In a 2,600-word email sent to Microsoft customers and partners on Wednesday, Microsoft's Steve Ballmer drove home the key themes of Microsoft's "Get The Facts" campaign. Bill Gates' second in command claimed that Windows was a better choice than Linux in terms of security, total cost of ownership (TCO) and protection against legal action over patent violations.

"And it's pretty clear that the facts show that Windows provides a lower total cost of ownership [than Linux]; the number of security vulnerabilities is lower on Windows; and Windows responsiveness on security is better than Linux; and Microsoft provides uncapped IP indemnification of their products, while no such comprehensive offering is available for Linux or open source," he stated.

In the aftermath of Ballmer's mail, ZDNet UK sought out a reaction from the various Linux vendors to Microsoft's allegations that the open-source OS is expensive and untrustworthy.

Novell vice-president of strategic marketing John Hogan's first response to the various points in the Ballmer email is that Microsoft has cherry-picked sections of the reports to back up its 'facts'. Novell bought SuSE Linux in January 2004.

"Not surprisingly, the points made by Mr Ballmer leverage only those statements in its commissioned studies that reflect most positively on Microsoft," says Hogan. "A broader look paints a much more objective picture, one more favourable to Linux."

French Linux vendor Mandrakesoft levels the same criticism at Microsoft. "Microsoft has a well-known tendency to somewhat stretch the definition of 'fact'," says a spokesman from Mandrakesoft. "The 'facts' referred to in the above [Ballmer's] quote originally appeared in Microsoft-funded studies, the independence of which is, at best, doubtful."

Objectivity

Ballmer attempted to head off claims of bias in his email, claiming that the research cited is independent. "In each case, the research methodology, findings and conclusions were the sole domain of the analyst firms. This was essential: we wanted truly independent, factual information."

Novell's Hogan says that Microsoft has often specified the exact system configuration in benchmark tests. For example, in two Veritest studies which compare Windows 2003 Server with Linux, Hogan asserts that Veritest fine-tuned the Windows set-up but did not do the same for Linux.

"The test used Windows protocols only, while Linux had to emulate the Windows protocols using Samba," says Hogan. "As far as we can see, the testers did not even make the smallest optimisation for this Linux/Samba setting, while Microsoft helped Veritest fine tune on Windows."

Hogan also claims that Microsoft turned off the Windows 8.3 file-naming convention and made tweaks to the TCP stack on the client machines and to the buffer-cache pool on the server. "Obviously, Microsoft invested considerable time and effort in finding the best possible configuration," he says.

Total cost of ownership

In the email, Ballmer attempts to reinforce Microsoft's claim to lower TCO with findings from a Yankee Group study from April 2004, entitled "Linux, UNIX and Windows TCO Comparison". He claims the study concludes that upgrading Windows was cheaper than switching to Linux for large enterprises.

But according to Novell, the Yankee Group study also found that the relative TCO of Microsoft and Linux varies according to situation and that the TCO of Linux is considerably lower in, for example, small firms, organisations with customised vertical applications and in "greenfield" sites.

An alternative report on TCO carried out by Research and Markets found that Linux had a 30 percent lower TCO than Windows, according to Mandrakesoft.

Training

In the section of the email on TCO, Ballmer also raised issues of the cost and availability of trained Linux resources to support Linux deployments, citing a Forrester Report, from early 2004, entitled The Costs and Risks of Open Source.

The Microsoft chief executive claimed Forrester found that training for IT employees was 15 percent more expensive for Linux than for Windows due to a lack of internal knowledge and a lack of availability of training materials.

But according to Novell's Hogan, the Forrester report also states that the added training costs for Linux are transitory and will reduce as companies gain more experience with the OS.

Security

The Ballmer memo also quotes data from a Forrester study entitled "Is Linux More Secure than Windows?" It states that according to the analysts' study the four major Linux distributions have a higher incidence and severity of vulnerabilities, and are slower than Microsoft to provide security updates.

Representatives from Red Hat, Novell and Mandrakesoft claim the Forrester report was flawed.

Earlier this summer, Mark Cox from Red Hat's security response team told ZDNet UK that his firm had worked closely with Forrester, and that these findings were flawed because the analyst group had just taken a simple average of the data.

"An average is not representative. Red Hat fixes issues which other operating systems wouldn't fix, such as temporary file vulnerabilities," said Cox, adding that the report also failed to take into account the severity of the issues.

