Slashdot Mirror
Microsoft Windows: A Lower Total Cost of 0wnership
bahamutirc writes "Dave Aitel of Immunity, Inc. has written an excellent report detailing the lower Total Cost of 0wnership Microsoft Windows has over Linux. Dave takes a unique approach in comparing the two operating systems, and the results are not surprising. The paper was submitted to Bugtraq today and is available in PDF and Open Office."
I thought SCO were the ones supposed to be astroturfing on Slashdot...
Read it. It's the best TC0 analysis I've ever seen.
Scratch that, it's the only TC0 analysis I've ever seen.
(hint hint)
tasks(723) drafts(105) languages(484) examples(29106)
I imagine that yes, due to the cheap labor of script kiddies that Windows does indeed have a lower cost of '0wnership' (sic).
Mirrored here and here in case of Slashdotting.
And no, this isn't a joke, although it is kind of entertaining!
MD5:
19bd158b9e471db49acd91f0493b81ec *tc0.pdf
5ca7eb699b94967ee2d255c021e1686f *tc0.sxw
Lol I love it! I didn't actually realise that it was Total Cost of '0'wnership ;)
This is a very clever way of making a very valid point - I can forsee this report landing on a free IT purchaser's desks mixed in with all the "real" (or MS-funded) TCO reports, because it is so well designed.
And my favorite quote? "As clearly demonstrated, other than the toy OS Mac OS X, Windows has the lowest TC0 on the market." I love it!
Sunday you're Thinking Different, Monday you're a huge tool, paying too much and waiting to think like everyone else.
Your primary business is creating mal-ware!!
*narf!*
not only does Windows have a TCO, it has a TCP - Total Cost of pwn3rsh1p
... from someone who stays up all night, every night, getting drunk? Oh, Dave Aitel, not Dave Attell. Never mind.
I've never seen a paper written with L337 terminology before.
uh, the article is satirical...
A couple of definitions of "parody" for you: Google's and Wikipedia's.
tasks(723) drafts(105) languages(484) examples(29106)
Pretty interesting, though it could be argued that the article is biased/flaimbate.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
My first clue otherwise was the pie chart in the Executive Summary; "Difficulty of owning Windows vs Difficulty to make this graph".
Now, once I see the 0 in 0wning, I'm laughing my ass off...
Excellent paper!! I h0pe the Cx0's 0ut there take a l0ng hard l00k.
In my 0rganizati0n, we've c0me t0 basically the same c0nclusi0n. In fact, the c0st 0f 0wnership f0r wind0ws f0r us has been *net negative*, due t0 the tremend0us number 0f an0nym0us v0lunteers we've f0und 0n the internet wh0 are m0re than willing t0 0wn 0ur machines f0r us!
Linux can't even t0uch that!
And we should be able to mod posters as "Didn't RTFA" / "RTFA, but didn't get that it was a joke"...
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
Too bad we can't mod articles up. That's the funniest thing I've read in quite awhile.
Just in time too - bad Friday juju around the office at the moment. I think I'll forward this around and lift the collective mood before a coffee pot goes flying into a random cubicle.
Hmm, I've been in Information Security for 7 years and almost everyone I have worked with uses phrases like "sk1llz", "0wn3d" and "l33t d00d" on a regular basis.
:)
Not that it is proper terminology, but it is a lot more fun than being an anal, angry arse about every pleasant or immature phrase spoken in one's vacinity. Then again, I tend not to underestimate someone for the phrases they use. This can be a terrible mistake.
Dude, did you even read my paper? It's hardly MS propoganda. That's a zero on the front of 0wn. It's a play on words.
I try to read on in his document but I keep coming to "0wned" and I realize that I am not dealing with a professional. I suppose his intended audience (Bugtraq) might be familiar with how 31337 he is but I just can't believe he would bother to spend the time writing up a "paper" with those stupid misspellings.
:-P
Wow... you just don't get it, do you?
Can someone tell me why the heck this was modded insightful? More like -1: Don't Get It.
T-shirt: My other computer is your Windows box.
Take care,
brad
You didn't read the article did you.
No I'm not new here.
