Groklaw - Cranking Out the FUD -- and Some AntiFUD -- on TCO and Security

	When you want to know more...

Home
Archives
Site Map
Search
About Groklaw
Awards
Legal Research
Timelines

ApplevSamsung
ApplevSamsung p.2
ArchiveExplorer
Autozone
Bilski
Cases
Cast: Lawyers
Comes v. MS
Contracts/Documents
Courts
DRM
Gordon v MS
GPL
Grokdoc
HTML How To
IPI v RH
IV v. Google
Legal Docs
Lodsys
MS Litigations
MSvB&N
News Picks
Novell v. MS
Novell-MS Deal
ODF/OOXML
OOXML Appeals
OraclevGoogle
Patents
ProjectMonterey
Psystar
Quote Database
Red Hat v SCO
Salus Book
SCEA v Hotz
SCO Appeals
SCO Bankruptcy
SCO Financials
SCO Overview
SCO v IBM
SCO v Novell
SCO:Soup2Nuts
SCOsource
Sean Daly
Software Patents
Switch to Linux
Transcripts
Unix Books

Gear

Groklaw Gear

You won't find me on Facebook

Donate

No Legal Advice

The information on Groklaw is not intended to constitute legal advice. While Mark is a lawyer and he has asked other lawyers and law students to contribute articles, all of these articles are offered to help educate, not to provide specific legal advice. They are not your lawyers.

Here's Groklaw's comments policy.

What's New

STORIES
No new stories

COMMENTS last 48 hrs
No new comments

Sponsors

Hosting:

On servers donated to ibiblio by AMD.

Webmaster

Cranking Out the FUD -- and Some AntiFUD -- on TCO and Security

Wednesday, April 07 2004 @ 09:30 AM EDT

Ever wonder what the Microsoft pitch might be when trying to sell businesses on the idea that Linux actually costs more than staying with Microsoft's products?

A reader sat through such a presentation, and he told me about it. The FUD was thick, but presented in a very appealing, professional, PowerPointy way, he said. The theme was basically that Linux is too risky and that it costs too much to train your employees.

Now you can share in the FUD fun without seeing the presentation personally. Here's WinXPNews' hilarious sales pitch, which seems to match what the reader described. Hilarious in an icky kind of infuriating way. Here's a taste of their article "Commercial Software vs. Open Source". You'll notice the title alone is misleading, implying that open source is invariably noncommercial, something SuSE, Red Hat, and Mandrake would take issue with, and which the article itself disproves by arguing against "commercial versions of Linux". *Sigh.* That's just the beginning. Here's part of why they think you won't save any money switching to a free operating system. They begin by stating that studies say so:

"The trouble with most of the studies arriving at this conclusion was that they were sponsored or funded in some way by Microsoft. This made them suspect, even though those out of Redmond protested that they commissioned the studies because nobody else was doing them. Well, now someone else has: The Yankee Group, a big market-research firm, has done an independent study that reaches pretty much the same conclusion. Their bottom line: technically Linux is pretty much equivalent (but not superior) to Windows and UNIX, but switching to Linux from Windows in a large enterprise will be three to four times more expensive than upgrading from a previous version of Windows."

Ah. A Laura DiDio sighting. It is she, coming to Microsoft's rescue with an "independent" survey "proving" that Windows really is cheaper than Linux. However did she manage such a feat?

CIO Today reveals the new math that made it possible to say that Linux costs more:

"'Keep in mind that TCO includes the risk of deploying Linux with little or no indemnification for customers,' DiDio said. 'Most businesses have to take a cautious and pragmatic approach when it comes to the systems they use.'"

Excuse me, but for starters customers don't need indemnification for using Linux. Maybe the businesses might want to consider indemnification or insurance for themselves from SCO or SCO-like nuisance lawsuits, but their customers are in no need of indemnification. I think she needs to recrunch those numbers. For that matter, what numbers? How did she quantify that "expense"? What numbers is she working with here that tip the TCO in Windows' direction? Here's Yankee Group's press release about the study. I tried to get the study itself, but haven't received it yet. If I do, perhaps then I can get answers to my questions.

