“I was somewhat surprised (but pleased) at the level of interest back when I published my Windows Vista – 90 Day Vulnerability Report. It was about the earliest span of time I thought might give us some indicators, and the indicators did look good. Six months is a much more interesting time frame, and gives us the opportunity to see if the early trend indicators are holding up, or if the early signs of progress were a short-term gain.”
Let the usual flamewar begin.
Cancel or Allow?
Yeah, this thread ought to get pretty nasty as the day rolls on.
I’m inclined to just think MS has indeed done a better job with Vista. Perfect? Definitely not, but MS is learning from past mistakes, and perhaps the mistakes of others as well.
I think the jury is still out on Vista over the long haul, but it certainly looks encouraging. I’m more than confident that the Stallman army will come out of the grasses to proclaim that regardless, Windows Vista is horrible, bloated and a security nightmare.
I certainly think there’s an argument on the weight of Vista, but on security the arguments are certainly starting to even out compared to Linux, Unix and MacOS.
Horrible, is merely an opinion.
Edited 2007-06-25 23:29
Yes, and there was much expectation. I guess the solution in the long term is Linux. Period.
Here is my critical analysis of the vulnerability report (the pdf):
First of all, I wanted to know who paid for this analysis. And I was not really surprised:
“Jeff Jones is a Security Strategy Director in Microsoft’s Trustworthy Computing Group”
Second, I read in detail about the used metrics, to find the usual flaw (comparing Windows to a full Linux distro), but did not find it. They actually made some effort to strip down the distributions a little to make the feature set covered more equal (although it was not mentioned in detail how much the distros have been stripped down). Nevertheless, KUDOS so far!
Third, I wanted to see different metrics, like “Worms in the Wild” during those 6 Months, or “Number of days during which a vulnerability was actively exploited before a fix arrived”. None to be found.
So the most conclusive thing which remains is the following:
In this report Windows XP looks as if its security were FAR better than for any Linux distribution. As we all know, Windows XP before service pack 2 was regularly plagued by virus and worm outbreaks, which were almost absent for Linux. Even if only counting manual attacks on larger machines, only 50% of the cracked machines were Linux, when they had a higher market share in the webserver business than 50%. It seems like in this report the wrong metric has been used.
So for XP my conclusion is: There have been so few vulnerabilities disclosed, because nobody who looked out for vulnerabilities had an interest in disclosing them. The crackers kept them to themselves so that they could exploit them, and Microsoft kept them to themselves to avoid bad press. On the other hand, in an open source distribution there is no such thing as a vulnerability which is not disclosed by the vendor, only the crackers keep vulnerabilities secret.
In effect, one could even twist the conclusion of the study around: Linux had more vulnerabilities fixed than Windows, hence it must be more secure. This would be true for equal total numbers of vulnerabilities in each codebase (an unknown number of course).
I do explicitly not want to make people think that Vista has to be worse than XP because fewer vulnerabilities have been fixed, it is very likely that the opposite is true, but what I want to clearly say is:
This vulnerability report says absolutely nothing about the risk of being exploited with any of the covered systems. It does not say that Vista is better than XP or that Linux is better than Vista, or the other way around, regarding security.
Sadly, the Microsoft public relations machine does spin it like such a conclusion would be possible. And that is the REAL reason why to be outraged.
MS never learns, they like to make it harder for developers to make firewalls, antispyware and things alike so that people rely on their flawed products. When I use Windows I like to have basic functionality (load up programs/games/DC/torrent clients). System Restore would make any Win95 user happy back in the day when crashes were common; seems Vista goes back to that when their aim is to be incompatible with most programs.
As for vulnerabilities, I ain’t surprised: basic functionality in Vista is 1 GB, no doubt with security holes; the other 9 GBs with “security features” are new vulnerabilities.
I turned off System Restore/Windows File Protection, I even removed Active Desktop in XP, which resulted in more security.
But if they learned from the mistakes they would long ago have made a small, easy to maintain basic functionality OS where the user would make reboots to a mode where nothing except for what’s installed would run.
But then again Steve Baldmer isn’t exactly famous for being very smart.
Jeffery Jones, the author of this article, was a speaker at TechEd (who I quoted in the article about TechEd). He mentioned this report was coming out there; at least the number of unpatched Vista bugs has gone down in the interim from 50% to just one left.
