Linux Distributions Respond to Forrester 262
dave writes "GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities are equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed."
We can respond... (Score:2, Insightful)
Analyst hacks will never bit the hand that feeds (Score:5, Insightful)
The most dramatic thing from my point of view is that SuSe, Red Hat, Mandrake and community based Debian all got together to formulate a common reply. This is the BEST news we could ever hope for - a common on unified front - no forking when it comes to security.
Re:We can respond... (Score:3, Insightful)
Slant (Score:1, Insightful)
Re:no way! (Score:0, Insightful)
Yes, let's instead listen to the unbiased people at Debian, Mandrake, Red Hat, and SUSE. Surely their opinions on this issue are less biased than those of the research company.
On Microsoft's Side (Score:3, Insightful)
Debian's a vendor? (Score:2, Insightful)
Forrester's right, you know (Score:1, Insightful)
A breakin on a Windows system results in the loss of local data (whose value cannot be adequately assessed, but can be assumed to be less than the sum total of all data on the servers).
It is a little like assessing the risk of terrorism in transportation. The sheer number of automobile accidents far outweighs any risk of death due to terror attack on the highways. So too is the unlikelihood that a major terrorist attack will occur in the US skies or US rail system. However, an attack on rail cargo would be far more devastating than a similar attack on the highway system. Rail provides a very high bandwidth for cargo delivery but is also restricted to an unroutable track, so any attack on rail would essentially wipe out a very significant method of cargo transportation. On the other hand, traffic can be rerouted around any localized road problem minimizing the impact of any highway attack.
Windows is ubiquitous on the desktop, but on these desktops are very small amounts of data compared to the large amounts located on servers. A loss due to breakin would be necessarily less significant than a similar breakin on a Linux server.
Money talks (Score:5, Insightful)
how can they claim that since Micro$oft receives bug reports that are not publicly announced???
It is easy to announce the bug along with the patch after having it hidden for 6 months...
Re:IT Research shops (Score:5, Insightful)
The executive management of the agency that I work for pays Meta $500/hr to evaluate project plans... they always rubber stamp whatever answer the execs want.
And then when the project fails, they can go the higher-ups or shareholders and say "See, the plan was sound, it was that Anonymous little shit down in IT that screwed it up. Lay him/her off and ship the job to India!"
Then they all go celebrate their cost-cutting with booze and hookers, whilst lighting their cigars with $100 bills.
Re:Analyst hacks will never bit the hand that feed (Score:2, Insightful)
Re:Slant (Score:5, Insightful)
Malleable Statistics (Score:5, Insightful)
Re:Analyst hacks will never bit the hand that feed (Score:2, Insightful)
Re:Slant (Score:3, Insightful)
Besides. It's the community take on events that I'm interested in. I can check out the wire services if I just want the news.
Re:no way! (Score:2, Insightful)
Re:Forrester's right, you know (Score:3, Insightful)
If anything, I'd say that validates Linux's usefullness.
Now I only wish someone could tell me what this has to do with the number of bugs...
Re:Slant (Score:2, Insightful)
I did notice though that that is about the first full length article LX has themselves published (instead of pointing to other Linux sites) so kudos to them:)
But...Linux is a kernel (Score:1, Insightful)
These same slashbots will then talk about how "Linux is ready for the desktop". Not Gnome, not KDE but Linux.
Make up your minds. Either its an OS, or its a kernel. You cant pick and chose which one depending on the situation. If its a kernel, the Linux will NEVER be ready for the desktop. Gnome may be ready, KDE may be ready, but Linux will never be ready. If its the entire OS, then it is responsible for the vulnerabilities in Apache, sshd.
If Gnome is ready for the desktop, then Gnome on BSD is just as ready as Gnome on Linux, which is just as ready as Gnome under Cygwin.
Oh, and a terminal is NOT a usable desktop environment for your average end user. vi does not count as a word processor.
Its about time there was a mod score -1 Slashbot.
Re:Analyst hacks will never bit the hand that feed (Score:4, Insightful)
Re:Forrester's right, you know (Score:2, Insightful)
Re:Malleable Statistics (Score:5, Insightful)
Re:The cold-hard turth about Forrester and Gartner (Score:2, Insightful)
Unfortunately, the largest herd is heading for a cliff.
Or would a better analogy be:
Unfortunately, the largest herd is surrounded by a pack of wolves.
