There are people out there who try to justify or defend Microsoft’s actions.
Attackers are just:
- going after an incredibly large and therefore easy target.
Microsoft is just being extremely competitive, the apologists say. Other people are just complaining about their woes rather than actually doing something better.
And then I read these two articles:
Microsoft changes MSN.com to prevent Firefox from right-clicking
Microsoft commissions independent firm to study cost of updating Microsoft and open source software
The first one talks about how MSN apparently prevents Firefox users from right-clicking or middle-clicking on links. If you read through the posts, someone talks about how you can use AdBlock, a nice Firefox extension, to prevent it. But the real problem is that Microsoft has decided to introduce this problem that exclusively affects competitors. But they aren’t acting in monopolistic ways. They are just being competitive. Yeah, right.
The second one talks about the results of a Microsoft-commissioned study on the costs of updating your software in a real world setting. It says that Microsoft software is less expensive to update and patch than open source solutions. It has some great lines:
“We already know how to secure a Windows-based solution and keep it running smoothly,” says Stephen Shaffer, the airline’s director of software systems. “With Linux, we had to rely on consultants to tell us if our system was secure. With Windows, we can depend on Microsoft to inform us of and provide any necessary updates.”
Now, let’s ignore the fact that Microsoft commissioned this study. I don’t want to assume that Wipro was skewing the results because I don’t know the details of the study. It could very well be that patching software on Windows is a lot cheaper than patching software on Gnu/Linux. Of course, Wipro’s strategic relationship may have had a hand in it, but again, it may be possible that they conducted a study without a conflict of interest.
But let’s assume that the study is legitimate.
It claims that each patch is cheaper to deploy on Windows than it is for OSS-based systems. It claims that even though there is a larger volume of patches for Windows, the lower cost per patch negates it. It claims that when patches are available, Windows systems get patched sooner than their OSS counterparts. And it found that for both systems, best practices lower costs of patching.
But apparently the companies surveyed had a larger number of Windows servers than OSS-based servers. Also, Apache, which is open source, running on Windows would be considered in the Windows category, so the results can be skewed in some ways. The study doesn’t explicitly say such details, but claims that Oracle on Red Hat would count as OSS. In a Windows vs OSS study, Oracle, which is owned by NOT MICROSOFT, shouldn’t have been in question in the first place.
In any case, they are claiming that while the costs for management tools for Windows are higher than the costs for their OSS equivalents, those tools being used on many more Windows machines and patches aggregate. To make a really exaggerated point, $100 spent on a tool you use 100 times on 100 servers means that each patch job can be $0.01. On the other hand, $50 spent on a tool that you use on 50 servers that you use twice will cost you $0.50, which is much more per use. Now, ignoring that some of the cheap patches credited to Windows are actually for OSS servers like Apache and that patches to non-OSS, non-Microsoft software running on OSS-based operating systems might cost some money, and ignoring that it has been shown that it takes fewer Linux admins to administer more machines, they are claiming that because Windows has a higher distribution than OSS-based solutions that economies of scale affect the cost of patching.
So this study isn’t claiming that Windows is cheaper to patch by virtue of being Windows. It means that it is cheaper to patch because it exists in more places. By the logic presented, if a company had only one Windows machine among hundreds of OSS-servers, the cost-per-patch for Windows would be astronomical in comparison.
That part of the study shouldn’t have much of an impact on what you choose to deploy. Obviously retraining will cost you plenty of money if you choose to switch from one to the other, but it isn’t because of anything inherent with Windows over OSS-based systems.
On top of that, OSS-based systems can include a wide range of software. Gnu/Linux, BSD, OSX? Red Hat, Debian, Novell? No, we’ll just lump those together and then hope people can figure out that the costs for one might be incredibly different than the costs for another.
And my favorite omission from the study is the fact that the world’s economies didn’t suffer millions in lost revenues and productivity due to the critical vulnerabilities in the OSS-based systems running the Internet infrastructure. It was due to the Windows machines running in corporate environments.
Windows costs less to secure? Maybe, if you bend the facts the right way. Again, the PDF study didn’t explicitly explain how it conducted the study. META group validated the approach and methods used in the study, but can’t vouch for the conclusions.
I don’t think that OSS is inherently secure. It is software, and there will be bugs and exploits. But there are fewer critical failings in OSS than there are in Windows. Firefox had its first critical problem, and there were anti-OSS zealots crying out “I told you so!” and “Completely secure, huh?!” No one claimed that OSS has complete security. There will be problems.
Still, Windows beats Linux on security? Yeah, right.