Honestly, I’m surprised by the numbers. I thought that when the various pack-ins included by the non-Windows competitors were taken out and they compared apples to apples, the numbers would be much closer together than they are. Then again, this could be a difference indicated by their business models: Microsoft primarily profits from their first-round sales, while Red Hat and Novell (et al) primarily profit from selling support.
Edited 2007-06-25 21:15
I wish he’d provide a full list of the actual issues in some independent tracking system somewhere. Even the full report doesn’t include these, only a more extensive analysis of the numbers which he provides and which, in the absence of references, we have to take on trust. Due to this, the report is basically impossible to verify without duplicating all his work.
“Even the full report doesn’t include these, only a more extensive analysis of the numbers which he provides and which, in the absence of references, we have to take on trust.”
Given how far up the food chain he is over at MS (executive level) I’m willing to take what he says as fact, lest he bring on a serious PR nightmare for MS’s security division.
The PDF is where the real meat is for anyone who hasn’t read through it yet.
As I said, I read the PDF, the info I mention is not there.
I’m not saying I suspect the report is intentionally misleading or in bad faith, I don’t believe that. I’d just like to take a look at what the patched and unpatched issues for each product are and see if the overall report is an accurate reflection of the actual security profile in each case.
Edited 2007-06-25 21:41
I wasn’t calling you out specifically hence why I said “for those who haven’t read it yet.” I know a lot of readers around here A) have a tendency not to open up PDF’s and B) have a tendency to comment on articles without first reading them in their entirety.
🙂
No argument there, I agree entirely.
First of all, like he says in the article, he works for Microsoft as a security expert. However unbiased he might try to be here, he is not likely to make his own professional work look bad in any way, is he? But let’s not go into that now.
I’m not really sure how useful and practical this kind of purely quantitative security comparison (counting the amount of publicly known vulnerabilities) is in the end?
Your operating system might have just one vulnerability, but if it is bad enough, it might make it worse than a dozen smaller “critical” vulnerabilities in another OS.
Quantitative statistics just don’t often give a very reliable picture of qualitative matters, and I think that computer security is much more a qualitative than a quantitative matter.
One qualitative difference between open source operating systems and closed source operating systems is in the open/closed source thinking. It is much more likely that more eyes looking at the open source code also tend to find more weaknesses in it than those few proprietary coders looking at their own closed source code.
I also have a hunch that in the open source world code vulnerabilities might be called “critical” more easily than in the closed source world? In the open source world there’s no excuse for bad coding, somebody will notice it quite soon anyway, if the software/code is of any real significance to other people.
If, for example, Debian has a vulnerability, they readily admit it right away, warn people about it even before there’s any fix yet, and then try to fix it as soon as possible.
In the closed source world, however, how would outsiders be even capable of researching the code, when it is closed? So, who knows, there might be some big hole in the code, just waiting to be exploited. Sounds like that might have also happened quite a few times in the past, doesn’t it?
I just wanted to comment on two parts of your post.
“Your operating system might have just one vulnerability, but if it is bad enough, it might make it worse than a dozen smaller ‘critical’ vulnerabilities in another OS.”
Actually, he touched on that in his TechEd lecture. In his criteria, all bugs that caused remote code execution were ‘critical,’ because those were the ones most likely to be exploited for criminal use. However, some companies don’t feel the same way — and he showed us some remote code execution bugs that in the official reports were marked as being of ‘trivial’ importance.
Unfortunately, the definition of a ‘critical’ bug is not agreed upon industry-wide, which makes this sort of analysis harder to do.
“In the closed source world, however, how would outsiders be even capable of researching the code, when it is closed?”
Although this doesn’t speak to closed source in general, Microsoft has a number of programs for licensing out the Windows source code:
http://www.microsoft.com/resources/sharedsource/licensing/windows.m…
Large businesses and governments are the ones most likely to get access, followed by Microsoft MVPs and OEMs. Heck, even I might be getting a copy of Windows’ source in the near future, because in a semester or two I’m going to be taking an OS class and writing an application to get access to the Windows Research Kernel…
Edited 2007-06-25 21:51
“Unfortunately, the definition of a ‘critical’ bug is not agreed upon industry-wide, which makes this sort of analysis harder to do.”
That’s what I meant. Until there’s common criteria for things like critical vulnerability, it is very hard to do objective quantitative comparisons. Like in politics, what someone considers a critical problem, might not be a problem at all according to someone else. For example, there are many security professionals who consider closed source to be a very big risk in itself, while, of course, some others strongly disagree.
