
Microsoft vs Linux Reports - Sheer Waste Of Time?

Filed under: Linux, Microsoft

The report released by Security Innovation Inc., an application security company, comparing Windows Server 2003 security with Red Hat Enterprise Linux 3 Enterprise Server (RHEL3ES) is very interesting in its own right. Just skimming through the report reveals a few discrepancies that call its credibility into question.

The main page briefing about the paper states:
"Results of Independent Research Project that Microsoft Windows Server 2003 has Fewer Security Flaws than Multiple Configurations of a Compatible Linux Server." While the researchers clearly name the Microsoft product, they use the more generic term "Linux" for the other side. Why generalize? It is hard to believe that these PhDs do not understand the relevance of this statement. Why couldn't they just be direct and mention "RHEL3ES"?

In the report:
"Aside from beliefs over the relative "security" of the closed versus Open Source development paradigms, another important contributing factor is that Microsoft develops and releases all the components in their Web server stack. This allows Microsoft more control over release cycles and vulnerability disclosures than the distributed development method."

This brings up a couple of interesting points. Firstly, according to them, implementing multiple components (software) from different sources in an enterprise makes the overall system more vulnerable. Well, so we must expect enterprises to immediately take action to ensure that ALL their ERP, SCM, CRM, and, of course, Web Servers come from a single vendor. Though we hate to repeat this, have they ever heard of something called "vendor lock-in"?

Secondly, the report states that Microsoft has control over release cycles AND VULNERABILITY DISCLOSURES. Do they intend to say that the "days of risk" figure has been significantly affected by the fact that the vendor controls when a vulnerability will be disclosed?

A little later comes:
"Another factor which helps Microsoft in terms of average days of risk is that Microsoft strongly encourages a "responsible disclosure" policy - that is, the company attempts to carefully coordinate vulnerability announcement with fix announcement and actively build relationships with new security researchers."

It does seem that the report is trying to explain that companies buying Microsoft products are supposed to work closely with Microsoft to keep vulnerability announcements and fix announcements as close together as possible, so that the "days of risk" are kept to a minimum. We sincerely hope that we got this one wrong.

Though a lot more can be analyzed in the report, it does appear that this "independent" research was done (or should we say, written) by people who think that Enterprise IT Heads are a bunch of fools who have all the time on earth to read through tons of pages of deceptive analysis.

Source.
