[ISN] Linux report stirs hornets nest

InfoSec News isn at c4i.org
Wed Apr 13 06:16:27 EDT 2005

Forwarded from: security curmudgeon <jericho at attrition.org>
Cc: guymatthews at transom-media.co.uk, mike.magee at theinquirer.net, consultingservices at yankeegroup.com

: http://www.theinquirer.net/?article=22460
: By Guy Matthews
: Yankee Group software analyst Laura DiDio put out a report last week 
: daring to suggest, based on extensive research, that Microsoft Windows 
: Server 2003 may be as good as, if not in some respects better than, 
: Linux in terms of quality, performance and reliability.

Based on extensive research? Or based on extensive questionnaires? Big
difference. Read on for a bit more truth than this crappy opinion
piece gives us...

: A virtual techie "fatwa" seems to have been the result. Her views have 
: been repeatedly savaged by Linux apologists, accusing her of bias in 
: favour of Microsoft. DiDio has hit back denying any such leanings, but 
: the self-appointed Ayatollahs of open source have paid no heed.

Amusing that you call these linux apologists fun names like
"self-appointed Ayatollahs of open source" while she calls them "nut
jobs" and "extremist fringe of linux loonies".

Is there a chance.. just a remote, outside *chance*, that there could
be some bias in this survey? That these linux "nuts" have a reason to
be angry? Does the fact that Microsoft has funded such studies over
the last half decade give them reason to question her motives? Of
course there is.

: DiDio says the Yankee Group end user study her analysis was based on is 
: strictly independent, and not something she has any personal influence 
: over.

Unfortunately, if you go to the Yankee Group site [1] you see her
picture on the left (but not on the list of analysts), you find a PDF
mentioning the upcoming study on TCO [2], but no clear links to the
survey results that I can see. Are they hiding it? No.. read on.

: This is not the first evidence suggesting a strong streak of 
: unreasonable insanity in the Linux community. Last year security analyst 
: firm Mi2g claimed Linux was getting hacked more frequently than Windows, 
: the resulting brouhaha leading it to declare on its web site that "any 
: empirical evidence pointing to a high level of online Linux breaches is 
: immediately shot down by religious zealots as if a church had been 
: desecrated".

mi2g has a history of releasing material that has little factual
basis, no clear methodology, and a tendency to cater to news that gets
them attention, regardless of what it is. Very bad example to cite
backing your claims here. Please don't forget that only 6 years ago,
they ran 'portal' web sites dedicated to used cars as their only
business, then overnight became "security experts". You did know
that.. right Mr. Matthews?


Anyway, back to DiDio's survey. A quick search finds all kinds of
wonderful commentary on it, but not the actual survey (wonder why..).  
Turns out they are issuing press releases for this survey but not
releasing the results until June 2005 [8]. So it's basically "believe
what we say, even though we won't disclose our testing methodology",
then let time pass, then quietly release the actual survey after the
hype has died down and people begin questioning it? Oh wait, search
Microsoft and you find it.. now why would they have a copy so far in
advance and make it available on their site [9]?

Moving on, check a GrokLaw article [3] that comments on it. Now we see
that this survey [4] is a bunch of questions that was sent to W2Knews
readers [5] including "C-level" executives, who are likely not the
most unbiased people to ask about Windows vs Linux. Next, the article
mentions that DiDio did her "independent" research with Sunbelt
Software [6] who is also known for their spamming [7]. Reading their
'about' page finds they are Windows consultants:

  The company was founded in 1994 and offers product solutions that enable 
  companies to protect and secure their infrastructure from costly 
  inefficiencies including spam, Windows system downtime and network 
  security vulnerabilities.

Again, this is not the most unbiased group to 'research' Windows vs
Linux TCO issues.

Next, search Microsoft's site and you will find that not only has the
Yankee Group been good pals with Microsoft [10], DiDio herself has
done other studies that favored Microsoft (in their eyes) [11]. In
fact, Microsoft has previously funded Yankee Group to carry out
surveys [12] which undermines any claims from DiDio that she or Yankee
Group are unbiased and "independent".

[1] http://www.yankeegroup.com/
[2] http://www.yankeegroup.com/public/research/surveys.jsp
[3] http://www.groklaw.net/article.php?story=20040324085956154
[4] http://www.sunbelt-software.com/surveys/040213_Linux.htm
[5] http://www.w2knews.com/index.cfm?id=463
[6] http://www.sunbelt-software.com/index.cfm
[7] http://www.spamhaus.org/sbl/sbl.lasso?query=SBL3704
[8] http://www.yankeegroup.com/public/products/survey/brochures/2005NorthAmericanLinuxTCOSurvey.pdf
[9] http://download.microsoft.com/download/e/e/e/eee3b9eb-0dbe-4729-95e2-829d5127760d/YankeeGroup-CustomercasestudiesonSoftwareAssurance.pdf
[10] http://www.microsoft.com/presspass/press/2000/Jun00/OSSpr.asp
[11] http://www.microsoft.com/windowsserversystem/facts/indemnification/indemwp.mspx
[12] http://www.microsoft.com/presspass/features/2004/oct04/10-05SBServer.asp
