
Microsoft Silently Backs Favorable Presentation at RSA

Posted by CowboyNeal
from the part-of-the-machine dept.
lildogie writes "Two researchers, from the Florida Institute of Technology and Boston-based Security Innovation Inc., 'surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system' according to the Seattle Post-Intelligencer. 'This week, the researchers released their finished report, and it included another surprise: Microsoft was funding the project all along.' When will they ever learn?"
  • Unsurprising (Score:2, Insightful)

    by Goo.cc (687626) *
    Okay, who didn't see this coming?
    • Re:Unsurprising (Score:2, Insightful)

      Since I work with a security company, the methodologies used say that a security company should not take any sides. But since this is Microsoft they should have made their research with a triple verification with some company like IBM, CGI and [insert security company here].
      • Test #1 Intruders are capable of taking control over the computer. Results: Linux: The system was finally hacked (after leaving the root/administrative account w/o a password, which seems fair to windows) Windows: The system crashed... nobody was able to take control! Analysis and conclusions: Windows is much better!
    • Re:Unsurprising (Score:5, Insightful)

      by beh (4759) * on Saturday March 26, 2005 @11:43AM (#12054178)
      Okay, who didn't see this coming?

      Only those who follow enough news to "know" M$ tactics.

      Unfortunately, there are enough middle/upper management people who don't look into matters that closely and are simply "swayed" by knowing that M$ has market dominance -- and just tell themselves that "M$ wouldn't have it if their products sucked so badly, now would they?".

      As long as there is enough ignorance or even indifference on (non-technical) management levels, M$ *will* see benefits from each time they're doing that.

      (Besides, there is also the issue that you can't really go on to sue them for bad security if so many security companies openly tell of Microsoft's great security and the lack of security in competing OS's.).

      The fact is, M$ OS's aren't "safe", and neither is a run-of-the-mill linux installation. Both need updates and security-conscious people administrating them to keep them shut. I've had people break into my (linux) servers once or twice, and managed to evict the attackers both times and plugged the holes they used that I had been unaware of before - but by now there are so many software packages that it's hard to keep track of security issues in all of them.

      But, yes, despite those experiences, I'd still run a linux box over a windows box any day, because I think that in general my linux box is safer.
      • Re:Unsurprising (Score:3, Interesting)

        by quarkscat (697644)
        I certainly don't mean to let MSFT off the hook for such brazen (and repeatedly brazen) self-promotion. MSFT is a convicted (but yet to truly be punished) monopolist corporation that cannot be trusted to build a secure OS or Apps Suite, let alone to "play fairly" in the marketplace.

        But, hey folks, the 800 pound gorilla from Redmond is not alone in these tactics. The pharmaceutical industry pulls the same kinds of tactics when it comes to testing (and promoting) their drugs, and they have (apparently) far more pull
        • Subject is enough answer, I guess.

          Just let me note, regarding your drug company example, that medicines generally don't make it unhealthy for everyone in a corporation to use alternative drugs from another company... :-)

          The rest is a bit off topic. I commented instead of using mod points.

        • Re:Unsurprising (Score:3, Insightful)

          by vsprintf (579676)

          But, hey folks, the 800 pound gorilla from Redmond is not alone in these tactics. The pharmaceutical industry pulls the same kinds of tactics when it comes to testing (and promoting) their drugs, and they have (apparently) far more pull with the government than MSFT does.

          So this is the *everybody else does it* defense? Unless the appeal succeeds, Bernie Ebbers is going to jail, and Bill should be his cellmate. Microsoft is a convicted abusive monopolist and is held to higher standards than normal compa

  • Who? (Score:3, Informative)

    by Skiron (735617) on Saturday March 26, 2005 @11:07AM (#12054021) Homepage
    MS or researchers. One wins $$ and one wins $$...
  • Wait what? (Score:5, Funny)

    by failure-man (870605) <failuremanNO@SPAMgmail.com> on Saturday March 26, 2005 @11:08AM (#12054027)
    People will say whatever you want if you give them lots of money? Impudence!
    • People will always read what's put in front of them without checking sources, too. That fact is what Microsoft is after.

      Some of us may care because we make our living as software developers, resellers, et al. We know how much competing with a giant means to our personal bottom line. We care passionately about F/OSS because it's our livelihood. (Some may care passionately against F/OSS because they see it as a threat -- go figure.)

      It's that pointy-haired boss who's the target of these "studies", not
  • by danielrm26 (567852) * on Saturday March 26, 2005 @11:11AM (#12054037) Homepage
    These people make me sick. It's stories like this that make me realize why Microsoft is the object of so much hate. It's not because of their products, it's all about how they deal with competition.

    I like Active Directory and a few other Microsoft creations, and I even have an MCSE. Hell, Exchange has a good feature-set; if it would just stay up and be easier to manage it'd be a great product too.

    What I can't abide is being told that IIS is superior to Apache, and that Windows is more secure than "Linux". They send out these teams of spin-doctors with big bankrolls and try and take over the world using FUD. It's total crap.

    When do you see Linus doing this? Steve Jobs? Not very often. There are occasional comments, but nothing like this steady stream of trash that comes out of Redmond. I grow tired of it, and my reasons for disliking the company have never been more clear.
    • by failure-man (870605) <failuremanNO@SPAMgmail.com> on Saturday March 26, 2005 @11:15AM (#12054055)
      Who modded this troll? Does Microsoft pay to mod down anti-fud too?
    • Why has this been modded Troll? Parent is simply expressing his disgust with Microsoft's business tactics, and so am I.

      And before you jump at me saying "Well, duh, they are a business, and the whole point of a business is to make money", yes, I know that, and I still find it disgusting. There's a point where unethical behavior actually starts affecting people's lives.
    • by gidds (56397) <slashdot&gidds,me,uk> on Saturday March 26, 2005 @11:57AM (#12054228) Homepage
      Yep, I've been saying this for years too.

      Sure, their products suck. But on its own, that wouldn't be a problem, because people would be free to choose the best product for the job. MS would be under the same commercial imperatives as anyone else: make good products, or die.

      But their business practices suck too. Because of that, the market isn't free to pick the best products.

      They pay people (individuals, dealers, companies, governments) to use their sucky products, by offering discounts and other incentives -- even giving them away if necessary. They pay competitors not to make competing products, by buying them off. They pay masses in marketing to make their products seem less sucky. They pay lawyers to find ways to prevent competitors making better products. They pay dealers and distributors not to bundle competitors' products. They pay lawmakers to prevent competitors being able to compete fairly. They pay training companies to ensure that there's more expertise for their products. They pay their own developers to break competing products in various underhand ways. They pay anything they can to support their products.

      And so, ultimately, we all pay...

      In short, it's their immoral and illegal business practices which make their dodgy products popular. Prevent those, and their products wouldn't be a problem.

      • by dnoyeb (547705) on Saturday March 26, 2005 @02:59PM (#12055096) Homepage Journal
        When the sales team is given a quality product to push, they can do it with integrity and morals.

        When the sales team is given a garbage product to push, they can not do it with integrity and morals.

        The suckage of their business practices is in direct proportion to the suckage of their product offerings.

        MS Word has been downhill since Word 97. I remember MS Visual Studio 5 which had a Great help system. After 5 they said "screw the help, just use the MSDN CD." Something serious happened in Microsoft about the time when the internet was getting big. They totally lost their minds.
    • I agree wholeheartedly.

      Some of their products are good.

      Some of them suck.

      All in all, their business practices are abhorrent. Intentionally introduced, easy to fix incompatibilities piss me off.

      Releasing all this FuD when it's not necessary. (They are still the marketing leaders in most areas).

      The atrocious way they've dealt with some of the ex-partners (competitors). Like Stacker, or Corel, or Caldera.

      I can't stand it, and that's why I won't recommend a Microsoft product, ever. There's always either an
    • I use both Apache and IIS. If you ignore security, stability and some flexibility, IIS has some distinct advantages over Apache. For starters, it's far more user friendly with a nice management GUI. I know there are third-party and distro specific add-ons to manage Apache with a GUI, but that's not a straight Apache installation. Any idiot can setup IIS. It takes a slightly more savvy idiot willing to edit conf files or a 3rd party GUI add-on to get Apache running properly. I find IIS's security simpler
    • " It's not because of their products, it's all about how they deal with competition."

      At this point, it's just to look cool on Slashdot. Don't forget there's a race here to get +5 Insightfuls.
  • by Anonymous Coward on Saturday March 26, 2005 @11:11AM (#12054038)
    The article should be from the 'well-duh' dept.
  • from the article (Score:5, Insightful)

    by Stevyn (691306) on Saturday March 26, 2005 @11:12AM (#12054040)
    "They say they had "complete editorial control over all research and analysis" involved in the project."

    It was later learned that Microsoft "had complete financial control over all employees involved in the project."

    Anyway, is Microsoft trying to develop a pattern here? Every time windows beats linux it's from a source microsoft paid.
  • by bird603568 (808629) on Saturday March 26, 2005 @11:14AM (#12054050)
    If you want your product to be found safe or secure or whatever, you fund research. Cell phone companies fund research to show that they are safe, but a recently published study by a guy from University of Washington proved otherwise.
    • by Anonymous Coward on Saturday March 26, 2005 @11:17AM (#12054062)
      Do Microsoft not realise that if they were to fund a project properly, take the criticism constructively and make Windows better as a result of it we would have a lot more respect for them? I don't think it really matters that Windows is insecure, it is the fact that they aren't trying to fix it, just cover it up that I find concerning.
  • So predictable (Score:3, Interesting)

    by gagge (808932) on Saturday March 26, 2005 @11:15AM (#12054053)
    All this research by MS funded institutions and researchers, Alexis de Tocqueville etc... It's too predictable. Do people actually believe anything they're saying? At least this time they didn't claim Torvalds isn't the father of Linux.
    • Do people actually believe anything they're saying?

      Propaganda is always directed at a specific target audience. In the purpose of such institutions as ADTI, there is no reason common people should believe them. But the politicians, both administrators and lawmakers, do, and that does count well.
    • Do people actually believe anything they're saying?

      They don't need to. This stuff is just fodder for metadata that ends up in marketing material for PHBs. You see it all the time; "Seven out of ten independent studies showed that black is white". It doesn't matter that anyone with a clue knows the research is paid for.
    • They'll make a go of claiming Linus isn't the father of Linux shortly...
  • "Our own requirement for the methodology was that it had to be very open and transparent." "However, during their Feb. 16 presentation at the RSA Conference, Thompson and fellow researcher Richard Ford of the Florida Institute of Technology did not mention that one of the subjects of their research was the one funding the project." Huh. As noted already, this reeks of bias. Even if the results are perfectly accurate (and the FUD surrounding the notion that "Linux" is insecure rather than a specific distro
  • What a surprise... (Score:5, Insightful)

    by ewe2 (47163) <(ewetoo) (at) (gmail.com)> on Saturday March 26, 2005 @11:20AM (#12054073) Homepage Journal
    ...and what a bad move. Anyone with half a brain would have looked for independent funding, separate from both sides to put their methodology beyond doubt. Instead they sold their concept to Microsoft, unbelievable naivety.

    But the proof of the pudding should be in the eating: apply their methodology. Does it pan out for other Linux distributions/XP upgrades? If the methodology stands, it will be a great service to the debate.

    It's just a damn shame the politics of the situation mean that probably won't happen.
    • ponder this... (Score:3, Interesting)

      by Hooya (518216)
      with their methodology, the proof of the pudding is this:

      all MS has to do to make their OS more secure as part of their 'trustworthy computing' is to announce the service pack and what it fixes one day *after* releasing the said service pack as the study uses a metric called 'days of risk'. can't beat the resulting -ve 'days of risk' unless the competitors did some serious time travelling to issue the patch. sure seems that if you actually make early disclosures it counts against you. some trustworthiness.
  • by stubear (130454)
    ...to consider the possibility that if the study was unfavorable to Microsoft's position they would simply have pulled the plug and thrown away the results? Unless you can find fault with the study itself, there is nothing wrong with Microsoft financing studies which show Microsoft in a favorable way as long as the study itself was legitimate. I realize this may be a difficult concept for many /.'ers to grasp but give it a shot.
    • by kryptkpr (180196) on Saturday March 26, 2005 @12:09PM (#12054282) Homepage
      We are not questioning their results, our problem is with their methodology.

      Their primary metric is "days since a vulnerability is disclosed to when a patch is released".

      Microsoft doesn't officially disclose anything (aka "responsible disclosure") until all of their major customers have already been hit, and they have a fix ready.

      Open-source software on the other hand has a tendency of being overly paranoid, and will release a security bulletin for every little thing as quickly as possible. This puts them at a natural disadvantage, using the above metric.

      According to these "researchers", not letting your customers know that there's a vulnerability is preferred to letting them know as soon as possible. This sort of sounds like a good idea, until you factor in the fact that black hats will know pretty much immediately, word spreads quick.
    • by Svartalf (2997) on Saturday March 26, 2005 @12:39PM (#12054434) Homepage
      C'mon now... We found faults with the methodology to begin with. The metrics they're using are completely useless for determining the relative security of an OS- they're using time to release fixes for reported exploits.

      Now...

      1) Microsoft waits until they actually have a fix or is forced to report/acknowledge an exploit when someone else makes an issue of it.

      2) Microsoft doesn't report any other exploits that they know about and doesn't go auditing for potential issues either.

      3) The Open Source community as a whole is rather paranoid compared to Microsoft when it comes to overall security so they report anything that might be a potential problem.

      Given the above items, that isn't a terribly good metric for determining overall security, nor is determining how secure the OS is by the reported issues. Overall security is a measure of how many issues, how severe, how exploitable, and how well they get fixed. Microsoft consistently flunks in the overall issues (they have more than we do, we just don't find out about them until after the fact...), severity, and fixing arenas.

      Combine this all with the facts that Microsoft maintained editorial AND financial control of the entire "study" and it all becomes a farce and worthy of the derision we're all heaping up on it.
      • by khasim (1285) <brandioch.conner@gmail.com> on Saturday March 26, 2005 @01:23PM (#12054599)
        #1. They didn't even evaluate the risk of each item they were counting AS IT PERTAINED TO THEIR DEFAULT INSTALL.

        #2. They ONLY counted the days until Red Hat had a fix ... NOT the days until a fix was publicly available.

        So, a local exploit in a .pdf reader that goes unpatched for a year (after being posted on public mailing list) is (by their calculations) WORSE than a remote root attack against the web server that is open on port 80 but which has a patch from Red Hat within a week (and a publicly available patch posted with the vulnerability announcement).

        WTF?!?

        Or, rather, Microsoft can SIT on a vulnerability notification for YEARS and release the patch the SAME DAY they publicly admit the vulnerability and they will STILL get a better rating than the Apache vulnerability in the previous example.

        There was NO research done for this "study". It is pure bullshit. Counting patches is MEANINGLESS when it comes to security.

        By their "logic", MS-DOS 6.2 is even more secure than Win2003.
        • By anyone's logic, MS-DOS 6.2 is more secure than Win2003.

          MS-DOS is a small kernel with a simple single-tasking program loader, limited number of more-or-less independent programs that "do stuff", and very limited communication abilities.

          Windows, on the other hand, is a colossal set of interdependent programs, libraries and ghawd-knows-what-else, that can interact with each other in so many ways, in parallel, and at such great speed that nobody can possibly claim to completely understand how it works.
        • By their "logic", MS-DOS 6.2 is even more secure than Win2003.

          By almost ANYBODY's logic, MS-DOS 6.2 is more secure than many other OSes. It's certainly more secure than Linux, or OpenBSD, or any UNIX at all.

          A default MS-DOS system has NO network ports opened.

          The system must be accessed physically to intrude into it.

          Everybody knows that once physical access has been reached, all bets are off. Very complex encrypted filesystem schemes must be implemented to make ANY OS more secure than any other, and

    • Let the article itself answer:

      ""It was evidence that Microsoft was doing better, and now the evidence is tainted," said Counterpane Internet Security founder Bruce Schneier, a longtime RSA Conference speaker. "The results might be accurate, but now nobody's going to care, because all they'll see is a bias that was undisclosed."

    • http://www.securityinnovation.com/pdf/windows_linux_final_study.pdf [securityinnovation.com]

      Read it. Look at how they took the "default" settings EXCEPT where those settings would make Microsoft look too bad (firewall disabled by default).

      Read it all. Then look at what they REALLY based their "finding on".

      Nothing more than some other site's listing of security announcements/bug fixes.

      Unless you can find fault with the study itself, there is nothing wrong with Microsoft financing studies which show Microsoft in a favorable wa

  • It is hard to get a 'true' test on what is this and what is that, especially security.

    What needs to be done is _not_ an independent review sponsored by MS, but a review by all parties not sponsored by anyone.

    MS always uses its FUD.

    Why not get a panel from ALL current OS and do similar?

    Tut.

    We know why that will never happen.

    BTW, did the guys involved have to pay the full whack on Windows server 2003 btw?
  • Not news! (Score:3, Funny)

    by IGnatius T Foobar (4328) on Saturday March 26, 2005 @11:22AM (#12054086) Homepage Journal
    Our other top story today: President Bush's approval rating is higher than ever, mainly because consumers are very happy about rising oil and gas prices ... reports FOX News.
  • "Thompson said he didn't know whether anything in the research contract with Microsoft would have prevented release of the study if the company considered the results unfavorable."

    He surely doesn't have to read it to understand how the system works...

    -- Shameless plug for the Nuggets [mynuggets.net] mobile search engine.

  • by Jeff DeMaagd (2015) on Saturday March 26, 2005 @11:23AM (#12054094) Homepage Journal
    ...but I wouldn't put it past them to test ten and use the one that makes them look best.
  • Pfft (Score:3, Funny)

    by irritus (789886) on Saturday March 26, 2005 @11:24AM (#12054099)
    You guys are too skeptical. So MS paid for the study that found them to be safer. That doesn't mean a thing. Seriously, give up the paranoia and trust your fellow human beings for a change. Now, if you'll excuse me, I need to draw up plans for a toll booth. A nice fellow in a trenchcoat just sold me the deed to the Brooklyn Bridge.
  • by sicking (589500) on Saturday March 26, 2005 @11:25AM (#12054103)

    When will they ever learn?

    When will who learn? Microsoft? They already did. They learned that funding research groups is a great way to portray themselves as they see fit and at the same time spread FUD about linux and other competitors.

  • by 88NoSoup4U88 (721233) on Saturday March 26, 2005 @11:27AM (#12054111) Homepage
    The researchers, from the Florida Institute of Technology and Boston-based Security Innovation Inc., defend their process and conclusions as valid. They say they had "complete editorial control over all research and analysis" involved in the project. Their report details their methods, and they invite other experts to examine and duplicate their work.

    So has anyone already taken this to the test?
    As long as there is no counterevidence (besides the obvious evidence from everyday use of both OS's), why already pass a judgement? (Ok, this -is- Slashdot, I'm not -too- new here)

    Although I find it dubious, to say the least, to have MS funding this research; I still think that they should at least try to reproduce the results, and investigate what might have been left out (on purpose) to skew the outcome.

    • by khasim (1285) <brandioch.conner@gmail.com> on Saturday March 26, 2005 @01:44PM (#12054698)
      Here it is: http://www.securityinnovation.com/pdf/windows_linux_final_study.pdf [securityinnovation.com]
      So has anyone already taken this to the test?
      What "test"? The whole point is how their "methods" are flawed.
      As long as there is no counterevidence (besides the obvious evidence from everyday use of both OS's), why already pass a judgement? (Ok, this -is- Slashdot, I'm not -too- new here)
      Here's the "counterevidence":

      Scenario: You are running a web site on Linux. All ports are blocked by the default firewall except port 80.
      Is a local exploit in a .pdf reader that is not remotely accessible, but that goes unpatched for a year worse (in your opinion) than ... a remote httpd exploit that gives you root access but which has the patch released with the vulnerability announcement on a public mailing list but you don't deploy it for 1 week while Red Hat packages it and tests it?

      By their "methods", the .pdf reader is far, Far, FAR, FAR worse than the httpd one.
      Although I find it dubious, to say the least, to have MS funding this research; I still think that they should at least try to reproduce the results, and investigate what might have been left out (on purpose) to skew the outcome.
      Read the study. They did NOTHING that just about any 5th grade student couldn't do.

      They counted the vulnerabilities (X).

      They added together all the days between announcement of vulnerability and Red Hat releasing a patch (Y).

      They divided Y by X to find the average time between vulnerability announcement and Red Hat releasing a patch.

      They did the same for Win2003.

      Then they announced that Win2003 was more secure because it had less time between public announcement and public patch.

      That is all they based this "report" on.

      Their methodology is fundamentally flawed. You can do the same arithmetic they did and get the same results, but that does not mean that their findings are valid.
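The arithmetic this comment describes, together with the same-day-disclosure effect Hooya raises earlier in the thread, as an added worked example (mine, not the study's code, Red Hat's script or any commenter's): the X/Y average run on constructed vulnerability records, beside a risk-weighted alternative. The dates, the 1..4 severity scale and the set of default-open ports are assumptions made for the illustration.

```python
"""Added worked example: the 'days of risk' arithmetic the thread describes,
on constructed records, beside a risk-weighted alternative. Not the study's
code and not Red Hat's script. All dates, the 1..4 severity scale and the
default-open port set are assumptions made for this illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Vuln:
    name: str
    first_known: date           # earliest date the flaw was reported to anyone
    vendor_disclosed: date      # date the vendor publicly acknowledged it
    vendor_patched: date        # date the vendor's own package carried the fix
    severity: int               # constructed scale: 1 = local nuisance .. 4 = remote root
    port: Optional[int] = None  # listening port if network-reachable, else None


def days_of_risk(v: Vuln) -> int:
    """Per-issue number as the thread describes the study: days from the
    vendor's public disclosure to the vendor's patch. A vendor that announces
    the flaw and the fix together scores 0 however long it knew; announcing
    the flaw the day after the patch even goes negative (Hooya's point)."""
    return (v.vendor_patched - v.vendor_disclosed).days


def average_days_of_risk(vulns: Iterable[Vuln]) -> float:
    """Y / X: summed days divided by the number of counted vulnerabilities."""
    vulns = list(vulns)
    return sum(days_of_risk(v) for v in vulns) / len(vulns)


def reachable_by_default(v: Vuln, default_open_ports: frozenset) -> bool:
    """Only flaws on a port the default install leaves open are exposed to a
    network attacker; local-only flaws and filtered ports are not."""
    return v.port is not None and v.port in default_open_ports


def weighted_exposure(vulns: Iterable[Vuln], default_open_ports: frozenset) -> float:
    """Defender-oriented alternative: count days from the moment the flaw was
    first known (not from the vendor's announcement), weight by severity, and
    quarter the weight when the default install does not expose the flaw."""
    total = 0.0
    for v in vulns:
        window = (v.vendor_patched - v.first_known).days
        weight = v.severity if reachable_by_default(v, default_open_ports) else v.severity / 4
        total += window * weight
    return total


# Constructed data. 'OPEN' discloses on a public list at once and ships its own
# package days later; 'QUIET' sits on private reports and discloses with the fix.
DEFAULT_OPEN_PORTS = frozenset({80})   # the scenario above: everything but 80 filtered

OPEN = [
    Vuln("pdf reader local overflow", date(2004, 1, 10), date(2004, 1, 10),
         date(2005, 1, 9), severity=1),                       # a year unpatched, local only
    Vuln("httpd remote root", date(2004, 3, 1), date(2004, 3, 1),
         date(2004, 3, 8), severity=4, port=80),              # packaged fix a week later
]
QUIET = [
    Vuln("web server remote root", date(2003, 6, 1), date(2004, 6, 1),
         date(2004, 6, 1), severity=4, port=80),              # known a year, disclosed with fix
    Vuln("rpc service remote code exec", date(2003, 11, 15), date(2004, 2, 11),
         date(2004, 2, 10), severity=4, port=135),            # disclosed the day after the patch
]


def scoreboard() -> dict:
    """Both metrics for both constructed vendors, so the inversion is visible:
    the study's average favours QUIET, the weighted exposure favours OPEN."""
    return {
        "OPEN": (average_days_of_risk(OPEN), weighted_exposure(OPEN, DEFAULT_OPEN_PORTS)),
        "QUIET": (average_days_of_risk(QUIET), weighted_exposure(QUIET, DEFAULT_OPEN_PORTS)),
    }


if __name__ == "__main__":
    for vendor, (avg, weighted) in scoreboard().items():
        print(f"{vendor:6} average days of risk = {avg:7.1f}   weighted exposure = {weighted:8.2f}")
```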

  • by Alain Williams (2972) <addw@phcomp.co.uk> on Saturday March 26, 2005 @11:27AM (#12054114) Homepage
    I am sorry, that is wrong, it should be:

    1. When will
    2. we ever learn?

    The point is that many people who matter will see this paper, they are busy people they will read the headlines and the conclusions, they won't even notice that there is something about funding. These people are IT directors and the like.

    Yes: we geeks say that the report is a joke because of the way that it is funded; learn that the joke is on us since we dismiss this paper as irrelevant when it is opinion forming.

  • These sell outs always surprise me. Your reputation is the most valuable thing you "have". Once that's gone, you are nothing more than some guy who lives in a van down by the river.

    If you are going to derive your research from presupposed conclusions it helps to AT LEAST choose a plausible sounding conclusion.

    As a genuine security researcher, I don't think anyone knowledgeable in the field believes that Microsoft has a more secure OS than a hardened version of Linux.

    Speaking as an academic, it is somewh
    • Microsoft has a more secure OS than a hardened version of Linux.

      Right there is the flaw in your statement. You're correct in that no one in the field would believe that a Microsoft OS is more secure than a hardened version of Linux. On the same token though, any reputable person in the field would agree that a hardened version of Microsoft's OS is not any less secure than a hardened version of Linux.

      Speaking as an academic, it is somewhat disappointing to see this kind of spin besmirch the ivory tower

  • Apples to Oranges (Score:3, Interesting)

    by yancey (136972) on Saturday March 26, 2005 @11:33AM (#12054137)
    Let Microsoft open the source code for their operating system and then let us see who has more reported vulnerabilities!
  • Still a good move. (Score:5, Interesting)

    by Douglas Simmons (628988) on Saturday March 26, 2005 @11:34AM (#12054141) Homepage
    Keep in mind that we, the people who see the evil trickery, are a flash in the pan of all the people Microsoft would like to spook people from Linux with fud. Several years ago Microsoft tried to use Linux's existence in their legal battles to say Hey, it's not peaches and cream for us with these commy hippie coders spreading free software, so please, DOJ, cut us some slack. Violins.

    But at the time they weren't too worried about the long term growing threat, they were worried about the pending case. Now the big picture nightmare is being realized on all fronts and they need to go down in flames shooting off ridiculous attacks/defenses that they paid for because the net result will probably be in the black, at least beyond the slashdotters, of keeping more people from moving to linux than they drive toward linux because those people found out that MS paid for the study and yada yada. Count on that MS reads the likes of Slashdot and give them a little benefit of the doubt -- not with their ethics, but with their business sense. In this case I think the ensuing flood of "when will they learn" posts will be overstated. I should note however that MSFT has had a pretty disappointing [yahoo.com] performance and that the public is catching onto the hole they're in, and not every investor is going to stay on the ship just because Microsoft is selling video games.

    But then I think, I am a Debian addict and I am defending MS's business decisions, and then I think I've been up all night perfecting my porn site and I'm beginning to hallucinate. I don't know where I'm going with this... Back to the porn!

    • Keep in mind that we, the people who see the evil trickery, are a flash in the pan of all the people Microsoft would like to spook people from Linux with fud.

      I wouldn't say we're a "flash in the pan". Slashdot readers include 14-year old script kiddies, yes, but also many people like corporate IT managers who make serious purchasing decisions, and consultants who give respected advice. Even if small in terms of percentage, the opinions of Slashdot readers are disproportionately important in the IT worl

  • Researchers... (Score:5, Insightful)

    by panurge (573432) on Saturday March 26, 2005 @11:34AM (#12054143)
    In pure science, there is a reasonable probability that biased or faked research will get found out. This is because the rules are constant and experiments are reproducible. The great merit of IT as a field for making money out of biased research is that things do not stay the same. In five years time nobody is likely to do a study of penetration of Linux vs Windows systems in 2004 and decide that one system was superior to another. Apart from the commercial secrecy surrounding hacks, there is no way of collating all the logs.

    The conclusion has to be that selling IT snake oil is an even better bet than becoming an aromatherapist or an urban shaman. No-one is likely to be able to prove you wrong, and you can continue to be paid by your vendor of choice secure in the knowledge that most publications will not print anything that upsets their biggest advertisers, and that even if a few minority interests notice the connection between your conclusions and your paycheck, the wider world probably won't notice.

    The system will only fall apart if academic institutions get together and pass some suitably tough rules on the ethics of product comparisons - and history suggests that the first one under the new rules will be a study of the aerodynamics of different breeds of pigs.

  • by Anonymous Coward on Saturday March 26, 2005 @11:35AM (#12054148)
    I'm a researcher and on the editorial board of an academic journal. The cardinal rule is you disclose your funding or any conflict of interest *every* time and *any* time you make a presentation or write a paper. Such disclosures are essential in allowing others to evaluate the possibility of bias and are accepted practice.

    Academia requires funding, and researchers are usually funded. Funding agencies always have a perspective (even when you're funded by the NIH or NSF or other federal agencies). The agreement that the researcher has intellectual control of the research process, data, and the right to publish is key, especially with commercial sponsors (e.g., MS, pharma companies).

    These folks may well have had an agreement ensuring them that they could find what they found and freely report it. And if they reported it, others can appraise the quality of their methods. I haven't read the study, so I don't know if the comparison was fair. Did their support from MS include someone sending them specially-configured systems, for example?

    But I do know that they should have known better than not to disclose the funding source in their first talk.
  • Go Microsoft! (Score:2, Interesting)

    by tmasky (862064)
    The worst thing MS ever did for itself is admit to competing against GNU/Linux.

    They're just spreading the word further, to people who may never have known of alternatives. Anyone who's semi-competent can then clarify the situation.

    Keep it up Microsoft. Remember, it's a case of when - not if. You're helping to bring that date closer =)
  • Get the real stats (Score:5, Informative)

    by markcox (236503) on Saturday March 26, 2005 @11:37AM (#12054159) Homepage
    http://blogs.redhat.com/people/archive/000201.html [redhat.com] links you to the raw downloadable data on how well Red Hat really did and a trivial Perl script to analyse it and drop out all sorts of metrics.
  • by ites (600337) on Saturday March 26, 2005 @11:46AM (#12054185) Journal
    It's remarkably stupid of Microsoft to continue to fund studies slamming Linux. The choice between operating systems is not one that people make on the basis of slight opinion. They follow trends, and technological trends are influenced by people who understand the impact of their choices.

    Linux has been the choice of the leading edge for several years; it is well-established as the choice for the early adopter, and it's now starting to become a serious option for the mass market.

    The mass market listens to the early adopters, the early adopters listen to the pioneers. That's the way it goes with technology, and that's why marketing only helps when products are otherwise equal.

    Microsoft should work on the real problem - the low quality of their products, and the real gap between their outdated expensive proprietary software and the commodity alternatives - rather than try to influence the market with propaganda. Unless, of course, they have come to the realisation that they cannot fix the problems.

    It will be newsworthy when a study finds that Microsoft has made a better product than the community, and when the study is both independent and accurate.

    If Apple can do it, why can't you guys at Microsoft? It's just software... infinitely plastic, and you are so smart, so rich...

    Nope. They won't do it. They just don't get it. They will continue to bitch and bluster and bluff until it's too late.

    It's a shame. All that talent, all that money, and all they can do is pay people to lie.
  • Methodology...? (Score:5, Insightful)

    by endofoctober (660252) <jk.coleNO@SPAMifredsayred.com> on Saturday March 26, 2005 @11:46AM (#12054187) Homepage
    Reading their report, something caught my eye...
    "In our analysis we leverage the inherent modularity of Linux to consider both a default configuration and a "minimal install" system that has a smaller attack surface that both satisfy the web server role."
    ...compared to...
    "For the Microsoft-based solution there are many components which are difficult or impossible to completely remove from the operating system and therefore we consider only one configuration, a "complete" installation, and count vulnerabilities for every application included with the server software in our analysis."
    So, if I'm understanding this correctly, they're comparing a default install of Linux to a complete (assuming fully-patched?) install of WS2k?

    And since they're claiming that this is a "Linux vs. Windows" research paper, the fact that they're looking at using the boxes as web servers makes it seem more like they're comparing Apache/PHP/MySQL to IIS/ASP/SQL...

    I'm rather new to the Linux world, but isn't that like looking at the engine of a car, and saying the doors don't work?

  • Point 1: In a world where there is only one choice of operating system, if your security sucks, you're screwed. Even better would be to have a diversity of operating systems in an organization if cost allows.

    Point 2: Linux is not an operating system. It's a kernel that various organizations build operating systems on. I haven't read the report, but if the authors include userland vulnerabilities, they're being completely dishonest. WRT to userland vulnerabilities, you have your choice of Linux based ope
  • by vhogemann (797994) <victor AT hogemann DOT com> on Saturday March 26, 2005 @11:47AM (#12054193) Homepage
    They're talking about "Linux", and it's a kernel. RedHat, Fedora, Debian, Slack, Suse... these are OSes!

    So, if you get a sloppy distro (won't cite any names to avoid flames) and compare it to Windows, you can say that distro is more insecure than Windows. But you can't say "Linux is more insecure than Windows"!

    If they really want to compare Linux to Windows, well... then let's compare the kernels, Linux X NT! Which one is more secure? Has more bugs? Heh, that's something I'd like to see.
  • Innovation Inc., 'surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system' according to the Seattle Post-Intelligencer

    Hahahahaha..."snort" stop it! You're killing me (holds gut in pain)..

    I can always look forward to a good laugh from /.
  • Now everyone reading TFA knows better, because you already know about /.. How about the millions of people using Windows that were trying to convert away because of security reasons, who don't know about /.. Until I switched from Windows to Mandrake Linux - I never even heard of this place, much less cared about which was more secure - however now I know better, my wife OTOH, doesn't - nor doesn't care to either I might add.

    Stories like this are just like SPAM, the reason they keep happening is because i
  • NO matter what MS says, no matter how hard they yell or lie or cheat or steal, as long as LINUX is useful and continues to improve people will use it. MS still does not understand that Windows' biggest enemy is itself and not LINUX. LINUX isn't designed to "beat" windows. It's designed according to the needs of its users. The only reason we are seeing it improve in the desktop arena is because the userbase is changing, becoming more mainstream. So don't worry! Use LINUX (or BSD if that's your fancy) and i
  • by siljeal (841276)
    When those "researchers" (I'd rather call them hacks) presented their methodology to Microsoft and asked for funding, it was pretty much a no-brainer for MS to do so, as the metrics were clearly in their favour. Take the number of security reports, for example. The number of errors reported does not only depend on the number of errors in the system, it also depends on how available the means for finding these errors are. Compared to the number of people being able to do so with the Linux sources, fewer people
  • Computer science like their report does not have peer review. Which is disappointing, because proper computer science research is so much more repeatable than natural science. I'd like to see the ACM take a stand, and aggressively demand that published research either cite a peer review process upon publication, or publish auditable records of the publisher's finances. Of course, anyone can publish anything, and anyone is free to believe it. But computer science is too important not to distinguish accountab
  • by Pingsmoth (249222) on Saturday March 26, 2005 @12:03PM (#12054252) Homepage
    and not owning a PC, I used to really dig this kind of stuff. I still don't own a PC, but my two roommates do, and the more I see these kinds of things on /. the more it reads like sour grapes from the linux community.

    When one of my roommates got a Dell recently, I took a look at his XP before connecting to the internet. A few clicks and the firewall was on. A few more clicks and his anti-virus software was up and running. After connecting to our LAN I downloaded Firefox, and for the past month and a half he has had no problems with any security issues on his machine. No, Windows is inherently not as secure as linux, but if you know what you are doing, you will be able to set up your Wintel box to be decently safe and hacker-free.

    The downside is, of course, that Microsoft could do a lot more to make Windows more secure out of the box. But Linux (and the Linux community) has a long way to go before the average wal-sumer will feel comfortable using Linux machines, much less knowing how to run them.
    • An antivirus is like an IPS. Reactive. It can only catch what it knows. The current lot of viruses is good enough that you should just format and reinstall if your OS is infected.

      Exactly the same thing that you do with a rootkit infected Unix system.

      Also, the security of a system depends on the administrator. You are administering your friend's system. Slight difference.

      Oh, and did you turn off the RPC services?
  • by StateOfTheUnion (762194) on Saturday March 26, 2005 @12:16PM (#12054315) Homepage
    Quoted:

    Thompson said he and Ford developed the methodology on their own and submitted a proposal to Microsoft last year. He declined to say how much Microsoft paid to fund the research, but he said the company didn't have a say in the methodology.

    I'm surprised that this kind of research would get so much attention . . . reading between the lines, the research proposal was written to attract money from Microsoft. This implies an immediate conflict of interest . . . the research proposal and methodology were very possibly skewed in favor of Microsoft from the very beginning to garner Microsoft's favor and money.

    This is like writing a research proposal on the effects of smoking to get money from Philip Morris. Of course such a proposal won't be written in such a way as to build a link between smoking and cancer . . . it would likely be written to imply that the research may refute the link between smoking and cancer. Skew the proposal in favor of the benefactor and one is more likely to get money . . .

    The whole process needs to be more transparent . . and all of the facts need to be issued before presenting . . . otherwise this is just irresponsible research.

  • Money vs Ideology (Score:2, Flamebait)

    by Rostin (691447)
    The stories are stupid. What no one EVER comments on is the research itself, only that it is obviously wrong because M$ funded it. (Of course, that's really just icing on the cake. Any research favoring M$ is automatically wrong, we all know.)

    Also, what no one ever mentions when research favors OSS is ideological bias. What's especially interesting about the second thing is that it should be obvious that it exists, because we are neck deep in it here.
  • What the hell difference is it in a lab environment if my system is more secure than yours if there's no measure of real world elements? Dropping a couple hundred boxes on the net and plotting out the time it takes for their security to be subverted would be a good measure of the OS security.

    Multiple bandwidth tests (56k-1.5mbdsl) trying to update the OS. Utilizing vendor (Dell/HP/Gateway) XP installs/Linux installs (not fully patched, but patched a *little*) In combination with hardened installations i
  • by QuantGuy (654249) on Saturday March 26, 2005 @12:48PM (#12054464)

    ...and found it lacking in several respects.

    Some background. I work as an industry analyst for a major technology research firm you've heard of. We were asked to review the methodology and findings of the report prior to its publication---i.e., at the beginning of March.

    Things I commented on, among others:

    • No detailed breakdown of individual vulnerabilities. Which components were affected? How are they distributed?
    • No indication of which version of Apache was being used. 1.x? 2.x? Were the vulnerabilities for both versions counted erroneously?
    • Prominence given to a dubious metric: "days of risk," which biases scores in favor of Microsoft since Red Hat, Apache et al don't follow the same "responsible" disclosure process
    • Comparison of a managed runtime script engine (CLR+ASP.NET) with one that isn't (PHP). The correct "apples-to-apples" comparison (that's the authors' phrase, not mine) would be with JRE+JSP (e.g., Tomcat). Gee, no buffer overflow problems with ASP.NET. What a surprise!

    In short, the authors' claims that the methodology was "transparent" and "reproducible" are unfounded, since there is no way to inspect the data underlying their conclusions. I predicted they'd be heavily flamed by the open source crowd, and that they ought to make some changes to the report before they went public. They didn't, other than to acknowledge (but not address) a few of the methodological issues we raised.

    It's really too bad, since I really liked their emphasis on "role-based" analysis; that is, look at a specific "stack" for a particular use case, for example web serving. The methodology paper, in case you haven't read it, is worthwhile reading. But all that good work is sullied since we can't see the data.

  • by in4mation (652196) on Saturday March 26, 2005 @12:49PM (#12054470)
    The study by Thompson and Ford compared Microsoft Windows Server 2003 to Red Hat Enterprise Linux 3.0 on such factors as the number of reported security vulnerabilities in 2004 and "days of risk" -- the amount of time between the public disclosure of a vulnerability and the availability of a fix.

    Windows Server benefited in part from Microsoft's reduction of security vulnerabilities in the latest version of the software -- with 52 reported vulnerabilities for the year, compared with 132 vulnerabilities for the Linux version, according to the report. The researchers also calculated an average of about 31 days of risk for the Windows software in 2004, compared with an average of about 70 days of risk for the Linux version.

    Yeah but how many people get to review M$ code and discover new vulnerabilities? Did they account for that in their bug count methodology?
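    The two metrics the thread keeps returning to, vulnerability count per configuration (the default versus "minimal install" point in the Methodology comment above) and "days of risk" (the disclosure-to-fix interval quoted here), are easy to reproduce on a small dataset, and doing so shows why the reviewer above calls days of risk dubious. The following Python is an added example, not the study's data, the Red Hat script, or any poster's code; every vulnerability id, component, and date in it is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Iterable, Optional


@dataclass(frozen=True)
class Vuln:
    """One vulnerability record. Ids are constructed placeholders, not real CVEs."""
    vuln_id: str
    component: str
    disclosed: date   # date the issue became public
    fixed: date       # date a fix became available


def days_of_risk(v: Vuln) -> int:
    """Days between public disclosure and availability of a fix.

    A fix published on the same day as the disclosure scores zero, however long
    the issue was known privately before that, which is exactly the property
    that favours vendors running a coordinated disclosure process.
    """
    delta = (v.fixed - v.disclosed).days
    if delta < 0:
        raise ValueError(f"{v.vuln_id}: fix predates disclosure")
    return delta


def summarize(vulns: Iterable[Vuln], installed: Optional[set] = None) -> dict:
    """Count vulnerabilities and average days of risk for one configuration.

    `installed` restricts the count to components actually present; None means
    a complete install where every shipped component is counted.
    """
    selected = [v for v in vulns if installed is None or v.component in installed]
    by_component: dict = {}
    for v in selected:
        by_component[v.component] = by_component.get(v.component, 0) + 1
    return {
        "count": len(selected),
        "avg_days_of_risk": mean(days_of_risk(v) for v in selected) if selected else 0.0,
        "by_component": by_component,
    }


# Constructed sample advisories for a Linux-style web server stack (hypothetical).
LINUX_VULNS = [
    Vuln("LNX-0001", "kernel",  date(2004, 1, 10), date(2004, 1, 20)),   # 10 days
    Vuln("LNX-0002", "httpd",   date(2004, 2, 1),  date(2004, 2, 3)),    #  2 days
    Vuln("LNX-0003", "php",     date(2004, 3, 5),  date(2004, 4, 4)),    # 30 days
    Vuln("LNX-0004", "mysql",   date(2004, 5, 1),  date(2004, 5, 31)),   # 30 days
    Vuln("LNX-0005", "openssh", date(2004, 6, 1),  date(2004, 6, 4)),    #  3 days
    Vuln("LNX-0006", "cups",    date(2004, 7, 1),  date(2004, 9, 29)),   # 90 days
]

# The same bugs, but every advisory published together with its fix, as a
# coordinated disclosure process would: the software is unchanged, the metric is not.
COORDINATED_VULNS = [Vuln(v.vuln_id, v.component, v.fixed, v.fixed) for v in LINUX_VULNS]

DEFAULT_INSTALL = None                                 # everything shipped counts
MINIMAL_WEB_INSTALL = {"kernel", "httpd", "openssh"}   # static web server role only


if __name__ == "__main__":
    for label, data, cfg in [
        ("default install", LINUX_VULNS, DEFAULT_INSTALL),
        ("minimal web install", LINUX_VULNS, MINIMAL_WEB_INSTALL),
        ("default install, coordinated disclosure", COORDINATED_VULNS, DEFAULT_INSTALL),
    ]:
        s = summarize(data, cfg)
        print(f"{label}: {s['count']} vulns, avg {s['avg_days_of_risk']:.1f} days of risk")
```

On the constructed data the default install scores 6 vulnerabilities at 27.5 average days of risk, the minimal install 3 at 5.0, and the coordinated-disclosure view of the identical bugs 6 at 0.0. The count depends on which packages you decide are part of "the operating system", and the days-of-risk figure depends on when the vendor chooses to make an issue public rather than on how long users were exposed, so neither number says much about the software without the underlying records the reviewer asked for.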

  • Research which demonstrated the superiority of software *not* written by a greedy corporation was tainted today by the revelation that the researchers themselves were not funded by a greedy corporation.
  • MS numbers to tumble (Score:2, Interesting)

    by arn@lesto (107672)
    MS recently announced that it would be giving the US military 30 days to apply security patches before releasing them (and disclosing them) to the public.

    So now MS will have 30 days exposure for every security breach.

    I look forward to a new report from the same guys next year showing these results.
    Oh, I forgot, they won't be able to get the funding from MS.
  • Acknowledgements
    This study and our analysis were funded under a research contract from Microsoft. As part of the agreement, we have complete editorial control over all research and analysis presented in this report. We stand behind our methodology and execution of that methodology to determine objective results that will be useful to customers and security practitioners.

    Do they really expect us to buy an excuse that thin? Yes, a report of this type is academically viable, but only if you maintain neutral