Uhm, you do realize that this is a joke report. It's TC0 (zero), not TCO. This report is about how 0wn1ng W1nd0z3 is easier than Linux, not "owning Windows." That should teach you to at least puruse the article before posting nonsense. To repeat: This is a JOKE!!!
In the same way that IE is faster than IE (because it's part of the OS), Windows has a lower TOC because a lot of the training costs have been absorbed by the Government - the average high school student gets hundreds of hours of Windows specific training, and no Linux training.
Let's not forget that one can hate his government, but love his country.
What a difference a 0 vs an O can make. So I can assume that my board has no clue what it means to 0wn a system, show them the PDF, and get a pat on the back for choosing Windows. Or, I can show them this huge satire and have them ask why I chose Windows when Linux is clearly more secure, then have them fire my rear. Ah, the perplexities of IT...
Come on people, are we so paranoid that we cannot understand a parody anymore? Don't get so serious, it was one of the most fun thing I've read in a long time. And we get angry when they call us "zealots". Our advantage over the rest is that we are FREE to mock up ourselves (and mock with others, for sure) and this "paper" was amazingly competent in doing that.
Good job! I do expect people realize it's unique "point of view".
It's a TC0, not a TCO- and I doubt you could come to any other conclusion with a TC0 comparing Linux to Windows. Total cost of 0wnership- that is, total cost to hack the box and get it to send out a bunch of spam or viruses.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
I can't find the -1 didn't get the joke mod anywhere
Mod parent up!
All the colors of the rainbow! (well, i guess maybe not all ;)
Pretty greeen
Nice and red
Pasionate purple
A nice dull grey
uhhh, brown?
All of them easier on the eyes than puke color.
It's easier to fight for one's principles than to live up to them.
I avoided using mod points just so I could post this tidbit:
:)
If you think it means Total Cost of Ownership, as it relates to some BS middle-to-upper-management measurement, then you didn't RTFA.
That is all.
Yeah, and the post was a joke (as some people have so kindly noticed). Sadly most people are too clueless to see the humor.
Okay, for those of you out there like me that don't live and breath jargon, this paper is a joke, a satire, a ha-ha (and a very good one from what I can tell).
By Lowest Total Cost of 0wnership (spelled with a zero), they mean that Windows is easier to "0wn" i.e. hack into.
0wning (with a zero instead of an O) a computer is high-falutin' jargon meaning that you have hacked into it and can do as you please.
So the point here (joke explained): that the cheapest, easiest system to hack is Windows. That's not exactly a joke (since it's true), but it's a joke since they're using the Total Cost of Ownership metric...just redefining Ownership to be 0wnership (with a zero).
Why is it spelled with a zero? That's because that's the way (cue menacing music) the hackers do it.
Clever paper, but too clever for people who don't use the terminology. Extra points for the in-jokes.
No astroturf here. Well done!
Ok, a funny joke, but still.
I notice this paper still uses terms like "vulnerability." Instead of calling these things holes or vulnerabilities, the term I prefer is "window." As in, "Somebody found a window into the IIS web server" and so on.
The plural is left as an exercise to the reader.
Has it been over a year since you last donated to the Electronic Frontier Foundation
Apparently a large portion of the Slashdot commenters aren't aware of what '0wn' means in the hacker/cracker sense of the word. If you root a machine, you 'own' it. "I got 0wned" means "I got hacked/broken into". Now look at the title of this report, total cost of '0wnership', not 'Ownership'. Now do you understand the joke/point of the paper?
You seem to have missed the joke....
FTFA:
Summary
Immunity's findings clearly show that the best platform for your targets to be running is Microsoft Windows, allowing you unparalleled value for their dollar. This result reinforces the fact that its important to consider more than just licensing fees when your targets choose their OS. Indeed, a variety of factors go into their choice, and over time, Windows has demonstrated itself to be the top contender in the, in both the server and the desktop space for Total Cost of 0wnership.
(Emphasis mine)
I will not be pushed, filed, stamped, indexed, briefed, debriefed, or numbered. My life is my own.
Trying to ever take it seriously in the first place was your mistake.
I'm quite amused at the number of sub-6-digit Slashdotters being reeled in on this hook...