From a scientific point of view, this comparison (done by a Microsoft security specialist) could be put into perspective only when compared to similar studies done by their competitors (Redhat, Apple, etc.). Until then, it cannot be called objective scientific research.
Anyway, Windows Vista should be much more secure than its predecessors, when you consider how much effort MS has seemed to put into improving their security. So congrats to Microsoft people for that.
This is just more “get the facts” FUD. I am sure there are countless vulnerabilities hidden in that bloated Vista code. A comparison of Linux and Vista code would be very amusing, but of course, MS would never show us that mess.
Supreme Dragon, just for one day I’d love to see you try to eliminate the words “Vista” and “FUD” and “Pathetic (et al)” from your vocabulary. Better yet, just stop participating (and I use that word very loosely in this case) in Windows-centric threads period.
You can do it man…I have faith in you.
Edited 2007-06-25 22:07
If MS would finally release a quality OS, and stop abusing their customers, people would not have much to complain about. But of course, that will obviously never happen, they would rather try to force people to buy DRM infected garbage at ridiculous prices, and spread “get the facts” lies and patent propaganda.
http://www.theinquirer.net/default.aspx?article=40533
I’m adding “garbage” to my aforementioned list of banned words for you today as well.
Look, there’s a difference between complaining (which means mentioning it once or twice through the appropriate channels) and just all out whiny bitching, which seems to be what you think OSNews is all about: Whining about Windows.
I feel Vista is a quality OS, I don’t feel abused in the least, and I certainly don’t feel forced to use MS software. Millions of other folks feel the exact same way.
Also, linking to theInstigator.net does nothing to build credibility in a debate about MS. Then again, you’d be a perfect fit as a staff writer over on their site, perhaps they are hiring?
“I feel Vista is a quality OS, I don’t feel abused in the least, and I certainly don’t feel forced to use MS software. Millions of other folks feel the exact same way.”
That is sad……. very, very sad.
Uh.. how can you be so sure? How do you know it’s a mess? How do you know it’s amusing? Please prove your assertion. I’m betting you cannot.
If anything, you’re the one spreading FUD.
Linux code is available for all to see, and Linux has an impressive record of stability, reliability, security and performance. MS won’t show the code and the reason just might be embarrassment. Windows has a horrible record of shoddy quality, and the DRM and frightening EULA makes Windows an even more wretched choice. To even suggest that Windows code could possibly match Linux is hilariously nonsensical.
That doesn’t mean everyone looks at it, less understand it.
Tell that to all the people who complain about slow distributions, random crashes and serious vulnerabilities.
In my view, Microsoft don’t show the source code because it’s their intellectual property. Why should they show it just because any particular community wishes so? Hell, why not demand every closed source product have its code made freely available. Without doubt, you won’t be analysing it all to ensure its “stability, reliability, security and performance.”
Maybe, though I expect you to trash the concept without any rationale, Microsoft have developed a good way to protect their operating systems.
Opinion. Many would vigorously disagree with this point of view. I do agree on one of your points however.. it’s a choice.
I didn’t, but regardless how can you make such an assertion without seeing it? They’re two different products with different designs.
Comparing them, as we are so regularly told in these sorts of “conversations” is like comparing apples or oranges… or maybe it should be oranges first, since I like them more, so it just has to be better.
Supreme.Dragon may be a fanboy, but your “facts” about Linux are as weak as his “facts” about Vista. Not flaming, just pointing it out. Rebutting a fanboy without any reliable information is worthless.
Disclaimer:
I’m a GNU/Linux user. I’m human and I suppose I can’t avoid a certain amount of bias.
Despite the fact that I consider Vista way better than any other Windows release (not enough to go and buy it for my personal use, though), I can hardly believe that Vista has so few security issues. Even keeping out the comparisons, those are some really (too) good numbers. And no one can deny that the article lacks a lot of accuracy when talking about the GNU/Linux distros. Heck, even being an Ubuntu user I can’t believe that Ubuntu, without all the security enhancing features of Fedora, ends up being more secure than Fedora itself!
I’d love to see more facts, more details and fewer numbers, but I’m afraid that that won’t happen anytime soon.
