Users Reject MS Independent Study Claims

PenguinCandidate writes "End users from various corners of the Web have whole-heartedly rejected Microsoft's claims that an independent TCO comparison between Linux and Windows would be something akin to the second coming. Said one senior Linux architect: 'With Linux and open source, it is possible to arrive in a position where the organization has increased control over its situation [and reduced] its long-term costs. That's a highly desirable outcome and I doubt we'll ever see a Microsoft-funded study which will come to that conclusion.'"

Seriously...

[vidarlo]

No news to see, please move along.

There is nothing new here. The article says that MS studies is bullshit, and that Linux-vendors funded might be bullshit too... This is the only thing close to a neutral study I've seen about Linux and Windows, and that is about security, not TCO. TCO is not easy to measure.

There's also the excellent report on Total Cost of 0wnership, which concludes that it's less work to 0wn a windows-based computer. Mac scores good on the scale of 0wnership.

Re:Seriously...

[n0-0p]

I really have to disagree if your implication is that relative security is easy to measure between two systems. I also wonder why you would take Aitel's shameless pandering to mean anything more than he's a self-serving mercenary. That TC0 paper is just an advertisement for Immunity and their tools.

Back to the more important topic, switching from MS to a completely Open Source platform normally requires changing the whole software stack. In such cases you can't do a line by line comparison between the two different implementations. Handling of layered defenses and hardening measures vary too much between environments. Any valuable asessment has to view the system as a whole, including it's environment.

I've seen good and bad implementations on both sets of platforms. I admit that I like the freedom of Open Source and the ready access to code makes evaluation easier. It is my personal preference but I don't see it as a panacea of security and I'm sick of both sides slinging mud at each other.

Re:Seriously...

[ergo98]

This is the only thing close to a neutral study...

ARE YOU KIDDING? That piece of Slashdot karma-whoring claptrap was universally panned as being rife with terribly amateur errors and omissions, and the only people who took it seriously were the people who felt it vindicated their position. Petreley is an absolute laughing stock moron whose only readership is a couple of die-hard Linux zealots.

Re:Seriously...

[NickFortune]

I really have to disagree if your implication is that relative security is easy to measure between two systems.

I didn't think that was the GPs point at all. I took the point as

In general, Linux machines are more resistant to cracking than are windows boxes.

I think we can agree that it's possible to discuss generalities here. Few would quibble if I said

In general, systems that set a password are more secure than those that do not.

I don't think you can support that implicit assertion that only comparisons of specific systems are valid : feel free to argue the case to the contrary.

switching from MS to a completely Open Source platform normally requires changing the whole software stack. In such cases you can't do a line by line comparison between the two different implementations.

mmm... and if you have a context where it is necessary to compare two specific systems, a line by line comparison is arguably essential. But, given that we can legitimately discuss general relative security, it seems unwise to insist on a discussion only of specific systems.

Linux allows the user to have a far greater degree of confidence for a relatively small expenditure of effort. For example: It is possible to understand your firewall's operation and to validate that there are no vendor supplied backdoors and that there are no port knocking exploits other that those you may choose to define yourself. That is not so easy under Windows. Another example: on windows, it is difficult to avoid internet explorer. Even if you use (say) firefox, the filer windows still use IE dlls and sooner or later one of the IE security holes will make itself manifest. This is far easier to avoid on Linux.

I admit that I like the freedom of Open Source and the ready access to code makes evaluation easier. It is my personal preference but I don't see it as a panacea of security and I'm sick of both sides slinging mud at each other.

Obviously there are no panaceas in the security world, and I'd agree that mud slinging is a waste of everyone's time. But we can, and should, have civilised discussions of the relative merits of both systems - security included. And since security is one are where Linux historically does much bette than Windows, it seems a little unfair to say "come on chaps! let's keep restrict security discussion to specific installations".

LOL News from the 1860's

[Crashmarik]

You can fool some of the people all of the time, and all of the people some of the time, but you can not fool all of the people all of the time.
Abraham Lincoln, (attributed)
16th president of US (1809 - 1865)

But what is TCO anyway?

[Rosco+P.+Coltrane]

Suppose Microsoft demonstrates with a (real) independant study that Windows is, say, 30% less expensive than any other OS. Is it really all that counts? What if 5 years from now Microsoft pulls another one of its format-change trick and my company can't read the documents it produced 5 years ago reliably?