For God sake. You guys who are so confident of your awsome intelligence just don't get this!
0wned = hacked
Owned = purchased
High cost of 0wnership = good thing
High cost of Ownership = bad thing
Now RTFA again.
Kinda puts your nick in a new light, eh? ;-)
Nono, didn't you hear? The moment you start using Linux, your IQ jumps up 40 points.
I thought perhaps, that some reading this may not like to have to open up acrobat or Open Office... Enjoy:
Microsoft Windows: A lower Total Cost of 0wnership
August 12, 2004
Introduction
Microsoft has long asked third party analysts for accurate assessments of the total cost of ownership of Microsoft Windows deployments, especially against the Linux deployments commonly going into all segments of the market. However, Immunity, Inc. as a third party assessment provider has, until now, not done a thorough analysis, using Immunity proprietary data to tell the true story about the costs of Open Source.
Other sources of 3rd party information can be found here: http://www.microsoft.com/mscorp/facts/default.asp
The point of contact for this paper is Dave Aitel, Vice President of Media Relations, Immunity, Inc. He can be reached at mailto:dave@immunitysec.com. Further information on Immunity, Inc. is available at http://www.immunitysec.com/ .
Executive Summary
Based on our analysis, Microsoft Windows has one half the Total Cost of 0wnership (TC0) of modern Fedora Core Linux based technologies.
Immunity's Methodology
Immunity has four major services: Training on exploit development and vulnerability analysis, Application Security Consulting, the CANVAS assessment product, and the Immunity Vulnerability Sharing Club. In each of these, the costs to penetrate (0wn) systems based on Microsoft Windows Technologies was compared to the costs against a modern Linux system. In general there are three aspects to 0wning a system. These three things, Vulnerability Detection, Exploit Development, and Attack Execution, were used by Immunity to determine the costs to 0wn the different operating systems in configurations encountered during Immunity engagements. As Immunity is not in the rootkit (http://www.rootkit.com/) writing business, this paper does not cover the costs of maintaining 0wnership over a given OS.
Vulnerability Detection
There are several factors that affect how difficult it is to find vulnerabilities on a target platform. Some of these are listed below. Immunity's judgments are drawn from our current collection of remote 0day in the VSC, countless 0day in custom applications for Immunity Consulting customers across many different operating systems and over 80 remote exploits in CANVAS.
Portability of common exploit development tools
IDA-Pro, the premier disassembler and reverse engineering tool (a database and a disassembler together make for a powerful combination) is able to disassemble both Linux and Windows binaries, but only runs on Windows. A Linux version is, however, rumored to be in the works.
PDB (Python Debugger), Immunity's newest tool in the armory, is available only for Windows (although the client is available on both Linux and Windows). This tool allows for many advanced scripts to be run, widely automating the exploit development process.
Ollydbg (Visual Debugger), is far superior to GDB in many ways needed for exploit development. In addition, windbg and Softice provide valuable options for debugging at the kernel and user level.
The TC0 advantage is clearly obvious for the Windows platform.
Availability of Fish
Finding a vulnerability is like finding a fish. If the pond is overfished, it's harder to find them. Hackers are rather evenly split between running Linux and running Mac OSX. As much as few professional NASCAR drivers drive Dodge Neons, a negligible amount of skilled hackers use Windows as their primary OS.
Not to mention, many Win32 fish are given out for free by Microsoft when releasing patches. (See
Help a college student
I've worked IT for over two decades, and only the young'uns use "l33t speak," and even then it is only when they are feeling playful.
I tend not to underestimate someone for the phrases they use.
I try not to underestimate anyone, but I do use the words that come out of their mouths to gauge them. If they sound like cretins, they usually are, which isn't a dangerous thing to know, but a useful one.
Neopets - the best free game on the Int
You have a very low cost of 0wnership...
Analogies don't equal equalities, they are merely somewhat analogous.
Um, 2^12 * 5^10?
I'm quite amused at the number of sub-6-digit Slashdotters being reeled in on this hook...
Its old age rearing its ugly head. We're gonna have to start putting sub-6-digit slashdotters in geek nursing homes soon. Poor bastards.
