Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Windows Operating Systems Software Linux

Ask the Author of the Latest MS-Funded Windows vs. Linux Study 449

Posted by Roblimo
from the Out-of-the-frying-pan-and-into-the-Slashdot-fire dept.
Last week on Slashdot you saw a (Microsoft-funded) research study on Windows vs. (Novell) Linux reliability by Dr.Herbert Thompson. Novell disagreed with the study's conclusions. So did most Slashdot readers. Thompson's work been mentioned on Slashdot before, especially his famous five-line script that could change electronic voting machine results and his novel, The Mezonic Agenda: Hacking the Presidency. He's a real, genuine-article computer security expert (and regular Slashdot reader) who is happy to put on his flame-resistant suit and discuss his Microsoft vs. Linux study with you. So ask whatever you like, one question per post. We'll send him 10 of the highest-moderated questions and publish his answers next Monday. He'll jump into the discussion then, which ought to make it rather lively.
This discussion has been archived. No new comments can be posted.

Ask the Author of the Latest MS-Funded Windows vs. Linux Study

Comments Filter:
  • by XorNand (517466) * on Monday November 21, 2005 @03:14PM (#14084444)
    Dr. Thompson:

    Admittedly, I don't know who you are and I haven't read any of your books. Worse, I didn't read your study itself, only its conclusions as reported second-hand by the press. However my lack of knowledge of your backgound is probably consistant with most Slashdot readers and the IT industry as a whole. I have to give you the benefit of the doubt and assume that you are a capable, respected researcher elsewise MS wouldn't have approached you in the first place.

    Could you please explain why you decided to risk drawing your objectivity into question by undertaking this project? Your findings may be 100% valid. And MS may very well have straight-up told you: "Please print whatever you find, even if it casts Windows in a bad light." However, who's going to believe it, even if it were true? If I were in your shoes, I'd be affraid that making a deal like this would ruin my career. If I don't tell MS what they want to hear, word would get out that I don't play ball. If I do report what's in the sponsor's best interest, a lot of people start accusing me of being a shill. Seems like a lose-lose proposition.
    • by CrimsonSamurai (912915) on Monday November 21, 2005 @03:20PM (#14084502)
      Good question. I'd be scared to post anything pro-microsoft on here, as a large number of /. users are pro-linux and anti-microsoft. I myself, am not too biased one way or another. I believe at this time that both linux and windows have their places, and aren't in 100% direct competition.
      • by miffo.swe (547642) <daniel.hedblom@g m a i l .com> on Monday November 21, 2005 @03:46PM (#14084753) Homepage Journal
        What many of you miss to realize(Microsoft included), is that there are a large group of current Microsoft only customers that are unhappy with their current offerings. Just because someone is against Microsofts decisions doesnt meen they like Linux. Many just see Linux as a catalysator wich will free the market, push standards and make interopability more common between vendors. Its very rare with 100% Microsofts network still Microsoft refuses to support any standard that would make life for their customers easier. The constant steering towards 100% MS networks is pissing people off.

        This really isnt about Linux its about making computers and their software be as standard as the internet.
    • Could you please explain why you decided to risk drawing your objectivity into question by undertaking this project? Your findings may be 100% valid. And MS may very well have straight-up told you: "Please print whatever you find, even if it casts Windows in a bad light." However, who's going to believe it, even if it were true? If I were in your shoes, I'd be affraid that making a deal like this would ruin my career. If I don't tell MS what they want to hear, word would get out that I don't play ball. If I
      • by Burz (138833) on Monday November 21, 2005 @04:01PM (#14084909) Journal
        Is a Linux study funded by GNU/FSF/OSI/OSDL or whatever any more impartial? No.

        I think many here would disagree. Nonprofits are not driven by motives which could be considered the mirrored opposite of commercial corporations. There is not the tremendous pressure to turn a profit (or some analog to monetary gain), and in your examples they're run by mere handfuls of individuals receiving very little compensation with only their reputations to fall back on. They represent what are largely hobbyists, almost to a maddening degree.

        OTOH, in Microsoft we have a callow and selfish for-profit entity with a rather abusive track record right up through their financial, er, daliances with SCO.

        Need I say more?

        Given their dynamics and history, being so dismissive of FOSS organizations as to just say 'well, eveone's biased anyway' really doesn't seem like an acceptable attitude.
        • by Haeleth (414428) on Monday November 21, 2005 @04:34PM (#14085168) Journal
          I think many here would disagree.

          Hang on, you're saying you believe that you would trust a FSF or OSDL-funded study to be impartial? You're saying that if the FSF funded a study comparing GNU to Windows, and the study came back saying "Windows saves you money in the long term, and Microsoft's Shared Source is as good as Free Software for 99% of users", that the FSF would then be happy to publish that study?

          I don't think so, and I suspect you won't either, if you pause to think about it.

          Nonprofits are not driven by motives which could be considered the mirrored opposite of commercial corporations. There is not the tremendous pressure to turn a profit (or some analog to monetary gain), and in your examples they're run by mere handfuls of individuals receiving very little compensation with only their reputations to fall back on.

          But that doesn't make them impartial! All it means is that the profit motive is replaced by other motives. And there are plenty.

          Think about how much time the major contributors to free software projects put into those projects. Hours, days, months, years of personal time, freely given. Time that could have been spent earning money, or doing charitable work, or even just spending time with their families. Time that was wasted, if it turns out that the software they produced is not actually going to help many people do anything at all.

          When you reach middle age, and the end starts to heave into sight on the horizon of your life, you start to get very, very uncomfortable about the idea that you might have devoted your precious time to an unworthy cause.