I'd say having control of your software, giving you better control over the data that is produced and a fighting chance against malware, as opposed to being enslaved to a software manufacturer, benevolent as it might appear to be, is a big part of the decision too. The problem can't be presented simply as a pure immediate or mid-term savings proposition. Possible loss of data, loss of services, and loss of business due to them are a big part of the equation, but of course it's not as easy to sell as "look, this costs less".

Re:But what is TCO anyway?

[n0-0p]

When the software is no longer supported by MS and you need security updates you don't really have a choice. I ran a pen-test against a business unit of large organization that chose not to upgrade from Office 96 to 2K. They figured they could safely skip a version to 2003 because there were no compelling new features and it wasn't really worth it.

Unfortunately there were several security vulnerabilities discovered in late 2000 including macro execution vulnerabilities for Word, Powerpoint, and Excel. MS was not providing patches for these issues on anything below Office 2K and their only response was to disable macros in all of the applications or upgrade. Neither was on option for them because they had apps that needed macros and the software budget couldn't cover the upgrade cost at that time.

During the pen-test we determined that these guys had a pretty good DMZ setup and very limited Internet presence. We still wanted the keys to the kingdom so we just ended up harvesting email addresses and firing macro exploits with callback trojans. In the end we owned the whole network and they looked really bad. And all of this occurred because they chose not to follow their vendor's forced upgrade path.

Re:But what is TCO anyway?

[einhverfr]

TCO is the lazy person's attempt to measure return on investment. I.e. how much will you have to pay to get x back in better productivity etc.

In my experience Linux-based businesses pay me more as a consultant (at the same hourly rate) than Windows-based businesses. However, this is often because they are getting a *higher* return on investment by being able to have solutions that do exactly what they want. I close reading of the IDC study on the Microsoft site may indicate that others are having similar experiences.

I.e. that you pay a consultant not because you can't make it work adequately in-house, but rather that you would like the product to do X, Y, and Z (which may not be available on Windows) and are willing to pay more for those features because you get a net benefit as a business.

For example, if you cannot adequately impliment a Linux-based file and print server inhouse, you are not going to pay a consultant to tweak the system for you. You will simply go back to Windows (Windows file and print sharing isn't that expensive). If you can, but you realize that it would be cool if (insert idea here) then you might pay a consultant to make that dream a reality.

What I am trying to say is that essentially all of the evidence I am seeing is that those customers who can and do move to Linux are spending more in part because they are investing in an infrastructure that they can use to build their business in very unique ways. As a result, they may be paying a bit more than they would with Windows, but it is not that they are getting a lesser deal. Instead, they are paying more because they are getting a *better* deal.

Lies, Damn lies, and statistics

[Safe+Sex+Goddess]

Sounds like they made the right decision. The article makes the great point that it's the definitions that make all the difference. It sounds very balanced. It just seems so natural that Open Source is the way to go. As with art and culture, many creative people would have you believe that everything new is created from nothing but their own creative spirit. However, it's possible to trace the historical influences on the evolution of arts and culture. Everything created is based on thousands of years of art and culture that belong to all of humanity. Even new scientific and technological developments are based on the entire history of human scientific knowledge that provides the foundation for new knowledge to be added to. And isn't that what Open Source is all about?

This will never be resolved

[Crixus]

A topic like this will never be resolved to anyone's satisfaction. The simple fact of the matter is that many huge corporations are using linux corporate wide, and many users on this blog use linux daily with an incredibly low TCO, and a huge satisfaction factor. :-)

That's all that matters.

Re:Linux and Windows

These studies are targetting corporate I.T. decision-makers, not home users like yourself. An I.T. department is likely to have the luxury of planning for the hardware that will be deployed in the future, and can thus make hardware incompatibilities a minimal concern.

Your claim of 800 hours is also completely off base from a corporate perspective. By setting a few GUI preferences, you could make it look and feel close enough to Windows that the majority of the Win32 workforce wouldn't care. The real work is done by the I.T. department, which probably already has significant in-house Linux muscle.

I won't even get into the benefits of improved manageability/lower licensing...

Gaming the cost of migration

[starfishsystems]

These Microsoft TCO studies present an analysis that seems ready to backfire on them.

The reason there's a high cost of migration off Microsoft systems is because Microsoft intentionally planned it that way. The "embrace and extend" strategy and many similar practices have been found in law to be designed for the purpose of making migration expensive.

