Slashdot Mirror

mjhuot writes "Last week SearchNetworking.com announced their Product Leadership Awards for 2007. It was a pleasant surprise to see an open source project, OpenNMS, win the Gold in their Network and IT Management Platforms category. OpenNMS beat out the established players of Hewlett-Packard's OpenView and IBM's Tivoli. This was based on a user survey of all IT solutions, not just open source; it demonstrates that open source software is indeed making inroads into the enterprise."

OSS_ilation writes "IBM touted 2006 as a resurgence year for the mainframe, but not so fast. At R.L. Polk and Co., one of the oldest automobile analytics firms in the U.S., an aging mainframe couldn't cut it, so the IT staff looked elsewhere. Their search led to a grid computing environment — more specifically, a grid computing environment running Linux on more than 120 Dell servers. The mainframe's still there, apparently, but after an internal comparison showed the Linux grid outperforming the mainframe by 70% with a 65% reduction in hardware costs, Polk seemed content banishing the big box to a dark, lonely corner for more medial tasks."

Jane Walker writes "Red Hat general counsel Mark Webbink goes to the mat for his company regarding the Microsoft/Novell partnership, in this SearchOpenSource.com Q&A. 'In one year, Red Hat will be all that remains of commercial Linux, he said.'" From the article: "Between last week and this one, it is clear that the two largest software vendors in the world perceive Linux to be at least on the same plane as them. They have got to respect what we have done. Having said that, does Red Hat think either of them has taken the right approach, now that Microsoft and Novell have made 'Microvell'? They've gone off the road a bit, we think, but we are feeling good about the attention that has been brought to Linux. "

OSS_ilation writes "They say beauty is only skin deep, but when it comes to Linux and the free software movement, people like Mark Shuttleworth think looks have an important part to play. On his blog and an article on SearchOpenSource.com, Shuttleworth and a slew of open source end users say that the look and feel of open source is also a matter of wider acceptance among enterprise players who are used to Windows, yet crave Mac OS X and the functionality of Linux. 'If we want the world to embrace free software, we have to make it beautiful,' Shuttleworth said. "We have to make it gorgeous. We have to make it easy on the eye. We have to make it take your friend's breath away.' With the early success of Novell SUSE Linux Enterprise Desktop 10, Shuttleworth and company may be onto something."

BDPrime writes, "A U.S. congressional caucus has met twice to discuss proposing national legislation that would make hardware manufacturers responsible for taking back their own stuff, similar to what Europe implemented with WEEE (PDF). The story quotes David Douglas, one of Sun's eco-evangelists, reflecting on the alternative: 'If we were having to deal with local regulations and local disposition facilities in every state, to deal with every state's nuanced costs, that would clearly involve cost to our basic equipment.'" It's early days for this movement; the buzzword to watch here is "E-waste."

sunshineluv7 writes, "IT managers gathered in New York City earlier this week to get advice from experts on when, why, and how to virtualize their server environments. The takeaway from the conference: if you want to run an enterprise-class virtualization platform in production today, stick with VMware." Other wise words from this conference: "Virtualization is a journey, not a project."

Jane Walker writes "How does Linux stack up to Windows in 2006? Experts weigh in on that question in these articles, comparing the operating systems' security, reliability and usability. Get insiders' views on Microsoft's proprietary stack versus open source software, as well as Windows-to-Linux migration tips."

Jane Walker writes "On a mission to avoid paying top dollar for Cisco routers, two users say Vyatta's Open Flexible Router is a viable alternative to the proprietary norm. Find out about the pluses and minor hassles involved in deploying this alternative." This probably won't surprise the users of (much lower end) networking gear like the famously hackable Linksys WRT54G, which — like a number of internally similar routers — can be reconfigured with one of several open-source firmwares to do things impossible with the hardware as delivered.

JaneWalker6847 writes "Don Becker, co-founder of the Beowulf project, describes the inevitability of hardware administration headaches and warns users not to expect a silver bullet to solve these problems." From the article: "We're about to see another revolution, which is in network adapters -- that we [will] talk directly to [them] from application level. That's a massive change in how you interface with them. And that brings about a new round of device drivers completely unlike the device drivers we had 10 years ago. So, that part of the world isn't going to stabilize anytime soon."

sunshineluv7 writes to tell us TechTarget is running a good overview of 'why, when, and how to use virtualization technologies to consolidate server workloads.' The summary provides links to several podcasts and other articles relating real world experience with how to utilize virtualization to best meet your needs. From the summary: "Advances in 64-bit computing are just one reason that IT managers are taking a hard look at virtualization technologies outside the confines of the traditional data center, says Jan Stafford, senior editor of SearchServerVirtualization.com."

Jane Walker writes "Dave Roberts talks about Vyatta's open source router and how open source technology may soon alter the landscape of enterprise networking." From the article: "Initially, we believe that the x86 PC running Vyatta -- given the range of hardware that's available in the PC world -- can basically replace the midrange of the router market; to use Cisco terminology and model numbers, simply because it's convenient shorthand, basically from the 2800 series to the 7200 series. There's a whole host of equivalent products from Nortel and Alcatel -- but essentially in that range. I wouldn't describe it as Cisco model numbers so much as T1 branch office to gigabit LAN product categories."

Darren Rayes writes "Zend plans to release the first version of Zend Framework on Oct. 29 during the next PHP conference. The Zend Framework provides a standard as it facilitates rapid development to write applications that run on Web servers, and includes PHP software modules for tasks such as database access or Web services communications. The framework provides a clean separation of logic and presentation, along with easy maintenance and extensibility through a well-organized application structure."

Slashback tonight brings some clarifications, and updates to previous Slashdot stories including, Kent State Facebook ban reversed, exploding laptop old news to Dell, XM moves to dismiss RIAA suit, J2EE death greatly exaggerated, and Square's next MMOG not FFXI II -- Read on for details.

Kent State Facebook ban reversed. Corvaith writes "Just a few days after it was originally noted that Kent State University had banned athletes from posting on Facebook, the Kent Stater announced that the ban was reversed. From the article: 'The athletic department had previously expressed concern about athletes' personal information being available to the public, allowing for possible stalking situations. They were also concerned about athletes displaying inappropriate information on their profiles.' But, in the end, they 'had a change of heart after reviewing the privacy measures available on Facebook.' Athletes must now lock their profiles to friends only."