          Being so dismissive of FOSS organizations as to just say 'well, eveone's biased anyway' really doesn't seem like an acceptable attitude.

          What's dismissive about that? Microsoft really does think that everyone ought to use Microsoft software, and the FSF really does think that everyone ought to use free software. Everyone is biased. Pretty much everyone does have a pre-existing investment, either of time or money, in one of the options. And human nature does dictate that when you have an investment in something, you are biased towards accepting studies that support it and disregarding studies that don't.

          What's wrong with telling the truth?
          • There's a number of huge distinctions between the open source community, such as the FSF, and Microsoft. One of them is money: the other is that Microsoft has been caught tiime and time again lying in court, under oath, and breaking the clearest laws of intellectual property ownership, trade secret theft, coercion of witnesses, and fraud.

            The FSF keeps its nose squeaky clean, because they know they have to to keep any respect from their members and from the world at large.

          • When you reach middle age, and the end starts to heave into sight on the horizon of your life, you start to get very, very uncomfortable about the idea that you might have devoted your precious time to an unworthy cause.

            Which is supportive evidence that your argument is too biased in itself to consider.

            How is helping to produce freely given and very secure software for EVERYONE ELSE TO USE FREELY an unworthy cause? Indeed, one could (and I do) consider it "charitable work".

            Oh
      • You make it sound like this is something rare and dangerous. It's common and everyday, even when the reports go against Linux.

        I'd just like to point out the fact that just because something is commona and everyday doesn't mean it's not dangerous or doesn't merit fighting against.

        GP has a valid question that doesn't really imply one way or another that his findings were bad, or wrong; merely that many people will view them as both things, and (as the prompt seems to imply) since Dr. Thompson seems to be pret
    • Meta-credibility? (Score:5, Insightful)

      by Tackhead (54550) on Monday November 21, 2005 @03:33PM (#14084644)
      Where I come from (non-management, grunt-level techie), appearing in any of these analysts' journals *costs* an author more credibility than it gains him or her. For example, if $RAG says that $CORP has the best customer support, I immediately assume that $CORP has such horrid customer support that they had to pay someone to make up some research that proves otherwise.

      To be sarcastic, I'd ask "who the heck actually takes these studies seriously?", but obviously *somebody* does. Who are these people, and why do these people take these inudstry analyst firms/journals/reports seriously? Are they right or wrong to do so? This isn't an attack (or endorsement :) of your research -- I'm talking about the credibility gap in industry research, and my observation that it's an industry-wide problem.

      The meta-credibility question is this: Given the amount of shoddy pay-for-play research out there, does being published in an analyst journal tend to cost (a researcher, his consulting company, his financial backers) more credibility than it can gains him/her/them? If not, why not -- and more importantly, if so, is there any way to reverse the trend?

      • PHBs who listen (Score:3, Insightful)

        To be sarcastic, I'd ask "who the heck actually takes these studies seriously?", but obviously *somebody* does. Who are these people, and why do these people take these inudstry analyst firms/journals/reports seriously?

        First, let's recognize that anyone experienced enough with both operating systems will have their own experiences that will tell them which OS is better in various ways. These people are unlikely to be swayed by studies. Therefore, the first thing that is critical to understand is this: th

      • by Mad_Rain (674268)
        Where I come from (non-management, grunt-level techie), appearing in any of these analysts' journals *costs* an author more credibility than it gains him or her. For example, if $RAG says that $CORP has the best customer support, I immediately assume that $CORP has such horrid customer support that they had to pay someone to make up some research that proves otherwise.

        So who do you go to when you have question then? Eventually you have to trust somebody when it comes to a topic that you've reached the lim
    • by James_Aguilar (890772) <aguilar.jamesNO@SPAMgmail.com> on Monday November 21, 2005 @04:18PM (#14085046) Journal
      "Could you please explain why you decided to risk drawing your objectivity into question with insane paranoiac Slashdot readers . . ."

      Corrected. I know it may seem like a troll, but I don't think it is. Something that a lot of the readers of this site don't understand is that not everyone thinks that Linux is the shit to the point of denying all evidence to the contrary. Don't get me wrong, I have one Linux-only computer that I use for work, my other is dual boot, and I like it. I love Linux both for its principles and because it allows me to do things that I can't normally do with Windows, BUT that does not mean that I believe its raw performance to be equal to that of a more heavily funded operating system. And you know what? That's OK. I'd still rather use it.
    • Maybe he did it because HE understands that research should not be guided by popularity. Go ask Galileo or Pythagoras.
  • by Anonymous Coward on Monday November 21, 2005 @03:17PM (#14084472)
    ...Will we see this as a dup on /. in about a month?

  • My Question (Score:5, Insightful)

    by rolfwind (528248) on Monday November 21, 2005 @03:18PM (#14084480)
    How can you stay neutral when one side is funding your research?
    • Re:My Question (Score:5, Insightful)

      by garcia (6573) on Monday November 21, 2005 @03:27PM (#14084575)
      How can you stay neutral when one side is funding your research?

      This isn't something that I think can be answered as no matter what he says most of the readership here won't believe him (myself included).

      Regardless of any study *I* have interpreted data for, I'm always looking to slant it in *my* favor. There's no way that *any* one person is able to present a set of data, paid for or not, in a neutral manner.