The first is funnier, but the second is probably more accurate (IE script kiddies mostly target MS Products), and it was more along the lines of my first thought.
some merit in the study (Score:4, Insightful)
But if linux were on every desktop, I'll bet you'd be getting a few emails every day with attachments like "your_paper.sh" that most of us would trivially delete, but many would stupidly run (and these are the same users who would login as root to check their email).
It wouldn't be fair to use instances like this (albeit they're not common yet) to show that linux is more vulnerable than windows.
Therefore, I believe that by quantifying the vulnerabilities and response time, Forrester is on the right track, they just need to take into consideration this response, and find a better method of quantifying the data.
Local Vulnerbilities (Score:5, Insightful)
3 or 4 games, unsafe handling of common scoreboard files producing exploits.
WHAT THE HELL? That's Unix security for you... even GAMES that have vulns get attention. Windows only gets remotely exploitable vuln attention.
Consider how many windows programs use shared registry keys, consider how many read/write to common temp folders, or common locations on disk. Have any of the probably hundreds of overflows involved in reading a temp file from C:\Winnt\Temp been taken into consideration with WIndows? Heck no, nobody even cares. Windows too many remote vulns to even pay attention to stuff like that.
Consider gzip's unsafe handling of temporary files. I wonder how many Winzip/Windows Compressed Folders have? NOBODY HAS EVEN LOOKED.
Re:no way! (Score:2, Insightful)
And are these companies hiding this bias? The is no question what their agenda is (well, I suppose if one was an utter moron and didn't realize what each of these have in common). And, is the research ([sic]) company claiming to be unbiased? If I'm not mistaken, they claim to have done an independent investigation. Yet, I'm sure there is a few posts above here pointing out they are ready, willing and quite capable of producing exactly the results you pay for (and a post or two about who actually paid for these particular results).
These reports are useless (Score:5, Insightful)
Funny, the report was ALL about WRONG. Nothing was close to reality. How did they get it SO WRONG?
In another situation, I was directed by Management to ask one of these big research firms about embedded database products. At the time they didn't have any expertise in that area. However, they found a kid internal to the company that was willing to learn so they could write a report. It seemed silly and convoluted. Here's a guy without the necessary understanding or expertise, and in a few weeks he's going to learn and gather enough information to write a report? A Report that other people will use to make decisions? Crazy!
In the end, I concluded that these reports are useless "on the ground". They're only useful for those who wish to pretend that they've done adequate research.
So my short answer is: These research firms exist to just cover butts and promote positions. Any IT management personnel that subscribe to their services should be FIRED. It's negligent to cite their reports; it's negligent to use them as a resource. If you need expertise, hire a consultant with REAL expertise, not a generic and biased report. If you want a biased report, the sales guys will come to you for free.
ease of use vs. security (Score:3, Insightful)
I changed the security level to "normal" because I just got freaked out by how strange it was; I only wanted to see if I could get the box running at all, and the heightened security level was making life difficult.
So the real study that someone should do, is how "ease of use" affects "security". Because that's where the real deal is at. It's just like having to go through the lines at the airport - the more secure we need to be, the more of a pain it is for everyone.
There is definitely an inverse relationship between "ease of use" and "security". Seeing as how there is a big focus on making Linux easy to use, or at least it seems to me that there is; I get the feeling that people won't accept Linux if it's not as easy to use as Windows or OS X, I wouldn't be surprised to see Linux security, or "user friendly" Linux security suffer a little bit.
But still, Linux has been designed from the outset with security in mind; other user-friendly OS's are designed for ease of use. It's going to take some time, but we are slowly going to move in the right direction. If Linux is a secure OS now, and some consultancy group says that it isn't, then the trick would be to make it LESS secure by making it more user-friendly, and immediately, consultancy groups and analysts will be saying that it is secure. But that's a sacrifice that's not really worth it. However, unfortunately, given the open nature of Linux, and that fact that it can go in many directions, we will probably see Linuxes that are less secure than they could be because of the focus on user-friendliness. So I guess that means that analysts are going to change their minds? I wouldn't be surprised.
Exponential Security (Score:4, Insightful)
Although I've herd MS say that the reason Linux hasn't had as many big security problems is because they aren't used as much, I think the truth will turn out to be just the opposite. Not to mention that a hacker who finds a security flaw in Linux is more tempted to get fame by reporting it, and that fame becomes more prestigious as Linus grows, but a hacker who finds a security flaw in windows will be more tempted to gain fame by exploiting it.
Re:no way! (Score:5, Insightful)
Something True (Score:2, Insightful)
Yeah! Its So Obvious Linux Is More Secure Than Windows!
