Microsoft Claims Firms 'Hitting a Wall' With Linux

maxifez writes writes to tell us that Microsoft has released yet another independent study downplaying the viability of Linux at the enterprise level. The study claims that Windows is "more consistent, predictable, and easier to manage than Linux." From the article: "The study, commissioned by the software giant from Security Innovation, a provider of application security services, claimed that Linux administrators took 68 per cent longer to implement new business requirements than their Windows counterparts." Vnunet.com has also provided a PDF of the original report.

forgot the scare quotes

[ChipMonk]

Yet another "independent" study.

Re:forgot the scare quotes

[frodo+from+middle+ea]

Well they don't claim to be independent...that's a start.

Re:forgot the scare quotes

[SatanicPuppy]

I think the flood of microsoft biased studies in the last year go a long way toward bolstering linux's claims. If they weren't to some extent true, microsoft wouldn't be trying so hard to discredit them.

I don't know why they bother honestly. My bosses bosses boss recently informed me that we use Microsoft almost exclusively. I just nodded and smiled, because it was easier to do that than explain that even our DESKTOPS are mostly Mac, and our infrastructure is 90% unix (Solaris, linux, bsd). The only people who really read those studies don't know what the hell they're talking about anyway.

I don't give a damn what microsoft's studies say. I've been using unix, linux, and windows for years, and unix and linux have ALWAYS been more reliable. I've got a 250,000 dollar machine hooked up to a brand new Dell box running 2003 that goes down as often as a nickel whore, and I am SICK of hearing from Microsoft that this is just my imagination!

Re:forgot the scare quotes

[st1d]

Possibly, as they generally are put together by Linux fans, whereas MS seems destined to buy it's positive studies. From another standpoint, it's one thing to have "educated, well known, and well respected" fans produce a study, and a whole other thing to have to pay good money to get anybody to put their reputation on the line to back your product. As well, Linux studies tend to present considerable supplemental data for others to repeat their studies on their own, whereas MS's studies tend to do little more than announce a vague result the entire IT world is supposed to accept. Part of this is simply because the paid-for study house requires payment for detailed explainations of methods and results, but that's not very convincing (reeks of mail-order scams, to me, at least -- "Send in your money, and we'll make you successful!").

Part of the problem for MS, especially regarding studies, is that they are selling a "one size fits all" solution, whereas Linux allows numerous variations to best achieve your goals. MS is facing a tough battle, trying to convience everyone that they are the best solution for all situations (read as: easy to use for uncaring sheep), yet technically appealing to even the most distinct niche users.

As Mike Warnke once said as the moral of a long story: "If you try to please everyone, you're going to lose your ass." (How's that for an obscure reference?)

Re:forgot the scare quotes

[cbreaker]

It's not only the fact that some of the Linux claims must be true, but the fact that Microsoft continues to attempt to discredit Linux says one thing: It's a viable alternative to Microsoft.

They put Linux on the radar more and more with every one of these stunts. I'm with you - I really enjoy working with Unix systems. It's not because it's trendy to do so, it's because the Shit Just Works. I don't have to pour through vague event log entries on to fix problems with a clean install, I don't have to have a Microsoft tech come out and live with us for three weeks to address odd AD anomolies, and I don't have to use undocumented features to make something work.

The power of the Linux community simply can't be ignored. If you have a problem with just about anything with any OSS, you can always find a lot of information about it with a quick google search. The same is not true with Windows software - often times I get the dreaded "Sorry, no results found."

Nobody can honestly claim that Microsoft software hasn't improved in the last few years. It's a lot better then how things used to be. Unfortunately for them, it just doesn't matter anymore. They blew it. Linux is here, it's a lot more flexible, and it's not going away. It surrounds Microsoft from all sides (Very high end, embedded, very small (PDA's, cell phones)) and it's only a matter of time before it completely replaces Windows on core desktop and traditionally Windows based server environments.

It goes beyond the generic server arena, though. Have you have the chance to work with VMWare ESX server? It's awesome! Completely Linux based. Not only is the "service console" running Linux, the vmkernel itself is a customized Linux kernel which runs on top of it. VMWare ESX is so nice - you can really see what a Linux system is capable of: powerful, customizable, very easy to use.

That's the way I see it, anyways. And I do primarily Windows server work.

68% of what?

[aborchers]

"Linux administrators took 68 per cent longer to implement new business requirements than their Windows counterparts"

What the study failed to mention is that 86 per cent of the time to implement was spent convincing the executives and attorneys that using Linux was worth pursuing.

Re:68% of what?

[Nato_Uno]

"Linux administrators took 68 per cent longer to implement new business requirements than their Windows counterparts"

That's what you get for actually thinking through what a sane implementation should involve rather than clicking "Install -> OK -> OK -> OK -> OK -> Reboot Now"...

