Microsoft Silently Backs Favorable Presentation at RSA

lildogie writes "Two researchers, from the Florida Institute of Technology and Boston-based Security Innovation Inc., 'surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system' according to the Seattle Post-Intelligencer. 'This week, the researchers released their finished report, and it included another surprise: Microsoft was funding the project all along.' When will they ever learn?"
  • Who? (Score:3, Informative)

    by Skiron ( 735617 ) on Saturday March 26, 2005 @11:07AM (#12054021)
    MS or researchers. One wins $$ and one wins $$...
  • by Anonymous Coward on Saturday March 26, 2005 @11:22AM (#12054089)
    Microsoft puts pressure on discoverers of security leaks not to disclose them.
    That gives MS time to find a fix and reach a better "days-of-risk" value.
  • by Fished ( 574624 ) * <amphigory@gmail . c om> on Saturday March 26, 2005 @11:25AM (#12054105)
    Linux vulnerabilities tend to get reported before there's an exploit, even when the "vulnerability" is very minor. Windows vulnerabilities only come to light when there is an exploit, because no one can see the code.
  • This is the article (Score:2, Informative)

    by bird603568 ( 808629 ) on Saturday March 26, 2005 @11:34AM (#12054146)
    I was handed this article from a retired researcher that was supervising me on my wifi research. http://www.washington.edu/alumni/columns/march05/wakeupcall01.html [washington.edu]
  • Get the real stats (Score:5, Informative)

    by markcox ( 236503 ) on Saturday March 26, 2005 @11:37AM (#12054159) Homepage
    http://blogs.redhat.com/people/archive/000201.html [redhat.com] links you to the raw downloadable data on how well Red Hat really did and a trivial Perl script to analyse it and drop out all sorts of metrics.
  • by QuantGuy ( 654249 ) on Saturday March 26, 2005 @12:48PM (#12054464)

    ...and found it lacking in several respects.

    Some background. I work as an industry analyst for a major technology research firm you've heard of. We were asked to review the methodology and findings of the report prior to its publication---i.e., at the beginning of March.

    Things I commented on, among others:

    • No detailed breakdown of individual vulnerabilities. Which components were affected? How are they distributed?
    • No indication of which version of Apache was being used. 1.x? 2.x? Were the vulnerabilities for both versions counted erroneously?
    • Prominence given to a dubious metric: "days of risk," which biases scores in favor of Microsoft since Red Hat, Apache et al don't follow the same "responsible" disclosure process
    • Comparison of a managed runtime script engine (CLR+ASP.NET) with one that isn't (PHP). The correct "apples-to-apples" comparison (that's the authors' phrase, not mine) would be with JRE+JSP (e.g., Tomcat). Gee, no buffer overflow problems with ASP.NET. What a surprise!

    In short, the authors' claims that the methodology was "transparent" and "reproducible" are unfounded, since there is no way to inspect the data underlying their conclusions. I predicted they'd be heavily flamed by the open source crowd, and that they ought to make some changes to the report before they went public. They didn't, other than to acknowledge (but not address) a few of the methodological issues we raised.

    It's really too bad, since I really liked their emphasis on "role-based" analysis; that is, look at the specific "stack" for a particular use case, for example web serving. The methodology paper, in case you haven't read it, is worthwhile reading. But all that good work is sullied since we can't see the data.

  • by dodobh ( 65811 ) on Saturday March 26, 2005 @12:57PM (#12054495) Homepage
    An antivirus is like an IPS. Reactive. It can only catch what it knows. The current lot of viruses is good enough that you should just format and reinstall if your OS is infected.

    Exactly the same thing that you do with a rootkit infected Unix system.

    Also, the security of a system depends on the administrator. You are administering your friend's system. Slight difference.

    Oh, and did you turn off the RPC services?
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday March 26, 2005 @01:44PM (#12054698)
    Here it is: http://www.securityinnovation.com/pdf/windows_linux_final_study.pdf [securityinnovation.com]
    So has anyone already taken this to the test?
    What "test"? The whole point is how their "methods" are flawed.
    As long as there is no counterevidence (besides the obvious evidence from everyday use of both OS's), why already pass a judgement? (Ok, this -is- Slashdot, I'm not -too- new here)
    Here's the "counterevidence":

    Scenario: You are running a web site on Linux. All ports are blocked by the default firewall except port 80.
    Is a local exploit in a .pdf reader that is not remotely accessible, but that goes unpatched for a year worse (in your opinion) than ... ... a remote httpd exploit that gives you root access but which has the patch released with the vulnerability announcement on a public mailing list but you don't deploy it for 1 week while Red Hat packages it and tests it?

    By their "methods", the .pdf reader is far, Far, FAR, FAR worse than the httpd one.
    Although I find it dubious, to say the least, to have MS funding this research; I still think that they should at least try to reproduce the results, and investigate what might have been left out (on purpose) to skew the outcome.
    Read the study. They did NOTHING that just about any 5th grade student couldn't do.

    They counted the vulnerabilities (X).

    They added together all the days between announcement of vulnerability and Red Hat releasing a patch (Y).

    They divided Y by X to find the average time between vulnerability announcement and Red Hat releasing a patch.

    They did the same for Win2003.

    Then they announced that Win2003 was more secure because it had less time between public announcement and public patch.

    That is all they based this "report" on.

    Their methodology is fundamentally flawed. You can do the same arithmetic they did and get the same results, but that does not mean that their findings are valid.
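As an added example (not code from the study or from anyone in this thread), the three-step arithmetic described above, run over constructed records for the web-server scenario in the same comment; the component names, dates and the open-port filter are assumptions, not real vulnerability data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    component: str
    announced: date        # public announcement of the issue
    patched: date          # vendor patch available
    port: Optional[int]    # network port it is reachable on; None = local only


def days_of_risk(v: Vuln) -> int:
    """Days between public announcement and patch for a single issue."""
    return (v.patched - v.announced).days


def average_days_of_risk(vulns: list[Vuln]) -> float:
    """The study's headline metric as the thread describes it:
    count the issues (X), add up the days (Y), report Y / X.
    Severity and reachability play no part in it."""
    if not vulns:
        return 0.0
    total_days = sum(days_of_risk(v) for v in vulns)   # Y
    return total_days / len(vulns)                      # Y / X


def exposed_days_of_risk(vulns: list[Vuln], open_ports: set[int]) -> float:
    """Same arithmetic, restricted to issues an attacker can reach through
    the firewall in this deployment (a constructed refinement, not the study's)."""
    reachable = [v for v in vulns if v.port is not None and v.port in open_ports]
    return average_days_of_risk(reachable)


# Constructed records for the scenario: a Linux web host with only port 80 open.
WEB_HOST = [
    # local-only PDF reader bug, unpatched for a year (365 days)
    Vuln("pdf-reader (local)", date(2004, 1, 1), date(2004, 12, 31), port=None),
    # remote root in httpd, patch deployed after one week (7 days)
    Vuln("httpd (remote root)", date(2004, 6, 1), date(2004, 6, 8), port=80),
]

if __name__ == "__main__":
    print("headline metric:", average_days_of_risk(WEB_HOST))        # 186.0
    print("reachable only :", exposed_days_of_risk(WEB_HOST, {80}))  # 7.0
```

The unreachable PDF reader issue drags the headline average to 186 days, while the only issue the firewall actually exposes was closed in 7.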

  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Saturday March 26, 2005 @02:34PM (#12054906) Homepage
    Huh?

    If you ignore security, stability and some flexibility

    The first two are *critical* to a webserver, and rule out IIS in the first sentence.

  • by innocent_white_lamb ( 151825 ) on Saturday March 26, 2005 @02:51PM (#12055028)
    By anyone's logic, MS-DOS 6.2 is more secure than Win2003.

    MS-DOS is a small kernel with a simple single-tasking program loader, limited number of more-or-less independent programs that "do stuff", and very limited communication abilities.

    Windows, on the other hand, is a colossal set of interdependent programs, libraries and ghawd-knows-what-else, that can interact with each other in so many ways, in parallel, and at such great speed that nobody can possibly claim to completely understand how it works. Plus it is designed with advanced communication abilities.

    Someone once described modern Windows as a giant hairball; that seems accurate to me.