Exploding laptop old news to Dell? Anonymous writes "CRN is reporting that Dell had about a dozen reports of burned laptops before they announced last year's battery recall. The recall was launched in response to a exploding laptop caught on film at a Japanese conference. Dozens more cases popped up with apparently severe overheating, melted cases, etc., according to the report."

XM moves to dismiss RIAA suit. mikesd81 writes "Apparently, XM is asking a judge to dismiss a a copy right law suit brought by the recording industry. The law suit is over the ipod-like device that can store up to 50 hours of music. XM Satellite said the 1992 Home Recording Audio act protects it from being sued over its $400 handheld device. From the article: 'In a court filing, XM Satellite said the 1992 protections represent Congress' efforts to insure that the powerful recording industry would not be able to restrict the right of consumers to record songs that are broadcast over the radio or stifle innovation by chilling the development and use of the latest recording technologies.'"

J2EE death greatly exaggerated. Peter writes "A recent Burton Group report has stated that the Java Enterprise Edition platform is 'dying due to its complexity and lack of suitability for SOA.' Major vendors supporting JEE have responded with rebuttals, stating that the complexity has arisen due to customer needs and that it is well positioned for companies to build SOA solutions on."

Square's next MMOG not FFXI II. Despite some of the rumblings around the net, it appears that the next MMOG to come out of Square will not be a sequel to the popular FFXI. While Square may have shot down this rumor, the question still remains, what MMO are they working on?

Jane Walker writes to tell us that the Christian Science Monitor is becoming quite the proponent of open source. The aggressive nature of OSS was a large part of what drew CIO Curtiss Edge into the fold, it seems. From the article: "But beyond the tangibles like open source code it was the community that made a convert of Edge. Behind all the open code, it was the forums and flexibility that were the driving forces he believes breeds better developers than those that toil away with proprietary code. Open source software makes developers more aggressive and more apt to go out into the communities that exist around the software to find solutions to their problems, Edge said, rather than holding on some proprietary help desk line while tech support looks up the answer."

opieum writes "VMware has launched Virtual Infrastructure 3.0 today which includes ESX 3.0 and a number of management utilities." Relatedly Jane Walker writes "SearchOpenSource has two authors that try to show why VMware ESX Server is miles ahead of Xen and Virtual Server. Discover what to watch out for when running ESX Server and how to avoid sprawl in your virtual data center."

Mark Brunelli writes to tell us that Oracle has released the newest version of the open source Oracle BerkeleyDB Java Edition. From the article: "The new release of the Java embeddable database is the third to come out in three years and the first new version to come out of Sleepycat Software since Oracle purchased the open source stalwart back in February. Rex Wang, Oracle's vice president of embedded systems and a former vice president of marketing at Sleepycat, said the latest release lets Java developers take advantage of a new Persistence application programming interface (API) that provides greater flexibility and new performance optimizations that enable applications to run faster."

Mark Brunelli writes to tell us that Oracle has released the newest version of the open source Oracle BerkeleyDB Java Edition. From the article: "The new release of the Java embeddable database is the third to come out in three years and the first new version to come out of Sleepycat Software since Oracle purchased the open source stalwart back in February. Rex Wang, Oracle's vice president of embedded systems and a former vice president of marketing at Sleepycat, said the latest release lets Java developers take advantage of a new Persistence application programming interface (API) that provides greater flexibility and new performance optimizations that enable applications to run faster."

Jane Walker writes "An office suite expert describes how to format documents in OpenOffice and Microsoft office using program features that will make ease compatibility headaches." From the article: "No two office suites are alike, and the more manual, highly controlled items you have in your document, the more likely the formatting will get messy when you go from one office suite to another. But if you use the formatting capabilities to indent and add spacing--well, that's more like just labeling a box Kitchen and putting the box somewhere that makes sense. The formatting tips in this article will also give you more professional-looking documents that are easier to update when the content or formatting rules change."

OSS_ilation writes "While much has been said about Novell or Red Hat as potential targets for Oracle this week, there are some in the Linux community who believe a different distro might deserve the attention of Larry Ellison. That distribution is Ubuntu, and analysts like Burton Group's Richard Monson-Haefel believed that it would be a better fit for Oracle, which is looking only for an OS and not for any of the baggage associated with Novell, like Netware. Ubuntu, with its huge community base and version 6.06 on the way, could be the perfect fit, he said."

Jane Walker writes to tell us that TechTarget has a short writeup on virtualization and some of the ins and outs of using this technology effectively. From the article: "Virtualization is a hot topic in the enterprise space these days. It's being touted as the solution to every problem from server proliferation to CPU underutilization to application isolation. While the technology does indeed have many benefits, it's not without drawbacks."

Mark Brunelli writes DBAs are talking about the merits of the open source PostgreSQL database management system (DBMS) as compared to Oracle - and their opinions truly run the gamut. DBAs responding to the interview said they liked the low cost and ease of use of the open source database, while others said that Oracle's rich feature cannot be ignored. Still others talked about how well the two systems play together. According to one DBA, a gateway product from Oracle would be a welcome offering."

Mark Brunelli writes DBAs are talking about the merits of the open source PostgreSQL database management system (DBMS) as compared to Oracle - and their opinions truly run the gamut. DBAs responding to the interview said they liked the low cost and ease of use of the open source database, while others said that Oracle's rich feature cannot be ignored. Still others talked about how well the two systems play together. According to one DBA, a gateway product from Oracle would be a welcome offering."

OSS_ilation writes "IT troubleshooting firm Splunk is using LinuxWorld Boston as a platform to formally launch Splunk Base, a global wiki that will offer IT pros a free-of-charge venue to exchange troubleshooting information, tools and fixes. Splunk is promising that the wiki is completely vendor neutral, and can be compared to Wikipedia, the online open encyclopedia that is regulated and updated by the community-at-large. Users don't even have to have a copy of Splunk Professional to use it. From the article: 'If you believe the research from firms like Framingham, Mass.-based IDC, then Splunk Base has arrived at a key moment. According to IDC, companies will spend more than $100 billion this year on managing the world's data centers. And with virtualization quickly becoming an IT buzzword in 2006, the complexity and costs could increase.'"