It could be just that Ubuntu doesn’t get good security testing directly in their distro so they put out fewer patches? All of his numbers are based on what he sees in the patch data…
I will tell you that I can believe Windows has few security issues. Microsoft hired a huge number of penetration testers in addition to having a large and onerous security process in developing their software. Vista is the first consumer OS released that was developed under the security regime, so it is expected to be a significant leap over XP. Read Michael Howard’s blog sometime…
“but your “facts” about Linux are as weak as his “facts” about Vista”
Sorry? What facts are weak? That not everyone who uses Linux looks at the code? That there are people complaining about slow distributions, random crashes and serious vulnerabilities? That you can’t compare the quality of open Linux code with unknown MS code that you haven’t seen?
Which of these statements aren’t true? I’d really like to know.
I haven’t seen anyone complaining about serious vulnerabilities lately (where have you?), and the “not everyone looks at the code” point is a straw man: no-one ever said every user of open source looks at the code, and that doesn’t _need_ to happen for open source to be useful.
“I haven’t seen anyone complaining about serious vulnerabilities lately (where have you?)”
Maybe you’re looking in the wrong place? Of course there have been serious vulnerabilities and people complaining about it. Heck, just read some osnews postings.
“‘not everyone looks at the code’ point is a straw man:”
That wasn’t the point. Not everyone does look at the code. It’s a fact. It’s not a good argument but it’s not untrue.
The original statement was that the fact that the code was available for all to see automagically made it better. That’s untrue. Being freely available does not in itself make the code better.
“Sorry? What facts are weak? That not everyone who uses Linux looks at the code? That there are people complaining about slow distributions, random crashes and serious vulnerabilities? That you can’t compare the quality of open Linux code with unknown MS code that you haven’t seen?
Which of these statements aren’t true? I’d really like to know.”
English isn’t my native tongue, but I think that “weak” isn’t exactly the same as “false”. I might be wrong, though. My point was that you were pulling those facts out of nowhere, just like him (ok, he was quoting The Inquirer).
But whatever man, sorry if I interrupted your flamefest, maybe that is more fun than actually discussing the topic.
One Windows-specific measure or metric of security is the number of worms sweeping the world’s computers right now. In the earlier part of this decade, Windows-specific worms were rampant, even bringing parts of the ‘net down. We haven’t had such an attack in a long time, and that, IMHO, is a sign that Microsoft truly is learning and getting better. I call this the Finger in the Air metric.
As to comparing Windows with others, I have my doubts like the discussion above – what is a critical bug, what does patching it really mean (i.e. what if later on the patch turns out to have opened a new hole?), and when that’s decided, I’d like to see the full list of bugs considered for a report, what their classification was and why.
As for which OS is the most secure, it’s the one you know best. I have little experience in fully locking down Linux but can lock down Windows very well. Even if someone argues it takes more steps for me to secure Windows, the end result will still be better with Windows. Likewise for someone who knows Linux (or anything else) better.
>>I call this the Finger in the Air metric.
Haha, this one made me laugh … just wondering what finger it is that is in the air though 🙂
Disregarding Vista for the moment, given this comparison, why is it that Windows XP still has more real world security problems than Linux and Mac? Given his numbers (and I have no reason to doubt them), Linux looks to be an absolute disaster with respect to security compared to Windows XP.
So now the question is, why is this not reflected in the real world? Why would Linux be so widely used on servers if it was as insecure as this paper seems to indicate?
I don’t know the answer to that question, but I do have a question about the paper. His methods seem solid, except for the reduced Linux configuration. He mentions he excludes Openoffice and some graphics packages and calls that the “reduced” linux.
I’m not sure about RHEL, but I know that Ubuntu comes with a lot more packages installed than that, and most of those have no equivalent in a base Windows install. Also, many of those security vulnerabilities will be very low risk, even though they are rated as critical. If your PDF viewer has a code execution vulnerability, it is not nearly as serious as your web browser having the same problem.
Now he mentions that he did not remove other packages because he did not think that users would remove packages in the default install. While that is a fair observation (more packages increase risk), it also makes the final verdict pretty useless. For a balanced comparison, he should set up his Linux workstations such that they have one equivalent application for each piece of extra software that Windows XP ships with. Take out everything else and then compare vulnerabilities. I would be very interested to see the result.
Edited 2007-06-25 22:52
“Disregarding Vista for the moment, given this comparison, why is it that Windows XP still has more security problems than Linux and Mac?”
I would guess that it’s because they’ve put Windows XP into the ‘extended support’ phase of support (after 5 years but less than 10 years), where only critical bugs are patched immediately and some aren’t patched at all, while Vista is deep into its ‘primary support’ phase (release to 5 years), where all bugs are patched ASAP.