      Even if they can, we won't believe them unless it's for our side ;)
      • Integrity (Score:3, Insightful)

        by everphilski (877346)
        Its called integrity... I take it you've never done scientific research before (and if you have, shame on you)

        -everphilski-
      • Re:My Question (Score:3, Insightful)

        by slavemowgli (585321)
        Well, if you're not looking for a particular outcome, then it'll at least be easier for you to actually get to grips with unexpected outcomes instead of modifying the study until the results suit you - I think that's something that's a definite risk if you get paid by one side. Even when you still try to be objective, and even when you don't get any pressure whatsoever (explicit or implied) to come to a certain conclusion, I don't think you can truly be objective if one side is paying you.

        When you're not be
    • Re:My Question (Score:4, Insightful)

      by Decaff (42676) on Monday November 21, 2005 @03:30PM (#14084620)
      How can you stay neutral when one side is funding your research?

      Because if you don't, no-one will fund your research again. Anyone can find marketing people and spin doctors. Quality researchers are hard to find, and if there is evidence of biased or forged research, their career is at an end.
      • Re:My Question (Score:3, Insightful)

        by UserGoogol (623581)
        I don't know if that's true. Good biased research is done by actually conducting serious research and then selecting the most skewed way to interpret the data. This requires a bit more skill than just pulling numbers out of your ass.
      • Re:My Question (Score:3, Insightful)

        by peragrin (659227)
        Yankee Group
        Garter,
        Enderle consulting,

        Do any of these names ring a bell? all but the last on claims to be unbaised but their reports can be shown in minutes to us predetermined Data.

        So what was that about being neutral again? Which group is making more money than you do every minute?
    • Re:My Question (Score:4, Interesting)

      by miffo.swe (547642) <daniel.hedblom@g m a i l .com> on Monday November 21, 2005 @03:38PM (#14084690) Homepage Journal
      No problem, just apply yourself with some integrity. Sadly this is a rarely seen trade theese days. This kid is an Microsoft MVP (Most Valuable Professional) so its not only the funding that makes it hard to see him as unbiased.

  • by miffo.swe (547642) <daniel.hedblom@g m a i l .com> on Monday November 21, 2005 @03:19PM (#14084500) Homepage Journal
    The study seemed to only compare comercial applications on the various platforms and not the alternatives. Its very common that comercial apps on Linux have poor support on Linux while the free alternatives blows most out of the water on Windows too. Its not especially hard to select a couple of apps with stellar support on Windows and SAP like support on Linux and blame Linux when the problem really lies in the lack of vendor support. Some vendors even support just one specific linux version without! any patches applied.

    What care was taken in selecting applications with similar support offerings to not bias the study heavily to Microsofts advantage?

    • What commercial apps on Linux did he use, exactly? I just looked over the report, and I saw Apache, PHP, GLIBC, and MySQL. I'd argue that comparing MySQL to MS SQL Server is like comparing a bicycle to a BMW, but still, MySQL, PHP, GLIBC, and Apache are probably the best supported Linux-based apps on the planet. Did you even read the report?
      • by julesh (229690) on Monday November 21, 2005 @05:54PM (#14085875)
        What commercial apps on Linux did he use, exactly?

        See Appendix 5.

        During the experimental trials, 3rd party best-of-breed components were chose to satisfy the needs of the solution. [...] The specific 3rd party vendors are not disclosed because the focus of the study is the methodology and not a specific component.


        The commercial apps in question, though, had dependencies on (1) a very recent version of MySQL, and (2) a more recent version of glibc than is included in the version of SuSE in use. These two dependencies were the root cause of almost all the problems described in this paper.
  • by One Louder (595430) on Monday November 21, 2005 @03:20PM (#14084505)
    Do you believe your study would have been allowed to be published had the results turned out against them?

    How many Microsoft-funded studies have been buried because the conclusion was "incorrect"?

  • by hackstraw (262471) * on Monday November 21, 2005 @03:21PM (#14084514)
    I find that there are too many variables plus unknowns to preemptively measure a TCO before a system has been installed and maintained and migrated to the next system. The maintenance is sometimes addressed, the end of life is rarely if ever addressed.

    My personal bias is that Windows systems are good for being domain controllers and file servers for Windows clients, and the UNIX/Linux is better for your typical "headless" dull day to day server stuff like web servers, email, database servers, HPC machines, etc.

    So my questions are: Are these studies worth anything more than pseudo-science advertisements, and if so why? And why is the end of life so rarely discussed?
    • File servers (Score:2, Interesting)

      by StupidKatz (467476)
      [..]Windows systems are good for being domain controllers and file servers for Windows clients [...]

      Windows:
      Client Access Licenses

      Linux:
      Samba [samba.org]

      Additionally, software such as NIS exists to fill the role of a single-sign-on, although I've only had painful experiences with it, personally (using Solaris in a completely crazy setup).

      • Additionally, software such as NIS exists to fill the role of a single-sign-on, although I've only had painful experiences with it, personally (using Solaris in a completely crazy setup).


        Nooooooooooooooooooooooooooooo...............

        NIS is horrible for SSO because it essentially hands out the hashs of the passwords to the chient. *Never* use it for SSO unless you absolutely have to.

        It is better to use Kerberos for SSO and NIS for a sort of primitive directory services infrastructure than use NIS for SSO. H
      • Linux:
        Samba

        Additionally, software such as NIS exists to fill the role of a single-sign-on, although I've only had painful experiences with it, personally (using Solaris in a completely crazy setup).


        I love it how a random link that mentions UNIX/Linux doing something that Windows does AND an admitted headache associated with it gets modded up.

        I don't know much about Windows, but I'm sure its adequate for being a middle man between a RAID array and a client to copy files around, and adequate for checking pass
  • by MosesJones (55544) on Monday November 21, 2005 @03:24PM (#14084556) Homepage

    Microsoft and Linux distros have had a policy for some time of including more and more functionality in the base operating system, the latest example is the inclusion of "Local Workflow" in Windows Vista.