Jane Walker writes to tell us TechTarget has an interesting article on HP's new TestDrive program. For many small business owners this new site could allow for the benefits of testing many different platforms without having to make the investment up front. From the article: "The program, called TestDrive, is accessed online via the TestDrive Web site. It allows free-of-charge access to Red Hat Enterprise Linux (RHEL) and Novell SuSE Linux and other open source operating systems like Debian, FreeBSD and OpenVMS. After registering with the site, each user is allowed 1 GB of space in which to work and is granted access to HP hardware housed at the HP Linux Expertise Center in Marlboro, Mass. Access to the system includes the use of 64-bit processors like Integrity, Alpha, and PA-RISC; and SMP x86 and Opteron ProLiant servers."

Ant writes to tell us SearchSecurity.com has an article touting the latest "reality show" idea from the Georgia Tech College of Computing, Information Security Center, and Graphics, Visualization and Usability Center. The "Tiger Team" competition promises to be an "American Idol for security geeks." Students "prep, sweat and show their stuff while a panel of critics decides their fates. But unlike the popular 'reality' TV show, judges aren't determining who can best carry a tune. Instead they weigh students' ideas for making information security more user-friendly, with $50,000 -- enough cash to fund a project for 12 months -- hanging in the balance."

abb_road writes "Wall Street responded to yesterday's report of a 42% rise in profits by pushing Oracle's stock down. Despite a 77% increase in applications business, investors are worried that Oracle's core database business remains comparatively stagnant. Though Ellison claims that the DB business will grow in double digits over the next few years, it seems that more companies are switching to open source rather than paying Oracle $40,000 a processor."

Jane Walker writes "Slashdot's own Robin 'Roblimo' Miller compares OpenOffice 2.0 and Microsoft Office in a recent interview with TechTarget and, when asked to identify one of the main obstacles facing widespread adoption, calls for the OSS community to deliver personable, usable training for new OpenOffice and open source software users."

OSS_ilation writes "Red Hat was all about virtualization in a recent announcement for an 'integrated virtualization' initiative with XenSource and chipmakers AMD and Intel. The move was seen as a way for Red Hat to bring its commitment to virtualization technology into 'sharper focus [...] with the release of a product roadmap that includes virtualization technology built into its enterprise version of Linux.' Red Hat's CTO, Brian Stevens, said the move would remove the complex 'rocket science' aspect of virtualization, and drive the technology into more enterprises as a result."

Jane Walker writes "In an effort to dispel some of the FUD surrounding this impressive product, this article puts forth several of the most commonplace reasons for a user to dismiss PostgreSQL." From the article: "While PostgreSQL's adoption rate continues to accelerate, some folks wonder why that rate isn't even steeper given its impressive array of features. One can speculate that many of the reasons for not considering its adoption tend to be based on either outdated or misinformed sources."

Jane Walker writes "The completion of pre-compiled packages and maximizing machine performance are two powerful incentives for Windows admins to use Linux and compile an OSS package." TechTarget has an article taking a look at some of the "why" behind rolling your own. What preferences have other Slashdot users developed, and why?

Jane Walker writes "Watch out, IBM, Dell and HP. Linux server vendors that have carved out a space in high-performance computing markets are taking their tailor-made servers into new enterprise markets, providing a welcome change for businesses that want to save money and get customized products."

Jane Walker writes "Take a tour of the multi-layered charting tools of OpenOffice 2.0's Charting Wizard, as you learn to create, edit and master the art of making a polished chart." From the article: "The chart features in OpenOffice are like a mystery-lover's dream vacation: a huge, mysterious old house with lots of long halls, secret bookcases, dark closets and creaky doors that, when you peer behind them, reveal wonderful secrets."

Jane Walker writes "How can vendors offer free enterprise software and be financially strong enough to provide commercial support? It's all about hybrids, says expert Julie Hanna Farris. Find out how to determine if a commercial open source vendor has the chops to support products in the long term."

Mark Brunelli writes "As the battle for business application supremacy heats up, Oracle users are standing by Larry Ellison and Fusion while SAP customers say NetWeaver will lead the way to victory." From the article: "Zoellner, who says he has worked with both Oracle and SAP users throughout his career, believes that the Nucleus Research study cited by deHenry is right on in its conclusion that Oracle's average three-year total cost of ownership (TCO) is 48% lower than SAP's. The business analyst said that the TCO issue is particularly important to companies in developing areas."

Mark Brunelli writes "As the battle for business application supremacy heats up, Oracle users are standing by Larry Ellison and Fusion while SAP customers say NetWeaver will lead the way to victory." From the article: "Zoellner, who says he has worked with both Oracle and SAP users throughout his career, believes that the Nucleus Research study cited by deHenry is right on in its conclusion that Oracle's average three-year total cost of ownership (TCO) is 48% lower than SAP's. The business analyst said that the TCO issue is particularly important to companies in developing areas."

Jane Walker writes to tell us that in a recent interview with SearchOpenSource.com Jono Bacon takes a look at why some of the reasons people give for not switching to Linux might not stand up under closer scrutiny. From the article: "For example, they fault Linux OpenOffice desktops for not having all the features in Microsoft Windows Office, even though few actually use all of the Microsoft stuff. So, in essence, they're saying they want desktops cluttered with unnecessary features."

Jane Walker writes "The push for a virtual data center and utility computing continued this week as Novell announced that SuSE Linux would have support for Virtual Iron out of the box." Novell has also guaranteed that 'that all existing independent software vendor (ISV) certifications will not be affected.' From the article: "'The applications certification [component] is huge,' said Novell director of data center applications Justin Steinman. 'Customers want to know that their existing applications are not going to break when they deploy their technology [on a virtual server].'"

joestar writes "It's not a secret that Linux has been used at NASA for a long time, and it appears that they have been using it quite extensively on the desktop. From the article: 'At the JPL, it is common to see Red Hat Inc., SuSE or Mandriva Linux running on users' desktops alongside Windows. [...] that's still a lot of Linux on the desktop.' More surprisingly, they seem to be reluctant to use Linux on servers: 'Our personal view is that Linux, period, is only for the desktop. We don't run our main servers on Linux, because there are too many flaws in main Linux kernel.'"

