Yankee Group Survey Says Windows, Linux TCO Equal

prostoalex writes "A new survey by Yankee Group analyst Laura DiDio shows Windows and Linux are viewed as equal by U.S. businesses. In the eternal OS wars, '88 percent of respondents said that the quality, performance and reliability of Windows was equal to or better than Linux.' Companies were also asked to rank the operating systems on security. On a scale of 1 to 10 'companies rated Microsoft's security at 7.6, double the rating in a similar survey conducted last year. Linux's rating was mostly the same at 8.3.' Conclusion? 'DiDio said that most companies -- whether large or small -- rarely take the huge step of replacing one operating system with another. Instead, they usually add a mix of Windows and Linux server software to expand functionality.' Microsoft used last year's Yankee Group survey results in their Get the facts campaign."

What was their sample?

[Admiral+Trigger+Happ]

It would be easier enough to get a "mathmatically" representative sample with very small number of people who have never used linux. I have worked for or with Business that have setup Windows and Linux Networks also mixed enviroments, and for some of them it windows had a lower TCO (thats because they would have had to train too many staff to use Linux and that was awhile ago) Other people find that a Linux network as a significantly lower TCO than Windows. On the topic of training we have got people to sit down on a linux box (properly configured) with no prior linux exp, and they thought it was better than windows. ------ Admiral Trigger Happy

Of course she did

We didn't always think of her as a 'whatever'. She had to work hard to earn her reputation.

Some readers may not be familiar with her work since SCO has pretty much fallen off the pages of Slashdot. Those of us who frequent www.Groklaw.net are quite familiar with her. Her 'reportage' on the SCO story has been so slanted and devoid of reality that some of us wonder if she's from the same planet we are. To put this in context: Groklaw is Pamela Jones' blog. Pamela will delete a post if she thinks the poster was even thinking rude thoughts. Pamela is really really polite. Pamela was once reduced to calling this lady Didiot. You really have to be something to get Pamela that riled!

Re:What are they using?

[mboverload]

Windows XP is pretty secure if you know what you are doing. Disable the services, get antivirus and a firewall and you are set. Don't forget the router firewall, probably the most important part of securing your machine. I have never gotten a virus doing this.

Then again, this only works with people who know what they hell they are doing. No matter what I would never recommend Windows as a internet-facing server. I run a Windows 2003 server here in my home but it is just to learn it and host a small site with little traffic.

Re:DiDio. Why am I not surprised?

[wct]

In fact, her position has often been more anti-Linux than pro-Microsoft. This is the same Laura Didio that signed the SCO NDA back in 2003 and came back to report:

"The courts are going to ultimately have to prove this, but based on what I'm seeing ... I think there is a basis that SCO has a credible case," and "This is not a nuisance case."

I don't buy this.

This result seems very dubious. I had an experience in our lab that lead me to belive that linux TCO is lower than windows. We recently bought a dual processor server with windows 2003 on it. The system administrator spent a whole month to stabilize the system. In the due process, he has to erase the partitions for atleast 4 times. This was because of the viruses that were infecting the system as soon as it has been hooked up to the network. This was not the case when we bought a *nix based system. It took him a week to do the proper configuration of the system and that was it. It's still going on strong without any problems (from > three years). Where as with our new windows system, we are keeping our fingers crossed for everyday, literally everyday. We don't know when it going to be infected. The twist in the tale is the windows system has been bugged with viruses even though there was a firewall. Now from my prespective, it is clear that TCO of windows is not at all equal to *nix.

Re:equal?

[node+3]

That's not something you see very often,

What do you think the odds are that Windows and Linux are actually both equal?

"TCO" is completely subjective--it's not a universal value. It's like trying to define the 'universal frame' in physics. There is no such thing.

Does your company require the features of Exchange? Is the cost of *not* having those features higher than the cost of the support and licensing for the Exchange server? Is your company a science/engineering centered one? In that case, Unix is more of a requirement than having a nice, simple, start menu or the ability to run word macros.

TCO is more myth than fact. As an organization, you have to look at your needs, your limitations and your strengths, and go from there. "TCO" is about as meaningful as "best in its class", for which the proper response is, "says who?"

Laura DiDio is well known at Groklaw

[Nice2Cats]

Anybody interested in this study should wander over to Groklaw and read up on what they have collected on Laura DiDio -- she's not an unknown in the Linux and especially SCO world. Also, it is interesting that Reuters sold Yankee Group, which I don't take as a sign that some of the world's best financial journalists are too impressed with their work.

But then, maybe they're all wrong and Mrs. DiDio is right. After all, she's an analyst, right?

