Linux Distributions Respond to Forrester 262

Posted by michael
from the opinions-bought-and-sold dept.
dave writes "GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed."
  • IT Research shops (Score:5, Interesting)

    by Anonymous Coward on Tuesday April 06, 2004 @08:00PM (#8787454)
    WTF? Why does anyone buy shit from these people.

    The executive management of the agency that I work for pays Meta $500/hr to evaluate project plans... they always rubber stamp whatever answer the execs want.
    • by Anonymous Coward on Tuesday April 06, 2004 @08:14PM (#8787589)

      The executive management of the agency that I work for pays Meta $500/hr to evaluate project plans... they always rubber stamp whatever answer the execs want.

      And then when the project fails, they can go the higher-ups or shareholders and say "See, the plan was sound, it was that Anonymous little shit down in IT that screwed it up. Lay him/her off and ship the job to India!"

      Then they all go celebrate their cost-cutting with booze and hookers, whilst lighting their cigars with $100 bills.

      • Re:IT Research shops (Score:4, Informative)

        by ron_ivi (607351) <[sdotno] [at] [cheapcomplexdevices.com]> on Tuesday April 06, 2004 @10:51PM (#8788752)
Forrester are the same goofballs that claim Sun Erases Doubts About Its Viability [forrester.com] by becoming another SCO-like pawn in Microsoft's linux war. It's an expensive subscription so it's easier & cheaper to read Cnet's spin on the forrester report [com.com] instead, which claims "These moves remove doubts about Sun's viability by bolstering Solaris".

        Their logic seems to be windows IP will bolster Solaris!?! Wow.

        Betcha microsoft or some exec who gets a bonus paid for that report.

      • Rob Enderle [enderlegroup.com], formerly of Forrester writes:

        I got hate mail from other employees, and my employer, Forrester, was threatened to a level they had never seen before either. I was actually told, subsequent to this, that I was never to write about Linux again which was something that had never, to my knowledge, ever happened before.

        This actually became one of the core reasons I used when I resigned from Forrester, no one had ever dictated a position to me before and that had clearly changed. I've always had a problem with opinions for hire and had been very active in fighting that trend; opinions as a result of personal threat seemed much worse and, while this was hardly the only reason for my departure, it was a major one.
        • by slipstick (579587) on Wednesday April 07, 2004 @01:12AM (#8789629)
          Never believe anyone who refers to the use of shared public domain code as "theft".

          From the rest of that article Enderle obviously has an axe to grind. It is quite possible he was threatened by a minority in the Linux community that can't seem to grow up and has obviously decided to hold a grudge against Linux as a whole.

          His argument for taking SCO's side boils down to "I'm pissed at some Linux fanboys!" That's fine but I hope he doesn't expect anyone to ever take him seriously as an analyst again(if they ever did). Almost by definition Analysts and Critics must have a thick skin because there's always someone who is going to insult them. Once they lose their objectivity they are effectively washed up.

          He further insults the integrity of Groklaw without actually pointing to any flaws in the facts that Groklaw presents. He ignores all the evidence mounting up against SCO and the fact that SCO has been back pedaling so fast they're tripping over themselves to get out of the way of the coming storm.
          • Never believe anyone who refers to the use of shared public domain code as "theft".

            Here is the quote you're referring to -->

            For me the course of events looked like the community had said once a crime had been committed that "there is no evidence", then when evidence was found they changed their tune to say "what was stolen didn't belong to SCO in the first place". If they had started with the second position and behaved reasonably I might have believed them, since they didn't, I didn't.

            Not onl

    • by The Monster (227884) on Tuesday April 06, 2004 @08:22PM (#8787661) Homepage
      It's so easy to do, too.
      Forrester collected security vulnerability data
What vulnerability data? The Linux vendors have an open process. Everyone knows what the vulnerabilities are. Can the same be said for Windows bugs? Or are there issues known within MS that simply aren't put on the Bug List until a fix is in the works? Is it a bug if MS doesn't officially admit that it's a bug yet?
      • by pholower (739868) * <longwoodtrail AT yahoo DOT com> on Tuesday April 06, 2004 @08:39PM (#8787800) Homepage Journal
        It is the same as Kevin Mitnick once said. There isn't a security hole if nobody knows about it. If you know about it, it is a security flaw, but to your friends that don't know about it, it is a secure machine.
      • by cshark (673578)
        I wonder how much of this is pandering to their audience. Enterprise users are slow, stupid, and don't adapt to change very well. They have this belief that open source software == unsupported software, and no matter how much evidence to the contrary, they will take this belief to their graves. Amazing how faith works. The report by forrester is going to say whatever they think their audience wants to hear. And if they get a kick back from microsoft, all the better.
    • Something True (Score:2, Insightful)

      by Deviate_X (578495)

Yeah! It's So Obvious Linux Is More Secure Than Windows!

      Just [theregister.co.uk] Don't Store Your Important [internetnews.com] Source [theregister.co.uk] Code [apacheweek.com] On It [stargeek.com].... :))))))))))))

  • no way! (Score:5, Funny)

    by Anonymous Coward on Tuesday April 06, 2004 @08:02PM (#8787465)
    I'm sorry, but I simply can't believe that a research company, a company DEVOTED TO RESEARCH, would come out with biased opinions influenced by money.
    • Re:no way! (Score:2, Insightful)

      by TempusMagus (723668) *
      Uh, Troll-boy. These companies are DEVOTED TO MAKING MONEY not research. RESEARCH just happens to be the product they are selling.
  • ...but will they listen?
  • by darthcamaro (735685) * on Tuesday April 06, 2004 @08:03PM (#8787488)
And who paid for the Forrester study?? Not Red Hat; they haven't got the cash. Probably another Microsoft funded event.
The most dramatic thing from my point of view is that SuSe, Red Hat, Mandrake and community based Debian all got together to formulate a common reply. This is the BEST news we could ever hope for - a common, unified front - no forking when it comes to security.
    • by Anonymous Coward
      Man, these guys should work together on something.
    • by SKPhoton (683703) on Tuesday April 06, 2004 @08:16PM (#8787616) Homepage
      Probably another Microsoft funded event.

      you would be correct [microsoft.com]

      From the article:
      "In 2003, Microsoft Corporation commissioned Forrester Research, Inc., to conduct a study to measure the potential market of people in the United States who are most likely to benefit from the use of accessible technology for computers."
      • by Anonymous Coward
        uh, sounds like a different study to me, jackass
        • I think that the point that he was trying to make is that Microsoft *has* given Forrester money for a report in the recent past.
        • by SKPhoton (683703) on Tuesday April 06, 2004 @08:32PM (#8787739) Homepage
          "Hey Microsoft, you guys have funded studies for us before. I know Linux is being a problem for you and we just so happen to be doing a study to see which OS is better, yours or theirs. Would you be interested in funding us once more? -nudge nudge, wink wink-"
    • by bangular (736791) on Tuesday April 06, 2004 @09:46PM (#8788302)
These reports are so dumb. In high school, I remember learning that averages don't give a good representation, because extremes will skew the numbers. The median is a better representation. Funny how some people don't seem to remember that. By Forrester's methods of research, they could come to the conclusion that the average American has one testicle (statistically true btw).
      • Re:very slanted (Score:2, Interesting)

        by anagama (611277)
        I don't know whether to mod you funny (testicle comment) or insightful (statistics comment). We need a "Funny but True" option!
      • Re:very slanted (Score:5, Insightful)

        by Cecil (37810) on Tuesday April 06, 2004 @11:20PM (#8788935) Homepage
        In high school, I remember learning that averages don't give a good representation, because extremes will skew the numbers. The median is a better representation.

        First of all, it's called a "mean", not an average. It's a type of average. The median is also an average. So is the mode.

        Secondly, the median is not necessarily a better representation, just different. With the median, for example, you have *no idea* whether there are any extreme outliers. 1,1,2,5000000,90000000000. Median is 2. Is that representative of that set of numbers? Not really. The mean would give you a much better idea of what range of numbers you're dealing with in that case. That's why real statistics with distribution curves and standard deviation are important.

        Anyway, I'm done nitpicking. I agree that these reports are blatantly skewed. This is not really a surprise. Almost all research is funded and biased these days. Much like news media. It's a simple fact of life. The important thing is to know your source, and try to understand their motivations.

        When the next "scientific study" comes along saying that P2P increases music sales, no matter how much you believe that to be true, you need to take a look at who's writing it, and why. Is this some graduate student who is probably downloading his own MP3s all the time and just trying to justify their habits to the world? Perhaps not, but it's wise to make sure before you start throwing his or her study around as if it were gospel.

        Sorry if that sounded as if it was directed at you, it wasn't really. It's just some good advice (in my opinion).
      • by natrius (642724)
        So... if they used the median instead, they would come to the conclusion that the average American has no testicles since there are more women than men in America. Is that really any better? I don't want North Korea thinking we have no balls.
    • by WebCowboy (196209) on Tuesday April 06, 2004 @09:48PM (#8788311)
      You are right in your suspicions that these sort of "studies" are commissioned by Microsoft as part of their marketing strategy (just part of the business--Oracle, Sun, IBM etc parade studies flatter their products as well after all). However, I don't dwell at all on these sorts of studies and I certainly wouldn't give them any meaningful weight when making a decision on deploying Linux (or not).

      Even given the positive spin towards Microsoft, however, Forrester's comments [internetwk.com] on the study are a barely lukewarm endorsement of Microsoft, and don't seem to be too critical of Linux. Check out some of the comments by Forrester analyst Laura Koetzle:

      Surprisingly, Microsoft did the best job at patching vulnerabilities fast, even though it ranked at the top with the largest percentage of its security holes rated as high

So they DID acknowledge that Microsoft's platform had the most HIGH RISK vulnerabilities, although this fact is glossed over in the article. Koetzle also acknowledges that the study did NOT look at how WELL the patches addressed the problem (MS often needs to issue more than one patch to get it right, and sometimes they fix one bug and introduce another).

      "The fact that the Linux distributors fixed such a high percentage of their vulnerabilities is a remarkable achievement," she said. "Even Debian, in last place, was pretty darn thorough."

Sure doesn't sound like something you'd expect an MS-paid cheerleader to say about the competition...

      This is very much a case of your mileage may vary

      Translation: even if patches are made fast they can still leak...

      The bottom line? Any of these platforms can be operated securely

      Quite the ringing endorsement for MS ain't it? Nice to see their people so solidly back their studies...
    • The IT research firm I work for has been contracted by Microsoft to study the Linux vs Windows value to corporations just recently (last week).

      Microsoft, for the first time, paid in full advance even before a full proposal could be drafted, or even basic details.

They initially wanted a TCO study, and our CEO told them to NOT DO THAT, he is very honest, and knew beforehand Windows would lose. On the other hand, we do not know what will happen.

      The reality is that under some very common scenarios, at least
• ...try this, from good ol' News.com: Moving to Linux May Not Save Money -- Yet [com.com].

  • just in case (Score:5, Informative)

    by Anonymous Coward on Tuesday April 06, 2004 @08:08PM (#8787534)
    (site loads slowly. here we go in case of /.'ing)

GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed.

    The security response teams of GNU/Linux distributors Debian, Mandrakesoft, Red Hat and SUSE have assisted Forrester in gathering and correcting data about vulnerabilities in their products. The gathered data was used at Forrester for a report that became titled "Is Linux more secure than Windows?". While the Linux vulnerability data that is the basis for the report is considered to be sufficiently accurate and useful, Debian, Mandrakesoft, Red Hat and SUSE, from now on referred to as "We", are concerned about the correctness of the conclusions made in the report.

    We believe that it is in the interest of our usership and the OpenSource community to respond to the Forrester report in the form of a common statement:

    We were approached by Forrester in February 2004 to help them refine their raw data. Forrester collected data about the vulnerabilities that affected Linux during a one year period and looked at how many days it took us to provide fixes to our users. Significant efforts have been put in not only making sure that the underlying dataset for the Linux vulnerabilities was correct, but also to articulate the special technical and organisational care taken in the response processes in the professional Open Source security field. This expertise is greatly appreciated by our usership since it adds a high value to our products, but we see that most of this value has been ignored in the methods used for the analysis of the vulnerability data, leading to erroneous conclusions.

    Our Security Response Teams and security specialized organisations of respectable reputation (such as the CERT/DHS, BSI, NIST, NISCC) exchange information about vulnerabilities and cooperate on the measures and procedures to react to them. Each vulnerability gets individually investigated and evaluated; the severity of the vulnerability is then determined by each of the individual teams based on the risk and impact as well as other, mostly technical, properties of the weakness and the software affected. This severity is then used to determine the priority at which a fix for a vulnerability is being worked on weighed against other vulnerabilities in our current queue. Our users will know that for critical flaws we can respond within hours. This prioritisation means that lower severity issues will often be delayed to let the more important issues get resolved first.

Even though the Forrester report claims so, it does not make that distinction when it measures the time elapsed between the public knowledge of a security flaw and the availability of a vendor's fix. For each vendor the report gives just a simple average, the "All/Distribution days of risk", which gives an inconclusive picture of the reality that users experience. The average erroneously treats all vulnerabilities as equal, regardless of the risk. Not all vulnerabilities have an equal impact on all users. An attempt has been made to allocate a severity to vulnerabilities using data from a third party, however the classification of "high-severity" vulnerabilities is not sufficient: The mere announcement of a vulnerability by a particular security organisation does not necessarily make the vulnerability severe - similarly, the ability to exploit a weakness over the network (remote) is often irrelevant to the vulnerability's severity.

    We believe the report does not treat the open source vendors and single closed source vendor in th
    • by Spyro VII (666885)
[Update: Apr 6 at 7:58pm CDT... Martin Schulze from the Debian team added some more information.] Javier Fernandez-Sanguino Pena composed a survey in 2001[*] and discovered that it has taken the Debian security team an average of 35 days to fix vulnerabilities posted to the Bugtraq list. However, over 50% of the vulnerabilities were fixed in a 10-days time frame, and over 15% of them were fixed the same day the advisory was released! For this analysis, all vulnerabilities were treated the same, though. H
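To make the vendors' objection to a single "days of risk" average concrete (and the mean/median/outlier point raised earlier in the thread), here is an added Python example that is not from the original page, Forrester, or any of the distributors. The vulnerability list, the severity weights and the metric names are constructed assumptions for illustration only.

```python
from collections import defaultdict
from statistics import mean, median

# Constructed sample of (severity, days from public disclosure to vendor fix).
# Made-up values for illustration; not Forrester's or any vendor's data.
SAMPLE_VULNS = [
    ("critical", 0), ("critical", 1), ("critical", 0), ("critical", 2),
    ("high", 3), ("high", 5), ("high", 1), ("high", 7),
    ("medium", 14), ("medium", 30), ("medium", 9),
    ("low", 45), ("low", 120), ("low", 60), ("low", 198),
]

# Assumed weights expressing how much each severity class matters to users.
SEVERITY_WEIGHTS = {"critical": 8, "high": 4, "medium": 2, "low": 1}


def all_days_of_risk(vulns):
    """A plain mean over every vulnerability, the style of figure the statement
    criticises: severity plays no part in it."""
    return mean(days for _, days in vulns)


def days_by_severity(vulns):
    """Per-severity summary: count, mean, median and worst case. Reporting the
    maximum next to the median keeps outliers visible, which the median alone hides."""
    groups = defaultdict(list)
    for severity, days in vulns:
        groups[severity].append(days)
    return {
        severity: {"n": len(ds), "mean": mean(ds), "median": median(ds), "max": max(ds)}
        for severity, ds in groups.items()
    }


def fraction_fixed_within(vulns, max_days, severity=None):
    """Share of vulnerabilities (optionally of one severity class) fixed within
    max_days of disclosure; max_days=0 gives the same-day rate."""
    subset = [days for sev, days in vulns if severity is None or sev == severity]
    if not subset:
        return 0.0
    return sum(1 for days in subset if days <= max_days) / len(subset)


def severity_weighted_days(vulns, weights):
    """Mean days of risk with each vulnerability weighted by its severity, so a
    slow fix for a low-risk issue cannot swamp fast fixes for critical ones."""
    total_weight = sum(weights[sev] for sev, _ in vulns)
    return sum(weights[sev] * days for sev, days in vulns) / total_weight


if __name__ == "__main__":
    print(f"plain mean (all days of risk): {all_days_of_risk(SAMPLE_VULNS):.1f}")
    print(f"severity-weighted mean:        "
          f"{severity_weighted_days(SAMPLE_VULNS, SEVERITY_WEIGHTS):.1f}")
    for sev, stats in days_by_severity(SAMPLE_VULNS).items():
        print(f"{sev:>8}: {stats}")
    print(f"fixed same day: {fraction_fixed_within(SAMPLE_VULNS, 0):.0%}, "
          f"within 10 days: {fraction_fixed_within(SAMPLE_VULNS, 10):.0%}, "
          f"critical within 1 day: "
          f"{fraction_fixed_within(SAMPLE_VULNS, 1, 'critical'):.0%}")
```

On this sample the plain mean is 33 days while every critical issue was fixed within two days; the per-severity and "fixed within N days" views are what a user actually wants to know.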
  • by jd (1658) <<moc.oohay> <ta> <kapimi>> on Tuesday April 06, 2004 @08:10PM (#8787554) Homepage Journal
Let's start by noting the existence of SARA and TARA for Unix, but not for Windows. It's hard to scan a box, locally, if you don't have the tools to do so. It's therefore correspondingly hard to fix problems under Windows.

    Then, there is the relevance of bugs. SE-Linux makes many otherwise serious glitches a mere nuisance. As do other modules in the LSM.

    There is no chroot() in Windows, to the best of my knowledge. This also changes the severity of a bug from catastrophic to irritant, in Unix.

    Finally, Nessus and SAINT are more often used to scan Unix boxes than Windows ones.

    • by ajv (4061) on Tuesday April 06, 2004 @10:21PM (#8788537) Homepage
      SARA is akin to MSBA and similar tools (some free, some not).

      Microsoft publishes extensive security checklists for various roles, and automates this process for the most likely deployment scenarios via the IIS Lockdown tool and local / group policy templates. You can manage a large fleet of computers using Group Policy in AD, so your lockdowns quickly apply to all computers, not just one.

Nessus scans at the network level and works acceptably to find most Windows network-based vulnerabilities. I use Nessus myself when doing vulnerability assessments as a shortcut / initial pass. Nessus is not good at finding configuration or local user weaknesses. .NET supports sandboxing similar to a chroot jail if an application asks for it. Windows supports junction points, which can be used (but I've never seen used) to contain a particular application to a particular volume (which could be a virtual device, or similar).

      However, in Windows, the use of ACLs, low privilege service accounts, and utilizing fine grained privileges replaces big ass isolation required by Unix-like operating systems simply because most Unix-like OSs don't have this level of security architecture or fine grained access control.

      I don't use SAINT, so I have no comment on that.

      Just because an OS is different or you personally don't have knowledge of lockdowns, doesn't make another OS insecure. It requires bad coding practices and poor configuration to do that. Thanks to Windows' popularity, there's more than enough of this to go around.

      Andrew
  • by Henry V .009 (518000) on Tuesday April 06, 2004 @08:11PM (#8787564) Journal
    Does anybody know of a case where someone has been attacked through a Microsoft vulnerability between the time of its going public and the release of the patch? The most often encountered scenario seems to be people who never upgrade getting attacked because hackers have reverse engineered the patches.
    • by pholower (739868) <longwoodtrail AT yahoo DOT com> on Tuesday April 06, 2004 @08:21PM (#8787647) Homepage Journal
      Mostly businesses have gotten attacked before the patch was released, but you don't hear about them because they don't release that information to let others know that they in fact have a security flaw.

      Microsoft finds their flaws in a number of ways, businesses that report them, and white hat hackers they do this for a living.

But to answer your question a little better. If you look back at the flaws in IE, consumers, not businesses, were the ones that got attacked before the patches were out. Again, because it was a person, it is hard to track down the exact problem that occurred to them. IE has the flaws that were exploited before the patches came out. Phishing scams from the address bar.

    • by awkScooby (741257)
      Does anybody know of a case where someone has been attacked through a Microsoft vulnerability between the time of its going public and the release of the patch? The most often encountered scenario seems to be people who never upgrade getting attacked because hackers have reverse engineered the patches.

      I think it was Stanford University that got hit with some of the RPC DCOM vulnerabilities before a patch was released. No, it wasn't one of the worms, it was hackers backdooring systems.

  • Debian's a vendor? (Score:2, Insightful)

    by Anonymous Coward
    Don't vendors sell things?
    • by Soko (17987) on Tuesday April 06, 2004 @08:47PM (#8787845) Homepage
      Sure. So is the Fedora project (though you could call them "RedHat", and not be too far off).

I rely on them for providing me a rock-stable, thoroughly tested distribution and any security updates to that distribution.

      I, in turn, (since I'm not a really good coder) spread the good word that these people know what they're doing. If I find a bug or security vulnerability, I report it to them ASAP. I also test out their new stuff, and report bugs and such for them, and suggest ways that they might improve their products.

      They give me something, I pay them in the currency they want. They are indeed a vendor.

      Soko
  • "Secure box" (Score:5, Interesting)

    by SKPhoton (683703) on Tuesday April 06, 2004 @08:12PM (#8787574) Homepage
    Any box in the wrong hands can become unbelievably secure, regardless of the OS.
What would be a very interesting read would be to have sys admins lock down the box (perhaps those who do consulting for corporations) and then test how well they're set up.
    Granted, it's up to the admin at that point so have many admins on different boxes.
  • Money talks (Score:5, Insightful)

    by Angelonio (744297) * on Tuesday April 06, 2004 @08:13PM (#8787582)
    "Microsoft Corp., however, fixes security problems the quickest"
    how can they claim that since Micro$oft receives bug reports that are not publicly announced???
    It is easy to announce the bug along with the patch after having it hidden for 6 months...
    • Others have called you an M$ basher but you are spot on. The OS community announces a bug and then knuckles down and fixes it. This is how it has to be done considering the developer community is a subset of the user community.

      At Microsoft, and any other closed source company for that matter, bugs can be fixed inhouse and only then announced along with a patch. This is simply the nature of closed source software.

Interestingly, there have been occasions where people have sent bug reports to Microsoft and
    • Re:Money talks (Score:5, Informative)

      by awkScooby (741257) on Tuesday April 06, 2004 @10:09PM (#8788450)
Microsoft has 2 critical vulnerabilities which they have known about for 209 days. Another one they've known about for 182 days. I don't know of any open source security holes which have sat for 209 days!

      reference [eeye.com]

      I don't buy for a minute that 1) Microsoft releases patches faster or 2) that Microsoft even gives a damn about security, except for the black eye it gives them.

  • by TempusMagus (723668) * on Tuesday April 06, 2004 @08:14PM (#8787590) Homepage Journal
    No one buys reports from these companies to actually learn anything. The primary purpose these companies serve is to give companies objective sounding quotes to pepper their marketing material with and to convince risk averse managers that they are safely following the largest herd.

• How well do you trust a company's research when they use telemarketers to try and sell it to you? I had a Forrester woman call me well over 50 times in one year about buying their reports. And of course if you pay them for a custom report, a service they offer, I'm sure your extant point of view could certainly be objectively supported.
    • convince risk averse managers that they are safely following the largest herd.

      Unfortunately, the largest herd is heading for a cliff.

      Or would a better analogy be:

      Unfortunately, the largest herd is surrounded by a pack of wolves.

      The first is funnier, but the second is probably more accurate (IE script kiddies mostly target MS Products), and it was more along the lines of my first thought.
    • There are not enough moderator points that can be applied to this statement. /ditto
    • I only wish.

I worked for a world known brand that took these very seriously. They took a bunch of Jupiter reports (IIRC, they are basically the same thing). They based the whole IT strategy on these things. All handed down from the global management team "The new direction". "We will use only best of breed" (MS and cisco) "no linux on the desktop" (surprised me that that was mentioned specifically) and a bunch of other things that basically came directly out of a bunch of these reports.

      I think this
    • You're absolutely right. One of the first jobs I was given when I joined my current employer was to write a technical paper explaining why we should migrate from Lotus Notes to Exchange. My remit was not to do any analysis, but to provide justification for the decision our regional president had already made.

      I made a lot of use of reports from the Giga and Meta groups, coincidentally sponsored by Microsoft. In the end I had a fairly respectable looking document with lots of plausible-looking quotes tha

• When I started reading the mail I first thought that debian, redhat, suse and mandrake had got together to make faster patches to their vulnerabilities :)) Well no, I was wrong, they are just writing a response letter together :(

    Time to go back to sleep and dream of Distributions uniting forces.
  • by binary_life (656759) * on Tuesday April 06, 2004 @08:21PM (#8787655)
Hey why ain't gentoo on the list? I guess they're still compiling their response :p (PS I love gentoo, so don't go flaming me!)
  • by Eberlin (570874) on Tuesday April 06, 2004 @08:29PM (#8787713) Homepage
    From tests conducted at an observatory overlooking the skies of Los Angeles, researchers have concluded from the gathered data that the sky is indeed red.

    Buried in all the hoopla, they never tell you that all the smoggy red photos were taken at around the time sunsets happen.

    Statistics and numbers in general can be thrown any which way to serve the purpose of the writer. It's an unfortunate side-effect of being biased by nature. Even if someone were to WANT to be impartial, they'll often offer a slant merely by presenting data a certain way.

    It's difficult to find people to trust when money is on the line somewhere. With Microsoft's track record and its acknowledged need for "Trustworthy Computing" (a marketing term), it's difficult to take their word. Unfortunately, with that money, they have enough marketing power to buy research, and flood biz execs with enough propaganda...and when they constantly hear that kind of information from what they'd consider mainstream sources, they start to believe it as fact.

    Now that's dangerous.
• It is obvious the only way to truly secure a machine is to kill the users. There are more windows users than Linux users, therefore, it is easier to secure a Linux than it is to secure Windows. This also clearly explains why OpenBSD is one of the most secure OS's. Of course, the most secure system is StoxOS(TM) which currently has no users and is perfectly secure.
  • by coshx (687751) on Tuesday April 06, 2004 @08:42PM (#8787822)
    Like most linux geeks, I too believe that linux is much more secure than windows, but when asked why, I can only give some rant about how the open source methodology is superior and promotes faster response times to vulnerabilities. Either that, or I point to all the recent windows virus outbreaks.

    But if linux were on every desktop, I'll bet you'd be getting a few emails every day with attachments like "your_paper.sh" that most of us would trivially delete, but many would stupidly run (and these are the same users who would login as root to check their email).

    It wouldn't be fair to use instances like this (albeit they're not common yet) to show that linux is more vulnerable than windows.

    Therefore, I believe that by quantifying the vulnerabilities and response time, Forrester is on the right track, they just need to take into consideration this response, and find a better method of quantifying the data.
    • by GreyWolf3000 (468618) on Tuesday April 06, 2004 @08:58PM (#8787919) Journal
      Can you actually write a shell script that takes control of the system?

I see what you're saying, but the way package management is going, pretty soon Linux setups will just download security updates on their own, meaning that finding a binary to exploit will get really difficult. In the Windows world, if you find a buffer overrun, you can often assume that 95% of the Windows machines out there will also have the same exploit. In Linux, this wouldn't be the case even with many more users, as package management really takes care of things automatically.

      Therefore, I believe that by quantifying the vulnerabilities and response time, Forrester is on the right track, they just need to take into consideration this response, and find a better method of quantifying the data.

      I agree.

      • Can you actually write a shell script that takes control of the system?

        Do you need to? I wouldn't give a flying SCO if my /usr/bin got nuked. It's my $HOME that I care about, and a worm only needs user privileges to kill that.
      • I see what you're saying, but the way package management is going, pretty soon Linux setups will just download security updates on their own, meaning that finding a binary to exploit will get really difficult. In the Windows world, if you find a buffer overrun, you can often assume that 95% of the Windows machines out there will also have the same exploit. In Linux, this wouldn't be the case even with many more users, as package management really takes care of things automatically.

        This is different from the
        • The real reason you won't see the same kind of wide-spread vulnerabilities in Linux is due to a more technical and security-minded user, NOT superior package management and automatic update systems.

          I agree, but you missed my point. Microsoft has a mechanism for patching Windows, but not all those third party applications. I'm not sure if it can even patch software like Word. In the Linux world, all of your software gets to you through your OS supplier, which is a big difference.

    • The popularity issue can be countered with the Apache vs. IIS deal where Apache's stability and security (and reaction to vulnerability) is much better. Just because something is popular doesn't mean it's not as safe merely because it's a bigger target.

      The Open Source model definitely is an advantage as far as security goes. Having the code around can speed up bug detection and consequently, speed up fixes. There's also the fact that a programmer's name is at stake -- if you take pride in your work, you
    • by kardar (636122)
      I remember once I installed OpenBSD on an old SparcStation 1+ (that's 25 MHz) with a 1 GB SCSI drive. I was new to it, and so when the install process asked what "security level" I wanted to install at, I installed at one below the most secure. It was very strange. Very hard to get anything done, it had no path.

      I changed the security level to "normal" because I just got freaked out by how strange it was; I only wanted to see if I could get the box running at all, and the heightened security level was making
      • I just thought of this. It's a fine line between how secure you want something to be, and how much of a pain it is. It's the whole 9/11 thing. Too much security is a bad thing, because it shuts down the economy, and makes life exceedingly difficult, not to mention that it affects freedoms that we are used to. We hear this kind of talk in the media all the time. It's a fine line - too little security, disaster happens - too much, life gets difficult and the economy suffers.

        So the fact that it takes a certai
    • Okay, but first the script would have to get root somehow. In Windows it's probably already at administrator level. Nevermind that the probability of it being executed in the first place is inherently lower, since no Linux mail client I know of will fail to complain when you ask it to execute an attachment. Further, I'm betting the permissions on the file default to non-executable, so you'd have to chmod it (or GUI equivalent)....

      In any case, no study on OS security should care too much about vulnerabili
    • But if linux were on every desktop, I'll bet you'd be getting a few emails every day with attachments like "your_paper.sh" that most of us would trivially delete, but many would stupidly run (and these are the same users who would login as root to check their email).

      Damn. Got another attachment-- "your_paper.sh". The "sh" must stand for "super-helpful." Cool.

      Let's see if I can read it. Do I want to view it, or save it? Uhm... view it.

      Gibberish. Starts with "#!/bin/bash". Should have known. Dam
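    The replies above make two claims about a mailed "your_paper.sh": that a saved attachment has no execute bit, so the user would have to chmod it first, and that a worm needs no root because user privileges are enough to wreck $HOME. The script below is an added demonstration of both, not code from any poster in this thread. Everything in it is constructed: the attachment body, the payload (which only drops a marker file), and a throwaway directory that stands in for the user's home.

```shell
#!/bin/sh
# Added example: what a saved "your_paper.sh" attachment can and cannot do.
# Not code from any poster in this thread; the attachment and payload are constructed.
set -u

# A mail client saves an attachment as plain data: mode 0644, no execute bit.
save_attachment() {          # $1 = directory to save into
    cat > "$1/your_paper.sh" <<'EOF'
#!/bin/sh
# Constructed payload: needs only the user's own privileges to reach $HOME.
echo "pwned" > "$HOME/.your_paper_was_here"
EOF
    chmod 0644 "$1/your_paper.sh"
}

# Running it directly: execve refuses a file with no execute bit at all
# (even for root), so this returns non-zero without running anything.
direct_exec() {              # $1 = directory holding the attachment
    "$1/your_paper.sh" 2>/dev/null
}

# Feeding it to an interpreter: the execute bit is irrelevant, the script
# runs with the full rights of whoever typed the command.
interp_exec() {              # $1 = directory, $2 = HOME to use (sandbox)
    HOME="$2" sh "$1/your_paper.sh"
}

# Run both paths against a throwaway home directory and report what happened.
demo() {
    work=$(mktemp -d)
    fakehome="$work/home"
    mkdir "$fakehome"
    save_attachment "$work"
    if direct_exec "$work"; then direct=ran; else direct=refused; fi
    interp_exec "$work" "$fakehome"
    if [ -f "$fakehome/.your_paper_was_here" ]; then via_sh=wrote_home; else via_sh=no_effect; fi
    rm -rf "$work"
    echo "$direct $via_sh"   # prints "refused wrote_home"
}

demo
```

    The missing execute bit only stops the double-click path; `sh your_paper.sh` (or a GUI "open with" that hands the file to an interpreter) runs the script with the user's own rights, which is all it needs to touch the user's files. That is the point of the "/usr/bin vs $HOME" reply: root is not the bar a mail worm has to clear.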
  • by at10u8 (179705) on Tuesday April 06, 2004 @08:51PM (#8787872)
    There are three types of lies: lies, damn lies, and statistics.
  • by wasabii (693236) on Tuesday April 06, 2004 @08:56PM (#8787903)
    The idea is that these vulnerabilities don't have equal impact at all. Let's examine some of the Unix security vulns I've seen in the last few months.

    3 or 4 games, unsafe handling of common scoreboard files producing exploits.

    WHAT THE HELL? That's Unix security for you... even GAMES that have vulns get attention. Windows only gets remotely exploitable vuln attention.

    Consider how many Windows programs use shared registry keys, consider how many read/write to common temp folders, or common locations on disk. Have any of the probably hundreds of overflows involved in reading a temp file from C:\Winnt\Temp been taken into consideration with Windows? Heck no, nobody even cares. Windows has too many remote vulns to even pay attention to stuff like that.

    Consider gzip's unsafe handling of temporary files. I wonder how many Winzip/Windows Compressed Folders have? NOBODY HAS EVEN LOOKED.
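    The "unsafe handling of temporary files" the post above mentions for gzip and for the game scoreboard bugs is the classic predictable-name symlink race: a program writes to `/tmp/name.$$`, an attacker who can guess the name plants a symlink there first, and the program's truncating open follows the link into a file it never meant to touch. The script below is an added example, not code from the poster or from gzip. It stages the race in a private scratch directory that stands in for /tmp (a constructed "victim" file, the attacker's symlink, a vulnerable writer) and then the fix, `mktemp`, which creates the file with O_CREAT|O_EXCL under an unguessable name.

```shell
#!/bin/sh
# Added example: predictable temp-file name vs mktemp. Not from the thread or from gzip.
set -u

# Stage the scene in a private scratch dir (constructed stand-in for /tmp).
setup_scene() {
    scratch=$(mktemp -d)
    printf 'important\n' > "$scratch/victim.txt"   # the file the attacker wants clobbered
    echo "$scratch"
}

# Attacker: plant a symlink at the name the victim program is known to use.
plant_symlink() {            # $1 = scratch dir, $2 = predictable temp-file name
    ln -s "$1/victim.txt" "$1/$2"
}

# Vulnerable pattern: name derived from the PID, truncating redirect follows the link.
unsafe_writer() {            # $1 = scratch dir
    tmp="$1/gzipdemo.$$"
    echo "scratch data" > "$tmp"                   # open(O_CREAT|O_TRUNC): symlink is followed
}

# Fixed pattern: mktemp creates a brand-new file (O_CREAT|O_EXCL) with a random suffix,
# so a link planted at any guessed name is never the file that gets written.
safe_writer() {              # $1 = scratch dir
    tmp=$(mktemp "$1/gzipdemo.XXXXXX") || return 1
    echo "scratch data" > "$tmp"
}

unsafe_demo() {
    s=$(setup_scene)
    plant_symlink "$s" "gzipdemo.$$"
    unsafe_writer "$s"
    cat "$s/victim.txt"      # victim now holds "scratch data"
    rm -rf "$s"
}

safe_demo() {
    s=$(setup_scene)
    plant_symlink "$s" "gzipdemo.$$"   # attacker guesses the old name; mktemp never uses it
    safe_writer "$s"
    cat "$s/victim.txt"      # victim still holds "important"
    rm -rf "$s"
}

printf 'unsafe writer, victim now: %s\n' "$(unsafe_demo)"
printf 'safe writer,   victim now: %s\n' "$(safe_demo)"
```

    Two caveats a practitioner will want: modern Linux kernels with `fs.protected_symlinks=1` refuse to follow a symlink in a sticky world-writable directory like /tmp when the link's owner differs from the follower, which blunts the real-world attack (the demo uses a private directory and one uid, so the link is followed); and `set -C` (noclobber) makes a plain `>` open with O_EXCL, which also fails on a pre-planted symlink, but only for shell redirections, not for C code calling `open()` or `fopen("w")` on a predictable path.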
  • by big_groo (237634) <groovis AT gmail DOT com> on Tuesday April 06, 2004 @09:08PM (#8787993) Homepage
    "Is Linux more Secure than Windows?" *cough*Bullshit*cough*

    signed,
    Noah Meyerhans, Debian
    Vincent Danen, Mandrakesoft
    Mark J Cox, Red Hat
    Roman Drahtmueller, SUSE
  • by ljavelin (41345) on Tuesday April 06, 2004 @09:09PM (#8788005)
    I remember reading a report from one of these big research firms (I think) in 1997. It was a report first published in 1994. It talked about how Apple would own the desktop (90% probability), NeXT would be a power player (90% probability), and how GuptaSoft would drive most IT application (90% probability).

    Funny, the report was ALL WRONG. Nothing was close to reality. How did they get it SO WRONG?

    In another situation, I was directed by Management to ask one of these big research firms about embedded database products. At the time they didn't have any expertise in that area. However, they found a kid internal to the company that was willing to learn so they could write a report. It seemed silly and convoluted. Here's a guy without the necessary understanding or expertise, and in a few weeks he's going to learn and gather enough information to write a report? A Report that other people will use to make decisions? Crazy!

    In the end, I concluded that these reports are useless "on the ground". They're only useful for those who wish to pretend that they've done adequate research.

    So my short answer is: These research firms exist to just cover butts and promote positions. Any IT management personnel that subscribe to their services should be FIRED. It's negligent to cite their reports; it's negligent to use them as a resource. If you need expertise, hire a consultant with REAL expertise, not a generic and biased report. If you want a biased report, the sales guys will come to you for free.

  • by pair-a-noyd (594371) on Tuesday April 06, 2004 @09:19PM (#8788074)
    I'm staying with Linux and my money goes with Linux. After two years of running Linux I've not been hacked once, I've not gotten ONE SINGLE VIRUS, I've not had to look at one single pop-up ad that I didn't want to look at, I've not had to look at one single BSOD, I've not had to reboot one single time unless I chose to.

    I don't have to spend all my time in a panic worried about patches and viruses and other such nonsense. Neither do my friends and family, I converted them to Linux too. Now I don't have to worry about them either.

    What does Windows offer me that I can't do with Linux? Nothing. Why should I use Windows which is constant trouble and extremely high maintenance and is a constant cash drain, versus the ONE TIME PURCHASE (if I choose to purchase v. free download) of a Linux distro, in my case Suse, that is mine, with no strings attached and will cost me no further money, ever?

    Once I own the $89 Suse distro I never have to spend another penny on it or any other software, ever. It works. It's secure. Anyone that says it isn't is a stupid SOB or a liar or both.

    • "You know, ever since I upgraded to Windows XP I haven't had a single Blue Screen of Death."

      "Does it randomly reboot?"

      "Sometimes."

      "You have automatic reboot on. It's like a Blue Screen of Death, but without the pretty colors."

    • While you sound like the commendable type who's willing to spend the money to support further development, for the sake of accuracy I feel compelled to mention that you don't have to spend the initial penny on SuSE professional, you can install it over FTP from any of several servers. 129.79.5.130 is pretty fast :-)
      • Though, if you love it so much and it does so much for your organization, why don't you buy the distro every year or so. Continue funding the development you like so much.
  • by digidave (259925) on Tuesday April 06, 2004 @09:28PM (#8788141)
    It's fair given administrators who only patch based on official distribution releases. It seems to not care that they are making Linux companies responsible for a lot of 3rd party software such as Apache. It stands to reason that their average patch release would be slower if they're maintaining thousands of applications. It's more important that they release OS updates and core software updates quickly. Their customers have to take some responsibility for updating 3rd party software even if it does come on the same CD as the distro.

    Perhaps of more concern to administrators should be the undisclosed vulnerabilities found by researchers such as eEye that are not patched. I can't find the link now, but eEye alone has dozens of vulnerabilities they've let MS know about, but haven't been patched for sometimes hundreds of days. eEye is just being courteous by not disclosing the bugs until MS fixes them. By using the disclosure time as a 'start time', Forrester is ignoring lead time developers get. It's my experience following Bugtraq and Full Disclosure mailing lists as well as many OSS projects that most major OSS developers respond quicker to their lead time before disclosure.

    Forrester is completely ignoring vulnerabilities that are not public knowledge, which is misrepresenting the problem.
  • by argoff (142580) on Tuesday April 06, 2004 @09:51PM (#8788337)
    One thing that I don't see mentioned is that as the gnu/linux base grows larger, so do the proportion of competent developers who can spot and fix code security problems before they go mainstream. With MS, the number of people looking to spot code security problems remains constant no matter how big the user base.

    Although I've heard MS say that the reason Linux hasn't had as many big security problems is because they aren't used as much, I think the truth will turn out to be just the opposite. Not to mention that a hacker who finds a security flaw in Linux is more tempted to get fame by reporting it, and that fame becomes more prestigious as Linux grows, but a hacker who finds a security flaw in windows will be more tempted to gain fame by exploiting it.
  • Sort of like the one that I saw yesterday that says that linux cannot scale as well as unix. Nevermind it currently holds the TPC-C record. As for security does Windows have the flexibility to run port knocking? Can I modify all of the port settings for all of the services in Windows?

    One of the biggest strengths in linux is its flexibility. Windoze lacks the flexibility required to create a diverse environment.

    I hereby declare that Windows security is not as good as Linux.
  • We got rid of all of our windows boxes so I guess it would be easy to claim it is safer because it no longer exists.
  • by LuxFX (220822) on Tuesday April 06, 2004 @10:47PM (#8788717) Homepage Journal
    This is just one of the great things about Linux (or any open source project):

    Say an article about security is published in a magazine. The article takes a really good critical look at Linux vs. Windows and genuinely points out a few areas of improvement. Well, that just prompts the open source community to rev up their engines and (should they agree with the evaluation) they'll just go out and fix it! In fact, there's a pretty good chance that the fix is available in a development version in time to send a letter to the editor for the next month's issue.

    Now compare that to Windows. Microsoft would spend two, maybe three times that long debating with the media about whether or not it's a problem or a 'feature', and then whether or not it will be fixed immediately or we have to wait until 2031 for Looooooonghorn to be released. Then they'll just sit on it for a while to see if people really care about it being fixed, and how much. They might also, at this point, have their lawyers spend three weeks writing the licensing agreement for the patch, should it be created. Then they put the whole thing on hold and wait until somebody exploits the problem. Then, only if everything else has gone completely in their favor and the problem has been exploited and the existence of the problem has reached at least two major media outlets, they might work on a patch and distribute it....

    Then Microsoft will brag about how quickly they've updated their software in response to the problem... ...as Linux is releasing the seventeenth update since the article....
  • by tgd (2822)
    As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers

    That's probably why they went from having all but two floors of the building they were in, in Cambridge, to only two floors and part of a third.
  • Forester was instrumental in trying to stop the martian. In fact, he brought one of their 'eye pieces' in for study. In the end, it was our bacteria that did them in though.
    Dr. Forester also has a plane.
  • My Take.. (Score:3, Interesting)

    by naelurec (552384) on Tuesday April 06, 2004 @11:04PM (#8788830) Homepage
    I didn't read the report, as I am sure most of you haven't, simply because it is $899 to tell me something that I already know otherwise.

    Anyways, my question is about the severity of the vulnerabilities. When you get right down to it, Microsoft generally only offers one web server, one mail server, one database server, etc..etc..etc.. A standard distribution OTOH includes a huge array of software. For example, I can choose sendmail, postfix, qmail, exim and others for my mail server; apache, aolserver, boa, dhttpd, zope, etc for my web server; php, ruby, python, perl, cgi, etc for my scripting needs; mysql, postgresql, Berkeley DB, firebird, etc for a database; gnome, kde, xfce, etc for a window manager ..

    you get the point.

    In addition to the multitude of different configurations that I could have for a particular system, I can also, if desired, cut out everything that is not essential to maintain as barebones of a system as possible (heck this even includes lots of kernel modules/features).. I can run everything through a localized firewall, block ports, limit IP ranges for various services, chroot/jail certain services, etc..etc..etc..

    So I guess my question is:

    1. Does this report simply gather up all published security issues and compare? Or do they look at "best practices" on both platforms and only compare packages that, for example, would be installed on a web server, mail server, database server, standard desktop, etc?

    2. What is the true damage that could be done by successfully exploiting these issues? I.e., I'm sure most BIND installations are in a chroot/jail .. so even if that was exploited, a cleanup on a *nix machine would be significantly faster than perhaps a Windows box that does not chroot its respective DNS service.

    Sure, raw data might indicate that a Red Hat distro has the same number of exploits as a Windows system, but I am much more interested in the applicability of those exploits to my systems and ultimately the increased chance of exploit.
  • by Long-EZ (755920) on Wednesday April 07, 2004 @03:54AM (#8790187)
    Every day, I receive 20-30 Netsky worms, courtesy of Windows machines.

    Much of my daily spam now comes from compromised Windows boxes being run as spam zombies.

    My personal data was stolen from a company I trusted because their server was running IIS and it was infected with Slammer.

    I suffer because of Windows insecurity almost constantly, yet no operating system *except* Windows has ever caused me any such grief. Clearly the Forrester "data" is FUD. Plain and simple.