She reports that respondents said Linux offers exceptional performance:

"While corporate customers report that Linux offers exceptional performance, total cost of ownership lags behind that of Windows and Unix platforms, states the study based on a survey of 1,000 I.T. administrators worldwide."

Her results are already being questioned, according to CIO Today:

"As might be expected, report author and senior analyst Laura DiDio is drawing a lot of heat, with some questioning sponsorship of the survey, as well as her motives. She told NewsFactor that it was an independent effort that included two-dozen interviews with CIOs and other high-level corporate officials."

Two dozen. I wonder how she picked them. She worked with SunBelt Software, according to The Age:

"The survey . . .was done in association with Sunbelt Software, a Windows NT/2K/XP Tools Provider."

I'm sure they have no axe to grind, despite having a business that totally depends on Microsoft. InternetNews says DiDio told them"no outside agency or company funded the survey." Presumably that means Yankee Group paid for it.

She found that 76% of respondents gave Linux and Unix comparable marks for reliability, "while the biggest concern for Windows customers was the amount of time spent installing security fixes and performing patch management," CIO Today reports. The Age notes this:

"Around a third of the respondents said they felt Linux is more reliable than Windows; 31 percent said their perception was that Linux is more secure than Windows; 29 percent feared being locked into an all Microsoft environment."

They also have more details on the indemnification issue:

"The biggest growing concern for Linux in the business world, however, comes from the failure of vendors to indemnify their products. DiDio is quick to point out that doesn't just mean indemnification over legal disputes, such as the highly-publicized lawsuit filed by the SCO Group against IBM.
"Indemnification covers much more than protection from litigation, DiDio said. It also shields companies from events, whether it's a national disaster or outage. For large organizations, lack of a product warranty is a non-starter, she said. What limited indemnification commercial Linux vendors like Red Hat, Novell's, SuSE, Hewlett-Packard provide is contingent on customers 'not making any modifications to the Linux code they distributed to you,' she said."

Unless I have misunderstood her, or she was misquoted, she appears to be suggesting that GNU/Linux software vendors should offer national disaster insurance. Is that not what regular insurance is for? There is insurance covering equipment breakdown and ebusiness risks, such as security breaches, for Microsoft shops, but you buy it from insurance companies, not from Microsoft. Is she seriously saying that Microsoft offers indemnification against national disasters, but Linux doesn't? I hope she didn't factor that into the TCO numbers. I really want to read this report.

I am obliged to correct Ms. DiDio on the indemnification issue, because she is mistaken on her facts. I never thought I would see the day where I'd be defending HP's indemnification program, because I am not in love with any restrictions on modifications, although I understand no single vendor can offer indemnification without such restrictions, but you can modify the code without losing your indemnification with HP. You just can't do it without prior approval. You can also get vendor-neutral insurance that does allow you to modify the code freely. How could a senior analyst get that so wrong? I hope she was misquoted.

Did DiDio factor in the cost of time spent dealing with security problems in the Windows operating system? The cost of a company meltdown from a virus or worm? If she didn't, despite respondents listing it prominently as a concern, and she factored in the phantom costs of customer indemnification, there may be an imbalance in the DiDio TCO universe, especially when you consider the millions such malware costs every year, they say, in the Windows world.

Ms. DiDio admits, according to InternetWeek, that Linux can be dramatically cheaper for smaller businesses:

"Linux can deliver a dramatic increase in ROI and lower TCO for some firms, said DiDio. But they're primarily smaller shops in the engineering and scientific vertical markets, where the staff is extremely technical, and can create its own custom applications, build its own boxes, and do its own support without resorting to Linux vendors or developers."

And what, pray tell, would hinder a large firm from hiring some local Linux-savvy personnel and reaping the same benefits?

This FUD about how expensive and hard it is to switch is questionable too. Here's what the survey says it found, according to CIO Today:

"Among the conclusions drawn from participants is that a major Linux deployment or total switch from Windows to Linux would be three to four times more expensive and take three times as long to deploy as an upgrade from one version of Windows to newer Windows releases."

