Two researchers surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system. This week, the researchers released their finished report, and it included another surprise: Microsoft was funding the project all along.
No surprise there.
No Surprises Here …
Too bad that a large number of companies/people will never (bother to) find out that the project, as usual, was funded by Microsoft.
We still can safely say that Microsoft Windows, any version, is THE single most insecure operating system in use right now. But we already knew that.
Now please put your hands together for the folks that will falsely accuse alternative operating systems of being secure by being obscure.
Here is the report linked from this site:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14…
This is the second paragraph of that article:
well before the paper’s official release, members of the IT security community have questioned the comparison, with some slamming the researchers’ methodology and others the Microsoft connection — software giant funded the research behind the favorable findings.
I suppose the report's data is accurate…
As far as I know, the only studies that have found Microsoft Windows more secure over other operating systems are Microsoft funded studies.
All the non-MS funded studies have found different results.
Published research always supports those who pay for it, otherwise it wouldn’t be published.
As research is always paid for by someone, then it is pretty obvious that research that is overwhelmingly in favour of a particular commercial entity must be funded by that entity…
Simple logic…
One critical issue is whether the report had a “shelf-it” clause. Since Microsoft paid for it, did they have the option to prevent the disclosure of the report should they not approve of the results?
It’s a great option for those who want to fund reports but still give the impression that the report is independent but letting the report writer pick the methodology. If the results aren’t in line with what the funder likes, they still pay, but the report never sees the light of day.
And what would the response around here be if Red Hat funded a study that, surprise, showed that Linux was more secure?
The point of the matter is, it ISN’T Red Hat.
It is a company that continuously engages in this sort of deceit.
No way!!! That’s unpossible!!!!
Depends. More secure than what? And if we want to get mishy-mashy, then how has the Red Hat box been configured?
Renaldo, you have a point….it would show that Red Hat was more secure. Except that it would be true. Case in point is that I don’t know of ANYONE who is running a Linux system who “worries” too much about all of the problems that they might have. They put up their firewall, set up some rules, create a white/black list….close a few ports…just like the Windows machine…but then how many ACTUAL problems occur?
The proof is in the pudding.
Seems like the Windows platforms are the ones with the problems. And don’t give me that “that’s because of the numbers thing” because for SERVERS…especially WEB servers, it’s not true. There are just about the SAME number of Linux servers as Windows servers out there.
Also, the Linux companies don’t have a track record of FUD and lying like Microsoft does. So, your point is made. The response would be one sided saying “I told you so” instead of “this is bull”….but fortunately it would be TRUE!!!!
If Microsoft funded the research and the researchers found Windows to be less secure than, say, Linux or whatever, so would they still publish it? The whole situation would be very very weird. I think we should read the contract to find out, guess there’s a paragraph there that has a provision for a case like that.
Seems like the Windows platforms are the ones with the problems. And don’t give me that “that’s because of the numbers thing” because for SERVERS…especially WEB servers, it’s not true. There are just about the SAME number of Linux servers as Windows servers out there.
That comment would only be valid if Windows Server ran on a different code base to the rest of the family.
This is just absolutely shocking! Who would have guessed?
Those bustards at M$ tried to pull another one over our eyes. It’s a good thing that our use of Linux has made our reasoning abilities so razor sharp that we instantly spotted it. Go! Team Linux! Go!
http://www.datanation.com/fallacies/attack.htm
Why don’t Microsoft fix the damn problems and stop running helter skelter with all these campaigns and studies looking like a headless chicken?
Sarcasm notwithstanding, I’m happy to see that you know what an ad hominem attack is. I’ll be able to remind you this next time you use one in one of your posts…
That said, criticism of Microsoft in this instance has little to do with ad hominem attacks. Rather, it is justified outrage over apparent conflict of interest. Also, past history does in fact have an impact on how people will perceive this behavior: since MS has a long history of underhanded maneuvers – whether it’s astroturfing, blackmailing OEMs, etc. – then it’s quite reasonable to be critical of Microsoft in the current situation.
Now feel free to proceed with your own ad hominem attacks against me…
I like how you blame me for using ad hominem and then proceed to use it yourself in the very next paragraph. It’s very self reference-y.
You are partly right. However, since few people have the resources to follow the exact argument (1), let alone attack it, one rather finds a reliable source for arguments. Attacking the person will not attack the argument, but show doubts whether the person is a reliable source of arguments. This still leaves the argument to be attacked, though.
(1) Following and attacking the exact argument in this case means setting up windows and linux boxen and running attacks on them; establishing profiles of the typical windows/linux admins and users, their skill, and their consciousness of security and attitude towards it; finding possible coincidence between OS and type of attacks, OS and number of attacks; OS and attackers; OS and hardware; OS and companies that use it (and their exposure to attacks); and so on…
Seems like the Windows platforms are the ones with the problems. And don’t give me that “that’s because of the numbers thing” because for SERVERS…especially WEB servers, it’s not true. There are just about the SAME number of Linux servers as Windows servers out there.
——————————-
That comment would only be valid if Windows Server ran on a different code base to the rest of the family.
Depends on the context, whether it’s server-specific issues or general security issues you’re talking about.
Those people who still use Microsoft’s crappy Windows “operating system” and infest their computers with viruses and spyware don’t deserve any better.
Anyone smart is using Linux nowadays. Linux is just so much better and easier. I am using Gentoo Linux on both, notebook and desktop, and even my niece who is eight years old loves her new Linux desktop.
I see all of the predictable outrage over the fact that Microsoft sponsored the study. But what about the study methodology and results? Isn’t that what is really important? Of course one will be leery of a study sponsored by them, but has anyone found a flaw in this test that skews things towards Microsoft’s favor? I didn’t read anyone disagreeing with the results, just over the sponsorship.
Like Captain Renault “shocked” that there is gambling at Rick’s.
Of course one will be leery of a study sponsored by them, but has anyone found a flaw in this test that skews things towards Microsoft’s favor? I didn’t read anyone disagreeing with the results, just over the sponsorship.
Take your stinking logic crap somewhere else buddy. You’re getting in the way of the ranting.
I’m not sure anyone cares about the study or the methods, since Microsoft has lost any credibility it ever had a long time ago in the eyes of anyone with at least half a brain. They have never done anything but lie and use every pathetic trick they could think of to discredit their opposition, only to ultimately in the end discredit themselves.
Why should anyone listen to a company that has used tricks like adding together all security holes in all distributions for all packages (i.e., a hole in sendmail in 4 distributions is 4 holes), and present the result as security of Windows vs. Linux?
Why should anyone listen to anyone who compares security by comparing a *full* installation of the Red Hat distribution against a bare Windows installation?
It’s their own tricks that work against them, and I for one have no doubt this “study” is equally flawed.
I don’t see your logic.
He’s right though, as far as web servers go I think there’s much more Apache around than IIS. Now that is slightly complicated by the fact that Apache isn’t Apache, it’s Apache or Apache2 now; however I’m sure much of the code is still the same, and both possess a very large chunk of market.
Of course, according to Secunia the security is about the same; which to my knowledge is true. But I think IIS doesn’t have quite the same reputation for stability that Apache has.
This isn’t Windows vs Linux; this is a Windows server vs an often Linux server. It’s also Microsoft vs OSS; a more heated debate than Linux/Windows.
The way some of these comparisons are done is just looking at the vulnerabilities for like RedHat EL and Windows Server 2K3. We all know this isn’t fair; it’s a full OS against a shell. And they’ll headline it: Windows Vs. Linux. To be fair there, the comparison should be linux kernel vulnerabilities (in all maintained iterations, 2.6/2.4) against all maintained versions of Windows; but that’s for fairness with the headline and not a truly good comparison. Because that’s comparing a kernel against a shell (which includes the kernel!).
I think in the end it always comes to this: They can both be very secure, and they will be as secure as their sysadmin makes them. Surely even VMS had exploits!
Now, user application (think web browser) security is another matter.
The primary metric used is days of risk. This metric is defined as days between when a vulnerability is reported by a whitehat until the day a fix is available. This is flawed! The code/system’s vulnerability begins when the flaw is added to the code, not when it’s discovered by the good guys.
If that’s not enough to toss the report, then realize the researchers extolled Microsoft for developing “strong” relationships with whitehat security companies to control the release of flaws, further reducing the days of risk. That means they’ve taken a broken metric and completely gamed the system!
I say we take it back.
I call on all security researchers to modify “days of risks” to be inclusive of when the defective code ACTUALLY goes into a deployed system. Since F/OSS typically maintains a complete and public track of “when/where/what” code gets into a system, it can be very accurately measured. Unfortunately for our closed source cousins, this date would have to begin at the shipping time. 🙂
How happy would Microsoft be with 700+ “days of risk” reports for Windows 2003?
This metric is defined as days between when a vulnerability is reported by a whitehat until the day a fix is available. This is flawed! The code/system’s vulnerability begins when the flaw is added to the code, not when it’s discovered by the good guys.
There’s no risk when it exists in the code and nobody knows about it, because there are no exploits available.
Why don’t Microsoft fix the damn problems and stop running helter skelter with all these campaigns and studies looking like a headless chicken?
Because it is quicker to produce a study saying there isn’t a problem, than it is to fix the problem. I’m sure they aren’t so short-sighted as to ignore the problems because of the study, but they are probably using it as a short-term solution to try and maximise their sales.
“Now please put your hands together for the folks that will falsely accuse alternative operating systems of being secure by being obscure.”
Oh, like the people that say the reason Apache is the most frequently hacked webserver is because it is the most prominent.
I like how you blame me for using ad hominem and then proceed to use it yourself in the very next paragraph.
Except I didn’t. I did not claim that Microsoft committed any wrongdoing in this instance. However, I did say that the company’s past misdeeds (which are a matter of record, not speculation) hamper its credibility in this case. This is not an ad hominem attack, but rather a recognition that there appears to be a conflict of interest here based on past history. For your information, past history can indeed affect present judgement, even in a court of law. A recidivist will face stiffer penalties than a first-timer (and will have to work harder to convince judge and/or jury of his innocence).
So I did not in fact make an ad hominem attack against Microsoft (or against you, for that matter). It’s nice to know about logical fallacies (I regularly consult the web site you linked to), but you have to clearly understand them as well, and not just call them out at random.
Boy, this is sure fun! Keep it up, boys….or girls….I like a good drag it out fight! It sure is entertaining….
(1) Develop a “real life” configuration which needs to serve certain needs. Something like a webserver with an e-commerce application. Make a detailed requirements document of all of the things this system must do.
(2) Invite all operating system vendors/representatives to configure a system meeting all of the criteria of the configuration/scenario, using their own OS, as hardened as possible. Only the advocates/representatives of an OS get to touch the box in terms of configuring it to be secure. They alone are responsible for stuff not being configured properly. Perhaps the configurations which wind up working out and winning the contest would give some inspiration to companies and Linux projects as to what “out of the box” default configuration to go with. Why any OS (and several Linux distros are huge offenders) come with a bunch of services enabled out of the box is beyond my comprehension. No one should be running a service they can’t configure.
(3) Expose all of these to the internet for some period of time. Whether these should be covert honeypots or public “hack this system!” things, I don’t know. I think the former might be better. Have the systems say, 1 IP apart from each other too.
(4) Have these systems monitored by platform-agnostic admins for, say, 6 months. Have them tabulate the number of privilege escalations, disruptions of service, etc.
The idea here is to allow every participant to configure their machine appropriately so no one can complain about “out of the box” configs with unneeded services running insecurely, or stacked-deck administration.
There also needs to be an agreement of what constitutes, say, “Linux” since the minute something like Apache is compromised, there’s a contingent of people who blame Apache, and not Linux (This is just one example). This is a kind of cop out to me, though technically accurate. There should be a reasonable collection of GNU stuff + Linux that would constitute a “base” that we can agree is a basic Linux server.
Make it a sort of OS security olympics.
Hold it once per year.
Live with the results.
Obviously I’d like to see this administered by some organization that doesn’t really have any kind of religious dedication to one platform or another but is concerned with the bottom line – how reliable and secure is a particular OS – an organization like osnews.com for example (I think several people are scoffing madly right now, but while opinionated for the most part I think OSNews is fair, and certainly not particularly religious about any OS).
Thing of it is, these Microsoft-funded studies may or may not be generating useful results but I’m not sure of the point of them if people are going to dismiss them because of conflict of interest. How this serves Microsoft in the long run (which makes it look like they have to cook the books to win, even if the tests and analyses are fair and the results accurate), I am not sure.
I don’t particularly experience any kind of schadenfreude (okay not anymore) when a Microsoft security weakness or exploit becomes apparent. Windows is a fact of life, and infected Windows machines wind up making all of our lives more unpleasant in the long run. I’d like to see some kind of security olympics like this, with very publicized results, put pressure on all OS development communities to improve their processes. (The same is true of Linux vulnerabilities, by the way; my bias shows.)
It seems that some of the most common criticisms of these studies are the way systems are configured. If you allow the advocates / developers of each OS to configure their own system – and I think there should be a rather sizeable team for each OS, so that things truly are configured *optimally*, the amount of complaining about this would diminish.
I think Linux distribution teams should sincerely consider examining such configurations and using them as out-of-the-box defaults. The BSDs are often sold as secure on the basis of secure default configs. I wish more Linux distributions could be sold this way.
Quote: “but has anyone found a flaw in this test that skews things towards Microsoft’s favor? I didn’t read anyone disagreeing with the results, just over the sponshorship.”
That’s a valid point Ronin.
The problem I have with this sort of report is that it takes *all* bugs on the Linux box into account – including applications installed as part of the “default” install process. Now – Windows, really installs fuck all during the “default” process. The kernel, the windowing manager, the desktop environment itself. That’s it. A smidgen of applications like notepad, that’s it.
Want to know the other problem? Microsoft blatantly lies about bugs. It knows about them but does not “officially” announce them until it has a fix. Of course, then it’s announce bug, and then a few days later “oh look, we have a fix!”. Of course such falseness makes them look competent.
I would agree that Windows 2003 is an improvement over security. But I would disagree that in ANY holistic testing method, it would be more secure than Linux (in general). Statistics are statistics, a good statistician can make bad look great if they really want to. This is all this report is doing.
What we really need to do is for a court to issue a cease and desist ruling on this sort of sponsored report, especially when it’s blatantly sponsored by one of the groups in question that’s being “tested”, and especially when it’s been arbitrarily rigged from the word go.
The non inclusion of viruses, worms etc in the report further makes a mockery of the results. You don’t believe me? Page 3 of the report states:
“• Threats against those vulnerabilities
Of the two factors, our own experience leads us to believe that the latter is more difficult to quantify and predict in an objective manner. This is an exciting and open field and we strongly encourage others to consider this as an area for thoughtful research. However, given that there are research opportunities in both areas, we have chosen to try and make progress in studying and measuring the vulnerability factors first; this is a critical precursor to other threat-based metrics. We thus do not consider the threat profile in this study and instead focus on underlying system vulnerability.”
This is the part where real vulnerabilities are, and where Microsoft totally and utterly falls down. And they conveniently choose not to include it. I wonder why <deep sarcasm mode engaged>.
Check your facts before you post.
Dave
Oh, I’m sorry. I thought that your comment had something to do with this story. I see now that you were just blowing a lot of hot air trying to ‘teach me a lesson’ or whatever.
I’m getting the feeling that you’re deliberately misunderstanding what I’m saying. I’ll give it one last try.
The fact that MS sponsored this study does not constitute proof of wrongdoing on their part. However, given their long history in the matter, it is very difficult not to be suspicious of them. Thus, it is similarly difficult to consider this study to be anything else than a marketing ploy. Any reasonable person should be extremely skeptical of such paid-for studies – and in fact this is what we’re witnessing here. It has nothing to do with ad hominem attacks.
And yes, I did teach you a lesson, which is why you’re not actually trying to counter my arguments, but instead try to change the focus of the debate on my motives rather than my words. You might want to check this one:
http://www.datanation.com/fallacies/subject.htm
Octavian, just because a flaw hasn’t been reported by Microsoft doesn’t mean blackhats aren’t using it to exploit systems. Why do you think they’re called hackers?
That’s surprising? Microsoft has been doing this FUD routine for years. What should be surprising is that rather than spending that money on fixing their own security problems they would rather waste it on funding “research” making false claims about competitors.
Now that’s surprising!
I go to work every day to administer FreeBSD, Linux and Solaris 8/9, I have a PowerBook as a tech workstation, 2 PCs (FreeBSD and Linux) and 1 PowerPC at home, so I am by far a non-Windows user. I really think that Windows is still behind most OSes when it comes to security, but MS is a big company putting efforts into security and they are getting better, maybe not enough, but they are. There are a lot of Linux distros on the other hand that are getting worse because of the belief that they are the “Most Secure OS” and they are doing nothing to get better. So right now Windows 2003 (NOT XP….. only Win 2k3) is really comparable to some Linux distros, so please stop trolling about Windows 2003 security, w2k3 is ten times better than XP.
As some people stated that it’s not fair to compare a Linux distro with win2k3 because Linux comes with much more software:
They tested a full AND minimal setup of RHEL against a full setup of 2k3. And even the minimal setup of Linux had “worse” security than 2k3.
Some even said that it’s not fair to count “days of risk” from the public appearance in a mailing list/whatever till the patch for the vulnerability was released, but instead should be counted from the day the buggy code was included in the system. Wasn’t there a bug last month which affected Linux back to the 2.0 kernels?
I agree that the metrics used on this topic are not perfect, but until someone comes up with something better we have to accept the results.
And that they only counted patches that were released by RH was the right decision too. Normally you are bound by a service contract, and the last thing you would do is install something that is not verified by your service partner.
And for the “standard setup” problem:
A lot of companies are too small for a separate software department, so a lot of them run their servers in standard mode.
Yes, it’s a compromise, but one we have to live with. We all know that most of security relies on the admins, but humans are so damn hard to classify.
At the end of the day this study is not immune to criticism, but it’s still one of the best I’ve seen so far.
Octavian, just because a flaw hasn’t been reported by Microsoft doesn’t mean blackhats aren’t using it to exploit systems. Why do you think they’re called hackers?
You could say the same thing about Linux. Just because a flaw hasn’t been reported it doesn’t mean that hackers can’t use it. The point is that trying to guess what ‘black hats’ might or might not know is a vague and pointless exercise. It is certainly not something you can base a security study on. The point when a flaw is publicized and widely known is the most objective starting time for measuring days of risk. Yes the flaw was there since the beginning, but you don’t know if and when any ‘black hat’ knew about it. This makes it impossible to accurately quantify any risk.
The fact that MS sponsored this study does not constitute proof of wrongdoing on their part. However, given their long history in the matter, it is very difficult not to be suspicious of them. Thus, it is similarly difficult to consider this study to be anything else than a marketing ploy. Any reasonable person should be extremely skeptical of such paid-for studies – and in fact this is what we’re witnessing here. It has nothing to do with ad hominem attacks.
So are you saying that the authors of the study are Microsoft? Or are you saying that the authors have a long history of wrongdoing and writing fake studies? How does Microsoft’s use of this study for marketing cast doubt on its validity? If I write “1 + 1 = 2” and Microsoft uses it in an ad, does that mean that there is reasonable doubt as to whether 1 + 1 = 2?
Unisys and Microsoft…
http://news.com.com/2100-1001-870805.html
Caught, then trying to cover their tracks…
http://redmondmag.com/news/article.asp?EditorialsID=5285
Unisys’s support of Linux…
http://www.unisys.co.za/about__unisys/news_a_events/04081701.htm
So are you saying that the authors of the study are Microsoft?
Of course not. MS paid for it. It probably didn’t even pressure the research group on its content. My opinion on the matter is that MS only releases studies that support its products. Others are filed away, to be forgotten.
I’ll trust independent studies. The rest is just the byproduct of marketing strategies. And yes, I would be equally skeptical of a RedHat or Novell-sponsored study.
How does Microsoft’s use of this study for marketing cast doubt on its validity? If I write “1 + 1 = 2” and Microsoft uses it in an ad, does that mean that there is reasonable doubt as to whether 1 + 1 = 2?
Either you’ve never worked with marketing people, or else you’re one yourself (which would explain a lot…).
IMHO Microsoft are rapidly defining a new meaning for FUD.
Fear, Uncertainty & DERISION (not Doubt). They seem to be using any tactic possible to draw attention away from the lackings in their own products and failure to deliver key components of Longhorn by going on the offensive and using studies like this to deride the opposition.
This and other strategies might have worked in the past. I doubt they will in the years to come. The opposing force of news and actual delivery of innovation could pose too big a barrier and MS will start decaying bit by bit.
He put his name to a rather famous CCIA-funded report slamming the “Microsoft Monoculture.” I talked about that in a series of articles on the topic.
Kind of ironic for him to declare no one will listen to the study because Microsoft funded it. Should we follow the same line of reason and say no one will listen to his CCIA-funded report because the CCIA, a clearly anti-Microsoft organization composed of Microsoft’s competitors, funded it?
Who funds a report should matter less than whether the study is methodologically sound. Unfortunately, people like to imagine there is some idealized world where completely non-partisan funding entities fund completely non-partisan research entities. That’s about as realistic as demanding that newscasters be completely objective. Better to let people do their best to argue for what makes most sense to them, and get LOTS of people doing that. By reading lots of opinion, you have a better chance of approaching the truth.
By reading lots of opinion, you have a better chance of approaching the truth.
I wholeheartedly agree.
By reading lots of opinion, you have a better chance of approaching the truth.
So what’s the value of this Microsoft-funded CCIA report? It’s not hard to make a referential fit that suits one target better than the other. As you said it, we don’t live in an ideal world. So why didn’t they make a model that comes much closer to the real world? They assumed a default install and based their vulnerability taxonomy on it. While this isn’t very realistic for obvious reasons. First of all, how many systems are in exactly the same operational state as after a fresh OS install? In my opinion it’s more interesting to see what can be done to achieve a more secure system with just the means at hand (being repository, install CDs/DVDs). What does it cost? Is there enough knowledge base? Then ultimately some real scientists should in a realistic manner try to hack into each system in whatever way. There are a lot of exploits in the wild that haven’t been discovered and/or haven’t been made public and most likely will not be for years to come. All that has been taken into consideration is the immediate threat of vulnerabilities, flaws, bugs and how long it takes to close them. While this is important, I would have liked to see some precautionary measures.
Here’s an idea: Let’s not have anyone fund anyone else’s research, then watch as all research die you because they can’t afford to research anything substantial.
“die out” not “die you”
Where’s the edit function?
Microsoft blatantly lies about bugs. It knows about them but does not “officially” announce them until it has a fix. Of course, then it’s announce bug, and then a few days later “oh look, we have a fix!”. Of course such falseness makes them look competent.
You mean like linux? Ooohh, wait, the linux crowd just downplays and sweeps them under the rug and hopes no one notices, so that’s slightly different.
The problem I have with this sort of report is that it takes *all* bugs on the Linux box into account – including applications installed as part of the “default” install process. Now – Windows, really installs fuck all during the “default” process. The kernel, the windowing manager, the desktop environment itself. That’s it. A smidgen of applications like notepad, that’s it.
What planet are you living on? Windows Server 2003 installs a shitload of services in its “default” install, DISABLED. So let’s look at the so-called ‘problem’ here:
– Windows installs and enables a lot by default. Linux camp bounces around saying how ‘minimalist’ and ‘secure’ linux distros are by default.
– Windows disables most things by default. Linux camp bounces around and cries unfair because all of a sudden the default Linux is no longer ‘minimalist’.
It’s little wonder why it’s so hard to put any faith into the Linux crowd. Now that the ‘secure by default’ bubble has burst with distros admitting that they’re ‘not secure by default’, you have to find new ways to bash Windows. Whenever Windows beats Linux at anything, it’s always: unfair, unfair, wah, wah. Give me a break.
I’ve always said the only standards the FSF and OSS movements in general are pushing for are double standards against Microsoft. People like you prove it true every time. Go spread your FUD elsewhere.
“My opinion on the matter is that MS only releases studies that support its products. Others are filed away, to be forgotten.”
And that is different from any other American corporation, how?
> And that is different from any other American corporation, how?
That doesn’t mean it’s right to do it. At least, one should be aware of it.
And that is different from any other American corporation, how?
I responded to this in the very next paragraph:
“I’ll trust independent studies. The rest is just the byproduct of marketing strategies. And yes, I would be equally skeptical of a RedHat or Novell-sponsored study.”
In other words, I’m not naive enough to believe a study sponsored by a company that “proves” that they’re better than the competition. I haven’t ever since the famous Pepsi Taste Test. 🙂
On these matters, I’ll only trust studies done by third parties who haven’t been paid by the study’s “winner”. Of course, all the MS apologists here will believe in the study, but only because it reinforces their preconceived notions.
My own opposition to MS is irrelevant to this discussion (as it doesn’t concern its dismal security record, but rather the fact that it’s a monopoly and as such detrimental to innovation and the IT industry’s general economic health).
Go spread your FUD elsewhere.
Sorry, but it’s MS spreading FUD here, not the other way around. I know you like to defend the abusive multi-billion monopoly (like they really need your help), but the fact of the matter is that the study says RedHat is less secure (well, they say “Linux” as if RedHat == Linux, which isn’t true, but never mind that detail). Therefore, it is MS that is spreading Fear, Uncertainty and Doubt about Linux, not the other way around.
The fact that people react so strongly is that the probability that this study is biased towards MS is very high (due to the company’s past history of shenanigans) and thus it should be taken with a huge grain of salt.
Meanwhile, my Linux server is secure, because I admin it accordingly. A knowledgeable admin can do so with any free installation of Linux. That’s all that really matters.
Our old friends at the ADTI “think tank” keep up the fight on the “Linux and OSS infringe on copyrights” front. And, yes, the conservative “think tank” (I put quotes because they’re really a propaganda apparatus) is funded by Microsoft.
http://www.techworld.com/opsys/news/index.cfm?NewsID=3373&Page=1&pa…
“Sorry, but it’s MS spreading FUD here, not the other way around.”
To be completely correct, you should say that two researches spread FUD here, not the other way around.
Unless you’d like to claim that without Microsoft paying for that study the outcome of it would have been different.
Do you?
“That doesn’t mean it’s right to do it.”
Why? No, really, unless a company influences an outcome of the study, what is the harm?
I very much doubt that Red Hat was willing to pay for that study.
Linux apologists in fact would rather NOT have study done at all than done with results that don’t please them.
You see, when someone says “I believe that my Linux is more secure, by the definition” then it is unlikely he or she will finance study saying otherwise.
So, a researcher, unless he is a really wealthy man with a lot of time on his hands, can choose not to do research at all, or ask for funding from companies that may see a benefit in it.
I’d rather have research published, then put through peer review, and discussed.
“At least, one should be aware of it.”
We do, don’t we? If we were not, all that lively discussion would not have happened.
Well, if it’s all so innocent why on earth did they hide the fact that MS sponsored it? If it is because people are suspicious of MS funded research who is to blame for that?
If it is because people are suspicious of MS funded research who is to blame for that?
People like “a nun, he moos” who have a clear agenda and axe to grind. People who wear tinfoil hats and base their decisions on innuendos and who’s funding whom instead of looking at the statements in the study and reasoning about them.
> “That doesn’t mean it’s right to do it.”
>
> Why? No, really, unless a company influences an outcome of
> the study, what is the harm?
Theoretically, none. Practically, one must remember who such reports are aimed at: Companies who have the choice which OS they base their infrastructure/desktops/servers on. Even if it is a techie who actually makes the decision, he will most probably not have the background to ensure that the report is rock solid (things get worse if the management decides).
This means that the wording of the article makes a difference, and there is even some randomness involved (especially with the wording). This randomness means that two articles saying the same differently will produce different results. If you take only the article with the result you like, you have skewed the result – it’s like you can make a die roll only sixes without preparing it, by not counting 1-5.
If you cannot make sure that the arguments of the report are rock solid, you *have* to choose *trusted* sources who basically make a decision for you. If you trust MS to decide about your next OS, you know the result.
> I very much doubt that Red Hat was willing to pay for that
> study. Linux apologists in fact would rather NOT have
> study done at all than done with results that don’t please
> them.
Same for MS, but it’s still not “right” in the sense that a company should rely on such reports. It may be a case of “the others do it too” but it’s still wrong.
> So, a researcher, unless he is a really wealthy man with a
> lot of time on his hands, can choose not to do a research
> at all, or ask fundings from companies that may see a
> benefit in it.
MS or Redhat cannot know in advance whether the report benefits them unless the researcher is biased. The companies who should fund such reports are those who are interested in a *correct* result, not a result that reinforces belief. Namely, those companies who have to choose their next OS.
Sorry, no time, I’ll respond to the rest later.
Hey, Like I said before, this sure is fun! Do any of us actually HAVE A LIFE? I mean there is an awful lot of time spent getting mad at each other. WOW. What fun! Let’s just go back to our listening to music, doing our spreadsheets, word processing, e-mail, and using our stupid little machines. But the fighting sure is fun to watch. Looks like a bunch of little spoiled children i.e. “Mr. Obvious, and Smartass”….
I laughed myself off of the chair reading that one. Are all of you people really serious? Is there a bone of humor in you? Do you have wives and kids? Do you know how to have a good time? Well…I’m having one watching the children fight!
Keep it up….
“People who wear tinfoil hats…”
Sorta like this?
“I bet Red Hat has a whole department dedicated to spreading misinformation on the Internet, like the way you are doing.”
Unless you’d like to claim that without Microsoft paying for that study the outcome of it would have been different.
Do you?
Of course not. The referential fit would have been most definitely different. Why is it so hard to understand that it’s not very objective that research is sponsored by the company whose product is being dug into. Both companies would benefit from a positive outcome. A “completely” independent research is much more trustworthy and yet still not the one with the last almighty authoritative end word.
That doesn’t mean the research paper doesn’t present correct figures. On the contrary, but there’s a certain danger people misinterpret them. Analogous to testing branch N OS against I OS under such conditions (e.g. specific games depending on specific libraries) that you could almost predict the outcome.
One part of the security process they didn’t mention at all is risk management. What does it take (explicit cost, training, time, knowledge, support, extra hardware…) to make both individual systems more secure in the best possible way and in the least amount of time. And is the data that is going to be protected worth the trouble, or to what extent. The paper is somewhat narrow-minded and incomplete to say the least.
You are a clown, however, even clowns get tiresome after a while. Go back to kindergarten.
Yeah…..Ha Ha Ha Ha….
Maybe we ALL belong in kindergarten!!!! Might be nice going back no?
Hey, HAPPY EASTER everyone!..THERE…not THAT’s religion!
So basically you’re arguing that people in IT departments are really stupid and can’t think for themselves (especially those stupid and ignorant pointy-haired bosses). So therefore, we must have these utopian, God-like, and ‘impartial’ organizations to do their thinking for them. It would be immoral for anyone else to fund any study because, as everyone knows, doing a study is like rolling a die. Their conclusions sway aimlessly with the wind. If any insidious evil company funds it then black becomes white and white becomes black.
I find it interesting how everyone here talks about everything except the study itself. Everyone seems to desperately cling to their own little hypothetical imagined world that fits their preconceived notions. They talk of imaginary statements in imaginary studies that are vague and could be interpreted many ways, but fail to provide any concrete examples in the study the article discussed. I guess looking at the study and thinking about it is just too much work.
A MOMENT OF TRUTH!!!! You hit it on the HEAD…we live in a truly POSTmodern world! Anyone for some Derida?
Oops…I meant Derrida
“People who wear tinfoil hats…”
Sorta like this?
“I bet Red Hat has a whole department dedicated to spreading misinformation on the Internet, like the way you are doing.”
Yeah. Exactly like that.
I laughed myself off of the chair reading that one. Are all of you people really serious? Is there a bone of humor in you? Do you have wives and kids? Do you know how to have a good time? Well…I’m having one watching the children fight!
Hey! We’re all serious people here having a serious discussion about a serious issue with serious consequences to the serious world. Seriously.
Yes, thank-you…I know that…but let’s have some fun with the “seriousness!” I feel your pain! I see the seriousness in the IT department at work…always putting out fires instead of getting any real work done! BUT NOW, I see that you DO have at least a little sense of humor….maybe we can lighten up a little even while being serious!
But there have been a LOT of good points (and pointless ones too) in this discussion on BOTH sides, if you think that there are “sides”…it becomes ideological, which you mentioned before. For us humans, it’s HARD NOT to be sometimes. Then throw EMOTION into the picture and ALL HELL breaks loose! THANK GOD for HUMANITY!!!!!
Anyway, I forgot to mention through all of this that Microsoft Sucks and everyone knows it. Oh….I’m not ideological now, AM I?
I think that your point above is very valid. The STUDY should be STUDIED…and if it IS flawed, there can be a lot of other studies that can debunk the other study. I think it’s what people EXPERIENCE which is really what matters, but that isn’t really documented and won’t be.
For me, the move to Linux has been very satisfying, however I had very little trouble with Windows because of the “precautions” taken (I think)…but I HAVE REPAIRED too many “broken” Windows machines because of the virus/spyware/malware/whatever problem. This IS serious, especially for enterprise.
But it’s the STUDY, which may or may not be a study. I don’t know and don’t care right now. Ultimately TRUTH will prevail no matter how much FUD is being spit out from whatever side. We ARE ALL guilty of it. But, we are human too. “Oh…the HUMANITY!!!!”
So….keep the fighting up as it IS fun and funny even in the context of “seriousness”
To be completely correct, you should say that two researches spread FUD here, not the other way around.
Actually, it’s one study and one ADTI article (which is closer to an editorial than a study).
Unless you’d like to claim that without Microsoft paying for that study the outcome of it would have been different. Do you?
In the case of the actual study, it’s hard to say for sure. My guess (which I’ve made clear in numerous posts on this thread) is that MS only keeps the studies that support its views. So it’s not outright lies, rather it’s “selective” truth. Bias comes in selecting the material that gets released.
In the case of the Ken Brown “editorial”, it’s different. It’s clearly an ideological piece from an institute that is funded by MS. MS isn’t buying a study here – rather, they are getting positive spin from an organization to whom they give large sums of money. So in the case of the ADTI I think the fact that MS pays the bills does indeed affect its “outcome”. The bias is intentional (and the misrepresentation of truth quite shameless – I wouldn’t be surprised if Kenneth Brown moonlighted as one of the anti-OSS trolls here…)
People like “a nun, he moos” who have a clear agenda and axe to grind. People who wear tinfoil hats and base their decisions on innuendos and who’s funding whom instead of looking at the statements in the study and reasoning about them.
Now, see, that’s an ad hominem attack. You’re not actually challenging my arguments but rather attacking my credibility and misrepresenting my motivations and my character.
And all of this bile, for what? Stating the obvious, i.e. that Microsoft’s credibility in the matter is shaky at best.
I knew you’d quickly return to your old ways. Here, I’ll post it again so we don’t have to click to an earlier section:
http://www.datanation.com/fallacies/attack.htm
Do you work for Red Hat?
Nope. I work for a game development studio.
Because you sound like one of the many Red Hat shills I talk to every day.
Well, you sound like a MS astroturfer.
I hope you don’t actually believe any of the FUD that you are spreading. People like you convince me how desperate the OSS crowd have become lately.
Except that I’m not spreading any FUD, rather I’m stating the obvious. And it’s not the OSS crowd that’s desperate, it’s MS – hence its attacks against Linux in the media.
Every day, more and more evidence is produced showing how open source software is over-hyped.
I’d like to see some of that “evidence” coming from sources that aren’t on Microsoft’s payroll, once in a while.
I bet Red Hat has a whole department dedicated to spreading misinformation on the Internet, like the way you are doing.
Actually, I don’t think RedHat can afford this. Microsoft, on the other hand…
It’s becoming clearer every day how the OSS companies have become disconnected from their customers and are totally pre-occupied with politics and religion.
Right. Tell that to Novell and IBM.
I fully trust that people will clearly see how you are spreading FUD.
MS is spreading FUD through its proxies. No matter how much you’ll try to divert attention from this, it’s really no secret to anyone.
Creating a vague cloud of doubt and insinuating that this study or anyone associated with it is somehow manipulated by ‘sinister forces’ like Microsoft or the Illuminati or whatever is pure FUD.
No, no, it’s the Servants of Cthulhu, or maybe the Bermuda Triangle. And I’m an agent of the Discordian Society. Hail Eris!
Sorry about that.
NOW the sense of humor is showing!!!! Keep it up!!!!!
This is FUN! I was going to watch a movie tonight, but maybe this will be more entertaining! Do you guys get paid for stand-up acts? You would be a great dueling duo, kind of all in jest, you could work up a really nasty routine. If done right it could be hilarious. You guys could go to these computer shows and be the comic relief!
…but you’re kinda off-topic.
I think going to see a movie is a great idea. I know that’s what I’ll be doing. OB surprised me by trying to argue respectfully, but now he’s back to his old attack routine, so I think I’ll bow out of this one. Happy Easter y’all.
I know I’m off topic a little, I’m just having some fun…it is a GREAT weekend! The sun is going to shine here (Chicago) and Spring is near! So, I’m just trying to lighten things up a little…and the comedy act WOULD be fun, wouldn’t it?
HAPPY EASTER TO EVERYONE!!!!
For a second there I couldn’t understand what you were saying with your post. But you quickly followed it with another point-by-point rebuttal. That is good. You see, I only understand point-by-point rebuttals.
Well, you sound like a MS astroturfer.
Well you sound like someone who likes making false accusations.
Except that I’m not spreading any FUD, rather I’m stating the obvious. And it’s not the OSS crowd that’s desperate, it’s MS – hence its attacks against Linux in the media.
The little bit of attacks against OSS by MS is dwarfed by the sheer amount of incoherent hatred displayed by yourself and others like you.
I’d like to see some of that “evidence” coming from sources that aren’t on Microsoft’s payroll, once in a while.
Everyone is on Microsoft’s payroll. Microsoft donates to all major Universities.
Actually, I don’t think RedHat can affor this. Microsoft, on the other hand…
Red Hat bums free zealotry from the “community”. It is benefiting from the effect of a million clueless loudmouths loosely connected throughout the world by the Internet. It is open source at work.
Right. Tell that to Novell and IBM.
Oh right, like you know anything.
MS is spreading FUD through its proxies. No matter how much you’ll try to divert attention from this, it’s really no secret to anyone.
Red Hat doesn’t need to spread anything. Its FUD is already spread everywhere and everyone is buying into it.
No, no, it’s the Servants of Cthulhu, or maybe the Bermuda Triangle. And I’m an agent of the Discordian Society. Hail Eris!
So I was correct in grouping you with the conspiracy nuts.
Well you sound like someone who likes making false accusations.
You started it, by saying I sounded like a RedHat employee. I only followed your lead, as anyone who has followed the thread can attest.
The little bit of attacks against OSS by MS is dwarfed by the sheer amount of incoherent hatred displayed by yourself and others like you.
That’s your opinion. My own opinion is that the “official” MS FUD (i.e. the studies they fund and opinion pieces they sponsor), added to the sheer amount of incoherent hatred of OSS by yourself and others like you is greater than whatever FUD may be spread by the OSS camp. That said, I did not utter a single word of FUD here. I merely expressed a (very common) opinion that MS does not have a lot of credibility when it comes to this, based on their past actions. Instead of providing counter-arguments, you instead tried to attack my credibility, a typical ad hominem attack.
Oh right, like you know anything.
Now you’re just being childish. You should have quit when you were ahead.
Red Hat doesn’t need to spread anything. Its FUD is already spread everywhere and everyone is buying into it.
Well, if everyone is buying into it, why did you say earlier that OSS companies were getting “desperate”? That doesn’t make much sense. In fact, you haven’t been making much sense in these past couple of posts; you should try to calmly and respectfully present counter-arguments instead of desperately looking to find the “killer line”. So far all you’ve done (after a reasonable start, I must admit) has been to resort to personal attacks. What you fail to realize is that your awkward attempts to challenge my credibility have in fact been far more damaging to your own.
I think at this point there’s little else to do than agree to disagree.
So I was correct in grouping you with the conspiracy nuts.
No, I’m simply an occasional player of Illuminati and Illuminati: New World Order, by Steve Jackson Games. As it happens, I’m somewhat knowledgeable about many conspiracy theories, but I don’t actually believe in any of them. MS, however, has a well-documented history of underhanded tricks and acting through proxies. That’s not “conspiracy theory”, but recorded, verifiable facts.
Meanwhile, you’re the one who said he was certain that RedHat had a department dedicated to spreading FUD.
Quote: “You mean like linux? Ooohh, wait, the linux crowd just downplays and sweeps them under the rug and hopes no one notices, so that’s slightly different.”
Bullshit.
Quote: “What planet are you living on? Windows Server 2003 installs a shitload of services”
Did I fucking mention services dipshit? I said applications. Go learn to read.
Quote: “Go spread your FUD elsewhere.”
No, that’s Microfuckups, oops I mean Microshaft, oops I mean Microsuck, oops I mean Microsoft’s job.
Go play with your shiny Windows toy. Oh and at least don’t post as an AC, it really just shows what a coward you are.
Dave
Quote: “Microsoft donates to all major Universities.”
Donates? You mean bribes?
Quote: “It is benefiting from the effect of a million clueless loudmouths loosely connected throughout the world by the Internet.”
Normally I’d just click the report abuse button for this type of drivel, but since I’m feeling kind, I didn’t. I’ll tell you one thing, there’s more than a million clueless Windows users out there. Get it? Just in case you didn’t get it, I’ll spell it out for you. Slowly. Point by point, since it seems that is all you’re capable of.
1. The majority of Linux users are advanced computer users.
2. Advanced computer users aren’t usually morons.
3. Advanced computer users generally are quite capable of administering their own systems quite nicely.
4. Point 3. results in a nicely secure system.
Did you get all of that? Since you’re seemingly a bit slow I’ll repeat it again for you:
1. The majority of Linux users are advanced computer users.
2. Advanced computer users aren’t usually morons.
3. Advanced computer users generally are quite capable of administering their own systems quite nicely.
4. Point 3. results in a nicely secure system.
Now hopefully you got it the 2nd time around. 3rd time is for dopes.
Now – we’ll compare the number of virus infected/spyware infected/malware infected Linux PCs that I’ve seen in my experience, to the number of Windows PCs – and oddly enough, guess which one wins! And it’s not even a matter of numbers, so don’t give me that bullshit argument that Microsoft has a lot more because 95% of the world uses it. If that’s the case, for every 19 fucked up Windows PCs I see I should see one fucked up Linux box (due to viruses/worms/trojans/spyware/malware etc). Guess what? It ain’t happening. Now, pray do tell, why is that?
And you know what? I don’t have to run spyware detectors on my Linux box. I have f-prot installed but I honestly can’t remember the last virus it ever reported 😉 Firewalls have been built into most Linux distros since Redhat 7.2 (from memory), that’s like, lemme see, 4 years ago? Microsoft only started doing that with Windows XP SP 2 if memory serves me correct, that’s about six months ago.
Octavian, do you work for Microshaft, oops I mean Microsoft. Cos you sure do as hell sound like a MS astroturfer to my eyes. Is your middle name ‘fud’ by any chance? Or possibly your last name…mmm…
a nun, he moos – I haven’t always agreed with your comments, but on this one, we’re on the same side 🙂
Anyways, back on topic. This report is a Microsoft funded report, and in due respect should be looked at as being tainted. Whilst the data might be correct, the report has solely decided to focus on areas that it knew Microsoft would look good in. Selective choice I believe they call that. By omitting viruses, worms, spyware etc they are ignoring the one MAJOR area that Microsoft falls down on every single time.
Dave
Hey, this is still fun! I was looking for the DVD I was going to watch tonight, but can’t find it! This is entertaining enough! WE might have to add to the comedy team!
Looks like we have a new contender. So far ‘a nun, he moos’ has been leading the pack but David Pastern has given a really strong performance with his last post. Right now, it’s neck-and-neck.
Now you’re just being childish. You should have quit when you were ahead.
Am not. You are.
LMFAO! Another own goal..
LMFAO! Another own goal.
I know. I was going to respond, but at this point I think it’s a lost cause.
I know. I was going to respond, but at this point I think it’s a lost cause.
Now you know how I feel.
It depends on the researchers’ methodology. Redhat packs so many programs in their distro. Researchers can easily pick a less secure one. Easy example: pick wuftpd rather than vsftpd, then compare to Windows’ relatively secure FTP product.
I have no problems with the fact that Microsoft funded the study. It doesn’t prevent someone from applying critical thinking to the methodology and results.
I do have a problem with the metric behind the methodology to get those results. Length of time from announcement of the vulnerability to the availability of a patch is a very narrowly focused metric and tends to ignore minor details like how critical the vulnerability is, whether it can be exploited remotely or not, and the length of time between the vulnerability being discovered and it being announced. The last part is very important because, once a remotely exploitable vulnerability is discovered, the prudent thing to do is assume that it’s being utilized.
I’ve noticed a lot of vulnerabilities for Microsoft OS’s are rarely announced before a patch or hot-fix is made available. Security through obscurity until there is a patch if you will, but no option to mitigate the risk without knowledge in the meantime. Many (not all) open source projects practice full disclosure even if a patch hasn’t necessarily been made available yet. This can cut both ways, but it also gives the person administering the systems awareness of the problem and allows them to take action to mitigate the risk until there is an actual patch (close ports, remove offending software, chroot daemons to limit potential damage, set harsher permissions, tune IDS’s, etc.). Speaking of disclosure, I favor the latter option.
The bottom line in this case:
Researching (it was just simple math) with one narrowly focused metric skews the results in favor of the one not practicing full disclosure.
Yeah, I read this argument on Slashdot too. It is similar to Sharper56’s argument. Any risk before a flaw is reported is too vague to base a study on. How critical the vulnerability is can change with the context and is therefore another vague metric that is impossible to use in a study (unless you go to every PC in the world and determine how every vulnerability you use in the study affects it).
Researching (it was just simple math) with one narrowly focused metric skews the results in favor of the one not practicing full disclosure.
If a development methodology results in more days of risk (measured objectively) then maybe that development methodology is not so good when it comes to security. It seems obvious to me that helping ‘black hats’ by announcing flaws before they are fixed will increase the risk to your users. Simply because it creates a period of time when ‘black hats’ can exploit it without having to put any effort in discovering it. The users may or may not be able to mitigate that risk (again, too vague to use in a study), but that doesn’t mean that the risk is not there.
Is there even anything to debate or talk about here ?
What other results is a MS funded project supposed to produce ?
You’d be high to think they would release something that shed bad light on their product.
I didn’t read anyone disagreeing with the results, just over the sponsorship.
Because none of the bleating sheep decrying the funding has actually read the report.
No offense but who the heck is going to pay for and release the results of an analysis favoring a product? I’m not going to pay for a study of MS windows vs linux security. The money has to come from someone with some interest in the results. Maybe a government or professional organization might fund it but someone has to persuade them that there is a reason to fund it.
Because none of the bleating sheep decrying the funding has actually read the report.
Actually, some people did criticize the contents of the study. Some criticized both the methodology and the sponsoring.
To me, the biggest failure of the study is to ignore the actual nature and severity of the security bugs, and to base its metric solely on number of vulnerabilities. This sentence is quite telling:
“We thus do not consider the threat profile in this study and instead focus on underlying system vulnerability.”
The bottom line, though, is that MS (and other companies) only releases studies that support its views. As such these types of studies should always be taken with a very large grain of salt.
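The two methodology objections raised in the thread, that a days-of-risk metric counted only from public announcement to patch ignores the pre-announcement window, and that a raw vulnerability count ignores severity and remote exploitability, can be made concrete with a small calculation. The following Python is an added example and is not code from the article, the study, or any poster; the two products (“quiet”, which announces only when a patch ships, and “open”, which announces at discovery) and every date and severity value are constructed sample data, and the 1–4 severity scale is an assumption, not the study’s. It computes the same constructed data set under several metrics so the reader can see which product each metric favours.

```python
"""Days-of-risk and vulnerability-count metrics over a constructed sample.

Added example, not from the article, the study, or any post in the thread.
Every Vuln record below is constructed; the severity scale (1 low .. 4
critical) is an assumption for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Iterable


@dataclass(frozen=True)
class Vuln:
    product: str
    discovered: date   # first known to vendor or finder (constructed)
    announced: date    # first public notice (constructed)
    patched: date      # fix available (constructed)
    severity: int      # constructed 1..4 scale
    remote: bool       # exploitable without local access


# Constructed sample: "quiet" announces on the patch date, so its
# announce-to-patch window is always zero; "open" announces at discovery.
SAMPLE = [
    Vuln("quiet", date(2004, 1, 5),  date(2004, 3, 9),  date(2004, 3, 9),  4, True),
    Vuln("quiet", date(2004, 2, 2),  date(2004, 4, 13), date(2004, 4, 13), 3, True),
    Vuln("quiet", date(2004, 5, 1),  date(2004, 6, 8),  date(2004, 6, 8),  1, False),
    Vuln("open",  date(2004, 1, 20), date(2004, 1, 20), date(2004, 1, 27), 2, False),
    Vuln("open",  date(2004, 2, 15), date(2004, 2, 15), date(2004, 2, 18), 3, True),
    Vuln("open",  date(2004, 3, 3),  date(2004, 3, 3),  date(2004, 3, 5),  1, False),
    Vuln("open",  date(2004, 4, 1),  date(2004, 4, 1),  date(2004, 4, 6),  1, False),
    Vuln("open",  date(2004, 5, 11), date(2004, 5, 11), date(2004, 5, 12), 2, False),
]


def _sum_by_product(vulns: Iterable[Vuln], value: Callable[[Vuln], int]) -> Dict[str, int]:
    """Sum value(v) per product; every product present in vulns gets a key."""
    totals: Dict[str, int] = defaultdict(int)
    for v in vulns:
        totals[v.product] += value(v)
    return dict(totals)


def announce_to_patch_days(vulns: Iterable[Vuln]) -> Dict[str, int]:
    """The narrow metric: days between public announcement and patch."""
    return _sum_by_product(vulns, lambda v: (v.patched - v.announced).days)


def discovery_to_patch_days(vulns: Iterable[Vuln]) -> Dict[str, int]:
    """Counts from discovery, so the silent pre-announcement window is included."""
    return _sum_by_product(vulns, lambda v: (v.patched - v.discovered).days)


def vuln_counts(vulns: Iterable[Vuln]) -> Dict[str, int]:
    """Plain number of vulnerabilities, ignoring severity entirely."""
    return _sum_by_product(vulns, lambda v: 1)


def weighted_exposure(vulns: Iterable[Vuln], remote_only: bool = False) -> Dict[str, int]:
    """Severity-weighted discovery-to-patch days, optionally remote flaws only."""
    def value(v: Vuln) -> int:
        if remote_only and not v.remote:
            return 0
        return v.severity * (v.patched - v.discovered).days
    return _sum_by_product(vulns, value)


def safer_product(metric: Dict[str, int]) -> str:
    """Product with the lowest score; lower is better for every metric here."""
    return min(metric, key=metric.get)


def compare(vulns: Iterable[Vuln] = SAMPLE) -> Dict[str, str]:
    """Which product each metric declares 'more secure' on the same data."""
    vulns = list(vulns)
    return {
        "announce_to_patch": safer_product(announce_to_patch_days(vulns)),
        "count": safer_product(vuln_counts(vulns)),
        "discovery_to_patch": safer_product(discovery_to_patch_days(vulns)),
        "weighted": safer_product(weighted_exposure(vulns)),
        "weighted_remote": safer_product(weighted_exposure(vulns, remote_only=True)),
    }


if __name__ == "__main__":
    for name, winner in compare().items():
        print(f"{name:20s} favours: {winner}")
```

On the constructed data the announce-to-patch and count metrics favour “quiet”, while every metric that starts the clock at discovery or weights by severity favours “open”; the point is only that the choice of window and weighting decides the ranking, not that either real product behaves like the sample.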