Warning: possible incongruity detected!

[Trelane]

"We invite other vendors, including Novell, IBM and Red Hat, to repeat their own independent analysis based on Security Innovation's methodology."

Umm, is not "their own independent analysis" rather oxymoronic?

Well

[paranode]

I wouldn't discredit it completely. I think the conclusion is possibly quite true. Microsoft is generally easier and quicker to deploy, but then... what has that gained them over the past 5-10 years? A reputation of horrible security and systems that seem like they were thrown together by monkeys (again, because it is in fact so easy).

Linux may have more implementation overhead but the results, I would argue, are generally superior.

Re:Well

[Golias]

They are not talking about the time to deploy the server itself.

From the Summary (because who bothers to RTFA anymore?):

"...claimed that Linux administrators took 68 per cent longer to implement new business requirements than their Windows counterparts..."

That much is probably true. Implementing some new process on a Linux box probably does take a bit longer. But here's the thing: Once it's done, it's done.

I've seen enough gawd-awful in-house software and scripts in Microsoft shops to know better than to be impressed by how much "faster" it is to adapt their shit. If you count all the down-time and set-backs which can happen after implementation, you probably ultimtely save a lot of time by going with a Linux-based enterprise.

But then, I'm not some kick-ass consulting firm which a big astroturfing... er... I mean independent study commission to put in the bank.

Re:Well

[BrookHarty]

Microsoft is generally easier and quicker to deploy, but then

To be fair, you normally choose the OS and Hardware for the job. Microsoft likes to point out OEM boxes that are hard to install linux on, but then, thats like trying to put XP on all those old beige boxes and saying Microsoft sux0rs because of bad driver support.

SSDD.

Re:Well

[Wudbaer]

But is this really so different from self-proclaimed college-drop-out "Linux gurus" who whip together sucky and insecure "solutions" in MySQL and PHP using the "powerful open Enterprise OSS LAMP-stack" ? You can write good as well as bad code both on Linux and Windows, and there are more than enough examples for both on both platforms.

Re:Well

[SilverspurG]

So this explains why on my employer's laptop running WinXP SP2 I have the following problem:

Their login sequence includes loading the AV software and a few network IT notices. Sometimes this works, sometimes it doesn't.

Sometimes the volume icon appears in the tool tray. Sometimes it doesn't. I must then go to the control panels, Sound and Audio Options, disable the tooltray icon, apply, and then re-enable it.

Sometimes the Power Meter icon (userful for battery monitoring on a laptop) appears in the tool tray. Sometimes it doesn't. I must then go to the control panels, Power Monitor, disable the tooltray icon, apply, and then re-enable it.

Sometimes the icon for the automated network backup system appears in the tool tray. Sometimes it doesn't. I don't know how to cycle it if it doesn't appear.

Sometimes the icon for "Add/remove hardware" (aka hotplug) appears in the tool tray. Sometimes it doesn't. I don't know how to cycle it if it doesn't appear.

This is why Linux is both cheaper and better. Some things work and some things don't. But I have never had this "sometimes" bullshit on Linux.

Re:Nice to know

[swillden]

On the Linux side, I simply rsync software to all our of workstations. I can even upgrade software people are using right at that moment (like rsyncing the newest thunderbird to /usr/local/thunderbird-1.0.7 while they use the thunderbird in /usr/local/thunderbird-1.0.6, and then moving the /usr/local/bin/thunderbird symbolic link to point to the new version). On the windows side, I wander around bugging people to take an early lunch or whatever while I install/upgrade software on their machine.

There are plenty of ways in which Unix-style systems are easier to administer than Windows boxes, but this is not one of them. Windows actually has quite decent remote administration tools these days, including a fairly nice infrastructure for performing remote installations. Assuming you add some third party components (or are installing to a server with Terminal Services), ad-hoc remote access is also quite good.

I'm a big fan of Linux (I have seven computers at home; six run Linux, one runs OS X, no Windows, not even a dual-boot), and I'd probably drive a bus before I'd work as a full-time Windows sysadmin, but even I can't let this sort of FUD pass.

I suggest that you learn Windows first, then rant about it. You'll still have plenty to rant about, but you won't look like an idiot doing it.

Claims of security

[porkThreeWays]

In the PDF speaking about RHEL 4 including selinux compared to RHEL 3 which doesn't have selinux...

