Language Selection

English French German Italian Portuguese Spanish

Microsoft vs Linux Reports - Sheer Waste Of Time?

Filed under
Linux
Microsoft

The report released by Security Innovation Inc., an application security company, comparing Windows Server 2003 security with Red Hat Enterprise Linux 3 Enterprise Server (RHEL3ES) is very interesting in its own right. Just skimming through the report reveals a few discrepancies that question its credibility.

The main page briefing about the paper states:
"Results of Independent Research Project that Microsoft Windows Server 2003 has Fewer Security Flaws than Multiple Configurations of a Compatible Linux Server." While the researchers are clearly mentioning the Microsoft product the use the more generic term "Linux". Why generalize? It is hard to believe that these PhDs do not understand the relevance of this statement. Why couldn't they just be direct and mentioned "RHEL3ES?"

In the report:
"Aside from beliefs over the relative "security" of the closed versus Open Source development paradigms, another important contributing factor is that Microsoft develops and releases all the components in their Web server stack. This allows Microsoft more control over release cycles and vulnerability disclosures than the distributed development method."

This brings up a couple of interesting points. Firstly, according to them implementing multiple components (software) in an enterprise makes the overall system more vulnerable. Well, so we must expect enterprises to immediately take actions to ensure that ALL their ERP, SCM, CRM, and, of course, Web Servers are from a single vendor. Though we hate to repeat this but have they ever heard of something called "vendor lock-in".

Secondly, the report states that Microsoft has control over release cycles AND VULNERABILITY DISCLOSURES. Do they intend to say that the "days of risk" has been significantly affected by the fact that the vendor has control as to when the vulnerability will be disclosed?

A little later comes:
"Another factor which helps Microsoft in terms of average days of risk is that Microsoft strongly encourages a "responsible disclosure" policy - that is, the company attempts to carefully coordinate vulnerability announcement with fix announcement and actively build relationships with new security researchers."

It does seem that the report is trying to explain that the companies buying the Microsoft products are supposed to work closely with Microsoft to ensure that the vulnerability announcement and fix announcements are as close as possible to ensure that the "days of risk" are kept to a minimum. We sincerely hope that we got this one wrong.

Though a lot more can be analyzed in the report, it does appear that "independent" research seems to have been done (or should we say, written) by people who think that Enterprise IT Heads are a bunch of fools who have all the time on earth to read through tones of pages of deceptive analysis.

Source.

More in Tux Machines

SUSE Leftovers

  • openSUSE Heroes meeting, day 2
    After a long, but exciting first day, we even managed to get some sleep before we started again and discussed the whole morning about our policies and other stuff that is now updated in the openSUSE wiki. After that, we went out for a nice lunch…
  • Installing Tumbleweed, November 2016
    The Tumbleweed system that I already have installed had desktops KDE, Gnome, XFCE and LXDE. But for recent intstalls (as with Leap 42.2), I have been going with KDE, Gnome, XFCE, LXQt, FVWM and MATE. So it seemed reasonable for the new Tumbleweed install to follow the same path. I also added Enlightenment for experimenting.

Android Leftovers

Linux Graphics

  • LibRetro's Vulkan PlayStation PSX Renderer Released
    A few days back I wrote about a Vulkan renderer for a PlayStation emulator being worked on and now the code to that Vulkan renderer is publicly available. For those wanting to relive some PlayStation One games this week or just looking for a new test case for Vulkan drivers, the Vulkan renderer for the LibRetro Beetle/Mednafen PSX emulator is now available, months after the LibRetro folks made a Vulkan renderer for the Nintendo 64 emulator.
  • Etnaviv DRM Updates Submitted For Linux 4.10
    The Etnaviv DRM-Next pull request is not nearly as exciting as MSM getting Adreno 500 series support, a lot of Intel changes, or the numerous AMDGPU changes, but it's not bad either for a community-driven, reverse-engineered DRM driver for the Vivante graphics cores.
  • Mesa 12.0.4 Being Prepped For Ubuntu 16.10/16.04
    Ubuntu is preparing Mesa 12.0.4 for Ubuntu Xenial and Yakkety users. It's not as great as Mesa 13, but at least there are some important fixes back-ported. Mesa 12.0.4 is exciting for dozens of bug fixes, including the work to offer better RadeonSI performance. But with Mesa 12.0.4 you don't have the RADV Vulkan driver, OpenGL 4.5, or the other exciting Mesa 13 work.

Games for GNU/Linux