October 21, 2003

Ballmer says Linux not accountable for security

According to Steve Ballmer, the rivalry between Microsoft Windows and Linux comes down to the basic question of whom customers should trust.

There is an article in which Mr. Ballmer says that "There's no roadmap for Linux. Nobody is held accountable for security problems with Linux."

I do not see how the open development process of Linux implies that we should blindly trust Microsoft. There is a definitive path for kernel development, just as there is for Windows. And does this mean we can now hold Microsoft accountable because Steve says we can? If so, I would like to know who to send the bill to for all the overtime InfoSec people are putting in cleaning up the mess of the recent months.

Anyways, I don't have enough time in the day to criticize such erroneous thinking. I think Mr. Ballmer needs a tutorial on Crystal Box security vs. Black Box security thinking, and then he can weigh the word "TRUST" accordingly.

You should read the article yourself. Ballmer states the Microsoft position that they should be trusted because they have the infrastructure to properly address security patches. This is the SAME infrastructure that released the ORIGINAL code that had security issues, and the SAME infrastructure that did the "amazing code audit" as part of their Trustworthy Computing Initiative.

Should we trust this SAME infrastructure? No, I think not. Want to earn my trust, Microsoft? How about taking these actions:

  1. Perform a 3rd Party Code Audit from an UNBIASED source. Do not pick vendors who are loyal to you and would rather FIRE an honest report than accept it.
  2. Stop all new development and refactor the brittleness in your existing systems. We have to wait till 2006-2007 for Longhorn server. Why not invest 6 months bringing the NT core, which your own teams at Microsoft admit was not designed with Secure Coding Principles in mind, up to date? You would strengthen your system exponentially and could carry the result on for use in Longhorn.
  3. Provide an integrated patch management system that works not only with your OS, but with the applications on the same platform.
  4. Release a public API for this patch management system so other vendors can use the same infrastructure. Consider looking at how well Debian's apt-get works. A customer could simply add another vendor's "server" to the list of package sources and get updated, with dependencies resolved, on the fly.

Take these steps and I will begin to consider trusting you more openly.

P.S. In all fairness, Microsoft IS getting better. But this is the type of thing where "Trust, but Verify" is in order. Blind trust is NOT an option yet.

Posted by SilverStr at October 21, 2003 01:45 PM
Comments

Article linked from /. is at http://www.groklaw.net/article.php?story=20031022014413296

Posted by: Arcterex at October 22, 2003 03:22 PM