This says it all:

[Sweetshark]

http://www.microsoft.com/windowsserversystem/facts /videos/didio_video.wvx

com'on guys, microsoft.com needs some traffic ...

here's the survey

[kpharmer]

http://www.sunbelt-software.com/surveys/040213_Lin ux.htm

oh, and btw - it was sent out to readers of the w2k news magazine:
http://www.w2knews.com/index.cfm?id=463

So, the sample of survey respondents was about as controlled as a george bush or saddam hussein political ralley.

More at: http://www.groklaw.net/article.php?story=200403240 85956154

Re:What are they using?

[GlassUser]

I'll never consider XP a secure OS as long as it is required to have administrator/enhanced privileges to run consumer-level software

Sounds like you need to stop using crap software. Everything I use (including a lot of MS software like office, project, etc) works just fine in a proper configuration.

Re:What are they using?

[galdur]

Maybe you should take a look at those CERT advisories again:

Red Hat:
http://www.kb.cert.org/vuls/bymetric?searchview&qu ery=red*hat&searchorder=4&count=100
Microsoft:
http://www.kb.cert.org/vuls/bymetric?searchview&qu ery=microsoft&searchorder=4&count=100

Guess which list is longer?
SELinux, Novell's SUSE Linux CC EAL4+ certification (where's XP's/2003's EAL4+ cert?).

Not to mention that the French government is putting 7 million euros into creating a Linux derivative with a CC EAL5+ certification. Windows ahead? Pah.

Re:What are they using?

What you think Mandatory Access Controls are and what they realy are are 2 entirely different things from what I can tell.

Windows may claim to have some sort of limited MAC based on certain roles, but Microsoft claims a lot of things about windows which is not true.

For isntance they liked to call the NT kernel a 'Microkernel' back in the day when people cared about that sort of thing. Of course this is bullshit. It has certain aspects of a microkernel, but it is not.

NT security model follows the Unix one which is called the 'Discretionary Access Control', or DAC.

DAC is based on authentication based on identity. You login as a user and that user has certain rights to certain files. Your identity is your username, which is realy just a repsentation of your UID numbers.

You log in as root, you have unlimited access to your system.

Also any rights of programs you run is based on your UID and GUID numbers (unless the program's setuid bit is used). If you can access a file, so can your program. If you can't access a file then neither can the program your using.

In Unix this dividing line between users is VERY strong. It was designed ground up as a multiuser enviroment and if you can't do something, then neither can your programs your running (except for the setuid, or if you use sudo.)

Setuid posses big security risks and is used sparingly and is ignored for certian types of programs, such as shell scripts, which are easily perverted.

Windows, for this sort of thing, sucks. It originally was a single user enviroment and with Windows 2k/XP it has a single user API grafted onto a real Multi-user NT OS. This causes all sorts of exceptions having to be made for all sorts of programs and is one of the reasons Windows is harder to secure vs Linux/Unix.

MAC is not extend access control lists!!! ACLS != MAC.

Mandatory Access Controls are something else completely. It's NOT BASED ON UID OR GUID. In Linux it's used in addition to DAC and doesn't replace it but it allows much tighter controls.

SELinux was developed by National Security Agency (NSA) to provide a framework for building Role Based Access Control.

Say I am root, I can set it up so that under different circumstances I can and cannot do different things. If I login thru SSH I can set it up so that I have different role then if I am logged in at a local terminal.

Literally I can, with a SELinux-enabled Linux computer, give you my ROOT PASSWORD and a let you log into my computer and move around in it with no risk of you doing anything bad to me.

And this also happens to programs that run under my UID. Now with Unix you setup a fake user to run applications/services like Apache.. However with SELinux I could safely run Apache under UID 0. (root).

Even if Apache had a huge buffer overflow and the attacker was able to execute successfully some shell code and gained access as root/administrator to my machine, he would only be able to fuck with files that Apache needs to run. Any other services, any other programs would still be completely off limits.

AND this requires no reprogramming of the Apache server. This rules are set below programs, below the file system, all the way to the very core of the kernel. From hardware to the very top levels of the OS there is no way around MAC, unless the rules were designed badly.

Any violation, or unexpected activity of the Apache server would be logged and recorded.

This describes Windows's security model and gives it the military term of 'C2' security.
http://support.microsoft.com/kb/93362/EN-US/

SELinux gives Linux OS the ability to have B-level security.

Redhat ES 4 and Fedora Core 2, and Fedora Core 3 have SELinux, but are not 'trusted' OS's yet. The rules that they use are fairly liberal and are designed to provide maximum compatability with existing applications yet provide high levels of security for servi

Bzzzt. Wrong.

Windows never had Mandatory Access Controls. And never had. NT didn't have it.

