
 

Cliptin

Wannabe Storage Freak
Joined
Jan 22, 2002
Messages
1,206
Location
St. Elmo, TN
Website
www.whstrain.us
Tannin said:
Cliptin, you are talking nonsense.

Hey, I'm not on a crusade here; I just thought you might want to be accurate. :eekers: It certainly takes less of my time for you to read the article again and see your mistake, but if it's important to you and you want me to, I can spell it out. Otherwise, consider it dropped. :)
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
The Register said:
Microsoft Corp will be making fewer warnings of "critical" security vulnerabilities in its products from now on.
"Critical" vulnerability = Warning = Alert
"Important" vulnerability = No Alert

Cliptin, I give up - which part don't you understand? :)
 

Cliptin

Wannabe Storage Freak
Joined
Jan 22, 2002
Messages
1,206
Location
St. Elmo, TN
Website
www.whstrain.us
It seems that they are reducing the number of "critical" reports but introducing a new category of "important". Is there any reason to believe that there will be fewer security reports overall, as Tannin has opined?

Who thinks that stuff labeled important is not important but only things labeled critical are important?

This is besides the fact that CERT has different criteria for their levels.
 

zx

Learning Storage Performance
Joined
Nov 22, 2002
Messages
287
Location
Beauport, Québec, Canada
Mercutio said:
zx said:
Usually, if a server runs a mission critical application, auto-update is useless. Updates will get applied much after they have appeared since the server can't reboot. That's the same thing as manual update.

Just to amplify...
A server is, or should be, a controlled environment. Ideally, nothing should be installed on one that has not been tested first. Blindly applying patches and updates is a great way to get fired from a job.
In the worst cases, such as the case with one of the servers I administer right now, a single server-side application can break from even minor changes in environment; on that machine, I can't install updates until a new version of my app is released that tells me which updates I can install, how, and in what order to install them. That's even worse than manual updates, IMO.

Yes, it's almost ridiculous that they think auto-update will make windows more secure. Not only is auto-update useless for servers, but in an enterprise environment, users cannot install updates themselves on their workstations. I remember that we deployed the auto-update feature to users, but it was useless because a regular user does not have privileges to run auto-update. The update runs only when an admin is logged in; in other words, it's the same thing as running windows update...

The only ones who benefit from auto-update are home computers or very small networks (workgroups). In an enterprise environment with a windows domain, auto-update is almost useless.
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
I don't see a problem there. The question, I guess, is would the cost be justifiable for IBM? And also, now that I come to think of it, time to market. IBM are absolutely brilliant at producing great, superbly engineered software of design spec A about two years after the need for A has disappeared and everyone wants B. There are people who think that tainting the virginal purity of open source with actual commercial success is immoral and probably makes you go blind. I think these people are blind, and probably got that way through an excessive application of the usual method.
 

Buck

Storage? I am Storage!
Joined
Feb 22, 2002
Messages
4,514
Location
Blurry.
Website
www.hlmcompany.com
Yes it would be justifiable if IBM and their partners are truly interested in leveling the software playing field with Microsoft. The initial investment would eventually pay off if they stuck to their guns and reloaded when the round was depleted. Although the computer world works in very short time periods, looking 5 to 10 years into the future is still critical.
 

Cliptin

Wannabe Storage Freak
Joined
Jan 22, 2002
Messages
1,206
Location
St. Elmo, TN
Website
www.whstrain.us
It would be perfectly legal to start with say RH. IBM could clean out the fluff (programs that duplicate each other) in favor of a singular experience that is easy to install and support. They have the name recognition to get the ball rolling and they are already working with it.

Who cares what their motivation is! As long as they abide by the appropriate licenses.

Perhaps they should start with FreeBSD instead. It has a much more open license. OS X is based on it.
 