Slashdot Mirror


Yankee Group Survey Says Windows, Linux TCO Equal

prostoalex writes "A new survey by Yankee Group analyst Laura DiDio shows Windows and Linux are viewed as equal by U.S. businesses. In the eternal OS wars, '88 percent of respondents said that the quality, performance and reliability of Windows was equal to or better than Linux.' Companies were also asked to rank the operating systems on security. On a scale of 1 to 10 'companies rated Microsoft's security at 7.6, double the rating in a similar survey conducted last year. Linux's rating was mostly the same at 8.3.' Conclusion? 'DiDio said that most companies -- whether large or small -- rarely take the huge step of replacing one operating system with another. Instead, they usually add a mix of Windows and Linux server software to expand functionality.' Microsoft used last year's Yankee Group survey results in their Get the facts campaign."

14 of 351 comments

  1. What are they using? by fembots · · Score: 5, Insightful

    The survey needs to take into account what OS the respondents are currently using, that's the single most important factor.

    You don't use an OS that you don't like, and if that's not true (e.g. you're forced to use a pre-installed OS), then you probably wouldn't know any better alternative if you've been using only one OS.

    If a Linux-only user said Windows is better, or vice versa, what does that mean? How does he come to this conclusion? The most credible answers should be from Multi-OS users.

    I'm not saying this study is inaccurate, but there are simply too many things to consider, and this may well lead to a simple conclusion - software choice is more on personal preference than anything else.

    1. Re:What are they using? by belmolis · · Score: 5, Interesting

      It's really too bad that we don't have access to the actual study. Without it it is hard to judge very much. I went to the Yankee Group web site and found their press release, which is a little bit more informative than the news item, but not much. Elsewhere on the Yankee Group site they reveal that the study will not be available until JUNE 2005. Funny that they are issuing press releases now about a study that won't be released for two months. I wonder if that is so that they can have their impact now and defer the hard criticism?

      Anyhow, there was an interesting bit in the YG press release:

      However, Yankee Group's survey shows Linux gaining momentum as a complementary server presence in Windows networks. More than 50% of companies surveyed said they plan to install Linux in parallel with, or in addition to, existing Windows operating systems.

      I think that this gives us a hint of what is going on. If MS Windows were really perceived as better than Linux, or even equal, the cost of making a change and general inertia would presumably result in little Linux adoption. The fact that the same businesses in which MS Windows has an overall reputation of being better than Linux are adding Linux or shifting partly to Linux suggests that there is actually a perception of Linux as better and/or cheaper. I suspect that what is going on is that the reputation questions were answered largely by managers with little firsthand technical knowledge, who have, however, been pushed by their techie subordinates to allow a shift in the direction of Linux.

    2. Re:What are they using? by Zeinfeld · · Score: 5, Insightful

      Then again, this only works with people who know what the hell they are doing.

      Which goes the same for pretty much any O/S. If you have a pinhead they will configure the machine insecurely.

      No matter what I would never recommend Windows as an internet-facing server. I run a Windows 2003 server here in my home but it is just to learn it and host a small site with little traffic.

      You mean even if the figures say that Windows is more secure you will never choose it? Or are you only referring to the current release?

      Whatever, I think that Linux advocates should take a lesson from history, it is really hard to maintain an O/S distinction in the security area. The only reason Linux is any better is that UNIX machines have been Internet connected by default for about 15 years while with Windows it's only about 8. Read the CERT advisories from the 90s, they are almost all reports of UNIX vulnerabilities.

      UNIX got cleaned up, Windows will be cleaned up. Back in the 90s UNIX was a byword for insecurity, people still used SUID scripts and shadow passwords were only used by a minority.

      What is more interesting here is the derivative. The perception of Windows is improving rapidly, the perception of Linux is pretty static. I don't see a heck of a lot of new security action going on in the Linux world. There is a heck of a lot going on in the Windows world.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    3. Re:What are they using? by AstroDrabb · · Score: 5, Insightful

      Why don't we look at this rationally? The Yankee Group doesn't do "studies" for free. The Yankee Group are a for-profit company. So basically someone paid the Yankee Group to do this "study".

      Now, who could it be? Could it be Red Hat, SuSE, IBM or some other pro-Linux company? I have serious doubts about that. What about Microsoft? Well, MS has certainly paid for other "studies" to be done in the past. So I don't think there would be any major reason to not count MS in on this "study". Basically we just need to find out _who_ paid for this "study" to really see where the bias lies.

      I remember last year I had a phone call from some unknown company that was doing a "study" about MS. I was asked how I felt about MS as a company. How I felt about the products put out by MS and if I "trusted" MS. As soon as I answered that I "did not trust MS as a company", I was told my "interview" was over and "thank you for your time". So it seems as soon as one of these companies gets a negative response about the company that is footing the bill, the interview dies.

      Does anyone know who _paid_ for this "study"?

      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
    4. Re:What are they using? by galdur · · Score: 5, Informative

      Maybe you should take a look at those CERT advisories again:

      Red Hat:
      http://www.kb.cert.org/vuls/bymetric?searchview&query=red*hat&searchorder=4&count=100
      Microsoft:
      http://www.kb.cert.org/vuls/bymetric?searchview&query=microsoft&searchorder=4&count=100

      Guess which list is longer?
      SELinux, Novell's SUSE Linux CC EAL4+ certification (where's XP's/2003's EAL4+ cert?).

      Not to mention that the French government is putting 7 million euros into creating a Linux derivative with a CC EAL5+ certification. Windows ahead? Pah.

    5. Re:What are they using? by Anonymous Coward · · Score: 5, Informative

      What you think Mandatory Access Controls are and what they really are are 2 entirely different things from what I can tell.

      Windows may claim to have some sort of limited MAC based on certain roles, but Microsoft claims a lot of things about Windows which are not true.

      For instance they liked to call the NT kernel a 'Microkernel' back in the day when people cared about that sort of thing. Of course this is bullshit. It has certain aspects of a microkernel, but it is not.

      NT security model follows the Unix one which is called the 'Discretionary Access Control', or DAC.

      DAC is based on authentication based on identity. You login as a user and that user has certain rights to certain files. Your identity is your username, which is really just a representation of your UID numbers.

      You log in as root, you have unlimited access to your system.

      Also any rights of programs you run are based on your UID and GUID numbers (unless the program's setuid bit is used). If you can access a file, so can your program. If you can't access a file then neither can the program you're using.

      In Unix this dividing line between users is VERY strong. It was designed ground up as a multiuser environment and if you can't do something, then neither can your programs you're running (except for the setuid, or if you use sudo.)

      Setuid poses big security risks and is used sparingly and is ignored for certain types of programs, such as shell scripts, which are easily perverted.

      Windows, for this sort of thing, sucks. It originally was a single user environment and with Windows 2k/XP it has a single user API grafted onto a real Multi-user NT OS. This causes all sorts of exceptions having to be made for all sorts of programs and is one of the reasons Windows is harder to secure vs Linux/Unix.

      MAC is not extended access control lists!!! ACLs != MAC.

      Mandatory Access Controls are something else completely. It's NOT BASED ON UID OR GUID. In Linux it's used in addition to DAC and doesn't replace it but it allows much tighter controls.

      SELinux was developed by the National Security Agency (NSA) to provide a framework for building Role Based Access Control.

      Say I am root, I can set it up so that under different circumstances I can and cannot do different things. If I login thru SSH I can set it up so that I have a different role than if I am logged in at a local terminal.

      Literally I can, with a SELinux-enabled Linux computer, give you my ROOT PASSWORD and let you log into my computer and move around in it with no risk of you doing anything bad to me.

      And this also happens to programs that run under my UID. Now with Unix you setup a fake user to run applications/services like Apache.. However with SELinux I could safely run Apache under UID 0. (root).

      Even if Apache had a huge buffer overflow and the attacker was able to execute successfully some shell code and gained access as root/administrator to my machine, he would only be able to fuck with files that Apache needs to run. Any other services, any other programs would still be completely off limits.

      AND this requires no reprogramming of the Apache server. These rules are set below programs, below the file system, all the way to the very core of the kernel. From hardware to the very top levels of the OS there is no way around MAC, unless the rules were designed badly.

      Any violation, or unexpected activity of the Apache server would be logged and recorded.

      This describes Windows's security model and gives it the military term of 'C2' security.
      http://support.microsoft.com/kb/93362/EN-US/

      SELinux gives Linux OS the ability to have B-level security.

      Redhat ES 4 and Fedora Core 2, and Fedora Core 3 have SELinux, but are not 'trusted' OS's yet. The rules that they use are fairly liberal and are designed to provide maximum compatibility with existing applications yet provide high levels of security for servi

  2. Opinion Based by Anonymous Coward · · Score: 5, Insightful

    '88 percent of respondents said that the quality, performance and reliability of Windows was equal to or better than Linux.' Companies were also asked to rank the operating systems on security. On a scale of 1 to 10 'companies rated Microsoft's security at 7.6, double the rating in a similar survey conducted last year. Linux's rating was mostly the same at 8.3.'

    Notice, it doesn't say security professionals for security, it doesn't say economists for TCO, it says companies. I'm sorry, but the first thing to enter my mind in this situation is a "Pointy Haired Boss" filling these things out. It's basically an opinion survey, pointless in anything but spreading FUD.

  3. Re:No comment... by wasted · · Score: 5, Insightful

    From the Article: "Server operating systems are largely commoditized," DiDio said, adding that many companies were not tracking their operating costs closely enough to base their decisions on total cost of ownership, or TCO, the main cost metric when comparing Linux and Windows.

    So, they ask the bosses "What is the TCO for Windows-based servers?"
    "I don't know"

    Then, they ask the bosses "What is the TCO for Linux-based servers?"
    "I don't know"

    Since "I don't know" equals "I don't know", the conclusion is that the operating systems have equal TCOs, at least in the eyes of the business managers.

  4. Re:DiDio = Shill by gnasher719 · · Score: 5, Insightful

    Does she have credibility? About as much as Ken Brown ("A swedish student named Linux Torvald copied Linus from Minux which his professor Tannenbaum copied from Unix"), Rob PretEnderle (the one with the Ferrari Notebook that makes Vroom Vroom noises) and Maureen O' Gara (Linux is completely stolen from SCO) together. Minus infinity + Minus infinity + Minus infinity = Minus Infinity.

  5. Of course she did by Anonymous Coward · · Score: 5, Informative

    We didn't always think of her as a 'whatever'. She had to work hard to earn her reputation.

    Some readers may not be familiar with her work since SCO has pretty much fallen off the pages of Slashdot. Those of us who frequent www.Groklaw.net are quite familiar with her. Her 'reportage' on the SCO story has been so slanted and devoid of reality that some of us wonder if she's from the same planet we are. To put this in context: Groklaw is Pamela Jones' blog. Pamela will delete a post if she thinks the poster was even thinking rude thoughts. Pamela is really really polite. Pamela was once reduced to calling this lady Didiot. You really have to be something to get Pamela that riled!

  6. Not FUD! by CaymanIslandCarpedie · · Score: 5, Insightful

    I don't see how this survey can be considered FUD. They aren't saying anything either is better or worse than the other. They simply relay feelings of their respondents.

    The whole point of this of course isn't to compare the platforms or make a suggestion on which is better, it just conveys the feelings of their respondents.

    Should this be used as a basis for a decision for what to use? Of course not!!! Is this an interesting insight into the current thinking of corporate IT departments? Yes.

    It isn't FUD and isn't pointless, but if you take any of this as FACT, that's your mistake. This is simply an interesting look at current thinking. If this thinking is correct or not isn't the point. It's like saying a poll finding 80% of people are against the war in Iraq is FUD. That poll wouldn't mean we should or shouldn't be there (as the respondents may not really be qualified to know), it would just give an interesting view of what people are thinking.

    Read this article as such.

    --
    "reality has a well-known liberal bias" - Steven Colbert
  7. Re:DiDio. Why am I not surprised? by wct · · Score: 5, Informative

    In fact, her position has often been more anti-Linux than pro-Microsoft. This is the same Laura Didio that signed the SCO NDA back in 2003 and came back to report:

    "The courts are going to ultimately have to prove this, but based on what I'm seeing ... I think there is a basis that SCO has a credible case," and "This is not a nuisance case."

  8. A guess? by Anonymous Coward · · Score: 5, Funny

    ...the study says 88% said windows was equal or better - but how many said it was better versus equal?

    A quick guess -

    1% preferred Windows, rather than an office in the middle of the building with no natural light.
    87% didn't really understand the question or were afraid to show they didn't know, and said they were equal.
    12% said Linux was better.

  9. Bzzzt. Wrong. by Anonymous Coward · · Score: 5, Informative

    Windows never had Mandatory Access Controls. And never had. NT didn't have it.

    Unix and Windows use what is called 'Discretionary Access Controls', or DAC.

    What you're talking about is, probably, ACL. Access Control Lists.

    ACLS are normal, Windows has ACLs so does Linux.

    What you mean are extended ACLs. Windows NT had support for Extended Access Control Lists. Which goes beyond the model created for Unix which is:
    user, group, everybody else (world)...
    read, write, execute.

    EACLs are NOT MANDATORY ACCESS CONTROLS. Mandatory access controls are something else completely and are not based on your username or what groups your user belongs to. Windows simulates certain role based authentication, but it's not really MAC.

    MAC in SELinux are also RBAC. It allows a framework to be developed so that you can have a truly 'trusted linux' setup and is used in addition to the normal DAC that is used in Windows and Linux already.

    NT does not, nor ever had, MAC.
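
Added example, not part of any comment in this thread: a simplified Python model of the layering described in the two Anonymous Coward comments on DAC versus MAC, with a Unix-style DAC check followed by a type-enforcement check in the spirit of SELinux. The policy table, labels, paths and log line format are constructed for illustration and are not real SELinux policy or kernel code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int
    gid: int
    domain: str   # MAC label of the process (illustrative)

@dataclass(frozen=True)
class File:
    path: str
    owner: int
    group: int
    mode: int     # Unix permission bits, e.g. 0o644
    ftype: str    # MAC label of the file (illustrative)

# Constructed allow rules: (process domain, file type) -> permitted operations.
# Anything not listed is denied, whatever the UID.
ALLOW = {
    ("httpd_t", "httpd_sys_content_t"): {"read"},
    ("httpd_t", "httpd_log_t"): {"append"},
}
BITS = {"read": 4, "write": 2, "append": 2}
audit_log = []   # MAC denials are recorded here

def dac_allows(p, f, perm):
    """Discretionary check: identity (UID/GID) against mode bits; root bypasses."""
    if p.uid == 0:
        return True
    shift = 6 if p.uid == f.owner else 3 if p.gid == f.group else 0
    return bool((f.mode >> shift) & BITS[perm])

def mac_allows(p, f, perm):
    """Mandatory check: labels only; UID and GID are never consulted."""
    return perm in ALLOW.get((p.domain, f.ftype), set())

def access(p, f, perm):
    """MAC is applied in addition to DAC: both layers must agree."""
    if not dac_allows(p, f, perm):
        return False
    if not mac_allows(p, f, perm):
        audit_log.append(
            f"denied {{ {perm} }} scontext={p.domain} tcontext={f.ftype} path={f.path}")
        return False
    return True

# Constructed sample objects: a web server running as UID 0 but confined to httpd_t.
apache = Process(uid=0, gid=0, domain="httpd_t")
user = Process(uid=1000, gid=1000, domain="httpd_t")
page = File("/var/www/html/index.html", 0, 0, 0o644, "httpd_sys_content_t")
shadow = File("/etc/shadow", 0, 0, 0o000, "shadow_t")
```

Under DAC alone the root-owned web server can read `/etc/shadow`; with the label check layered on top, the same request is refused and leaves an audit entry, while reading its own content still succeeds.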