"The data indicated does not seem to indicate drastic security vulnerability improvement for RHEL 4"

I usually don't get pissed off about these Microsoft studies, but this is more than FUD. It's a lie. They compared the security patches for RHEL 3 and 4 over a 2 1/2 month perdiod. RHEL 4 had more. They indicate that selinux did not make RHEL 4 more secure. The point of selinux isn't to lessen the number of security advisories. IT'S ANOTHER FUCKING LAYER OF SECURITY. It's akin to a firewall or antivirus. It's exactly like saying "the month after microsoft released Windows defender, 38 new viruses were detected in the wild. The month before only 30 new viruses were found in the wild. Windows defender seems to have little effect on spyware and viruses." There's no connection. selinux would make it so a vulnerable piece of software would have a harder time being exploited and an even harder time getting total system control. A hole is a hole. Whether or not it is easily exploited or not doesn't matter. It needs to be patched regardless. If sendmail has a buffer overflow that selinux is able to mitigate, sendmail still needs to be patched. Whether or not they will be able to successfully exploit it is another question. It doesn't stop the fact that sendmail has a buff overflow.

You'd think a "professional" security agency would have more sense than that, but aparently not.

k thx get the lies campaign.

Actually that sounds a little generous...

[eno2001]

A few years ago (admittedly my Linux knowledge wasn't what it is today) I set up a dual boot system for my girlfriend. Windows 98 and Redhat 7. It took me 6 hours to get Windows 98 installed and configured with all the apps she needed (MP3 ripper, VNC server, MP3 player, IE, Outlook Express and her dial-up connector). I also took the time to set up a custom Quick Launch bar with simple one click access to applications so it really worked a lot more like an applicance for her. It took me 6 DAYS to get Redhat configured to do the same things and a host of extra things that I couldn't afford to set up in Windows. However, when I tallied up the cost of software to do the same exact things in Windows, I was looking at about $6000 for software alone.

On top of that, the Redhat installation ticked along for four years solid with not a glitch other than an occasional fsck due to a power outage. The Windows installation needed to be fixed and re-installed at least 35 times in that same period of time. And Windows still didn't have all the functionality that the Redhat install did. She ditched Windows once it was no longer a work requirement. She's now my wife and we have several Linux boxes (she's no techie) and one XP box that only I use for the occasional video editing foray. (I've recently rediscovered Cinelerra and will likely be losing the XP box within the next year)

The point here is which would you rather have your admins doing? Spending all their time fixing ailing boxes with multiple occurences of downtime over the years? Or... spending a longer period of time getting it "right" and not having to do much with it due to the LACK of downtime for the box? I think Microsoft loses yet again.

True, but

[hkb]

It's true, generally it's a lot less timeconsuming to implement project requirements in Windows, as opposed to Linux. But, I've also found it's true that it's much easier to make future changes, tweaks, etc using Linux. The norm in Windows is to get an inflexible, easy-to-implement installer package and wizard.

So, the ease is there, but the advantage of flexibility lies with Linux/*NIX. I think this is for both a cultural, as well as a technical reason. Normally, Windows users/admins want something thats easy to get up and running, and they don't have a particular desire for real flexibility.

More patches? More software!

[jifl]

"Security Innovation also claimed that the Novell SLES infrastructure required 4.79 times the number of patches."

Looking at the PDF linked from the original article, which is actually about RHEL3, not SLES, you can see that they start making the right noises about only installing minimal software for a database server, but when you reach the detail near the end on page 41, you find they have GNOME, KDE, Editors, Graphical Internet, Development Tools, etc. selected. The excuse is no doubt that that's what Oracle list in their "deployment guidelines", but so what. If the approach is to try and install a minimal system, in the face of what the vendors may say you can get away with using, then that's what they should do.

Given the funders of the study, I would expect the SLES study to be equally flawed.

Another potayto-potahto issue is that they go with following the severity risk in Mitre etc., but that doesn't mean that that severity is relevant to their database server installation. Something may be high priority on Linux if it allows a local user to become root, but a database server should not have any old users logging in, nevermind running any old application. In fact the whole class of security issues resulting in improper raising of local user privileges is something that Windows has not really begun to tackle yet, due to not really being a very good multi-user system. They've instead been dealing with the far more serious remote exploits.

So can you compare even "high" priority vulnerabilities on Windows and Linux? I think not.

I worked faster when I was ignorant

[Just+Some+Guy]

When I was a novice, I could roll out a new production system with all the bells and whistles in a few days. Now that I'm more experienced, it often takes weeks or months.

Of course, the new systems are actually usable, as secure as I can make them, better integrated with the rest of the business environment, and much easier to maintain and expand.

It's easy to do things quickly when you get to skip the planning stage. Ask your stereotypical long-bearded Unix guy to implement web services and you'll be lucky to see the first draft during the same fiscal year - and no amount of pressure will make it happen any faster. Of course, it'll work correctly from the first day and will exceed the total workload of the quick-hack system within the first month, but that doesn't look pretty on this year's financials so a lot of managers aren't interested.

Re:I hope you get rooted like you deserve.