    As a security expert do you think that bundling more and more increases or decreases the risks, and should both Windows and Linux distros be doing more to create reduced platforms that just act as good operating systems.
  • Those who pick the metrics always win the pissing match.

    But my questions are: What do you hope to achieve from the study? To dissuade people from Linux and somehow get it shut down? Would the world be better served by a Windows only market?

    And an additional would be: How do you suppose to convince all the people who have switched from Windows to Linux and stayed there BECAUSE it met [or exceeded] their needs that Windows is actually the better technical choice?

    And last would be: How does it feel to sel
    • Results (Score:5, Interesting)

      by everphilski (877346) on Monday November 21, 2005 @03:32PM (#14084631) Journal
      He was paid to evaluate two possible scenarios given a set of initial conditions. Researchers do it all the time in this place we like to call the "real world" - in engineering for example. You take a few alternative designs, apply the constraints you are given, and pick the right tool for the job.

      Dr. Thompson was given a set of conditions and two contendors, he gave his evaluation, done deal. It doesn't imply endorsement. I'm an engineer - I evaluate options regularly. Sometimes I have to pick options I didn't like. But I do it because they are the right option for the given scenario. If the conditions were different the results probably would have been different.

      -everphilski-
      • blah blah blah.

        I can't think of one thing windows does better in the desktop or server market that Linux [and the scores of OSS tools] can't totally do better.

        File store? Nope. NFS.
        Web server? Nope. Apache
        DB server? Nope. MySQL, Oracle and postgres.
        Print server? Nope. Cups.
        NAT router/firewall? Nope. Iptables
        Media box? Nope. X11 + mplayer + apache == remotely controlable media box
        workstation? Nope. X11 + Gnome + openoffice + cvs + latex + ... + ... + ...

        etc, etc, etc

        If some twit half-wit can't s
        • I might add that Linux has better support for RAID than Windows [which has little to none] and that you can easily tarball your filesystem for an immediate restore.

          Can't do that in windows. :-)

          That also makes ghosting easier. Oh and I might add ... all with FREELY AVAILABLE TOOLS. No shelling out for "Norton Ghost" when tar + bzip2 will do all you need.

          Tom
        • Name one thing you can do on a windows desktop that you can't [for technical reasons] do on a Linux powered one?

          Play most computer games released for personal computers?

          • Re:Results (Score:2, Funny)

            by tomstdenis (446163)
            Technical reason.

            Developers just not targetting it is not it. It isn't like multimedia [openal.org] libraries don't [demon.co.uk] exist [opengl.org] for [libsdl.org] many platforms including Linux.

            It's FUD spreading people like you who give OSS projects bad press. Go stand in the corner and think of what you did.

            Tom
        • zzzzzzzzzzzzealot

          OK here goes. Engineering analysis. Name a good Finite element analysis package (algor? not really). Now a good 6DOF trajectory package. Now a good CAD package (you might be able to name a half-ass one, but not a good one). You have a point, for people doing generic IT things or generic end-user things yea, linux and windows, doesnt matter. But for those of us with specific needs - in engineering, certain types of media, etc - the markets locked up and TCO does point in a certain direction
        • I haven't heard good things about NFS security, or NFS performance on Linux.
        • Re:Results (Score:4, Interesting)

          by Zathrus (232140) on Monday November 21, 2005 @04:15PM (#14085019) Homepage
          I can't think of one thing windows does better in the desktop or server market that Linux [and the scores of OSS tools] can't totally do better.

          Debugger.

          Sorry, ddd/gdb, Eclipse, and so forth are pale shadows to MS Visual Studio still, particularly for C and C++ work (Eclipse is probably the best for Java though).

          Our code is cross platform Unix, but we maintain a Windows port for one reason only -- debugging. Using Visual Studio is far, far better than the alternatives. We vastly reduce the time involved in finding and eliminating bugs by doing so. And no, we don't sell the Windows version. It's literally only used for internal debugging.

          Is there a technical reason why the Linux debuggers couldn't be better? Of course not. That's completely and utterly irrelevant (as are most of your "explanations" you attempt to give in rebuttal) though. The fact of the matter is they aren't, and are actually several years behind in comparison.

          And no, I don't develop in Visual Studio -- I prefer vim. And we use CVS for source control. We use gmake (even on Windows) and other OSS tools too. Best tool for the job.
          • Debugging in Linux (Score:3, Insightful)

            by Peaker (72084)
            While the Visual Studio debugger has some nice features that gdb frontends lack:
            • Partial recompilation during runtime
            • Convinient stepping into assembly code

            The two are largely equivalent.

            I use emacs gdbsrc mode to debug my code, and I can set breakpoints, conditional breakpoints, step in, step over, print any expression, or call any function I want in the debugger. If I recall correctly, you cannot really manually call functions in the Visual Studio debugger, but correct me if I'm wrong.

            There are also advanta

      • Re:Results (Score:5, Insightful)

        by Znork (31774) on Monday November 21, 2005 @03:59PM (#14084884)
        The study had admins manually resolving dependency conflicts and borking their systems. I dont think 'right tool for the job' is even on the map if that's where the admins end up.

        I mean, by whatever deitys protect sysadmins, _manually_ upgrade _glibc_??? I havent done that since before package systems were invented.

        "If the conditions were different"

        You mean, if the Windows admins spent most of their time manually copying files in dos shells from floppy disk because they for some inexplicable reason didnt want to use more modern methods for handling such problems?