Unix and Windows use what is called 'Descresionary Access Controls', or DAC.

What your talking about is, probably, ACL. Access Control Lists.

ACLS are normal, Windows has ACLs so does Linux.

What you mean are extended ACLs. Windows NT had support for Extended Access Control Lists. Which goes beyond the model created for Unix which is:
user, group, everybody else (world)...
read, write, execute.

EACLs are NOT MANDATORY ACCESS CONTROLS. Mandatory access controls are something else completely and is not based on your username or what groups your user belongs to. Windows simulates certain role based authentaction, but it's not realy MAC.

MAC in SELinux are also RBAC. It allows a framework to be developed so that you can have a truly 'trusted linux' setup and is used in addition to the normal DAC that is used in Windows and Linux already.

NT does not, nor ever had, MAC.

Re:What are they using?

[LizardKing]

The joke is on Thompson, he reinvented VMS badly.

VMS wasn't to be available for another eight years when Unix was conceived.

Re:What are they using?

Quantum typically means small, at least as it relates to physics.

Er, no. Quantum means (not "typically means") discrete, or packetized. From Wikipedia:

The term quantum (Latin for quantity) refers to the discrete units that the theory assigns to certain physical quantities, such as the energy of an electromagnetic wave.

"Quantum leap" refers to the process of an electron moving from one quantum shell to another, which has always been visualized as a very rapid transition to a much different level. Just as is happening with Linux development, in fact.

The rest of your post was right on par with your understanding of quantum physics.

Mod parent down: -1 WRONG

[swillden]

You obviously do not know what Mandatory Access Controls are.

Sorry, you're the one who doesn't know what they are. Windows does not have them, and neither did VMS. MACs are not ACLs (which VMS had, NT has and Linux and Unixes now have, but only acquired fairly recently and don't much use).

MACs are a tool for setting up other access restrictions, based on how you access the system (console, SSH, HTTP, etc.) and are orthogonal to user identity-based access controls. If I configure the system to disallow anyone who logged in via SSH from touching any system or user files, I could give you my root password and you couldn't do any damage. More importantly, I could rest easy about remote root exploits in OpenSSH, or any sort of privilege escalation attack. Even if you manage to fool the OS into thinking you are a different user, you're not going to be able to fool it about how you're talking to it.

I repeat: Windows does not have Mandatory Access Controls.

Easy

[iehnll]

W2Knews readers are not representative of all administrators. Therefore, Yankee group can only make conclusions about W2Knews readers. It's also a voluntary response, which is a problem. In no way should it be taken seriously. Hey why don't we take a poll of slashdot admins to see if they prefer windows or linux! What? 90% Of administrators who read slashdot thinks linux rulz0rs and windows blowz0rs 10% Run windows because their boss said to Wow that must mean 90% of ALL administrators LOVE linux. They aren't just bad statisticians, but liars! But Dirty, stinking liars too.

Re:What are they using?

[drsmithy]

For isntance they liked to call the NT kernel a 'Microkernel' back in the day when people cared about that sort of thing. Of course this is bullshit. It has certain aspects of a microkernel, but it is not.

I don't think NT has ever been called a "microkernel". I've only ever seen it called "microkernel based".

NT security model follows the Unix one which is called the 'Discretionary Access Control', or DAC.

This is true from a very broad perspective, but on a closer inspection there are some major differences. The (typical/traditional) unix security model is fundamentally only divided into "root" and "not root". On a somewhat higher level, it's user/group/other, but that only applies to the "no root" side of the equation and. basically, only to things that are accessed via the filesystem.

In NT, individuals ACLs are applied per user - there is no concept of a "superuser" - and to objects within the OS. So stuff like IPC has ACLs. It's far, far more fine grained and pervasive.

Windows, for this sort of thing, sucks. It originally was a single user enviroment and with Windows 2k/XP it has a single user API grafted onto a real Multi-user NT OS.

Bollocks. "Windows 2k/XP" *IS* the "NT OS" - just different releases - and Windows NT was designed to be multiuser from day 1.

This causes all sorts of exceptions having to be made for all sorts of programs and is one of the reasons Windows is harder to secure vs Linux/Unix.

The biggest problem on Windows is lazy and/or ignorant software developers writing their software under the assumption that a) it's running on Windows 95 and/or b) anyone who runs it will be an Administrator. So they do dumb things like write to the program's installation dir, or try and store per-user settings in the part of the registry reserved for global settings (both places which, obviously, regular users can't write to).

This has nothing to do with the API, it's just bad software development. Many developers who should know better do the wrong thing as well. With Doom 3, for example, id have written their software to write to files in the application's installation path. This has *nothing* to do with the Win32 API.