OSS_ilation writes "In an interview over at SearchOpenSource.com, IP attorney Thomas Carey shoots down SCO's cases against IBM and Novell, but predicts that SCO will fight a losing battle to its last. IT directors shouldn't worry about SCO Group's latest sallies in its legal war on Linux vendors IBM Corp. and Novell Inc., Clarey says, and explains why SCO has no case, predicts the open source legal fields of battle for 2006 and discusses SCO's claims against Novell. Carey chairs the Business Practice Group of Bromberg & Sunstein LLP, an intellectual property law practice in Boston, Mass." Groklaw, as always, has additional details and commentary on this.

frankie writes "ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful" It's big enough that even mainstream media is covering the flaw.

Anonymous Anonmenon writes "Big Blue was at it again today after it promoted the two leading commercial Linux distributions to the highest level tier of its Strategic Alliance Program. From the article: '[The Strategic Alliance Program] is designed to allow independent software vendors (ISV) work through one point of contact within IBM as opposed to navigating through several relationships with representatives from different divisions. The move was billed by executives from all companies as a means to make it simpler for clients to acquire open standards-based Linux hardware, software, and services through integrated sales, distribution and services channels.' The announcement was also heavy on the Java side, with both Red Hat and Novell pledging a 'reinforced commitment' to the Java developer community and J2EE."

Last week you submitted questions for Dr. Herb Thompson, author of the latest Microsoft-sponsored Windows vs. Linux study. Here are his answers. Please feel free to ask follow-up questions. Dr. Thompson says he'll respond to as many as he can. He's registered a new Slashdot username, FFE4, specifically to participate in this discussion. All others claiming to be him are imposters. So read, post, ask, and enjoy. 1- A better way of putting it:
by einhverfr

It seems that your study attempted to simulate the growth of an internet startup firm on Windows or Linux. One thing I did not see in the study was a good description of assumptions you made. What assumptions were made in both the design of the requirements and the analysis of the data? What limitations can we place on the conclusions as a result of these assumptions?

Dr. Thompson

This is a really important question. I think there are two sections of the study: the assessment methodology and then the experiment we undertook to illustrate how to apply that methodology. I'll answer the assumption question for both parts:

Methodology - For the methodology, we wanted to provide a tool that organizations could use and apply their own assumptions. Maintaining a system is all about context; some environments favor Linux, others Windows. The question is, how do you know what's likely to be the most reliable (which includes manageable, secure and supportable) solution for your environment? We proposed a methodology a recipe - that looks at a solution in its entirety instead of just individual components. Policies like configuration control vary from organization to organization and to get something that's truly meaningful in your environment, the methodology needs to be carried out in your context. Enterprise customers can and should do this when they are about to trust their critical business processes to a platform. That said, the basic assumptions of the methodology are that patches are applied at 1 month intervals and that business needs evolve over time. How those business needs evolve depends on the scenario you're looking at (in our experiment we looked at ecommerce for example). The methodology doesn't cover steady state reliability, meaning the uptime of a system that is completely static. While this is important, our conversations with CIOs, CTOs, CSOs and IT folks lead us to believe that this was a smaller contributor to pain in a dynamic environment. In an appliance for example, though, steady state reliability is king, and I think an important limitation of this methodology is that we don't capture that well, and I think it's amazingly difficult quality to measure in a time-lapse way.

The purpose of the experiment was to illustrate how to apply the methodology and to begin to get some insights into some of the key model differences between two platforms. For the experiment we picked the ecommerce scenario, for no other reason than there has been a clear shift in how ecommerce sites have serviced their customers in recent years moving from static sites to personalized content. Some specific assumptions were:

* The transition from a basic purchasing site to a personalized portal based on order/browsing history takes place over a one year period.

* The period we looked at was July 1st, 2004 to June 30th, 2005 (the most recent full year at the time of the study).

* A configuration control policy exists that mandates OS version but not much else meaning administrators had fairly free rein to meet business requirements.

* All patches marked as critical or important supplied by the vendor are applied.

* We assume the system to be functioning if the original ecommerce application is running and meets some basic acceptance tests (same for both platforms see Appendix 1 of the report) and the new installed components are also running.

* To add new capabilities, we use leading 3rd party components as opposed to building custom code in-house.

* The business migrates operating system versions at the end of the one year period to the latest versions of the platform.

* The administrators that participated in the experiment reflect the average Linux (specifically SuSE) and Windows administrators in skill, capability and knowledge. While this was strived for, it's important to recognize the small sample size in drawing any conclusions from the data.

As far as limitations, the experiment looks at one specific case with a total of six administrators. I'd love to have done it with a hundred admins on each side on a wide range of business requirement scenarios and my hope is that others will do that and publish their results. Our experiment, however, shows that for this particular, clearly documented scenario, experienced Linux Admins had conflicts between meeting business needs and a recommended best practice like not introducing out-of-distribution components. If one is aware of potential conflicts and challenges upfront, I think you can put controls in place to make reasonable tradeoffs. In the linux case, a precise and specific configuration control policy may have prohibited the problematic upgrade of one of the components that the 3rd party solutions required. This would have likely reduced the number of failures but would have put some hefty constraints on 3rd party solutions. To understand the implications for your environment you really need to run through the methodology with the assumptions and restrictions of your organization and I hope that this study either prompts or provokes people to do that.

************************

2 - Meta-credibility?
by Tackhead

Where I come from (non-management, grunt-level techie), appearing in any of these analysts' journals *costs* an author more credibility than it gains him or her. For example, if $RAG says that $CORP has the best customer support, I immediately assume that $CORP has such horrid customer support that they had to pay someone to make up some research that proves otherwise.

To be sarcastic, I'd ask "who the heck actually takes these studies seriously?", but obviously *somebody* does. Who are these people, and why do these people take these industry analyst firms/journals/reports seriously? Are they right or wrong to do so? This isn't an attack (or endorsement :) of your research -- I'm talking about the credibility gap in industry research, and my observation that it's an industry-wide problem.

The meta-credibility question is this: Given the amount of shoddy pay-for-play research out there, does being published in an analyst journal tend to cost (a researcher, his consulting company, his financial backers) more credibility than it can gains him/her/them? If not, why not -- and more importantly, if so, is there any way to reverse the trend?