        If the conditions are to benchmark people doing things the wrong way then I rather doubt the value of the conclusions.
  • Sample window size (Score:5, Interesting)

    by Monoman (8745) on Monday November 21, 2005 @03:28PM (#14084593) Homepage
    I only skimmed over the public comments and your survey. My impression was that the sample period you chose was very small. Why so small? It seemed so small that it struck me as deliberate to get a predetermined outcome. I am not saying that was your intention but it does give the appearance that it could have been.

    Have you considered increasing the sample period?

  • by Daveznet (789744)
    If the same study was not funded by Microsoft and was funded by a company that supports Open source and the linux platform say google or IBM would your results have been the same?
    • The thing about it is, I think that the same study would not have been funded by a company that supports F/OSS and Linux. The reason is mentioned in a comment a few posts up- the results were given for a very specific set of circumstances. I would venture to say that Microsoft probably knew a few cases where it could objectively beat Linux, and then chose to have a study conducted to prove that. If IBM or Novel or Redhat were to fund a study, I'm sure they would pick the circumstances in which they have
  • Curious (Score:3, Interesting)

    by Anonymous Coward on Monday November 21, 2005 @03:29PM (#14084606)
    "As they attempt to increase business capabilities over time, customers are telling us that they are hitting a wall with Linux, experiencing significant reliability issues resulting in higher total cost of ownership," said Martin Taylor, general manager of platform strategy at Microsoft.

    If scaling up on windows means significant reliability issues, how has google managed to avoid these despite scaling to the level they have?

    Or Amazon, which I beleive also runs on linux. These are true enterprise level e-commerce apps, and despite the tons of studies saying they've picked the WRONG computing platform, places like google, amazon have amanged to create profitable businesses on non MS platforms.

  • Personal OS (Score:3, Interesting)

    by mchawi (468120) on Monday November 21, 2005 @03:30PM (#14084616)
    What OS do you run personally - and why?

    IE: If you run Windows is it because that is what they run at work? If it is an Open Source OS - is it because you believe in open source? If it is OSX - why wasn't it included in the study?

  • Altho I can understand that Novell are protecting their interests, the same could be said about microsoft.

    Also, did Microsoft give you some procedures or methodology to follow in your study?

  • by gentimjs (930934) on Monday November 21, 2005 @03:33PM (#14084643) Journal
    How many NDAs did you have to sign before starting the study? Did anyone pull you asside to "set the record streight" before the study began? How were you first asked about doing this study? Was it something like "hey, we need a study to boost our TCO stats, here's some cash..." or was it more altruistic like "hey, we need to see how we stack up agaist the competition .. heres some cash, and dont hold any punches!" -GenTimJS
  • Apache versus IIS (Score:5, Interesting)

    by 00_NOP (559413) on Monday November 21, 2005 @03:33PM (#14084645) Homepage
    Simple one: of course I accept that Windows and Linux are a priori equally vulnerable - C programmers make mistakes. the question is which model is most likely to deliver a fix fastest. Given that the one area where Linux is probably in the lead over Microsoft's software is in the realm of the webserver - why are my server logs filled with artifacts of hacked IIS boxes but apache seems to remain pretty safe?
  • by evenprime (324363) on Monday November 21, 2005 @03:35PM (#14084657) Homepage Journal
    Everyone on /. likes to complain about microsoft security, and microsoft PR people like to point out their improvements. Here's a chance to give ammunition to both sides. What do you think are the three biggest security improvements microsoft has made in the past two years, and what are the three biggest security-related issues that still remain?
  • by Sheetrock (152993) on Monday November 21, 2005 @03:35PM (#14084658) Homepage Journal
    Lately, I've felt that Microsoft is emphasizing greater trust in their control over your system as a means of increasing your security. This is suggested by the difficulty of obtaining individual or bulk security patches from their website as opposed to simply loading Internet Explorer and using their Windows Update service, the encouragement in Service Pack 2 of allowing Automatic Update to run in the background, and the introduction of Genuine Advantage requiring the user to authenticate his system before obtaining critical updates such as DirectX.

    In addition, Digital Rights Management or other copy protection schemes are becoming increasingly demanding and insidious, whether by uniquely identifying and reporting on user activity, intentionally restricting functionality, and even introducing new security issues (the most recent flap involves copy protection software on Sony CDs that not only hides content from the user but permits viruses to take advantage of this feature.)

    I would like to know how you feel about the shift of control over the personal computer from the person to the software manufacturers -- is it right, and do we gain more than we're losing in privacy and security?

    • Re: Your sig (Score:3, Informative)

      by Krach42 (227798)
      effect:
      tr.v. effected, effecting, effects
      1. To bring into existence.
      2. To produce as a result.
      3. To bring about. (*See Usage Note at affect*).

      Usage Note: Affect and effect have no senses in common. As a verb affect is most commonly used in the sense of "to influence" (how smoking affects health). Effect means "to bring about or execute": layoffs designed to effect savings. Thus the sentence These measures may affect savings could imply that the measures may reduce savings that have already been realized, w

  • by hahiss (696716) on Monday November 21, 2005 @03:36PM (#14084668) Homepage
    You tested six people on two different systems; how is that supposed to yield any substantial insight into the underlying OSes themselves?

    [At best, your study seems to show that the GNU/Linux distribution you selected was not particularly good at this task. But why does that show that the ``monolithic" style of Windows is better per se than the ``modular" style of GNU/Linux distributions?]
  • You are paid by a company to compare their product to the competition, and, what a surprise, you end up with the conclusion that your employer's product is superior.

