Microsoft Silently Backs Favorable Presentation at RSA
lildogie writes "Two researchers, from the Florida Institute of Technology and Boston-based Security Innovation Inc., 'surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system' according to the Seattle Post-Intelligencer. 'This week, the researchers released their finished report, and it included another surprise: Microsoft was funding the project all along.' When will they ever learn?"
Okay, who didn't see this coming?
MS or researchers. One wins $$ and one wins $$...
Been there, done that.
People will say whatever you want if you give them lots of money? Impudence!
Are you saying that Microsoft funded a study that came to a M$ favourable conclusion? I'm shocked...oh wait...
These people make me sick. It's stories like this that make me realize why Microsoft is the object of so much hate. It's not because of their products, it's all about how they deal with competition.
I like Active Directory and a few other Microsoft creations, and I even have an MCSE. Hell, Exchange has a good feature-set; if it would just stay up and be easier to manage it'd be a great product too.
What I can't abide is being told that IIS is superior to Apache, and that Windows is more secure than "Linux". They send out these teams of spin-doctors with big bankrolls and try and take over the world using FUD. It's total crap.
When do you see Linus doing this? Steve Jobs? Not very often. There are occasional comments, but nothing like this steady stream of trash that comes out of Redmond. I grow tired of it, and my reasons for disliking the company have never been more clear.
dmiessler.com -- grep understanding knowledge
The article should be from the 'well-duh' dept.
"They say they had "complete editorial control over all research and analysis" involved in the project."
It was later learned that Microsoft "had complete financial control over all employees involved in the project."
Anyway, is Microsoft trying to develop a pattern here? Every time Windows beats Linux it's from a source Microsoft paid.
If you want your product to be found safe or secure or whatever, you fund research. Cell phone companies fund research to show that they are safe, but a recently published study by a guy from the University of Washington proved otherwise.
All this research by MS-funded institutions and researchers, Alexis de Tocqueville etc... It's too predictable. Do people actually believe anything they're saying? At least this time they didn't claim Torvalds isn't the father of Linux.
"Our own requirement for the methodology was that it had to be very open and transparent." "However, during their Feb. 16 presentation at the RSA Conference, Thompson and fellow researcher Richard Ford of the Florida Institute of Technology did not mention that one of the subjects of their research was the one funding the project." Huh. As noted already, this reeks of bias. Even if the results are perfectly accurate (and the FUD surrounding the notion that "Linux" is insecure rather than a specific distro means that they aren't) suspicions are aroused irrespectively.
How to use coral cache: http://slashdot.org.nyud.net:8090/~oscartheduck
"... with 52 reported vulnerabilities for the year, compared with 132 vulnerabilities for the Linux version, according to the report. The researchers also calculated an average of about 31 days of risk for the Windows software in 2004, compared with an average of about 70 days of risk for the Linux version."
I strongly suspect, but can't prove, that more vulnerabilities are reported for Linux because more eyes are able to see them. I always took it as a matter of faith that problems were patched much faster in Linux than Windows. So, what sleazy trick have these guys pulled to make the Windows numbers look so good?
...and what a bad move. Anyone with half a brain would have looked for independent funding, separate from both sides, to put their methodology beyond doubt. Instead they sold their concept to Microsoft. Unbelievable naivety.
But the proof of the pudding should be in the eating: apply their methodology. Does it pan out for other Linux distributions/XP upgrades? If the methodology stands, it will be a great service to the debate.
It's just a damn shame the politics of the situation mean that probably won't happen.
insecurity asks the wrong question irritation gives the wrong answer
...to consider the possibility that if the study was unfavorable to Microsoft's position they would simply have pulled the plug and thrown away the results? Unless you can find fault with the study itself, there is nothing wrong with Microsoft financing studies which show Microsoft in a favorable way, as long as the study itself was legitimate. I realize this may be a difficult concept for many /.'ers to grasp, but give it a shot.
It is hard to get a 'true' test on what is this and what is that, especially security.
What needs to be done is _not_ an independent review sponsored by MS, but a review by all parties not sponsored by anyone.
MS always uses its FUD.
Why not get a panel from ALL current OS and do similar?
Tut.
We know why that will never happen.
BTW, did the guys involved have to pay the full whack on Windows Server 2003?
I'm so glad they did it silently so nobody would hear about it. On a different topic, I'm glad they put up that sign for warning people to stay out of that secret army base.
I don't get it.
Ironically, your rant was just as useless. You could have just written "GNAA rules".
Our other top story today: President Bush's approval rating is higher than ever, mainly because consumers are very happy about rising oil and gas prices ... reports FOX News.
Tired of FB/Google censorship? Visit UNCENSORED!
See subject
Microsoft puts pressure on discoverers of security leaks on not to disclose them.
That gives MS time to find a fix and reach a better "days-of-risk" value
He surely doesn't have to read it to understand how the system works...
-- Shameless plug for the Nuggets mobile search engine.
...but I wouldn't put it past them to test ten and use the one that makes them look best.
You guys are too skeptical. So MS paid for the study that found them to be safer. That doesn't mean a thing. Seriously, give up the paranoia and trust your fellow human beings for a change. Now, if you'll excuse me, I need to draw up plans for a toll both. A nice fellow in a trenchcoat just sold me the deed to the Brooklyn Bridge.
dmiessler.com -- grep understanding knowledge
When will they ever learn?
When will who learn? Microsoft? They already did. They learned that funding research groups is a great way to portray themselves as they see fit and at the same time spread FUD about Linux and other competitors.
Failing to learn from history dooms you to repeat it.
So has anyone already taken this to the test?
As long as there is no counterevidence (besides the obvious evidence from everyday use of both OS's), why already pass a judgement? (Ok, this -is- Slashdot, I'm not -too- new here)
Although I find it dubious, to say the least, to have MS funding this research, I still think that they should at least try to reproduce the results, and investigate what might have been left out (on purpose) to skew the outcome.
The point is that many people who matter will see this paper; they are busy people, they will read the headlines and the conclusions, and they won't even notice that there is something about funding. These people are IT directors and the like.
Yes: we geeks say that the report is a joke because of the way that it is funded; learn that the joke is on us since we dismiss this paper as irrelevant when it is opinion forming.
These sell outs always surprise me. Your reputation is the most valuable thing you "have". Once that's gone, you are nothing more than some guy who lives in a van down by the river.
If you are going to derive your research from presupposed conclusions it helps to AT LEAST choose a plausible sounding conclusion.
As a genuine security researcher , I don't think anyone knowledgeable in the field believes that Microsoft has a more secure OS than a hardened version of Linux.
Speaking as an academic, it is somewhat disappointing to see this kind of spin besmirch the ivory tower of a university institution.
Let Microsoft open the source code for their operating system and then let us see who has more reported vulnerabilities!
Ouch! The truth hurts!
But at the time they weren't too worried about the long term growing threat, they were worried about the pending case. Now the big picture nightmare is being realized on all fronts and they need to go down in flames shooting off ridiculous attacks/defenses that they paid for because the net result will probably be in the black, at least beyond the slashdotters, of keeping more people from moving to linux than they drive toward linux because those people found out that MS paid for the study and yada yada. Count on that MS reads the likes of Slashdot and give them a little benefit of the doubt -- not with their ethics, but with their business sense. In this case I think the ensuing flood of "when will they learn" posts will be overstated. I should note however that MSFT has had a pretty disappointing performance and that the public is catching onto the hole they're in, and not every investor is going to stay on the ship just because Microsoft is selling video games.
But then I think, I am a Debian addict and I am defending MS's business decisions, and then I think I've been up all night perfecting my porn site and I'm beginning to hallucinate. I don't know where I'm going with this... Back to the porn!
The conclusion has to be that selling IT snake oil is an even better bet than becoming an aromatherapist or an urban shaman. No-one is likely to be able to prove you wrong, and you can continue to be paid by your vendor of choice secure in the knowledge that most publications will not print anything that upsets their biggest advertisers, and that even if a few minority interests notice the connection between your conclusions and your paycheck, the wider world probably won't notice.
The system will only fall apart if academic institutions get together and pass some suitably tough rules on the ethics of product comparisons - and history suggests that the first one under the new rules will be a study of the aerodynamics of different breeds of pigs.
Panurge has posted for the last time. Thanks for the positive moderations.
I was handed this article from a retired researcher that was supervising me on my wifi research. http://www.washington.edu/alumni/columns/march05/wakeupcall01.html
I'm a researcher and on the editorial board of an academic journal. The cardinal rule is you disclose your funding or any conflict of interest *every* time and *any* time you make a presentation or write a paper. Such disclosures are essential in allowing others to evaluate the possibility of bias and are accepted practice.
Academia requires funding, and researchers are usually funded. Funding agencies always have a perspective (even when you're funded by the NIH or NSF or other federal agencies). The agreement that the researcher has intellectual control of the research process, data, and the right to publish is key, especially with commercial sponsors (e.g., MS, pharma companies).
These folks may well have had an agreement ensuring them that they could find what they found and freely report it. And if they reported it, others can appraise the quality of their methods. I haven't read the study, so I don't know if the comparison was fair. Did their support from MS include someone sending them specially-configured systems, for example?
But I do know that they should have known better than not to disclose the funding source in their first talk.
The worst thing MS ever did for itself is admit to competing against GNU/Linux.
They're just spreading the word further, to people who may never have known of alternatives. Anyone who's semi-competent can then clarify the situation.
Keep it up Microsoft. Remember, it's a case of when - not if. You're helping to bring that date closer =)
No news here. Move along.
http://blogs.redhat.com/people/archive/000201.html links you to the raw downloadable data on how well Red Hat really did and a trivial Perl script to analyse it and drop out all sorts of metrics.
-- Mark Cox, http://www.awe.com/mark/
Are there any comments from the Florida Institute of Technology? Do they usually sell faked research?
This is not the career in research you were looking for, you can go about your business. Move along, move along.
The problem with this study isn't that it can be seen to say that Windows is more secure than Linux (which it doesn't say, and specifically denies it's saying, but which Linux users will think it's saying and flame away). The problem is that they claim to be trying to find the "most secure" OS, and then look at the % of total attacks against each type of system instead of the average per installation of each type. If I set up 5 insecure "A" machines and 100 more secure "B" machines, and find that there were 5 attacks against the A machines and 20 against the B machines, I can conclude that the B machines are least secure because they account for 80% of attacks, or that A machines are least secure because they're attacked 100% of the time vs. 20% of the time. The raw numbers are completely meaningless in the context they're presented in, and the "news alert" itself shows they're either intentionally misleading people or they're incompetent and need to hire a statistician with a big clue stick.
It's remarkably stupid of Microsoft to continue to fund studies slamming Linux. The choice between operating systems is not one that people make on the basis of slight opinion. They follow trends, and technological trends are influenced by people who understand the impact of their choices.
Linux has been the choice of the leading edge for several years, it is well-established as the choice for the early adopter, and it's now starting to become a serious option for the mass market.
The mass market listens to the early adopters, the early adopters listen to the pioneers. That's the way it goes with technology, and that's why marketing only helps when products are otherwise equal.
Microsoft should work on the real problem - the low quality of their products, and the real gap between their outdated expensive proprietary software and the commodity alternatives - rather than try to influence the market with propaganda. Unless, of course, they have come to the realisation that they cannot fix the problems.
It will be newsworthy when a study finds that Microsoft has made a better product than the community, and when the study is both independent and accurate.
If Apple can do it, why can't you guys at Microsoft? It's just software... infinitely plastic, and you are so smart, so rich...
Nope. They won't do it. They just don't get it. They will continue to bitch and bluster and bluff until it's too late.
It's a shame. All that talent, all that money, and all they can do is pay people to lie.
Sig for sale or rent. One previous user. Inquire within.
And since they're claiming that this is a "Linux vs. Windows" research paper, the fact that they're looking at using the boxes as web servers makes it seem more like they're comparing Apache/PHP/MySQL to IIS/ASP/SQL...
I'm rather new to the Linux world, but isn't that like looking at the engine of a car, and saying the doors don't work?
- Jack
Point 2: Linux is not an operating system. It's a kernel that various organizations build operating systems on. I haven't read the report, but if the authors include userland vulnerabilities, they're being completely dishonest. WRT to userland vulnerabilities, you have your choice of Linux based operating systems and you should exercise your choice accordingly.
Point 3: Not all security vulnerabilities are the same. Remote root is different from local vulnerabilities. It's tempting to say that experience has shown Linux vulnerabilities to be on average less severe. However I wouldn't do so because most people live in a fool's paradise when it comes to security, and it's not responsible to encourage them to continue to do so.
Final point, addressed to Linux advocates: Don't make too much of the fact the study's funding source. If you must look to anything other than the substance of the methodology, then look at the reputation and track record of the authors.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
They're talking about "Linux", and it's a kernel. RedHat, Fedora, Debian, Slack, Suse... these are OSes!
So, if you get a sloppy distro (won't cite any names to avoid flames) and compare it to Windows, you can say that distro is more insecure than Windows. But you can't say "Linux is more insecure than Windows"!
If they really want to compare Linux to Windows, well... then let's compare the kernels, Linux vs. NT! Which one is more secure? Has more bugs? Heh, that's something I'd like to see.
---- You know how some doctors have the Messiah complex - they need to save the world? You've got the "Rubik's" complex
Innovation Inc., 'surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system' according to the Seattle Post-Intelligencer
Hahahahaha..."snort" stop it! You're killing me (holds gut in pain)..
I can always look forward to a good laugh from /.
"I bow to no man" - Riddick
Now everyone reading TFA knows better, because you already know about /.. How about the millions of people using Windows that were trying to convert away because of security reasons, who don't know about /.. Until I switched from Windows to Mandrake Linux I never even heard of this place, much less cared about which was more secure - however now I know better; my wife OTOH doesn't, nor does she care to either, I might add.
Stories like this are just like SPAM: the reason they keep happening is because it WORKS. Like it or not, it's making an effect somewhere with someone and Redmond knows it.
A very nice counter from RH, detailing the flaws in the original "independent" research.
People will always read what's put in front of them without checking sources, too. That fact is what Microsoft is after.
Some of us may care because we make our living as software developers, resellers, et al. We know how much competing with a giant means to our personal bottom line. We care passionately about F/OSS because it's our livelihood. (Some may care passionately against F/OSS because they see it as a threat -- go figure.)
It's that pointy-haired boss who's the target of these "studies", not the general population. We should find a way to make pointy-haired bosses irrelevant. And... uh... good luck with that.
Sure, their products suck. But on its own, that wouldn't be a problem, because people would be free to choose the best product for the job. MS would be under the same commercial imperatives as anyone else: make good products, or die.
But their business practices suck too. Because of that, the market isn't free to pick the best products.
They pay people (individuals, dealers, companies, governments) to use their sucky products, by offering discounts and other incentives -- even giving them away if necessary. They pay competitors not to make competing products, by buying them off. They pay masses in marketing to make their products seem less sucky. They pay lawyers to find ways to prevent competitors making better products. They pay dealers and distributors not to bundle competitors' products. They pay lawmakers to prevent competitors being able to compete fairly. They pay training companies to ensure that there's more expertise for their products. They pay their own developers to break competing products in various underhand ways. They pay anything they can to support their products.
And so, ultimately, we all pay...
In short, it's their immoral and illegal business practices which make their dodgy products popular. Prevent those, and their products wouldn't be a problem.
Ceterum censeo subscriptionem esse delendam.
No matter what MS says, no matter how hard they yell or lie or cheat or steal, as long as LINUX is useful and continues to improve people will use it. MS still does not understand that Windows' biggest enemy is itself and not LINUX. LINUX isn't designed to "beat" Windows. It's designed according to the needs of its users. The only reason we are seeing it improve in the desktop arena is because the userbase is changing, becoming more mainstream. So don't worry! Use LINUX (or BSD if that's your fancy) and ignore the "other camp". As long as everybody likes using it, it will not die.
When those "researchers" (I'd rather call them hacks) presented their methodology to Microsoft and asked for funding, it was pretty much a no-brainer for MS to do so, as the metrics were clearly in their favour. Take the number of security reports, for example. The number of errors reported does not only depend on the number of errors in the system; it also depends on how available the means for finding these errors are. Compared to the number of people being able to do so with the Linux sources, fewer people have access to Windows Server 2003 source code. That'd be one factor. To that you should add that Microsoft can decide whether or not they want to make a security problem public. It would not surprise me at all if they didn't fix a few of those holes silently with their updates.
Also, the compared systems are not equal in scope. Red Hat's Enterprise Linux offers a whole lot more software than a 'naked' Windows Server 2003, and thus a lot more potential for security problems. If you compared Windows Server 2003 with a rather bare Linux setup with no frills that offers similar functionality, then you could compare those systems.
In other words, the results of the study were already clear before the "researchers" started it. MS had nothing to lose because they could very much assume the results would be favourable to them. They didn't even need to put any pressure at all on those "researchers".
Computer science like their report does not have peer review. Which is disappointing, because proper computer science research is so much more repeatable than natural science. I'd like to see the ACM take a stand, and aggressively demand that published research either cite a peer review process upon publication, or publish auditable records of the publisher's finances. Of course, anyone can publish anything, and anyone is free to believe it. But computer science is too important not to distinguish accountable research from PR.
--
make install -not war
and not owning a PC, I used to really dig this kind of stuff. I still don't own a PC, but my two roommates do, and the more I see these kinds of things on /. the more it reads like sour grapes from the linux community.
When one of my roommates got a Dell recently, I took a look at his XP before connecting to the internet. A few clicks and the firewall was on. A few more clicks and his anti-virus software was up and running. After connecting to our LAN I downloaded Firefox, and for the past month and a half he has had no problems with any security issues on his machine. No, Windows is inherently not as secure as linux, but if you know what you are doing, you will be able to set up your Wintel box to be decently safe and hacker-free.
The downside is, of course, that Microsoft could do a lot more to make Windows more secure out of the box. But Linux (and the Linux community) has a long way to go before the average wal-sumer will feel comfortable using Linux machines, much less knowing how to run them.
http://www.walkingtaco.com
Unfortunately, all academic institutions fake research; the pressure for money makes it hard to turn down a "grant".
Diplomacy is the art of saying "Nice doggie" until you can find a rock. Will Rogers
...and even if they beat every single one of the ten, they'd still only mention one, because doing otherwise would imply that there's choice on the "other side of the fence".
MS wants nothing of that. If, horror, they have to compete with "Linux", there will be only one "Linux", and that today is RedHat.
We'll know they're sweating when their paid shills start to rave about some other dist, or even mentions several of them at the same time.
We will all be carrying heavy duty umbrellas
And every time I see one of these "Research Papers" I reach for mine
Diplomacy is the art of saying "Nice doggie" until you can find a rock. Will Rogers
Thompson said he and Ford developed the methodology on their own and submitted a proposal to Microsoft last year. He declined to say how much Microsoft paid to fund the research, but he said the company didn't have a say in the methodology.
I'm surprised that this kind of research would get so much attention . . . reading between the lines, the research proposal was written to attract money from Microsoft. This implies an immediate conflict of interest . . . the research proposal and methodology were very possibly skewed in favor of Microsoft from the very beginning to garner Microsoft's favor and money.
This is like writing a research proposal on the effects of smoking to get money from Phillip Morris. Of course such a proposal won't be written is such a way as to build a link between smoking and cancer . . . it would likely be written to imply that the research may refute the link between smoking and cancer. Skew the proposal in favor of the benefactor and one is more likely to get money . . .
The whole process needs to be more transparent . . and all of the facts need to be issued before presenting . . . otherwise this is just irresponsible research.
Test #1: Intruders are capable of taking control over the computer.
Results:
Linux: The system was finally hacked (after leaving the root/administrative account w/o a password, which seems fair to Windows).
Windows: The system crashed... nobody was able to take control!
Analysis and conclusions: Windows is much better!
MS should just create their own Linux and make it as insecure as they want. Then their claims that "Windows is more secure than one Linux" might actually be true ;)
The stories are stupid. What no one EVER comments on is the research itself, only that it is obviously wrong because M$ funded it. (Of course, that's really just icing on the cake. Any research favoring M$ is automatically wrong, we all know.)
Also, what no one ever mentions when research favors OSS is ideological bias. What's especially interesting about the second thing is that it should be obvious that it exists, because we are neck deep in it here.
What this latest flurry of anti-Linux pronouncements from 'independent sources' really means is Microsoft is looking at the sales trends. Doesn't look good.
I wonder if Microsoft is going to be able to maintain the R&D spending with dropping sales and profits?
Derek
They'll make a go of claiming Linus isn't the father of Linux shortly...
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
The researchers deserve credit for disclosing their source of funding ... after all they could have laundered the funding source.
It adds credibility to the report.
The point of my post was:
I have no clue. Will somebody tell me what's really going on?
There's nothing wrong with my logic here. I fully admit my ignorance. I am hoping that someone will provide me with some 'proof'.
What the hell difference is it in a lab environment if my system is more secure than yours if there's no measure of real world elements? Dropping a couple hundred boxes on the net and plotting out the time it takes for their security to be subverted would be a good measure of the OS security.
Multiple bandwidth tests (56k - 1.5mb DSL) trying to update the OS, utilizing vendor (Dell/HP/Gateway) XP installs/Linux installs (not fully patched, but patched a *little*), in combination with hardened installations in similar configurations. You could more than likely run a hardened setup with autoupdates on Windows/Linux side by side without a successful attack for the length of the survey.
Oh I don't know, something like: this
C'mon now... We found faults with the methodology to begin with. The metrics they're using are completely useless for determining the relative security of an OS- they're using time to release fixes for reported exploits.
Now...
1) Microsoft waits until they actually have a fix or is forced to report/acknowledge an exploit when someone else makes an issue of it.
2) Microsoft doesn't report any other exploits that they know about and doesn't go auditing for potential issues either.
3) The Open Source community as a whole is rather paranoid compared to Microsoft when it comes to overall security so they report anything that might be a potential problem.
Given the above items, that isn't a terribly good metric for determining overall security, nor is determining how secure the OS is by the reported issues. Overall security is a measure of how many issues, how severe, how exploitable, and how well they get fixed. Microsoft consistently flunks in the overall issues (they have more than we do, we just don't find out about them until after the fact...), severity, and fixing arenas.
Combine this all with the facts that Microsoft maintained editorial AND financial control of the entire "study" and it all becomes a farce and worthy of the derision we're all heaping up on it.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
The numbers are correct, however as they say, there are lies, damn lies, and statistics.
The problems with the study:
1. The researchers were dealing with vendor-supplied patches of RHEL 3.0 and Windows 2003 Server only. If a Linux vulnerability was released, and then patched by the author on the same day, but Red Hat didn't release an update until 7 days later, this would be counted as a week. (Which may or may not be the correct way to view it - it's an 'apples-to-apples' comparison of a distinct 'apples-to-oranges' problem.)
2. The researchers didn't take into account the severity of the vulnerabilities. A local DoS vulnerability was given the same weight as one that offered remote administrative privileges. The RHEL vulnerabilities were typically not as severe as the Windows ones.
3. The researchers didn't take into account whether the vulnerabilities were theoretical or not. A vulnerability that was theoretical was given the same weight as one which was proven real. All of the vulnerabilities in Windows were real, while the same is not true of RHEL.
4. The researchers didn't take into account the fact that RHEL has *much* more software included with it than Windows Server 2003. More software == more vulnerabilities.
5. The study dealt with "public disclosures" - security researchers typically work with the vendors, giving them some period of time to produce a fix before releasing the advisory; again, as the "vendor" in OSS is the program author, and not Red Hat, MS has a distinct advantage in "number of days to fix", as they can have a fix ready before the advisory is released, while Red Hat usually cannot. (This ties back into point #1 above.)
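The two methodology complaints in this thread (the share-of-attacks versus attacks-per-installation point made earlier with the 5 "A" and 100 "B" machines, and the five-point list above about vendor patch dates, severity and theoretical issues) can both be made concrete with a small calculator. The following is an added example, not code from the study, from Red Hat, or from any poster; the vulnerability records, dates, platform names "A"/"B", and severity weights are all constructed for illustration and are not the study's data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Severity weights are an assumption for illustration; the study applied none.
SEVERITY_WEIGHT = {"critical": 4, "important": 3, "moderate": 2, "low": 1}


@dataclass
class Vuln:
    vuln_id: str                  # constructed label, not a real advisory id
    disclosed: date               # date the issue became public
    vendor_fix: date              # date the OS vendor/distributor shipped a patch
    upstream_fix: Optional[date]  # date the program author shipped a fix (None: vendor is the author)
    severity: str                 # key of SEVERITY_WEIGHT
    exploit_known: bool           # True if a working exploit was public, False if theoretical


def days_of_risk(v: Vuln, basis: str = "vendor") -> int:
    """Days between public disclosure and a fix.

    basis="vendor" mirrors the study (distributor patch date only);
    basis="upstream" credits the program author's fix where one exists (point 1/5 above).
    """
    fix = v.vendor_fix if basis == "vendor" else (v.upstream_fix or v.vendor_fix)
    return max((fix - v.disclosed).days, 0)


def average_days_of_risk(vulns, basis="vendor", real_only=False):
    """Plain average, optionally dropping theoretical (never exploited) issues (point 3)."""
    sample = [v for v in vulns if v.exploit_known or not real_only]
    if not sample:
        return 0.0
    return sum(days_of_risk(v, basis) for v in sample) / len(sample)


def weighted_exposure(vulns, basis="vendor", real_only=False):
    """Sum of severity_weight * days_of_risk: a 'how bad, for how long' score (point 2)."""
    sample = [v for v in vulns if v.exploit_known or not real_only]
    return sum(SEVERITY_WEIGHT[v.severity] * days_of_risk(v, basis) for v in sample)


def attack_rates(installs, attacks):
    """Share of all attacks vs. attacks per installation, per platform (the 5-vs-100 machines point)."""
    total = sum(attacks.values())
    return {
        name: {"share": attacks[name] / total, "per_install": attacks[name] / installs[name]}
        for name in installs
    }


# Constructed sample data. Platform A: the vendor is the author, few advisories, all real, all severe.
PLATFORM_A = [
    Vuln("A-1", date(2004, 1, 10), date(2004, 2, 10), None, "critical", True),
    Vuln("A-2", date(2004, 3, 1), date(2004, 3, 31), None, "critical", True),
    Vuln("A-3", date(2004, 5, 5), date(2004, 6, 6), None, "important", True),
]
# Platform B: a distribution shipping many third-party packages; upstream fixes land within
# days, the distributor's packages lag, and most issues are minor or theoretical.
PLATFORM_B = [
    Vuln("B-1", date(2004, 1, 5), date(2004, 2, 4), date(2004, 1, 5), "low", False),
    Vuln("B-2", date(2004, 2, 1), date(2004, 3, 12), date(2004, 2, 2), "moderate", False),
    Vuln("B-3", date(2004, 3, 10), date(2004, 3, 20), date(2004, 3, 10), "critical", True),
    Vuln("B-4", date(2004, 4, 1), date(2004, 5, 31), date(2004, 4, 3), "low", False),
    Vuln("B-5", date(2004, 6, 1), date(2004, 7, 31), date(2004, 6, 1), "low", False),
    Vuln("B-6", date(2004, 7, 7), date(2004, 9, 5), date(2004, 7, 8), "moderate", False),
]


def compare(a=PLATFORM_A, b=PLATFORM_B):
    """Every metric the thread argues about, side by side as (A, B)."""
    return {
        "count": (len(a), len(b)),
        "avg_days_vendor": (average_days_of_risk(a), average_days_of_risk(b)),
        "avg_days_upstream": (average_days_of_risk(a, "upstream"), average_days_of_risk(b, "upstream")),
        "exposure_all": (weighted_exposure(a), weighted_exposure(b)),
        "exposure_real_only": (weighted_exposure(a, real_only=True), weighted_exposure(b, real_only=True)),
    }


if __name__ == "__main__":
    for metric, (va, vb) in compare().items():
        print(f"{metric:20s} A={va:8.2f}  B={vb:8.2f}")
    for name, r in attack_rates({"A": 5, "B": 100}, {"A": 5, "B": 20}).items():
        print(f"{name}: share of attacks={r['share']:.0%}, attacks per install={r['per_install']:.0%}")
```

On the constructed data, raw advisory count and vendor-dated days of risk favour A (3 advisories and 31 days versus 6 and about 43), which is the shape of result the study reported; restricting to issues with a known exploit or dating from the upstream fix instead favours B. The point is not which platform "wins" but that the ranking is a property of the metric chosen, so a report that publishes only the count and vendor-dated average, without the per-vulnerability records, cannot be checked.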
...and found it lacking in several respects.
Some background. I work as an industry analyst for a major technology research firm you've heard of. We were asked to review the methodology and findings of the report prior to its publication---i.e., at the beginning of March.
Things I commented on, among others:
In short, the authors' claims that the methodology was "transparent" and "reproducible" are unfounded, since there is no way to inspect the data underlying their conclusions. I predicted they'd be heavily flamed by the open source crowd, and that they ought to make some changes to the report before they went public. They didn't, other than to acknowledge (but not address) a few of the methodological issues we raised.
It's really too bad, since I really liked their emphasis on "role-based" analysis; that is, look at a specific "stack" for a particular use case, for example web serving. The methodology paper, in case you haven't read it, is worthwhile reading. But all that good work is sullied since we can't see the data.
Windows Server benefited in part from Microsoft's reduction of security vulnerabilities in the latest version of the software -- with 52 reported vulnerabilities for the year, compared with 132 vulnerabilities for the Linux version, according to the report. The researchers also calculated an average of about 31 days of risk for the Windows software in 2004, compared with an average of about 70 days of risk for the Linux version.
Yeah but how many people get to review M$ code and discover new vulnerabilities? Did they account for that in their bug count methodology?
It's all about limiting the avenues of attack.
I run Ubuntu; you cannot crack my machine with any worm because it does not have any ports open to you.
I can put that machine on a DSL connection and read
You believe that no matter how much care is put into designing an app, security holes will magically appear once enough people start using it.
Nope. That's usually a sign of a "buffer overflow".
Nice. You keep confusing software that crashes with security holes.
Whatever.
And no mention of Browser Helper Objects or how IE runs with unreasonably high access rights.
Well, you certainly can't argue with that "logic".
All I can do is to point out that all security issues are not the same.
#1. Remote exploit that gives root/admin rights.
#2. Remote exploit that gives non-root access.
#3. Local exploit that gives root/admin rights.
Way way way down the list is "Exploit that crashes the app". The worst you can get from that is a DoS attack.
But to you, all issues are the same. If Firefox crashes, that's just as bad as the Sasser worm on Windows.
Sure, it may be impossible TODAY for someone to crack my Ubuntu desktop
MS doesn't play by the rules. They change the rules. DO NOT underestimate them.
Microsoft how do you get someone to say anything good about your security these days? If the study and the methodology are acceptable (and I am not saying that this study or methodology is) and the results are legit, how do you get them out there? You can't say anything positive about MS around here, or many other web sites for that matter. Do any truly "independent" testing bodies for this type of thing still exist? If a supposedly "independent" test came out and MS was still considered superior would anyone around here take it seriously or would they find another reason to cry foul?
... doesn't mean they're not after you.
Here on slashdot, whenever someone comes up with a study favoring Windows, skeptic readers ask if it was funded by Microsoft.
Well, seems we should all keep asking the question. More often than not, we'll be right in our suspicion.
In gp - s/devote/devoid/
Read it. Look at how they took the "default" settings EXCEPT where those settings would make Microsoft look too bad (firewall disabled by default).
Read it all. Then look at what they REALLY based their "finding on".
Nothing more than some other site's listing of security announcements/bug fixes.
That's nice, in theory. But just read the "report".
That's a given. That is why Microsoft provides the financing to these "independent" "studies" by these "independent" "researchers".
Hey, here's the REAL information hidden in that report...
Look at how many security violations these two "Ph.D.'s" had to perform just to get Win2003 on par with Linux
Then look at the "research" these two "security experts" did that could have been done by any 5th grade student who can add and divide.
These "security experts" are prostituting their "Ph.D.'s" in support of a "study" that is beyond fundamentally flawed just so Microsoft will approve of it and give them paychecks.
#1. They didn't even evaluate the risk of each item they were counting AS IT PERTAINED TO THEIR DEFAULT INSTALL.
#2. They ONLY counted the days until Red Hat had a fix ... NOT the days until a fix was publicly available.
So, a local exploit in a .pdf reader that goes unpatched for a year (after being posted on a public mailing list) is (by their calculations) WORSE than a remote root attack against the web server that is open on port 80 but which has a patch from Red Hat within a week (and a publicly available patch posted with the vulnerability announcement).
WTF?!?
Or, rather, Microsoft can SIT on a vulnerability notification for YEARS and release the patch the SAME DAY they publicly admit the vulnerability and they will STILL get a better rating than the Apache vulnerability in the previous example.
There was NO research done for this "study". It is pure bullshit. Counting patches is MEANINGLESS when it comes to security.
By their "logic", MS-DOS 6.2 is even more secure than Win2003.
Research which demonstrated the superiority of software *not* written by a greedy corporation was tainted today by the revelation that the researchers themselves were not funded by a greedy corporation.
MS recently announced that it would be giving the US military 30 days to apply security patches before releasing them (and disclosing them) to the public.
So now MS will have 30 days exposure for every security breach.
I look forward to a new report from the same guys next year showing these results.
Oh, I forgot, they won't be able to get the funding from MS.
- AndrewN
Acknowledgements
This study and our analysis were funded under a research contract from Microsoft. As part of the agreement, we have complete editorial control over all research and analysis presented in this report. We stand behind our methodology and execution of that methodology to determine objective results that will be useful to customers and security practitioners.
Do they really expect us to buy an excuse that thin? Yes, a report of this type is academically viable, but only if you maintain neutrality. These "researchers" have carefully chosen their sources such that the report is biased, and out the window goes neutrality.
ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
What "test"? The whole point is how their "methods" are flawed.
Here's the "counterevidence":
Scenario: You are running a web site on Linux. All ports are blocked by the default firewall except port 80.
Is a local exploit in a
By their "methods", the
They counted the vulnerabilities (X).
They added together all the days between announcement of vulnerability and Red Hat releasing a patch (Y).
They divided Y by X to find the average time between vulnerability announcement and Red Hat releasing a patch.
They did the same for Win2003.
Then they announced that Win2003 was more secure because it had less time between public announcement and public patch.
That is all they based this "report" on.
Their methodology is fundamentally flawed. You can do the same arithmetic they did and get the same results, but that does not mean that their findings are valid.
Look! Something shiny over there!
If magical elves decided to hide bad code in Linux and if they had CVS access and if they wrote it right and if no one noticed
HOW is someone going to get that data into my OO.o document? Hmmmmmm?
Magic? I don't think so.
Why don't you skip the "if"s and start focusing on the "How"s?
Security doesn't rely upon "if". It relies upon "how".
What else did you expect of a corporation which engages in lies, theft and bullying tactics?
"What I can't abide is being told that IIS is superior to Apache, and that Windows is more secure than "Linux". They send out these teams of spin-doctors with big bankrolls and try and take over the world using FUD. It's total crap."
"When do you see Linus doing this? Steve Jobs? Not very often. There are occasional comments, but nothing like this steady stream of trash that comes out of Redmond. I grow tired of it, and my reasons for disliking the company have never been more clear."
"Anyway, is Microsoft trying to develop a pattern here? Every time windows beats linux it's from a source microsoft paid."
"You really can't compare a basic, unpatched and yet to be updated, Linux install to a "complete", fully patched and updated, Windows install. This is like comparing a '69 Volkswagen to a brand new Porsche."
I couldn't agree more.
This report is as "scientific" as you can get, because it is reproducible. That is, its precision is very high. No one calculates the effect of rice prices in China on the effectiveness of Superbowl commercials. This is the difference between the lab and the "real world". The lab is a control group, specifically because some other guy on the other side of the planet can reproduce the results in his own lab.
The variables in the real world, like having Flash and Java content, like having people using insecure passwords or keeping post-it notes in their purse/wallet, change everything.
And it is this very (real-world variables) reason why the Linux and Unix and FreeBSD servers get patched. The admins running the Windows servers are hesitant to just load up a service pack, because in the past, their machines have not survived the reboot.
Linux is open source, meaning lots of unbiased eyes are looking at the source code trying to find problems. When a problem is reported, it is fixed - usually before there is an exploit.
Windows is closed source, meaning that only Microsoft employees and contractors can see what the OS is doing "behind your back". Usually a problem is not fixed until after there has been an exploit.
If Windows is sending my private info (credit card info, Social Security number, keystroke logs, etc.), or downloading and installing software without my knowledge and permission, how would I know? Microsoft employees are not going to say anything because this would benefit the company they work for. Keeping silent about your boss's unethical activity is known as job security.
I'd trust an open source OS, such as Linux, before I'd even consider a closed source OS such as Windows.
This is just one of the many reasons that Linux is a better operating system.
Why doesn't Microsoft just open the entire source code of all its products and charge money for service and support?
Microsoft has, what... billions and billions of dollars? Can't they afford to do this? Are they afraid of what might be found in their code?
Every other niche has to use truth in advertising or face the wrath of the government.
Why is Microsoft not being held responsible for their blatant lies and misrepresentations?
This is disgusting.
Employees are expensive but running a company with integrity is priceless!
Different order but it fits. Create your own commercial...
BLAH BLAH BLAH priceless. For every other debt there's Mastercard.
Those signs are not because the gas station or hospital cares if you get cancer. They are because cell phones can have a negative effect on the businesses' operations. Gas stations put up "no cell phones" signs because electronic devices can cause sparks that will ignite gas fumes. It's the same reason you're not supposed to get in and out of your car while filling 'er up.
Hospitals put the signs for a similar reason--in the presence of elevated oxygen levels (common in parts of hospitals) sparks can cause major flames.
Just let me note, regarding your drug company example, that medicines generally don't make it unhealthy for everyone in a corporation to use alternative drugs from another company... :-)
The rest is a bit off topic. I commented instead of using mod points.
Karma: Excellent (My Karma? I wish...:-( )
Every single fucking article favoring microsoft you jackasses claim was sponsored by MS. You guys are just too damned insecure, pun intended
With their methodology, the proof of the pudding is this:
All MS has to do to make their OS more secure as part of their 'trustworthy computing' is to announce the service pack and what it fixes one day *after* releasing the said service pack, as the study uses a metric called 'days of risk'. Can't beat the resulting negative 'days of risk' unless the competitors did some serious time travelling to issue the patch. Sure seems that if you actually make early disclosures it counts against you. Some trustworthiness.
and start developing? :D
Instead of funding FUD, how about spitting discreetly downwind and downward (strengthening the OS)?
Holy crap, MS has been funding the research? That makes it so OBVIOUS the research is invalid! Y'all don't waste any time going for the ad hominem, do you?
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
If they did reveal their funding during the RSA presentation .......
http://seattlepi.nwsource.com/business/212384_msf
Linux vs Windows Security
(a Microsoft production)
Thompson and Ford walk out onto the stage.
Thompson: "My name is Thompson and I love Microsoft."
Ford: "My name is Ford and I love Linux. Hey Thompson, how many Microsoft programmers does it take to change a light bulb?"
T: "I don't know, Ford. How many Microsoft programmers DOES it take to change a light bulb?"
F: "None. They just declare dark to be the new standard. Ha ha!"
T: "Ha ... How about we do some of our 'research' to find out who has better security then?"
F: "Sure. I am sure that Linux will have better security than Windows, after all, I am Ford and I love Linux."
T: "Because we are security professionals, we will choose only the default settings of both systems. Is that okay with you my fellow security expert?"
F: "Yes, we should only choose the default settings because we are security experts."
T: "And then we should count how many security patches were released and how long it took to release them (after the public announcement)."
F: "That sounds like a very reasonable and fair way to determine who has better security. We should only count the days and number of vulnerabilities. We should under no circumstances do any comparison of vulnerabilities or determination of actual attack vulnerability. That would be very difficult and I'm only a Ph.D."
T: "Yes, that would be very difficult for I also am only a Ph.D. But even this limited scope will be expensive. If only we had someone willing to fund our 'research'."
Bill Gates walks on stage with a huge cardboard check.
BG: "Hi! I heard about your 'independent' 'research' project and I thought I'd give you some money to fund it. But please do not feel that this in any way obligates you to find that Windows is superior in every way to Linux. byacceptingthischeckyouagreethatallfindingswillberestrictedtomicrosoftsapprovalandallfindingswillrequiremicrosoftsapprovalbeforebeingpublished"
F: "What was that last part?"
T: "Never mind. It can't be that important if he said it so fast. How about we make a small wager on the outcome of this Microsoft funded research program concerning Linux vs Windows security?"
F: "Of course. I will bet $20 that Linux is more secure than Windows. After all, I hardly see how Linux can lose a security comparison in a Microsoft funded 'research' program." winks at audience.
T: "I agree. This 'research' will be completely independent and verifiable."
F: "On with the counting!"
Both of them pull out calculators and furiously punch buttons.
F: "Oh the shame! How could I ever be so WRONG?!?"
T: "It does seem that our Microsoft funded 'research' has determined that Win2003 is more secure than Linux."
F: "Yes, the fact that Red Hat took longer to release patches for publicly known vulnerabilities in software included in our default installations does show that I was wrong about Linux being superior to Win2003."
T: "Once again, when you ... Get The Facts ... you find that Windows isn't as bad as the urban myths would have you believe. It's actually more secure than Linux." smiles at audience.
This has been a dramatization of an actual event.
We would like to thank Microsoft and Bill Gates for their generous contribution without which this "research" could not have been possible (it costs a lot of money looking up vulnerabilities on a website).
We get long discussions about TCO and security and others but never about what we are allowed to do with the software.
The problem with freedom is that it's difficult to explain to people that never experienced it. As the old joke goes, when the American explained to the Russian that in the USA you can criticize the president as much as you like, the Russian replied: you can criticize the American president in Soviet Russia as well, there are no restrictions on that.
Yeah, it's a shame that funding makes the research tainted. Why can't FIT be more like that other technical college that did a research study between Linux and Windows in security that was funded by that unbiased party...oh wait, that's right. It didn't happen. And if it did, with the grant being provided by, oh, I don't know, IBM, it's just as easy to say it's biased in the other direction.
I applaud the university for this study. Academic research is all about how to get more funding. This study shows they have been taught well. Getting more funding is more important than the study itself. I see follow up studies.
In academic circles, tainting data to impress your sponsor, regardless of who it is, is a serious ethics violation. I haven't seen any evidence in the article to show that there was any bias. Assuming there is bias because of the funding source is not good enough. Show some proof before making such accusations.
Vote for Pedro
(4) How many fixes do Microsoft roll into their bulk-patch updates that they have managed to keep quiet about?
Sure, Microsoft's numbers are going to look low if they never admit most of their security holes and patches.
I just had an interesting thought. It would be a fascinating project to reverse engineer Microsoft released patches and identify what portions of them fix the declared vulnerability and count how many concealed changes it makes at the same time. A tricky thing to evaluate, but it should be able to turn up a pretty good estimate of the ratio between disclosed bugs and patches and covert bugs and patches. Then you just multiply announced bugs and fixes each year by the ratio to get a good estimate of the total number of yearly security holes.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Look at their "report".
...
... in theory, the REALITY is that, from a security standpoint, the Open Source model works as well or better than the closed model for 99% of the software out there.
Their sole criterion (days between public announcement and patch release) is specifically designed to fault any system with an open discussion of security and/or code.
They are faulting Linux for being Open Source and, as a result, attempting to show that the Open Source development process is less "secure" than the closed model.
We've seen this argument many times over the years. It's usually presented along with
"if they can see the code, they can find exploits"
and
"bad people can put exploits in the code".
While I can acknowledge the validity of those 3 points
This "report" is nothing more than a Microsoft funded attack on the Open Source software development model.
Isn't this the same one that was done by two amateurs, comparing RHEL and Windows Server 2000? The ones who didn't follow any type of real scientific method? The ones who based their experiment entirely on the "window of opportunity" between bug announcements and official bug patches? FUD is what this is: Fucked Up Dumb.
Tluin natha Linux xxizzuss uriu olt bwael mon'tun.
All this aside, what really worries me is the fact that a "presentation" like this made it to the RSA conference. C'mon, RSA conferences used to be "the thing", where you wouldn't have 2 anonymous guys (it's not like they're known for their research, or their skills, or anything) bleating about "Which one is safer?" topics.
Now, we have mediocre 'presentation', we also have information that it was sponsored by Microsoft.
I wonder who pushed for such a silly and meaningless presentation to show up at the RSA conference, hmmm...
In part, [Thompson] said, the idea was to avoid some of the divisiveness that often characterizes the Windows vs. Linux debate.
What BS. How stupid do they think everyone is? They didn't disclose because they knew that without the disclosure the story would be all over the tech press, and the followup revelation would be mostly confined to a thread on Slashdot.
"Researchers", hah.
Hi, how is Ballistics networking going?
With the default install of RHEL3 versus Win2k3 I'd wager that RHEL3 is less secure. RHEL3 is really old though. Both were released around the same time but the thing about Linux is that it's a faster moving OS than Windows.
I would have preferred to see a comparison of SLES10 and Win2k3 or for them to compare a RHEL4 beta to Win2k3. Heck, compare it to a Longhorn beta for all I care.
It doesn't seem fair to do comparisons on things that aren't the best version available.
Is it any wonder that a well configured Windows system can be more secure than a poorly configured Linux system? I can easily turn my Linux system into a security nightmare by enabling all services with default passwords, etc. Or I can turn my Windows system into Fort Knox by disabling everything under the sun.
Since they are not a monopoly at all, such a conviction is not correct.
' Any company that can be proven to be lying during a trial (perjury), as Microsoft was, and still get off without a penalty is far more powerful than any drug company. '
Since all they are "guilty" of is making a better browser than Netscape did, there is no injustice. Don't like Microsoft? Use something else.
MS, yet again, uses dirty, no, immoral tricks, but, hey, to criticize that is not because MS deserves the criticism, but because it makes us look cool on Slashdot.
Moron.
IANAL but write like a drunk one.