Language Selection

English French German Italian Portuguese Spanish

Microsoft vs Linux Reports - Sheer Waste Of Time?

Filed under

The report released by Security Innovation Inc., an application security company, comparing Windows Server 2003 security with Red Hat Enterprise Linux 3 Enterprise Server (RHEL3ES) is very interesting in its own right. Just skimming through the report reveals a few discrepancies that question its credibility.

The main page briefing about the paper states:
"Results of Independent Research Project that Microsoft Windows Server 2003 has Fewer Security Flaws than Multiple Configurations of a Compatible Linux Server." While the researchers are clearly mentioning the Microsoft product the use the more generic term "Linux". Why generalize? It is hard to believe that these PhDs do not understand the relevance of this statement. Why couldn't they just be direct and mentioned "RHEL3ES?"

In the report:
"Aside from beliefs over the relative "security" of the closed versus Open Source development paradigms, another important contributing factor is that Microsoft develops and releases all the components in their Web server stack. This allows Microsoft more control over release cycles and vulnerability disclosures than the distributed development method."

This brings up a couple of interesting points. Firstly, according to them implementing multiple components (software) in an enterprise makes the overall system more vulnerable. Well, so we must expect enterprises to immediately take actions to ensure that ALL their ERP, SCM, CRM, and, of course, Web Servers are from a single vendor. Though we hate to repeat this but have they ever heard of something called "vendor lock-in".

Secondly, the report states that Microsoft has control over release cycles AND VULNERABILITY DISCLOSURES. Do they intend to say that the "days of risk" has been significantly affected by the fact that the vendor has control as to when the vulnerability will be disclosed?

A little later comes:
"Another factor which helps Microsoft in terms of average days of risk is that Microsoft strongly encourages a "responsible disclosure" policy - that is, the company attempts to carefully coordinate vulnerability announcement with fix announcement and actively build relationships with new security researchers."

It does seem that the report is trying to explain that the companies buying the Microsoft products are supposed to work closely with Microsoft to ensure that the vulnerability announcement and fix announcements are as close as possible to ensure that the "days of risk" are kept to a minimum. We sincerely hope that we got this one wrong.

Though a lot more can be analyzed in the report, it does appear that "independent" research seems to have been done (or should we say, written) by people who think that Enterprise IT Heads are a bunch of fools who have all the time on earth to read through tones of pages of deceptive analysis.


More in Tux Machines

Mozilla: Facebook-Mozilla Rift, MDN, No More Notifications (If You Want)

  • Mozilla stops Facebook advertising, demands privacy changes
    It’s probably not top of Mark Zuckerberg’s worry list this week but Mozilla Corporation, developer of the Firefox browser, is officially unhappy with Facebook.
  • Results of the MDN “Competitive Content Analysis” SEO experiment
    The next SEO experiment I’d like to discuss results for is the MDN “Competitive Content Analysis” experiment. In this experiment, performed through December into early January, involved selecting two of the top search terms that resulted in MDN being included in search results—one of them where MDN is highly-placed but not at #1, and one where MDN is listed far down in the search results despite having good content available. The result is a comparison of the quality of our content and our SEO against other sites that document these technology areas. With that information in hand, we can look at the competition’s content and make decisions as to what changes to make to MDN to help bring us up in the search rankings.
  • No More Notifications (If You Want)
    Online, your attention is priceless. That’s why every site in the universe wants permission to send you notifications about new stuff. It can be distracting at best and annoying at worst. The latest version of Firefox for desktop lets you block those requests and many others.

EUPL planned actions

A revised set of guidelines and recommendations on the use of the open source licence EUPL v1.2 published by the Commission on 19 May 2017 will be developed, involving the DIGIT unit B.3 (Reusable Solutions) and the JRC 1.4 (Joint Research Centre – Intellectual Property and Technology Transfer). The existing licence wizard will be updated. New ways of promoting public administrations' use of open source will be investigated and planned (such as hackathons or app challenges on open source software). The target date for the release of this set of guidelines on the use of the European Public Licence EUPL v1.2, including a modified Licence Wizard, is planned Q2 2018. Read more

Security: Dropbox, FUD, CNCF, 'Cloud'

  • Dropbox has some genuinely great security reporting guidelines, but reserves the right to jail you if you disagree

    Dropbox's position, however reasonable in many of its aspects, is woefully deficient, because the company reserves the right to invoke DMCA 1201 and/or CFAA and other tools that give companies the power to choose who can say true things abour mistakes they've made.

    This is not normal. Before DRM in embedded software and cloud connectivity, became routine there were no restrictions on who could utter true words about defects in a product. [...]

  • Hackers Infect Linux Servers With Monero Miner via 5-Year-Old Vulnerability [Ed: A five-year-old vulnerability implies total neglect by sysadmins, not a GNU/Linux weakness]
    Attackers also modified the local cron jobs to trigger a "watchd0g" Bash script every three minutes, a script that checked to see if the Monero miner was still active and restarted XMRig's process whenever it was down.
  • GitHub: Our dependency scan has found four million security flaws in public repos [Ed: No, GitHub just ran a scan for old versions being used and reused. It cannot do this for proprietary software, but the issues are there and the risks are no better.]
    GitHub says its security scan for old vulnerabilities in JavaScript and Ruby libraries has turned up over four million bugs and sparked a major clean-up by project owners. The massive bug-find total was reached within a month of the initiative's launch in November, when GitHub began scanning for known vulnerabilities in certain popular open-source libraries and notifying project owners that they should be using an updated version.
  • Envoy CNCF Project Completes Security Audit, Delivers New Release
    The Cloud Native Computing Foundation (CNCF) has begun a process of performing third-party security audits for its projects, with the first completed audit coming from the Envoy proxy project. The Envoy proxy project was created by ride-sharing company Lyft and officially joined the CNCF in September 2017. Envoy is a service mesh reverse proxy technology that is used to help scale micro-services data traffic.
  • Hybrid cloud security: Emerging lessons [Ed: 'Cloud' and security do not belong in the same headline because 'cloud' is a data breach, typically involving a company giving all its (and customers') data to some spying giant abroad]

A Look At The Relative Spectre/Meltdown Mitigation Costs On Windows vs. Linux

The latest in our Windows versus Linux benchmarking is looking at the relative performance impact on both Linux and Windows of their Spectre and Meltdown mitigation techniques. This round of tests were done on Windows 10 Pro, Ubuntu 18.04 LTS, and Clear Linux when having an up-to-date system on each OS where there is Spectre/Meltdown protection and then repeating the same benchmarks after reverting/disabling the security functionality. Read more