You can mod your friends, you can mod your nose, but you can't mod your friend's nose.
Keep in mind, that CANVAS has an entire compiler and gas-compatable assembler into it. We didn't write that because we thought it would be fun - we thought it added a lot of value to the product in terms of reliability and features no other product can have (as hinted at by the paper.) These components are available under the LGPL, and we fund and support two other GPL projects.
:>
Our exploit code is all custom written by Immunity - so it plays nicely with the engine itself and, we like to think, is better than things like Metasploit. (Which makes sense, since we have 4 people on full time salaries to do so!)
There's a lot of other stuff to it, but let me just say that cutting and pasting is certainly something that is not a part of our development process, for many reasons.
0wnership= box hacked and turned into a zombie. Understand now?
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
....hence, why it says it's cheaper to 0wn a Windows box than Linux.
It mentions nothing about Total Cost of Ownership.
It does, however, mention Total Cost of 0wnership, which is completely different....
"City hall" in German is "Rathaus" Kinda explains a few things......
So tragic that the partial l337 mis-spell ruined it.
I can see the author mentally doing "lines"... .....
I must spell it 0wn3d I must spell it 0wn3d
See that long UID - that's what you get for lurking too long
IMHO the problem isn't with SELinux vs traditional root stuff; it's that all the damn package managers require root to run.
I'd love to see a distro where all the non-core (anything beyond the kernel and /sbin?) packages installed under /usr/local/bin/ as some user other than the root user; instead of requiring root access just to install a web broser in the default location.
One wonders - if articles like this come up more often, how long until it becomes the norm (ie >50% of people do it) for people to RTFA? Maybe we'll just end up with a new class of "Glanced At The Fantastic Article"...
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
I would have to say.. /. is actually windows users.
The reason these guys are not getting the joke is that about 85% of
They might have been able to get the joke if they had not been busy installing service packs, fending off viruses and email trojans, having their browser constantly puking popups and getting hijacked, dealing with network popup spam and the million other things that bother them on a daily basis before it bluescreens and they shut it down out of frustration at the end of the day.
So, I enjoy sitting here watching the Mac and windows guys (both of whom didn't understand the joke it seems) posting away about not understanding it, or trying to defend that macos as toy comment. (which we used to call macs "beige toasters" on usenet.. that was a popular flame war that went on for years.)
back to work I guess..
anime+manga together at last.. in real time.
Because there are so many jobs available for Windows admins, more people who are not skilled are operating as Windows admins.
I'm not sure I agree with that. I'm the only IT guy where I work. We have Windows,Linux and some BSD here. I'll agree that it is easier to find compitent Linux people but why?
Part of it is because of the "MS Money train". You have to pay to get certified. Probably pay for books for useful documentation. Probably pay for windows just to mess with what they ALLOW you to mess with. Topple onto that the fact that in many aspects, Windows is just far too complex for it's own good.
I'm not all that smart, but I find I can learn problems with Linux and fix them. I can generally troubleshoot problems because of easily available free documentation, and giving you the TOOLS to troubleshoot. And Linux is just more comprehendable in how many parts interact. I'm not sure many of those Windows admins are all that stupid, it's just that it doesn't justify itself by spending years studying the guts of MS internals with a million books on the subject when 90% of the time you just point/click/drool anyway.
also, couldn't he have just submitted the paper in fricken HTML like a normal person?
"Music is everybody's possession. It's only publishers who think that people own it." - John Lennon.
Well, you seem to be pretty bad at getting jokes. The article isn't about cost of ownership, it's cost of 0wnership.
Any company that needs the ability to procure hardware on less than 2 months notice is foolish to use an XServe for their operations.
It is a wonderful machine (lacking only redundant power supplies and the damn hardware RAID card listed in the options). However, Apple cannot meet demand. And while that sounds great for Apple, it sucks ass for companies that depend on their servers.
I'm beginning to think the only people that can write and get jokes like this are the stereotypical, jaded, cynical, Daily Show watching, The Onion reading, Simpsons quoting Gen X'ers like myself. And I base this conclusion on absolutely nothing. :)
I think we've raised satire into high art that only few can appreciate or even comprehend. From my point of view, I can't believe anyone that actually read the paper couldn't at least know it was intended to be joke even if they didn't actually understand it or why it was suppose to be funny.
