March 22, 2005 4:56 PM PST
Linux riskier than Windows?
down into "high," "medium" and "low" severity ratings. Flaws graded as high severity include Red Hat and Microsoft's critical classifications and flaws that allow local users to gain access to system functions. Microsoft had far fewer high-severity flaws in both the default and minimal configurations, according to the paper.
Microsoft did fund the study, the researchers acknowledged. The software giant released a statement on Tuesday that indicated
"When Security Innovations submitted a proposal to Microsoft to research ways to measure vendor software security, we evaluated the proposal and determined that this type of analysis would be useful for our customers and funded their research," the company said in the statement. "We encourage customers to review and evaluate the data in the context of their own computing environments."
Richard Ford, a computer science professor at the Florida Institute of Technology, and Fabien Casteran, a security test engineer at Security Innovations, were the authors of the report alongside Thompson. The researchers hope to stave off criticism by publishing their methods as part of the report.
"The methodology was designed to allow others to validate it for themselves--it has to be quantitative and repeatable," Thompson said. "We didn't just want to hand people the cake; we wanted to give them a recipe as well."
While neither days of risk nor vulnerability counts are true measures of security, Thompson said the researchers wanted to focus on a metric that mattered to system administrators. The cumulative time administrators had to wait for patches is a reasonable measure, he argued.
Thompson admitted, however, that security largely depends on the expertise of the administrator.
"I think either (operating system) is infinitely securable by a skilled Jedi administrator," Thompson said. "If I have a Linux guru, then I want that guy to do the Linux web server. I am more of a Windows guru, so I would use Windows."
FUD, FUD, FUD, the lies from Redmond are marching!
The classic LAMP stack (Linux, Apache, MySQL, PHP or Perl) has proven successful time and time again for YEARS.
If I were Microsoft I wouldn't be spreading FUD. Rather, I'd spend the time fixing bugs in my software, and actually making IE as well as IIS more than a piece of junk.
OK - so I tell people "Whatever your problem, ME isn't the answer". But you buy a decent M$ OS & things are fine - I even had M$-DOS 3.3, and NEVER did it let me down after several YEARS.
Perhaps if they spent more time making solid products they wouldn't have to pay people to publish bogus reports.
Instead of calling folks names, attempt to actually articulate your side of the debate. Document how Linux beats Windows, and why. Keep careful records, and prove your point, by the numbers.
If you can, that is. The nasty reality of what companies already own, where their data already lives, what skill sets are available, where management wants to go, etc. has a way of making simple decisions very complex.
First, Microsoft never engages their marketing propaganda machine unless they feel a threat. This isn't a bad thing, it's a good thing. This means Microsoft is for the first time publicly acknowledging that Linux based systems are a threat to what it perceives as its dominance in the market. And, as typical with MS, when it can't gather enough hard facts to support its position, it engages its marketing propaganda engine and attacks in the media.
Second, attacks and name calling as in previous posts should be refrained from. Not for the obvious reasons, but for the good of the open-source community. Many decision-makers in these on-the-fence companies are reading these stories and the posts to them while trying to decide if open source is the way to go, or the MS monopoly should remain in their organizations. MS would portray open source initiatives as a bunch of "high-schoolers" coding immature applications not ready for the "real" world. Let's not give them ammunition to believe we aren't at the top of the game along with the proprietary-source market.
We all know how good, and in some cases better, open-source software is than the MS stuff.. and this is due to our ability to work as a disconnected collective. Let's present this as a mature, intelligent position in responses to "studies" done by MS paid "researchers".
Because as we know.. When the facts are all presented, we have the winning products.. in the Linux/Novell/Mac arena.
Bob.
---------------------------------------------
"We can never see past the choices we don't understand." - You should know who said this and why.
---------------------------------------------
Of course a smart company will make that a part of their decision process, but only part.
This has been disputed in great detail by Novell.
[http://www.novell.com/linux/truth/response.html]
Thank you for your care for "the good of the open-source community". However, if you look more generally at the posts here you will find something other than threats to the open-source community.
Have a nice day :)
Now I'm not trying to attack the validity of the report. I am saying that it's hard to believe it when it was commissioned from Microsoft. Guilt by association I suppose.
I haven't read the report, but plan to when I get time. My question is: did Microsoft help them properly configure Windows? Did they run Linux straight out of the box without modifying its configuration? Did they run Windows straight out of the box without reconfiguring security?
I would like to see a report done that wasn't commissioned by Microsoft or a Linux group, one that configured each server for its optimal security and performance. Although no report is ever truly going to be unbiased, this would come closer.
So unless we start with totally neutral, objective, and COMPREHENSIVE counts, all of this 'study' is "..a clanging of cymbals and crashing of gongs....signifying NOTHING!!!"
Last I heard, Microsoft had PRECLUDED this type of study in all of its EULAs!
The truth is Microsoft has the ability to suppress, for long periods of time, the public disclosure of vulnerabilities with the use of responsible disclosure, national security --- time of war and the Patriot Act. Once the vulnerability is released, Microsoft has a history of attacking the security researcher and dismissing the criticality of the vulnerability, until it impacts the customer. Then, if a worm/virus does impact the community, blame it on hackers or the users for not taking some action.