Microsoft Silently Backs Favorable Presentation at RSA 256
lildogie writes "Two researchers, from the Florida Institute of Technology and Boston-based Security Innovation Inc., 'surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system' according to the Seattle Post-Intelligencer. 'This week, the researchers released their finished report, and it included another surprise: Microsoft was funding the project all along.' When will they ever learn?"
Unsurprising (Score:2, Insightful)
Re:Who? (Score:1, Insightful)
One lose scientific credibility, one does not.
They had to create a new "never before used" metric just to get the results they wanted, and the metric is stupid to boot.
The *real* reason Microsoft sucks... (Score:5, Insightful)
I like Active Directory and a few other Microsoft creations, and I even have an MCSE. Hell, Exchange has a good feature-set; if it would just stay up and be easier to manage it'd be a great product too.
What I can't abide is being told that IIS is superior to Apache, and that Windows is more secure than "Linux". They send out these teams of spin-doctors with big bankrolls and try and take over the world using FUD. It's total crap.
When do you see Linus doing this? Steve Jobs? Not very often. There are occasional comments, but nothing like this steady stream of trash that comes out of Redmond. I grow tired of it, and my reasons for disliking the company have never been more clear.
from the article (Score:5, Insightful)
It was later learned that Microsoft "had complete financial control over all employees involved in the project."
Anyway, is Microsoft trying to develop a pattern here? Every time windows beats linux it's from a source microsoft paid.
Transparent and Open? (Score:2, Insightful)
Re:It's not just Microsoft (Score:4, Insightful)
Re:The *real* reason Microsoft sucks... (Score:2, Insightful)
And before you jump at me saying "Well, duh, they are a business, and the whole point of a business is to make money", yes, I know that, and I still find it disgusting. There's a point where unethical behavior actually starts affecting peoples' lives.
What a surprise... (Score:5, Insightful)
But the proof of the pudding should be in the eating: apply their methodology. Does it pan out for other Linux distributions/XP upgrades? If the methodology stands, it will be a great service to the debate.
It's just a damn shame the politics of the situation mean that probably won't happen.
Re:The *real* reason Microsoft sucks... (Score:5, Insightful)
If you think a comment along those lines is trolling, I suggest you take another look at the definition.
Windows may be more secure than some distributions (Score:3, Insightful)
They already did learn. (Score:5, Insightful)
When will they ever learn?
When will who learn? Microsoft? They already did. They learned that funding reasearch groups is a great way to portray themselfs as they see fit and at the say time spread FUD about linux and other competitors.
Duplicate the research and outcome (Score:4, Insightful)
So has anyone allready taken this to the test ?
As long as there is no counterevidence (besides the obvious evidence from everyday use of both OS's), why allready pass a judgement? (Ok, this -is- Slashdot, I'm not -too- new here)
Allthough I find it dubious, to say the least, to have MS funding this research ; I still think that they should at least try to reproduce the results , and investigate what might have been left out (on purpose) to skew the outcome.
When will they ever learn? (Score:5, Insightful)
The point is that many people who matter will see this paper, they are busy people they will read the headlines and the conclusions, they won't even notice that there is something about funding. These peole are IT directors and the like.
Yes: we geeks say that the report is a joke because of the way that it is funded; learn that the joke is on us since we dismiss this paper as irrelevant when it is opinion forming.
Re:Unsurprising (Score:2, Insightful)
Re:Would somebody please refute the numbers (Score:4, Insightful)
If you really take as gospel truth everything you believe about Linux, without demanding proof, why are you worrying about whatever trick makes the Windows numbers look good?
Loss of Credibility (Score:2, Insightful)
If you are going to derive your research from presupposed conclusions it helps to AT LEAST choose a plausible sounding conclusion.
As a genuine security researcher , I don't think anyone knowledgeable in the field believes that Microsoft has a more secure OS than a hardened version of Linux.
Speaking as an academic, it is somewhat disappointing to see this kind of spin besmirch the ivory tower of a university institution.
Researchers... (Score:5, Insightful)
The conclusion has to be that selling IT snake oil is an even better bet than becoming an aromatherapist or an urban shaman. No-one is likely to be able to prove you wrong, and you can continue to be paid by your vendor of choice secure in the knowledge that most publications will not print anything that upsets their biggest advertisers, and that even if a few minority interests notice the connection between your conclusions and your paycheck, the wider world probably won't notice.
The system will only fall apart if academic institutions get together and pass some suitably tough rules on the ethics of product comparisons - and history suggests that that the first one under the new rules will be a study of the aerodynamics of different breeds of pigs.
The first flaw was in the late disclosure (Score:4, Insightful)
Academia requires funding, and researchers are usually funded. Funding agencies always have a perspective (even when you're funded by the NIH or NSF or other federal agencies). The agreement that the researcher has intellectual control of the research process, data, and the right to publish is key, especially with commercial sponsors (e.g., MS, pharma companies).
These folks may well have had an agreement ensuring them that they could find what they found and freely report it. And if they reported it, others can appraise the quality of their methods. I haven't read the study, so I don't know if the comparison was fair. Did their support from MS include someone sending them specially-configured systems, for example?
But I do know that they should have known better than not to disclose the funding source in their first talk.
Re:Unsurprising (Score:5, Insightful)
Only those, who follow enough news to "know" M$ tactics.
Unfortunately, there are enough middle/upper management people who don't look into matters that closely and are simply "swayed" by knowing that M$ has market dominance -- and just tell themselves that "M$ wouldn't have it if their products sucked so badly, now would they?".
As long as there is enough ignorance or even indifference on (non-technical) management levels, M$ *will* see benefits from each time they're doing that.
(Besides, there is also the issue that you can't really go on to sue them for bad security if so many security companies openly tell of Microsoft's great security and the lack of security in competing OS's.).
The fact is, M$ OS's aren't "safe", and neither is a run-of-the-mill linux installation. Both need updates and security-conscious people administrating them to keep them shut. I've had people break into my (linux) servers once or twice , and managed to evict the attackers both times and plugged the holes they used that I had been unaware of before - but by now there are so many software packages that it's hard to keep track of security issues in all of them.
But, yes, despite those experiences, I'd still run a linux box over a windows box any day, because I think that in general my linux box is safer.
Paid opinions are worth exactly nothing (Score:3, Insightful)
Linux has been the choice of the leading edge for several years, it is well-established as the choice for the early adopter, and it's now starting to become a serious option for the mass market.
The mass market listens to the early adopters, the early adopters listen to the pioneers. That's the way it goes with technology, and that's why marketing only helps when products are otherwise equal.
Microsoft should work on the real problem - the low quality of their products, and the real gap between their outdated expensive proprietary software and the commodity alternatives - rather than try to influence the market with propaganda. Unless, of course, they have come to the realisation that they cannot fix the problems.
It will be newsworthy when a study finds that Microsoft has made a better product than the community, and when the study is both independent and accurate.
If Apple can do it, why can't you guys at Microsoft? It's just software... infinitely plastic, and you are so smart, so rich...
Nope. They won't do it. They just don't get it. They will continue to bitch and bluster and bluff until it's too late.
It's a shame. All that talent, all that money, and all they can do is pay people to lie.
Methodology...? (Score:5, Insightful)
And since they're claiming that this is a "Linux vs. Windows" research paper, the fact that they're looking at using the boxes as web servers makes it seem more like they're comparing Apache/PHP/MySQL to IIS/ASP/SQL...
I'm rather new to the Linux world, but isn't that like looking at the engine of a car, and saying the doors don't work?
What really makes me mad is... (Score:3, Insightful)
So, if you get a sloppy distro (wont cite any names to avoid flames) and compare it to Windows, you can say that distro is more insecure than Windows. But you cant say "Linux is more insecure than Windows"!