I suppose it's like that with anything though. Like someone who is an art expert sees some piece of abstract piece as brilliant, but most people wouldn't even recognize or know it was even suppose to be art.
"Are you being sarcastic?"
"Dude, I don't even know anymore."
When I was your age we had to hack sendmail to get access to our accounts.. during a DDoS! Blindfolded! And also.. uh.. what was I saying again?
There are two kinds of people: 1) those that need closure
Sure the article is a joke, but actually there is some serious stuff in it as well. If you made it all the way to page 6 and read the section about ExecShield and PaX, you would notice, that this section is not a joke. It actually explains about some real security meassures that exists in Linux. Of course there are large parts of the article, where I'm not sure if it is a joke or just talking about some stuff I don't know about.
Do you care about the security of your wireless mouse?
This is clearly an attempt at SATIRE. It's supposed to use lame script kiddie speak. The article has its tongue planted so firmly in its cheek, half the Slashdotters missed it completely.
Go back and read the article again. Slowly. Run off the assumption that it is not serious. Apply a bit of reading comprehension and critical thinking. For the love of god...
--LordPixie
Its an attempt at satire. Unfortunately, it a total failure. About as funny as famine.
Yeah, but in this case a compromise had to be made and only change the O in order to fool more people into misinterpreting the meaning, thus enhancing the joke overall. :)
An excellent article. Highly informative and well researched. However, the author made a blatant spelling mistake in the fourth word of the title. How anyone can mispell "0wnz0rship" so baddly is beyond me... :-)
Actually, everything I've said is with the exception of the Xserve. Haven't known anyone that didn't have some problem with them.
I was getting ready to try out Mandrake 10 for my business, but then I realized that it often makes Windows XP unbootable on a dual boot machine.
Hell, you don't need Mandrake! XP will make itself unbootable!
True story - recently had an XP system with NTFS boot partition. It would not boot; gave an error message about corrupt NTFS. A call to Microsoft confirmed that this was "by design". Evidently booting on a corrupted NTFS partition may make data unrecoverable.
"Well, then, how do I recover it?"
"Reload with the recovery disk."
"Hmmm, you realize that the recovery disk, from this OEM anyway, overwrites everything, don't you? How do I recover the data?"
"There is no way."
Bringing up a Linux live disk with NTFS read capability got all the user's data back. Memory and disk diags showed no problems, so I used the recovery disk, reloaded user data and it's been running 2 weeks now.
However, seeing it in .swx and .pdf makes us realize that he's talking about the total cost of overrunning a system, not the total cost of maintaining a system. It makes us Slashdotters actually RTFA. And if you haven't, you definitely should. It's hillarious. Though, I would have called it the Total Cost of Pwnzrship myself.
My, how humor is lost on some people.
Haec merda tauri est. Ceterum censeo Carthaginem esse delendam.
Its actually a bug in windows xp. GRUB creates a proper boot sector, which on rare occasions, windows XP cant understand (like i said, its XP apparently thats a fault). no, i dont have to back this up - if you care, research it yourself.
I have earned the NT4 MCSE, the Windows 2000 MCSA, the LPI certification level 2, and numerous other certs from CompTIA.
Linux and Windows are from very different worlds of administration and troubleshooting. In general, I have found Linux to be easier to troubleshoot (with exceptions). Most mature Linux applications give one actually useful error messages (much more useful than similar messages from Windows software). The time I take to troubleshoot such a product is very low.
There are exceptions (XFree86 comes to mind) where error messages such as permission or disk space errors are not transparent or easy to comprehend. Of course this has improved heavily in the last four years, but X is still one area where I really don't relish troubleshooting. Not long ago, I spent 2 hours troubleshooting an XFree86 problem where the mouse and/or keyboard stopped working when I moved the hard drives from one computer to another (everything worked elsewhere). I eventually figured it out with the help of Google, but it was not easy.
But these problems are rare. In general the problems I have had on Windows software *are* harder to troubleshoot and repair.
