Did a Microsoft Spokesman Just Say "Linux Is Not Open Source"? -- And The Cost of Malware on Windows
Thursday, May 06 2004 @ 03:29 PM EDT

A Microsoft spokesman says, according to TechWorld, that Linux isn't open source, or something almost incomprehensible but sort of like that. It made headlines that he said it, but I don't think that is what he meant, if that is indeed what he said. Reporters and/or headline writers have been known to sensationalize in order to drive traffic. Sometimes they make mistakes, too.

What could he possibly have meant, if he said it or something like it? Reading what he said carefully, I think the new FUD this is representative of is spinning it that it's a battle between open source (for free) and paid-for, commercial software, and according to that definition, Red Hat isn't truly open source. Just another attack on Red Hat, in other words. What an amazing coincidence. Right after the legal settlement between them, both Sun and Microsoft start attacking Red Hat.

They certainly don't want the discussion to be whether free/open source software that you can look at, change, copy and share is better than petrified-wood-in-a-proprietary-prison software for which you can be arrested or sued if you do any of the above. No one in their right mind would choose their software, if they were to think it through clearly like that.

He also said Linux isn't more secure than Windows, but poor thing -- he said it while the Sasser worm has been costing everyone using Windows heartache and millions or billions or whatever it turns out to be this time.

Frank Hayes, in an opinion piece, Shameless, criticizes Microsoft for blaming businesses for not patching fast enough, after Microsoft put out a patch for the Sasser worm two weeks ago:

But the hole is in every version of Windows NT and XP Pro that has shipped since Windows NT 4.0 in 1996.

In other words, it took Microsoft almost eight years to find and fix this hole -- a hole that exists only because of Microsoft product development policies that in another profession would be called malpractice. But now we're told it's corporate IT's fault too, because in two weeks we haven't patched the 12.5 million servers and 200 million client PCs affected. (That's the current Windows NT, Server and XP Professional installed base, according to IDC.)

Why haven't we patched them? Everybody knows the answer: because of the cost. There's such a continuous stream of patches from Microsoft that we can't afford to apply every patch immediately.

Why doesn't Microsoft get it right the first time -- or the second time, or the third -- so all those patches won't be necessary?

He does some conservative math and figures all those patches cost about a billion for corporate IT to apply if you only figure patching servers; if you want to patch all the PCs too, add at least another billion. No doubt future "independent" studies of total cost of ownership between Windows and Linux will factor in those figures. Haha. Or here's an idea: how about someone actually studies what malware is costing Microsoft users and factors in some real figures? My wish just came true, actually, in part. Gartner today says that responding to vulnerabilities appropriately adds about 15% to the cost of doing business, and that it's part of the increased cost of using Windows (yoohoo, Ms. DiDio):
Dealing with widespread worms like Sasser raises the cost of using Windows, a research analyst said Wednesday.

Mark Nicolett, research director at Gartner, recommended that enterprises boost spending on patch management and intrusion prevention software to keep ahead of worms, which are appearing ever sooner after vulnerabilities in Windows are disclosed.

"This is part of the carrying cost of using Windows," said Nicolett. "The cost of a Windows environment has gone up because enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology."

As you see, Gartner's recommendation is that you spend the extra money. But you do have a choice. You could go Linux or get a Mac. It isn't just the expense. It's the time and the annoyance. When patches were released a couple of weeks ago, there was some criticism that there were so many patches still needed, so long after Microsoft began its well-publicized push for increased security. There were three patches, but one of them alone fixed 14 separate vulnerabilities. And there is another reason some don't like to install the patches, according to one reader, who suggested people just dump Microsoft and end their problems [Note that the comment is no longer at http://cwforums.computerworld.com/WebX?14@47.y1OJaZmrQIN^0 @.ee9d515/10, which is where it was in 2004. Ten years later, it's gone with the internet wind.]:
Just ditch MS

Why is it that it is only Microsoft products that suffer?