Just [theregister.co.uk] Don't Store Your Important [internetnews.com] Source [theregister.co.uk] Code [apacheweek.com] On It [stargeek.com].... :))))))))))))
A comment on Forrester from one of their own. (Score:5, Insightful)
Rob Enderle [enderlegroup.com], formerly of Forrester writes:
Re:very slanted (Score:5, Insightful)
First of all, it's called a "mean", not an average. It's a type of average. The median is also an average. So is the mode.
Secondly, the median is not necessarily a better representation, just different. With the median, for example, you have *no idea* whether there are any extreme outliers. 1,1,2,5000000,90000000000. Median is 2. Is that representative of that set of numbers? Not really. The mean would give you a much better idea of what range of numbers you're dealing with in that case. That's why real statistics with distribution curves and standard deviation are important.
Anyway, I'm done nitpicking. I agree that these reports are blatantly skewed. This is not really a surprise. Almost all research is funded and biased these days. Much like news media. It's a simple fact of life. The important thing is to know your source, and try to understand their motivations.
When the next "scientific study" comes along saying that P2P increases music sales, no matter how much you believe that to be true, you need to take a look at who's writing it, and why. Is this some graduate student who is probably downloading his own MP3s all the time and just trying to justify their habits to the world? Perhaps not, but it's wise to make sure before you start throwing his or her study around as if it were gospel.
Sorry if that sounded as if it was directed at you, it wasn't really. It's just some good advice (in my opinion).
Re:Analyst hacks will never bit the hand that feed (Score:3, Insightful)
Microsoft, for the first time, paid in full advance even before a full proposal could be drafted, or even basic details.
They initially wanted a TCO study, and our CEO told them to NOT DO THAT, he is very honest, and knew beforehand Windows would lose. On the other hand, ew do not know what will happen.
The reality is that under some very common scenarios, at least where I live, Linux expertise is regarded as expensive, and that some Microsoft apps allow companies to get work done quicker.
If you where to look at the Linux trend of adoption, growing support, etc., regarded retraining costs as an investment into future savings, noted that Microsoft is free to change it's pricing policy anytime, and they can force you to demand more than you want in the future, and that after 3 years you own nothing at all (license obsolete, or app obsolete), then you'll see Linux wining by large.
But guess what, Research firms, even unbiased ones, tend to choose scenarios that are real world, but benefit their customers more.
If IT adopters where the ones financing these research studies, then the story would be different. But guess what? They dont pay much, and if they do, then Microsoft and the likes can double the bet to get what they want or, as someone else put it, they'd pay you $400 so that you'll "agree" with whatever their CIO believes is true. The same happens with newspapers, what you read is 90% dicatated by the ads they can sell in that "section". Thats why you always see some Cars suplement, because people like it, but MORE importantly, because they can sell expensive adds.
If you want unbiased researchers, find a way to fund that does not involved their reveneus depending on an interested party.
My Real World Experience Disagrees With Forrester (Score:4, Insightful)
Much of my daily spam now comes from compromised Windows boxes being run as spam zombies.
My personal data was stolen from a company I trusted because their server was running IIS and it was infected with Slammer.
I suffer because of Windows insecurity almost constantly, yet no operating system *except* Windows has ever caused me any such grief. Clearly the Forrester "data" is FUD. Plain and simple.
Re:some merit in the study (Score:2, Insightful)
Yes, but you cannot get the user to execute it accidentally. For KMail users, the instructions are:
1. Right-click on the attachment
2. Click "Open With"
3. Type "/bin/sh" (without the quotes)
4. Click OK.
I have actually used this in the past, to run a "diagnostics" script on a customer's machine. I wanted to run various commands and have the results emailed back to me. The above method let me do that.
However, if the user simply clicks on the shell script, like any other attachment, then the user just sees the text in the script. To get round the lack of execute permission, you must tell the user how to execute it. This means asking the user to follow an off-putting sequence of scary instructions.
Furthermore, the shell script only runs with the user's permissions. The way to overcome that would be to know or guess the root password, unless the user is already root. Another possibility would be to find a buffer overflow in KMail which would allow the shell script to auto-run. However, no such vulnerability exists, as far as I know, in KMail.
Therefore, an email virus for the Linux platform is possible, but it will only work on those users brave enough to follow instructions that they probably don't understand. In other words, I believe the following statement is true now and will hold true in the future:
"To screw up Linux, you have to work at it. To screw up Windows, you just have to use it."