LedgerSMB: Open source Accounting/ERP
Well my windows experience hasn't been that good. Just about every windows network I've seen has been slapped together backwards. Shit is totally installed wrong. And quite often people just barely got it working. As an aside I've also noticed that there are a lot of Windows programming shops that slap together some really crappy code with no error checking.
But of course Linux could just as easily be in the same position, but for some reason I have yet to see it. Maybe it's because I deal with smaller businesses that can't afford an uber admin, or may not no any better on who to hire?
I've had my share of problems on Linux as well, and at times they took WAY too long, but with that knowlege under my belt I was always able to easily fix similar problems much faster. The other problem with Linux is - which distro do you use. Half the time you chase down documentation that explains how distro X does it, but distro Y apperently does something different. With MS it always seems like a new mysterious - and sometimes totally random issue. Maybe I'm just unlucky, I donno =P
For me, I use the same method for getting information on Windows and Linux. For example, if I need some info on Windows, I first check the help files, then the MS Knowledge Base, and then resort to a gooogle research if I don't get a satisfactory answer. For Linux, I first check the man pages and README files, then the usual how-to sites, and then move on to the google search.
I grew up using Windows so it's natural that I'm more proficient with Windows than Linux and thus, Linux skills have some major catching up to do. I'm currently at a point where I'm comfortable using Slackware (one of more difficult Linux distro to use, especially for someone who's used to doing everything via GUI way) as a workstation.
You really can't learn anything by giving up when you hit a wall. Whatever problem you may have, there are many others who have experienced the same problem and came up with a solution for it. For example, I learned that you can indeed use the 5-button + wheel MS IntelliMouse Explorer and have all of those buttons work on Slackware. It wasn't quite easy as plug and play but after some vigilant searching, I found a solution for it.
Besides, it never hurts to be proficient with multiple OSes.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
I wonder if this will motivate /.ers to read the article before posting.
This sig space intentionally left blank.
Actually, I think a lot of it has to do with one specific thing, in today's world and yesteryear, you have to be at least capable of writing a shell script to properly administer your box.
Maybe I am the exception here, but I can't think of a single person that I know, who gets paid to administer unix machines, that doesn't know how to write at least a shell script, and the vast majority of them know how to write a program in C, Perl, Python, etc. Some of them are very skilled programmers and choose to administer boxes because they enjoy it more, not because it's the only thing they can do.
I know several windows admins who couldn't program their way out of a wet paper bag, but make competitive wages with the unix admins described above.
Of course, there is a huge shareware community on the windows side, but when I build a box, I normally write several tools to accompany it to make my life easier. I throw several of them in cron, and never have to worry about them again. I know I am not the exception when it comes to this. Most unix ISP's and web farms (small and large) have a vast array of tools to accompany their systems, if not for just the admins, the users as well.
I'm not saying that the good windows admins aren't doing this as well, or anything like that. However, the culture is vastly different: I find in the windows world it's, "buy something that does what you want". In the unix world, it's: "write it yourself".
Necessity breeds many things, education is not in the least. Several times I have been in a pinch and had to learn some new feature of the shell I was using, or a system call, just to get the job done. This is "standard practice" as far as I've experienced in the unix world.
The total cost of developing and using and maining hacks to "0wn" Windows is far lower than the cost of pulling off an attack against a Linux machine.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
not to mention the very nice graphic to start the ball rolling. "Cost of 0wning Windows vs Cost of Making This Graph" or something like that. Even if a person isn't hip to 0wning etc, that certainly should raise an eyebrow. Sheesh
189k?? Heck, most website's home page is bigger than that these days.
This sig is the express property of someone.
I have had no problems with my xserves except the shipping delays. Thankfully, my business does not require quick delivery.
George Orwell said it best in his Politics and the English Language essay. You can find it on Project Guttenberg and other sites, here is the Australian link : http://gutenberg.net.au/ebooks02/0200151.txt
Personally, when I see such buzz-word-infested langiage, I imagine an avalanche sliding down the mountain valley, long stripped of vegetation to stop it. That is the purpose of such a language - to get you in a programmed channel of thought.