Dr. Thompson

This is a really interesting question because it cuts to the heart of what a real research study should provide to the reader. It should provide a baseline and I think research should always be questioned, scrutinized and debated because one can always find reasons for bias. Particularly, if a subject of the study (vendor for example) is behind its funding, whether directly (as in this study) or indirectly (meaning that they are big clients) I think it's critical that the study not provide just a baked cake for readers but the recipe as well. The recipe has to be inherently fair and simple, meaning that it has to map directly to a the quality or pain one is trying to measure without taking into account how the subjects try and provide that service or mitigate that pain. I think slanted opinion pieces, with no backup for those opinions, seriously hurts credibility, at least in my book. If you're presenting facts though and encouraging others to question them then I think that actually helps credibility, even if the search for those facts was paid for.

I agree though that one is tempted to dismiss research a priori though because of funding or some vendor tie. I think a good way to reverse the trend is to open the process up to public scrutiny; that's probably the main reason I came on Slashdot. To use this specific study as an example, some folks disagreed with several points in the experiment from counting patches, to reasons for upgrading key components, to the ecommerce scenario we used. For me, the study's key value is the methodology. Could different applications/scenarios have been chosen: absolutely!

The value I think that this study gives to the practitioner is arming them with a tool to help measure in their own environment. By applying the methodology, the results should take into account things like administrators skillsets, support policies, configuration control policies and the tradeoffs between customizability, maintainability, visibility, security and usability. It's only by looking at this stuff in context can one make a sound judgment; and a true research paper, especially one where funding is in question, needs to fully disclose the method and the funding source. In our case, the methodology has been vetted by industry analysts, IT organizations and several academics. That doesn't mean much, though, if you don't find the methodology meaningful for the questions you want answered. One reason I've come on Slashdot is to get the thoughts, opinions and assessments of the methodology itself from administrators in the trenches. I'm really pleased with the great questions and comments amidst the inevitable flames and I'm looking forward to this being posted so that others can weigh-in with their feedback and I can jump into the threads to get some discussion going.

If the research helps give real insight, and the methodology makes sense, I think there's real value no matter who paid the bill. At the end of the day, you need to decide whether or not you can extract any value from the information presented to you. In the case of this study, my hope is that it will leave you thinking hmmm.... maybe we should actually run through a process like this and check out how this works for ourselves. My more ambitious hope is that you'll implement it and tell me what challenges you faces on Windows, Linux, OSX, BSD, whatever platform you choose to compare. It may not even venture into the perennial Windows versus Linux battle; maybe you're a linux shop trying to decide between multiple distributions for example. Either way, if it's got people thinking about the topic and asking questions, well, that's all any researcher can really hope for.

************************

3 - Weak setup
by 0xABADC0DA

If I understand the study correctly, the windows side had to do nothing but set up a server to do a few different tasks over time and run windows update. The linux side had to have multiple incompatible versions of their database server running simultaneously on a single system and had to run unsupported versions of software to do it.

Why wasn't the windows side required to run multiple versions of IIS or SQL server simultaneously? In real life if you need to run multiple database versions you use virtualization or multiple systems, especially if one requires untested software. You don't run some hokie unstable branch on the same system as everything else. Why was a linux solution picked that required this level of work? My other related question is, did any of the unix administrators question why there were being asked to do such a thing? For example, did they come back and say they need a license for vmware? If they did not they do not seem like very competent administrators in my opinion.

Dr. Thompson

The Windows Admins and Linux admins were given the exact same set of business requirements which doesn't necessarily translate into the same tasks as they went about fulfilling them. The 3rd party components installed were chosen solely based on their market leadership position and any upgrades of OS were unknown at the time of selection. That said, on the Windows side, it turned out that no upgrades of IIS were needed (except for patches) and SQL Server was upgraded to SP4 as part of patch application. On the Linux side, at a high-level there were two main classes of upgrades: MySQL and GLIBC and they were both prompted by the installed components. After the experiment, the administrators were asked on both sides if this kind of evolution of systems met with their real-world experience. They said yes, with the caveat of if they were asked to install a component that required an upgrade of GLIBC that they would likely upgrade the operating system as long as their configuration control policy allowed it.

You make a great point about installing components on some sort of staging system (which is almost always done) as opposed to live running systems. That still means that the problems that the administrators had equal real IT pain. If something weird had to be done to get the system running but it does run and it's then put into production it's like a fuse that gets set on a bomb. A careful configuration control policy would almost certainly help and thats why I think it's so important to conduct this kind of experiment in your own environment with your own policies.

As far as selection of the Linux administrators go, they all had at least 5 years of enterprise administration experience, and two years of experience on SuSE specifically. With three people there's certainly likely to be a lot of variability and to get some conclusive results, I'd love to get a huge group of administrators across the spectrum in terms of experience. I'd also love to do it across multiple scenarios, beyond the ecommerce study. For this experiment, basically the bottom line is that we Illustrate one clearly documented scenario with six highly qualified admins that we selected based on experience. We cant ensure equal competency levels, but there was nothing in our screening that would lead us to believe there were gaps in knowledge on either side. When it comes down to it though, the really meaningful results are the ones you get when you perform the evaluation in your environment. Hopefully this study provides a starting point for asking the right questions when you do that.

************************

4- Who determined the metrics
by Infonaut

Did Microsoft come to you with a specific set of metrics, or did you work with them to develop the metrics, or did you determine them completely on your own?

Kudos to you for braving the inevitable flames to answer people's questions here on Slashdot.

Dr. Thompson

Great question! The metrics and the methodology were developed completely on our own and independent of Microsoft. They were created with the help and feedback of enterprise CIOs as well as industry analysts. I think that this relates to a couple of other questions on Slashdot with the gist of if Microsoft is funding the study aren't you incentivized for them to come out ahead. Besides the standard we would never do that and that would put our credibility at risk which is our primary commodity which are both very true, let me explain a little more about how our research engagements work.