“Why would Linux be so widely used on servers if it was as insecure as this paper seems to indicate?”
Years of legacy UNIX support, from back when actual UNIX (not *nix) ruled the field?
“His methods seem solid, except for the reduced Linux configuration. He mentions he excludes Openoffice and some graphics packages and calls that the ‘reduced’ linux.”
Earlier, he was criticized for not comparing ‘apples to apples’ — i.e., Windows only has a base set of software included, while Linux distros can include lots of third-party software in their default installs, some of which (like Open Office) have so many vulnerabilities that it markedly biases the results against Linux if their vulnerabilities are included with the base OS. He tried to eliminate that factor in this report, probably to compare the security of the underlying OSs.
If you have a little look at page 10 you can see something very interesting.
Vista has the worst percentage fixrate for disclosed vulnerabilities, XP actually comes out top.
You can see why the graph for critical vulnerabilities was chosen to show Vista in its best light.
Nice observation, I never noticed that. Thanks
Let’s talk about ‘Lies, damned lies, and statistics’.
It seems a bit strange that this report seems to be in major conflict with Secunia .. anyway .. it may be defective after all. BUT one should ask: ‘where is that damned list?’
Because in the report (PDF version) there are only some links to security-focused sites and some rules, which are used (or at least he writes so) to count vulnerabilities. I really couldn’t find the list nor analysis.
And one question remains: if RedHat is so buggy and filled with holes … why hasn’t each server out there been hacked? But corporate servers are still spinning and the internet ain’t stopped too … just curious.
p.s. They say that 83% of all statistics are lies. Think about that for a second.
>>p.s. They say that 83% of all statistics are lies. Think about that for a second.
:-p Liar !
Hold on, this guy was running Vista. There’s an obvious bias right there.
The problem is there is no good way to determine how secure or unsecured a program/OS is. A company who tries extremely hard to ensure their OS is secure may in fact have more vulnerabilities reported and fixed, because they are actively looking for them, and companies that are not strong on security will leave it alone and wait for reports.
Then there is the issue of degree of security. Most Linux security problems are local security holes which allow the user to get access after they have logged in. Windows XP and Vista in many ways still recommend users to have higher level access for proper running of the OS, thus making total security value higher for Linux, but having a higher security value makes more security vulnerabilities. It is like saying Windows is less secure than DOS because DOS has fewer security fixes. While DOS has no security and Windows has much more.
Then there is the popularity factor: hackers will target Windows more than Linux or Mac OS just because if they are going to get a blind system chances are it will be Windows, so they make hacks for that platform.
It only takes one known hole to cause damage.
I know someone who worked at Microsoft on the Windows Vista project. He told me that, besides adding new features to the OS, Microsoft spent the last couple years running sophisticated static and dynamic code analysis tools. These tools do all kinds of path analysis and detect buffer overflows, identify “banned” APIs, find numeric overflows/underflows, and other dangerous calling patterns. Microsoft apparently set a very high bar for shipping Vista by requiring that all of the generated bugs be fixed prior to shipping. I think that Microsoft has taken a lax attitude toward security in the past, but they have definitely got religion now. Frankly, I applaud any effort on their part which improves security. It’s still probably a little too early, and I’m sure that people will continue to do analysis. HOWEVER, really people, do all of these discussions have to degenerate into “my OS is better than your OS” flamewars?
I also think Microsoft did their homework regarding code quality. But this is only one step on the way to good security.
What should have been done with Vista is getting the basics right, the design. They made way too many compromises regarding backwards compatibility. Like still allowing applications which insist on writing into system folders.
This leads people to switch off many privilege escalation prevention features.
Security of an operating system, especially a widespread one is as much a social task as it is a technical one. People have to be forced to a more secure behaviour, and it would be Microsoft’s task to apply that pressure.
They should have made some sort of “virtual machine” running XP in a sandbox for backwards compatibility.
With Vista now on the market, the door to a more secure design is closed again for several years.
with Vista high security level so I’m going
to ditch my Linux machines and grab my copy of Ultimate OS…
…once I have 400 $ for OS
and around 1,000 $ for new hardware !
And it’s not going to happen any time soon.
I like to be insecure with my tux boxes!
Yet another “this is kinda looking like a professional survey as long as you don’t read the PDF” ‘research’ done by an “unbiased” MS employee.
