Linux Distributions Respond to Forrester
dave writes "GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed."
WTF? Why does anyone buy shit from these people?
The executive management of the agency that I work for pays Meta $500/hr to evaluate project plans... they always rubber stamp whatever answer the execs want.
Any box in the wrong hands can become unbelievably secure, regardless of the OS.
What would be a very interesting read would be to have sys admins lock down the box (perhaps those who do consulting for corporations) and then test how well they're set up.
Granted, it's up to the admin at that point so have many admins on different boxes.
No one buys reports from these companies to actually learn anything. The primary purpose these companies serve is to give companies objective sounding quotes to pepper their marketing material with and to convince risk averse managers that they are safely following the largest herd.
-_-
I think that the point that he was trying to make is that Microsoft *has* given Forrester money for a report in the recent past.
> Yes, let's instead listen to the unbiased people at Debian, Mandrake, Red Hat, and SUSE. Surely their opinions on this issue are less biased than those of the research company.
Damn straight I will. Why? Because one group represents the best interests of a bunch of fat asses who got rich off the rest of us, and the other not only represents the best interests of my community, it IS COMPOSED OF MY COMMUNITY.
If you can't tell the difference, then you have my pity, and I give you some free (as in air) advice: Go to Microsoft's Channel 9 website. You'll be much happier there. Honestly.
All you'll find here is a bunch of strange people that have a crazy idea that a thing like freedom is more important than quick $$, or that believe it is in their own best interests to work together than to try to $crew everyone else over.
BTW, next time you see Billy, be sure to tell him to keep wasting his money propping up the sock puppets, but be sure to send enough lubrication to the sock puppets. It must hurt like hell to be a sock puppet for Billy.
From tests conducted at an observatory overlooking the skies of Los Angeles, researchers have concluded from the gathered data that the sky is indeed red.
Buried in all the hoopla, they never tell you that all the smoggy red photos were taken at around the time sunsets happen.
Statistics and numbers in general can be thrown any which way to serve the purpose of the writer. It's an unfortunate side-effect of being biased by nature. Even if someone were to WANT to be impartial, they'll often offer a slant merely by presenting data a certain way.
It's difficult to find people to trust when money is on the line somewhere. With Microsoft's track record and its acknowledged need for "Trustworthy Computing" (a marketing term), it's difficult to take their word. Unfortunately, with that money, they have enough marketing power to buy research, and flood biz execs with enough propaganda...and when they constantly hear that kind of information from what they'd consider mainstream sources, they start to believe it as fact.
Now that's dangerous.
Depends if you can pay an "IT research firm" to put their name on your marketing material or not.
BTW, here's the report... if you have 900 USD to get it:
The Forrester Report
There are three types of lies: lies, damn lies, and statistics.
I see what you're saying, but the way package management is going, pretty soon Linux setups will just download security updates on their own, meaning that finding a binary to exploit will get really difficult. In the Windows world, if you find a buffer overrun, you can often assume that 95% of the Windows machines out there will also have the same exploit. In Linux, this wouldn't be the case even with many more users, as package management really takes care of things automatically.
Therefore, I believe that by quantifying the vulnerabilities and response time, Forrester is on the right track; they just need to take into consideration this response, and find a better method of quantifying the data.
I agree.
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
The popularity issue can be countered with the Apache vs. IIS deal where Apache's stability and security (and reaction to vulnerability) is much better. Just because something is popular doesn't mean it's not as safe merely because it's a bigger target.
The Open Source model definitely is an advantage as far as security goes. Having the code around can speed up bug detection and consequently, speed up fixes. There's also the fact that a programmer's name is at stake -- if you take pride in your work, you risk your reputation on it. On closed source stuff, Joe Programmer doesn't necessarily have the same reputation to lose.
The idea of "do one thing well" is also an advantage over "more features" because simplicity definitely reduces bugs. When things are cobbled together and interdepend on each other (IE/Outlook/ActiveX/OS), a security issue in one part can completely hose the others.
If someone were to attach a "your_paper.sh" and if someone did fire it up, it will definitely do damage...and anything that user has rights to becomes fair game. However, it'll keep enough of the system alive. If the machine is multi-user, the other users' data should not be affected.
For such instances, a clue-by-four or LART had always been the only solution I could think of. Until Peter Norton writes an Anti-Stupid, there's little hope there. (As one who has borked his machine...though not by worm/viruses, I could've used an Anti-Stupid for myself. The trick is to learn from those painful mistakes.)
I'm staying with Linux and my money goes with Linux. After two years of running Linux I've not been hacked once, I've not gotten ONE SINGLE VIRUS, I've not had to look at one single pop-up ad that I didn't want to look at, I've not had to look at one single BSOD, I've not had to reboot one single time unless I chose to.
I don't have to spend all my time in a panic worried about patches and viruses and other such nonsense. Neither do my friends and family, I converted them to Linux too. Now I don't have to worry about them either.
What does Windows offer me that I can't do with Linux? Nothing. Why should I use Windows, which is constant trouble and extremely high maintenance and is a constant cash drain, versus the ONE TIME PURCHASE (if I choose to purchase v. free download) of a Linux distro, in my case Suse, that is mine, with no strings attached and will cost me no further money, ever?
Once I own the $89 Suse distro I never have to spend another penny on it or any other software, ever. It works. It's secure. Anyone that says it isn't is a stupid SOB or a liar or both.
It's fair given administrators who only patch based on official distribution releases. It seems to not care that they are making Linux companies responsible for a lot of 3rd party software such as Apache. It stands to reason that their average patch release would be slower if they're maintaining thousands of applications. It's more important that they release OS updates and core software updates quickly. Their customers have to take some responsibility for updating 3rd party software even if it does come on the same CD as the distro.
Perhaps of more concern to administrators should be the nondisclosed vulnerabilities found by researchers such as eEye that are not patched. I can't find the link now, but eEye alone has dozens of vulnerabilities they've let MS know about, but which haven't been patched for sometimes hundreds of days. eEye is just being courteous by not disclosing the bugs until MS fixes them. By using the disclosure time as a 'start time', Forrester is ignoring the lead time developers get. It's my experience following the Bugtraq and Full Disclosure mailing lists as well as many OSS projects that most major OSS developers respond more quickly during their lead time before disclosure.
Forrester is completely ignoring vulnerabilities that are not public knowledge, which is misrepresenting the problem.
The global economy is a great thing until you feel it locally.
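Added example, not written by any commenter in this thread: a small Python script over constructed records (hypothetical vulnerability names and dates) showing how the two objections raised above, using public disclosure rather than vendor notification as the start time and treating every bug as equal, change a "days of risk" average.

```python
"""Days-of-risk metric with two different start points and optional
severity weighting.  All vulnerability records are constructed for
illustration; none refers to a real bug."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Vuln:
    name: str        # hypothetical label
    severity: int    # 1 = low ... 4 = critical
    notified: date   # vendor privately informed (e.g. by a researcher)
    disclosed: date  # first public disclosure
    fixed: date      # patch released


# Constructed sample: the critical bugs were reported privately months
# before disclosure and patched within days of going public.
VULNS = [
    Vuln("web-server-overflow", 4, date(2004, 1, 5), date(2004, 3, 1), date(2004, 3, 3)),
    Vuln("mail-dos", 2, date(2004, 2, 10), date(2004, 2, 20), date(2004, 3, 10)),
    Vuln("window-manager-crash", 1, date(2004, 3, 1), date(2004, 3, 1), date(2004, 3, 30)),
    Vuln("kernel-local-root", 4, date(2004, 1, 20), date(2004, 4, 1), date(2004, 4, 2)),
]


def days_of_risk(v: Vuln, start: str = "disclosed") -> int:
    """Days from the chosen start date ('disclosed' or 'notified') to the fix."""
    return (v.fixed - getattr(v, start)).days


def mean_days(vulns, start: str = "disclosed") -> float:
    """Unweighted average: every bug counts the same, as the report does."""
    return sum(days_of_risk(v, start) for v in vulns) / len(vulns)


def severity_weighted_days(vulns, start: str = "disclosed") -> float:
    """Average in which a critical bug counts four times as much as a low one."""
    weight = sum(v.severity for v in vulns)
    return sum(days_of_risk(v, start) * v.severity for v in vulns) / weight


def at_least(vulns, min_severity: int):
    """Restrict the sample to bugs of a given severity or worse."""
    return [v for v in vulns if v.severity >= min_severity]


if __name__ == "__main__":
    for start in ("disclosed", "notified"):
        print(f"{start:>9}: all={mean_days(VULNS, start):5.2f} "
              f"weighted={severity_weighted_days(VULNS, start):5.2f} "
              f"critical only={mean_days(at_least(VULNS, 4), start):5.2f}")
```

Measured from disclosure the critical bugs look fixed in 1.5 days on average; measured from notification the same bugs carried 65.5 days of risk.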
I wonder how much of this is pandering to their audience. Enterprise users are slow, stupid, and don't adapt to change very well. They have this belief that open source software == unsupported software, and no matter how much evidence to the contrary, they will take this belief to their graves. Amazing how faith works. The report by Forrester is going to say whatever they think their audience wants to hear. And if they get a kickback from Microsoft, all the better.
This signature has Super Cow Powers
I don't know whether to mod you funny (testicle comment) or insightful (statistics comment). We need a "Funny but True" option!
What changed under Obama? Nothing Good
This is just one of the great things about Linux (or any open source project):
...as Linux is releasing the seventeenth update since the article....
Say an article about security is published in a magazine. The article takes a really good critical look at Linux vs. Windows and genuinely points out a few areas of improvement. Well, that just prompts the open source community to rev up their engines and (should they agree with the evaluation) they'll just go out and fix it! In fact, there's a pretty good chance that the fix is available in a development version in time to send a letter to the editor for the next month's issue.
Now compare that to Windows. Microsoft would spend two, maybe three times that long debating with the media about whether or not it's a problem or a 'feature', and then whether or not it will be fixed immediately or we have to wait until 2031 for Looooooonghorn to be released. Then they'll just sit on it for a while to see if people really care about it being fixed, and how much. They might also, at this point, have their lawyers spend three weeks writing the licensing agreement for the patch, should it be created. Then they put the whole thing on hold and wait until somebody exploits the problem. Then, only if everything else has gone completely in their favor and the problem has been exploited and the existence of the problem has reached at least two major media outlets, they might work on a patch and distribute it....
Then Microsoft will brag about how quickly they've updated their software in response to the problem...
Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
I didn't read the report, as I am sure most of you haven't, simply because it is $899 to tell me something that I already know otherwise.
.. so even if that was exploited, a cleanup on a *nix machine would be significantly faster than perhaps a Windows box that does not chroot its respective DNS service.
Anyways, my question is about the severity of the vulnerabilities. When you get right down to it, Microsoft generally only offers one web server, one mail server, one database server, etc..etc..etc.. A standard distribution OTOH includes a huge array of software. For example, I can choose sendmail, postfix, qmail, exim and others for my mail server; apache, aolserver, boa, dhttpd, zope, etc for my web server; php, ruby, python, perl, cgi, etc for my scripting needs; mysql, postgresql, berkeley db, firebird, etc for a database; gnome, kde, xfce, etc for a window manager... you get the point.
In addition to the multitude of different configurations that I could have for a particular system, I can also, if desired, cut out everything that is not essential to maintain as barebones of a system as possible (heck this even includes lots of kernel modules/features).. I can run everything through a localized firewall, block ports, limit IP ranges for various services, chroot/jail certain services, etc..etc..etc..
So I guess my question is:
1. Does this report simply gather up all published security issues and compare? Or do they look at "best practices" on both platforms and only compare packages that, for example, would be installed on a web server, mail server, database server, standard desktop, etc?
2. What is the true damage that could be done by successfully exploiting these issues? I.e., I'm sure most BIND installations are in a chroot/jail.
Sure, raw data might indicate that a Red Hat distro has the same number of exploits as a Windows system, but I am much more interested in the applicability of those exploits to my systems and ultimately the increased chance of exploit.
Never believe anyone who refers to the use of shared public domain code as "theft".
From the rest of that article Enderle obviously has an axe to grind. It is quite possible he was threatened by a minority in the Linux community that can't seem to grow up and has obviously decided to hold a grudge against Linux as a whole.
His argument for taking SCO's side boils down to "I'm pissed at some Linux fanboys!" That's fine, but I hope he doesn't expect anyone to ever take him seriously as an analyst again (if they ever did). Almost by definition, analysts and critics must have a thick skin because there's always someone who is going to insult them. Once they lose their objectivity they are effectively washed up.
He further insults the integrity of Groklaw without actually pointing to any flaws in the facts that Groklaw presents. He ignores all the evidence mounting up against SCO and the fact that SCO has been back pedaling so fast they're tripping over themselves to get out of the way of the coming storm.
Sure information wants to be free, but how much are you willing to pay for the packaging?
While I agree with your fanboy critique, your criticism that any attempt to denounce a study in favor of Microsoft is always a knee-jerk reaction simply isn't relevant in this particular instance.
I don't know if you took the time to read the response from the Linux vendors to the Forrester report, but it is clear that if Forrester conducted the analysis as described then they made a HUGE statistical error. The question naturally must be asked: "how could a supposedly well funded source miss such an obvious gaffe?" It takes time and money to do research; surely Forrester has one above average statistician on staff.
To have performed such a study and in the end wasted their money would seem incredulous. This is akin to being asked to write a word processor and coming up with a spreadsheet program. A natural supposition then is to question the motives of the researchers; however, this could easily be a case of "never put down to malice what can easily be attributed to incompetence."
Here is the quote you're referring to -->
For me the course of events looked like the community had said once a crime had been committed that "there is no evidence", then when evidence was found they changed their tune to say "what was stolen didn't belong to SCO in the first place". If they had started with the second position and behaved reasonably I might have believed them, since they didn't, I didn't.
Not only is this guy saying that the shared public domain code is theft, but he put quote marks around it and makes it sound like a Linux supporter actually said "what was stolen didn't belong to SCO in the first place". Apparently, he's paraphrasing what a Linux supporter said and now he's putting quotes around it as if it was said verbatim. Am I right? I'm not a native English speaker, so if someone else has a better explanation for his use of quotes -- please let me know.