Slashdot Mirror


Microsoft Silently Backs Favorable Presentation at RSA

lildogie writes "Two researchers, from the Florida Institute of Technology and Boston-based Security Innovation Inc., 'surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system' according to the Seattle Post-Intelligencer. 'This week, the researchers released their finished report, and it included another surprise: Microsoft was funding the project all along.' When will they ever learn?"

16 of 256 comments

  1. Wait what? by failure-man · · Score: 5, Funny

    People will say whatever you want if you give them lots of money? Impudence!

  2. The *real* reason Microsoft sucks... by danielrm26 · · Score: 5, Insightful

    These people make me sick. It's stories like this that make me realize why Microsoft is the object of so much hate. It's not because of their products, it's all about how they deal with competition.

    I like Active Directory and a few other Microsoft creations, and I even have an MCSE. Hell, Exchange has a good feature-set; if it would just stay up and be easier to manage it'd be a great product too.

    What I can't abide is being told that IIS is superior to Apache, and that Windows is more secure than "Linux". They send out these teams of spin-doctors with big bankrolls and try and take over the world using FUD. It's total crap.

    When do you see Linus doing this? Steve Jobs? Not very often. There are occasional comments, but nothing like this steady stream of trash that comes out of Redmond. I grow tired of it, and my reasons for disliking the company have never been more clear.

    --
    dmiessler.com -- grep understanding knowledge
    1. Re:The *real* reason Microsoft sucks... by failure-man · · Score: 5, Funny

      Who modded this troll? Does Microsoft pay to mod down anti-fud too?

    2. Re:The *real* reason Microsoft sucks... by danielrm26 · · Score: 5, Insightful

      It's not trolling if there is a real point being made other than to incite hostility and debate. My point is clear: Microsoft has a lot to offer by way of products, but they turn people off by being so deceitful when dealing with competition.

      If you think a comment along those lines is trolling, I suggest you take another look at the definition.

      --
      dmiessler.com -- grep understanding knowledge
    3. Re:The *real* reason Microsoft sucks... by BoomerSooner · · Score: 5, Insightful

      Not exactly. It's easier to run a company with a conscience if it isn't publicly traded and has few owners. My company operates with the intent of integrity being our first goal. If you run a company without having sales people that lie, support personnel that don't care and managers that only care about the bottom line, it's pretty easy to be successful without losing your moral compass.

      My company isn't taking off as quickly as I'd hoped, but I'd rather fail and leave my conscience intact and know that I did it the ethical/moral way. Our goal is to build mutually beneficial relationships with our customers, not to sell them shit they don't need.

      Sales people push. Partners (what we consider ourselves) work to provide benefits. It's no harder to operate in a good manner than it is in a poor manner.

      That being said, my first company failed (too green out of college), my second company is just running at break-even (it does provide some good community services though so it's good karma either way), and my third company is getting close to break-even.

      I'd rather work for myself and make $20,000/year than work for (insert global corp here) and make $120,000/year. It's more rewarding and the stress isn't comparable. Most people don't realize that starting your own business is primarily difficult because it requires fiscal discipline and the ability to not be afraid of the umbilical (sp?) cord being cut from receiving a paycheck every 2 weeks or half month. In the end most people are 2 paychecks away from being broke anyway.

      Employees are expensive but running a company with integrity is priceless!

  3. Should be from.... by Anonymous Coward · · Score: 5, Funny

    The article should be from the 'well-duh' dept.

  4. It's not just Microsoft by bird603568 · · Score: 5, Interesting

    If you want your product to be found safe or secure or whatever, you fund research. Cell phone companies fund research to show that they are safe, but a recently published study by a guy from the University of Washington proved otherwise.

  5. They already did learn. by sicking · · Score: 5, Insightful

    When will they ever learn?

    When will who learn? Microsoft? They already did. They learned that funding research groups is a great way to portray themselves as they see fit and at the same time spread FUD about Linux and other competitors.

    --
    Failing to learn from history dooms you to repeat it.
  6. Re:Would somebody please refute the numbers by Fished · · Score: 5, Informative

    Linux vulnerabilities tend to get reported before there's an exploit, even when the "vulnerability" is very minor. Windows vulnerabilities only come to light when there is an exploit, because no one can see the code.

    --
    "He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
  7. Get the real stats by markcox · · Score: 5, Informative

    http://blogs.redhat.com/people/archive/000201.html links you to the raw downloadable data on how well Red Hat really did and a trivial Perl script to analyse it and drop out all sorts of metrics.

    --
    -- Mark Cox, http://www.awe.com/mark/
  8. Re:Unsurprising by beh · · Score: 5, Insightful

    Okay, who didn't see this coming?

    Only those who follow enough news to "know" M$ tactics.

    Unfortunately, there are enough middle/upper management people who don't look into matters that closely and are simply "swayed" by knowing that M$ has market dominance -- and just tell themselves that "M$ wouldn't have it if their products sucked so badly, now would they?".

    As long as there is enough ignorance or even indifference on (non-technical) management levels, M$ *will* see benefits from each time they're doing that.

    (Besides, there is also the issue that you can't really go on to sue them for bad security if so many security companies openly tell of Microsoft's great security and the lack of security in competing OS's.).

    The fact is, M$ OS's aren't "safe", and neither is a run-of-the-mill Linux installation. Both need updates and security-conscious people administrating them to keep them shut. I've had people break into my (Linux) servers once or twice, and managed to evict the attackers both times and plugged the holes they used that I had been unaware of before - but by now there are so many software packages that it's hard to keep track of security issues in all of them.

    But, yes, despite those experiences, I'd still run a linux box over a windows box any day, because I think that in general my linux box is safer.

  9. This is "interesting"? I THINK NOT. by Svartalf · · Score: 5, Insightful

    C'mon now... We found faults with the methodology to begin with. The metrics they're using are completely useless for determining the relative security of an OS- they're using time to release fixes for reported exploits.

    Now...

    1) Microsoft waits until they actually have a fix, or are forced to report/acknowledge an exploit when someone else makes an issue of it.

    2) Microsoft doesn't report any other exploits that they know about and doesn't go auditing for potential issues either.

    3) The Open Source community as a whole is rather paranoid compared to Microsoft when it comes to overall security so they report anything that might be a potential problem.

    Given the above items, that isn't a terribly good metric for determining overall security, nor is determining how secure the OS is by the reported issues. Overall security is a measure of how many issues, how severe, how exploitable, and how well they get fixed. Microsoft consistently flunks in the overall issues (they have more than we do, we just don't find out about them until after the fact...), severity, and fixing arenas.

    Combine this all with the facts that Microsoft maintained editorial AND financial control of the entire "study" and it all becomes a farce and worthy of the derision we're all heaping up on it.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  10. The bottom line.. by schon · · Score: 5, Insightful

    The numbers are correct, however as they say, there are lies, damn lies, and statistics.

    The problems with the study:

    1. The researchers were dealing with vendor-supplied patches of RHEL 3.0 and Windows 2003 Server only. If a Linux vulnerability was released, and then patched by the author on the same day, but Red Hat didn't release an update until 7 days later, this would be counted as a week. (Which may or may not be the correct way to view it - it's an 'apples-to-apples' comparison of a distinct 'apples-to-oranges' problem.)

    2. The researchers didn't take into account the severity of the vulnerabilities. A local DoS vulnerability was given the same weight as one that offered remote administrative privileges. The RHEL vulnerabilities were typically not as severe as the Windows ones.

    3. The researchers didn't take into account whether the vulnerabilities were theoretical or not. A vulnerability that was theoretical was given the same weight as one which was proven real. All of the vulnerabilities in Windows were real, while the same is not true of RHEL.

    4. The researchers didn't take into account the fact that RHEL has *much* more software included with it than Windows Server 2003. More software == more vulnerabilities.

    5. The study dealt with "public disclosures" - security researchers typically work with the vendors, giving them some period of time to produce a fix before releasing the advisory; again, as the "vendor" in OSS is the program author, and not Red Hat, MS has a distinct advantage in "number of days to fix", as they can have a fix ready before the advisory is released, while Red Hat usually cannot. (This ties back into point #1 above.)

  11. Our firm reviewed the report pre-publication... by QuantGuy · · Score: 5, Informative

    ...and found it lacking in several respects.

    Some background. I work as an industry analyst for a major technology research firm you've heard of. We were asked to review the methodology and findings of the report prior to its publication---i.e., at the beginning of March.

    Things I commented on, among others:

    • No detailed breakdown of individual vulnerabilities. Which components were affected? How are they distributed?
    • No indication of which version of Apache was being used. 1.x? 2.x? Were the vulnerabilities for both versions counted erroneously?
    • Prominence given to a dubious metric: "days of risk," which biases scores in favor of Microsoft since Red Hat, Apache et al don't follow the same "responsible" disclosure process
    • Comparison of a managed runtime script engine (CLR+ASP.NET) with one that isn't (PHP). The correct "apples-to-apples" comparison (that's the authors' phrase, not mine) would be with JRE+JSP (e.g., Tomcat). Gee, no buffer overflow problems with ASP.NET. What a surprise!

    In short, the authors' claims that the methodology was "transparent" and "reproducible" are unfounded, since there is no way to inspect the data underlying their conclusions. I predicted they'd be heavily flamed by the open source crowd, and that they ought to make some changes to the report before they went public. They didn't, other than to acknowledge (but not address) a few of the methodological issues we raised.

    It's really too bad, since I really liked their emphasis on "role-based" analysis; that is, look at the specific "stack" for a particular use case, for example web serving. The methodology paper, in case you haven't read it, is worthwhile reading. But all that good work is sullied since we can't see the data.

  12. How do you define "security"? by khasim · · Score: 5, Insightful

    > That said, Linux Distros aren't really that secure - esp the desktop configurations - once all the typical desktop stuff is installed.

    Here, let me give you a basic lesson in "security".

    It's all about limiting the avenues of attack.

    I run Ubuntu, you cannot crack my machine with any worm because it does not have any ports open to you.

    I can put that machine on a DSL connection and read /. all day and never be cracked.

    > I doubt Mozilla is secure - it's just not been as targeted. Mozilla regularly crashes and exits on me for no apparent reason.

    Ah, I see you are from the "security == marketshare" School of "security experts".

    You believe that no matter how much care is put into designing an app, security holes will magically appear once enough people start using it.

    > If you can get a C/C++ program to crash, an attacker can usually get it to run arbitrary code of the attacker's choice.

    Nope. That's usually a sign of a "buffer overflow".

    > Same with OpenOffice. Not very stable even with just normal usage. Microsoft Word hardly crashes in comparison.

    Nice. You keep confusing software that crashes with security holes.

    Whatever.

    > However for some reason, the latest fully patched IE seems to crash repeatedly on some sites when I drag a link in a browser window and let go within the same window (needs javascript enabled - I only enable javascript for a few sites). I don't recall it doing that before.

    And no mention of Browser Helper Objects or how IE runs with unreasonably high access rights.

    > The Linux kernel has had a fair number of bugs just this year too.
    >
    > So they're all crap ;).

    Well, you certainly can't argue with that "logic".

    All I can do is to point out that all security issues are not the same.

    #1. Remote exploit that gives root/admin rights.

    #2. Remote exploit that gives non-root access.

    #3. Local exploit that gives root/admin rights. ...

    Way way way down the list is "Exploit that crashes the app". The worst you can get from that is a DoS attack.

    But to you, all issues are the same. If Firefox crashes, that's just as bad as the Sasser worm on Windows.

    Sure, it may be impossible TODAY for someone to crack my Ubuntu desktop ... but when enough people use it, an exploit will magically appear and no amount of planning and coding will stop that.

  13. It's worse than that... by khasim · · Score: 5, Insightful

    #1. They didn't even evaluate the risk of each item they were counting AS IT PERTAINED TO THEIR DEFAULT INSTALL.

    #2. They ONLY counted the days until Red Hat had a fix ... NOT the days until a fix was publicly available.

    So, a local exploit in a .pdf reader that goes unpatched for a year (after being posted on a public mailing list) is (by their calculations) WORSE than a remote root attack against the web server that is open on port 80 but which has a patch from Red Hat within a week (and a publicly available patch posted with the vulnerability announcement).

    WTF?!?

    Or, rather, Microsoft can SIT on a vulnerability notification for YEARS and release the patch the SAME DAY they publicly admit the vulnerability and they will STILL get a better rating than the Apache vulnerability in the previous example.

    There was NO research done for this "study". It is pure bullshit. Counting patches is MEANINGLESS when it comes to security.

    By their "logic", MS-DOS 6.2 is even more secure than Win2003.
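
The counting conventions argued over in schon's comment (#10) and khasim's comment (#13) above, worked through in code: days from public disclosure to the OS vendor's fix (the study's convention), days to the earliest public fix from anyone, and days from the private report to the vendor, each both unweighted and weighted by the severity ranking khasim lists in #12. This is an added example, not code from the report, from Red Hat, or from any poster; the product names, vulnerability labels, dates and severity weights are constructed for the illustration and do not correspond to real advisories.

```python
"""Days-of-risk under three counting conventions, with optional severity weights.

All records, dates, product names and weights below are constructed for this
example; they are not figures from the Security Innovation report.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Weight ordering follows the ranking in the thread (remote root > remote
# user > local root > crash/DoS); the numeric values are arbitrary assumptions.
SEVERITY_WEIGHT = {
    "remote_root": 10.0,
    "remote_user": 5.0,
    "local_root": 2.0,
    "dos": 0.5,
}


@dataclass(frozen=True)
class Vuln:
    name: str                     # hypothetical label, not a real advisory id
    severity: str                 # key into SEVERITY_WEIGHT
    disclosed: date               # public disclosure date
    vendor_fix: date              # date the OS vendor shipped a fix
    upstream_fix: Optional[date]  # date the program author published a fix, if any
    reported: Optional[date]      # date the vendor was privately notified, if known


def days_of_risk(v: Vuln, convention: str) -> int:
    """Days a user was exposed, under one of three conventions.

    'vendor': disclosure -> vendor fix (what the study counted).
    'public': disclosure -> earliest public fix, vendor's or upstream author's.
    'report': private report -> vendor fix (exposure the vendor knew about).
    A fix on or before the start date counts as zero days.
    """
    if convention == "vendor":
        start, end = v.disclosed, v.vendor_fix
    elif convention == "public":
        start = v.disclosed
        end = min(d for d in (v.vendor_fix, v.upstream_fix) if d is not None)
    elif convention == "report":
        start, end = (v.reported or v.disclosed), v.vendor_fix
    else:
        raise ValueError(f"unknown convention {convention!r}")
    return max((end - start).days, 0)


def summarize(vulns: List[Vuln], convention: str) -> Tuple[int, float, float]:
    """Return (count, mean unweighted days, severity-weighted day total)."""
    raw = [days_of_risk(v, convention) for v in vulns]
    weighted = sum(SEVERITY_WEIGHT[v.severity] * d for v, d in zip(vulns, raw))
    return len(raw), sum(raw) / len(raw), weighted


def better_under(convention: str, products: Dict[str, List[Vuln]]) -> str:
    """Name of the product with the lowest mean days of risk under a convention."""
    return min(products, key=lambda name: summarize(products[name], convention)[1])


# Constructed records. "distro_a" fixes land upstream first and in the distro
# later; "vendor_b" ships its fix the day it discloses, long after being told.
DISTRO_A = [
    Vuln("httpd-remote-root", "remote_root", date(2004, 6, 1),
         vendor_fix=date(2004, 6, 8), upstream_fix=date(2004, 6, 1), reported=None),
    Vuln("pdf-viewer-local-root", "local_root", date(2004, 3, 1),
         vendor_fix=date(2004, 9, 1), upstream_fix=date(2004, 3, 3), reported=None),
    Vuln("imagelib-dos", "dos", date(2004, 5, 10),
         vendor_fix=date(2004, 5, 12), upstream_fix=date(2004, 5, 10), reported=None),
]
VENDOR_B = [
    Vuln("rpc-remote-root", "remote_root", date(2004, 7, 13),
         vendor_fix=date(2004, 7, 13), upstream_fix=None, reported=date(2003, 10, 1)),
    Vuln("shell-remote-user", "remote_user", date(2004, 8, 10),
         vendor_fix=date(2004, 8, 10), upstream_fix=None, reported=date(2004, 5, 1)),
]
PRODUCTS = {"distro_a": DISTRO_A, "vendor_b": VENDOR_B}

if __name__ == "__main__":
    for convention in ("vendor", "public", "report"):
        for name, vulns in PRODUCTS.items():
            n, mean_days, weighted = summarize(vulns, convention)
            print(f"{convention:7s} {name:9s} n={n} mean={mean_days:6.1f} weighted={weighted:7.1f}")
        print(f"{convention:7s} -> lowest mean days of risk: {better_under(convention, PRODUCTS)}")
```

With these constructed records, vendor_b wins under the study's 'vendor' convention (0 days, because every fix ships on disclosure day) while distro_a's pdf-viewer entry drags its mean up to 64 days; under the 'report' convention the same vendor_b records show 286 and 101 days of exposure and distro_a wins. Changing which dates you subtract, or whether a local-root bug is weighted like a remote-root one, flips the ranking with no change to the underlying facts, which is the point the comments above are making.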