Linux Distributions Respond to Forrester
dave writes "GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed."
WTF? Why does anyone buy shit from these people.
The executive management of the agency that I work for pays Meta $500/hr to evaluate project plans... they always rubber stamp whatever answer the execs want.
I'm sorry, but I simply can't believe that a research company, a company DEVOTED TO RESEARCH, would come out with biased opinions influenced by money.
And who paid for the Forrester study?? Not Red Hat, they haven't got the cash. Probably another Microsoft funded event.
The most dramatic thing from my point of view is that SUSE, Red Hat, Mandrake and community based Debian all got together to formulate a common reply. This is the BEST news we could ever hope for - a common and unified front - no forking when it comes to security.
(site loads slowly. here we go in case of /.'ing)
GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed.
The security response teams of GNU/Linux distributors Debian, Mandrakesoft, Red Hat and SUSE have assisted Forrester in gathering and correcting data about vulnerabilities in their products. The gathered data was used at Forrester for a report that became titled "Is Linux more secure than Windows?". While the Linux vulnerability data that is the basis for the report is considered to be sufficiently accurate and useful, Debian, Mandrakesoft, Red Hat and SUSE, from now on referred to as "We", are concerned about the correctness of the conclusions made in the report.
We believe that it is in the interest of our usership and the OpenSource community to respond to the Forrester report in the form of a common statement:
We were approached by Forrester in February 2004 to help them refine their raw data. Forrester collected data about the vulnerabilities that affected Linux during a one year period and looked at how many days it took us to provide fixes to our users. Significant efforts have been put in not only making sure that the underlying dataset for the Linux vulnerabilities was correct, but also to articulate the special technical and organisational care taken in the response processes in the professional Open Source security field. This expertise is greatly appreciated by our usership since it adds a high value to our products, but we see that most of this value has been ignored in the methods used for the analysis of the vulnerability data, leading to erroneous conclusions.
Our Security Response Teams and security specialized organisations of respectable reputation (such as the CERT/DHS, BSI, NIST, NISCC) exchange information about vulnerabilities and cooperate on the measures and procedures to react to them. Each vulnerability gets individually investigated and evaluated; the severity of the vulnerability is then determined by each of the individual teams based on the risk and impact as well as other, mostly technical, properties of the weakness and the software affected. This severity is then used to determine the priority at which a fix for a vulnerability is being worked on weighed against other vulnerabilities in our current queue. Our users will know that for critical flaws we can respond within hours. This prioritisation means that lower severity issues will often be delayed to let the more important issues get resolved first.
Even though the Forrester report claims so, it does not make that distinction when it measures the time elapsed between the public knowledge of a security flaw and the availability of a vendor's fix. For each vendor the report gives just a simple average, the "All/Distribution days of risk", which gives an inconclusive picture of the reality that users experience. The average erroneously treats all vulnerabilities as equal, regardless of the risk. Not all vulnerabilities have an equal impact on all users. An attempt has been made to allocate a severity to vulnerabilities using data from a third party; however, the classification of "high-severity" vulnerabilities is not sufficient: the mere announcement of a vulnerability by a particular security organisation does not necessarily make the vulnerability severe - similarly, the ability to exploit a weakness over the network (remote) is often irrelevant to the vulnerability's severity.
We believe the report does not treat the open source vendors and single closed source vendor in th
"Microsoft Corp., however, fixes security problems the quickest"
how can they claim that since Micro$oft receives bug reports that are not publicly announced???
It is easy to announce the bug along with the patch after having it hidden for 6 months...
No one buys reports from these companies to actually learn anything. The primary purpose these companies serve is to give companies objective sounding quotes to pepper their marketing material with and to convince risk averse managers that they are safely following the largest herd.
-_-
Have you ever considered that all of the media that you read and watch is biased? And actually, if you'd read the article, you'll notice that what they say is perfectly reasonable. Basically, the Forrester report was much too narrowly focused to have a fair assessment of the data. The simplicity of the initial report is actually laughable. MS fixing 100% of its bugs? Now, remember that Microsoft's code is *not* open source, so they can wait until some poor sap gets bit by a bug before they fix it. The initial report by Forrester was faulty and relied upon obscurity and simplicity to blatantly shift the report in Microsoft's favor. And before anyone says that Forrester is a research company and as such is unbiased, I recommend that you look to SCO for an example of MS's cleverness.
Probably another Microsoft funded event.
you would be correct
From the article:
"In 2003, Microsoft Corporation commissioned Forrester Research, Inc., to conduct a study to measure the potential market of people in the United States who are most likely to benefit from the use of accessible technology for computers."
Hey, why ain't Gentoo on the list? I guess they're still compiling their response :p
(PS I love gentoo, so don't go flaming me!)
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
From tests conducted at an observatory overlooking the skies of Los Angeles, researchers have concluded from the gathered data that the sky is indeed red.
Buried in all the hoopla, they never tell you that all the smoggy red photos were taken at around the time sunsets happen.
Statistics and numbers in general can be thrown any which way to serve the purpose of the writer. It's an unfortunate side-effect of being biased by nature. Even if someone were to WANT to be impartial, they'll often offer a slant merely by presenting data a certain way.
It's difficult to find people to trust when money is on the line somewhere. With Microsoft's track record and its acknowledged need for "Trustworthy Computing" (a marketing term), it's difficult to take their word. Unfortunately, with that money, they have enough marketing power to buy research, and flood biz execs with enough propaganda...and when they constantly hear that kind of information from what they'd consider mainstream sources, they start to believe it as fact.
Now that's dangerous.
Well, of course the news here is slanted. Otherwise they'd have to call it "Pipedot."
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
I'm staying with Linux and my money goes with Linux. After two years of running Linux I've not been hacked once, I've not gotten ONE SINGLE VIRUS, I've not had to look at one single pop-up ad that I didn't want to look at, I've not had to look at one single BSOD, I've not had to reboot one single time unless I chose to.
I don't have to spend all my time in a panic worried about patches and viruses and other such nonsense. Neither do my friends and family, I converted them to Linux too. Now I don't have to worry about them either.
What does Windows offer me that I can't do with Linux? Nothing. Why should I use Windows, which is constant trouble and extremely high maintenance and is a constant cash drain, versus the ONE TIME PURCHASE (if I choose to purchase vs. free download) of a Linux distro, in my case SUSE, that is mine, with no strings attached and will cost me no further money, ever?
Once I own the $89 SUSE distro I never have to spend another penny on it or any other software, ever. It works. It's secure. Anyone that says it isn't is a stupid SOB or a liar or both.