And if you want to know why sysadmins don't install MS patches -- well they've had too many nasty experiences of "if I don't install the patch the machine will be compromised, but if I do install the patch the apps on it will break and the machine will be useless."

Is that not an obvious solution? Just switch to software that isn't vulnerable to the malware currently going around. I wonder why journalists, or analysts for that matter, so rarely mention that option when covering the latest virus or worm. They write about the problem as if there is no escape. Malware is inevitable and inescapable in their articles, like gravity. Maybe they need help to even think of the other possibilities. A software monoculture leaves you vulnerable, says Australia's Open Source Industry Association's spokesman, Stephen Jenkins:

"A homogeneous environment, one with only Microsoft platforms and applications, is the worst from a security and survivability perspective," said Jenkin. "It's the same as having a whole wheat field made up of genetically identical plants. Introducing a propagating virus into just a single plant could be enough to wipe out the entire crop, as happened in the Irish Potato Famine.

"This same process applies to computer systems. By designing your network so that half of your organisation's computer systems are open source Linux or BSD Unix, you will ensure that some of your computer systems will always survive the next major malware outbreak, meaning your business stays in business."

Microsoft has just announced that Palladium is dead, by the way. Longhorn will have a different security solution:

On Tuesday, Microsoft executives confirmed that NGSCB will be canned. The project, dreamed up with Intel in 2002, was once code-named Palladium.

"We're evaluating how these NGSCB capabilities should be integrated into Longhorn, but we don't know exactly how it'll be manifested. A lot of decisions have yet to be made," said Mario Juarez, product manager in Microsoft's Security and Technology Business Unit. "We're going to come out later this year with a complete story."

Juarez said the project is being shelved because customers and ISV partners didn't want to rewrite their applications using the NGSCB API set.

Now, swinging back around to that "Linux is not (solely) open source" remark, what I think he was trying to say was once Red Hat has the nerve to ask for money, they make it something that isn't pure open source. Here is what he said about them, and you'll see that he doesn't grasp yet the free-as-in-speech not free-as-in-beer part:
"There's a good quote from Red Hat that says, 'yes we are based on open source, but that doesn't mean it's free.' Quite frankly if we lose to Linux because our customers say it's better value for money, tough luck for us. Those that provide open source, like the Red Hats, need to provide commercial services and extensions. They'll need to invest and that's a commercial activity."
What he was trying to say, I think, was that Red Hat costs money, so they are commercial, and in his world view, commercial isn't open source:
Stressing that Linux is "not free", Vamos said open source is a development methodology that should not be confused with the commercial nature of Linux distributions.

"Open source is not [solely] Linux," Vamos said. "That's probably a little bit out there in the sense that Linux has been developed using open source development models. I guess what I'm saying is that when you talk about open source -- the way open source is being described -- is that people generally talk about it as being Linux and I think you really need to look at the two separately."

Vamos said Linux has a place, and that "it is already doing some good work for customers" but separates it from open source because "the open source debate tends to be one that's about philosophy and views". And then he gets to the punch: "When you talk about Linux versus Windows, you're talking about which operating system is the best value for money and fit for purpose. That's a very basic decision customers can make if they have the information available to them." . . .

And on: "For those of you engrossed in the decision about is it open source or is it commercial software, I'd probably respectfully suggest that you're spending a lot of time on issue number four or five in the pecking order."

So, first, Sun attacks Red Hat as "proprietary" and says open standards are better than open source. Now Microsoft attacks Red Hat as not being pure open source and suggests that on that basis, they are a better value. I think there is a basic flaw in this new strategy. The proprietary side is making a big mistake. They are used to competition that succeeds by destroying the opposition. That's Microsoft's MO. But GNU/Linux isn't a company. Red Hat does offer a distro, but it is just one of many choices. Even if MS and their new best buddy were successful in killing Red Hat, it wouldn't defeat the GNU/Linux side.