    Who's the target audience for that marketing speech?
  • by dtfinch (661405) * on Monday November 21, 2005 @03:38PM (#14084692) Journal
    The Linux administrators faced some out of the ordinary challenges, not faced by most Linux admins, while the Windows admins faced none.

    For example, most of the time difference between Windows and Linux was spent upgrading gLibC, something that you're really not supposed to do. It's comparable to trying to manually upgrade parts of a Windows 98 system to run a program that required XP, rather than actually upgrading to XP.

    Then, you had the Linux admins getting updates from 4 different sources, rather than just from SuSE's repositories, which is also out of the ordinary, while the Windows admins only visited Windows Update, which only supplies patches to the base operating system, when in reality they'll have to get updates from many other sources if they wanted to keep their apps up to date.

    Do you think this was a fair study?
    • by miffo.swe (547642) <daniel.hedblom@g m a i l .com> on Monday November 21, 2005 @03:54PM (#14084833) Homepage Journal
      The glibc upgrade was if i understood it correctly done instead of just compiling MySQL manually. I was boggled, why would you change glibc instead of making a fast compile? Upgrading glibc will make the whole OS and all its applications unstable, its almost as it was intentional. I have a hard time beleiving a seasoned linuxadmin would do such a stupid thing as upgrading glibc.

      Its smells funny indeed.

  • The link to the study is for a different one, comparing RHEL to Windows. Here is the actual study [microsoft.com] and slashdot article [slashdot.org] for the right one, comparing to SUSE.
  • by 99BottlesOfBeerInMyF (813746) on Monday November 21, 2005 @03:41PM (#14084714)
    I haven't had time to read through this study in its entirety, but from what I have seen it looks like there are several things that could lead it to improper conclusions. First, some of the procedures used to define the benchmarks seem completely arbitrary. For example, security fixes are applied on a monthly basis, rather than as they become available and can be tested, or based upon their severity. In my experience some security patches are tested and applied immediately and others are applied later. Also, no mention is made of mitigating the effects of security vulnerabilities/exploits before a patch is available which, while uncommon does happen. Coincidentally, Microsoft has moved Windows to a monthly patch release cycle. Don't you think defining the operating procedures to be exactly those used by one OS, and not the other biases the test?

    Another concern I have is that while your study simulates the installation and upgrade of two different systems based upon two OS's, it does not seem to simulate the real-world work needed to keep those systems running on a daily basis. In the real world systems break, worms clog the network, and regular maintenance must be done. Your study seems to completely disregard all that work and focus only on install/upgrade. Why did you not base your study on the behaviors of a real working system with a simulated network attached? It seems like the shortcut method you used to quickly evaluate only certain tasks makes the study wholly academic and loses any value as a predictor for the operation of a real network, over time, with real traffic.

    Finally, I've seen it suggested that this study requires that all software be updated to the latest versions, but While Linux based servers constantly release the latest patches to each component as they become available, Windows only releases them en masse, How then can you compare the two? To be perfectly fair one would have to know what development has happened on the various components of Windows and rate all of those components as failing to be updated (since MS has not yet released that version). Barring such inside information, any comparison between a system with an open development process and one with a closed development process is critically flawed. Do you not see this as a problem with your study?

  • How much would it cost us to buy a study showing open source solutions are more reliable?

    Seriously, I know this will be dismissed as simply "anecdotal" but in all my years of working with Windows and PC Unix machines (including sysasmining a 50 desktop business for 7 years) I've found the PC Unix boxes, once setup and running, work reliably day in and day out, whereas every Windows box has experienced some kind of 'bit rot'. I've seriously though Microsoft must put some kind of timer in there to throw rando
  • by altoz (653655) on Monday November 21, 2005 @03:44PM (#14084741)
    Looking at your research report's appendices, it seems that the requirements for Windows Administrators were somewhat different than the Linux Administrators. For instance, you ask for 4-5 years sys admin experience minimum for Windows, whereas it's 3-4 years sys admin experience minimum for Linux.

    Why wasn't it equal for both? And doesn't this sort of slight Windows favoring undermine your credibility?
  • by killmenow (184444) on Monday November 21, 2005 @03:46PM (#14084754)
    Do you think there is reasonable evidence of vote tampering in the 2004 US Presidential election? Do you think the current batch of Diebold machines in Ohio or other electronic voting machines in use for that election are trustworthy?
  • by digitaldc (879047) * on Monday November 21, 2005 @03:47PM (#14084768)
    How is it that Diebold can make ATM machines that will account for every last penny in a banking system, but they can't make secure electronic voting machines?

    Also, does the flame-resistant suit come with its own matching tinfoil hat? (don't answer that one)
  • by Infonaut (96956) <infonaut@gmail.com> on Monday November 21, 2005 @03:49PM (#14084791) Homepage Journal
    Did Microsoft come to you with a specific set of metrics, or did you work with them to develop the metrics, or did you determine them completely on your own?

    Kudos to you for braving the inevitable flames to answer people's questions here on Slashdot.

  • The study, commissioned by the software giant from Security Innovation, a provider of application security services, claimed that Linux administrators took 68 per cent longer to implement new business requirements than their Windows counterparts.