Company X (in this case Microsoft) comes to us and says can you help us measure quality Y (in this case Reliability) to get some insight into how product Z stacks up. We say, sure, BUT we have complete creation and control of the methodology, it will be reviewed and vetted by the community (end users and independent analysts) and must strictly follow scientific principles. The response will either be: great, we want to know whats really going on or um, heres some things to focus on and I think you should set it up this way. In the first case we proceed, in the second case we inform that company that we don't do that kind of research. We are also not in the opinion business, so we present a methodology to follow and illustrate how that methodology is applied with the hope that people will take the methodology and apply it in their own environment.

All of our studies are written as if they will be released publicly BUT it is up to the sponsor if the study is publicly released. The vendor knows that they're taking a risk. They pay for the research either way but only have control over whether it is published, not over content. So if their intent is to use it as an outward facing piece, they may end up with something they don't like. Either way, I think it's of high value to them. If there are aspects of the results that favor the sponsor's product, in my experience, it goes to the marketing department and gets released publicly; if it favors the competitors product it goes off to the engineering folks as a tool to understand their product, their competitor's product, and the problem more clearly. Either way, we maintain complete editorial control over the study and there is no financial incentive for us if it becomes a public study or is used as an internal market analysis piece. The methodology has to be as objective as possible to be of any real value in either case.

************************

5 - ATMs vs. Voting Machines
by digitaldc

How is it that Diebold can make ATM machines that will account for every last penny in a banking system, but they can't make secure electronic voting machines?

Also, does the flame-resistant suit come with its own matching tinfoil hat? (don't answer that one)

Dr. Thompson

This is a question that has passed through my mind more than once. The voting world is very interesting. I don't have experience with the inner workings of Diebolds ATM machines but I can say that the versions of their tabulation software that Ive seen have some major security challenges (see this Washington post documentary for some of the gory details). I'd say I'm concerned about the e-voting systems Ive seen but that would be a serious understatement.

I question whether the economic incentive is there for them to make their voting systems more secure. Take an ATM for example. Imagine the ATM has a flaw and if you do something to it, you can make it give you more money than is actually deducted from your account. Anything involving money gets audited and sometimes audited multiple times and chances are good that the bank is going to figure out that they're loosing money. On the flip side, if there was a flaw in the ATM in the banks favor, someone balancing their checkbook is going to notice a discrepancy. The point is that there's always traceability and there's always someone keeping score. If you think about voting tabulators though we've got this mysterious box that vote data gets fed into and then, in many states, only a fraction of these votes are audited. That means we don't really know what the bank balance is other than what the machine tells us it is. If the system is highly vulnerable and its vulnerability is known by the manufacturer *but* it's going to be expensive to fix it and shore up defenses, there seems to be no huge incentive to fix the problems. I think the only way to get some decent software that counts votes that people can have confidence in is to allow security experts to actually test the systems, highlight potential vulnerabilities, and put some proper checks and balances in place. That would give the general public some visibility into a critical infrastructure system that we usually aren't in the habit of questioning and will hold voting manufacturers directly accountable to voters.

As for the tin foil hat to go with the flame resistant suit; it hasn't been shipped to me yet - apparently the manufacturing company is still filling backorders from SCO :).

************************

6 - Why are the requirements different?
by altoz

Looking at your research report's appendices, it seems that the requirements for Windows Administrators were somewhat different than the Linux Administrators. For instance, you ask for 4-5 years sys admin experience minimum for Windows, whereas it's 3-4 years sys admin experience minimum for Linux.

Why wasn't it equal for both? And doesn't this sort of slight Windows favoring undermine your credibility?

Dr. Thompson

Short answer: Typo. Long answer: We originally were looking for 4 years of general administration experience for both Linux and Windows which is what is reflected in the desired responses to the General Background questionnaire for Linux. We then raised it to 5 years for both Linux and Windows which is reflected in the General Background of the Windows questionnaire. The difference in the two was just a failure to update the response criteria on that shared section of one of the questionnaires. On page 5 though we've got the actual administrator experience laid out:

Each SuSE Linux administrator had at least 5 years experience administering Linux in an enterprise setting. We also required 2 years minimum experience administering SuSE Linux distributions and at least 1 year administering SuSE Linux Enterprise Server 8 and half a year administering SLES 9 (released in late 2004). Windows administrators all had at least 5 years experience administering Windows servers in an enterprise environment. These administrators also had at least 2 years experience administering Windows Server 2000 and at least 1 year administration experience with Windows Server 2003.

************************

7 - Scalability of Results?
by hahiss

You tested six people on two different systems; how is that supposed to yield any substantial insight into the underlying OSes themselves?

[At best, your study seems to show that the GNU/Linux distribution you selected was not particularly good at this task. But why does that show that the ``monolithic" style of Windows is better per se than the ``modular" style of GNU/Linux distributions?]

Dr. Thompson

First, let's look at what we did. We followed a methodology for evaluating reliability with three Windows admins and three Linux admins. This is small sample set and it looked at one scenario: ecommerce. Is this enough to make sweeping claims about the reliability of Linux/Windows? No way. I do however think the results raise some interesting questions about the modularity vs. integration tradeoffs that come with operating systems. I don't think that either the Windows or Linux models are better in a general sense but they *are* different; the question is which is likely to cause less pain and provide more value for your particular business need in your specific environment. Hopefully these are the questions that people will ask after reading this study, and with any luck it will prompt others to carry out their own analysis within their own IT environment, building on what we started here. I think the methodology in this paper has provided a good starting point to help people answer those questions in context.

************************

8 - Convenience vs. security
by Sheetrock

Lately, I've felt that Microsoft is emphasizing greater trust in their control over your system as a means of increasing your security. This is suggested by the difficulty of obtaining individual or bulk security patches from their website as opposed to simply loading Internet Explorer and using their Windows Update service, the encouragement in Service Pack 2 of allowing Automatic Update to run in the background, and the introduction of Genuine Advantage requiring the user to authenticate his system before obtaining critical updates such as DirectX.

In addition, Digital Rights Management or other copy protection schemes are becoming increasingly demanding and insidious, whether by uniquely identifying and reporting on user activity, intentionally restricting functionality, and even introducing new security issues (the most recent flap involves copy protection software on Sony CDs that not only hides content from the user but permits viruses to take advantage of this feature.)