Oh, so it's not a study of such costs; it's a survey of what some executives think it would cost? That's not the same thing. And as for it being more expensive to switch than to upgrade, that might be true if you only measure the day you switch, and even then, it'd be more expensive only if you don't have too many computers needing Microsoft licenses and software. But what about costs after that? Once you've switched, you've escaped the license/upgrade costs of a Windows environment forever. This isn't a survey about total cost of ownership so much as it is a survey of the total cost of migration.

I enjoy GNU/Linux software, but even I would acknowledge that not all businesses may wish to make a total switch now, because some may like to use specialized applications that are not yet available in GNU/Linux. There are quite a few specialized applications in the legal world, for example. But the argument that retraining will be such a huge cost seems strained. Have these folks tried GNU/Linux software lately? The old command-line-or-perish days are history. You can sit down at a Mandrake box and there is no need to even read a manual, if you are used to Windows. It's that intuitive. And yes, Mandrake does business. SuSE's most recent demo looked mighty easy to me, so I question the value of the results on this point.

I think they are exaggerating the need for training and underplaying that you need retraining to upgrade Windows also. I know. A neighbor teaches classes for employees of large corporations who can't figure out how to do things in the new Windows software when the companies upgrade, and she makes a good, steady income. The survey results are only as accurate as the respondents are accurately informed. I guess it's a struggle to make a free operating system look like it costs more than Microsoft's software. No doubt she did her best.

Ms. DiDio argues that two years down the road, when Linux is more popular, it will have just as many problems with security issues as Microsoft. I doubt it, personally, because of the way it is designed, but I take it she thinks Linux will be wildly popular in two years, and that's nice to know. Oh, that isn't what she meant? Then how could it be comparable? This sounds like a bit of analyst spinach that doesn't stand up to close scrutiny. When there is a problem in GNU/Linux, your whole system doesn't go down, and there are almost always ways to access your data. Plus it makes it hard for clueless clickers to initiate viral infections. You certainly can't just click and poof! Everything is corrupted. Usually you can preserve your documents and email and personal materials even if you have to reinstall the rest, anyhow. Even if it did become comparable in the future, the future isn't now, and companies can save malware costs right now by switching to GNU/Linux.

Getting back to the original newsletter, here are some more arguments it makes:

"In some ways, the open source vs. commercial software issue is a political one. Those who believe that 'software just wants to be free' are often (not always) the same folks who like the ideals of socialism, while commercial software supporters tend to be more capitalistic in nature. For some, operating system choice transcends even politics and becomes almost a religious experience. Different strokes for different folks, as the saying goes.
"But for the more pragmatic, who just want to get the work done and keep Total Cost of Operations (TCO) down, it's beginning to look like the old acronym TANSTAAFL ('There Ain't No Such Thing As A Free Lunch') might also mean that for businesses, there ain't no such thing as a free Linux."

Is that not smarmy? They can't even be sued, because of the "not always" disclaimer. But the mud fud splats just the same. Imagine how the executives at IBM or Red Hat or Novell feel reading this. IBM a socialist? I think not.

By the way, Microsoft, while attacking GNU/Linux has decided to ape Linus' methods of development in its own closed way:

"Microsoft is creating a central engineering division that will work on the core of its Windows operating system. The Windows Core Operating System Division (COSD), within the company's Platforms Group, will be responsible for the core OS platform, including development, program management and testing.
"To a certain extent, Microsoft's decision to form a division focused on the OS core was driven by its main rival, Linux, said Rob Enderle, principal analyst at Enderle Group.
"'They have been studying Linux extensively. Part of their study has been on how Linux has been able to maintain a high level of consistency in the kernel while groups around it maintain maximum flexibility.'
"By closely controlling the OS core, Microsoft will be able to better ensure that Longhorn will arrive on time and meet its quality and security objectives, Enderle added. He expected Longhorn to come out in the fourth quarter of 2005, provided that a beta becomes available as planned in 2004."

I have a question: If Microsoft's software is so much better for businesses, why is Microsoft aping the Linux kernel development model? Of course, Microsoft will never be able to duplicate what Linus does, because it won't actually imitate the openness. And that's the secret sauce, except it's no secret. Microsoft would like the exceptional results, which they obviously feel are worth having, while refusing to do what you need to do to get them.