The dark side thinks in old-fashioned ways, so they can't fight very well. It's like they are the British army, and GNU/Linux are the American revolutionaries in the Revolutionary War. The British had all the money and the uniforms and the training and the numbers on their side. But they only fought the old way, despite finding themselves in a new kind of war, and they kept lining up in rows in bright red jackets in open fields, because that is what they were used to doing. The Americans had creativity and brains and a serious desire to prevail, motivated by a concept, an ideal, and they came up with an innovative way of fighting, hiding behind trees and picking off the Redcoats as they marched along in step, in the open, in the old-fashioned way. And you know how that turned out.

As for the economics, you can pay money to buy GNU/Linux software with or without support, but if you can't afford it, and are willing to download it and support it yourself, you can always get it for free. Yes. Free as in beer, but also free as in speech. It's the free as in speech that makes us want it so badly. But it's also freely available, free as in beer, all over the Internet. Even from big, "bad" Red Hat. Just go to their download page, and you will find two choices, Enterprise or Fedora. Click on Fedora, and there you are, downloading software that is free as in beer and free as in speech -- a complete operating system and applications galore. What is the Fedora Project?

The Fedora Project is a Red-Hat-sponsored and community-supported open source project. It is also a proving ground for new technology that may eventually make its way into Red Hat products. It is not a supported product of Red Hat, Inc.

The goal of The Fedora Project is to work with the Linux community to build a complete, general purpose operating system exclusively from free software. Development will be done in a public forum. The project will produce time-based releases of Fedora Core about 2-3 times a year with a public release schedule. The Red Hat engineering team will continue to participate in the building of Fedora Core and will invite and encourage more outside participation than was possible in Red Hat Linux. By using this more open process, we hope to provide an operating system that uses free software development practices and is more appealing to the open source community.

Here is a list of what you get for free. And here is their comparison page. What you don't get with Fedora is support and certification. My guess is you'd get that too if it weren't for the SCOs of this world. Service you pay for, because that is Red Hat's business. But the simple truth is, if you hire some GNU/Linux gurus, you can live without support from any particular vendor. Or hire a company to do support for you. That's the beauty of open source software, or one of the beauties: there is no vendor lock-in. So buy from another vendor, if you want a different price or service offering.

This attack on Red Hat wouldn't by any chance have something to do with their announcement that they are expanding from the server space into enterprise desktops, would it? Or maybe they just read the World Bank-sponsored Dravis Group report describing the state of open source software in the public and private sectors globally, which you can download here:

While the initial interest in open source seems to have been part of a drive to reduce IT budgets, today system administrators and CIOs are quickly becoming aware of the longer-term benefits and ROI that comes with flexibility, interoperability, and choices.
Even Time magazine says Microsoft has to do something, because of the Linux threat, but their thinking on what Microsoft may do gives you the shivers:
Such a threat is exactly the kick in the pants the company needs to get its mojo back. "Microsoft works best when there's a foe," says financial analyst Rosoff. And as Apple and Netscape discovered to their chagrin, the folks at Redmond are not shy about adopting their rivals' good ideas. The real attraction of Linux is that it is open source — anyone can poke around in the software code, and engineers around the world can suggest improvements. That is anathema to Microsoft, which fiercely protects its intellectual property. Yet to meet the threat, Microsoft has hired some top Linux brains and released its first open-source product. It's a relatively insignificant geekware tool called WiX. But considering that Ballmer previously called open source "a cancer," WiX may signal a major change of heart.

Which at this company is pretty much business as usual. "We have a treasure chest of technology that allows us to be very agile," says Rick Rashid, Microsoft's senior vice president for research. "If the world changes, we can change with it." Being aggressively agnostic about technology is the only way Redmond has a shot at double-digit growth again.

Eek. There may be a cancer growing, all right, but it's not Linux. It sounds like it may be a Brand X Linux. Only they won't call it that. It'll be called something like WinIX or . . . Lindows. Hmm. Could that be why they are fighting that case so hard? You think?

So far, it's just a few cells, but you know how that goes. Before you know it, if you aren't paying attention, it's metastasized all over the place and tries to take over.




Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )