Microsoft Silently Backs Favorable Presentation at RSA 256
lildogie writes "Two researchers, from the Florida Institute of Technology and Boston-based Security Innovation Inc., 'surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system' according to the Seattle Post-Intelligencer. 'This week, the researchers released their finished report, and it included another surprise: Microsoft was funding the project all along.' When will they ever learn?"
Who? (Score:3, Informative)
How Microsoft manipulates the results (Score:1, Informative)
That gives MS time to find a fix and reach a better "days-of-risk" value
Re:Would somebody please refute the numbers (Score:5, Informative)
This is the article (Score:2, Informative)
Get the real stats (Score:5, Informative)
Our firm reviewed the report pre-publication... (Score:5, Informative)
...and found it lacking in several respects.
Some background. I work as an industry analyst for a major technology research firm you've heard of. We were asked to review the methodology and findings of the report prior to its publication---i.e., at the beginning of March.
Things I commented on, among others:
In short, the authors' claims that the methodology was "transparent" and "reproducible" are unfounded, since there is no way to inspect the data underlying their conclusions. I predicted they'd be heavily flamed by the open source crowd, and that they ought to make some changes to the report before they went public. They didn't, other than to acknowledge (but not address) a few of the methodological issues we raised.
It's really too bad, since I really liked their emphasis on "role-based" analysis; that is, look at a specific "stack" for a particular use case, for example web serving. The methodology paper, in case you haven't read it, is worthwhile reading. But all that good work is sullied since we can't see the data.
Re:After reading Slashdot for years (Score:3, Informative)
Exactly the same thing that you do with a rootkit infected Unix system.
Also, the security of a system depends on the administrator. You are administering your friends system. Slight difference.
Oh, and did you turn off the RPC services?
Have you READ their study? (Score:4, Informative)
What "test"? The whole point is how their "methods" are flawed. Here's the "counterevidence":
Scenario: You are running a web site on Linux. All ports are blocked by the default firewall except port 80.
Is a local exploit in a
By their "methods", the
They counted the vulnerabilities (X).
They added together all the days between announcement of vulnerability and Red Hat releasing a patch (Y).
They divided Y by X to find the average time between vulnerability announcement and Red Hat releasing a patch.
They did the same for Win2003.
Then they announced that Win2003 was more secure because it had less time between public announcement and public patch.
That is all they based this "report" on.
Their methodology is fundamentally flawed. You can do the same arithmetic they did and get the same results, but that does not mean that their findings are valid.
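To make the "days-of-risk" arithmetic described in the post above concrete, here is an added example (not code from the report, its authors, or anyone in this thread). It computes the average announcement-to-patch interval the way the post describes, and then applies the role-based filter the post argues for: a web server with only port 80 open and no untrusted local users. The advisory IDs, dates, components and ports are constructed sample data, not figures from the report.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Advisory:
    vuln_id: str          # constructed placeholder, not a real advisory identifier
    announced: date       # public announcement of the vulnerability
    patched: date         # vendor patch publicly available
    component: str        # affected package / subsystem
    remote: bool          # reachable over the network (False = needs a local account)
    port: Optional[int]   # port the component listens on, if it is a network service


# Constructed sample advisories; the numbers are illustrative only.
SAMPLE = [
    Advisory("VULN-0001", date(2004, 1, 5), date(2004, 1, 8), "httpd", True, 80),
    Advisory("VULN-0002", date(2004, 2, 1), date(2004, 3, 2), "local-setuid-tool", False, None),
    Advisory("VULN-0003", date(2004, 2, 10), date(2004, 2, 12), "sshd", True, 22),
    Advisory("VULN-0004", date(2004, 3, 1), date(2004, 3, 31), "desktop-mail-client", False, None),
]


def days_of_risk(adv: Advisory) -> int:
    """Days between public announcement and public patch for one advisory."""
    return (adv.patched - adv.announced).days


def average_days_of_risk(advisories: Iterable[Advisory]) -> float:
    """The report's metric as the post describes it: sum the intervals (Y),
    count the advisories (X), and return Y / X."""
    advs = list(advisories)
    if not advs:
        return 0.0
    return sum(days_of_risk(a) for a in advs) / len(advs)


def applicable_to_role(adv: Advisory, installed: set, open_ports: set,
                       untrusted_local_users: bool) -> bool:
    """Role-based filter (assumption made for this example): an advisory counts
    for a host only if the component is installed and either it is reachable
    through a port the firewall leaves open, or it is a local issue on a host
    that actually has untrusted local users."""
    if adv.component not in installed:
        return False
    if adv.remote:
        return adv.port in open_ports
    return untrusted_local_users


def role_days_of_risk(advisories: Iterable[Advisory], installed: set, open_ports: set,
                      untrusted_local_users: bool = False) -> float:
    """Average days-of-risk over only the advisories that apply to this role."""
    relevant = [a for a in advisories
                if applicable_to_role(a, installed, open_ports, untrusted_local_users)]
    return average_days_of_risk(relevant)


if __name__ == "__main__":
    web_stack = {"httpd", "sshd", "local-setuid-tool"}
    print("vendor-wide average:", average_days_of_risk(SAMPLE))
    print("web server, only port 80 open:", role_days_of_risk(SAMPLE, web_stack, {80}))
    print("web server, ports 80 and 22 open:", role_days_of_risk(SAMPLE, web_stack, {80, 22}))
```

With this constructed data the vendor-wide figure is dominated by a local tool and a desktop mail client that a locked-down web server never exposes, so the two averages diverge sharply; the point is not the particular numbers but that the aggregate metric and the role-specific metric answer different questions.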
Re:The *real* reason Microsoft sucks... (Score:3, Informative)
If you ignore security, stability and some flexibility
The first two are *critical* to a webserver, and rule out IIS in the first sentence.
Re:It's worse than that... (Score:2, Informative)
MS-DOS is a small kernel with a simple single-tasking program loader, limited number of more-or-less independent programs that "do stuff", and very limited communication abilities.
Windows, on the other hand, is a colossal set of interdependent programs, libraries and ghawd-knows-what-else, that can interact with each other in so many ways, in parallel, and at such great speed that nobody can possibly claim to completely understand how it works. Plus it is designed with advanced communication abilities.
Someone once described modern Windows as a giant hairball; that seems accurate to me.