Speaking of security, I read something a Microsoft developer admits about MS software and malware:

"The Seamy Side
"Not everything in the software development universe this year has been rosy. For starters, security in Microsoft products still stinks. Oh, sure, it's getting better, but every time I start to get even little complacent, something new happens. Remember the Blaster worm? Then there was the round of patches in February of this year, which revealed that it took Microsoft six months to fix a major security bug at the heart of pretty much every version of Windows. Sure, we keep hearing about how it will be better in future products, but that doesn't really seem to have materialized yet. Meanwhile, I still run across far too many developers who don't even understand the basics of things like SQL injection or cross-site scripting attacks."

This brings us to the Forrester Study comparing security vulnerabilities between Linux and Windows, which you can buy for only $899. Red Hat, SuSE, Mandrake and Debian responded to the report in a joint statement yesterday. Here's their Executive Summary:

"Executive Summary:GNU/Linux vendors Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled 'Is Linux more Secure than Windows?'. Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed."

I believe that is a polite way of saying that Forrester's methodology was flawed and its results not accurate. In fact, the statement goes on to say that they "are concerned about the correctness of the conclusions made in the report" and the last line says, "Finally, the claim that one software vendor had fixed 100% of their flaws during the period of the report should be incentive for a closer investigation of the conclusions the report presents." I believe you can catch their drift. Anyway, the statement makes clear that before you quote or use the results of the survey, you might want to take a look at the methodology.

This isn't the first time Forrester's methodology has given rise to questions and criticism, nor is it the first time they have presented a controversial pro-Microsoft "study." The last time, the outcries over the study having been paid for by Microsoft inspired Forrester to change its policies. If you can't spend $899 either for the study, I recommend eWeek's report on the study, because it is quite thorough.

I saved the very best FUD for last, though. Open Source has no future in the Phillippines, the headline trumpets:

"'The software development industry in the Philippines will always choose commercial applications over open source applications, unless the open source community comes around and becomes serious in turning open source software into a serious business,' said Joey Gurango, CEO of software development firm Webworks OS."

Isn't that priceless? Where do they find people willing to say such things? Pssst. Red Hat. Novell. IBM. You'd better get serious about business this exact minute, if you want to penetrate the Philippine market someday.

A reader just sent me the url to an interview with David Wheeler on "How useful are 'proprietary vs. open source' TCO studies?" Here's part of what he says about how studies can be skewed, and while he was talking about self-funded studies, I would think this would be true of any study, regardless of funding source, as long as there was a desired outcome going in:

"I doubt that these studies just made up their figures, but the problem with self-funded studies is that it's so easy to skew studies in more subtle ways:
"1. A funder can control the study's setup. For example, a funder make itself look good by asking an evaluator to only look at a few specific factors (ignoring others), or only look at specific environments and situations. In the old 1999 Mindcraft studies, for example, Microsoft chose to only evaluate an extremely unrealistic environment favorable to itself.
"2. A funder can control exactly how the study measures its results. That can make a significant difference, since different measurement approaches can produce wildly different results. If the study uses samples, it's easy to bias a sample to produce biased results.
"3. A funder can also control the study outputs. For example, maybe many factors were measured, or many separate studies were made, and only the favorable ones were reported. Conflicting results could have been suppressed. Or perhaps some of the key controlling variables weren't explained or controlled. The results can even be correctly described in a misleading way (for a humorous example, see the information about dihydrogen monoxide)."

What is really needed, Wheeler says, is "more independent studies that are clearly independent, and not funded directly or indirectly by a vendor."

Here's why I'm so glad to see the joint statement about the Forrester study and why I painstakingly answer all the FUD, day after day after day. The antidote to FUD is to shine a light on it. People can only be fooled if they don't know the truth.

Cranking Out the FUD -- and Some AntiFUD -- on TCO and Security | 464 comments | Create New Account

Comments belong to whoever posts them. Please notify us of inappropriate comments.

Corrections Here Please

Authored by: PJ on Wednesday, April 07 2004 @ 09:33 AM EDT

Please put corrections in this thread, so I can find them quickly. Thank you.