If I were running a fair and objective TCO comparison, I would seek to measure the cost of migration both on and off each platform. Ideally, this would track costs not just once, but over several cycles. Since computing infrastructure is constantly evolving, a realistic TCO analysis has to deal with this scenario.

Security

[WindBourne]

just once, it would be good to see a single MS TCO study include the costs of virus, worms, etc.

Intangible costs

[HangingChad]

I know for a fact there are intangible costs associated with MSFT products that can't be documented in a TCO study.

For instance, one customer had SQL server go offline, taking down one of their primary applications, after the last round of security patches. I tell them to test the patches, but they don't want to spend the money. Go figure. Instead they pay me money to come in a fix what stops working. Every time there's a security patch update, I know I'm going to be busy.

For the Linux/MySQL installs I have to keep a book of SOP's next to the server because it's so seldom that anything goes wrong. If I don't make notes how to do stuff, I have to learn all over again the next time.

So, yeah, if you don't make notes then OSS does take more time because you forget what you did last year when X happened. And that information probably won't be on a tech support site somewhere.

With MSFT it seems like you're dorking with your servers all the time. I work on Windows and Linux servers and my opinion is that the Linux servers are more reliable and cost less to operate. That's hard to quantify but every time I see a MSFT TCO study I keep wondering how they get the numbers to come out in their favor.

I have a stupid question...

[SeventyBang]

Microsoft's efforts in these studies is obviously part of their marketing efforts. Microsoft's strongest suit is marketing, not technology development. After all, look at how many companies they've purchased vs. original technologies which have been developed in-house.

I will qualify my question with this: I like Linux, but I make my bread & butter off of Windows - like it or not, it's easier to find income [here] with Windows. n.b. I said easier. I didn't say the work was better.

Now:
If Windows is such a great product, why is Microsoft plucking out their own short hairs (one-by-one) in frustration because they cannot convince tens of thousands (hundreds of?) of corporate licenses to move from Windows 2000 when it went out of service on June 30 '05; well-covered by the media, no less? It would seem businesses|corporations are well aware the various flavors of 2K are (relatively speaking) arguably the most stable of Microsoft's O/S products. Office 2000 and Visual Studio 6.0 dovetail quite well with 2K, creating a very cozy ménage à trois.

The TCO certain is dropping over time. No need to upgrade software, no need to purchase an assload of new hardware to support upgraded software. Microsoft may have to break one of their "rules" re: backward compatibility. It's been said IE 7.0 won't work on pre-XP systems, although I don't think that's going to make corporate accounts give a rat's posterior because there are some fine, decaf browsers which work quite well and don't make anyone miss IE at all.

As I said, MS could easily prove TCO of Windows is low(er), but to do so would admit loudly businesses don't want to budge. So the question remains: how do they motivate the 2K users to pry open their accounts payable budget and upgrade? Until they answer that, it doesn't matter what they say about TCO.

Re:This will never be resolved, and here's why

[typical]

The Amish.

Re:I'm still weary.

[Hiro+Antagonist]

As a skilled Unix admin (according to your definition; I still consider myself to be a neophite, as there are always new things to learn), I rather resent your comparison, as 'Unix admin' and 'Windows admin' are not equal.

I've dug through kernel code and stack traces of buggy applications, conferred with developers, worked with Sun engineers to fix failing hardware, and generally dug very deep into the OS to find and fix problems. Only, I do this before the problems become problems, so that my userbase never sees my efforts.

It's kind of sad, really. They only know I exist when things go wrong, which is pretty rare.

Moreover, I am capable of, and have done, management of hundreds of servers at once. This is without any fancy clustering, expensive support contracts, or any other assistance. Just me, all by my lonesome. Sometimes things got hairy, of course, but overall, the systems I administrated just kept running, even through patches and upgrades galore.

Any problems that cropped up, other than hardware failures, I could fix remotely, saving me an hour-long trip into the office. What was great was when there was another admin, we had time for all sorts of things. The backup system got improved, a whole new security model got put in-place, vacations were took, a new monitoring system got installed...it was great.

One admin. Two hundred servers. That's five milliadmins per server, for the mathematically impared. With no clustering or vendor support, other than for failing hardware, and in a dirt-cheap bare-bones budget environment. Can a Windows admin, even an experienced one, make that claim? I think not.

