
Microsoft Silently Backs Favorable Presentation at RSA

CowboyNeal posted more than 9 years ago | from the part-of-the-machine dept.

Security 256

lildogie writes "Two researchers, from the Florida Institute of Technology and Boston-based Security Innovation Inc., 'surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system' according to the Seattle Post-Intelligencer. 'This week, the researchers released their finished report, and it included another surprise: Microsoft was funding the project all along.' When will they ever learn?"


256 comments


Unsurprising (1, Insightful)

Goo.cc (687626) | more than 9 years ago | (#12054017)

Okay, who didn't see this coming?

Re:Unsurprising (2, Insightful)

alexandreracine (859693) | more than 9 years ago | (#12054117)

Since I work with a security company, the methodologies used say that a security company should not take any sides. But since this is Microsoft they should have done their research with a triple verification with some company like IBM, CGI and [insert security company here].

Re:Unsurprising (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12054210)

Unfortunately, nobody cares what fucking frogs think.

Sad but true.

Isn't it that obvious? (3, Funny)

IvanD (719006) | more than 9 years ago | (#12054325)

Test #1: Intruders are capable of taking control over the computer.

Results:
Linux: The system was finally hacked (after leaving the root/administrative account w/o a password, which seems fair to Windows).
Windows: The system crashed... nobody was able to take control!

Analysis and conclusions: Windows is much better!

Re:Unsurprising (5, Insightful)

beh (4759) | more than 9 years ago | (#12054178)

Okay, who didn't see this coming?

Only those who follow enough news to "know" M$ tactics.

Unfortunately, there are enough middle/upper management people who don't look into matters that closely and are simply "swayed" by knowing that M$ has market dominance -- and just tell themselves that "M$ wouldn't have it if their products sucked so badly, now would they?".

As long as there is enough ignorance or even indifference on (non-technical) management levels, M$ *will* see benefits from each time they're doing that.

(Besides, there is also the issue that you can't really go on to sue them for bad security if so many security companies openly tell of Microsoft's great security and the lack of security in competing OS's.).

The fact is, M$ OS's aren't "safe", and neither is a run-of-the-mill linux installation. Both need updates and security-conscious people administrating them to keep them shut. I've had people break into my (linux) servers once or twice, and managed to evict the attackers both times and plugged the holes they used that I had been unaware of before - but by now there are so many software packages that it's hard to keep track of security issues in all of them.

But, yes, despite those experiences, I'd still run a linux box over a windows box any day, because I think that in general my linux box is safer.

Re:Unsurprising (1, Troll)

SpaceCadetTrav (641261) | more than 9 years ago | (#12054239)

Every post so far contains nothing but knee-jerk whining. Did anyone actually look at the claims of the report? Anyone care to see if the findings might possibly be accurate? How about at least moving past the vague claims of the submitter? Here's the beef:

The results of the research show that both Linux-based deployments contained more total security vulnerabilities and more "days of risk"-- the amount of time elapsed between public disclosure of a vulnerability and the issuance of a potential fix by a vendor--per vulnerability. The report also includes a separate, step-by-step description of the repeatable methodology, so that others can duplicate and validate the results.

Windows vs. Linux Web Server Security Research Study [securityinnovation.com]

Re:Unsurprising (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12054286)

In other words, it's a critique of the full-disclosure security policies practiced by Open Source, rather than the sweep-under-the-cover policies of Microsoft?

I didn't see it coming (2, Funny)

essreenim (647659) | more than 9 years ago | (#12054284)

..because I'm blind and I have the MS window tattooed on my ass.

Who? (2, Informative)

Skiron (735617) | more than 9 years ago | (#12054021)

MS or researchers. One wins $$ and one wins $$...

Re:Who? (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12054030)

One loses scientific credibility, one does not.

They had to create a new "never before used" metric just to get the results they wanted, and the metric is stupid to boot.

Re:Who? (2, Interesting)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#12054071)

Microsoft too would lose credibility, if it had any to lose.

It's got nothing to lose, because it's lost it all already.

Re:Who? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12054090)

Like a bi-sexual.

Re:Who? (1)

cptgrudge (177113) | more than 9 years ago | (#12054280)

It's got nothing to lose, because it's lost it all already.

Yeah. When I hear about a study that raises Microsoft up above another product, I always find myself thinking, "Yeah, because they paid for it."

I'm not a Linux or Apple zealot by any means. I use the best tool for the job, be it Microsoft, Linux, Apple, etc.

But when I don't even check to see if Microsoft did pay for a positive study, I just assume it, Microsoft has lost all credibility for me, at least on studies.

Been there, done that? (0, Offtopic)

bugbeak (711163) | more than 9 years ago | (#12054025)

Been there, done that.

Re:Been there, done that? (0)

Anonymous Coward | more than 9 years ago | (#12054104)

Been there, done that!

Re:Been there, done that? (0)

Anonymous Coward | more than 9 years ago | (#12054124)

Got the FUD Inside t-shirt...

Wait what? (5, Funny)

failure-man (870605) | more than 9 years ago | (#12054027)

People will say whatever you want if you give them lots of money? Impudence!

Wrong Target (1)

soloport (312487) | more than 9 years ago | (#12054221)

People will always read what's put in front of them without checking sources, too. That fact is what Microsoft is after.

Some of us may care because we make our living as software developers, resellers, et al. We know how much competing with a giant means to our personal bottom line. We care passionately about F/OSS because it's our livelihood. (Some may care passionately against F/OSS because they see it as a threat -- go figure.)

It's that pointy-haired boss who's the target of these "studies", not the general population. We should find a way to make pointy-haired bosses irrelevant. And... uh... good luck with that.

Whoa...whoa...whoa (0)

codesurfer (786910) | more than 9 years ago | (#12054032)

Are you saying that Microsoft funded a study that came to a M$ favourable conclusion? I'm shocked...oh wait...

In Soviet Russia . . . . . (-1, Offtopic)

theparanoidcynic (705438) | more than 9 years ago | (#12054034)

Researcher pays YOU off!

Re:In Soviet Russia . . . . . (-1)

Anonymous Coward | more than 9 years ago | (#12054116)

Topic offs YOU!

The *real* reason Microsoft sucks... (5, Insightful)

danielrm26 (567852) | more than 9 years ago | (#12054037)

These people make me sick. It's stories like this that make me realize why Microsoft is the object of so much hate. It's not because of their products, it's all about how they deal with competition.

I like Active Directory and a few other Microsoft creations, and I even have an MCSE. Hell, Exchange has a good feature-set; if it would just stay up and be easier to manage it'd be a great product too.

What I can't abide is being told that IIS is superior to Apache, and that Windows is more secure than "Linux". They send out these teams of spin-doctors with big bankrolls and try and take over the world using FUD. It's total crap.

When do you see Linus doing this? Steve Jobs? Not very often. There are occasional comments, but nothing like this steady stream of trash that comes out of Redmond. I grow tired of it, and my reasons for disliking the company have never been more clear.

Re:The *real* reason Microsoft sucks... (5, Funny)

failure-man (870605) | more than 9 years ago | (#12054055)

Who modded this troll? Does Microsoft pay to mod down anti-fud too?

Re:The *real* reason Microsoft sucks... (5, Insightful)

danielrm26 (567852) | more than 9 years ago | (#12054075)

It's not trolling if there is a real point being made other than to incite hostility and debate. My point is clear: Microsoft has a lot to offer by way of products, but they turn people off by being so deceitful when dealing with competition.

If you think a comment along those lines is trolling, I suggest you take another look at the definition.

omfg.. What a fucking useless rant... (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12054067)

..completely devote of any useful or new material.. You could have just written: "Hey slashdot, me too!".. please give me the last 30 seconds of my life back!..

You remind me of Signal11, god rest his soul.. (or not)

Re:omfg.. What a fucking useless rant... (1)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#12054085)

Ironically, your rant was just as useless. You could have just written "GNAA rules".

Re:omfg.. What a fucking useless rant... (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12054135)

You're right, GNAA RUL3Z!!.. ;P

Re:omfg.. What a fucking useless rant... (1)

danielrm26 (567852) | more than 9 years ago | (#12054102)

devote
You keep using this word. I don't think it means what you think it means.

Re:The *real* reason Microsoft sucks... (2, Insightful)

debilo (612116) | more than 9 years ago | (#12054072)

Why has this been modded Troll? Parent is simply expressing his disgust with Microsoft's business tactics, and so am I.

And before you jump at me saying "Well, duh, they are a business, and the whole point of a business is to make money", yes, I know that, and I still find it disgusting. There's a point where unethical behavior actually starts affecting peoples' lives.

You're right. It's not a troll: it's redundant. (0)

Anonymous Coward | more than 9 years ago | (#12054088)

See subject

Re:You're right. It's not a troll: it's redundant. (0, Troll)

debilo (612116) | more than 9 years ago | (#12054100)

Just like Microsoft's methods and tactics of spreading FUD.

Re:You're right. It's not a troll: it's redundant. (-1, Troll)

danielrm26 (567852) | more than 9 years ago | (#12054118)

You're right. It's not a troll: it's redundant.
Perhaps to some degree, but many here forget that Microsoft has good products and is not completely worthless. Most like to bash, bash, bash them for any and every product they have. I don't.

I'm making the distinction between their offerings and their dealings with the world. I don't hear that point of view very often here, so I thought it would be worthwhile to mention.

Re:The *real* reason Microsoft sucks... (1)

mocm (141920) | more than 9 years ago | (#12054078)

Unfortunately, this method of spreading FUD about the competition and praising yourself seems to be the best way to sell your products.

Re:The *real* reason Microsoft sucks... (0)

Qwavel (733416) | more than 9 years ago | (#12054212)


MS is a company. So is Apple. Companies do things like this all the time. Yes, I concede that not all companies act with the same degree of nastiness, but most will do whatever is necessary to win (or they will loose).

Linus is not a company. Nor is Linux.

Re:The *real* reason Microsoft sucks... (1)

orkysoft (93727) | more than 9 years ago | (#12054301)

Just like you play loose and fast with grammar?

Re:The *real* reason Microsoft sucks... (5, Insightful)

BoomerSooner (308737) | more than 9 years ago | (#12054305)

Not exactly. It's easier to run a company with a conscience if it isn't publicly traded and has few owners. My company operates with the intent of integrity being our first goal. If you run a company without having sales people that lie, support personnel that don't care and managers that only care about the bottom line, it's pretty easy to be successful without losing your moral compass.

My company isn't taking off as quickly as I'd hoped, but I'd rather fail and leave my conscience intact and know that I did it the ethical/moral way. Our goal is to build mutually beneficial relationships with our customers, not to sell them shit they don't need.

Sales people push. Partners (what we consider ourselves) work to provide benefits. It's no harder to operate in a good manner than it is in a poor manner.

That being said, my first company failed (too green out of college), my second company is just running at break-even (it does provide some good community services though so it's good karma either way), and my third company is getting close to break-even.

I'd rather work for myself and make $20,000/year than work for (insert global corp here) and make $120,000/year. It's more rewarding and the stress isn't comparable. Most people don't realize that starting your own business is primarily difficult because it requires fiscal discipline and the ability to not be afraid of the umbilical (sp?) cord being cut from receiving a paycheck every 2 weeks or half month. In the end most people are 2 paychecks away from being broke anyway.

Employees are expensive but running a company with integrity is priceless!

It's the business practices (4, Insightful)

gidds (56397) | more than 9 years ago | (#12054228)

Yep, I've been saying this for years too.

Sure, their products suck. But on its own, that wouldn't be a problem, because people would be free to choose the best product for the job. MS would be under the same commercial imperatives as anyone else: make good products, or die.

But their business practices suck too. Because of that, the market isn't free to pick the best products.

They pay people (individuals, dealers, companies, governments) to use their sucky products, by offering discounts and other incentives -- even giving them away if necessary. They pay competitors not to make competing products, by buying them off. They pay masses in marketing to make their products seem less sucky. They pay lawyers to find ways to prevent competitors making better products. They pay dealers and distributors not to bundle competitors' products. They pay lawmakers to prevent competitors being able to compete fairly. They pay training companies to ensure that there's more expertise for their products. They pay their own developers to break competing products in various underhand ways. They pay anything they can to support their products.

And so, ultimately, we all pay...

In short, it's their immoral and illegal business practices which make their dodgy products popular. Prevent those, and their products wouldn't be a problem.

Should be from.... (5, Funny)

Anonymous Coward | more than 9 years ago | (#12054038)

The article should be from the 'well-duh' dept.

from the article (4, Insightful)

Stevyn (691306) | more than 9 years ago | (#12054040)

"They say they had "complete editorial control over all research and analysis" involved in the project."

It was later learned that Microsoft "had complete financial control over all employees involved in the project."

Anyway, is Microsoft trying to develop a pattern here? Every time windows beats linux it's from a source microsoft paid.

Re:from the article (1)

oscartheduck (866357) | more than 9 years ago | (#12054077)

And every time windows beats "Linux", it's all about number of reported vulnerabilities and days to fix them and nothing about reported number of severe vulnerabilities vs reported number of minor vulnerabilities. Move along, nothing to see here.

Re:from the article (-1, Troll)

TheLink (130905) | more than 9 years ago | (#12054181)

It could well be they had complete control and independence over the research and analysis.

But what also matters is the publishing part. Otherwise Microsoft could just sponsor 10 independent researchers. And only let the one favourable study get published.

That way, all the studies are independent, but you still pick the result you want.

In contrast picking the US president is the other way round... The US people get to independently pick the conclusion they want, from 2 pre-chosen results :).

That said, Linux Distros aren't really that secure - esp the desktop configurations - once all the typical desktop stuff is installed. I doubt Mozilla is secure - it's just not been as targeted. Mozilla regularly crashes and exits on me for no apparent reason. If you can get a C/C++ program to crash, an attacker can usually get it to run arbitrary code of the attacker's choice.

Same with OpenOffice. Not very stable even with just normal usage. Microsoft Word hardly crashes in comparison.

However for some reason, the latest fully patched IE seems to crash repeatably on some sites when I drag a link in a browser window and let go within the same window (needs javascript enabled - I only enable javascript for a few sites). I don't recall it doing that before.

However Microsoft has really dropped the ball with XP SP2 becoming vulnerable to the LAND attack. Sure speaks volumes that they allow such a vulnerability to be REINTRODUCED.

The Linux kernel has had a fair number of bugs just this year too.

So they're all crap ;).

Re:from the article (1)

LiquidCoooled (634315) | more than 9 years ago | (#12054287)

Wasn't the original LAND attack a Win95 vuln?

Isn't win 2000/xp etc a completely different code base?

It is likely that something like this can happen, its the WHOLE reason why applying fixes to old slow bugfixed, tested real world code is in most cases better than recoding it from scratch.

Exhaustive regression testing should reveal things like this, but occasionally things get missed.

Besides, this is a local machine exploit - I have another "pressing the power button on a local machine results in denial of usage", should MS prevent that happening as well?

I agree with your main points though :)
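For readers wondering what the LAND packet mentioned in this thread actually looks like on the wire: it is a TCP SYN whose source address and source port are the same as its destination address and destination port, so a vulnerable stack ends up answering itself. The following is an added example, not code from the original discussion or from any of the vendors named in it. It parses raw IPv4+TCP headers and flags the LAND signature; the packet builder and the addresses and ports in it are constructed for the demo (no checksums, no link layer), and the `scan_packets` helper is a hypothetical name for the sweep you would run over a capture.

```python
"""Detect the classic LAND signature (src ip/port == dst ip/port on a TCP SYN)."""
import ipaddress
import struct

IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4_tcp(src_ip: str, sport: int, dst_ip: str, dport: int,
                   flags: int = TCP_SYN) -> bytes:
    """Constructed raw IPv4 + TCP packet for the demo (checksums left zero)."""
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    # IPv4 header: ver/ihl=0x45, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return ip + tcp


def is_land_packet(pkt: bytes) -> bool:
    """True if pkt is an IPv4 TCP SYN (not SYN/ACK) with src == dst address and port."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return False                      # not IPv4, or truncated before the IP header ends
    ihl = (pkt[0] & 0x0F) * 4             # IP header length in bytes (options included)
    if pkt[9] != IPPROTO_TCP or len(pkt) < ihl + 20:
        return False                      # not TCP, or truncated before the TCP header ends
    src, dst = pkt[12:16], pkt[16:20]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]
    return (src == dst and sport == dport
            and bool(flags & TCP_SYN) and not (flags & TCP_ACK))


def scan_packets(packets) -> list:
    """Hypothetical sweep helper: indexes of packets matching the LAND signature."""
    return [i for i, p in enumerate(packets) if is_land_packet(p)]


if __name__ == "__main__":
    # Constructed sample traffic: one LAND packet hidden among ordinary SYNs.
    sample = [
        build_ipv4_tcp("192.0.2.10", 40000, "10.0.0.5", 139),
        build_ipv4_tcp("10.0.0.5", 139, "10.0.0.5", 139),
        build_ipv4_tcp("192.0.2.11", 40001, "10.0.0.5", 445),
    ]
    print("LAND packets at indexes:", scan_packets(sample))
```

The SYN/ACK exclusion keeps a legitimate reply from matching; only the spoofed connection-opening packet carries the signature. A real sensor would feed `is_land_packet` the IP payload of each frame from libpcap rather than the constructed bytes above.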

Hanging chads (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12054041)

Florida: hanging chads and now crooked reports? What's next?

It's not just Microsoft (5, Interesting)

bird603568 (808629) | more than 9 years ago | (#12054050)

If you want your product to be found safe or secure or whatever, you fund research. Cell phone companies fund research to show that they are safe, but a recently published study by a guy from University of Washington proved otherwise.

Re:It's not just Microsoft (4, Insightful)

Anonymous Coward | more than 9 years ago | (#12054062)

Do Microsoft not realise that if they were to fund a project properly, take the criticism constructively and make Windows better as a result of it we would have a lot more respect for them? I don't think it really matters that Windows is insecure, it is the fact that they aren't trying to fix it, just cover it up that I find concerning.

Re:It's not just Microsoft (0)

rpozz (249652) | more than 9 years ago | (#12054133)

I don't know why, but the general public seems to like crap. Microsoft is just giving them what they want - crap.

Look at the most popular fast-food chains, the most popular music, the most popular TV programs, etc.

Re:It's not just Microsoft (0)

Anonymous Coward | more than 9 years ago | (#12054095)

"Cell phone companies fund research to show that they are safe, but a recently published study by a guy from University of Washington proved otherwise."

I don't think the study really proved otherwise. My interpretation was that the study just suggested that the cell-phone-company funded research might be flawed. There is a major difference between showing inconsistent data and proving that something is false. I think, if anything, it showed simply that more (neutrally funded) research is needed.

Because the topic is controversial and a lot of money is involved, it will be important to keep such studies as blind as possible in terms of the researchers.

This is the article (2, Informative)

bird603568 (808629) | more than 9 years ago | (#12054146)

I was handed this article from a retired researcher that was supervising me on my wifi research. http://www.washington.edu/alumni/columns/march05/wakeupcall01.html [washington.edu]

Re:This is the article (1)

rikkards (98006) | more than 9 years ago | (#12054272)

My dad specializes in EMI. Most of his work involves ensuring avionics from different manufacturers don't interact negatively with each other. About 15 years ago I remember him telling me that if you were going to use a cell phone in a car for a prolonged time, you might as well stick your head in a microwave.

Re:It's not just Microsoft (1)

Cyhawkalewagee (854711) | more than 9 years ago | (#12054207)

But unlike the computer world, the majority of people already KNOW cell phones cause cancer and what not, as well as millions of signs around hospitals, and gas stations (my Shell station here in Sunnyvale now has a 'do not use a cell phone while pumping', reason? Not sure, but there must be a reason, people GENERALLY don't put up signs like that unless there's a slight, remote possibility of something going bad). The problem is, the unsuspecting computer user, who only looks at websites, reads email, uses AIM and plays Solitaire will not understand the fundamentals behind the whole argument, because these people are NOT informed about computers and various security involving computers and the internet. (Sasser, Code Red, NONE of these would have happened if people had the slightest clue). All they hear, if they hear anything at all is the stream of crap coming out of Redmond. Why do they only hear this? Because this is all that's reported on, and IMHO, this needs to stop. We as a community need to band together and release, to the wide public, counter-spin.

Take this as an example. How many of you have had someone you know ask you what is the best kind of computer, Dell or Gateway? (or any other major brand of machine-made computers). How many of you have answered, "Build your own, and save your money, it works identically, and I'll even build it for you for free". What's the most typical answer? I've been running my own business, fixing people's Dell computers. (Rarely anything else, sometimes old Gateways..) and a lot of them ask me this same question. Only maybe 1 out of every 20 customers who are seriously going to buy a computer actually let me build one, of identical specs (right down to the mouse and keyboard) for more than $400 cheaper, and only ONE, ONE out of 2-4 builds a WEEK in the last 5 years have wanted Linux. Not that I haven't tried to get them to use Linux, in fact I explain to them the benefits of Linux for what they generally do. And sadly, a lot of them HAVE read the crap from Microsoft, (or 'heard' it from someone at 'work')

All in all, yes of course we know Linux is more secure. But it's 'US', not the average joe email who doesn't yet understand (or doesn't care to understand) the way computers and security really work. We as a community need to fix this.

/Soapbox

So predictable (3, Interesting)

gagge (808932) | more than 9 years ago | (#12054053)

All this research by MS funded institutions and researchers, Alexis de Tocqueville etc... It's too predictable. Do people actually believe anything they're saying? At least this time they didn't claim Torvalds isn't the father of Linux.

Re:So predictable (1)

Maljin Jolt (746064) | more than 9 years ago | (#12054108)

Do people actually believe anything they're saying?

Propaganda is always directed at a specific target audience. In the purpose of such institutions as ADTI, there is no reason common people should believe them. But the politicians, both administrators and lawmakers, do, and that does count well.

Re:So predictable (1)

ozmanjusri (601766) | more than 9 years ago | (#12054164)

Do people actually believe anything they're saying?

They don't need to. This stuff is just fodder for metadata that ends up in marketing material for PHBs. You see it all the time; "Seven out of ten independent studies showed that black is white". It doesn't matter that anyone with a clue knows the research is paid for.

Re:So predictable (1)

daniil (775990) | more than 9 years ago | (#12054254)

Do people actually believe anything they're saying?

They do buy (or steal) Microsoft software, so the answer is probably either "Yes" or "They don't have to, as long as they keep buying MS's products."

Transparent and Open? (4, Insightful)

oscartheduck (866357) | more than 9 years ago | (#12054058)

"Our own requirement for the methodology was that it had to be very open and transparent." "However, during their Feb. 16 presentation at the RSA Conference, Thompson and fellow researcher Richard Ford of the Florida Institute of Technology did not mention that one of the subjects of their research was the one funding the project." Huh. As noted already, this reeks of bias. Even if the results are perfectly accurate (and the FUD surrounding the notion that "Linux" is insecure rather than a specific distro means that they aren't) suspicions are aroused irrespectively.

Would somebody please refute the numbers (0)

Anonymous Coward | more than 9 years ago | (#12054069)

"... with 52 reported vulnerabilities for the year, compared with 132 vulnerabilities for the Linux version, according to the report. The researchers also calculated an average of about 31 days of risk for the Windows software in 2004, compared with an average of about 70 days of risk for the Linux version."

I strongly suspect, but can't prove, that more vulnerabilities are reported for Linux because more eyes are able to see them. I always took it as a matter of faith that problems were patched much faster in Linux than Windows. So, what sleazy trick have these guys pulled to make the Windows numbers look so good?

Re:Would somebody please refute the numbers (5, Informative)

Fished (574624) | more than 9 years ago | (#12054105)

Linux vulnerabilities tend to get reported before there's an exploit, even when the "vulnerability" is very minor. Windows vulnerabilities only come to light when there is an exploit, because no one can see the code.

Re:Would somebody please refute the numbers (3, Insightful)

westlake (615356) | more than 9 years ago | (#12054119)

I strongly suspect, but can't prove, that more vulnerabilities are reported for Linux because more eyes are able to see them. I always took it as a matter of faith that problems were patched much faster in Linux than Windows.

If you really take as gospel truth everything you believe about Linux, without demanding proof, why are you worrying about whatever trick makes the Windows numbers look good?

What a surprise... (4, Insightful)

ewe2 (47163) | more than 9 years ago | (#12054073)

...and what a bad move. Anyone with half a brain would have looked for independent funding, separate from both sides, to put their methodology beyond doubt. Instead they sold their concept to Microsoft, unbelievable naivety.

But the proof of the pudding should be in the eating: apply their methodology. Does it pan out for other Linux distributions/XP upgrades? If the methodology stands, it will be a great service to the debate.

It's just a damn shame the politics of the situation mean that probably won't happen.

Is it so difficult... (2, Interesting)

stubear (130454) | more than 9 years ago | (#12054076)

...to consider the possibility that if the study was unfavorable to Microsoft's position they would simply have pulled the plug and thrown away the results? Unless you can find fault with the study itself, there is nothing wrong with Microsoft financing studies which show Microsoft in a favorable way as long as the study itself was legitimate. I realize this may be a difficult concept for many /.'ers to grasp but give it a shot.

Re:Is it so difficult... (1, Interesting)

Anonymous Coward | more than 9 years ago | (#12054170)

Their metric is fucking stupid, and handcrafted to get the results that would net them the funding. The "research" is tainted and the "researchers" have lost credibility, as they should. I realize this may be a difficult concept for you to grasp, but give it a shot.

HTH.

Re:Is it so difficult... (4, Interesting)

kryptkpr (180196) | more than 9 years ago | (#12054282)

We are not questioning their results, our problem is with their methodology.

Their primary metric is "days since a vulnerability is disclosed to when a patch is released".

Microsoft doesn't officially disclose anything (aka "responsible disclosure") until all of their major customers have already been hit, and they have a fix ready.

Open-source software on the other hand has a tendency of being overly paranoid, and will release a security bulletin for every little thing as quickly as possible. This puts them at a natural disadvantage, using the above metric.

According to these "researchers", not letting your customers know that there's a vulnerability is preferred to letting them know as soon as possible. This sort of sounds like a good idea, until you factor in the fact that black hats will know pretty much immediately, word spreads quick.
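The "days of risk" metric quoted from the report earlier in the thread and dissected in the comment above is easy to put into numbers, and doing so shows exactly where the disclosure-policy objection bites. The following is an added example, not code from the original page, from the report's authors or from either vendor: it computes the metric as the report defines it (public disclosure date to fix date), and beside it the same window counted from the date the vendor first received the report. The two vendor record sets are constructed for the demonstration; the identifiers and dates are hypothetical and do not correspond to real advisories.

```python
"""Days-of-risk per the report's definition, beside the window counted from private report."""
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Vuln:
    ident: str        # hypothetical identifier, constructed for this example
    reported: date    # day the vendor first learned of the bug (private report)
    disclosed: date   # day the vulnerability became public
    fixed: date       # day a fix was issued


def days_of_risk(v: Vuln, *, from_report: bool = False) -> int:
    """The report's metric: days from public disclosure to fix.

    With from_report=True the window starts at the private report instead,
    which shows how much of the exposure the public-disclosure clock never sees.
    """
    start = v.reported if from_report else v.disclosed
    return max((v.fixed - start).days, 0)


def average_days_of_risk(vulns, *, from_report: bool = False) -> float:
    """Mean days of risk over a vendor's records for the year."""
    return mean(days_of_risk(v, from_report=from_report) for v in vulns)


# Constructed records. Vendor A publishes the advisory on the day the fix ships,
# so disclosed == fixed for every entry and the report's metric is zero by policy.
VENDOR_A = [
    Vuln("A-2004-01", date(2004, 1, 5), date(2004, 2, 10), date(2004, 2, 10)),
    Vuln("A-2004-02", date(2004, 3, 1), date(2004, 4, 13), date(2004, 4, 13)),
]

# Vendor B publishes the day it receives the report and ships a fix days later,
# so every day of its exposure lands on the public clock.
VENDOR_B = [
    Vuln("B-2004-01", date(2004, 1, 5), date(2004, 1, 5), date(2004, 1, 12)),
    Vuln("B-2004-02", date(2004, 3, 1), date(2004, 3, 1), date(2004, 3, 15)),
]


def compare(vendors: dict) -> dict:
    """Both averages per vendor, so the ranking under each clock can be read side by side."""
    return {
        name: {
            "public_clock": average_days_of_risk(vulns),
            "report_clock": average_days_of_risk(vulns, from_report=True),
        }
        for name, vulns in vendors.items()
    }


if __name__ == "__main__":
    for name, scores in compare({"A": VENDOR_A, "B": VENDOR_B}).items():
        print(f"vendor {name}: public-clock {scores['public_clock']:.1f} days, "
              f"report-clock {scores['report_clock']:.1f} days")
```

Under the report's clock vendor A scores 0.0 days and "wins" against B's 10.5, yet counted from the report date A sat on its bugs for an average of 39.5 days while B's figure stays at 10.5. The metric measures when a vendor chooses to start the clock as much as how fast it patches, which is the point the comment above makes about comparing a coordinated-disclosure vendor with projects that publish immediately.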

To be honest... (1)

Skiron (735617) | more than 9 years ago | (#12054083)

It is hard to get a 'true' test on what is this and what is that, especially security.

What needs to be done is _not_ an independent review sponsored by MS, but a review by all parties not sponsored by anyone.

MS always uses its FUD.

Why not get a panel from ALL current OS and do similar?

Tut.

We know why that will never happen.

BTW, did the guys involved have to pay the full whack on Windows Server 2003?

"silently" (1)

rob_squared (821479) | more than 9 years ago | (#12054084)

I'm so glad they did it silently so nobody would hear about it. On a different topic, I'm glad they put up that sign for warning people to stay out of that secret army base.

Not news! (2, Funny)

IGnatius T Foobar (4328) | more than 9 years ago | (#12054086)

Our other top story today: President Bush's approval rating is higher than ever, mainly because consumers are very happy about rising oil and gas prices ... reports FOX News.

How Microsoft manipulates the results (1, Informative)

Anonymous Coward | more than 9 years ago | (#12054089)

Microsoft puts pressure on discoverers of security leaks not to disclose them.
That gives MS time to find a fix and reach a better "days-of-risk" value.

Florida Tech./Security Innovation selling souls (1)

j.leidner (642936) | more than 9 years ago | (#12054091)

"Thompson said he didn't know whether anything in the research contract with Microsoft would have prevented release of the study if the company considered the results unfavorable."

He surely doesn't have to read it to understand how the system works...

-- Shameless plug for the Nuggets [mynuggets.net] mobile search engine.

Windows may be more secure than some distributions (2, Insightful)

Jeff DeMaagd (2015) | more than 9 years ago | (#12054094)

...but I wouldn't put it past them to test ten and use the one that makes them look best.

MS is Con-Choice (0)

Anonymous Coward | more than 9 years ago | (#12054271)

...and even if they beat every single one of the ten, they'd still only mention one, because doing otherwise would imply that there's choice on the "other side of the fence".

MS wants nothing of that. If, horror, they have to compete with "Linux", there will be only one "Linux", and that today is RedHat.

We'll know they're sweating when their paid shills start to rave about some other dist, or even mentions several of them at the same time.

Pfft (3, Funny)

irritus (789886) | more than 9 years ago | (#12054099)

You guys are too skeptical. So MS paid for the study that found them to be safer. That doesn't mean a thing. Seriously, give up the paranoia and trust your fellow human beings for a change. Now, if you'll excuse me, I need to draw up plans for a toll both. A nice fellow in a trenchcoat just sold me the deed to the Brooklyn Bridge.

They already did learn. (5, Insightful)

sicking (589500) | more than 9 years ago | (#12054103)

When will they ever learn?

When will who learn? Microsoft? They already did. They learned that funding research groups is a great way to portray themselves as they see fit and at the same time spread FUD about Linux and other competitors.

Duplicate the research and outcome (3, Insightful)

88NoSoup4U88 (721233) | more than 9 years ago | (#12054111)

The researchers, from the Florida Institute of Technology and Boston-based Security Innovation Inc., defend their process and conclusions as valid. They say they had "complete editorial control over all research and analysis" involved in the project. Their report details their methods, and they invite other experts to examine and duplicate their work.

So has anyone already put this to the test?
As long as there is no counterevidence (besides the obvious evidence from everyday use of both OS's), why already pass a judgement? (Ok, this -is- Slashdot, I'm not -too- new here)

Although I find it dubious, to say the least, to have MS funding this research, I still think that they should at least try to reproduce the results, and investigate what might have been left out (on purpose) to skew the outcome.

When will they ever learn? (4, Insightful)

Alain Williams (2972) | more than 9 years ago | (#12054114)

I am sorry, that is wrong, it should be:

  1. When will
  2. we ever learn?

The point is that many people who matter will see this paper; they are busy people, they will read the headlines and the conclusions, and they won't even notice that there is something about funding. These people are IT directors and the like.

Yes: we geeks say that the report is a joke because of the way that it is funded; learn that the joke is on us since we dismiss this paper as irrelevant when it is opinion forming.

Re:When will they ever learn? (0)

Anonymous Coward | more than 9 years ago | (#12054298)

What do you mean no one will read who funded it? No one has time to read the details of the method, but how long does it take to read the acknowledgement line? After all, they need to know who is funding research so that they know who to ask for money. Also, they need some quick way to evaluate the merit of the paper without understanding it fully, like in this case: it's funded by Microsoft, don't believe it.

Loss of Credibility (1, Insightful)

digitaltraveller (167469) | more than 9 years ago | (#12054134)

These sell outs always surprise me. Your reputation is the most valuable thing you "have". Once that's gone, you are nothing more than some guy who lives in a van down by the river.

If you are going to derive your research from presupposed conclusions it helps to AT LEAST choose a plausible sounding conclusion.

As a genuine security researcher, I don't think anyone knowledgeable in the field believes that Microsoft has a more secure OS than a hardened version of Linux.

Speaking as an academic, it is somewhat disappointing to see this kind of spin besmirch the ivory tower of a university institution.

Re:Loss of Credibility (2, Insightful)

United544 (851579) | more than 9 years ago | (#12054203)

Microsoft has a more secure OS than a hardened version of Linux.

Right there is the flaw in your statement. You're correct in that no one in the field would believe that a Microsoft OS is more secure than a hardened version of Linux. On the same token though, any reputable person in the field would agree that a hardened version of Microsoft's OS is not any less secure than a hardened version of Linux.

Speaking as an academic, it is somewhat disappointing to see this kind of spin besmirch the ivory tower of a university institution

What are you talking about? Academic research is funded by corporations all the time. Why is this any different? Just because they were funded by Microsoft does not immediately mean the research is flawed or skewed. Have you reviewed the paper? My guess is not. Before making straw man arguments make sure you have all the facts.

I'm not trying to make a claim for or against the findings, only that, with the amount of information we have about the research at this time, these kinds of statements, "These sell outs always surprise me," are completely unwarranted.

Apples to Oranges (2, Interesting)

yancey (136972) | more than 9 years ago | (#12054137)

Let Microsoft open the source code for their operating system and then let us see who has more reported vulnerabilities!

Still a good move. (4, Interesting)

Douglas Simmons (628988) | more than 9 years ago | (#12054141)

Keep in mind that we, the people who see the evil trickery, are a flash in the pan of all the people Microsoft would like to spook away from Linux with FUD. Several years ago Microsoft tried to use Linux's existence in their legal battles to say Hey, it's not peaches and cream for us with these commy hippie coders spreading free software, so please, DOJ, cut us some slack. Violins.

But at the time they weren't too worried about the long term growing threat, they were worried about the pending case. Now the big picture nightmare is being realized on all fronts and they need to go down in flames shooting off ridiculous attacks/defenses that they paid for because the net result will probably be in the black, at least beyond the slashdotters, of keeping more people from moving to linux than they drive toward linux because those people found out that MS paid for the study and yada yada. Count on that MS reads the likes of Slashdot and give them a little benefit of the doubt -- not with their ethics, but with their business sense. In this case I think the ensuing flood of "when will they learn" posts will be overstated. I should note however that MSFT has had a pretty disappointing [yahoo.com] performance and that the public is catching onto the hole they're in, and not every investor is going to stay on the ship just because Microsoft is selling video games.

But then I think, I am a Debian addict and I am defending MS's business decisions, and then I think I've been up all night perfecting my porn site and I'm beginning to hallucinate. I don't know where I'm going with this... Back to the porn!

Researchers... (4, Insightful)

panurge (573432) | more than 9 years ago | (#12054143)

In pure science, there is a reasonable probability that biased or faked research will get found out. This is because the rules are constant and experiments are reproducible. The great merit of IT as a field for making money out of biased research is that things do not stay the same. In five years time nobody is likely to do a study of penetration of Linux vs Windows systems in 2004 and decide that one system was superior to another. Apart from the commercial secrecy surrounding hacks, there is no way of collating all the logs.

The conclusion has to be that selling IT snake oil is an even better bet than becoming an aromatherapist or an urban shaman. No-one is likely to be able to prove you wrong, and you can continue to be paid by your vendor of choice secure in the knowledge that most publications will not print anything that upsets their biggest advertisers, and that even if a few minority interests notice the connection between your conclusions and your paycheck, the wider world probably won't notice.

The system will only fall apart if academic institutions get together and pass some suitably tough rules on the ethics of product comparisons, and history suggests that the first one under the new rules will be a study of the aerodynamics of different breeds of pigs.

Re:Researchers...When Pigs Fly (1)

GnarlyNome (660878) | more than 9 years ago | (#12054306)

We will all be carrying heavy duty umbrellas,
and every time I see one of these "Research Papers" I reach for mine.

The first flaw was in the late disclosure (4, Insightful)

Anonymous Coward | more than 9 years ago | (#12054148)

I'm a researcher and on the editorial board of an academic journal. The cardinal rule is you disclose your funding or any conflict of interest *every* time and *any* time you make a presentation or write a paper. Such disclosures are essential in allowing others to evaluate the possibility of bias and are accepted practice.

Academia requires funding, and researchers are usually funded. Funding agencies always have a perspective (even when you're funded by the NIH or NSF or other federal agencies). The agreement that the researcher has intellectual control of the research process, data, and the right to publish is key, especially with commercial sponsors (e.g., MS, pharma companies).

These folks may well have had an agreement ensuring them that they could find what they found and freely report it. And if they reported it, others can appraise the quality of their methods. I haven't read the study, so I don't know if the comparison was fair. Did their support from MS include someone sending them specially-configured systems, for example?

But I do know that they should have known better than not to disclose the funding source in their first talk.

Go Microsoft! (2, Interesting)

tmasky (862064) | more than 9 years ago | (#12054151)

The worst thing MS ever did for itself is admit to competing against GNU/Linux.

They're just spreading the word further, to people who may never have known of alternatives. Anyone who's semi-competent can then clarify the situation.

Keep it up Microsoft. Remember, it's a case of when - not if. You're helping to bring that date closer =)

News? (0, Redundant)

jbrandv (96371) | more than 9 years ago | (#12054152)

No news here. Move along.

Get the real stats (5, Informative)

markcox (236503) | more than 9 years ago | (#12054159)

http://blogs.redhat.com/people/archive/000201.html [redhat.com] links you to the raw downloadable data on how well Red Hat really did and a trivial Perl script to analyse it and drop out all sorts of metrics.

MOD PARENT UP (0)

Anonymous Coward | more than 9 years ago | (#12054209)

A very nice counter from RH, detailing the flaws in the original "independent" research.

Any comments from Florida Institute of Technology? (1)

TorKlingberg (599697) | more than 9 years ago | (#12054168)

Are there any comments from the Florida Institute of Technology? Do they usually sell faked research?

Re:Any comments from Florida Institute of Technolo (1)

GnarlyNome (660878) | more than 9 years ago | (#12054262)

Unfortunately, all academic institutions fake research; the pressure for money makes it hard to turn down a "grant".

This is not the career you are looking for... (1)

mikaelhg (47691) | more than 9 years ago | (#12054177)

This is not the career in research you were looking for, you can go about your business. Move along, move along.

flawed study (1)

stefanmi (699755) | more than 9 years ago | (#12054179)

The problem with this study isn't that it can be seen to say that Windows is more secure than Linux (which it doesn't say, and specifically denies it's saying, but which Linux users will think it's saying and flame away). The problem is that they claim to be trying to find the "most secure" OS, and then look at the % of total attacks against each type of system instead of the average per installation of each type. If I set up 5 insecure "A" machines and 100 more secure "B" machines, and find that there were 5 attacks against the A machines and 20 against the B machines, I can conclude that the B machines are least secure because they account for 80% of attacks, or that A machines are least secure because they're attacked 100% of the time vs. 20% of the time. The raw numbers are completely meaningless in the context they're presented in, and the "news alert" itself shows they're either intentionally misleading people or they're incompetent and need to hire a statistician with a big clue stick.
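The two ways of reading the same numbers in the post above can be made concrete. The following is an added example (not code from the thread or the study) that takes attack counts and install counts per platform, computes both the share-of-total-attacks metric and the attacks-per-installation metric, and ranks platforms by each; with the poster's constructed 5/100 machines and 5/20 attacks the two rankings come out reversed. The function also handles the general case of more than two platforms.

```python
# Constructed sample matching the comment above: 5 "A" machines, 100 "B" machines,
# 5 attacks seen against A and 20 against B.
INSTALLS = {"A": 5, "B": 100}
ATTACKS = {"A": 5, "B": 20}


def attack_share(attacks):
    """Fraction of all observed attacks landing on each platform (what the study reports)."""
    total = sum(attacks.values())
    if total == 0:
        return {k: 0.0 for k in attacks}
    return {k: v / total for k, v in attacks.items()}


def attacks_per_install(attacks, installs):
    """Attacks normalised by install base: the rate a single deployment actually faces."""
    rates = {}
    for k, n_attacks in attacks.items():
        n_installs = installs.get(k, 0)
        # A platform with no deployments has no meaningful per-install rate.
        rates[k] = float("nan") if n_installs == 0 else n_attacks / n_installs
    return rates


def rank_least_secure(metric):
    """Platforms ordered from highest to lowest value of the given metric."""
    return sorted(metric, key=lambda k: metric[k], reverse=True)


def compare_rankings(attacks, installs):
    """Return (ranking by attack share, ranking by per-install rate) for the same data."""
    return (
        rank_least_secure(attack_share(attacks)),
        rank_least_secure(attacks_per_install(attacks, installs)),
    )


if __name__ == "__main__":
    by_share, by_rate = compare_rankings(ATTACKS, INSTALLS)
    print("least secure by share of attacks:", by_share)   # ['B', 'A']
    print("least secure by attacks per install:", by_rate)  # ['A', 'B']
```

The per-install rate is the one that tells an operator what a single box is exposed to; the share-of-attacks figure mostly tracks how many of each platform exist, which is why any comparison that omits the install counts cannot support a "more secure" claim.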

Paid opinions are worth exactly nothing (2, Insightful)

ites (600337) | more than 9 years ago | (#12054185)

It's remarkably stupid of Microsoft to continue to fund studies slamming Linux. The choice between operating systems is not one that people make on the basis of slight opinion. They follow trends, and technological trends are influenced by people who understand the impact of their choices.

Linux has been the choice of the leading edge for several years, it is well-established as the choice for the early adopter, and it's now starting to become a serious option for the mass market.

The mass market listens to the early adopters, the early adopters listen to the pioneers. That's the way it goes with technology, and that's why marketing only helps when products are otherwise equal.

Microsoft should work on the real problem - the low quality of their products, and the real gap between their outdated expensive proprietary software and the commodity alternatives - rather than try to influence the market with propaganda. Unless, of course, they have come to the realisation that they cannot fix the problems.

It will be newsworthy when a study finds that Microsoft has made a better product than the community, and when the study is both independent and accurate.

If Apple can do it, why can't you guys at Microsoft? It's just software... infinitely plastic, and you are so smart, so rich...

Nope. They won't do it. They just don't get it. They will continue to bitch and bluster and bluff until it's too late.

It's a shame. All that talent, all that money, and all they can do is pay people to lie.

Methodology...? (4, Insightful)

endofoctober (660252) | more than 9 years ago | (#12054187)

Reading their report, something caught my eye...
"In our analysis we leverage the inherent modularity of Linux to consider both a default configuration and a "minimal install" system that has a smaller attack surface that both satisfy the web server role."
...compared to...
For the Microsoft-based solution there are many components which are difficult or impossible to completely remove from the operating system and therefore we consider only one configuration, a "complete" installation, and count vulnerabilities for every application included with the server software in our analysis."
So, if I'm understanding this correctly, they're comparing a default install of Linux to a complete (assuming fully-patched?) install of WS2k?

And since they're claiming that this is a "Linux vs. Windows" research paper, the fact that they're looking at using the boxes as web servers makes it seem more like they're comparing Apache/PHP/MySQL to IIS/ASP/SQL...

I'm rather new to the Linux world, but isn't that like looking at the engine of a car, and saying the doors don't work?

This kind of thing misses the point (1)

hey! (33014) | more than 9 years ago | (#12054188)

Point 1: In a world where there is only one choice of operating system, if your security sucks, you're screwed. Even better would be to have a diversity of operating systems in an organization if cost allows.

Point 2: Linux is not an operating system. It's a kernel that various organizations build operating systems on. I haven't read the report, but if the authors include userland vulnerabilities, they're being completely dishonest. WRT userland vulnerabilities, you have your choice of Linux based operating systems and you should exercise your choice accordingly.

Point 3: Not all security vulnerabilities are the same. Remote root is different from local vulnerabilities. It's tempting to say that experience has shown Linux vulnerabilities to be on average less severe. However I wouldn't do so because most people live in a fool's paradise when it comes to security, and it's not responsible to encourage them to continue to do so.


Final point, addressed to Linux advocates: Don't make too much of the study's funding source. If you must look to anything other than the substance of the methodology, then look at the reputation and track record of the authors.

What really makes me mad is... (3, Insightful)

vhogemann (797994) | more than 9 years ago | (#12054193)

They're talking about "Linux", and it's a kernel. RedHat, Fedora, Debian, Slack, Suse... these are OSes!

So, if you get a sloppy distro (won't cite any names to avoid flames) and compare it to Windows, you can say that distro is more insecure than Windows. But you can't say "Linux is more insecure than Windows"!

If they really want to compare Linux to Windows, well... then let's compare the kernels, Linux vs. NT! Which one is more secure? Has more bugs? Heh, that's something I'd like to see.

Made my day :) (1)

Nonillion (266505) | more than 9 years ago | (#12054199)

Innovation Inc., 'surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system' according to the Seattle Post-Intelligencer

Hahahahaha..."snort" stop it! You're killing me (holds gut in pain)..

I can always look forward to a good laugh from /.

This is important because.... (2, Interesting)

seanvaandering (604658) | more than 9 years ago | (#12054208)

Now everyone reading TFA knows better, because you already know about /.. How about the millions of people using Windows that were trying to convert away because of security reasons, who don't know about /.. Until I switched from Windows to Mandrake Linux, I never even heard of this place, much less cared about which was more secure; however, now I know better. My wife OTOH doesn't, nor does she care to either, I might add.

Stories like this are just like SPAM; the reason they keep happening is because it WORKS. Like it or not, it's making an effect somewhere with someone and Redmond knows it.

It matters not....... (1)

Danathar (267989) | more than 9 years ago | (#12054230)

NO matter what MS says, no matter how hard they yell or lie or cheat or steal, as long as LINUX is useful and continues to improve people will use it. MS still does not understand that Windows' biggest enemy is itself and not LINUX. LINUX isn't designed to "beat" Windows. It's designed according to the needs of its users. The only reason we are seeing it improve in the desktop arena is because the userbase is changing, becoming more mainstream. So don't worry! Use LINUX (or BSD if that's your fancy) and ignore the "other camp". As long as everybody likes using it, it will not die.

A no-brainer for MS (2, Insightful)

siljeal (841276) | more than 9 years ago | (#12054235)

When those "researchers" (I'd rather call them hacks) presented their methodology to Microsoft and asked for funding, it was pretty much a no-brainer for MS to do so, as the metrics were clearly in their favour. Take the number of security reports, for example. The number of errors reported does not only depend on the number of errors in the system, it also depends on how available the means for finding these errors are. Compared to the number of people being able to do so with the Linux sources, fewer people have access to Windows Server 2003 source code. That'd be one factor. To that you should add that Microsoft can decide whether or not they want to make a security problem public. It would not surprise me at all if they didn't fix a few of those holes silently with their updates.

Also, the compared systems are not equal in scope. Redhat's Enterprise Linux offers a whole lot more software than a 'naked' Windows Server 2003, and thus a lot more potential for security problems. If you compared Windows Server 2003 with a rather bare Linux setup with no frills that offers similar functionality, then you could compare those systems.

In other words, the results of the study were already clear before the "researchers" started it. MS had nothing to lose because they could very much assume the results would be favourable to them. They didn't even need to put any pressure at all on those "researchers".

Blinded Me With Science (1, Insightful)

Doc Ruby (173196) | more than 9 years ago | (#12054245)

Computer science like their report does not have peer review. Which is disappointing, because proper computer science research is so much more repeatable than natural science. I'd like to see the ACM take a stand, and aggressively demand that published research either cite a peer review process upon publication, or publish auditable records of the publisher's finances. Of course, anyone can publish anything, and anyone is free to believe it. But computer science is too important not to distinguish accountable research from PR.

After reading Slashdot for years (3, Insightful)

Pingsmoth (249222) | more than 9 years ago | (#12054252)

and not owning a PC, I used to really dig this kind of stuff. I still don't own a PC, but my two roommates do, and the more I see these kinds of things on /. the more it reads like sour grapes from the linux community.

When one of my roommates got a Dell recently, I took a look at his XP before connecting to the internet. A few clicks and the firewall was on. A few more clicks and his anti-virus software was up and running. After connecting to our LAN I downloaded Firefox, and for the past month and a half he has had no problems with any security issues on his machine. No, Windows is inherently not as secure as linux, but if you know what you are doing, you will be able to set up your Wintel box to be decently safe and hacker-free.

The downside is, of course, that Microsoft could do a lot more to make Windows more secure out of the box. But Linux (and the Linux community) has a long way to go before the average wal-sumer will feel comfortable using Linux machines, much less knowing how to run them.

Key part of the article (4, Insightful)

StateOfTheUnion (762194) | more than 9 years ago | (#12054315)

Quoted:

Thompson said he and Ford developed the methodology on their own and submitted a proposal to Microsoft last year. He declined to say how much Microsoft paid to fund the research, but he said the company didn't have a say in the methodology.

I'm surprised that this kind of research would get so much attention . . . reading between the lines, the research proposal was written to attract money from Microsoft. This implies an immediate conflict of interest . . . the research proposal and methodology were very possibly skewed in favor of Microsoft from the very beginning to garner Microsoft's favor and money.

This is like writing a research proposal on the effects of smoking to get money from Phillip Morris. Of course such a proposal won't be written in such a way as to build a link between smoking and cancer . . . it would likely be written to imply that the research may refute the link between smoking and cancer. Skew the proposal in favor of the benefactor and one is more likely to get money . . .

The whole process needs to be more transparent . . and all of the facts need to be issued before presenting . . . otherwise this is just irresponsible research.