    Would you be willing to say that the statement, among others, found in media reports does not correctly represent your findings?
    If so, are you planning on determining the source of these statements (ie. Microsoft spin doctors) and pursuing legal action?
  • by gorbachev (512743) on Monday November 21, 2005 @03:53PM (#14084831) Homepage
    Dr. Thompson,

    How do you explain the different conclusions from studies funded by Microsoft and studies funded by Unix/Linux vendors? Shouldn't studies that essentially study the same issue inevitably arrive in the same conclusions, if the research for the study was made independently, honestly and with no systemic errors? How do you expect people to take any of these studies, whether pro-Microsoft or anti-Microsoft, seriously?
  • by John the Kiwi (653757) <.moc.iwikehtnhoj. .ta. .iwik.> on Monday November 21, 2005 @03:56PM (#14084854) Homepage
    Mr Thompson

    I've always wondered exactly how much Linux based knowlege a writer should have in order to write a report on the TCO of Linux based networks and software.

    How much Real World/In the Trenches experience do you have implementing and supporting large network and software applications that run Microsoft products compared to *nix based solutions?

    Exactly how experienced are you with Linux? What is your favourite distro? How long have you been running Linux?

    What is the best thing Windows does better than Linux?

    What is the best thing Linux does better than Windows?

    Have you ever contributed to an Open Source project or been part of an Open Source community?

    Thanks

    John the Kiwi
  • by arevos (659374) on Monday November 21, 2005 @04:02PM (#14084917) Homepage
    The Data Mining Software used in M1 required the Linux administrators to use MySQL 4.1, which was not part of the SLES distribution. This appears to be where the majority of the problems with the Linux servers stemmed from. Do you think the choice of Linux distribution and/or Data Mining Software biased the outcome report in any way?
  • by Qrlx (258924) on Monday November 21, 2005 @04:04PM (#14084930) Homepage Journal
    I wonder if it's really appropriate to make TCO guesstimates from a study which essentialy asks the question "Which OS has nicer installers?"

    From the study:
    We conducted an experiment pitting Windows 2000 Server against SuSE Linux
    Enterprise Server 8, simulating [a] one year period...At the end
    of the period, both systems are then transitioned to the more recent versions of their
    respective operating systems, Windows Server 2003 and SuSE Linux Enterprise Server 9.

    What I find lacking is the business case for upgrading the OS. And why on earth would any enterprise with even the tiniest amount of foresight and planning deploy Windows 2000/SuSE 8 knowing they will upgrade to the next gen just one year later? (Not that there aren't plenty of enterprises who fit your model, not to mention IT workers seeking to "power level" their skills...)

    Now, certainly there is value in trouble-free installs. But can you say with confidence a better upgrade experience is really a fair test of value? Especially when the entire install/patch/upgrade philosophy between Windows and Linux is so disparate?

    In other words: It's no surprise that Windows will perform better on the treadmill, constantly upgrading is at the very core of Microsoft's profitability.
    --
  • Weak setup (Score:5, Interesting)

    by 0xABADC0DA (867955) on Monday November 21, 2005 @04:05PM (#14084938)
    If I understand the study correctly, the windows side had to do nothing but set up a server to do a few different tasks over time and run windows update. The linux side had to have have multiple incompatible versions of their database server running simultaneously on a single system and had to run unsupported versions of software to do it.

    Why wasn't the windows side required to run multiple versions of IIS or SQL server simultaneously? In real life if you need to run multiple database versions you use virtualization or multiple systems, especially if one requires untested software. You don't run some hokie unstable branch on the same system as everything else. Why was a linux solution picked that required this level of work? My other related question is, did any of the unix administrators question why there were being asked to do such a thing? For example, did they come back and say they need a license for vmware? If they did not they do not seem like very competent administrators in my opinion.
  • Security and the web (Score:3, Interesting)

    by whitehatlurker (867714) on Monday November 21, 2005 @04:06PM (#14084946) Journal
    Given that you are in the field of security and that there is much concern about security holes in web browsers, I'll ask: "What web browser do you use, and why?"

    Of course, with this audience, you might want to say FireFox, or possibly Safari. I am curious if you use MS IE. (Though I'd like to hear "Opera, of course.")

  • A Few Comments: (Score:5, Interesting)

    by abscondment (672321) on Monday November 21, 2005 @04:36PM (#14085187) Homepage
    1. Windows administrators are forced to wait until Windows releases a patch for known vulnerabilities to upgrade their systems. Why, then, were the Linux administrators told to attempt to upgrade their systems before Novell had released newly packaged versions of MySQL? The entire point of a package management system is that administrators rely on companies like Novell to correct dependencies prior to deployment. Since Windows administrators have the same constraint (i.e., waiting for security updates to be released), it is an unfair and arbitrary difference that caused a lot of troubles.

    2. Why did you compare the number of patches required to apply between the systems? This is not a measure of security. Windows patches are bundled and affect many parts of the operating system while Linux patches affect individual components. The overtone in your paper implied that fewer windows patches was in some way easier or more secure; what justification do you have for this assertation?

    3. While kernel patches did not require an immediate reboot during installation, the majority of them need a system restart to immunize the system against a specific vulnerability.

      -Page 25, under "Patching and Milestone Upgrades"

      What is the rationale behind this? Were the Linux administrators required to restart at this point? This is an incredibly contrived situation; one can simply stop and re-start the process in question after the upgrade has completed.

    4. Furthermore, the upgrade methodology questionable. Real companies use development and production servers and don't upgrade the production server until a reproduceable upgrade trajectory has been tested on the development server. The actions of these administrators imply that they had no such access, and that there was no possibility for backtracking or restarting after a failed step. Normally, one would expect the ability to nuke the development server and start over, rather than following a bad plan to worse conclusions.

