Microsoft vs Linux Reports - Sheer Waste Of Time?
By Praveen Kurup, Mar 24, 2005 1523 hrs IST
Tags: security

The report released by Security Innovation Inc., an application security company, comparing Windows Server 2003 security with Red Hat Enterprise Linux 3 Enterprise Server (RHEL3ES) is very interesting in its own right. Just skimming through the report reveals a few discrepancies that question its credibility.
The main page briefing about the paper states:
"Results of Independent Research Project that Microsoft Windows Server 2003 has Fewer Security Flaws than Multiple Configurations of a Compatible Linux Server."
While the researchers clearly name the Microsoft product, they use the more generic term "Linux" for the other side. Why generalize? It is hard to believe that these PhDs do not understand the significance of this wording. Why couldn't they just be direct and say "RHEL3ES"?
In the report:
"Aside from beliefs over the relative "security" of the closed versus Open Source development paradigms, another important contributing factor is that Microsoft develops and releases all the components in their Web server stack. This allows Microsoft more control over release cycles and vulnerability disclosures than the distributed development method."
This brings up a couple of interesting points. Firstly, according to them, deploying components from multiple vendors in an enterprise makes the overall system more vulnerable. So we must expect enterprises to take immediate action to ensure that ALL their ERP, SCM, CRM and, of course, Web servers come from a single vendor. Though we hate to repeat this, have they ever heard of something called "vendor lock-in"?
Secondly, the report states that Microsoft has control over release cycles AND VULNERABILITY DISCLOSURES. Do they intend to say that the "days of risk" figure has been significantly affected by the fact that the vendor controls when a vulnerability will be disclosed?
A little later comes:
"Another factor which helps Microsoft in terms of average days of risk is that Microsoft strongly encourages a "responsible disclosure" policy - that is, the company attempts to carefully coordinate vulnerability announcement with fix announcement and actively build relationships with new security researchers."
It does seem that the report is trying to explain that the companies buying Microsoft products are supposed to work closely with Microsoft to keep the vulnerability announcement and the fix announcement as close together as possible, so that the "days of risk" are kept to a minimum. We sincerely hope that we got this one wrong.
Though a lot more in the report could be analyzed, it does appear that this "independent" research was done (or should we say, written) by people who think that enterprise IT heads are a bunch of fools with all the time on earth to read through tons of pages of deceptive analysis.

Discussion Board

-
by Ken Strand on Mar 25, 2005 02:50 AM
I think the report points out the truth, which is that the Linux implementations such as Red Hat have been hiding the fact that we don't have the level of security that W2K3 does, and as Microsoft focuses even more on security, Linux will have to catch up. It's very hard for an open source OS to compete on a quality level, especially in security, as a coordinated effort does. Did anybody see MSFT's presentation on their Software Development Lifecycle at RSA? What standards do we have in the Linux community for this? Look, we may all hate MSFT, but let's give them some credit where credit is due. Whether they paid for it or not, other than a few minor mistakes, the report is grounded in detail and accurate. Congrats Microsoft, you have one this round.

-
Re:
by Darren R on Mar 25, 2005 03:22 AM
I might take Mr. Strand's comments more seriously if he had not committed such obvious grammatical errors. If it had been one error then I'd forgive it as written too quickly, but as there is more than one I can't overlook them. Due to the lack of quality in Mr. Strand's writing, I must conclude that his comments are not worth considering. Microsoft has NOT 'one' or even won any round with regard to security.
-
by Indrajit Shinde on Sep 19, 2005 03:40 PM
Linux has risen in popularity and is being used successfully around the world. Most of the so-called 'independent' reports are done by firms working with, or seeking to work with, the companies. These types of research are often misleading as they cover only one side of the story. It's better to evaluate it and take out the best from it.

-
by Ivan on Sep 17, 2005 05:36 PM

-
by Sanjiv on Mar 28, 2005 02:25 PM
Everyone has a right to express a point of view and to stand behind it. It's a bit hard for me to believe that someone would willy-nilly write reports that involve at least some form of research and a lot of time. Both sides are doing it to serve their respective interests. I don't expect the President of Timbuctoo to write these reports. Whichever side makes the point, let's not trash it because it doesn't serve our commercial or emotional interests, but actually evaluate it and take the best from it.

-
by Charles Tryon on Mar 26, 2005 10:28 PM
You make a number of very good points here! One thing I would add is that simply counting days of risk exposure, without attempting to weight them by severity, is like trying to estimate the weight of a load of stones while ignoring the fact that some of them are pebbles and others are house-sized boulders...

-
by Scott Hardy on Mar 25, 2005 12:00 AM
While I agree completely that there is a lot of very flawed "research" out there, much of it funded by Microsoft, I do find it ironic that this article appears beneath a banner ad which tells of a (MS-funded, I expect) VeriTest study which allegedly shows that Windows 2003 webservers outperform RedHat by 276%. I hope that one day cxotoday's advertising department will start showing as much sense as its writers do.

-
by John on Mar 26, 2005 03:29 AM

-
by theologu on Mar 26, 2005 02:54 AM
So-called independent reports are clearly paid for by Microsoft. It stinks from a mile away. Please, stop this bullshit! Maybe you don't know that Windows 2003 Server still suffers from the ancient 'land' attack. And what security? Viruses, spyware, adware, malware and backdoors make your life a living hell in Windows! And another problem is that they always compare Windows 2003 with RedHat Enterprise Server. Why, may I ask? Linux is not limited to RedHat and what RedHat people say. Linux is far more than RedHat. Why don't they compare Windows with Debian, Slackware, Gentoo, true pure community products, which don't cost a cent? And don't tell me that you have to spend much money to train your people to work with Linux, because nobody is born knowing Windows. From my experience, I know more IT SPECIALISTS who know Unix & Linux than Windows. A big part of the Windows 'specialists' are truly specialists in clicking with the mouse. Every person who has a university degree in the IT domain studied Unix and Linux at school. So Linux has more specialists.

-
by Anonymous on Mar 25, 2005 01:04 PM
Any security study that only looks at problems that were fixed within a timeframe is fundamentally flawed. Specifically, I know of at least one bug in Windows which Microsoft has stated will never be fixed; this is a local privilege escalation. (The effect of this is that, on Windows, all security holes which allow arbitrary execution of code are effectively administrator-level exploits; there are no 'unprivileged user only' exploits.) Now, I understand Microsoft's position - they fix this bug, and *all* of their software released before the bug was discovered (and possibly most or all of their software released since) can no longer communicate with each other. This being said, I've only seen two types of Microsoft vs. Linux analyses: Paid for by MS, and written by people who seem to think that deep down, everyone's a geek. That being said, I do think there's eventual hope - Linux distros are continuing to improve upon their default setups, both with regards to security and administration. For the short term, there's another OS, not mentioned here, normally not mentioned on cxotoday from what I've seen, which can handle the needs of the rest of the users. (Unfortunately, Steve would like to be as much the monopolist as Bill is. *Sigh*)

-
by GreyGeek on Mar 25, 2005 04:53 AM
Zero credibility, especially when later the true facts of these 'studies' are revealed and the public learns how they were slanted. Microsoft has been burned by this so many times you'd think they'd learn. Linux is being used successfully around the world in all sectors of industry, government and in millions of homes, and because of that Microsoft's "Get The Fud" fails because it contradicts the experiences of people using Linux in REAL situations. Seventy percent of the Internet is run on OpenSource software yet viruses and trojans are effective only on sites run with Microsoft products. I've lost count of the number of people who've asked me to replace their Windows installation with Linux, which I am all too happy to do. I NEVER have to return to remove viruses or rebuild installations. And finally, there is the fact that when Microsoft's servers, or those of its business partners, needed help in the past, they called on Linux more than once to bail them out. Strange that an OS which claims to be superior to Linux has to depend upon Linux when the rubber meets the road.

-
by Patric Conant on Mar 25, 2005 02:26 AM
I guess I don't understand; a paid-for independent report is just a commercial, right? It shouldn't be given any more credence than any other commercial. Shouldn't these be tossed in the useless bin along with "new and improved" labels on cereal? Independent of what, I guess, is the question, as the entire report was dependent on Microsoft's funding, or am I missing something? Isn't the metric "days of risk" created for this particular study? I may be wrong, but doesn't anyone who uses this study in any kind of meaningful analysis deserve whatever they get? Would anyone really believe that Microsoft paid for this study to clear their "good name" which has been unfairly tarnished by the communist zealots? Perhaps I am just naive, but I don't think anyone who hadn't already made up their mind about what they wanted to believe would do any more than line their birdcage with this report.

-
by Jacobbo Belbo on Mar 25, 2005 02:25 AM
I found 2 factual mistakes in the 5 lines of the report I read. They were: 1) CAN-2004-0957 does not discuss a bug in MySQL's mysql_real_connect(). It is CAN-2004-0836 that relates to mysql_real_connect(). 2) RHSA-2004:611 was not issued on the 27th of November but of October. You can trivially check that on the relevant site. So what trust can you have in the conclusion when the underlying facts are misreported?

-
by Dhonn Lushine on Mar 25, 2005 01:49 AM
I'm starting to think they are targeting investors. Microsoft's stock price has been on a downward trend for a long time now and they want to keep the drop at a minimum. CIO/IT management are very smart people and I don't think they fall for this kind of deceptive marketing. It surely keeps them busy though. This kind of marketing is also saying "look people, you are not smart enough to do your own due diligence, we are the best!". I don't think people want to be categorized as "stupid". I want Microsoft to do a study on how much Windows is more secure against viruses, malware, spyware, trojans, and worms and I'll bet Windows will once again come out on top.

-
by Robert Halloran on Mar 25, 2005 12:34 AM
Most of the "independent" reports are done by firms working with, or seeking to work with, the favored vendor. As Linux has risen in popularity from "grass-roots" efforts, such reports are of little use to that market, except perhaps to convince management. The "management consulting" firms probably feel a threat to their livelihood and are responding accordingly.

-
by Robert Weiler on Mar 25, 2005 12:05 AM
There are two major problems with this particular report. They note that by default, both servers have firewalls which block all incoming ports, which have to be manually opened for http/https. They make no attempt to compute the number of vulnerabilities which cannot be exploited by a remote attacker simply because the required port isn't accessible through the firewall. In addition, they make no attempt to compute which vulnerabilities can be exploited by a non-local user. Given that they are restricting their scenario to web serving, this distinction is vital. The security metrics that they do use are virtually meaningless.
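Two of the comments above describe how a days-of-risk metric could be made meaningful: Charles Tryon's point that each day should be weighted by severity, and Robert Weiler's point that a flaw whose port is closed by the default firewall is not exploitable by a remote attacker. The following is an added example, not part of the article, the discussion or the report it criticizes, that computes the naive calendar-day total alongside an exposure-aware, severity-weighted variant. The advisory records, the severity weights and the open-port set are constructed for illustration and correspond to no real advisories.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed advisory record; the field names are assumptions for this example.
@dataclass(frozen=True)
class Advisory:
    ident: str
    disclosed: date
    fixed: date
    severity: str          # "critical", "important", "moderate" or "low"
    remote: bool           # reachable over the network at all?
    port: Optional[int]    # listening TCP port of the affected service, None = local only
    needs_login: bool      # requires an already-authenticated user?

# Assumed weights; a real scheme would derive these from a scoring system such as CVSS.
SEVERITY_WEIGHT = {"critical": 4.0, "important": 2.0, "moderate": 1.0, "low": 0.25}

# Web-serving scenario from the report, as both commenters read it: only http/https opened.
WEB_OPEN_PORTS = {80, 443}

# Constructed sample data: four advisories with very different exposure profiles.
SAMPLE = [
    Advisory("EX-1", date(2004, 10, 1), date(2004, 10, 11), "critical", True, 80, False),
    Advisory("EX-2", date(2004, 10, 1), date(2004, 12, 10), "low", True, 3306, False),
    Advisory("EX-3", date(2004, 10, 5), date(2004, 10, 6), "moderate", False, None, True),
    Advisory("EX-4", date(2004, 11, 1), date(2004, 11, 21), "important", True, 443, True),
]


def days_of_risk(a: Advisory) -> int:
    """The naive metric: calendar days between disclosure and fix, severity ignored."""
    return (a.fixed - a.disclosed).days


def is_reachable(a: Advisory, open_ports) -> bool:
    """Weiler's filter: a network flaw behind a closed firewall port is not remotely reachable."""
    return a.remote and a.port is not None and a.port in open_ports


def naive_total(advisories) -> int:
    """Sum of raw days of risk over every advisory, the way the commenters say the report counts."""
    return sum(days_of_risk(a) for a in advisories)


def exposure_weighted_total(advisories, open_ports, allow_authenticated=False) -> float:
    """Tryon and Weiler combined: keep only flaws an attacker in the stated scenario can reach,
    then weight each day of risk by severity. allow_authenticated=True also counts flaws that
    need a logged-in user (Weiler's non-local vs. local distinction)."""
    total = 0.0
    for a in advisories:
        if not is_reachable(a, open_ports):
            continue
        if a.needs_login and not allow_authenticated:
            continue
        total += days_of_risk(a) * SEVERITY_WEIGHT[a.severity]
    return total


def summarize(advisories, open_ports) -> dict:
    """Side-by-side view of the naive count and the two exposure-aware variants."""
    return {
        "naive_days": naive_total(advisories),
        "weighted_unauthenticated": exposure_weighted_total(advisories, open_ports),
        "weighted_any_user": exposure_weighted_total(advisories, open_ports, True),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE, WEB_OPEN_PORTS).items():
        print(f"{k:26s} {v}")
```

On the constructed sample the naive count is dominated by EX-2, a low-severity flaw in a service the firewall never exposes, while the exposure-aware figure is driven entirely by the critical flaw on port 80; that gap is exactly the distortion both comments complain about.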