If they really want to compare Linux to Windows, well... then lets compare the kernels, Linux X NT! Witch one is more secure? Has more bugs? Heh, that's something I'd like to see.
Re:Loss of Credibility (Score:2, Insightful)
Right there is the flaw in your statement. You're correct in that no one in the field would believe that a Microsoft OS is more secure than a hardened version of Linux. On the same token though, any reputable person in the field would agree that a hardened version of Microsoft's OS is not any less secure than a hardened version of Linux.
Speaking as an academic, it is somewhat disappointing to see this kind of spin besmirch the ivory tower of a university institution
What are you talking about? Academic research is funded by corporatations all the time. Why is this any different? Just because they were funded by Microsoft does not immediately mean the research is flawed or skewed. Have you reviewed the paper? My guess is not. Before making straw man arguments make sure you have all the facts.
I'm not trying to make a claim for or against the findings - only that, with the amount of information we have about the research; at this time, these kinds of statements, "These sell outs always surprise me," are completely unwarranted.
It's the business practices (Score:5, Insightful)
Sure, their products suck. But on its own, that wouldn't be a problem, because people would be free to choose the best product for the job. MS would be under the same commercial imperatives as anyone else: make good products, or die.
But their business practices suck too. Because of that, the market isn't free to pick the best products.
They pay people (individuals, dealers, companies, governments) to use their sucky products, by offering discounts and other incentives -- even giving them away if necessary. They pay competitors not to make competing products, by buying them off. They pay masses in marketing to make their products seem less sucky. They pay lawyers to find ways to prevent competitors making better products. They pay dealers and distributors not to bundle competitors' products. They pay lawmakers to prevent competitors being able to compete fairly. They pay training companies to ensure that there's more expertise for their products. They pay their own developers to break competing products in various underhand ways. They pay anything they can to support their products.
And so, ultimately, we all pay...
In short, it's their immoral and illegal business practices which make their dodgy products popular. Prevent those, and their products wouldn't be a problem.
A no-brainer for MS (Score:2, Insightful)
Also, the compared systems are not equal in scope. Redhat's Enterprise Linux offers a whole lot more software than a 'naked' Windows Server 2003, and thus a lot more potential for security problems. If you coompared Windows Server 2003 with a rather bare Linux setup with no frills that offers similar functionality, then you could compare those systems.
In other words, the results of the study were already clear before the "researchers" started it. MS had nothing to lose because they could very much assume the results would be favourable to them. They didn't even need to put any pressure at all on those "researchers".
Blinded Me With Science (Score:2, Insightful)
After reading Slashdot for years (Score:3, Insightful)
When one of my roommates got a Dell recently, I took a look at his XP before connecting to the internet. A few clicks and the firewall was on. A few more clicks and his anti-virus software was up and running. After connecting to our LAN I downloaded Firefox, and for the past month and a half he has had no problems with any security issues on his machine. No, Windows is inherently not as secure as linux, but if you know what you are doing, you will be able to set up your Wintel box to be decently safe and hacker-free.
The downside is, of course, that Microsoft could do a lot more to make Windows more secure out of the box. But Linux (and the Linux community) has a long way to go before the average wal-sumer will feel comfortable using Linux machines, much less knowing how to run them.
Re:Unsurprising (Score:1, Insightful)
Re:The *real* reason Microsoft sucks... (Score:5, Insightful)
My company isn't taking off as quickly as I'd hoped, but I'd rather fail and leave my conscience in tact and know that I did it the ethical/moral way. Our goal is to build mutual beneficial relationships with our customers, not to sell them shit they don't need.
Sales people push. Partners (what we consider ourselves) work to provide benefits. It's no harder to operate in a good manner than it is in a poor manner.
That being said, my first company failed (too green out of college), my second company is just running at break-even (it does provide some good community services though so it's good karma either way), and my third company is getting close to break-even.