"A vulnerability which could allow a remote attack on Windows was considered in the same light as a file vulnerability on Linux which makes the system slow down," said Cox.

Novell's Hogan agrees with Cox that the report fails to take into account severity. "Mr Ballmer failed to mention that the study found Microsoft had the highest number of critical flaws," he says.

Hogan also says that the study measured the time to fix a flaw from the time it is made public, which is different for Microsoft and open source. "In open source, this is immediate, so a fix can be generated quickly. Microsoft delays making the existence of a flaw known as long as possible, unless your company has signed a special non-disclosure agreement with them," he says.

Indemnification

In the email, Ballmer wrote that "it is rare for open-source software to provide customers with any indemnification at all."

The response from Red Hat and Novell SuSE executives is that both companies provide indemnification against intellectual property.

Red Hat provides a warranty to Red Hat Enterprise Linux customers which guarantees to replace software if there is an intellectual property issue so they can continue using the product without interruption. It also has a fund which assists companies with any legal expenses associated with litigation related to the development of software under an open-source licence.

Novell provides indemnification to customers of versions 8 and 9 of SuSE Linux Enterprise Server. It states that it will pay damages up to $1.5m for an allegedly infringing product. On top of this it will pay legal defence fees.

UNIX Migration

On the subject of migrating enterprise resource planning systems from UNIX to Windows or other platforms, Ballmer highlighted a survey purporting to show gains in performance from moving to Windows and suggested that Windows outperforms Linux in UNIX migration scenarios.

But Novell claims that an alternative analysis by Flexdata comparing Windows 2003 with SuSE Enterprise Server 9 (SLES9) found that it performed better on the same hardware.

Despite the distinct lack of common ground, there are some points that Microsoft and Novell agree on. At the end of Ballmer's email, he directs customers toward the "Get the Facts" section on the Microsoft Web site. Novell's Hogan agrees that people should read these reports to get a more complete picture.

"Read the complete reports on Microsoft's site, not just Microsoft's chosen sound bites," he says.

Gael Duval, the founder of Mandrakesoft, is less forgiving and sums up Microsoft's email as an attempt to spread confusion.

"We think that Microsoft is trying a new strategy to fight against Linux by spreading much FUD (fear, uncertainty and doubt) about Linux' strongest points."

Novell's full response follows

"...corporate customers report Linux provides businesses with excellent performance, reliability, ease of use and security. Yes, Linux is a viable alternative to UNIX and Windows. In addition, Linux is the most serious competition to Microsoft’s dominance in the server operating system market to date."

"Linux shows measurably improved TCO compared with UNIX and Windows in small firms, in organizations with customized vertical applications and in "greenfield" networking situations where there is no existing software infrastructure."

"The ability to modify and customize the Linux source code affords customers the most intriguing possibilities for custom application development. This ability stands in stark contrast to the closed or proprietary nature of the Windows operating system. In recent years, Microsoft has opened up Windows to a limited extent and released numerous APIs. This enables third-party ISVs to efficiently produce interoperable applications that more easily integrate with Windows. However, this is nothing like the changes developers can make with Linux, where there is total access. The open source philosophy is deceptively simple: allowing developers, programmers and engineers to read, modify and redistribute the source code via standardized Linux interfaces spurs software development and evolution."

"In summary, the Yankee Group’s TCO survey found that Linux does offer compelling cost savings, economies of scale and technical advantages, as many a satisfied user will attest. However, the cost savings and benefits are not automatic; they are not achieved without customer due diligence and they do not necessarily apply in every user scenario. Ultimately, the TCO and ROI of Linux may be less than, comparable to, or more expensive than UNIX or Windows depending on the individual corporate deployment circumstances."

The following comments follow the flow of Mr. Ballmer's letter. Not surprisingly, the points made by Mr. Ballmer leverage only those statements in its commissioned studies that reflect most positively on Microsoft. A broader look paints a much more objective picture, one more favorable to Linux.

In teeing up the research results, Mr. Ballmer states that

This is somewhat at odds with what transpired. Microsoft generally specified the configurations to be used. As an example... Based on two studies on Microsoft's "Get The Facts" website entitled "Windows Server 2003 Outperforms Linux for File Serving" and "Windows Beats Red Hat in Multiple Configuration Web Server Benchmark Tests" (Veritest 2003 and 2004), Microsoft concludes that Microsoft Windows 2003 Server has higher performance than Linux as a file- or web server. However, the test used Windows protocols only, while Linux had to emulate the Windows protocols using Samba. As far as we can see, the testers did not even make the smallest optimization for this Linux/Samba setting, while Microsoft helped Veritest fine tune on Windows. Microsoft provided a registry setting that turns off the standard Windows 8.3 file-naming convention. Another tweak was made to the TCP stack on the client machines. Yet another tweak was made to the buffer-cache pool on the server. Obviously, Microsoft invested considerable time and effort in finding the best possible configuration.

