Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Silently Backs Favorable Presentation at RSA

Posted by CowboyNeal on from the part-of-the-machine dept.

lildogie writes "Two researchers, from the Florida Institute of Technology and Boston-based Security Innovation Inc., 'surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system' according to the Seattle Post-Intelligencer. 'This week, the researchers released their finished report, and it included another surprise: Microsoft was funding the project all along.' When will they ever learn?"

3 of 256 comments (clear)

  1. Re:Would somebody please refute the numbers by Fished · · Score: 5, Informative

    Linux vulnerabilities tend to get reported before there's an exploit, even when the "vulnerability" is very minor. Windows vulnerabilities only come to light when there is an exploit, because no one can see the code.

    --
    "He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
  2. Get the real stats by markcox · · Score: 5, Informative

    http://blogs.redhat.com/people/archive/000201.html links you to the raw downloadable data on how well Red Hat really did and a trivial Perl script to analyse it and drop out all sorts of metrics.

    --
    -- Mark Cox, http://www.awe.com/mark/
  3. Our firm reviewed the report pre-publication... by QuantGuy · · Score: 5, Informative

    ...and found it lacking in several respects.

    Some background. I work as an industry analyst for a major technology research firm you've heard of. We were asked to review the methodology and findings of the report prior to its publication---i.e., at the beginning of March.

    Things I commented on, among others:

    • No detailed breakdown of individual vulnerabilities. Which components were affected? How are they distributed?
    • No indication of which version of Apache being used. 1.x? 2.x? Were the vulnerabilities for both versions counted erroneously?
    • Prominence given to a dubious metric: "days of risk," which biases scores in favor of Microsoft since Red Hat, Apache et al don't follow the same "responsible" disclosure process
    • Comparison of a managed runtime script engine (CLR+ASP.NET) with one that isn't (PHP). The correct "apples-to-apples" comparison (that's the authors' phrase, not mine) would be with JRE+JSP (e.g., Tomcat). Gee, no buffer overflow problems with ASP.NET. What a surprise!

    In short, the authors' claims that the methodology was "transparent" and "reproducible" are unfounded, since there is no way to inspect the data underlying their conclusions. I predicted they'd be heavily flamed by the open source crowd, and that they ought to make some changes to the report before they went public. They didn't, other than to acknowledge (but not address) a few of the methodological issues we raised.

    It's really too bad, since I really liked their emphasis on "role-based" analysis; that is, look at specific "stack" for a particular use case, for example web serving. The methdology paper, in case you haven't read it, is worthwhile reading. But all that good work is sullied since we can't see the data.