
Microsoft vs Linux Reports - Sheer Waste Of Time?

Filed under
Linux
Microsoft

The report released by Security Innovation Inc., an application security company, comparing the security of Windows Server 2003 with that of Red Hat Enterprise Linux 3 Enterprise Server (RHEL3ES) is interesting in its own right. Just skimming through it reveals a few discrepancies that call its credibility into question.

The main page briefing about the paper states:
"Results of Independent Research Project that Microsoft Windows Server 2003 has Fewer Security Flaws than Multiple Configurations of a Compatible Linux Server." While the researchers name the Microsoft product explicitly, they use the generic term "Linux" for the other side of the comparison. Why generalize? It is hard to believe that these PhDs do not understand what that wording implies. Why couldn't they be direct and simply say "RHEL3ES"?

In the report:
"Aside from beliefs over the relative "security" of the closed versus Open Source development paradigms, another important contributing factor is that Microsoft develops and releases all the components in their Web server stack. This allows Microsoft more control over release cycles and vulnerability disclosures than the distributed development method."

This brings up a couple of interesting points. Firstly, according to them, running components from several vendors in an enterprise makes the overall system more vulnerable. So we must expect enterprises to immediately take action to ensure that ALL their ERP, SCM, CRM and, of course, Web servers come from a single vendor. We hate to repeat this, but have they ever heard of something called "vendor lock-in"?

Secondly, the report states that Microsoft has control over release cycles AND VULNERABILITY DISCLOSURES. Do they mean that "days of risk" has been significantly affected by the fact that the vendor controls when a vulnerability is disclosed? If the clock for that metric starts at public disclosure, a vendor that decides the disclosure date can shorten the number without fixing anything faster.

A little later comes:
"Another factor which helps Microsoft in terms of average days of risk is that Microsoft strongly encourages a "responsible disclosure" policy - that is, the company attempts to carefully coordinate vulnerability announcement with fix announcement and actively build relationships with new security researchers."

It does seem that the report is saying that customers of Microsoft products are expected to work closely with Microsoft so that the vulnerability announcement and the fix announcement land as close together as possible, keeping the "days of risk" to a minimum. We sincerely hope that we got this one wrong.
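A worked example of the measurement problem raised in the last two points, added here and not part of the original post or of the Security Innovation report: the same three constructed vulnerability records give very different "days of risk" depending on whether the clock starts at public disclosure (the convention assumed here for the metric) or at the moment the vendor was first told, a date the vendor cannot move. The records, their dates and the two-start-point comparison are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List


# Constructed records: the dates are invented for illustration, not taken from any report.
@dataclass(frozen=True)
class VulnRecord:
    name: str
    reported_to_vendor: date   # day the vendor first learned of the flaw
    publicly_disclosed: date   # day the flaw was first announced publicly
    patch_available: date      # day a fix shipped


def days_of_risk(v: VulnRecord, start: str = "disclosure") -> int:
    """Days between a chosen start point and the patch.

    start="disclosure": the conventional metric, the clock starts at public disclosure.
    start="report":     the clock starts when the vendor was told.
    A patch that ships before the start point counts as zero days, never negative.
    """
    if start == "disclosure":
        begin = v.publicly_disclosed
    elif start == "report":
        begin = v.reported_to_vendor
    else:
        raise ValueError(f"unknown start point: {start!r}")
    return max((v.patch_available - begin).days, 0)


def mean_days_of_risk(records: Iterable[VulnRecord], start: str = "disclosure") -> float:
    values = [days_of_risk(v, start) for v in records]
    if not values:
        raise ValueError("no records")
    return sum(values) / len(values)


def compare_start_points(records: List[VulnRecord]) -> dict:
    """Same records, both conventions, side by side."""
    return {
        "from_disclosure": mean_days_of_risk(records, "disclosure"),
        "from_report": mean_days_of_risk(records, "report"),
    }


# Three constructed cases (all dates are assumptions):
#  coordinated: the vendor sits on a private report for two months, then announces and patches the same day
#  leaked:      a third party publishes nineteen days before the fix is ready
#  full:        the reporter discloses immediately, so the two clocks agree
SAMPLE_RECORDS = [
    VulnRecord("coordinated", date(2004, 1, 10), date(2004, 3, 15), date(2004, 3, 15)),
    VulnRecord("leaked",      date(2004, 2, 1),  date(2004, 2, 20), date(2004, 3, 10)),
    VulnRecord("full",        date(2004, 4, 1),  date(2004, 4, 1),  date(2004, 5, 1)),
]

if __name__ == "__main__":
    for v in SAMPLE_RECORDS:
        print(f"{v.name:12s} from disclosure: {days_of_risk(v):3d}   from report: {days_of_risk(v, 'report'):3d}")
    print(compare_start_points(SAMPLE_RECORDS))
```

The "coordinated" record is the interesting one: measured from disclosure it contributes zero days, measured from the report it contributes 65, and it is the vendor, not the metric, that chose which of those two numbers the public sees.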

Though a lot more could be analyzed in the report, this "independent" research appears to have been done (or should we say, written) by people who think that enterprise IT heads are a bunch of fools with all the time in the world to read through tons of pages of deceptive analysis.

Source.

More in Tux Machines

Security Leftovers

  • Major Cloudflare bug leaked sensitive data from customers’ websites
    Cloudflare revealed a serious bug in its software today that caused sensitive data like passwords, cookies and authentication tokens to spill in plaintext from its customers’ websites. The announcement is a major blow for the content delivery network, which offers enhanced security and performance for more than 5 million websites. This could have allowed anyone who noticed the error to collect a variety of very personal information that is typically encrypted or obscured.
  • SHA1 collisions make Git vulnerable to attacks by third-parties, not just repo maintainers
    After sitting through an endless flood of headless-chicken messages on multiple media about SHA-1 being fatally broken, I thought I'd do a quick writeup about what this actually means.
  • Torvalds patches git to mitigate against SHA-1 attacks
    Linux creator Linus Torvalds says two sets of patches have been posted for the distributed version control system git to mitigate against SHA-1 attacks which are based on the method that Dutch and Google engineers detailed last week. The post by Torvalds detailing this came after reports emerged of the version control system used by the WebKit browser engine repository becoming corrupted after the two proof-of-concept PDF files that were released by the Dutch and Google researchers were uploaded to the repository.
  • Linus Torvalds on "SHA1 collisions found"
  • More from Torvalds on SHA1 collisions
    I thought I'd write an update on git and SHA1, since the SHA1 collision attack was so prominently in the news. Quick overview first, with more in-depth explanation below: (1) First off - the sky isn't falling. There's a big difference between using a cryptographic hash for things like security signing, and using one for generating a "content identifier" for a content-addressable system like git. (2) Secondly, the nature of this particular SHA1 attack means that it's actually pretty easy to mitigate against, and there's already been two sets of patches posted for that mitigation. (3) And finally, there's actually a reasonably straightforward transition to some other hash that won't break the world - or even old git repositories.
  • [Older] Wire’s independent security review
    Ever since Wire launched end-to-end encryption and open sourced its apps one question has consistently popped up: “Is there an independent security review available?” Well, there is now!
  • Malware Lets a Drone Steal Data by Watching a Computer’s Blinking LED
  • FCC to halt rule that protects your private data from security breaches
    The Federal Communications Commission plans to halt implementation of a privacy rule that requires ISPs to protect the security of its customers' personal information. The data security rule is part of a broader privacy rulemaking implemented under former Chairman Tom Wheeler but opposed by the FCC's new Republican majority. The privacy order's data security obligations are scheduled to take effect on March 2, but Chairman Ajit Pai wants to prevent that from happening. The data security rule requires ISPs and phone companies to take "reasonable" steps to protect customers' information—such as Social Security numbers, financial and health information, and Web browsing data—from theft and data breaches. "Chairman Pai is seeking to act on a request to stay this rule before it takes effect on March 2," an FCC spokesperson said in a statement to Ars.
  • Google releases details of another Windows bug
  • How to secure the IoT in your organisation: advice and best practice for securing the Internet of Things
    All of the major technology vendors are making a play in the Internet of Things space and there are few organisations that won’t benefit from collecting and analysing the vast array of new data that will be made available. But the recent Mirai botnet is just one example of the tremendous vulnerabilities that exist with unsecured access points. What are the main security considerations and best practices, then, for businesses seeking to leverage the potential of IoT?
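To make the distinction Torvalds draws in the git items above concrete, an added example (not code from git or from any of the posts linked here): git's object identifier is SHA-1 over a type-and-length header followed by the content, not SHA-1 of the file bytes. Because that header is hashed first, a collision built for plain SHA-1 of a file, such as the published PDF pair, does not carry over to `git hash-object` output, which anyone holding the two files can check by running that command on both. The values asserted for the empty blob, the empty tree and a blob containing "hello\n" are git's well-known object IDs; the tree helper is an assumption that only handles trees made of blobs, and the collision-detecting patches Torvalds mentions are not reproduced here.

```python
import hashlib
from typing import List, Tuple


def raw_sha1(data: bytes) -> str:
    """Plain SHA-1 of the bytes, what `sha1sum` prints."""
    return hashlib.sha1(data).hexdigest()


def git_object_id(kind: str, data: bytes) -> str:
    """Git's content identifier: SHA-1 over "<type> <byte-length>\\0" followed by the content.

    The object type and exact length are hashed before the first content byte, so the
    chaining state that the content is hashed from is not the one plain SHA-1 starts from.
    """
    if kind not in ("blob", "tree", "commit", "tag"):
        raise ValueError(f"not a git object type: {kind!r}")
    header = f"{kind} {len(data)}\0".encode("ascii")
    return hashlib.sha1(header + data).hexdigest()


def git_blob_id(data: bytes) -> str:
    """Equivalent of `git hash-object` on a file with these bytes."""
    return git_object_id("blob", data)


def git_tree_id(entries: List[Tuple[str, str, str]]) -> str:
    """Tree object built from (mode, name, hex object id) triples in git's binary entry format.

    Assumption: entries are blobs only, so plain byte order of the names matches git's sort.
    """
    body = b""
    for mode, name, oid in sorted(entries, key=lambda e: e[1].encode("utf-8")):
        body += f"{mode} {name}\0".encode("utf-8") + bytes.fromhex(oid)
    return git_object_id("tree", body)


def identity_report(data: bytes) -> dict:
    """Side-by-side: the hash of the bytes versus the identifier git would assign them."""
    return {"sha1sum": raw_sha1(data), "git_blob": git_blob_id(data)}


if __name__ == "__main__":
    sample = b"hello\n"  # constructed content, same bytes `echo hello` produces
    print(identity_report(sample))
    print("empty tree:", git_tree_id([]))
    print("one-file tree:", git_tree_id([("100644", "hello.txt", git_blob_id(sample))]))
```

The practical takeaway is the one Torvalds makes: a content identifier only has to be unique among the objects a repository actually holds, and git binds type and length into it before the content, so an attacker needs a collision against git's construction, not just against SHA-1 of a file.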

GNOME News

  • FEDORA and GNOME at UNSAAC
    Today I gave a talk introducing students at UNSAAC to the Fedora and GNOME world, as announced by the GDG Cusco group. We started at 8:30 am and it was a free event:
  • GNOME Theme For Firefox Gets Updated, Looking Great
    There are a lot of complete themes for Firefox. We spoke about 3 of them in one of our previous articles. The good news today is that “GNOME 3” theme (which was also called Adwaita) for Firefox was updated. Now it’s working with all versions higher than Firefox 45. Previously, the theme didn’t work with the recent versions of Firefox. So people had to switch to other available themes. Fortunately, this finally changed today when another developer took the code, fixed the compatibility problems and re-released the theme.
  • GStreamer Now Supports Multi-Threaded Scaling/Conversion For Big Performance Win
    With the addition of over two thousand lines of code, GStreamer's video-convert code within gst-plugins-base is now properly multi-threaded. Video scaling and conversion can now be multi-threaded when using GStreamer. Sebastian Dröge, who did this multi-threading work, commented in the commit, "During tests, this gave up to 1.8x speedup with 2 threads and up to 3.2x speedup with 4 threads when converting e.g. 1080p to 4k in v210."

Linux and Graphics

  • OpenRISC For Linux 4.11 Gets Some Optimizations, Prepares For SMP
    OpenRISC continues advancing with its sights on being a free and open processor for embedded systems using the RISC instruction set architecture. Last year the Linux kernel got a new OpenRISC maintainer and for Linux 4.11 there is a fair amount of interesting changes for the OpenRISC code within the mainline tree.
  • drm for v4.11 - main pull request
    The tinydrm code seems like absolute pure shit that has never seen a compiler. I'm upset, because I expect better quality control. In fact, I expect *some* quality control, and this piece-of-shit driver has clearly seen none at all. And those patches were apparently committed yesterday. WHAT THE ACTUAL FUCK?
  • [Old] A Guide Through The Linux Sound API Jungle
    At the Audio MC at the Linux Plumbers Conference one thing became very clear: it is very difficult for programmers to figure out which audio API to use for which purpose and which API not to use when doing audio programming on Linux.
  • Mesa, Vulkan & Other Driver Talks From 2017 Embedded Linux Conference
  • Fuzzing Mesa Drivers Begin To Uncover Bugs
    Last December we wrote about work being done on fuzzing OpenGL shaders leading to wild differences with the work being done at the Imperial College London. While they were testing other drivers on different operating systems, they have now fired up tests of Mesa.
  • Wayland's Weston 2.0 Compositor Released
    Wayland 1.13 was released earlier this week but the adjoining Weston compositor update didn't happen at the same time due to some last minute changes needing more time to test, but this Friday, Weston 2.0 is now shipping. But before getting too excited, Weston 2.0 doesn't represent some breakthrough changes but rather was bumped away from the Wayland versioning rhythm due to its new output configuration API breaking Weston's ABI. Thus the major version bump.
  • weston 2.0.0
    Welcome to the official release of Weston 2.0. There are no changes since RC2.