To support his TCO arguments, Mr. Ballmer quotes extensively from Yankee Group's report entitled "Linux, UNIX and Windows TCO Comparison" (Yankee Group, April 2004). That report, available on Microsoft's site, also states the following, which Ballmer did not cite:

Mr. Ballmer brings up the issue of the cost and availability of trained Linux resources to support Linux deployments, citing a Forrester Report titled "The Costs and Risks of Open Source." However, that study concludes,

This acceleration of growth wouldn't be possible if lack of availability of Linux resources were truly a mitigating factor for customers. Linux expertise is extensive, and growing rapidly. Computer science graduates today have grown up on open source, not Windows. Evans Data Corporation, in their Linux Development Survey dated Summer, 2004, shows that there are 1.2 Million Linux developers and growing. Evans further states that

Forrester makes a clarifying comment regarding those companies who were expending more effort in their Linux deployments:

The report concludes that these costs are transitory.

4. SECURITY: Mr. Ballmer brings up the issue of security, which admittedly must be much on his mind. He states "I think it's fair to say that no other software platform has invested as much in security R&D, process improvements and customer education as we have at Microsoft." Novell applauds Microsoft's continued efforts to improve their product quality. Novell deplores any malicious attack on any company or any software. But the reality is that the financial impact to the economy and to customers of the malicious attacks on Microsoft products has run into the billions.

Ninety two percent of survey respondents indicated that their Linux systems have never been infected with a virus.

Fewer than 7% said that they'd been the victims of three or more unauthorized intrusions.

Only 22% of Linux developers said that their systems had ever been invaded (of those, almost a quarter of cases (23%) involved unauthorized intrusion initiated by companies' employees, i.e. people with accounts allowing them to log in to corporate Linux servers).

Twenty five percent of developers believe that the Linux operating system has the best innate security.

Nine of ten companies developing Linux claim that their systems have never been infected by a virus, while four of five companies assert that their systems haven't ever been down due to hacking.

Mr. Ballmer further states.

We cannot argue that point, but isn't this the same process used in developing the products that have been plagued by malicious attacks? Something has to change. Open Source provides an equally structured process, but different than the one Microsoft utilizes. Open source – modular in its nature - is much more flexible and, being open, its processes and code are much more amenable to scrutiny and improvement. Partly for this reason, Linux has a strong security record.

Mr. Ballmer brings up the Forrester report titled "Is Linux More Secure than Windows?" He concludes that the study

Mr. Ballmer failed to mention that the study found Microsoft had the highest number of critical flaws. 67 percent of Windows flaws had been rated "critical", under the U.S. National Institute for Standards and Technology's ICAT project standard for high-severity vulnerabilities. This compared to 63 percent for (pre-Novell) SuSE Linux, 60 percent for MandrakeSoft, 57 percent for Debian and 56 percent for Red Hat. Note also that this study measures the time to fix a flaw from the time it is made public. In open source, this is immediate, so a fix can be generated quickly. Microsoft delays making the existence of a flaw known as long as possible, unless your company has signed a special non-disclosure agreement with them. The Forrester study does not take this differing public start time into account. This is like a golfer starting on a tee closer to the hole saying they are a better golfer because they have fewer strokes.

The Yankee Group study that Mr. Ballmer referred to earlier in his message states

Evans Data Corporation, in their Linux Development Survey dated Summer, 2004, shows:

A similar survey by Evans last spring found that nearly 60% of non-Linux developers admitted they'd been victimized by security breaches, and 32% had been hit three or more times.

5. IP ISSUES: On the subject of indemnification, Mr. Ballmer states that "it is rare for open source software to provide customers with any indemnification at all". If he were to check the slides he himself used at the Massachusetts Software Council address he gave on September 1, 2004, he would see a slide where both Microsoft and Novell are "checked" as offering indemnification, Novell referring to our Linux offering. Granted that same slide showed a "no check" for Novell regarding patents. Since that time Novell has made public its stance of using its patents to protect its open source offerings.