I'd rather work for myself and make $20,000/year than work for (insert global corp here) and make $120,000/year. It's more rewarding and the stress isn't comparable. Most people don't realize that starting your own business is primarily difficult because it requires fiscal discipline and the ability to not be afraid of the umbilical (sp?) cord being cut from receiving a paycheck every 2 weeks or half month. In the end most people are 2 paychecks away from being broke anyway.
Employees are expensive but running a company with integrity is priceless!
Key part of the article (Score:5, Insightful)
Thompson said he and Ford developed the methodology on their own and submitted a proposal to Microsoft last year. He declined to say how much Microsoft paid to fund the research, but he said the company didn't have a say in the methodology.
I'm surprised that this kind of research would get so much attention . . . reading between the lines, the research proposal was written to attract money from Microsoft. This implies an immediate conflict of interest . . . the research proposal and methodology were very possibly skewed in favor of Microsoft from the very beginning to garner Microsoft's favor and money.
This is like writing a research proposal on the effects of smoking to get money from Phillip Morris. Of course such a proposal won't be written is such a way as to build a link between smoking and cancer . . . it would likely be written to imply that the research may refute the link between smoking and cancer. Skew the proposal in favor of the benefactor and one is more likely to get money . . .
The whole process needs to be more transparent . . and all of the facts need to be issued before presenting . . . otherwise this is just irresponsible research.
Re:The *real* reason Microsoft sucks... (Score:4, Insightful)
Nor is RMS, but lots of free software hackers work for corporations (for instance, good GCC work has been done by Cygnus and now by Red Hat). But it's important that we don't come away thinking that "Linux" is an operating system (it's a kernel) or that Linus Torvalds alone represents all of the work one finds on a GNU/Linux system. The result of many people's participation is found in a modern GNU/Linux system.
This is "interesting"? I THINK NOT. (Score:5, Insightful)
Now...
1) Microsoft waits until they actually have a fix or is forced to report/acknowledge an exploit when someone else makes an issue of it.
2) Microsoft doesn't report any other exploits that they know about and doesn't go auditing for potential issues either.
3) The Open Source community as a whole is rather paranoid compared to Microsoft when it comes to overall security so they report anything that might be a potential problem.
Given the above items, that isn't a terribly good metric for determining overall security, nor is determining how secure the OS is by the reported issues. Overall security is a measure of how many issues, how severe, how exploitable, and how well they get fixed. Microsoft consistently flunks in the overall issues (they have more than we do, we just don't find out about them until after the fact...), severity, and fixing arenas.
Combine this all with the facts that Microsoft maintained editorial AND financial control of the entire "study" and it all becomes a farce and worthy of the derision we're all heaping up on it.
The bottom line.. (Score:5, Insightful)
The problems with the study:
1. The researchers were dealing with vendor-supplied patches of RHEL3.0 and Windows 2003 Server only. If a Linux vulnerability was released, and then patched by the author on the same day, but Red Had didn't release an update until 7 days later, this would be counted as a week. (Which may or may not be the correct way to view it - it's an 'apples-to-apples' comparison of a distinct 'apples-to-oranges' problem.)
2. the researchers didn't take into account the severity of the vulnerabilities. A local DOS vulnerability was given the same weight as one that offered remote administrative priveleges. The RHEL vulnerabilities were typically not as severe as the Windows ones.
3. the researchers didn't take into account whether the vulnerabilities were theoretical or not. A vulnerability that was theoretical was given the same weight as one which was proven real. All of the vulnerabilities in Windows were real, while the same is not true of RHEL.
4. The researchers didn't take into account the fact that RHEL has *much* more software included with it than Windows Server 2003. More software == more vulnerabilities.
