Yankee Group Survey Says Windows, Linux TCO Equal
prostoalex writes "A new survey by Yankee Group analyst Laura DiDio shows Windows and Linux are viewed as equal by U.S. businesses. In the eternal OS wars, '88 percent of respondents said that the quality, performance and reliability of Windows was equal to or better than Linux.' Companies were also asked to rank the operating systems on security. On a scale of 1 to 10 'companies rated Microsoft's security at 7.6, double the rating in a similar survey conducted last year. Linux's rating was mostly the same at 8.3.' Conclusion? 'DiDio said that most companies -- whether large or small -- rarely take the huge step of replacing one operating system with another. Instead, they usually add a mix of Windows and Linux server software to expand functionality.' Microsoft used last year's Yankee Group survey results in their Get the facts campaign."
We didn't always think of her as a 'whatever'. She had to work hard to earn her reputation.
Some readers may not be familiar with her work since SCO has pretty much fallen off the pages of Slashdot. Those of us who frequent www.Groklaw.net are quite familiar with her. Her 'reportage' on the SCO story has been so slanted and devoid of reality that some of us wonder if she's from the same planet we are. To put this in context: Groklaw is Pamela Jones' blog. Pamela will delete a post if she thinks the poster was even thinking rude thoughts. Pamela is really really polite. Pamela was once reduced to calling this lady Didiot. You really have to be something to get Pamela that riled!
In fact, her position has often been more anti-Linux than pro-Microsoft. This is the same Laura Didio that signed the SCO NDA back in 2003 and came back to report:
"The courts are going to ultimately have to prove this, but based on what I'm seeing ... I think there is a basis that SCO has a credible case," and "This is not a nuisance case."
http://www.sunbelt-software.com/surveys/040213_Linux.htm
oh, and btw - it was sent out to readers of the w2k news magazine:
http://www.w2knews.com/index.cfm?id=463
So, the sample of survey respondents was about as controlled as a George Bush or Saddam Hussein political rally.
More at: http://www.groklaw.net/article.php?story=20040324
Maybe you should take a look at those CERT advisories again:
Red Hat:
http://www.kb.cert.org/vuls/bymetric?searchview&query=red*hat&searchorder=4&count=100
Microsoft:
http://www.kb.cert.org/vuls/bymetric?searchview&query=microsoft&searchorder=4&count=100
Guess which list is longer?
SELinux, Novell's SUSE Linux CC EAL4+ certification (where's XP's/2003's EAL4+ cert?).
Not to mention that the French government is putting 7 million euros into creating a Linux derivative with a CC EAL5+ certification. Windows ahead? Pah.
What you think Mandatory Access Controls are and what they really are are 2 entirely different things from what I can tell.
Windows may claim to have some sort of limited MAC based on certain roles, but Microsoft claims a lot of things about Windows which are not true.
For instance they liked to call the NT kernel a 'Microkernel' back in the day when people cared about that sort of thing. Of course this is bullshit. It has certain aspects of a microkernel, but it is not.
The NT security model follows the Unix one, which is called 'Discretionary Access Control', or DAC.
DAC is based on authentication based on identity. You log in as a user and that user has certain rights to certain files. Your identity is your username, which is really just a representation of your UID numbers.
You log in as root, you have unlimited access to your system.
Also any rights of programs you run are based on your UID and GUID numbers (unless the program's setuid bit is used). If you can access a file, so can your program. If you can't access a file then neither can the program you're using.
In Unix this dividing line between users is VERY strong. It was designed from the ground up as a multiuser environment and if you can't do something, then neither can the programs you're running (except for setuid, or if you use sudo.)
Setuid poses big security risks and is used sparingly, and is ignored for certain types of programs, such as shell scripts, which are easily perverted.
Windows, for this sort of thing, sucks. It originally was a single-user environment and with Windows 2k/XP it has a single-user API grafted onto a real multi-user NT OS. This causes all sorts of exceptions having to be made for all sorts of programs and is one of the reasons Windows is harder to secure vs Linux/Unix.
MAC is not extended access control lists!!! ACLs != MAC.
Mandatory Access Controls are something else completely. It's NOT BASED ON UID OR GUID. In Linux it's used in addition to DAC and doesn't replace it but it allows much tighter controls.
SELinux was developed by the National Security Agency (NSA) to provide a framework for building Role Based Access Control.
Say I am root; I can set it up so that under different circumstances I can and cannot do different things. If I log in through SSH I can set it up so that I have a different role than if I am logged in at a local terminal.
Literally I can, with a SELinux-enabled Linux computer, give you my ROOT PASSWORD and let you log into my computer and move around in it with no risk of you doing anything bad to me.
And this also happens to programs that run under my UID. Now with Unix you set up a fake user to run applications/services like Apache. However with SELinux I could safely run Apache under UID 0 (root).
Even if Apache had a huge buffer overflow and the attacker was able to execute successfully some shell code and gained access as root/administrator to my machine, he would only be able to fuck with files that Apache needs to run. Any other services, any other programs would still be completely off limits.
AND this requires no reprogramming of the Apache server. These rules are set below programs, below the file system, all the way to the very core of the kernel. From hardware to the very top levels of the OS there is no way around MAC, unless the rules were designed badly.
Any violation, or unexpected activity of the Apache server would be logged and recorded.
This describes Windows's security model and gives it the military term of 'C2' security.
http://support.microsoft.com/kb/93362/EN-US/
SELinux gives Linux OS the ability to have B-level security.
Redhat ES 4 and Fedora Core 2, and Fedora Core 3 have SELinux, but are not 'trusted' OS's yet. The rules that they use are fairly liberal and are designed to provide maximum compatibility with existing applications yet provide high levels of security for servi
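Added example, not code from the thread: a toy reference monitor in Python that models the point of the comment above, that a process running as uid 0 passes the DAC check yet is still confined by type-enforcement rules keyed on its domain, and that MAC denials are logged. The domains, type labels, file modes and allow rules are constructed for illustration and are not a real SELinux policy.

```python
from dataclasses import dataclass

@dataclass
class File:
    owner_uid: int
    mode: int           # Unix permission bits, e.g. 0o644
    selinux_type: str   # type label, e.g. "httpd_config_t"

@dataclass
class Process:
    uid: int
    domain: str         # SELinux domain the process runs in, e.g. "httpd_t"

# Constructed allow rules, (domain, file type) -> permitted accesses.
# "*" stands in for the broad rules an unconfined domain gets.
ALLOW = {
    ("httpd_t", "httpd_config_t"): {"read"},
    ("httpd_t", "httpd_content_t"): {"read"},
    ("httpd_t", "httpd_log_t"): {"read", "write"},
    ("unconfined_t", "*"): {"read", "write", "exec"},
}

AUDIT_LOG = []   # denials are recorded here, like AVC messages in the audit log

def dac_allows(proc, f, perm):
    """Classic DAC: root bypasses; others need the owner/other mode bit (group ignored)."""
    if proc.uid == 0:
        return True
    bit = {"read": 4, "write": 2, "exec": 1}[perm]
    shift = 6 if proc.uid == f.owner_uid else 0
    return bool((f.mode >> shift) & bit)

def mac_allows(proc, f, perm):
    """Type enforcement: only an explicit allow rule grants access; uid plays no part."""
    rules = ALLOW.get((proc.domain, f.selinux_type), set()) | ALLOW.get((proc.domain, "*"), set())
    return perm in rules

def check_access(proc, f, perm, path):
    """Both DAC and MAC must agree; a MAC denial is logged as an AVC-style record."""
    if not dac_allows(proc, f, perm):
        return False
    if not mac_allows(proc, f, perm):
        AUDIT_LOG.append(f"avc: denied {{ {perm} }} path={path} "
                         f"scontext={proc.domain} uid={proc.uid} tcontext={f.selinux_type}")
        return False
    return True

if __name__ == "__main__":
    apache = Process(uid=0, domain="httpd_t")   # Apache running as root, confined to httpd_t
    print(check_access(apache, File(0, 0o600, "shadow_t"), "read", "/etc/shadow"), AUDIT_LOG)
```

Root in the unconfined domain still reads everything, which is why the comment's guarantee depends on the policy confining the service's domain rather than on the uid.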
Windows never had Mandatory Access Controls. And never had. NT didn't have it.
Unix and Windows use what is called 'Discretionary Access Controls', or DAC.
What you're talking about is, probably, ACL. Access Control Lists.
ACLs are normal, Windows has ACLs so does Linux.
What you mean are extended ACLs. Windows NT had support for Extended Access Control Lists. Which goes beyond the model created for Unix which is:
user, group, everybody else (world)...
read, write, execute.
EACLs are NOT MANDATORY ACCESS CONTROLS. Mandatory access controls are something else completely and are not based on your username or what groups your user belongs to. Windows simulates certain role based authentication, but it's not really MAC.
MAC in SELinux is also RBAC. It allows a framework to be developed so that you can have a truly 'trusted linux' setup and is used in addition to the normal DAC that is used in Windows and Linux already.
NT does not, nor ever had, MAC.
You obviously do not know what Mandatory Access Controls are.
Sorry, you're the one who doesn't know what they are. Windows does not have them, and neither did VMS. MACs are not ACLs (which VMS had, NT has and Linux and Unixes now have, but only acquired fairly recently and don't much use).
MACs are a tool for setting up other access restrictions, based on how you access the system (console, SSH, HTTP, etc.) and are orthogonal to user identity-based access controls. If I configure the system to disallow anyone who logged in via SSH from touching any system or user files, I could give you my root password and you couldn't do any damage. More importantly, I could rest easy about remote root exploits in OpenSSH, or any sort of privilege escalation attack. Even if you manage to fool the OS into thinking you are a different user, you're not going to be able to fool it about how you're talking to it.
I repeat: Windows does not have Mandatory Access Controls.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.