I would like to know how you feel about the shift of control over the personal computer from the person to the software manufacturers -- is it right, and do we gain more than we're losing in privacy and security?

Dr. Thompson

This is an interesting problem because manufacturers have to deal with a wide range of users. If there was real visibility and education for users on the security implications of doing A, B or C then we'd be ok. It's scary though when that line gets crossed. Sony's DRM rootkit is a good example. But if you think about it, we are essentially passively accepting things like this all the time. Every time we install a new piece of software,especially something that reads untrusted data like a browser plugin,we tacitly accept that this software is likely to contain security flaws and can be an entryway into your system; NOW are you sure you want to install it? The visceral immediate reaction is no but then you balance tradeoffs of the features you get versus potential risks. Increasingly, were not even given that choice, and components that are intended to help us (or help the vendor) are installed with out our knowledge. This also brings up the question of visibility; how do we know what security state were really in with a system? Again, there are tradeoffs, some of this installed software may actually increase usability or maintainability but it's abstracting away what's happening on the metal. So far, it seems as though the market has tended towards the usability, maintainability, integration that favors bundling on both the Linux and Windows sides. It's kind of a disturbing trend though.

As another example, think about how much trustaverage programmers put into their compiler these days. Whenever I teach classes on computer security and then go off into x86 op codes or even assembly, it seems to be a totally foreign concept and skillset. We've created a culture of building applications rapidly in super high-level languages which does get the job done, but at the same time seems to have sacrificed knowledge of (or even the desire to know) what's happening on the metal. This places a heavy burden on platform developers, compiler writers and even IDE manufacturers because we are shifting the cloud of security responsibility over to them in big way. Under the right conditions it can be good because the average programmer knows little about security, but we need to make sure that the components we depend on and trust are written with security in mind, analyzed by folks that have a clue, and are tested and verified with security in mind. This means asking vendors the tough questions about their development processes and making sure they've got pretty good answers. Here's what I think is a good start. If that fails, theres always BSD. :).

************************

9 - Apache versus IIS
by 00_NOP

Simple one: of course I accept that Windows and Linux are a priori equally vulnerable - C programmers make mistakes. The question is which model is most likely to deliver a fix fastest. Given that the one area where Linux is probably in the lead over Microsoft's software is in the realm of the webserver - why are my server logs filled with artifacts of hacked IIS boxes but apache seems to remain pretty safe?

Dr. Thompson

You bring up a couple of interesting points. The first is patch delivery. It's true that on Linux if there's a high profile vulnerability you're likely to be able to find a patch out on the net from somebody in a few hours. Sometimes the fix is simple, a one-liner, and other times it may be more complex. Either way, there could be unintended side effects of the patch which is why there's usually a significant lag between these first responder patches and a blessed patch released from the distribution vendor. Most enterprises I know wait for the distribution patch as a matter of policy, and even then, they go through a fairly rigorous testing and compatibility verification process before the patch gets deployed widely. In the Windows world, one doesn't get the alpha or beta patches, just the blessed finished product. So the question is which solution is likely to provide a patch that fixes the problem and doesn't create any more problems the fastest. That's a tough one to answer. I think theres something to be learned by looking historically and that in general theres a big discrepancy between perception and reality. Here's a (pdf) link to a study we did earlier this year based on 2004 data that I think provides a good starting point for answering that question.

As far as why you've got so many attempts on your Windows/IIS box, I think there are two distinct issues: vulnerability and threat profile. In the past, I would argue that the path of least resistance was through Windows because desktop systems were often left unprotected by the home computer user. Bang-for-the-packet favored creating tools that exploited these problems and some of the attacks actually worked on poorly configured servers as well. Then there's the targeted vs. broad attacks. Theres no question that the high-profile worms and viruses in the last several years have favored Windows as a target. The issue gets even more complicated when you look at targeted attacks. These targeted attacks are much harder to measure, even anecdotally, because either an organization gets compromised and doesn't disclose it (unless they're compelled to by law) or the attack goes undetected because it doesn't leave any of the standard footprints, in which case no pain is felt immediately. That may help to explain it but the truth is that there's a lot of conflicting data out there. I remember reading this on Slashdot last year which claims Apache was more attacked than IIS but I've also read reports to the contrary. The reality is that any target of value is going to get attacked frequently. If there is an indiscriminant mass attack like a worm or virus, that's pretty bad and can be really painful. What's scarier though is the attack that just targets you.

************************

10 - Do you agree with Windows Local Workflow
by MosesJones

Microsoft and Linux distros have had a policy for some time of including more and more functionality in the base operating system, the latest example is the inclusion of "Local Workflow" in Windows Vista.

As a security expert do you think that bundling more and more increases or decreases the risks, and should both Windows and Linux distros be doing more to create reduced platforms that just act as good operating systems?

Dr. Thompson

Three years ago I bought my mother a combination TV, VCR and DVD player. It was great; she didn't have to worry about cables or the notorious multi-remote control problem. She didn't even really need the VCR because she hardly ever watches Video tapes, but I thought, why not. It worked great for two years, mom watched her DVDs, and on a blue moon a video tape from a family vacation would find its way into the VCR. All was well at the Thompson household. This past year, tragedy struck. The VCR devoured a videotape, completely entangling it in the machine. This not only knocked out the VCR but the television too (it thought it was constantly at the end of a tape and needing to rewind it). So here's the issue: mom probably only needed a TV and a separate DVD player. I probably could have gotten better quality components individually too, and with some ebay-savvy shopping, the group may have been cheaper. For my mom though, the integration and ease of operation of the three were key assets. The flipside of that is that the whole is only as strong as the weakest of its constituent parts, and by the manufacturer throwing some questionable VCR components into the mix, it caused the whole thing to fail. The meta-question: did I make the right choice, going for the kitchen-sink approach versus individual components? I think for mom I made the right call. For me, my willingness to program a universal remote and my love of tweaking the system would have lead me down a different route.