5. The study dealt with "public disclosures" - security researchers typically work with the vendors, giving them some period of time to produce a fix before releasing the advisory; again, as the "vendor" in OSS is the program author, and not Red Hat, MS has a distinct advantage in "number of days to fix", as they can have a fix ready before the advisory is released, while Red Hat usually cannot. (This ties back into point #1 above.)
yeah but how many people see the code? (Score:3, Insightful)
Windows Server benefited in part from Microsoft's reduction of security vulnerabilities in the latest version of the software -- with 52 reported vulnerabilities for the year, compared with 132 vulnerabilities for the Linux version, according to the report. The researchers also calculated an average of about 31 days of risk for the Windows software in 2004, compared with an average of about 70 days of risk for the Linux version.
Yeah but how many people get to review M$ code and discover new vulnerabilities? Did they account for that in their bug count methodology?
How do you define "security"? (Score:5, Insightful)
It's all about limiting the avenues of attack.
I run Ubuntu, you cannot crack my machine with any worm because it does not have any ports open to you.
I can put that machine on a DSL connection and read
You believe that no matter how much care is put into designing an app, security holes will magically appear once enough people start using it. Nope. That's usually a sign of a "buffer overflow". Nice. You keep confusing software that crashes with security holes.
Whatever. And no mention of Browser Helper Objects of how IE runs with unreasonably high access rights. Well, you certainly can't argue with that "logic".
All I can do is to point out that all security issues are not the same.
#1. Remote exploit that gives root/admin rights.
#2. Remote exploit that gives non-root access.
#3. Local exploit that gives root/admin rights.
Way way way down the list is "Exploit that crashes the app". The worst you can get from that is a DoS attack.
But to you, all issues are the same. If FireFox crashes, that's just as bad as the sasser worm on Windows.
Sure, it may be impossible TODAY for someone to crack my Ubuntu desktop
Re:Unsurprising (Score:1, Insightful)
My main difficulty with the report (assuming the findings are valid) is that it's selective in it's scope - it looks at days of risk between when vulnerabilities are found, and when these vulnerabilities are fixed - but doesn't look at what exploits actually exist in the wild, so it shouldn't be used to conclude that running a Windows server is less risky than a Linux server. In fact, the authors of the report acknowledge that there are other factors that should be considered. From the report [sisecure.com]:
To get a full view of Security Risk, one has to get a view of two factors:
Of the two factors, our own experience leads us to believe that the latter is more difficult to quantify and predict in an objective manner. This is an exciting and open field and we strongly encourage others to consider this as an area for thoughtful research. However, given that there are research opportunities in both areas, we have chosen to try and make progress in studying and measuring the vulnerability factors first; this is a critical precursor to other threat-based metrics.
Unfortunately, many commentators will ignore this part of the report and will simply conclude that Windows is more secure than Linux.
However if the report's analysis does hold water, albeit for the limited scope of the report, surely this is something that we should be concerned about. It should be possible for an independent analysis based on the methodology in the report, and I would like to see criticisms of the methodology/analysis rather than the fact the report was funded by Microsoft.
Re:Unsurprising (Score:5, Insightful)
You instruct them to ask the questions that reveal the 10 features that favour your product A.
That's it. Simple as that. No lying required. This is the reason why you don't even bother to read a report that is financed by one of the product companies.
Now, the reasons why Security Innovation have chosen the two measures that you mention is quite obvious. It favours secret development over open development. Yet these factors do not have a direct relationship to how secure an operating system is. They are metrics that are at least one step removed. A direct metric would be for example, looking how often real systems are successfully attacked.
Re:The *real* reason Microsoft sucks... (Score:3, Insightful)
Some of their products are good.
Some of them suck.
All in all, their business practices are abhorrent. Intentionally introduced, easy to fix incompatibilities piss me off.
Releasing all this FuD when its not necessary. (They are still the marketing leaders in most areas).
The atrocious way they've dealt with some of the ex-partners (competitors). Like Stacker, or Corel, or Caldera.
I can't stand it, and that's why I won't recommend a Microsoft product, ever. There's always either an almost as good solution, or a better solution, from another supplier, and given that the gap between Microsoft (even when they are ahead) and other suppliers is never that big, I'll ALWAYS recommend the other supplier.