[Mad_Rain]

This attitude of "I'm not going to maintain my servers because I try to compensate for my tiny penis with a long uptime"

Okay, so the parent poster was CLEARLY flamebait. I think that they do have a point - the grandparent poster running "4 red hat 7.3 DNS servers" and "1 red hat 6 machine that lasted 6 years without an OS related reboot" does seem to be emphasizing uptime over security though. Either you take an hour or two to back up your data, set up redundant services, and upgrade according to your schedule, or someone might force you to update at a "less convinient" time.

Windows upgrades easier.

[sgt+scrub]

Interesting.

The study compared two teams of experienced IT administrators running Windows Server 2000 and Novell SUSE Enterprise Linux 8, then monitored their progress as they upgraded to Windows Server 2003 and Novell SUSE Enterprise Linux 9.

I upgraded our 3 Debian servers to Sarge "apt-get distro-upgrade" in about 2 hours. With the exception of the mail server we had no significant down time. The mail service was turned off during the upgrade to avoid any errors.

Every one of our WindowsXP machines (no servers) were virtually unusable after the Service pack 2 upgrade for most of a day.

Re:Bad Science

[Zathrus]

Days to resolve a vulnerability are dangerous guides. First, a vulnerability has to be reported, then verified. We are dependent upon the vendor (MS, Oracle, etc) to correctly reflect these. However, almost anyone can and does report one for OSS - and that is a good thing.

This is a huge thing, particularly if you rely upon the vendor to acknowledge the vulnerability. There are a lot of vulnerabilities out there that are known (and sometimes even "in the wild") that the vendor refuses to acknowledge for various reasons. Often they'll finally acknowledge it shortly before (or on the day of) having a patch ready for it -- that way they look like they're "on the ball" to management even if the IT geeks know better. This is not a purely MS problem, nor is it unique to commercial/closed-source software, but it certainly seems more prevelant in closed source than open source.

I just do not see a 68% difference anywhere for an experienced admin.

I think this is what it always boils down to -- familiarity with one platform over another. I certainly know how to do certain things in Unix/Linux better than in Windows, and vica versa. That doesn't necessarily mean that Windows is better than Linux for a certain task -- it merely means that I'm more familiar/comfortable with one than the other. And that is a significant factor to base business (or personal) decisions on.

Re:Nice to know

[swillden]

You just copy the files, move a link (guaranteed to be an atomic operation), and any new instances of the program are running the new code.

It's simpler than that, actually, if you don't mind the program being inaccessible for a few milliseconds. You just 'mv' the new file in place of the old one. New instances are running new code, old instances keep running old code. I never said Linux/Unix wasn't *better*, just that Windows wasn't as bad as the other poster made it out to be.

In Windows-land, you need to set locks, twiddle bits, edit the registery, God knows what. Sure, some "wizard" hides all this for you, but it's nothing like the simple equivalent Unix version. What happens if there's a power failure right in the middle of all this, for instance? Or if the computer runs out of RAM or disk? Yeesh. I just wouldn't trust it, no matter what the software author claims.

Actually, if they use the MS installer toolset, the installer will roll back the changes in the event of a power failure or other installation problem.

It's a prototypical Microsoft solution, actually. Compare them:

• Because Windows has traditionally been usable only from the console, Microsoft had to provide a sophisticated toolset for initiating and managing remote installations.
• There's no difference between local and remote access to a Unix system.

• Because Windows can't replace in-use files, Microsoft provides a system that allows the installer to register changes so they get applied at the next reboot. This registry is pretty sophisticated, and can do the right thing even if the power goes out at a bad moment.
• On Unix, you can replace an in-use file, so you do.

• Because Windows manages most all system configuration in one large, brittle, binary pile, Microsoft's installation system provides automatic rollback support, so that installations can be atomic. Just in case, Microsoft's OSes also provide a "revert to last known good state feature".
• On Unix, configuration info is in many small, human-readable text files, so you just tweak what you need to. If you break it, you can fix it with 'vi'.

Of course, some of the added functionality that MS provides, like the system for centrally managing updates of many machines through a simple GUI, really is nice, so it has been implemented for Unix systems as well. But a Unix admin can get a hell of a lot done with nothing more than some shell scripts and ssh, including things that the authors of the fancy GUIs never thought to implement.

Comparing apples and pears !

[udippel]

Did you guys *read* the paper ? I did as long as I didn't have to vomit.

On Windows they applied some normal patches; while the 'milestones' on Linux included real heavy stuff: upgrading glibc, upgrading mysql. Plus patches.
When I upgrade mysql and glibc I upgrade from W2K to Server2003; so to say.
Serious upgrading and normal patches cannot be compared.

So, to me, it is and remains FUD.
On purpose they would not use a period including an update from W2K to 2003; or XP. Even less one when you migrate Exchange from 5.5 to 2000 or similar.

They feel the pain and now spend some big money to some Herbert, PhD, to invent a useless situation.
Deception.

[ends]