
Microsoft vs Linux Reports - Sheer Waste Of Time?

Filed under: Linux, Microsoft

The report released by Security Innovation Inc., an application security company, comparing Windows Server 2003 security with Red Hat Enterprise Linux 3 Enterprise Server (RHEL3ES) is very interesting in its own right. Just skimming through the report reveals a few discrepancies that call its credibility into question.

The main page briefing about the paper states:
"Results of Independent Research Project that Microsoft Windows Server 2003 has Fewer Security Flaws than Multiple Configurations of a Compatible Linux Server."

While the researchers clearly name the Microsoft product, they use the more generic term "Linux" for the other side. Why generalize? It is hard to believe that these PhDs do not understand the significance of this wording. Why couldn't they just be direct and say "RHEL3ES"?

In the report:
"Aside from beliefs over the relative "security" of the closed versus Open Source development paradigms, another important contributing factor is that Microsoft develops and releases all the components in their Web server stack. This allows Microsoft more control over release cycles and vulnerability disclosures than the distributed development method."

This brings up a couple of interesting points. Firstly, according to them, deploying components from multiple vendors in an enterprise makes the overall system more vulnerable. Well, then we must expect enterprises to immediately take action to ensure that ALL their ERP, SCM, CRM and, of course, Web servers come from a single vendor. Though we hate to repeat this, have they ever heard of something called "vendor lock-in"?

Secondly, the report states that Microsoft has control over release cycles AND VULNERABILITY DISCLOSURES. Do they intend to say that the "days of risk" has been significantly affected by the fact that the vendor has control as to when the vulnerability will be disclosed?

A little later comes:
"Another factor which helps Microsoft in terms of average days of risk is that Microsoft strongly encourages a "responsible disclosure" policy - that is, the company attempts to carefully coordinate vulnerability announcement with fix announcement and actively build relationships with new security researchers."

It does seem that the report is trying to explain that the companies buying the Microsoft products are supposed to work closely with Microsoft to ensure that the vulnerability announcement and fix announcements are as close as possible to ensure that the "days of risk" are kept to a minimum. We sincerely hope that we got this one wrong.

Though a lot more could be analyzed in the report, this "independent" research appears to have been done (or should we say, written) by people who think that Enterprise IT heads are a bunch of fools who have all the time on earth to read through tons of pages of deceptive analysis.

Source.