Thankfully, other suppliers are getting closer and closer, and its easier to recommend them for most tasks.
I always thought that one day Microsoft would 'grow-up', and develop into an IBM of the PC world. Always there, always 85% competitive, always an important part of the market, but not this paranoid schizophrenic behavior pandering for marketshare (even more importantly than PROFIT, which is shocking) at all costs.
MS Money, for example. That's a product they should drop. They should simply give up in that area, and work on something else. MS Money is generally agreed to be inferior to all its competitors, and has never turned a profit for MS.
Yet they continue to develop it, at a loss, because Microsoft will NEVER give up a chance at control.
Very strange, and to me, not the behavior of a good component to the 'eco-system' of the software world.
It's worse than that... (Score:5, Insightful)
#2. They ONLY counted the days until Red Hat had a fix
So, a local exploit in a
WTF?!?
Or, rather, Microsoft can SIT on a vulnerability notification for YEARS and release the patch the SAME DAY they publicly admit the vulnerability and they will STILL get a better rating than the Apache vulnerability in the previous example.
There was NO research done for this "study". It is pure bullshit. Counting patches is MEANINGLESS when it comes to security.
By their "logic", MS-DOS 6.2 is even more secure than Win2003.
Re:The bottom line.. (Score:3, Insightful)
And it is this one that I think should stick in anyone's craw. Clearly this allows a report to be severely unbalanced and give points to MS. In fact, this particular methodology seems almost guaranteed to make any vendor that handles disclosure like MS look superior. These guys, no matter how they may try to defend themselves, became corporate shills by using this method.
Congrats MS, you've funded yet another distorted study,
I see a lot of "if" in there. (Score:5, Insightful)
If magical elves decided to hide bad code in Linux and if they had CVS access and if they wrote it right and if no one noticed
HOW is someone going to get that data into my OO.o document? Hmmmmmm?
Magic? I don't think so.
Why don't you skip the "if"s and start focusing on the "How"s?
Security doesn't rely upon "if". It relies upon "how".
Re:Would somebody please refute the numbers (Score:2, Insightful)
They neglected to mention that they were funded by Microsoft, which betrayed the faith I had put in their honesty. I do not have time to carry out a rigorous analysis comparing Linux and Windows security, I have to rely on shortcuts of reputation and apparent honesty. Studies that show Linux is more secure generally state their biases up front, studies showing a Microsoft advantage go against my experience and unfailingly turn out to have been covertly funded by Microsoft. So my standard of proof is much higher for studies that support Microsoft.
One aspect is never mentioned (Score:2, Insightful)
We get long discussions about TCO and security and others but never about what we are allowed to do with the software.
The problem with freedom is that it's difficult to explain to people that never experienced it. As the old joke goes when the american explained to the russian that in the USA you can criticize the president as much as you like the russian replied: you can criticize the american president in Soviet Russia as well, there's no restrictions on that.
Re:Unsurprising (Score:3, Insightful)
But, hey folks, the 800 pound gorilla from Redmond is not alone in these tactics. The pharmacutical industry pulls the same kinds of tactics when it comes to testing (and promoting) their drugs, and they have (apparently) far more pull with the government than MSFT does.
So this it the *everybody else does it* defense? Unless the appeal succeeds, Bernie Ebbers is going to jail, and Bill should be his cellmate. Microsoft is a convicted abusive monopolist and is held to higher standards than normal companies that have real competition. Funding a self-serving survey/study like that is a slap in the face to the DOJ, not to mention it being completely dishonest and opposed to the welfare of consumers. Any company that can be proven to be lying during a trial (perjury), as Microsoft was, and still get off without a penalty is far more powerful than any drug company.
Re:The *real* reason Microsoft sucks... (Score:1, Insightful)
You are making an argument for ease of learning, not for ease of use. The two are not the same and IMHO can actually be conflicting goals.
Re:The *real* reason Microsoft sucks... (Score:3, Insightful)