Language Selection

English French German Italian Portuguese Spanish

Microsoft vs Linux Reports - Sheer Waste Of Time?

Filed under
Linux
Microsoft

The report released by Security Innovation Inc., an application security company, comparing Windows Server 2003 security with Red Hat Enterprise Linux 3 Enterprise Server (RHEL3ES) is very interesting in its own right. Just skimming through the report reveals a few discrepancies that question its credibility.

The main page briefing about the paper states:
"Results of Independent Research Project that Microsoft Windows Server 2003 has Fewer Security Flaws than Multiple Configurations of a Compatible Linux Server." While the researchers are clearly mentioning the Microsoft product the use the more generic term "Linux". Why generalize? It is hard to believe that these PhDs do not understand the relevance of this statement. Why couldn't they just be direct and mentioned "RHEL3ES?"

In the report:
"Aside from beliefs over the relative "security" of the closed versus Open Source development paradigms, another important contributing factor is that Microsoft develops and releases all the components in their Web server stack. This allows Microsoft more control over release cycles and vulnerability disclosures than the distributed development method."

This brings up a couple of interesting points. Firstly, according to them implementing multiple components (software) in an enterprise makes the overall system more vulnerable. Well, so we must expect enterprises to immediately take actions to ensure that ALL their ERP, SCM, CRM, and, of course, Web Servers are from a single vendor. Though we hate to repeat this but have they ever heard of something called "vendor lock-in".

Secondly, the report states that Microsoft has control over release cycles AND VULNERABILITY DISCLOSURES. Do they intend to say that the "days of risk" has been significantly affected by the fact that the vendor has control as to when the vulnerability will be disclosed?

A little later comes:
"Another factor which helps Microsoft in terms of average days of risk is that Microsoft strongly encourages a "responsible disclosure" policy - that is, the company attempts to carefully coordinate vulnerability announcement with fix announcement and actively build relationships with new security researchers."

It does seem that the report is trying to explain that the companies buying the Microsoft products are supposed to work closely with Microsoft to ensure that the vulnerability announcement and fix announcements are as close as possible to ensure that the "days of risk" are kept to a minimum. We sincerely hope that we got this one wrong.

Though a lot more can be analyzed in the report, it does appear that "independent" research seems to have been done (or should we say, written) by people who think that Enterprise IT Heads are a bunch of fools who have all the time on earth to read through tones of pages of deceptive analysis.

Source.

More in Tux Machines

Android Wear Gets Its First Big Update

Google's Android Wear on Thursday got its first major update, bringing GPS support and offline music capabilities to the wearables platform. "Android Wear is great for tracking things like route, distance and speed," wrote Kenny Stoltz, Android Wear product manager. "Before today, you had to keep your phone close at hand. Starting today, Wear supports watches with GPS sensors, so you can enjoy these features regardless of where your phone's at." Read more

Positive results from Outreach Program for Women

In 2013, Debian participated in both rounds of the GNOME Outreach Program for Women (OPW). The first round was run in conjunction with GSoC and the second round was a standalone program. The publicity around these programs and the strength of the Google and Debian brands attracted a range of female candidates, many of whom were shortlisted by mentors after passing their coding tests and satisfying us that they had the capability to complete a project successfully. As there are only a limited number of places for GSoC and limited funding for OPW, only a subset of these capable candidates were actually selected. The second round of OPW, for example, was only able to select two women. Read more

Mesa 10.3.2 Has A Couple Bug-Fixes

For those living by stable Mesa releases rather than the exciting, bleeding-edge Mesa Git code for open-source Linux graphics drivers, Mesa 10.3.2 is available this Friday night. Mesa 10.3.2 has fixes for Nouveauy's GM107 Maxwell and GK110 support, a handful of Intel DRI driver fixes, and also a few R600g/RadeonSI driver fixes. Mesa stable users interested in learning more can find the 10.3.2 release announcement by Emil Velikov, the new Mesa release manager. For those after the latest Git developments, Mesa 10.4 will be declared stable in December. Read more

openSUSE Tumbling, Fedora Slipping, and Calculating Linux

The big news today is the merger of openSUSE Factory and Tumbleweed. Fedora 21 is delayed again due to numerous blockers. Jack M. Germain looks at Calculate Linux 14 and Bryan Lunduke is back with another desktop review, this week LXDE. There's a "victory for free software" in the news, but it's not in Berlin where Microsoft Office is being substituted for OpenOffice. Read more