Dan Appleman: Kibitzing and Commentary

My personal blog

Now that we have reached the home stretch of the political season, the chance to actually vote on something… and the prelude to what is likely to be an extended and painful period of lawsuits, recounts and recriminations for one side or the other, it’s time to look ahead at what we can do to occupy our spare time for the few months until the next election cycle begins.
Fortunately, there is an ongoing contest that is quickly becoming just as extreme, just as polarized, and just as lacking in honesty as any political contest we’ve seen yet. Yep, it’s the good old closed vs. open source debate.

This is prompted by a couple of friendly messages I’ve received lately. The first, sent by a good friend, is a presumably objective report in the Register comparing the security of the two systems.

The other, an email from my good friend Steve Ballmer (who I’ve never met, but have seen from a distance at a technical conference or two), containing six pages (2700+ words) extolling the benefits of Windows over Linux in every possible way (including, of course, security, with an indirect reference to a study by Forrester Research).

Now, the Register article seemed to me well researched, but it’s pretty easy to see that despite the innocuous title “Security Report: Windows vs. Linux”, the piece is clearly advocating the Linux side. Let’s face it, an objective report is unlikely to have its first couple of sections titled “Myth: There’s Safety In Small Numbers” and “Myth: Open Source is Inherently Dangerous.” Still, it makes for a fascinating read, and the author’s arguments are based both on technological reasoning and hard statistics – not the anecdotal evidence so common in white papers and political campaigns.

I’m afraid this time the “Swift Boat Veterans for Truth” spam of the year award has to go to Ballmer’s letter. It was just too easy to see the spin. My first hint came with the name dropping – while reading the list of customer case studies I couldn’t help but see Kerry in his second debate name-dropping an endless list of senators and generals. I also found Ballmer’s “choose Windows because being on the wrong end of a software patent lawsuit could cost a customer millions of dollars, and massively disrupt their business” argument comparable to Dick Cheney’s “if you choose Kerry the terrorists will attack us” tirade (as a technologist, the idea of choosing software to avoid lawsuits instead of based on cost represents a huge failure on the part of our industry and society).

Then there’s the security article itself. The MSDN page is headlined “Windows Users have Fewer Vulnerabilities.” Imagine my surprise when I found the actual title of the Forrester report was “Is Linux more Secure than Windows?”

OK, so maybe the MSDN page refers to the conclusion? No – the executive summary of the report concludes: “both Windows and four key Linux distributions can be deployed securely”.

OK, so do Windows users actually have fewer vulnerabilities?

Well, Windows users do have fewer overall days of risk by their metrics – which might explain this quote. But the study also shows that Windows had the highest percentage of high-severity vulnerabilities.

I’m not going to try to guess which system is really more secure. I don’t have time to reconcile the methodology of these two reports (the Register report found that Windows had more vulnerabilities). Which brings me to my greatest frustration.

With technology advocacy and marketing becoming as polarized as a political campaign, who can we look towards to be honest brokers? Even non-sponsored objective reports are inevitably influenced by the biases and backgrounds of their authors, and their results spun by each side.

On one hand, I truly sympathize with anyone who actually has to make a choice between platforms. Between the lack of trustworthy information and the flood of marketing noise, the chances of being able to truly choose the best one for your situation are slim. On the other hand, perhaps there is good news after all. Both platforms work, and can be secured. Cost studies go both ways, but few of them seem to claim a real difference in total cost of more than 20%, which is probably well within the margin of error when calculating the cost of a large scale platform deployment anyway.

So if the two approaches really are comparable in cost and security, maybe the right answer is to choose based on a more arbitrary standard, like which name you like, or which fits better with your personal politics, or maybe the roll of a die. Who knows, the money you save by not studying and comparing and analyzing the choice may be more than the ultimate cost difference between Windows and Linux.