Ask the Author of the Latest MS-Funded Windows vs. Linux Study
Last week on Slashdot you saw a (Microsoft-funded) research study on Windows vs. (Novell) Linux reliability by Dr. Herbert Thompson. Novell disagreed with the study's conclusions. So did most Slashdot readers. Thompson's work has been mentioned on Slashdot before, especially his famous five-line script that could change electronic voting machine results and his novel, The Mezonic Agenda: Hacking the Presidency. He's a real, genuine-article computer security expert (and regular Slashdot reader) who is happy to put on his flame-resistant suit and discuss his Microsoft vs. Linux study with you. So ask whatever you like, one question per post. We'll send him 10 of the highest-moderated questions and publish his answers next Monday. He'll jump into the discussion then, which ought to make it rather lively.
Dr. Thompson:
Admittedly, I don't know who you are and I haven't read any of your books. Worse, I didn't read your study itself, only its conclusions as reported second-hand by the press. However my lack of knowledge of your background is probably consistent with most Slashdot readers and the IT industry as a whole. I have to give you the benefit of the doubt and assume that you are a capable, respected researcher, elsewise MS wouldn't have approached you in the first place.
Could you please explain why you decided to risk drawing your objectivity into question by undertaking this project? Your findings may be 100% valid. And MS may very well have straight-up told you: "Please print whatever you find, even if it casts Windows in a bad light." However, who's going to believe it, even if it were true? If I were in your shoes, I'd be afraid that making a deal like this would ruin my career. If I don't tell MS what they want to hear, word would get out that I don't play ball. If I do report what's in the sponsor's best interest, a lot of people start accusing me of being a shill. Seems like a lose-lose proposition.
Entrepreneur : (noun), French for "unemployed"
Does it hurt?
What is the going rate for one's professional credibility?
...Will we see this as a dup on /. in about a month?
Were you paid?
How can you stay neutral when one side is funding your research?
I have a question, you know full well that most of what you said regarding the TCO issue is bollocks....so why did you say it?
Yours,
nother_nix_hacker
Is Jiminy Cricket in on this too?
[alk]
The study seemed to only compare commercial applications on the various platforms and not the alternatives. It's very common that commercial apps on Linux have poor support on Linux while the free alternatives blow most out of the water on Windows too. It's not especially hard to select a couple of apps with stellar support on Windows and SAP-like support on Linux and blame Linux when the problem really lies in the lack of vendor support. Some vendors even support just one specific Linux version without! any patches applied.
What care was taken in selecting applications with similar support offerings to not bias the study heavily to Microsoft's advantage?
How many Microsoft-funded studies have been buried because the conclusion was "incorrect"?
I find that there are too many variables plus unknowns to preemptively measure a TCO before a system has been installed and maintained and migrated to the next system. The maintenance is sometimes addressed, the end of life is rarely if ever addressed.
My personal bias is that Windows systems are good for being domain controllers and file servers for Windows clients, and the UNIX/Linux is better for your typical "headless" dull day to day server stuff like web servers, email, database servers, HPC machines, etc.
So my questions are: Are these studies worth anything more than pseudo-science advertisements, and if so why? And why is the end of life so rarely discussed?
So did most Slashdot readers.
Ya think? In related news, the sun is bright.
Have you read the Moderator Guidelines yet?
Well, now that I have more money than you ever will EVER, and now that I can afford life, and lots of toys, and even an accordion I can play just to tick off my neighbors, it feels GREAT!
Yours,
Microsoft Troll 931234AX32
We are the Borg...
Yours truly and forever, Windows.
For all the geeks here, that's called a love letter.
public class null extends java applet { System.out.print ("Tabula Rasa"); }
Microsoft and Linux distros have had a policy for some time of including more and more functionality in the base operating system, the latest example is the inclusion of "Local Workflow" in Windows Vista.
As a security expert do you think that bundling more and more increases or decreases the risks, and should both Windows and Linux distros be doing more to create reduced platforms that just act as good operating systems.
An Eye for an Eye will make the whole world blind - Gandhi
No sig for now.
Those who pick the metrics always win the pissing match.
:-)
But my questions are: What do you hope to achieve from the study? To dissuade people from Linux and somehow get it shut down? Would the world be better served by a Windows only market?
And an additional would be: How do you suppose to convince all the people who have switched from Windows to Linux and stayed there BECAUSE it met [or exceeded] their needs that Windows is actually the better technical choice?
And last would be: How does it feel to sell your soul to the devil?
Tom
N.B. Seeing how this will get modded -5, stupid I'll also add who cares what some study says. I'm sitting here RIGHT NOW at my Gentoo desktop, I work with my Gentoo computer farm daily. The study could say anything it wants but at the end of the day I get a lot of work done with my Gentoo Linux powered computers.
Someday, I'll have a real sig.
Dr Thompson,
Do you find it hilarious that slashdot, supposedly made up of "IT" know it alls, when asked to confront someone who really knows their shit, back down?
Laughable.
It seems to me that the "study" was a simulation or a model. Since such simulations are inherently simplifications of real-world environments, what conclusions should we draw from this? In other words, what are the limitations of your method regarding the conclusions we can draw?
LedgerSMB: Open source Accounting/ERP
how much ?
Doolittle :
Bomb no.20 : To explode of course.
Why would you open yourself to this? There's going to be about three thoughtful questions and three hundred variations on "Why did you sell your soul?" It just makes no sense to try and provoke intelligent discussion on slashdot. This site is just a feedback loop for left-leaning techno-weenies.
Slashdot - where whining about luck is the new way to make the world you want.
Hey, I'd sell out too, if anybody was buying.
Toronto-area transit rider? Rate your ride.
I only skimmed over the public comments and your survey. My impression was that the sample period you chose was very small. Why so small? It seemed so small that it struck me as deliberate to get a predetermined outcome. I am not saying that was your intention but it does give the appearance that it could have been.
Have you considered increasing the sample period?
Keep the Classic Slashdot.
I'm considering cashing in my credibility. How much do you think I should settle for? The current offers are around $100,000 - do you think I could get much higher? Is $200,000 realistic? Because of course nobody will be able to take me seriously after I've done the deal.
Malike Bamiyi wanted my assistance.
If the same study was not funded by Microsoft and was funded by a company that supports Open source and the linux platform say google or IBM would your results have been the same?
GL HF!
"As they attempt to increase business capabilities over time, customers are telling us that they are hitting a wall with Linux, experiencing significant reliability issues resulting in higher total cost of ownership," said Martin Taylor, general manager of platform strategy at Microsoft.
If scaling up on windows means significant reliability issues, how has google managed to avoid these despite scaling to the level they have?
Or Amazon, which I believe also runs on Linux. These are true enterprise-level e-commerce apps, and despite the tons of studies saying they've picked the WRONG computing platform, places like Google and Amazon have managed to create profitable businesses on non-MS platforms.
What OS do you run personally - and why?
IE: If you run Windows is it because that is what they run at work? If it is an Open Source OS - is it because you believe in open source? If it is OSX - why wasn't it included in the study?
It seems that your study attempted to simulate the growth of an internet startup firm on Windows or Linux. One thing I did not see in the study was a good description of assumptions you made. What assumptions were made in both the design of the requirements and the analysis of the data? What limitations can we place on the conclusions as a result of these assumptions?
LedgerSMB: Open source Accounting/ERP
[..]Windows systems are good for being domain controllers and file servers for Windows clients [...]
Windows:
Client Access Licenses
Linux:
Samba
Additionally, software such as NIS exists to fill the role of a single-sign-on, although I've only had painful experiences with it, personally (using Solaris in a completely crazy setup).
Unfortunately for the good Doctor, Slashdot is nothing like a flash fire.
The burnination is more like a long slow fire.
You know, the kind that turns bones to ashes.
So I guess my question is: Do you have plans to upgrade to something capable of handling heavy duty heat?
[Fuck Beta]
o0t!
He was paid to evaluate two possible scenarios given a set of initial conditions. Researchers do it all the time in this place we like to call the "real world" - in engineering for example. You take a few alternative designs, apply the constraints you are given, and pick the right tool for the job.
Dr. Thompson was given a set of conditions and two contenders, he gave his evaluation, done deal. It doesn't imply endorsement. I'm an engineer - I evaluate options regularly. Sometimes I have to pick options I didn't like. But I do it because they are the right option for the given scenario. If the conditions were different the results probably would have been different.
-everphilski-
Although I can understand that Novell are protecting their interests, the same could be said about Microsoft.
Also, did Microsoft give you some procedures or methodology to follow in your study?
How much did this report earn you from Microsoft personally? How much did your company get?
Do you get extra money for spreading the news about the report like you do here on Slashdot, or is this included in your original deal?
How many NDAs did you have to sign before starting the study? Did anyone pull you aside to "set the record straight" before the study began? How were you first asked about doing this study? Was it something like "hey, we need a study to boost our TCO stats, here's some cash..." or was it more altruistic like "hey, we need to see how we stack up against the competition .. here's some cash, and don't hold any punches!"
-GenTimJS
To be sarcastic, I'd ask "who the heck actually takes these studies seriously?", but obviously *somebody* does. Who are these people, and why do these people take these industry analyst firms/journals/reports seriously? Are they right or wrong to do so? This isn't an attack (or endorsement :) of your research -- I'm talking about the credibility gap in industry research, and my observation that it's an industry-wide problem.
The meta-credibility question is this: Given the amount of shoddy pay-for-play research out there, does being published in an analyst journal tend to cost (a researcher, his consulting company, his financial backers) more credibility than it gains him/her/them? If not, why not -- and more importantly, if so, is there any way to reverse the trend?
Simple one: of course I accept that Windows and Linux are a priori equally vulnerable - C programmers make mistakes. The question is which model is most likely to deliver a fix fastest. Given that the one area where Linux is probably in the lead over Microsoft's software is in the realm of the web server - why are my server logs filled with artifacts of hacked IIS boxes but Apache seems to remain pretty safe?
Everyone on /. likes to complain about microsoft security, and microsoft PR people like to point out their improvements. Here's a chance to give ammunition to both sides. What do you think are the three biggest security improvements microsoft has made in the past two years, and what are the three biggest security-related issues that still remain?
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
In addition, Digital Rights Management or other copy protection schemes are becoming increasingly demanding and insidious, whether by uniquely identifying and reporting on user activity, intentionally restricting functionality, and even introducing new security issues (the most recent flap involves copy protection software on Sony CDs that not only hides content from the user but permits viruses to take advantage of this feature.)
I would like to know how you feel about the shift of control over the personal computer from the person to the software manufacturers -- is it right, and do we gain more than we're losing in privacy and security?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Since it wasn't a name, but a slightly tortuous title, I was half expecting this article would be like one of those "Ask A..." advice columns from The Onion:
Dear Author of the Latest MS-Funded Windows vs. Linux Study,
My boyfriend doesn't seem willing to commit, even though we've been dating for several years. What should I do to win him over?
Reluctant in Redmond
Dear Reluctant,
After careful analysis, we've ascertained that Microsoft Windows is superior in a final cost-benefit ratio proportionate to the effectivity of the synergy hybridized compared to the open source model.
You tested six people on two different systems; how is that supposed to yield any substantial insight into the underlying OSes themselves?
[At best, your study seems to show that the GNU/Linux distribution you selected was not particularly good at this task. But why does that show that the "monolithic" style of Windows is better per se than the "modular" style of GNU/Linux distributions?]
"Every decent man is ashamed of the government he lives under." - H.L. Mencken
How do you sleep at night? ;)
You are paid by a company to compare their product to the competition, and, what a surprise, you end up with the conclusion that your employer's product is superior.
Who's the target audience for that marketing speech?
You can't take the sky from me...
Oh so many trolls... so little mod points.. *sigh*
vi or emacs?
The Linux administrators faced some out of the ordinary challenges, not faced by most Linux admins, while the Windows admins faced none.
For example, most of the time difference between Windows and Linux was spent upgrading gLibC, something that you're really not supposed to do. It's comparable to trying to manually upgrade parts of a Windows 98 system to run a program that required XP, rather than actually upgrading to XP.
Then, you had the Linux admins getting updates from 4 different sources, rather than just from SuSE's repositories, which is also out of the ordinary, while the Windows admins only visited Windows Update, which only supplies patches to the base operating system, when in reality they'll have to get updates from many other sources if they wanted to keep their apps up to date.
Do you think this was a fair study?
The link to the study is for a different one, comparing RHEL to Windows. Here is the actual study and slashdot article for the right one, comparing to SUSE.
Binary-level compatibility is a far greater problem in Linux than in Windows. For example, I am able, on the latest Windows XP, run the last 4.x release of Netscape. On Linux (Fedora Core three), I need to set up a special chroot() environment that runs RedHat 6.2 to run this application.
Another example: Those old Loki games? Games of the same era (read: the Windows versions of the same Loki games) run fine on the latest Windows XP without problem. However, to run these games on Linux requires some non-trivial contortions.
Binary drivers for Linux running between kernel versions? Forget it. It's against the religion of some kernel developers.
People still want binary-only applications and drivers. Windows beats Linux hands-down in this arena.
Another concern I have is that while your study simulates the installation and upgrade of two different systems based upon two OS's, it does not seem to simulate the real-world work needed to keep those systems running on a daily basis. In the real world systems break, worms clog the network, and regular maintenance must be done. Your study seems to completely disregard all that work and focus only on install/upgrade. Why did you not base your study on the behaviors of a real working system with a simulated network attached? It seems like the shortcut method you used to quickly evaluate only certain tasks makes the study wholly academic and loses any value as a predictor for the operation of a real network, over time, with real traffic.
Finally, I've seen it suggested that this study requires that all software be updated to the latest versions, but While Linux based servers constantly release the latest patches to each component as they become available, Windows only releases them en masse, How then can you compare the two? To be perfectly fair one would have to know what development has happened on the various components of Windows and rate all of those components as failing to be updated (since MS has not yet released that version). Barring such inside information, any comparison between a system with an open development process and one with a closed development process is critically flawed. Do you not see this as a problem with your study?
Grow up.
Hello Doctor, How many Microsoft funded studies has Microsoft published for public review where the results of the study cast a bad or negative light on the company or its products? If the answer is 0, would not this indicate they are not interested in the truth but in misinforming the public for their own benefit?
How much would it cost us to buy a study showing open source solutions are more reliable?
Seriously, I know this will be dismissed as simply "anecdotal" but in all my years of working with Windows and PC Unix machines (including sysadmining a 50-desktop business for 7 years) I've found the PC Unix boxes, once set up and running, work reliably day in and day out, whereas every Windows box has experienced some kind of 'bit rot'. I've seriously thought Microsoft must put some kind of timer in there to throw random errors after three years to get people to upgrade. I have a notebook with a RedHat 6.2 disk running on a 233MHz CPU and it's just as solid and reliable as when it was first installed. I cannot say that for the Windows 2K disk that slips into the same notebook - the IP stack got seriously hosed somehow and barely works, and would need a complete wipe and reinstall except I don't want to waste time and just put up with it. (You change network settings and it works for that session but after a reboot it reverts to some weird setting). Of course that small world of experience is no match for a big-bucks study, but things that tell me stuff contrary to what I see smack of advertising and other attempts at mind-warping persuasion.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Looking at your research report's appendices, it seems that the requirements for Windows Administrators were somewhat different than the Linux Administrators. For instance, you ask for 4-5 years sys admin experience minimum for Windows, whereas it's 3-4 years sys admin experience minimum for Linux.
Why wasn't it equal for both? And doesn't this sort of slight Windows favoring undermine your credibility?
And how can I get so much money for a pro-MS study?
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
Hello
The alternate scenario I would like to pose to you is what if you were comparing Windows Server to OSX Server.
Regards
"The most dangerous creation of any society is that man who has nothing to lose." - James Baldwin, American author
Do you think there is reasonable evidence of vote tampering in the 2004 US Presidential election? Do you think the current batch of Diebold machines in Ohio or other electronic voting machines in use for that election are trustworthy?
Paul Grosfield - the quicker picker upper.
How is it that Diebold can make ATM machines that will account for every last penny in a banking system, but they can't make secure electronic voting machines?
Also, does the flame-resistant suit come with its own matching tinfoil hat? (don't answer that one)
He who knows best knows how little he knows. - Thomas Jefferson
"Ask the Author of the Latest MS-Funded Windows vs. Linux Study"
I thought immediately of all those surreal advice columns with similar headlines in The Onion.
Read the best of all of Slash: seenonslash.com
How do you sleep at night?
On top of a pile of money, surrounded by many beautiful ladies.
Kudos to you for braving the inevitable flames to answer people's questions here on Slashdot.
Read the EFF's Fair Use FAQ
The study, commissioned by the software giant from Security Innovation, a provider of application security services, claimed that Linux administrators took 68 per cent longer to implement new business requirements than their Windows counterparts.
Would you be willing to say that the statement, among others, found in media reports does not correctly represent your findings?
If so, are you planning on determining the source of these statements (ie. Microsoft spin doctors) and pursuing legal action?
[I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
Most Slashdaughters have their heads up their ass most of the time too.
Blame the user, not the software.
Crap. I don't know who Germaine is. I meant "germane". I suck at the Internet.
The penguins here (most of slashdot) cannot seem to stand their OS got its tail handed to them here vs. a 99.999% rated OS as to uptime, but this time, about security issues!
No less, in a legit test, vs. Windows Server 2003 (SP #1, & fully hotfix patched) + SQLServer 2000 (SP#3), which is not as good security-wise as SQLServer 2005 no less, beat the hell out of LINUX using Oracle OR MyPhP iirc, as the DB engine back end!
See here:
http://download.microsoft.com/download/4/a/5/4a528af3-a63b-422b-a6d2-6a7b2b7ab7ea/Reliability_Analysis_Security_Innovation.pdf
& here:
http://linux.slashdot.org/article.pl?sid=05/11/16/169206&tid=109
Funniest part of it all? Most of the security issues were not with the DB engines, but the OS kernel/cores...
Linux is ok, don't get me wrong, & has its specialty/niche areas it's great at (and it's MUCH better @ hardware support than it was, but still is way behind MS stuff here as well as apps for it, + being as versatile as Win32 software is on Win32 OS platforms)... but, for how long?
What's left?? Clustering???
Man... anyone that says that will be solely a province of Linux (or UNIX) vs. MS, doesn't understand the talent, resources, & cash MS has to make things happen for them!
E.G.-> Give MS 1-2 years (when the release of their clustering version of 2003 server comes out & it's already underway) & we'll see what's-what there even, then.
Clustering - It's a niche area that Linux has, for now, vs. Windows... keywords being 'for now'... try to remember that.
APK
P.S.=> Still, it would be interesting to see you "Pro-Linux Penguins" try to get the better of the man who allegedly ran this test, just to see if you can, I would find that VERY interesting to see if you can... apk
Dr. Thompson,
How do you explain the different conclusions from studies funded by Microsoft and studies funded by Unix/Linux vendors? Shouldn't studies that essentially study the same issue inevitably arrive in the same conclusions, if the research for the study was made independently, honestly and with no systemic errors? How do you expect people to take any of these studies, whether pro-Microsoft or anti-Microsoft, seriously?
In Soviet Russia, I ruled you
According to the pdf, they had custom compiled versions of mysql and (eventually) glibc. This is concerning because the idea was to keep the system as RHEL as possible. It's very unscientific to do a study like this and deviate from the main package base on such important packages. Oh, ummm... what I said in question form.
If an officer ever threatens to taze you, say you have a pacemaker.
Mr Thompson
I've always wondered exactly how much Linux-based knowledge a writer should have in order to write a report on the TCO of Linux-based networks and software.
How much Real World/In the Trenches experience do you have implementing and supporting large network and software applications that run Microsoft products compared to *nix based solutions?
Exactly how experienced are you with Linux? What is your favourite distro? How long have you been running Linux?
What is the best thing Windows does better than Linux?
What is the best thing Linux does better than Windows?
Have you ever contributed to an Open Source project or been part of an Open Source community?
Thanks
John the Kiwi
After reading the executive summary and conclusion I see that you admit that the sample size (3 Windows admins and 3 Novell Linux admins) is too small to make any strong conclusions and that repeating the experiment on a larger sample set would be interesting. (Personally, 6 admins seem way too few to make any conclusions on the merits of either operating system.) The question is: do you think your report is about the merits of the operating systems or more about the method used in the report? And does the media (and /. flameboys) reflect what you're saying, or are they more interested in "flamewars"?
As a side question; what results do you think you would get if you had a large sample size of administrators (a few hundreds on each OS)?
Look a monkey!
If this is a "real world" scenario why is a default install picked? Part of the job description for a sysadmin is to secure a system. If this install "attempted to simulate a "real-world" enterprise e-commerce environment over the course of a year." then how could it be the default configuration? The bugzilla example you annotate is for Samba, not part of a reasonable database server install.
Also, is there a list of the vulnerabilities quantified in your study?
The Linux administrators used SuSE Linux Enterprise Server 9. A majority of the problems with Linux seem to have involved SuSE's package and upgrade systems. Do you think that the results would have been significantly different if another distribution had been used?
Why does Microsoft remove preprocessing statements in XMLDocuments that pass through its web services product?
Oh, wow, your comeback strategy is go to Google, type in "cross platform multimedia libraries" and link the first four that show up... impressive. If you've ever actually *done* multimedia programming on the other hand... Allegro sucks (last time I used it... sorry) openAL and libSDL I haven't even heard of; and its been said that D3D actually outperforms OpenGL (according to gamedev.net and others...)
(myself I code OpenGL in C++...)
-everphilski-
Did Microsoft make you sign a non-disclosure agreement? If so, without saying anything to violate the NDA, were there results or findings that MS prevented from being released?
If you were a hotdog, would you eat yourself?
This too shall pass.
What commercial apps on Linux did he use, exactly? I just looked over the report, and I saw Apache, PHP, GLIBC, and MySQL. I'd argue that comparing MySQL to MS SQL Server is like comparing a bicycle to a BMW, but still, MySQL, PHP, GLIBC, and Apache are probably the best supported Linux-based apps on the planet. Did you even read the report?
Its called integrity... I take it you've never done scientific research before (and if you have, shame on you)
-everphilski-
My question is, how could we get Ms/Oracle/Red Hat/Novell/(other tech rival) to jointly fund a report? To my knowledge, there haven't been any reports from a jointly funded by rivals point of view (I'm sure someone here will try to point one out, but magazine/web "shootouts" don't count to me). How could we as customers help create a situation where competitors saying "let's see who's better - together" would be viable? I ask you because you've been through the setup process for a review and have perspective which most of us lack.
US Democracy:The best person for the job (among These pre-selected choices...)
IIRC your genius admins botched glibc during the test period. If I set a monkey loose with a hex editor on Microsoft's libc in the middle of a similar test, I doubt that Microsoft would consider that fair. We often joke about Windows admins being trained monkeys and I'd say your study almost confirms this. Why did you choose to use admins who were completely unfamiliar with the Linux distro they were using?
The Data Mining Software used in M1 required the Linux administrators to use MySQL 4.1, which was not part of the SLES distribution. This appears to be where the majority of the problems with the Linux servers stemmed from. Do you think the choice of Linux distribution and/or Data Mining Software biased the outcome report in any way?
From the study:
What I find lacking is the business case for upgrading the OS. And why on earth would any enterprise with even the tiniest amount of foresight and planning deploy Windows 2000/SuSE 8 knowing they will upgrade to the next gen just one year later? (Not that there aren't plenty of enterprises who fit your model, not to mention IT workers seeking to "power level" their skills...)
Now, certainly there is value in trouble-free installs. But can you say with confidence a better upgrade experience is really a fair test of value? Especially when the entire install/patch/upgrade philosophy between Windows and Linux is so disparate?
In other words: It's no surprise that Windows will perform better on the treadmill, constantly upgrading is at the very core of Microsoft's profitability.
--
If you actually read the report, you'd see that GLIBC was all mucked up because SUSE's YAST was broken. And on top of that, part of the study was to see what the administrators would do. Part of the confusion for the sysadmins was WHERE to get the sources when the standard RPM manager broke. It's not clear where they should have gotten GLIBC, and that was part of the test.
Prepare the ranch dressing hose!!!!
-everphilski-
If I understand the study correctly, the Windows side had to do nothing but set up a server to do a few different tasks over time and run Windows Update. The Linux side had to have multiple incompatible versions of their database server running simultaneously on a single system and had to run unsupported versions of software to do it.
Why wasn't the Windows side required to run multiple versions of IIS or SQL Server simultaneously? In real life if you need to run multiple database versions you use virtualization or multiple systems, especially if one requires untested software. You don't run some hokey unstable branch on the same system as everything else. Why was a Linux solution picked that required this level of work? My other related question is, did any of the Unix administrators question why they were being asked to do such a thing? For example, did they come back and say they need a license for VMware? If they did not, they do not seem like very competent administrators in my opinion.
Of course, with this audience, you might want to say FireFox, or possibly Safari. I am curious if you use MS IE. (Though I'd like to hear "Opera, of course.")
.. paranoid crackpot leftover from the days of Amiga.
they would factor in the cost of the max-spec apple xserve as part of the cost of a server running only dhcp or another low-profile server ...
does the devil cut you a check or does he pay cash?
Actually, this is incorrect. You have to provide the illusion of being neutral. True neutrality is impossible when your bread is buttered on one side; researchers cannot help but know where their funding is coming from, and the human element will skew it, in hopes of getting more research money from that source. Happily, bias is inherent in humanity, so everything you are exposed to is skewed one way or another.
I just wonder how specific your customer was about the configurations ?
As I see it your test was not a comparison between Windows 2003 Server and SuSE Linux... it was a comparison of a Microsoft platform and a platform based on SuSE Linux.
But the thing is why should they port to Linux? Why should I purchase Linux versions of software when I already own the Windows versions? So I can say I'm cool and run Linux? No. The cost of a windows license is next to nothing and the cost of the software will be the same on either platform; and when you are talking TCO of engineering software, the engineering software costs run in the thousands to tens of thousands of dollars. When we buy our workstations from Dell/Xi/any bulk vendor the windows license runs about $10-$30. What's the point of recoding part of the software, in the pov of the engineering vendor, to avoid a $10-$30 windows license? That's absurd.
-everphilski-
The report wasn't about security issues.
Are you sure you were reading the same report as everyone else?
If you'd read the study... then you'd know that the test was done using SUSE, and GLIBC was hand-compiled because SUSE's RPM manager was broken.
First, let's recognize that anyone experienced enough with both operating systems will have their own experiences that will tell them which OS is better in various ways. These people are unlikely to be swayed by studies. Therefore, the first thing that is critical to understand is this: these studies are aimed at people who are NOT experienced with both OS's.
As such, it seems there are two potential groups who are targeted by such studies: 1) CIO or sysadmin types who are experienced with windows systems, and who were thinking of trying linux; and 2) PHBs. For the first type, the MS studies are meant to deter. For the second type, the MS studies are meant to indoctrinate.
For example, let's say MS saturates WSJ, Fortune, and similar newspapers/magazines likely to be read by PHBs. They read it enough times, and given they have no field knowledge of the various TCO variables, they believe what they read from seemingly "objective" sources. What MS then wants is this: when an intelligent CIO or sysadmin goes to the CEO and says "Let's try linux, it's great!" the CEO says no, and considers the CIO incompetent for even considering such a blatantly horrible idea.
So basically these studies are meant to influence decision makers who don't have hands-on knowledge. It's a very good idea, really. It will keep Linux adoption a lot lower than it would be otherwise.
The first term of the NDA probably states that he can't talk about the NDA.
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-U
Boxers or Briefs?
Spelling tip:
Grammer: the last name of a TV sitcom star
Grammar: rules concerning language usage
Why does your report focus on the number of patches and not the number of vulnerabilities? Patches can be combined, vulnerabilities can remain unpatched leading to misleading results.
Why do you not make any mention of the time between a vulnerability being discovered and a patch being released?
The report does not provide details on exactly which software was installed? A standard Linux installation is made up of thousands of individual packages, many of which are not required for this type of server. This would make a big difference in the number of patches required and the time needed to install them.
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
How do you fairly quantify TCO in the linux realm? Do you believe the standard that has been raised on behalf of Linux is *just*? Taking into account the context this study has adopted as a result of "Bob in marketing" and the quasi-technical media spin...
Dear Author of the latest MS-Funded Windows vs. Linux Study,
Several years ago, when I bought my first house, my mother pitched in a substantial sum of money to help me with the down payment. I have since paid her back; however, she still holds this favor over my head every chance she gets. How can I ask her to stop it without seeming like an ingrate?
Sincerely,
Exasperated in Topeka
*
Dear Exasperated,
Results of the latest MS-Funded Windows vs. Linux Study confirm what IT managers have known all along: The total cost of ownership of Windows XP Professional in a typical customer environment is less than half that of Linux (1). Furthermore, 76% of security professionals (2) agree that Windows XP Professional is more secure (3) than Linux when running in a server environment. Finally, for common customer workloads (4), a single iPAQ PDA running Windows CE is just as useful as an IBM Linux mainframe, and far easier to carry!
Footnotes:
(1) Fedora Core 6.0 Pre-Alpha
(2) We actually sampled the security guard at the local Wal-Mart 100 times. 76 of his responses seemed vaguely affirmative, 12 of them were negative, 6 were completely unintelligible, 5 were complete silence, and once he gave us a weird look and farted.
(3) When powered off
(4) Personal scheduling, Minesweeper
Signed,
Author of the latest MS-Funded Windows vs. Linux Study
Windows administrators are forced to wait until Windows releases a patch for known vulnerabilities to upgrade their systems. Why, then, were the Linux administrators told to attempt to upgrade their systems before Novell had released newly packaged versions of MySQL? The entire point of a package management system is that administrators rely on companies like Novell to correct dependencies prior to deployment. Since Windows administrators have the same constraint (i.e., waiting for security updates to be released), it is an unfair and arbitrary difference that caused a lot of troubles.
Why did you compare the number of patches required to apply between the systems? This is not a measure of security. Windows patches are bundled and affect many parts of the operating system while Linux patches affect individual components. The overtone in your paper implied that fewer windows patches was in some way easier or more secure; what justification do you have for this assertion?
What is the rationale behind this? Were the Linux administrators required to restart at this point? This is an incredibly contrived situation; one can simply stop and re-start the process in question after the upgrade has completed.
Furthermore, the upgrade methodology is questionable. Real companies use development and production servers and don't upgrade the production server until a reproducible upgrade trajectory has been tested on the development server. The actions of these administrators imply that they had no such access, and that there was no possibility for backtracking or restarting after a failed step. Normally, one would expect the ability to nuke the development server and start over, rather than following a bad plan to worse conclusions.
You conclude from the study that at the enterprise level it is easier to manage Windows in regard to implementing business requirements than it is in Linux. I believe that Linux can and will be as good as Windows, and to this end I ask what we, the community and Linux vendors, can do to improve this failing, i.e., what would you suggest that Linux could do or needs to do to be on par with Windows or even exceed it in this context?
Yes or no, is the answer to this question no? Also, any chance you'll show the developers where to fix the vulnerabilities in linux?
"If scaling up on windows means significant reliability issues, how has google managed to avoid these despite scaling to the level they have?"
Excellent question.
I agree. I am a power user, I suppose, and have had computers set up with Linux. I find certain things on Linux much better than on Windows machines, but taken as a whole and looking at the things I do everyday, Windows comes out on top. It really isn't a case of "operating system X is crap and Z is simply wonderful" but a case of looking at what your needs are and what system works best for you. I do believe that Linux has the very strong potential of overcoming its weaknesses and would in that case truly win over Windows. However, we are not there yet, so in the meanwhile, Windows will do. Also, Windows will probably work on getting better and perhaps Apple will come closer to the proletariat equipment-wise, and make it a three-way match.
Some say he is made with ascii, others that he is eyeballed daily by millions. All we know is, he is known as the Sig
buttsecks?
The link was changed since the original article from here: http://linux.slashdot.org/article.pl?sid=05/11/16/169206&tid=109
.pdf file that was put in as the URL to refer to.
In fact, ask the submitter of this article or the webmasters here (there were complaints about it being the "wrong article", not the one from Mr. Thompson, while in that thread) IF that url that was in the original article submitted here was changed or not...
It was. I know it for a fact, because I saved the original
(& it was about SQLServer 2000 SP #3 in combination with Windows Server 2003 SP #1 + hotfix updated fully, being more secure than Linux + MyPHP (iirc) or Oracle as the DB engines used with Linux... & oddly? The problems in security MOSTLY were related to OS core API call issues... )
Linux? It just plain-jane had WAY more than Windows Server 2003 does. No wonder Windows Server 2003's rated 99.999% uptime reliable.
The old "arguments/F.U.D." from Linux Penguins are going away & all the old b.s. just won't cut it anymore boys. Accept it.
APK
tr.v. effected, effecting, effects
1. To bring into existence.
2. To produce as a result.
3. To bring about. (*See Usage Note at affect*).
Either way, it's wrong to say that "effect" is not a verb... in fact, it is.
This is beside the whole point that the sibling post made, that it's Grammar, not Grammer.
I am unamerican, and proud of it!
Here's my present situation at work.
I can't print. The Sysadmin says "Reboot Windows". What's the cost of that? Did Dr. Herbert Thompson measure that cost? Two weeks ago, my Windows Word was very slow popping up Formatting dialogs. The Sysadmin told me "Reboot Windows". Rebooting helped, but it's quite a pain, and costs time. How much? How much on average? I don't know. Enough for me not to try it out right away.
I don't yet know whether rebooting will help with the printing problem though.
Sincerely,
Dr. Stephan Wehner
Stephan
http://stephan.sugarmotor.org
Spelling tip of the day: "Although".
Who do you think companies concerned about security hire? They hire "real, genuine-article computer security experts" like him. So, I'm not impressed: it's the current crop of "security experts" and "operating system experts" that have gotten us in the mess that we are in. The fact that these people may not like Linux and the way it's being developed is a recommendation, as far as I'm concerned.
"as to just say 'well, everyone's biased anyway' really doesn't seem like an acceptable attitude." Actually, postmodernist theory uses many complicated pages to explain that indeed, everyone IS biased. Of course one could also argue that even though a mountain looks a different shape to people standing at different angles to it, it does not mean that the mountain is shapeless or continuously reshaping. So the point is, EVERYONE is biased, but perhaps by asking everyone to describe the mountain, we can come to some conclusion as to what its true shape is.
I work with both. I have 2 boxes right here. One dual boots FC4 and XP, one runs just FC4. My home machine dual boots my favorite flavor of linux and XP. I use both, fluently I might add. I'm a believer in the right tool for the right job. Sometimes that tool is windows (I'm on the windows side of my dual boot box now). Sometimes it's linux (99% of my dev work is done there, depends on the job though. Some of it is cross-platform). You can't make the blanket statement "linux is better". Well, you can. But then I make the blanket statement "tomstdenis is a zealot" and I really don't give any of your arguments any impetus because you haven't said anything any of the other zealots haven't already said. As I said many posts ago, it's the right tool for the right job. I use linux for a lot of things, but there are a lot of things that Windows is still good for.
-everphilski-
Do you believe that the scope of the research project was intentionally engineered to favor Microsoft Windows? If so, did you make any attempts to expand the scope to be more neutral? What were the results?
I pity the foo that isn't metasyntactic
...but let me jump to some conclusions...
Humm, how many times have you heard that...
All this time I thought the initials were FC and here I find out it's NDA. Where do they come up with these acronyms?
I'm talking cage match here: polar bear or tiger - which one walks out?
Come on Thomson - show us your guts!
This wasn't just plain terrible, this was fancy terrible. This was terrible with raisins in it. - Dorothy Parker
Already there are 15 +5 posts. Surely there will be 20 or 30 by the end of this. Why does slashdot have such a braindead moderation system? Why not up the comment score cap on interview threads?
autopr0n is like, down and stuff.
...has absolutely nothing to do with the quality of their products. In fact, I particularly like their mice and (older) joysticks, as well as many of the games they publish (e.g. Fury^3, Flight Simulator, Age of Empires, Halo, etc.). The problem I do have with them is their unethical business practices. This trumps any possible merit their products have, because I refuse to compromise my morals just for slightly easier to use software.
In other words, I don't care if Microsoft's fiddle is golden, because it's still a deal with the Devil!
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
What changes to linux do you recommend after performing this study?
I was wondering, why did the application installs use levels of code known to cause issues with the distribution you chose? It just seems that in a real world scenario, if a Project Manager was told the app was incompatible with the chosen os, then they would make a decision to either use a compatible OS, or pre-test the rollout in an appropriate manner.
The other thing that seemed off about the report is that the three linux administrators did some pretty nasty things to RPM, and they took separate paths. While I know that consistency is not possible in the real world, one would have thought that a workaround of this magnitude would have been pre-documented before the install.
--WooooHoooo--
Assuming you were in a position to fix whatever you deemed to be broken in most Linux distributions, what are the top five things you would fix first to improve Linux's security and reliability?
Meldroc, Waster of Electrons
What would you suggest as the definitive standard? Instead of complaining that there isn't one, help create/support one. Maybe a single xml based file called ~/.registry is the answer?
If so, Why?
A quick read of the report shows that the real losers here seem to be the Administrators. Some of the Linux admins "could not meet business requirements", and some were judged as failures by not using vendor-supplied solutions.
Isn't one of the points of running Linux servers the freedom to use solutions NOT supplied by the vendor? Is it even possible for the Microsoft admins to make changes that aren't fed from the vendor?
When the only tool you have is the "Upgrade" button, and the button doesn't work, what then? The advantage of Linux in administration is the flexibility to Make It Happen, even if the vendor sends you something broken.
I know good admins on Microsoft, and good ones on UNIX. They seem to Make It Happen no matter what, because that is their job. Making It Happen sometimes include custom fixes, that are documented, so you can undo them when the vendor comes through (hopefully) later.
So the Final Question is, why was it bad for the Linux admins to stray from vendor-supplied fixes, and why is the lack of flexibility on the Microsoft side a "win"?
Dr. Thompson, the way you selected the administrators seems to suggest a strong bias against Linux. In Appendix 3 (page 41), you recruited Windows administrators with at least 4-5 years of Windows administrator experience, while in Appendix 4 (page 43), you recruited Linux administrators with just 2 years of Linux experience.
It seems that either you're a true Linux believer thinking that a Linux administrator can out-smart and out-perform a Windows administrator with twice the experience, or that your experiment was set up to pit inexperienced Linux admins against experienced Windows admins.
So which is it?
How can we take a survey seriously when it's paid for by a company you are a partner with and investigates their software?
How do your findings hold up against page 31 of the recent leaked MS Singularity OS research document found at ftp://ftp.research.microsoft.com/pub/tr/TR-2005-135.pdf, in which MS compares current versions of Windows XP, Linux and FreeBSD, only to show that Linux and FreeBSD outperform Windows XP?
Why do you suppose that MS would even consider building a new OS from the ground up, as they are doing with Singularity, if their current model already beats the competition?
Dr Thompson, thanks for sticking your neck out. My question is: has your research given you enough data to provide feedback on other flavors of Linux? I suspect that Microsoft chose to pick on light-weight Novell since their flavor of Linux is one of the relatively weakest. Any thought on that?
Horns are really just a broken halo.
I have seen lots of comments about the TCO of Windows being less than that of Linux, but I cannot believe it for a couple reasons.
1. When a User buys Windows XP they spend $160+ and this number only goes up for 64 bit or multi proc. systems.
Linux is free for all versions.
2. It can take all day to install Windows, get it configured, and install all the drivers and user tools, like Office. My time is worth $80-$100 an hour.
Linux installs without the need for other drivers, and comes with Office.
3. You have to purchase Office for Windows, at a cost of over $160. Add to this all the retail spyware and anti-virus softwares to make the system secure.
Linux has Office (free) and does not need any of the anti-virus or spyware softwares.
4. To set up a Server with Windows, you must purchase Server at a cost of over $400, and take all the time to set up DHCP, Active Directory, Permissions and Policies, and my time is still $80-$100 an hour.
I can set Linux up as a Server from the same disk as I can set up a client, without much more time or effort.
5. When Windows wants an update, it must be rebooted, causing downtime of my server(s).
The only down time Linux requires of me is for the replacement of hardware.
So, my question is, if I can run the TCO of Linux as substantially lower than Windows, how is it the Microsoft Sponsored Studies always show the opposite?
What are you or are you not counting into the numbers to make the difference?
--E--
gentimjs, do you remember above where it said "one question per post"? Are you sure you remember that? Do you think you could do better next time?
Mr Thomson,
The study mentions that in the aspect of delivering reliable customer expectations Linux hits the wall because upgrades to internal components like glibc will break dependencies to several other software packages. In the report a MySQL upgrade triggered an upgrade to glibc, breaking several other dependencies. In the scenario described it seems to me very striking to upgrade the core glibc component only for satisfying a single RPM package dependency, rather than recompiling the MySQL package myself, avoiding the so-called 'dependency hell'. This scenario would not render the machine useless. Linux by its design as a platform doesn't designate a fixed path to solve problems. While solving problems like this is not supported, it's still possible to run MySQL 4.1 on a SUSE SLES9 platform, while upgrading certain components in Windows like IIS6 still forces an upgrade to Windows 2003. Enterprise customers would rather apply for a supported upgrade than an unsupported update. In respect to this, further ignoring the exaggerated scenario where core components in SLES9 were needlessly upgraded, how do you defend this position?
Jurgen Kobierczynski
Would you also believe that a study done by a third party and/or a Pro-Linux group is fair too? Secondly, how will the introduction of Vista affect these results, being that system upgrade times were included in the report?
I hear this claim often: "non-profit organizations are somehow more objective because they don't have the common goal of profit." But it simply isn't true. Non-profit organizations have OTHER goals which, on many levels, provide even greater motivation to "do whatever needs to be done" to achieve them.
By their very nature, non-profit organizations are a group of people with a specific agenda. They exist to promote, implement, and raise awareness of that agenda, whether it is protecting the environment, raising money for a specific disease or underprivileged group, or promoting some specific action like stopping smoking. The group's supporters and/or staff overwhelmingly share this common goal because they are typically volunteers. In other words, participating in these organizations isn't "just a day job" for them: they fundamentally believe in the agenda.
Next, you need to understand how these non-profits achieve these goals. Predominantly, they require public support. This means advertising (e.g., "thetruth.org"), communicating (e.g., sending "experts" to raise awareness of an issue in the media), and lobbying (e.g., capitol hill lobbyists and "voter cards" mailed to group's members) just to name a few of the operational tactics used to garner public support. These tactics bring public funding and interest to their agendas, both vital to achieving their goals.
Have you EVER heard of a non-profit organization just close up shop because an issue just isn't relevant anymore? No. They might close due to lack of interest, or lack of funding: but there will always be an agenda to promote. So that means that public attention is as critical to these organizations as profit is to corporations. Corporations go bankrupt when they fail to profit: non-profit organizations "fade away" when they lose the attention of the public. This is why they constantly seek attention.
It's important to see all of these things when you're interacting with a non-profit organization. They absolutely have agendas, and they WILL play to people to get more attention and money devoted to them. THIS is where non-profit bias comes from.
Oh.
Herbert Johnson. Never mind.
"Made up/misattributed quote that makes me look smart. I am on
Are you related to Hunter S. ??
are you daft?
The two are largely equivalent.
I use emacs gdbsrc mode to debug my code, and I can set breakpoints, conditional breakpoints, step in, step over, print any expression, or call any function I want in the debugger. If I recall correctly, you cannot really manually call functions in the Visual Studio debugger, but correct me if I'm wrong.
There are also advantages to gdb frontends though:
Please explain what extra productivity or features you gain from the Windows debugger.
As for your selection of tools:
First of all, performance varies wildly with what you are doing. Anyone can easily show that windows or linux outperforms the other just by testing the right things.
Second, the question is about credibility. The guy is outright lying. "More consistent, reliable and easier to manage"? You would have to be on serious drugs to believe that. Windows is famous for being flaky and unreliable, and its GUI tools are "acceptable" at best, "crippling" at worst. Its command line tools range from poorly documented to non-existent.
The point is people aren't denying all evidence that windows is better than linux. The point is there is no evidence that windows is more consistent, more reliable, or easier to manage. There is quite a lot of evidence to the contrary though.
Q1: Are you serious? Q2: No really! Are you serious?
The point is not that Linux is inherently less powerful.
It's that for certain kinds of purposes, the current situation in the real world is that, for no good technical reason, software only exists for Windows.
Due to this unfortunate situation, Windows is superior at achieving certain real world tasks.
People who just accept this and go through the path of ethical laziness get bitten in the ass by the lock-in they are themselves creating.
"(Even though I presume MS chooses settings & configurations which favor them, of course."
So in other words you admit that in certain situations MS is better? Look at it this way Windows has its strong points and Linux has its strong points. If they didn't there wouldn't be a market for one. If MS did stipulate settings and configurations that favor them, more power to them. You don't compare sports cars by fuel efficiency, but you do mini-vans. Same thing with operating systems, if MS is trying to market in category A they don't care that Linux does category B much better.
Dr. Thompson,
I will admit that I know very little about administering NT systems, I am basically a Unix guy. But I do work in a mixed shop, and the NT guys I work with have told me that you can't upgrade directly from 2k to 2k3. What they do is install a clean 2k3 image, then migrate services to it, then fix anything that might have broken along the way. They assure me that this is how MS says they are supposed to do it. I am extremely curious to know more about the upgrade procedure from 2k to 2k3; could you explain what steps are taken to accomplish this operation that MS allegedly says should be avoided?
The way I've been burnt by Microsoft isn't over the short term. I believe that MS has a lot of attractive software solutions in the short term. The deployment can be fast, the solution sexy, and the cost lower than a linux implementation. In short I agree with the findings of your study.
What your study fails to address is the longer term problem often faced with MS products. The company has a history of pushing new incompatible products on existing customers, which then force an expensive upgrade. Examples are QuickBasic, and now VisualBasic, the impending Office Suite, and device drivers written in the 1990's.
If I had implemented a program on Unix in the 1990's, it would run with minimal changes today. The API is very similar, even device drivers written 10 years ago will run or run with few changes. This kind of code reuse just isn't possible in Redmond. Windows 95/98/ME is effectively dead and any hardware or software is obsolete. I wrote a lot of stuff for that OS, and it's all dead now. I later returned to write code on NT and it won't run on XP now. When will the madness end? It won't, because when you have saturated a market, the only way to get revenue is to force an upgrade. I'm willing to pay for new technologies - sure - but I shouldn't be forced to.
While Linux solutions might take longer, I feel better knowing that far down the road I'll be able to maintain them.
You mean the Windows Server 2003 that has 8 unpatched vulnerabilities? That Windows Server 2003? And SQL Server 2000, which has a highly critical vulnerability?
Compared to something like Red Hat Enterprise Linux ES 4, which has 0 known vulnerabilities, or Oracle 7.x, which has 0 known vulnerabilities.
Funny how all the "independent" reports that claim Windows is more secure than Linux are funded by Microsoft. That's just such a coincidence.
Which pays better, working on security-related projects or whoring?
SEO Firefox Extension
Question: Were the "underlying assumptions" and basic methodology (which you very responsibly and sensibly do report in your study) dictated to you by Microsoft or some other external entity, or did you yourself come up with the test scenario?
I ask because the consensus around here seems to be that the conditions and methodology were cherry-picked to favor systems with single-vendor provenance and ease of initial installation, and do not include any real measures of operational stability or reliability.
Dr. Thompson,
Though your study pits Windows versus Linux and claims Linux has a higher TCO, what is the actual marginal cost of implementing a Linux box versus a Windows box? Only three machines seems hardly determinant or significant. Implementing one Linux machine may be (although I don't believe it) more expensive, but several Linux machines may cost less than the same number of Windows boxes.
Also, with respect to updates, did you consider all of the upgrades in Red Hat's "up2date" as "patches" or simply as "upgrades" with a few being security patches?
Did your study favor GUI over command-line interface or vice-versa?
Did your study log each crash/reboot/system error thrown by each machine? Also, were you required to run any "system restores" on the Windows machine?
Did your study consider alternative operating systems with high security (such as OpenBSD)?
If you could "fix" Linux (or at least the distros you reviewed), what would you insert, update, or delete?
Would you consider running the same study with a very powerful package management system, such as APT?
Thank you,
Drew E.
The report seems to predominantly discuss days of risk of disclosed vulnerabilities.
But it is comparing Apples and Oranges to an extent, as in the free software world it is usual, and expected, that vulnerabilities will be publicly disclosed early (indeed this is a core aspect of Debian developers' pledge to their users, that they won't hide the bad news, because you can always do something, even if it is switch the machine off).
The simple truth is that there is no "zero day fix", except arguably where the programmers find and fix their own bugs (vendors have been known to quietly omit mentioning the huge security flaws thus removed); there is some process, some discussion, and usually a far longer (never ending?) period of deployment following any security fix. "Zero day fix" is marketing speak for: your system has been vulnerable since you installed it, but we finally recruited someone with enough brains to understand the vulnerability report AND fix it.
So the question is "Why use a metric that will only highlight a philosophical difference?", and one on which the best experts in the field can't agree on the significance of from a security perspective. The report does include some random quotation on this, but I assume the answer is that is what they were paid to do.
If you subtract out the "zero day" data, you seem to be left with Microsoft taking a long time to fix very few bugs, suggesting they aren't terribly responsive when it counts.
Your computer is not safe simply because you (or the vendor) don't know what the software bugs in it are.
I'm also wondering why vulnerability count is used as a brute statistic again. It is pretty much as discredited a measure as any can be.
For example, the kernel is seen as the most patched feature of the free software system used, and IE as the most patched feature of the Windows world. Interesting, because I've seen many, many boxes compromised by using IE, but I've only ever suspected one case of privilege escalation through kernel vulnerabilities, even though it is usually in use 100% of the time the box is on. Surely then I am missing something, as are all the people out there that Netcraft and Uptime report as still running 2.2 kernels; I suspect what I'm missing is realistic analysis of vulnerabilities. I see very few people using IE versions of a similar vintage despite similar vulnerability discovery rates.
Security reports should also cover more basic aspects of system management, like data security. Our Windows 2003 server recently reported an error writing data to a filesystem, saying "data might have been lost"; alas, this error message failed to mention which filesystem data might have been lost from. These kinds of experiences cut directly at the first assumption, that the Microsoft product is "Enterprise class". No point in patching it quickly if it is so broken as to be of doubtful utility in the first place.
Where is the discussion of database functionality? There is a huge range from MySQL to Oracle, with MS SQL pretty much at the bottom of that spectrum, whereas Oracle is going to win hands down (all however many gigabytes of it there is now). Some of these functions are relevant to security, such as backups, transactional integrity features etc.
But I'm sure you will have the answer. (btw, I will have more info in 2006, the migration of 70000 desktop computers is decided and will be done during the two next years. Not 6 but 70000 users.)
Million Dollar Screenshot
If you favour your patron you will have no credibility.
If you don't, the study will not be published (or enlighten us, when have you seen a paid for study showing the payer in a bad light?)
IANAL but write like a drunk one.
Does this include questions modded 'Funny'?
Telltale Games: Bone, Sam and Max
Do you remember any of your Microsoft-funded lobotomy?
of Windows Server 2000 to Server 2003 and the SUSE Enterprise Server 8 to Enterprise Server 9.
Not being familiar with the requirements of either activity, I do find it suspect to make a determination that would allow the statement:
"This study shows that IT administrators are better able to maintain the system while delivering new capabilities predictably and consistently on the Windows platform."
by limiting the scope to operating system upgrade processes.
- real hackers don't have sigs -
Dr. Thompson.
You note yourself, in your study, that the sample is based upon 6 system administrators/systems. That number is, as you yourself note, too small to be considered definitive. That being the case, I would argue that this makes the report viable not as a decision-making tool but as a marketing tool. Were I a CIO I would feel unwilling to base my conclusions solely on a sample size of 6. What is your opinion on this? Do you expect further, more statistically significant, work to take place? Or do you feel that this is not a problem?
Your study is interesting, but without knowing the 3rd party tools and applications that were used in the test how can we know the results are valid? Without disclosure the results are irreproducible. My hypothesis is that many of the applications were very poorly supported for linux and well-supported for Windows, but without knowing the applications I can't know if this is true or not.
Microsoft: We are better. ... ... ehhh, what did you say?
Linux: You lie!
Microsoft: According to studies
Linux: They lie!
Microsoft: Linux is better
Linux: Again you lie
No need to listen, they Lie!
-Mark
did M$ have to do to get you to commit this ?
Why update GLibc ? What was the point of that, to do something on Linux that you couldn't do on Winblows ? & then say Gee we had some problems !
Yet another person shilling for the great multi billion dollar monopolist...
You state in your report that the requirements were developed after interviews with "leading CIO's, CTO's,
Moreover, in appendix 5 of your study you show little overlap between the lists of popular component users. Many of the groups listed for one "popular solution" were not listed on another. Nor did you separate these lists by operating system. This gives no indication whether the popular components are ever used in concert. Nor does it indicate how many groups are using each feature set or system. Nor even where these user numbers came from.
I bring these points up because they point to potential holes in your study that I am curious about. In particular:
My question is, do you see these as issues? If not why not?
You have three questions in your post.
Are you doing this to increase your karma in the ensuing discussion?
Why would you put a server online that has all of RH3 installed? You need the kernel, mysql, some libs, and iptables. Once I have the iptables set up, where exactly is there a need to do almost any of the patches listed? There is one conduit to a specific server, in/out. There is such a minimal amount of software needed to make a LINUX server do its thing compared to Windows. I can do in less than 200 megs what takes Windows 1,000+ megs. It seems to me the criteria were limited in your test to only favor certain vendors in a specific, I mean very specific, way. Tell me, can you even install the MS server in 200 megs? I think once you take the graphics interface out of the picture you really would see the true greatness of the product: it's small, it's fast, and I can eliminate all the other stuff I do not want to maintain in the long run. This is not even an option with MS anything; they have merged their libraries, that it would take a
My question, from the perspective of someone involved in a current LAMP startup, and 2 past ones.
Did you actually interview companies running the servers in question, or did you just read the vendors book on how to set them up, and was that a criteria of the test?
Hello Dr. Thompson
;)
First of all, thank you for participating in this flamefest
I read the Executive Summary of your report and skimmed the rest, so pardon me if I failed to notice something vital.
It seems to me that the demand that your Linux Admins were asked to upgrade Glibc led them to fail the majority of tasks, creating an artificial bias against Linux.
Any Admin worth his weight in pizza knows that you Just Don't Do That.
If you absolutely, positively need some component, you get the version which works with your Glibc. All hell will break loose as soon as you upgrade Glibc and especially if you don't recompile the rest of the system. For an organization which needs commercial support from the OS vendor, this is unacceptable and your Admin should have refused to comply. If your web programmers need a specific component, they should get the component which works with your system.
I understand that this induces "pain" on your organization, but that pain should be much milder than the one your Admins experienced, and as a result, your organization.
My question is therefore: How can you defend the demand to upgrade Glibc when it is so obviously designed to force the Admin to fail?
Thank you very much for your answer, I look forward to reading your reply.
:p
Stupidity is like nuclear power, it can be used for good or evil. And you don't want to get any on you.
Unlike many of the slashdotters above I did take the time to read two of your studies (Role Comparison Security Report - Database Role and Reliability, Analyzing Solution Uptime as Business needs change) and I have two questions:
Question 1 (re: Role Comparison Security Report - Database Role and Reliability):
Since these reports are meant to provide guidance to businesses on their IT infrastructure, I was wondering if you shouldn't have given some consideration to the likelihood of the exploitation of some of these vulnerabilities. Although the Windows stack had fewer vulnerabilities during the study period than the Linux stacks, how many vulnerabilities on each stack had commonly available exploits? After all, if one system has 100 vulnerabilities that no one takes advantage of and another system has 1 vulnerability that every script kiddie on the planet exploits, all things being equal, I would have to say the first system was more secure.
Question 2 (re: Analyzing Solution Uptime as Business needs change):
This is less of a question than a real life event that occurred at my place of work which I would like you to comment on. We had a business requirement to build and roll out a simple data mining application to about 300 external users. This of course was an afterthought to a much larger project that was already completed and over budget, so no one was willing to ask for more money. We first looked to ASP/IIS 5/SQL Server 2000/Win2K. We were able to build it in a week, but the cost for additional licences was over $30,000. So we built a similar solution using PHP/Apache/PostgreSQL/Fedora in a week and deployed it for free. Ever since, little Linux projects have been popping up all over our business. I will concede that the first time we did it the Linux stack did seem like a major pain in the ass to maintain, but once we developed some internal expertise the additional flexibility and freedom from licensing issues more than make up for any "pain". All innovation in our business over the last year and a half has been on Linux.
Thanks
is Roblimo Mr Thompson's press secretary?
I spent the last two hours re-writing and revising my post in order to concisely, accurately, and honestly refute your findings, opinions, and potential bias.
My post was most righteous, eloquent, refined, accurate, and necessary. However, my Windows XP box was both hacked, and crashed during my submission, and all I'm left with is this tired old message.
Tired and frustrating (like my operating system),
Earle Ady
Best,
url80, The Bounty Network
Hi Hugh, Dr. Thompson, I really liked reading your study. I thought it was well written and set up a nice framework for studying Business Solution Reliability. I would like to ask you these three questions:
1) When Novell bought SUSE they got pretty late into the Linux game; about 1-2 years ago (not sure). I am not familiar with Novell/SUSE's offering, but I am familiar with Red Hat, which has been in the Linux game for a much longer period. The RHN works very well to update key components smoothly... just as well, if not better, than Windows Update. Red Hat should have been picked, but instead SUSE was picked, which I believe is like comparing apples to oranges, because SUSE/Novell's offering is just too new for a fair comparison. I believe the study would have been quite different if Red Hat had been picked. -> Why was SUSE picked?
2) The study fails to mention the specific software components that were installed, citing them as not being relevant. This is a major source of bias, since the software components themselves could have been created by software manufacturers who had a higher priority on focusing on compatibility with Windows than with Linux. Since the software vendors were not mentioned... it is impossible to verify if the software vendors were equally committed to creating good software on both platforms. -> Why is it unimportant to include the software vendors?
3) The study fails to measure the number of reboots in the reliability study. It is not an opinion but a fact that Windows requires a lot more reboots than Linux when making changes to the system, such as updating key components. A reboot should also be considered as downtime, but wasn't included in the study at all. For example, if every reboot takes 2 minutes, and Windows required 10 reboots and Linux only 2, this should be added to the timeline. -> Why were reboots not considered?
I am looking forward to a response from you. Warmest regards, Daniel
The Background:
View the end of this post for the question, but please read the background before responding.
I have installed Ubuntu Linux and have found it easier to install and run everyday applications than in Windows XP Pro. I have also experienced fewer lockups and random application failures when using OSS than I have when using Microsoft products. The Windows users we have switched to Linux and OSS have had fewer tech support issues, and the few they have had were remedied quicker and easier than those on a Windows based system. Not a single day had to be spent in training, due to the ease of use of Linux, and the similarities between most all Office suites, Open or Closed Source.
I have also noticed that migrating my Thunderbird email from a Windows machine to Linux is easier than migrating my Outlook email settings from one Windows machine to another. I have had no adware, spyware, or viruses on my Linux machine, but consistently get viruses on my Windows machine despite the enterprise virus scanner that I update daily.
As a small business owner I have switched to linux, and have already installed my operating system, vector/raster/architectural drawing applications, 3d modelling and rendering applications, multiple web browsers, an email client, audio/video editing software, CD/DVD burning software, DVD authoring software, complex accounting software, and a very functional office suite. All of these applications have cost me zero dollars, and most are easier to use than closed source alternatives traditionally provided by Microsoft.
I have also set up servers with Ubuntu Linux, and have installed a webserver, various popular scripting languages, enterprise level database applications (read: ACID compliant, standard SQL, triggers, stored procedures, views, tablespaces, etc.), and an FTP server. All of these were installed within about one hour and did not cost me any money whatsoever.
I have not had to use Microsoft support, nor have I had to use any Linux support, but from what I have been told from businesses that have requested Microsoft support, it was much more expensive than the Linux support available today.
Despite having nearly 15 years of experience with Microsoft Operating Systems and less than one year of experience with the GNU/Linux Operating System, I have not lost any data, have not run into any problems that weren't easily solved, and have gotten more work done since switching to Linux. I have also found connecting to network devices, whether they be Windows file servers, Netware File Servers, FTP servers, or printers, it is consistently easier and more trouble-free in Linux than in Windows.
By using OSS, the only people who are incapable of using the files/media I produce are individuals who refuse to install freely available software from a variety of vendors they can choose from. The reason I cannot use files/media other individuals give me.... well, I haven't run into any of those yet, so never mind.
I would also like to shoot down the hardware support myth by stating this is being posted on a widescreen laptop over a wireless network connection, and that the 64 bit version of linux supports more hardware on this laptop than the 64 bit version of Windows XP Pro.
The Question:
"Now the trouble about trying to make yourself stupider than you really are is that you very often succeed." -C.S. Lewis
Dr. Thompson:
According to what I have read, you did not use the most recent version of Redhat Linux in your comparison. Also, the specific hardware build you selected was one that is publicly known to give very poor performance with Redhat Linux.
Why did you select this version of Linux, and why this particular hardware build? More to the point, what decision-making process do you use to ensure that the OS and hardware configurations you use for your studies are good matches for one another? I guess what I am really asking is, what measures do you take to prevent the "bad match" of which you have been accused here on slashdot? And please do be specific, we love the details.
Thank you.
Dr. Thompson
Selecting the methodology for performing research like this must have been difficult. I believe there are already numerous questions that ask you about the various inputs to your methodology.
So my interest is in a different area. The scenario described is based purely on E-Commerce and your conclusions reflect that a Windows Server solution will cause less "IT pain" than a SUSE Linux Solution. My question is thus:
Are there any scenarios in which you suspect a Windows Server Solution is more likely to cause more IT pain? And consequently have you any more research "in the pipe" to test this?
Regards
Darrell
Let's see, you essentially become MS's whore, doing your little hatchet job like a good slut. Then, as if that WEREN'T ENOUGH, you come back next week to rub it all in our faces. Are you by any chance contemplating suicide?
And second, isn't it remarkable that the only people who ever have anything good to say about Microsoft at all are the people who make money if they do so, and all the people who swear by open source do so because they sincerely mean it?
Why?
This sig is neither interesting, nor humorous. Including meta-humor.
Dr Thompson,
First let me state that I often find myself working both sides of the field doing forensics and analysis. More often than not, it's doing such things post-mortem on Windows machines; however, I do chalk this up mostly to the user base.
My question now is this: Windows vs. Linux on the issue of security. I've recently dealt with a rather large incident where nearly every pawn in the Windows security model was circumvented, from trusted processes being hijacked, to Windows Update being made into a reverse/connect back shell, to even 'interception' of the Secure Attention Sequence (SAS) [aka ctrl+alt+del in laymen's terms].
My general sentiment is that Windows is over-integrated, but generally has a superior API (in regards to ability, not style; I can't stand the Hungarian notation). Under normal circumstances, any user, even the administrator account, when they try to OpenProcess() one of the trusted system processes (which as a result of being trusted have superior abilities to that of the Administrator), it fails with Permission Denied; however, if one is to adjust their privileges to allow for Debugging, then the system will happily OpenProcess() any of the trusted processes. Once this hurdle is overcome, it is trivial to allocate memory inside of the process, write to it, then create a remote thread inside of said process, allowing total circumvention of any concept behind a trusted process; with this you could, say, enumerate all the network users and obtain their password hashes, which is an operation typically reserved for the LSASS program.
Similarly, one can register a DLL in the registry to allow one to extend the appearance or functionality of the login; this is known as GINA, and the key is GinaDLL if I remember correctly. Once this is realized, you are no longer 'intercepting' the SAS, but have rather altered and 'extended' its functionality. If one was so inclined, you could break the login, effectively killing the computer for probably at least 95% of the Microsoft userbase. As I am sure you are aware, the SAS is the 'crown jewel' of the security model, and trivially allowing an Administrator to do this is a massive failure, in my humble opinion of course.
Additionally, the system account runs with the most critical of privileges, the ability to not only read, but write to the Physical Memory object (in systems older than Windows 2003 SP1).
Then finally, we have instances where one can register a DLL, again in the registry, for certain system services; Windows Update is a prime example. With this done, you now have a service that runs (regardless of whether you have automatic updates turned on or off) that will do your bidding, turning the thing that is supposed to keep users up to date and safe into another piece of hard to diagnose malware.
Surely at this point, you must be saying a few things, I will try to cover them.
1) Once the administrator account is obtained, the game is up.
This is very true, however when one starts adding in domains and the likes, things of this nature are the difference between a few compromised boxes, and several hundred. Additionally, if the premise was not to protect the system from the user, why include the extra hurdles for one to jump through?
2) These are just extra protections, in Linux you can just do all of the above or similar directly, without having all the extra hoops
True, but in Linux I also have the option of any number of systems that will allow me to disallow such actions, for instance GRSec or SELinux. With GRSec I can not only enable Mandatory Access Controls (MACs), but also Role-Based Access Controls (RBACs), and it even comes with integrated PaX, one of the best buffer overflow protection schemes out there, especially when coupled with ProPolice/SSP, as in Hardened Gentoo; with such a setup, a user, or even root, can accomplish very little.
and finally, the most valid point:
3) So? All of this can be accomplished more directly with a driver.
Absolutely correct.
What are your comments on the above statements, and what do you feel is a step in the right direction to secure such problems on the windows platforms?
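From a defender's side, the three Windows mechanisms the post above names (the GinaDLL value under Winlogon, a service's ServiceDll entry, and who holds SeDebugPrivilege) are all auditable from a registry export and a `secedit /export` policy file. The following is an added example, not code from the original thread or from the poster; the "expected" baselines (stock msgina.dll, a ServiceDll under System32, SeDebugPrivilege held only by BUILTIN\Administrators) are assumptions for a lab image, and the sample inputs are constructed.

```python
"""Audit a registry export and a secedit policy file for the persistence
points and the privilege discussed in the post above. Baselines are
assumptions for a lab build; adjust them for your own image."""
import re
from typing import Dict, List

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WUAUSERV_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters"
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit-style .reg text export into {key: {value_name: data}}.
    Only REG_SZ ("quoted") data is needed for these checks."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes as "\\"
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys


def parse_privilege_rights(text: str) -> Dict[str, List[str]]:
    """Parse the [Privilege Rights] section of a secedit /export file into
    {privilege: [SIDs]} (secedit writes each SID with a leading '*')."""
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if in_section and "=" in line:
            priv, _, holders = line.partition("=")
            rights[priv.strip()] = [h.strip().lstrip("*") for h in holders.split(",") if h.strip()]
    return rights


def audit(reg_text: str, secedit_text: str) -> List[str]:
    """Return human-readable findings; an empty list means every baseline held."""
    findings: List[str] = []
    reg = parse_reg_export(reg_text)

    # 1. GINA replacement: stock Winlogon uses msgina.dll when the value is
    #    absent or names it; anything else extends or hijacks the logon path.
    gina = reg.get(WINLOGON, {}).get("GinaDLL")
    if gina is not None and gina.lower() != "msgina.dll":
        findings.append(f"GinaDLL replaced: {gina}")

    # 2. Windows Update service DLL: assumed baseline is a DLL under System32.
    svc_dll = reg.get(WUAUSERV_PARAMS, {}).get("ServiceDll", "")
    if svc_dll and not re.match(r"(?i)%systemroot%\\system32\\[^\\]+\.dll$", svc_dll):
        findings.append(f"wuauserv ServiceDll outside System32: {svc_dll}")

    # 3. SeDebugPrivilege unlocks OpenProcess on protected processes, so any
    #    holder beyond the Administrators group widens that exposure.
    holders = parse_privilege_rights(secedit_text).get("SeDebugPrivilege", [])
    extra = [h for h in holders if h != ADMINISTRATORS_SID]
    if extra:
        findings.append("SeDebugPrivilege granted beyond Administrators: " + ", ".join(extra))
    return findings


# Constructed sample: a replaced GINA and an extra debug-privilege holder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"GinaDLL"="C:\\Temp\\logonhook.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\wuauserv.dll"
"""

SAMPLE_SECEDIT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1005
SeShutdownPrivilege = *S-1-5-32-544
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, SAMPLE_SECEDIT):
        print("FINDING:", finding)
```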
While that's true, it's also often worth preferring the vendor's offerings where possible. For example, if I found that I had an admin who was trying to patch MySQL by pulling down the latest upstream version and installing that instead of the version provided by the vendor, I'd be very unhappy indeed. Security patches are best handled through the vendor channel unless _extremely_ critical (think "OpenSSH remote root"), in which case I'd probably do a temporary fix until the vendor caught up.
In other cases, I'm right with you. I recently converted my core server here to Xen, splitting it into two partitions based on role. I could've upgraded to an experimental distro like FC4 to do this, but it was quicker and safer (thus cheaper) to retrofit Xen into Debian 3.1 .
Linux gives you the freedom to use vendor supplied options where it best fits your needs, and to do it yourself where that's better for you. Knowing which to pick isn't always easy, but if you make the right decisions it goes very well indeed.
Which of Novell's points do you think has merits, and what is your response to those points?
"he drew his sword Ringil that glittered like ice... and he wounded Morgoth with seven wounds..."
Whose pic is that in place of Dr Thompson, in the link supplied in the story?
Check
http://images.google.com/imgres?imgurl=http://sisecure.com/images/portrait_forlando.jpg&imgrefurl=http://sisecure.com/company/management.shtml&h=142&w=108&sz=6&tbnid=FUDw9wmh-38J:&tbnh=88&tbnw=66&hl=en/
for a comparison. Ouch.
Why is it that most of the posters to /. have the basic English skills of most 3rd world morons?
"So did most Slashdot readers. Thompson's work been mentioned on Slashdot before, especially his famous five-line script that could change electronic voting machine results and his novel, The Mezonic Agenda: Hacking the Presidency."
"Thompson's work +HAS+ been mentioned on Slashdot before"
I see posts often with misspellings, left out words, and sentences that well, don't even fit the definition of a sentence. Then there are the responses that are even worse. Is this what, "We" the IT professionals have amounted to, illiterate techno-geeks?
USE YOUR FREAKING SPELL CHECKER if you don't know how to spell, type, or can't form a sentence.
This has probably already been put in the responses to the article already, but just in case it hasn't:
Why should anybody give any weight to a study that is funded by a party which has a direct interest in the outcome of the study and sets up the conditions of the study?
I don't have too much experience as a network administrator, but I find it strange to use the number of vendor-released patches as a metric of reliability. Yes, in a perfect world this would be normal, but I think it's obvious that Microsoft doesn't release patches immediately after the problem is reported but, in the best case, a few weeks later. Also, AFAIK there are still unpatched vulnerabilities in Windows that have been waiting for an awful amount of time. And consider badly written patches that don't fix the root of the problem. Technical support? Consider that old story of a Microsoft employee who encountered crashes after installing a hotfix. (I can't find the address anymore.) He reported on his blog how he barely managed to explain to the one at the end of the line that he'd encountered "a STOP error" and that he couldn't see his mouse.
When coming to security, this interval (weeks or months) is huge. Think of Tom Vogt's study about worm propagation [http://web.lemuria.org/security/WormPropagation.pdf]. Three weeks ain't enough. Even three days could be too much.
About "implementing the business requirements".. I admit I only skimmed through the report, but I didn't see any direct reference to the technology used for that.
And when it comes to problems after upgrading.. RPM is not the only package management system. I don't want to start a RPM vs. Portage vs. APT flame. I only want to show that Linux is not RPM (no pun intended). And the same for distributions. I don't have anything personally with SUSE. Again, Linux does not mean SUSE.
Disclaimer:
Yes, I do use Windows on my desktop system. Yes, I use Linux too, but Windows is my primary OS. No, I am not "pro-Microsoft". I only want to see better software. And I hope I'm not the only one who thinks like that.
There are many good questions, but, if I may, I would be interested in how you would apply your own personal experience as a security programmer to a question which goes beyond the inherent technical differences between the two systems you examined.
Without using the words "open source" (or, that is to say, without morphing the predicate of this question into the usual predicates of the so-called open-source question (business model, efficiency, security, ... ) ), I would be interested in your deepest possible thoughts on the social, economic and evolutionary predicates within the two systems you examined ...
If you have difficulty with that, then, what is your concept of the idea of ownership?
And, how do you see that concept or "model of ownership" evolving, in the broadest possible context you can imagine? As a security expert, where are the DNA-forces at work, which are responding to and then causing that evolutionary change, tracing that model of ownership from your grandparents' generation up until now, and then extending the model forward into your grandchildren's generation?
Using that model for evolution of the concept of "ownership," how would the choice between the *specific non-technical predicates of one system you examined, versus the other, affect that evolution of that concept?
It's just fact based on what was found is all. Accept it.
(After all - the rest of the planet seems to, given that Win32 based Operating Systems (by now, I would wager mostly Windows NT-based OS', such as Windows 2000/XP/Server 2003) & software run on 95-99% of all the personal computers on the planet, & not just restricted to laptops/desktops, but servers as well).
Don't get me wrong - Linux isn't bad, it's come a LONG ways. It just isn't quite as versatile as Win32 based OS &/or software (of which there is more of this than there is in the Linux world period and for more purposes), & doesn't support as much hardware-wise either.
Care to argue with the numbers/facts on that last statement?
APK
But the bug reports from Secunia, which is not sponsored by Microsoft or Linux, show quite clearly that Windows Server 2003 and SQL Server 2000 have more known vulnerabilities than Redhat and Oracle. How can Windows Server 2003 be more secure when it is clear that it has more vulnerabilities?
I'm unable to find any statistics for 2005, but back in 2000, Linux accounted for 36% of webservers, and Windows only 21%, according to Netcraft. It's likely that this hasn't changed.
Windows is certainly more compatible with hardware and the majority of software binaries about, but more versatile? In what way?
Dr. Thompson, I am happy to see the summary tout your Slashdotism and willingness to jump into the fray, as it were. However, the conditions for doing so are in the mode of a semi-open format where a) A new post is made to solicit questions which are peer-ranked b) Answers are crafted at your own pace and published in yet another new post and c) finally the standard madness ensues where people respond to one another... only this time you, apparently, will participate to one degree or another in the melee.
My question is: If you are a Slasher, why didn't you just voluntarily wade into the original, 'fully open format' discussion back when it occurred and thinking was fresh, thus obviating the need for /. to create some organized circus out of it?
I never denied that non-profits have agendas. It's just another way of saying they have a vision or some need to be fulfilled. It could even be founded on the notion that our lives ought to be entirely monetized, with profit-seeking transactions defining our lives. So there's good and bad in many degrees.
That does not make a non-profit necessarily driven by simple, irrational bias (the only kind worth highlighting). A 'bias' for facts which may reflect certain trends (like a monopolized market) is not the kind you throw in someone's face to dismiss their good judgement; That is an intellectually dishonest smokescreen.
In contrast, the profit motive is undeniably an indication of bias toward self-interest, with plenty of examples of that getting out of hand. Pushing an assumption that "markets" are rational is a sham that cannot cover-up this simple fact of life.
Microsoft has killed off or neutered all other OS/Officeware entities resembling its own business model (for-profit corporations); they ARE those markets. So why is there so much manipulation, abuse and crime associated with them? Is this market rationality revealing itself to the consumer? The situation is so extreme that its only real competition is based on volunteer effort and donations (although not single-mindedly).
Microsoft's AGENDA is the same as other behemoths in this regard: To push the ideology of monetization, that the only trustworthy and 'good' processes in our lives are those that are based on for-profit transactions. Whatever restructuring, investments, manufacturing or lobbying that will get their 'services' in between you and your pursuits and coexistence with others is a 'good thing'. Ideally all decisions are made in the consumer mode, and everything must have a pricetag on it to ensure they can buy it up and monopolize it. And if you want a say in how any of this is executed, you get to vote with your wallet and preferably nothing else.
Studies like the cited one focus on specific issues like security, as if that were the one decision-point for users. For me, it goes far beyond that, to the culture of the developers writing for the OS. Specifically, I'm far more likely to choose an OS based on the availability of open-source software for one reason: the availability of the developer(s) to resolve problems.
With Microsoft, if you notice a problem with the software, there is nothing you can do about it. Microsoft doesn't listen to individuals, nor communicate with them, so your options are a) suck it up, b) buy something else, or c) switch to open source.
Example: if you copy a row in Excel, you can't go to another sheet, insert a blank row, and then paste in your row. As soon as you did an intervening command, Excel forgot about your clipboard contents. Why? Is it because Microsoft thinks we're too stupid to remember what we're doing? No, it's because they decided to use the clipboard for holding command information! (I checked the API). I want them to fix this broken design, but there is no one at Microsoft to listen to me, or care.
With most open-source software, if you find a problem, you can contact the developer, and frequently get a response in days. And if the developer can't help you, you can usually help yourself. Recently I noticed that the DrPython IDE didn't have a Save Copy feature. I was able to download the source code, add the feature, and have it incorporated in the subsequent release, one week later. Meanwhile, the Microsoft Excel bug has existed for years, with no sign of a fix in sight.
- midtoad
Protect the environment, use a bicycle
Thanks to everyone who submitted or moderated questions for Dr. Thompson. Any posts or moderations after this post's time stamp will not count. This is the cut-off.
- Robin
I saw a number of points referencing the apples to apples comparison. What I did not see is discussion on participant bias (I believe, the Rosenthal effect) - most would assume there would be none, but there was no discussion in the methods on how to control for this. Experimenter bias (I believe the Hawthorne Effect - could have mixed it up with the Rosenthal effect) - experimenters who are aware of what they are looking for inadvertently skew the test results.

Also, it would make for a better test of the OS support and administration if both systems ran Apache, MySQL, and Tomcat, since these will run on Windows systems (IIS will only run on Windows), and both used PHP. In experiments, the only difference should be what is experimentally being controlled for, in this case it would be OS support. It can still represent the real world since one may use open source software with a Microsoft OS. Also, it is a bit odd that the 3rd party vendor products were not provided. Regardless of what the researchers point out (protecting the vendor), you can't replicate the study without the exact methods used in the study, and that includes 3rd party apps (poor research practice which brings into question the researchers' motives).

Also, the results, as some point out, really don't provide much in regards to proof of differences other than some odd numbers; the size of the subject pool is too small to run statistical analysis, so what numbers they did capture cannot indicate causality, not even a relational association. All conclusions are subjective and have not been statistically backed. So how do we know if 34% is really a difference for each administration? I would think the bias alone would need to be addressed if we are to believe the data, let alone the weak experimental controls used in the study that would need to be rectified as well... How does the Doctor defend against these (what some would consider catastrophic) failures in research protocol? If I am off base here, sorry.
Your "Recruiting Questionnaires" are full of discrepancies: first the Windows administration experience requirement is 4-5 years, then only 3 years in another question. Requirements for Linux administrators were also greatly lower for some (not very) odd reason.
How can you make ANY conclusions on OS differences when the error margin created by the variance in administrators' abilities is so big?
You thought you were comparing Linux and Windows systems, but you were actually comparing 3 Linux administrators to 3 Windows administrators. There is a big difference.
You posted the names of the operating systems involved. Why didn't you post the names of the administrators?
Is it really plausible that a Linux Admin with 2 years experience decides to upgrade glibc? Come on. That's not, like, say, a trivial task. How did some newbie go and dig up glibc/untar it/compile it/install it? Really? And then have problems? I bet. It seems more likely that the admin got prodded in that direction. You'd have to be *trying* to waste as much time as possible if you go to build your own version of glibc.
:)
No one would ever let a junior Linux admin decide to "just upgrade" glibc. If you got a job as a Linux Admin and you downloaded, built & installed glibc on a server without getting permission, you'd almost certainly be fired. If you asked if you could, you'd be told no. Never. If you asked, you'd prove you were clueless. If you did it, you'd prove you were clueless. That the details of this study reveal that this is done is so unbelievably screwy that it's hard not to assume that the whole thing was fraudulent in the first place.
Building and upgrading your own version of glibc (tell me they didn't really grab a raw upstream version) is far more of an _engineering_ task and outside the realm of "what some random sys admin" does. There are several million lines of code in glibc. For most of the life of the free software movement, it's been at the top of the packages in size and complication. It's been more stable over the last couple of years than it ever was in the past. I suppose nowadays a new user could grab a tarball, build it, and your machine would at least still boot. Needless to say, distributions apply lots of patches. It's certainly not wise to decide you are smarter than your distribution's glibc maintainers and just go dropping all the patches they applied.
Is there even anything equivalent to this under Windows? I'm having a problem with W2K; but instead of just upgrading to XP, I'm going to rebuild major.dll from the XP sources to see if that fixes my problem on W2K. WTF?
Is the void between admin'ing a Linux vs Windows box so bad that they have to pad it with: "oh, ya, aaaahhh, ya, we rebuilt glibc at one point"? Luckily I'm not in charge in that shop; the first thing I'd do in my IT department is go through and fire everyone in charge still running Windows on their desk. You can be sure they aren't needed. Take that!
Any study in TCO between Windows and Linux that involves system admins compiling core OS components is absolutely invalid. System admins install & configure things; if they build anything from scratch they need permission, at the very least from a more senior admin. These stupid TCO studies are getting old. Linux is easier. Q.E.D.
"Study Conducted by Windows Admins concludes Linux Sucks to Admin!" or "Longtime Windows fanboy tries to keep job by concluding Linux sucks to Admin!".
Have you done the audit of MS Windows kernel code versus Linux kernel code?
Slashdot = Sarcasm
Versatile is a word people throw around. It doesn't mean what he thinks it means.
"I'm unable to find any statistics for 2005, but back in 2000, Linux accounted for 36% of webservers, and Windows only 21%, according to Netcraft. It's likely that this hasn't changed." - by arevos (659374) on Tuesday November 22, @07:43AM
Oh, really? Read this, from TODAY:
http://www.infoworld.com/article/05/11/23/HNwindowsleads_1.html?source=rss&url=http://www.infoworld.com/article/05/11/23/HNwindowsleads_1.html
"Sales of Windows systems accounted for 36.9 percent of all server revenue in the quarter, versus 31.7 percent for Unix and 11.5 percent for Linux (Overview, Articles, Company), Eastwood said. Enterprises increasingly are using Windows-based servers for applications such as ERP (enterprise resource planning) in addition to traditional uses such as e-mail and Web hosting. Migration from Windows NT to newer versions of Windows also is driving sales, he said."
That good enough for you? I think so!
"Windows is certainly more compatible with hardware and the majority of software binaries about, but more versatile? In what way?" - - by arevos (659374) on Tuesday November 22, @07:43AM
Well, for one, apparently for end users (since a good 95-99% of systems that are desktops/laptops in BOTH corporate/business AND home users are Windows, & most likely 2000/XP/Windows Server 2003 by now).
Secondly, read that quote - seems @ the server level? Windows Server 2003 is 'rocking the planet' vs. its competition, period.
And, lastly, how you mention... can't you understand what you JUST said? It only seconds my viewpoint!
"But the bug reports from Secunia, which is not sponsored by Microsoft or Linux, show quite clearly that Windows Server 2003 and SQL Server 2000 have more known vulnerabilities than Redhat and Oracle. How can Windows Server 2003 be more secure when it is clear that it has more vulnerabilities?" - - by arevos (659374) on Tuesday November 22, @07:43AM
You should take a look @ ALL the kernel level vulnerabilities Linux has, right here, & tell us all what you just did:
http://secunia.com/search/?search=Linux+Kernel&w=
And, from the SAME site you seem to worship, no less... some are "remoteable" exploits, others not classified as such, but are 'local' in nature (many of them remain unpatched as well).
The thing about 'local' exploits is, that once you run an app that has a buffer overflow exploit possible in it? It BECOMES LOCALLY EXPLOITABLE by remote users hijacking it, & under the user context in which you are logged on as... with ALL the corresponding privileges.
So, if said app with buffer overflow exists & gets exploited while you are running it as admin/superuser/root? You see the problem with calling ANY exploit "local" only!
(Better luck next time... lol!)
APK
P.S.=> And, to the guy that replied below me stating I didn't know what versatile meant? Wake up, read this post, ok?? apk
First? Read this:
http://interviews.slashdot.org/comments.pl?sid=168949&cid=14103910
Secondly, anything that is capable of doing more than something else is more versatile, period.
So, that said? What runs more hardware & software:
Linux
or
Windows
?
APK
P.S.=> I'll let YOU answer that for yourself, & thus, letting you answer your own question as well as defeating your b.s. easily... apk
http://linux.slashdot.org/comments.pl?sid=168464&cid=14047049
.pdf study was about MS SQLServer 2000 (SP#3) + Windows Server 2003 (SP#1 + hotfixes) was found more secure than Redhat Linux + Oracle 10 &/or MyPhP DB engines combinations, & that the article showed the problems were MOSTLY in the OS cores/kernels, not the DBEngines themselves!)
As to the authors/article submitters here? Read that, & see, they indeed DID change the original article link... & I was NOT the only one who noted that!
(That very post shows that someone else noted what I did - that the original
Had to back that up, with others from that posting too... pretty lame, switching articles on us like that!
APK
I want to know how you came up with the test cases. As far as I can tell they were based on standard mainstream server configurations that could be done equally well in Windows or Unix. You then compared the ease of making changes to enterprise distributions using custom packages.
So for example the study failed to consider:
1) Firms that were taking advantage of the Linux "roll your own" and doing things in a custom way, i.e. firms that had atypical server needs in some respect.
2) Firms that were making use of very large numbers of similarly configured boxes where small additions of manpower wouldn't be as much of an issue. (This has always been a core market for Linux).
3) Embedded systems where initial configuration costs can be very high as long as changes do not need to be.
etc...
Yet the results were phrased in a way which seemed much more general, "Microsoft Claims Firms 'Hitting a Wall' With Linux".
Do you agree with this phrasing and if so why did you choose such a narrow methodology to prove such a broad point?
Dear Mr. Thompson, I am one of the few people who read your essay. I think it is interesting that your "experienced" SUSE Linux administrator, tested in the study, chose to upgrade GLIBC directly and to ignore dependencies. It obviously resulted in an unusable or unbootable system. I made exactly the same error several years ago on my home PC. I am not a professional system administrator. I had used Linux for less than a month. Had your "experienced" SUSE Linux administrators ever used Linux before the tests?
this post contains no useful information, no need to mod it down
The keyword here is sales. This report measures sales revenue, which is not an accurate way of measuring quantity. For instance, say I sold 100 copies of Windows for $1000 each, and 400 copies of Linux for $200 each. The total revenue for Windows would be $100'000, whilst the total revenue for Linux would only be $80'000. In such an example, Windows earns more revenue than Linux, but only has a quarter of the numbers.
This problem is further compounded by the fact that the majority of installed Linux distributions are downloaded for free, rather than bought with support. For instance, the company I work for recently installed freely downloaded copies of Fedora Core 4 on six servers.
In short, server revenue tells us little to nothing about the number of servers with Linux installed. The Netcraft survey, on the other hand, queries webservers directly, giving a reasonably accurate result. From this, it is safe to assume that Linux outnumbers Windows servers by a large margin.
It's lucky that Redhat Linux doesn't use the stock Linux kernel then, otherwise it would be affected by those vulnerabilities. Redhat, and indeed most major Linux distributions, use customised kernels that are patched regularly through automated update tools.
Being popular is not the same as being versatile.
I think Linux is versatile because it gives me a wide choice of window managers; Windows does not. It gives me a choice of about a dozen file systems; Windows does not. It gives me the choice of three major desktop environments; Windows does not. It allows me to customise my kernel with 3rd party patches; Windows does not. It allows me to mount hard drives as directories; Windows does not.
Linux can run off a 1.44MB floppy, or run the fastest supercomputer in the world. That seems pretty versatile to me.
I'm afraid it's not that black and white. Windows supports more up-to-date IBM compatible hardware and software; this is true. However, Linux supports more different architectures and platforms than Windows. Ever tried installing Windows on a Mac or a PS2?
Furthermore, Windows is deliberately restricted. You get a standard interface, standard window manager, standard desktop. You can theme it, skin it - but you cannot remove it and replace it with something else. This ensures that Windows is very uniform in interface, which is one of its greatest advantages and disadvantages. Sit a Windows user down at a Windows PC, and it's unlikely they'll get lost.
However, this uniformity comes at the price of less flexibility. In Linux the GUI is not artificially limited by this, which means that the GUIs for Linux are far more varied, and therefore versatile. Similarly, the filesystems for Linux are generally more flexible and versatile than Windows' FAT32 and NTFS.