TCO is important

[typical]

The problem is that for a long time, somewhere, it was hammered into people's heads that "TCO is important". That's a pretty simple, important concept. The idea is that the vendor can hide costs, and that the customer's up-front cost may be less than what they will actually wind up paying.

However, the entire concept of having a bloody vendor doing a TCO study and presenting you with the results is absurd -- it's the vendor presenting you with *another* set of up-front costs. Who is to say that they don't have *more* hidden costs? Unless they are providing you with a guarantee that you will not have to pay a single cent above the TCO that they are claiming, that they will pay every cent in your related costs above claimed TCO, a vendor-supplied TCO is simply meaningless.

The concept of TCO is important. The idea of slapping an absolute value for TCO on product packaging is quite silly.

I think that there's one pretty simple argument in favor of Linux. Any time a vendor provides any possibility of lock-in, be it user familiarity with their software, format incompatibility with thier software, whatever, there is a cost to migrate. At some point, if they are doing a good job of running their business, they will wind up extracting from you $COST_OF_MIGRATION - 1. That's an ideal case, but that's the way it is. Look at software packages from people like IBM, Novell, and so forth. They *will* get more expensive, have expensive things to interface their software and so forth, and the further on in the lifecycle the software is (the more entrenched their remaining customers are and the harder it is to move away from the product) the more expensive the prices. IBM makes a tremendous amount of money from simply providing compatibility with their old systems -- IBM's systems are *not* cheap. Look at SCO if you want to see an even more towards-the-end-of-the-life example.

Now, Microsoft has a great deal of lock-in potential. They provide the primary application suite, have a number of closed formats and protocols, the operating system, and the server-side apps to interface with the application suite. Now, if you go with Microsoft, you are gambling that either (a) someone will come along and reduce cost of migration to a nominal amount (not that likely, especially when it is in Microsoft's interests not to allow this), or (b) that Microsoft will screw up extracting money from their locked-in customers at some point in the future (which seems unlikely, because Microsoft has done a pretty decent and aggressive job of being a business thus far).

Now, I expect Red Hat to do the same damn thing at Microsoft at some point in the future, someday. The point is that it's not very hard to transition from Red Hat to something else if necessary, be it as simple as to White Box Linux or even more extreme (SuSE, Debian, etc). At least in the current state of things, it is extremely difficult for a Linux vendor to achieve any significant degree of lock-in. Start worrying if a vendor starts shipping non-open-source GUI apps (build user familiarity with them, making it harder to switch away), servers (closed protocols, leveraging incompatibility), or so forth. Aside from TrollTech, though, I've seen few attempts to "get a lock" on the Linux distro world, and it looks like there will be a multi-vendor environment for a long time to come. Seems like a pretty attractive option.

Re:I'm still weary.

[SaDan]

I used to manage over 2500 Windows desktops and servers in 17 locations in North America. I also managed over 200 Linux and Solaris servers at the same time.

Both were equally time consuming, but for very different reasons. Hardware failures on the cheap Dell workstations caused me a lot of grief with the Windows workstations. Constant software updates, installs, and hardware upgrades consumed most of my time with the *nix machines.

I also had no clustering or vendor support, except for Dell techs who were dispatched onsite to replace hard drives and motherboards.

Personally, I prefer working with Solaris and Linux, but that doesn't mean I won't administer Windows boxes to the best of my abilities either.

The point is, it depends on what you do with your Windows machines, and what you do with your Linux/Unix machines. In my case, 2500+ Windows machines didn't take a lot of time to manage once they were set up and locked down. The 200+ *nix servers did take a lot of time to manage, but they also did all of the heavy lifting for the company.

Not entirely accurate

[WindBourne]

Not only are the users clued up, but so are the developers. Quite honestly, almost all, if not all Linux distros are superior to Windows for security. If the day comes that Windows is more secured then Linux (i.e. far less bugs and comes secured out of the box), then Linux will have issues.

With that said, I noticed in my logs today that somebody was making a concerted effort to kill my home server and 5 other servers that a company that I help with owns. In a 5 hour period, there were no less than 20,000 attempts, mostly aimed at root via sshd (which was shut down ages ago). Most of the systems( there were 20) that were coming at these boxes were Windows, but 3 of them appear to be macs. I thought that was interesting.