  • by fdisk3hs (513270) on Monday November 21, 2005 @05:13PM (#14085506) Homepage
    A quick read of the report shows that the real losers here seem to be the Administrators. Some of the Linux admins "could not meet business requirements", and some were judged as failures by not using vendor-supplied solutions.
    Isn't one of the points of running Linux servers the freedom to use solutions NOT supplied by the vendor? Is it even possible for the Microsoft admins to make changes that aren't fed from the vendor?
    When the only tool you have is the "Upgrade" button, and the button doesn't work, what then? The advantage of Linux in administration is the flexibility to Make It Happen, even if the vendor sends you something broken.
    I know good admins on Microsoft, and good ones on UNIX. They seem to Make It Happen no matter what, because that is their job. Making It Happen sometimes include custom fixes, that are documented, so you can undo them when the vendor comes through (hopefully) later.
    So the Final Question is, why was it bad for the Linux admins to stray from vendor-supplied fixes, and why is the lack of flexibility on the Microsoft side a "win"?
  • by epan47 (932929) on Monday November 21, 2005 @05:19PM (#14085553)
    Dr. Thompson, the way you selected the administrators seems to suggest a strong bias against Linux. In Appendix 3 (page 41), you recruited Windows administrators with at least 4-5 years of Windows administrator experience, while in Appendix 4 (page 43), you recruited Linux administators with just 2 years of Linux experience.

    It seems that either you're a true Linux believer thinking that a Linux administrator can out-smart, out-perform a Windows administor with twice the experience, or that your experiment was setup to pit inexperienced Linux admins against experienced Windows admins.

    So which is it?
  • by ramsejc (671676) on Monday November 21, 2005 @05:22PM (#14085581) Homepage

    How do your findings hold up against page 31 of the recent leaked MS Singularity OS research document found at ftp://ftp.research.microsoft.com/pub/tr/TR-2005-13 5.pdf [microsoft.com], in which MS compares current versions of Windows XP, Linux and FreeBSD, only to show that Linux and FreeBSD outperform Windows XP?

    Why do you suppose that MS would even consider building a new OS from the ground up, as they are doing with Singularity, if their current model already beats the competition?

  • by Medievalist (16032) on Monday November 21, 2005 @06:24PM (#14086173)

    Question: Were the "underlying assumptions" and basic methodology (which you very responsibly and sensibly do report in your study) dictated to you by Microsoft or some other external entity, or did you yourself come up with the test scenario?

    I ask because the consensus around here seems to be that the conditions and methodology were cherry-picked to favor systems with single-vendor provenance and ease of initial installation, and do not include any real measures of operational stability or reliability.
  • by Irvu (248207) on Monday November 21, 2005 @07:12PM (#14086571)
    Dr. Thompson.

    You note yourself, in your study that the sample is based upon 6 system administrators/systems. That number is, as you yourself note, too small to be considered definitive. That being the case I would argue that this makes the report viable not as a decisionmaking tool but a marketing tool. Were I a CIO I would feel unwilling to base my conclusions soley on a sample size of 6. What is your opinion on this? Do you expect further, more statistically-significant, work to take place? Or do you feel that this is not a problem?

  • Vendor Tools (Score:4, Insightful)

    by YoJ (20860) on Monday November 21, 2005 @07:32PM (#14086707) Journal
    Your study is interesting, but without knowing the 3rd party tools and applications that were used in the test how can we know the results are valid? Without disclosure the results are irreproducible. My hypothesis is that many of the applications were very poorly supported for linux and well-supported for Windows, but without knowing the applications I can't know if this is true or not.
  • by Irvu (248207) on Monday November 21, 2005 @07:42PM (#14086802)
    So far as I can tell, the essence of your study, and your conclusions rests on the following assumptions:
    1. The set of requirements listed is a natrual one.
    2. The schedule is a normal business schedule.
    3. The method by which the components were selected, ordered, and applied was natural.


    You state in your report that the requirements were developed after interviews with "leading CIO's, CTO's, ..." Nowhere do you state who conducted those interviews and, crucially, how many of them had overlapping requirements. Similarly, you do not state how you selected the particular schedule of your study both in terms of the product-period that you examined and the feature schedule you considered.

    Moreover, in appendix 5 of your study you show little overlap between the lists of popular component users. Many of the groups listed for one "popular solution" were not listed on another. Nor did you separate these lists by operating system. This give no indication whether the popular components are ever used in concert. Nor does it indicate how many groups are using each feature set or system. Nor even where these user numbers came from.

    I bring these points up because they point to potential holes in your study that I am curious about. In particular:
    1. If either Microsoft or Novell supplied either the requirements list and/or the upgrade schedule then the study is vulnerable to the assertion that they schose a schedule, time, etc that was most favorable to them.
    2. If the most popular 'component' solution to any one task is used only by one group but not another then this may point to general incompatibilities between them. When making a purchasing decision I typically consider the current state of my system and potential compatibilities with future upgrades. If the components selected for either os are not typically used in concert then this raises the possiblity that the components have known incompatabilities that would keep them from being used together. In that event the system administrators would be installing packages that are not meant to go together and would not be selected by a real-world selection metric, and as a result faced unrealistic issues.
    3. In your selection of "popular components" you focused on 3rd party solutions. Nowhere do you state whether you considered only commercial vendors of such solutions or open-source vendors as well. If you focused soley on commercial products that might mean that the system administrators were actually installing less popular, or less viable products on the linux side given the lower amount of such vendors for the Linux platform.
    4. If the schedule of upgrades was not one used by many of the real world companies but again, an artificial one constructed as a superset, then the study is vulnerable to the charge that it used an unrealistic technical schedule for installing and testing components.


    My question is, do you see these as issues? If not why not?

"No job too big; no fee too big!" -- Dr. Peter Venkman, "Ghost-busters"

Working...