Gartner Group Suggests Dumping IIS For Now

Posted by timothy on Mon Sep 24, 2001 02:19 PM
from the dump-dump-dump dept.
sachmet is one of the many readers who contributed news that "Gartner Group is now recommending that IIS be replaced in corporate environments. This is based on the fact that TCO for IIS is rising due to the almost-weekly patches sent out by MS, and even then, it's nearly impossible to get patched quickly enough. Best part: 'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,' which they say has an 80% chance of happening by the end of next year." Gartner hasn't always said favorable things about Linux systems in the workplace, but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting.

Update: 09/24 22:04 GMT by T: As several people have pointed out, the 80% figure appears to be Gartner's odds that IIS won't be rewritten that soon, rather than the other way around (.673334 probability).
  • wow... (Score:4, Interesting)

    by Wakko Warner (324) on Monday September 24 2001, @02:22PM (#2342822) Homepage Journal
    Gartner Group is usually not this anti-Microsoft, but given the events of the past week (who DIDN'T get hit by Nimda?), I can see why they're advocating switching, at least for the time being.

    At work, we've been on-and-off contemplating switching a lot of our servers from IIS to something else. Our Linux and OpenBSD and Solaris boxes are all fine, but our unpatched IIS servers (the ones I don't admin, go fig) all got trashed. If you're gonna lose a day or two of work every month and you're paying the "cleanup people" $50 an hour or more, you can damn well bet you'll either start looking for new employees or new software.

    - A.P.
    • Security (Score:5, Interesting)

      by quantum bit (225091) on Monday September 24 2001, @03:15PM (#2343002) Journal

      (who DIDN'T get hit by Nimda?)

      I didn't. IIS can be secured -- many things that MS releases patches for are not exploitable if you follow sane security practices. Stuff like deleting all the ISAPI crap that comes in the default setup, and putting your web root in a nonstandard location (preferably on a different partition), deleting all sample files, enforcing proper filesystem permissions, and running any applications in an isolated process.

      Of course, one of the advantages of Apache is that it ships in a relatively secure configuration by default; it's better for dummies who install stuff and plug it into the network without bothering to check the configuration. It's a whole lot better by default than IIS, that's for sure. Most of the MS patches are for various add-ons like index service that most people don't use anyway and should be shut off.

      DISCLAIMER: I use Apache for the primary web server for the business I work at. We run IIS as the secondary server for load-balancing and have yet to be compromised by anything, even though patches don't always get applied immediately (usually pretty soon after release though). I think Apache is great, but want to point out that anything can be secured if you put some effort into it.

      • Re:Security (Score:4, Interesting)

        by plover (150551) on Monday September 24 2001, @07:49PM (#2344697) Homepage Journal
        That's all well and good, but you solved .001% of the problem.

        Like everyone else, I found myself getting hammered by Code Red infested servers when this whole thing came down last month. So I went and did a few directories on several of those machines using the newly installed back doors just to see what was going on. Know what I found? They were ALL default installations of Win2K, and most were installed sometime early in August (based on the dates of some of the directories I found. Many of those machines still served up the IIS default page when I checked.) It was evident that someone simply dropped in the CD, clicked on some install button, and called it done. And *I* suffered for it.

        You cured ONE machine, and for that I thank you. As you say that a smart admin will prevent these problems, but that's not true enough. These machines are owned by cable-modem morons that don't understand that they've just become an admin. They dropped in a CD and checked a box that said "Make this computer a web server." Then they probably invited their friends over to see their awesome Quake playing machine.

        That's why IIS is not a winning recommendation, but the people who need to know this wouldn't know the Gartner group from a garter snake.

  • Dumping IIS? (Score:5, Funny)

    by Guillaume Ross (517391) <guillaume@aliencow.com> on Monday September 24 2001, @02:22PM (#2342824)
    Isn't it one of the greatest P2P apps out there for automatic file sharing?
  • by Rev.LoveJoy (136856) on Monday September 24 2001, @02:23PM (#2342832) Homepage Journal
    Are any of the linux companies actively promoting reviews such as this by offering to replace the *functionality* of IIS in corporate environs?

    Just curious,
    - RLJ

  • Gartner Leads Way (Score:3, Interesting)

    by gus goose (306978) on Monday September 24 2001, @02:23PM (#2342837) Journal
    At least they appear to not be using IIS themselves, although their web-server has no indication of what server is behind it. This in itself indicates that it is not IIS.

    Gartner wields a lot of influence, and this will raise heads. Congratulations.

    gus
  • by davidfsmith (81296) on Monday September 24 2001, @02:25PM (#2342850) Homepage
    To be honest I'm surprised it took this long for a report like this to appear, I maintain a small network in a small company, we have mainly win machines except for one server and my laptop... the overhead on keeping the win machines patched (5 on the network) is crazy, I spend too much of my valuable time hunting down patches for machines.... luckily at the moment IIS is shutdown as all of the dev work is being completed on linux. however I have to keep the patches up to date otherwise I'll be spending a week or 2 updating the server in a month or so time.

    Will MS really write a new IIS from scratch I doubt it, and if they did would it really improve on where things are now.... it would take n months to write, beta and then launch IIS+ 1.0 then people would want to know it was ok, some would try it, but most people would want to see IIS+ 2.0 before moving their web applications to it..... timescale ? how long is a piece of string.... and would it be any better, would MS allow external code reviews (or opensource) to ensure that IIS+ was better / secure. I doubt it....

    Regards
    Dave
    ----
    "Iceberg dead ahead..... oh sorry, only joking !"
  • Now THATS Funny... (Score:4, Funny)

    by FatHogByTheAss (257292) on Monday September 24 2001, @02:27PM (#2342856)
    I've quit jobs due to PHB reliance on the morons over at Gartner.

    "Unix will be a dead OS in three years." Quoth one, on his reasoning behind implementing MS solutions for the enterprise. (~ 1995)

    An expensive Gartner "analyst" told him so.

    Shoulda gave me that budget...

    HooHa!
    • Gimme a break! (Score:5, Informative)

      by JediTrainer (314273) on Monday September 24 2001, @03:50PM (#2343177)
      Rewriting is always an option. It's not a pretty one, but it CAN be done if you're dedicated enough.

      Case in point - last year I saw the dead-end coming for my company's Enterprise solution, which was written in ASP/COM. The argument (er... *ahem*, discussion) I had with the higher-ups concluded that we HAD to continue moving forward. We couldn't wait 6 months for a rewrite (ambitious at best).

      Fine, I said. Then let me do everything concurrently. Here's how it works:

      Install Tomcat [apache.org] onto your Windows NT Server running IIS, along with JRE 1.3 and the HotSpot Server.

      Link Tomcat in with IIS using the mod_isapi.dll you can get from the Tomcat site. Also install Tomcat as a service using jk_nt_service.exe.

      Keep your Java session abstracted. The main session remains as-is within your ASP application. Write a bit of java.net code to hook in through a custom ASP page (note: security - ordinary clients can't access this page) to retrieve and update any session variables. This can be done by reading the ASPSESSION cookie, and spoofing it in your requests to IIS.

      Any NEW components, write in Java. Remember - session variables get retrieved and saved from the ASP side still.

      As you're working on new components, when you can arrange it, convert old components to Java one by one. Session still remains on ASP.

      Wash, rinse, repeat until all components have been written in Java. Once this is done, convert your login into Java, and change your abstracted Session to be a Java session instead of hooking into IIS for the ASP one.

      Voila. You are now 100% Java. Now get rid of IIS and switch to something else. This is the approach that my team took to rid ourselves of the VB horror that someone left me when I joined. It took about 8 months of solid effort, but it worked. We are now rid of all reliance on MS technologies from our site. We also managed to do it quickly because of good code layout, and the use of the most wonderful Velocity templates also available from the Jakarta site. This helped a lot.

      The point is, you CAN do a rewrite. What you usually are NOT allowed to do is a code freeze. So... work around it! The beauty of this solution is that you are running two separate applications (technically) for a time. Keep a consistent look, and the users can't tell the difference between the ASP and the Java side. Change one function at a time, slowly, and eventually you'll reach the Utopia you're looking for.
  • OH MY GOD! (Score:5, Funny)

    by Anonymous Coward on Monday September 24 2001, @02:27PM (#2342862)
    My PHB just saw this, screamed "MY PARADIGMS ARE MELTING!" and collapsed into a pile of goo. Many thanks to the Gartner Group!
  • Actually... (Score:5, Informative)

    by base2op (226729) <spambait@bunkergate.org> on Monday September 24 2001, @02:27PM (#2342866) Homepage
    There is an 80% chance of it not happening by the end of 2002:

    Gartner believes that this rewriting will not occur before year-end 2002 (0.8 probability).

  • There's TCO on Apache, too. (Score:4, Interesting)

    by iturbide (39881) on Monday September 24 2001, @02:29PM (#2342884) Homepage
    The problem is not just that IIS is a vulnerable piece of crap. The problem is the point and click admins who can only run setup and never ever will check for patches.

    So you ditch IIS and install Apache. Do you honestly think that the guy who couldn't be bothered to update it will be bothered to check for Apache vulnerabilities and fixes?

    Yes, because you will have to ditch that guy! And your new unix-savvy admin will be more expensive.

    Oh well, only a matter of time before they think of that. The product is only as good as its admin, and certainly not better.
  • by Pinball Wizard (161942) on Monday September 24 2001, @02:32PM (#2342899) Homepage Journal
    From the article...


    using Internet-exposed IIS Web servers securely has a high cost of ownership. Enterprises using Microsoft's IIS Web server software have to update every IIS server with every Microsoft security patch that comes out -- almost weekly.


    I imagine you would need to patch Apache fairly regularly as well. It's not like it's immune to worms or security holes. In fact, apache.org [apache.org] was compromised this year due to a security hole.


    I am in the process of converting from a Windows based web server to Debian/Apache, and the process is not without its problems. On the first try, Debian did not pick up both processors on my machine. Also, using mySQL, I can consistently crash my machine by trying to index a 5 million row table.


    So, I have some problems. As you might when converting from Windows to Linux. Where do I go? I can't just call my Debian rep and ask him to help me fix my problems. I have to hunt for the answers and spend a lot of time figuring out just what the heck is wrong with my system.


    So keep this in mind if you are switching because of TCO costs. Yes, you will need to patch once a week sticking with Windows. However, I don't think this report fully explains everything that may be involved when figuring out the TCO for a Linux system.


    That said, I expect to be able to solve my problems and end up with a very nice server.

  • you know what'll happen (Score:5, Interesting)

    by Dr. Awktagon (233360) on Monday September 24 2001, @02:33PM (#2342913) Homepage
    More and more of these IIS "sysadmins" (using the term loosely) will install Unix/Linux boxes, and forget about them, just like they installed the IIS boxes and forgot about them.

    Then someone somewhere will find some little bug in some pre-installed convenience, some PHP shopping cart, some admin tool, some default password, something that comes on each machine. Then we'll have the same problem with some crazy Linux worm. And this time I bet the clueless M$-0wn3d media won't call it an "Internet worm", they'll be sure to call it a "Linux worm"!

    Of course I could be wrong. Maybe Microsoft really can't code a proper webserver. But I think having sysadmins awake and at the wheel will help too.

    Hmm, how about a web server that emails the admin saying "This web server will shut down in 15 days unless you run the up2date tool" or something similar? To force people to check for upgrades.
    • by MillionthMonkey (240664) on Monday September 24 2001, @04:02PM (#2343261) Journal
      Tim O'Reilly wrote a Salon article [salon.com] back in November 1999 about the obstacles M$ places in the path of people who want to run alternative web servers on NT:

      In fact, the rise of Microsoft's Internet Information Server (IIS) as the dominant Web server on NT shows much the same pattern as the rise of IE as the dominant browser: Microsoft got pole position by exercising its unique leverage as an operating system vendor.
      Originally IIS, Web server software that runs only on the NT operating system, was bundled "free" with a version of NT called NT Server. Web server vendors such as Netscape and O'Reilly responded by pointing out in our advertising and PR that if customers ran our third-party Web server software on NT Workstation (a less expensive version of NT, which came without the IIS Web server software), they would end up with a more powerful server than Microsoft's IIS running on NT Server -- and it would cost less too.
      Much as it had done by bundling the browser with Windows 98, Microsoft was bundling an application -- the IIS Web server -- as part of an operating system, (NT Server). But in this case, the company offered another version of the same operating system without the bundle, (NT Workstation). It seemed natural to competitors to offer our products on top of the version of the operating system that came without IIS.
      It did not, however, please Microsoft that we did so. In June 1996 Microsoft responded by changing [ora.com] the license to NT Workstation to prohibit its use as a server platform. (At first, the company went further, and actually crippled the version of TCP/IP provided in NT Workstation, but the outcry from users forced it to backtrack.)
      Microsoft argued, quite rightly, that it had the right to create two different versions of NT, with different price points, and different functionality. But the company went a step further, and used its operating system license (and more specifically the license to the parts of the operating system that implemented TCP/IP, an industry standard protocol) to prohibit the use of third-party applications that duplicated the functionality of Microsoft's more expensive platform.
      Microsoft's public rationale for the policy -- that it was protecting its customers because NT Workstation was not suitable for use as a server operating system -- was proven false by my colleague, former O'Reilly editor Andrew Schulman (working with Mark Russinovich). Schulman and Russinovich demonstrated [ora.com] that it was possible to convert NT Workstation to NT Server by changing only a few registry entries. NT Workstation contained all of the same program code as NT Server; the code was simply disabled, and some additional applications bundled.

      This is admittedly an old story; I don't know if M$ is still legally implementing this particular "innovative" license restriction nowadays. Does anybody know?
  • The problem (Score:3, Interesting)

    by Rick the Red (307103) <Rick...The...Red@@@gmail...com> on Monday September 24 2001, @02:37PM (#2342956) Journal
    The problem is that the crackers and script kiddies attack the lowest common denominator. In this case it's IIS and other Microsoft wares. But what if Gartner succeeds and the Fortune 500 dump IIS and switch to Apache? When that happens the safe thing to do will be to use the less-common and thus less-attacked IIS, because the crackers will make Apache too expensive to use. In other words, once again the best course of action is to do exactly the opposite of what Gartner recommends.

  • by jsveiga (465473) on Monday September 24 2001, @02:38PM (#2342962)
    Take a look at the data at:
    http://www.securityspace.com/s_survey/data/200108/index.html

    Since July IIS market share has been falling.

    Check the .mil, and .br graphs!

    The share is flowing to Apache and Netscape servers.

    Joao
  • Foot in the door... (Score:4, Insightful)

    by Zergwyn (514693) on Monday September 24 2001, @02:39PM (#2342979)
    "...but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting."


    One of the biggest problems with getting Linux, OpenBSD, or any new OS widely adopted is that it costs a great deal to switch to a new system once a business has standardized on a different solution. So many corporations decided to use WinNT, and having made the investment need a great deal to sway them to something better. It has to be something very big, and these virii may do it. This could be good news for OS's competing with M$, because the investment thing works both ways. Once Linux is installed, companies are less likely to go back to Windows NT...

  • Ummm... (Score:3, Insightful)

    by Kevinb (138146) on Monday September 24 2001, @02:40PM (#2342986) Homepage
    'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,'

    Am I the only one who thinks this is the absolute wrong thing to do? As vulnerable as IIS has proved as of late, completely rewriting any piece of software runs the risk of not only reintroducing old exploits but possibly generating new ones. IIS is a very complex piece of software with years of thorough public testing (in the form of live deployments) already in place. By completely rewriting it, you throw out that experience and start from zero.

    • Re:Ummm... (Score:5, Interesting)

      by stilwebm (129567) on Monday September 24 2001, @03:51PM (#2343182)

      By completely rewriting it, you throw out that experience and start from zero.

      I'd have to disagree with you on that one. They won't throw away the old experiences, in fact they will prove quite valuable. Most programmers encounter parts of a project that they would change if there were not the possibility of breaking things or hurting backwards compatibility. When they start from the ground up, they can look at what worked well and what did not work well. Features that were added to later releases had to be designed to use the existing code base, which is often suboptimal. When they have a good idea of the types of features they will use (and even trends for adding features) they can make those features more optimal. It also makes it easier to understand the code in the short term. It is hard to understand code written years ago by yourself, and it is especially hard to understand code written by someone who left the company years ago. I'm sure bugs will be introduced, but it is much easier to prevent security problems if you start from the scratch (hint: check for buffer/stack overflows everywhere). When you rewrite, you draw heavily on previous experience, and get the chance to write things with more knowledge than you had when you wrote them a long time ago the first time around.

  • Dear Gartner (Score:5, Funny)

    by Anonymous Coward on Monday September 24 2001, @03:29PM (#2343020)
    Sorry I was late with the usual monthly cheque. I assure you that this will never happen again.


    Love,
    Bill

  • If It Weren't For Microsoft.... (Score:3, Redundant)

    by quakeaddict (94195) on Monday September 24 2001, @03:30PM (#2343023)
    What would /. use for stories?

    Think about it guys...1/2 of the discussion today involves MS.

    If you guys hate MS so much why do you spend so much energy talking about it?

  • by Sierpinski (266120) on Monday September 24 2001, @03:42PM (#2343113)
    In recent dealings with the latest worms, I found a tool from Microsoft called Hfnetchk [microsoft.com] that will, with a valid connection to the internet, tell you exactly what patches you do or do not have installed. They cross list them by article (eg Q123455) and also by another form (eg MS01-077).

    We're running Windows 2000 Adv Server (yeah yeah, I know, but we don't have the Cold Fusion package for Linux) with IIS 5, and were having an average of 30-45 minutes uptime before getting blasted by the worm(s).

    After using the hfnetchk and downloading quite a few patches (burn them to a CD, having to reload the system isn't out of the question, even if it is working now), we have had about 5 days uptime, and *knocks on wood* no infections, although the log says there have been attempts.

    Even though I'm spoiled to the ease at which I can find Linux updates, I found that the tool was very useful, especially since Microsoft's site is so unorganized when it comes to downloading patches and updates (I want a list, not having to search for something, especially when it never works right) that this tool was a big time saver for me.
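
The comment above notes that the IIS log still recorded worm attempts after patching. As an added example (not part of any comment in this thread), the Python script below tallies Code Red and Nimda-style requests in a W3C-format IIS log and separates rejected probes from shell requests the server actually served; the log lines, addresses, field layout and the 16-character padding threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended log format. Addresses come from the
# RFC 5737 documentation ranges; the padding strings are shortened stand-ins.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-24 14:02:11 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN 404
2001-09-24 14:02:40 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX 404
2001-09-24 14:03:05 198.51.100.7 GET /scripts/root.exe /c+dir 404
2001-09-24 14:03:06 198.51.100.7 GET /MSADC/root.exe /c+dir 404
2001-09-24 14:03:07 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-09-24 14:05:00 203.0.113.5 GET /index.html - 200
2001-09-24 14:05:02 203.0.113.5 GET /docs/cmd.exe.html - 200
"""

# Code Red padded its .ida request with a long run of 'N'; Code Red II used 'X'.
PADDING = re.compile(r"^(N{16,}|X{16,})")
# Nimda and the Code Red II backdoor both show up as requests for these files.
SHELL_NAMES = {"cmd.exe", "root.exe"}


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line
        yield dict(zip(fields, values))


def classify(rec):
    """Return a worm family label for a request, or None if it looks benign."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "")
    if stem.endswith(".ida"):
        match = PADDING.match(query)
        if match:
            return "code-red" if match.group(1)[0] == "N" else "code-red-ii"
    # Compare only the final path segment so /docs/cmd.exe.html is not flagged.
    if stem.rsplit("/", 1)[-1] in SHELL_NAMES:
        return "shell-probe"
    return None


def scan(text):
    """Return a list of hits; 'served' marks shell requests answered with 2xx."""
    hits = []
    for rec in parse_w3c(text):
        family = classify(rec)
        if family is None:
            continue
        status = rec.get("sc-status", "")
        hits.append({
            "ip": rec.get("c-ip", "?"),
            "family": family,
            "stem": rec.get("cs-uri-stem", ""),
            "status": status,
            "served": family == "shell-probe" and status.startswith("2"),
        })
    return hits


def summarize(hits):
    """Count hits per source address and family."""
    per_ip = defaultdict(Counter)
    for hit in hits:
        per_ip[hit["ip"]][hit["family"]] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, counts in summarize(found).items():
        print(ip, counts)
    for hit in found:
        if hit["served"]:
            print("INVESTIGATE:", hit["ip"], hit["stem"], hit["status"])
```

A 4xx on these requests is an attempt that bounced; a 2xx on a `cmd.exe` or `root.exe` request means the server answered it and the host needs investigation rather than just another patch.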
  • brain-damaged sysadmins (Score:4, Interesting)

    by maxpublic (450413) on Monday September 24 2001, @03:46PM (#2343138) Homepage
    Imagine if business did dump all of its IIS servers and replaced them with Apache - how many 'point and click' admins would suddenly be unemployed?

    I mean christ, I hear people complaining about how complicated Apache is in comparison to IIS and I think to myself "if you can't figure this shit out, you have no business being a network admin because YOU'RE TOO STUPID TO DO THE JOB!".

    Seriously, any network admin that bitches about Apache (which is bloody easy to use, in comparison to most previous tools) is too fucking braindead to be let anywhere near a server. Switching to Apache would at least show an organization where some of its dead weight is in the IS department.

    Max

  • by jd (1658) <[imipak] [at] [yahoo.com]> on Monday September 24 2001, @03:51PM (#2343184) Homepage Journal
    Firstly, this is one of the few times the Gartner Group has openly criticised a Microsoft product. Given that they -are- a major group, this has to be taken seriously, whether you trust them to tie their own shoelaces or not.


    Secondly, the timing couldn't be worse for Microsoft. With XP only just hitting the shelves, this has the potential to seriously cripple the uptake of the new OS. (Note: I'm saying "potential" as you're bound to get plenty of execs who argue that nobody ever got fired for buying Microsoft. Even when it puts the entire company's public profile at risk.)


    Thirdly, this also comes at a critical point in time, with respect to the European Union anti-trust investigation, the British fair trading investigation, and the US' very own anti-trust Lawsuit Revisited. Should the market-share of IIS continue to grow at the current rate, competitors may be able to argue the case that companies aren't heeding the report because they can't. That could seriously jeopardise Microsoft's arguments that they are not a monopoly, and that "future threats" could affect their market-share.


    (Let's face it - if this isn't a "future threat", I don't know what is.)


    Fourthly, this comes at a time when the economy is seriously wounded, and yet Microsoft's pricing continues to rise. As other posters have noted, this might persuade some accounts departments to start pushing the alternatives.


    Lastly, homeless shelters are still pretty full, from the collapse of the dot-coms. This makes computer expertise very cheap. ("Will Code For Food" no longer sounds such a joke.) Thus, there is really little need to hold onto "old hands", who command high fees. You could probably pick up a webmaster and a couple of ASP/PHP/Perl gurus by going to the local K-Marts and asking the people collecting the carts. They'd cost a fraction of what most companies are paying for their IIS expert, and they'd probably worship the ground the management walk on.


    HOWEVER, this is purely speculative. Although what I've written is a plausible scenario, companies could equally well ignore the report, the anti-trust lawyers might deem it too tenuous to be usable in court (if they notice it at all), and Microsoft might remain King Of The Hill by sheer default.

  • New advert from M$ for servers shows sensitivity by ackthpt (Score:2) Monday September 24 2001, @03:56PM
  • So what you're saying.. by OblongPlatypus (Score:2) Monday September 24 2001, @03:56PM
  • What did they say before? by pkesel (Score:1) Monday September 24 2001, @03:58PM
  • Confused on this; help me (Score:4, Interesting)

    by ellem (147712) <.ellem52. .at. .gmail.com.> on Monday September 24 2001, @03:58PM (#2343231) Homepage Journal
    --Say you're a good MS admin and you have dutifully patched up your IIS machine and never got hit with Code Red or Nimda on your servers BUT your Win9x users who don't run Outlook (Express either) go to an infected webpage: How will not using IIS help?

    --Yes the patch was there for months; but SARC (et al) was caught off guard, .DAT files weren't ready until the next day and the "Fix" is so-so at best.

    --I'm not blaming anti-virus companies but I am confused how IIS is the sole badguy.

    --You can get hit with this thing from many directions (assuming WinXX.)

    --Gartner even says you "Can't Patch Fast Enough"
  • My take - by Jeremiah Cornelius (Score:1) Monday September 24 2001, @03:58PM
  • by mikej (84735) on Monday September 24 2001, @03:59PM (#2343237) Homepage
    The submitter says that IIS needs to be rewritten, something that "[Gartner says] has an 80% chance of happening by the end of next year." This is incorrect.

    The actual quote is: "Gartner believes that this rewriting will not occur before year-end 2002 (0.8 probability)." That means there's an 80% probability that the preceding statement is true, and that statement is that MS will _not_ have completed a rewrite in that timeframe.

    So instead of MS being 80% likely to fix the problem, they're 80% UNlikely to do so in the timeframe specified.

  • Configure, don't patch (Score:5, Insightful)

    by Ratbert42 (452340) on Monday September 24 2001, @04:01PM (#2343254)

    Do what I do. I'm too f-ing lazy to keep up with the weekly patches. So I spent a couple hours a year ago and properly configured my IIS servers, following the published checklists. Now I review bug after bug and say "ok, that one can't impact me so I'll patch it later."

    There is no reason a properly configured but completely unpatched IIS 4 or IIS 5 server could not have survived both the Nimda and Code Red worms.

    Nimda made use of the Unicode directory traversal bug, which only lets you move around on the drive where the web documents are stored. Move the wwwroot to another drive, set file permissions as tight as possible, remove the sample applications, and you would have been safe. Every one of those is on any decent IIS admin's checklist.

    Code Red made use of a bug in the Index Server. Removing unused mappings is near the top of every decent IIS admin's list. In fact, one IIS server I have didn't have the patch applied when Code Red hit. I didn't bother to apply it until almost a month later.
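
Added example, not part of Ratbert42's comment or the thread: a simplified Python model of the checklist item about moving wwwroot to another drive. It shows that `..` segments in a Windows path never change the drive letter, next to a containment check that rejects traversal, overlong UTF-8 and double-encoded escapes; the paths and requests are constructed, and `naive_resolve` is a hypothetical stand-in, not IIS's actual path handling.

```python
import ntpath
from urllib.parse import unquote_to_bytes

def naive_resolve(web_root, url_path):
    """Hypothetical server with no containment check: decode percent-escapes,
    join to the web root, collapse '..' segments (Windows path rules)."""
    rel = unquote_to_bytes(url_path).decode("latin-1")
    rel = rel.replace("/", "\\").lstrip("\\")
    return ntpath.normpath(ntpath.join(web_root, rel))

def safe_resolve(web_root, url_path):
    """Return the resolved path, or None if the request is rejected."""
    try:
        # Strict UTF-8 decoding refuses overlong forms of '/' and '\'.
        rel = unquote_to_bytes(url_path).decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None
    # Leftover '%' means double encoding; ':' means a drive or stream spec.
    # (Strict policy: legitimate names containing these are refused too.)
    if "%" in rel or ":" in rel:
        return None
    rel = rel.replace("/", "\\").lstrip("\\")
    root = ntpath.normpath(web_root)
    full = ntpath.normpath(ntpath.join(root, rel))
    low_root, low_full = root.lower(), full.lower()
    inside = low_full == low_root or low_full.startswith(low_root + "\\")
    return full if inside else None

def drive_of(path):
    return ntpath.splitdrive(path)[0].upper()

# Constructed sample requests (not taken from the thread).
TRAVERSAL = "/docs/../../../winnt/notes.txt"
OVERLONG = "/docs/..%c0%af../winnt/notes.txt"

if __name__ == "__main__":
    for root in ("C:\\Inetpub\\wwwroot", "D:\\wwwroot"):
        print(root, "naive:", naive_resolve(root, TRAVERSAL),
              "checked:", safe_resolve(root, TRAVERSAL))
    print("overlong request:", safe_resolve("D:\\wwwroot", OVERLONG))
```

With the web root on `D:`, the unchecked resolver still ends up on `D:`, away from the system drive, which is the defence-in-depth effect the comment relies on; the containment check removes the dependence on drive layout altogether.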

  • What does this mean for .Net? by PineHall (Score:1) Monday September 24 2001, @04:09PM
  • Gartner blah by drwho (Score:1) Monday September 24 2001, @04:09PM
  • by ballpoint (192660) on Monday September 24 2001, @04:09PM (#2343308) Homepage

    System 1: IIS on Windows NT:

    • monthly: download patch (click), execute it (click, click, click) and reboot (click, click, click)
    • quarterly: reboot crashed system
    • infected: never (yet)

    System 2: standard Mandrake-Linux distro with manual install of current versions of Apache, PHP, mySQL, OpenSSL and mod_ssl.

    • daily: Mandrake distro stuff:
      • Read email sent by Mandrake Security Announce.
      • Determine if the Security Announce concerns your installation. It does.
      • MandrakeUpdate the rpms as needed. Skip rpms that are wrongly marked as dependent on something you don't want to update. (Why is xyz dependent on emacs of all things ?)
      • Download the skipped rpms manually, and rpm -U.
    • fortnightly: other stuff:
      • Check apache.org, mysql.com, php.net, modssl.org and openssl.org for updates as your attention gets caught by security bulletins.
      • download source code, tar gxf; ./configure --with-abc=def .......; make; su; make install; exit. Repeat, repeat, repeat, repeat due to interdependencies and changed config options. su; apachectl stop; sleep 5; apachectl startssl; enter passphrase; exit; gedit broken .conf files and repeat, repeat, repeat.
    • yearly: reboot the system (uptime: 305 days and counting)
    • infected: never (yet)

    Now which system do you want to administer today ?

  • 80% chance of it NOT happening by eoy 2002 by Baboshka (Score:1) Monday September 24 2001, @04:18PM
  • At least one line is a load of crap... by Jayde Stargunner (Score:1) Monday September 24 2001, @04:19PM
  • *Sigh* by szcx (Score:2) Monday September 24 2001, @04:21PM
  • Gartner's crystal ball is broken (Score:4, Insightful)

    by Tony Shepps (333) on Monday September 24 2001, @04:39PM (#2343473) Homepage
    If there's anyone reading this who's in charge of "decision-making" at the "enterprise level" --

    The question you should be asking yourself is not "Should I be replacing my IIS systems with Linux+Apache?" but, rather, "If I am relying on Gartner for recommendations on conditions in the future, why didn't they see this coming a year ago?"

    Well more than a year ago, the security benefits of open source were explored not only by /. but by almost every pundit on the web. Where was Gartner? Wouldn't it have saved you a ton of money if they had pointed out the probability of problems with security and patching in 1999 instead of late 2001? Isn't it amazing that they were near last to the table with this finding?

    Why does Gartner put probabilities on their expectations without showing their work? Does anyone go back in history and look at these probabilities?

    Doesn't Gartner have an interest in pressing the solutions that people expect them to press? And here's a HUGE question... if you're using the exact same solutions as every one of your competitors, are you prepared to give up the idea that IT could give your company a competitive advantage? Do your bosses agree with this?
  • Simple Answer? by DavidJA (Score:1) Monday September 24 2001, @04:49PM
  • Dumping IIS? Not very realistic by Hooky1963 (Score:1) Monday September 24 2001, @04:57PM
  • Duh!? by --daz-- (Score:2) Monday September 24 2001, @05:07PM
  • Keep in mind that not using IIS is != Pro-Linux by OS24Ever (Score:1) Monday September 24 2001, @05:18PM
  • Keeping up with Patches is Hard in a Corp Evironme by larzgold (Score:1) Monday September 24 2001, @05:30PM
  • asp? by wobblie (Score:1) Monday September 24 2001, @06:18PM
  • Slagging of IIS: Poor sysadmin problem by HaggiZ (Score:1) Monday September 24 2001, @06:49PM
  • IIS and Updates by delus10n0 (Score:1) Monday September 24 2001, @07:04PM
  • I will say this much...it's an Admin issue by mbpark (Score:2) Monday September 24 2001, @07:06PM
  • Previous Advice by ClosedSource (Score:1) Monday September 24 2001, @10:15PM
  • Apache reverse proxy by spectro (Score:1) Monday September 24 2001, @11:44PM
  • Oh yeah, just switch.....no prob.... by zerofoo (Score:1) Tuesday September 25 2001, @12:31AM
  • Migration tool: ASP2PHP by Walles (Score:2) Tuesday September 25 2001, @01:52AM
  • This is finally a nice argument by lightweave (Score:1) Tuesday September 25 2001, @02:05AM
  • Microsoft 'not ready for prime time' by holdp (Score:1) Tuesday September 25 2001, @02:49AM
  • Gartner use... by PhilHibbs (Score:2) Tuesday September 25 2001, @03:29AM
  • Switching from IIS by linuxelf (Score:1) Tuesday September 25 2001, @06:10AM
  • Apache drop in replacement for IIS by criquet (Score:1) Tuesday September 25 2001, @07:50AM
  • Tim makes an understatement by Paul Bain (Score:1) Tuesday September 25 2001, @08:54AM
  • Blackhole these hits in Apache by babbage (Score:2) Tuesday September 25 2001, @01:28PM
  • Re:TCO? by rossz (Score:1) Monday September 24 2001, @02:32PM
    • Re:TCO? by np_geek (Score:1) Monday September 24 2001, @03:37PM
      • Re:TCO? by delus10n0 (Score:1) Monday September 24 2001, @07:09PM
  • Riiight... by Svartalf (Score:2) Monday September 24 2001, @03:50PM
  • Re:WHAT BULL!!! by hyperstation (Score:1) Monday September 24 2001, @03:52PM
  • Re:Duh by ellem (Score:2) Monday September 24 2001, @04:03PM