After reading the PDF, here’s what is missing:
A. A complete list of the vulnerabilities categorized by risk level. (Read: Firefox crash doesn’t equal arbitrary code execution when opening a PDF, let alone IP teardrop like exploit.)
B. A complete list of the software installed in Windows Vista and the rest of the Linux bunch. “Reduced install” is pure marketing, nothing more. (E.g. Does vista include a PDF reader? Which editors are included? In Linux? Does emacs/vim equal notepad?)
C. It would have been nice if the reporter wasn’t getting his paycheck from MS. (Gee wiz. I wonder if he would rush to publish his results if the results were less favorable to MS…?)
D. Oh, and OSS tends to have an open development model that usually prevents sitting on open exploits. Would you bet your life that MS isn’t sitting on open exploits that it cannot or doesn’t want to fix? Didn’t think so…
In short, wake me up when someone professional/unbiased does this survey. Until it does, I’m staying away from Vista like plague.
(That, until I’m forced to port my software/drivers to Vista)
– Gilboa
Edited 2007-06-26 10:26
No matter what weaknesses or strengths of Jeff Jones’s work (and there are plenty of weaknesses), he has negated any credibility by changing the parameters he used between the ’90 Day’ and ‘6 Month’ vulnerability reports. He should have revisited his earlier work applying the same comparisons (3 Linux distributions “Reduced”), left the conditions unchanged, or removed the earlier work from his comparisons. All he has done is take a weak and biased study, and further clouded his “efforts”.
http://www.microsoft-watch.com/content/security/microsoft_is_counti… has a good analysis of Microsoft’s unbiased Vista claims.
In reality, you would have to compare server OS’s vs Desktop OS’s.
I would think that there are very few servers running Vista as their main OS. Most likely they’re running some sort of Unix based system (let’s say RedHat Enterprise).
I’ve been a linux and a windows user since I can remember. Windows mostly for graphics work (I’m a photographer) and Linux for some developing and various tasks. I’ve never had a problem with Windows OS’s. If you know how to secure your computer properly and you have a reliable hardware firewall – then you should be OK.
The data provided in the article would make sense if you think about it this way. Open source is open to everyone, obviously, hence there are many developing styles and sources that, when put together, might have certain vulnerabilities. Windows OS, being a closed source, was written by a smaller team, that had a preset format that they followed, hence fewer bugs.
Why are there more “insecure” Windows machines? Because Windows is the major OS, running on the majority of computers in the world. And assholes, who want to break them, will hack Windows. If, say, Mac OSX was running on major machines, then it would be the target for the assholes. And yes, I know that a unix system is a lot harder to break than Windows. But if someone really needs to break something, they will. After all, there is always a way.
I’ve been running Vista since January and I haven’t encountered any problems, except a bug with Nero 7 dll file that prevented Vista to display thumbnails of video files correctly (easily fixable). And don’t get me wrong, I use both Unix based systems and Windows based, I like them both for certain tasks. As a photographer, Unix (except Mac OSX) is not a solution.
So now, please flame me
Sadly, many here *want* Vista to be insecure.
Ask them, “Which would be more likely to put a smile on your face, a report saying ‘Vista Shown To Be Secure’ or a report saying ‘Vista Proven To Be Most Insecure OS Ever’?”. If they’re honest, they’d choose the latter.
You can see it even here, people are actually upset to see a report putting Vista in a good light, immediately rushing to find ways to discredit such a report. But if a report is released showing Vista in a bad light, you can easily imagine these people pumping their fists and yelling “YESSS!!!” as if their favorite soccer team just scored a goal.
Real tech geeks would want all products to be good. There’s not much to say for someone that roots, hopes, wishes, and/or prays for a product to be bad.
These people claim that reports they don’t like are “biased” as if they themselves are objective. The fact is, these people are just as “biased” as they claim that the report writers are. And therefore their analyses of said reports are just as questionable as the reports themselves (likely more so, since their analyses are based on knee-jerk reaction rather than thorough study).
Edited 2007-06-26 19:09
I don’t generally disagree with you, but I tend to think it is not as much many here “want” Vista to be insecure, rather more like many here “expect” Vista to be insecure. Given Microsoft’s history, lack of focus on their customers, predatory practices, and general business model, etc., skepticism is the natural reaction.
There will always be detractors, nay-sayers, and fanboys, but quite frankly Microsoft made their own bed and have to sleep in it.