In operating systems, it depends what you're looking for and what the risk vs. reward equation is for you, and I would argue that the answer varies from user to user. The ideal would be something that gave you integration, ease of use, visibility, manageability and the ability to truly customize and minimize functionality and maintenance requirements. No operating system I've ever seen strikes that balance optimally and for every user. As far as bundling functionality with the distribution, I think it's a question of market demand. There's no question though that from a simple mathematical perspective, the less code processing untrusted data the better. That means if I need a system to perform one specific function, and that function was constant over time, then from a security perspective I only want the stuff on that box that does what I need to serve that goal. For example, I don't ever want X Windows on my linux file server. I just want the minimal code base there because as long as the code itself is reliable, I'll only have to mess with the box to apply patches (and much fewer patches if I strip the system down). That's true of my home fileserver. If I have an army of systems to manage though, my decision is going to come down to which platform is reliable and extends me the most tools to manage it efficiently and effectively. That's a question that can only be answered in context. I can tell you what I run at home though. File server: Red Hat EL 4 (no X windows). Laptop: Windows XP SP2. Desktop: Windows Server 2003 with virtual machines of everything under the sun from Win 9x to SuSE, Red Hat and Debian.

mstansberry writes "In the final article in a series on the price of power in the data center, IT pros weigh the pros and cons of direct current-powered servers. A limited number of companies make servers with the power supplies removed with DC power distributed to multiple machines from a single unit. It saves power by skipping an extra conversion from alternating current (AC). Telcos have been using this method for years, but some data center pros are leery of taking on the new systems. It's not something people are familiar with and if they break down, you have to hire a specialized engineer to come fix them. But if they're saving even half of what they're reported to save on the electric bill, companies could afford to hire the engineers." We've reported on previous articles in the series.

OSS_ilation writes "Google uses it, and Microsoft is pursuing it, so there's a lot of hype and hubbub surrounding AJAX (Asynchronous JavaScript and XML). AJAX brings together some hot properties, JavaScript, HTML/DHTML and HTML, according to Julie Hanna Farris, founder of Scalix, a Linux-based, e-mail systems vendor. Scalix is using AJAX in Scalix Web Access (SWA), a Web-delivered, e-mail application. AJAX enables advanced features like drag 'n drop, dropdown menus and faster performance capabilities, which are now making their way into Web applications, she said. These kinds of capabilities represent a significant leap in the advancement of Web apps."

Slashback tonight brings a few corrections, clarifications and updates to previous Slashdot stories, including several updates to the Sony DRM rootkit fiasco, another school system's take on intelligent design, some of the first pictures of the much talked about avian flu virus, a sentencing that gives us the first torrent user to get jail time, Bernard Golden weighs in on the continuing Massachussetts OpenDocument debate, and one users commentary on recent announcements to start pay-per-download services for TV shows. Read on for the details.

Sony still not "getting it". c writes "Mark Russinovich continues his investigation of Sony's DRM as he tries out the official uninstaller. His verdict? 'I've analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall.'" Relatedly Cronos1388 writes "According to the Inquirer an Italian group is also suing Sony over the rootkit." Also, an unexpected side effect of this technology is that script kiddies have been able to leverage Sony's tool to hide unauthorized cheat programs from the watchful eye of MMO creators.

Intelligent design supporters ousted. PMuse writes "The Register and others are reporting that all eight of the members of the Dover, PA school board that had required Intelligent Design to be taught alongside Evolution have been canned by voters in yesterday's election."

What does avian flu look like? DevL writes "Swedish photographer Lennart Nilsson has managed to capture images of a H5N1 (bird flu) virus entering and taking control of a cell. While the text is in Swedish, the images speak for themselves."

Torrent user goes up the river. stinerman writes to tell us that the Hong Kong man who was recently arrested for making several movies available via BitTorrent has had his sentence handed down. Chan aka "Big Crook" uploaded Daredevil, Red Planet, and Miss Congeniality which landed him 3 months in jail.

Golden weighs in on OpenDocument debate. OSS_ilation writes "With so much FUD and anti-FUD flying in the face of Massachusetts' decision to go with OpenDocument, it's no surprise that open source advocate Bernard Golden weighs in with his take on current events."

User says new downloadable television just plain "sucks." Thomas Hawk writes "In the past few weeks the three major studios have all announced deals to begin offering downloadable television for consumers -- Apple/ABC, DirecTV/NBC, and Comcast/CBS. The problem with each of these respective offerings is that they largely suck. Apple sells expensive low res limited television from ABC. NBC's new service will only work on DirecTV DVRs (uh hello McFly, why pay money for this service when I can just record it for free). And CBS' downloadable programming could contain commercials."

mstansberry writes "At the Open Source Business Conference last week, Microsoft's Shared Source mouthpiece Jason Matusow argued the point that open source isn't really open. He said you can't just go changing code on supported Linux offerings without paying extra to companies like Red Hat or Novell. So as Linux is commercialized, it becomes less open. While Matusow made good points during his presentation, many in the open source community are skeptical of the idea at best."

mstansberry writes "In part three of a series on the price of power in the data center, experts debate the merits of raised flooring. It's been around for years, but the original raised floors weren't designed to handle the air flow people are trying to get out them today. Some say it isn't practical to expect air to make several ninety-degree turns and actually get to where it's supposed to go. Is cooling with raised floors the most efficient option?"

Mark Brunelli writes "A public hearing concerning Massachusetts' plan to dump Microsoft for OpenDocument featured a fair share of controversy as the state's CIO tried to fight off naysayers. Linda Hamel, the general counsel for the Massachusetts Information Technology Department (ITD), suggested that groups that oppose the OpenDocument file format standard might be influenced by Microsoft." We reported on the bounce back against the OpenDocument move this past weekend.

Mark Brunelli writes "A public hearing concerning Massachusetts' plan to dump Microsoft for OpenDocument featured a fair share of controversy as the state's CIO tried to fight off naysayers. Linda Hamel, the general counsel for the Massachusetts Information Technology Department (ITD), suggested that groups that oppose the OpenDocument file format standard might be influenced by Microsoft." We reported on the bounce back against the OpenDocument move this past weekend.

OSS_ilation writes "Analysts and users agree -- if the layoff rumors at Novell prove true sometime soon, SuSE Linux has nothing to fear. Over at SearchOpenSource.com the word is that the popular SuSE Linux operating system has both the community support and technical chops to weather any personnel-related storms that may be lingering on the horizon. However, the point is also made that should Novell go south, there are those who believe SuSE could prove to be an appealing acquisition target."