Friday, December 19, 2008

Misleading Vulnerability Counts in the Browser Wars

Getting Behind the Raw Numbers

A lot of noise has been made recently about the inclusion of Firefox among the most vulnerable programs on Windows. Certainly, amongst the browsers, it has the dubious distinction of being the most hit by vulnerabilities. What is the reason behind this? Is it because the browser is so buggy that external researchers can find vulnerabilities very easily, or is it because greater transparency and better internal audit, a consequence of its open source nature, mean that more bugs are found internally and reported? To get behind the vulnerability numbers, I therefore decided to find out the externally and internally found vulnerability counts for the browsers over the last year (vulnerabilities discovered between 1st January 2008 and today, the 19th of December, 2008). The vulnerabilities were taken from the advisories published by the vendors themselves, from the National Vulnerability Database, and from the Secunia website.

In terms of raw vulnerability counts, there is no doubt that Firefox seems to have far too many vulnerabilities. Internet Explorer 7 seems to be the most secure.

However, when broken down into externally and internally found vulnerability counts, it is seen that the apparent difference is entirely due to Firefox patching and giving out details of internal fixes.

It is important that at least the more severe vulnerabilities be found by internal quality control rather than by external sources. For the vulnerabilities listed in the National Vulnerability Database (NVD), the CVSS version 2.0 base score was used to classify them into high, medium and low severity bugs according to the accepted guidelines. Then the high severity vulnerabilities across the three browsers were compared for both internal and external fixes. It is to be noted that some of the newly released Opera patches do not yet have a CVE number. Therefore, there should be some more vulnerabilities for Opera in the externally found severe vulnerabilities column. However, the relative order of the browsers will not change. The graph below shows the comparison between internally found and externally reported high severity vulnerabilities for the browsers.


It can be clearly seen that Firefox is not only the best browser as far as documenting internal fixes goes, but we are actually assured that they have a well functioning, transparent, internal quality control mechanism which actually catches more browser vulnerabilities than those of its competitors. Now, this again may not be a valid point for comparison, since the other browsers are closed source and may actually ship hidden fixes. However, we just cannot have the assurance of internal quality that is given by the Firefox team. Therefore, instead of publicly finding fault with the number of patches in Firefox and comparing the raw, misleading total vulnerability counts, Firefox should actually be congratulated on having such a transparent security process in place, and for patching more documented holes than its competitors.

However, these vulnerability counts should not be used as an indicator of security. Vulnerability counts are a very flawed measure of the security or insecurity of a product. There are better metrics: rather than the number of vulnerabilities, a composite measure of the number of unpatched days, the efficiency of the patch delivery mechanism, the securability of the browser, the potential attack surface of the browser and list based protection against malware sites is needed to properly assess the security of a browser. The point behind this article is not that Firefox is the most secure amongst the browsers (that discussion may be left till a later date), but that conclusions based on coarse raw numbers may paint a picture completely opposite to the truth. There is a lot to be said for getting behind the numbers.
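As an added illustration of the method used in this post (example code written for this page, not the original analysis or its data), the following Python script buckets constructed sample advisories by CVSS v2.0 base score using NVD's bands, splits them into internally and externally found, and shows how the ranking by raw count differs from the ranking by externally found high severity bugs. The product names, advisory ids and scores are all constructed placeholders.

```python
"""Severity-stratified, internal-vs-external vulnerability counts.

Added example, not part of the original post. SAMPLE_RECORDS are
constructed data with placeholder product names and advisory ids; they
are not the 2008 browser advisories the post counted. CVSS v2.0 base
scores are bucketed with the NVD bands: Low 0.0-3.9, Medium 4.0-6.9,
High 7.0-10.0.
"""
from typing import Dict, List, Optional, Tuple

# (product, advisory id, CVSS v2 base score or None if not yet scored, found internally?)
Record = Tuple[str, str, Optional[float], bool]

SAMPLE_RECORDS: List[Record] = [
    # BrowserA documents its internally found fixes, so it has the most entries.
    ("BrowserA", "CVE-XXXX-0001", 9.3, True),
    ("BrowserA", "CVE-XXXX-0002", 7.5, True),
    ("BrowserA", "CVE-XXXX-0003", 6.8, True),
    ("BrowserA", "CVE-XXXX-0004", 4.3, True),
    ("BrowserA", "CVE-XXXX-0005", 2.6, True),
    ("BrowserA", "CVE-XXXX-0006", 7.5, False),
    ("BrowserA", "CVE-XXXX-0007", 5.0, False),
    ("BrowserA", "CVE-XXXX-0008", 4.3, False),
    # BrowserB publishes only externally reported issues.
    ("BrowserB", "CVE-XXXX-0101", 9.3, False),
    ("BrowserB", "CVE-XXXX-0102", 7.5, False),
    ("BrowserB", "CVE-XXXX-0103", 7.2, False),
    ("BrowserB", "CVE-XXXX-0104", 4.3, False),
    # BrowserC has one fresh advisory with no CVE/NVD score yet (the Opera case in the post).
    ("BrowserC", "CVE-XXXX-0201", 9.3, False),
    ("BrowserC", "CVE-XXXX-0202", 7.5, False),
    ("BrowserC", "VENDOR-ADV-0203", None, False),
]

BANDS = ("High", "Medium", "Low", "Unscored")


def cvss2_severity(base_score: float) -> str:
    """Map a CVSS v2.0 base score to NVD's Low / Medium / High bands."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS v2 base score out of range: {base_score}")
    if base_score >= 7.0:
        return "High"
    if base_score >= 4.0:
        return "Medium"
    return "Low"


def raw_counts(records: List[Record]) -> Dict[str, int]:
    """The headline number: advisories per product, regardless of severity or source."""
    counts: Dict[str, int] = {}
    for product, _adv, _score, _internal in records:
        counts[product] = counts.get(product, 0) + 1
    return counts


def severity_breakdown(records: List[Record]) -> Dict[str, Dict[str, Dict[str, int]]]:
    """Per product: {band: {"internal": n, "external": n}}.

    Advisories without a score are kept in an "Unscored" band rather than
    dropped, so the reader can see how many entries the ranking cannot
    account for (the post's caveat about unscored Opera patches).
    """
    out: Dict[str, Dict[str, Dict[str, int]]] = {}
    for product, _adv, score, internal in records:
        bands = out.setdefault(
            product, {b: {"internal": 0, "external": 0} for b in BANDS})
        band = "Unscored" if score is None else cvss2_severity(score)
        bands[band]["internal" if internal else "external"] += 1
    return out


def rank(counts: Dict[str, int]) -> List[str]:
    """Products ordered worst (highest count) first; ties broken by name."""
    return sorted(counts, key=lambda p: (-counts[p], p))


def compare_rankings(records: List[Record]) -> Tuple[List[str], List[str]]:
    """Ranking by raw count versus ranking by externally found High-severity bugs."""
    breakdown = severity_breakdown(records)
    severe_external = {p: b["High"]["external"] for p, b in breakdown.items()}
    return rank(raw_counts(records)), rank(severe_external)


if __name__ == "__main__":
    totals = raw_counts(SAMPLE_RECORDS)
    for product, bands in severity_breakdown(SAMPLE_RECORDS).items():
        cells = "  ".join(
            f"{b}={bands[b]['internal']}/{bands[b]['external']}" for b in BANDS)
        print(f"{product:10} raw={totals[product]:<3} {cells}  (internal/external)")
    raw_rank, severe_rank = compare_rankings(SAMPLE_RECORDS)
    print("worst by raw count:             ", " > ".join(raw_rank))
    print("worst by external High severity:", " > ".join(severe_rank))
```

With the constructed data the product that publishes the most advisories ranks worst on the raw count but best on externally found high severity bugs, which is the reversal the post describes.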

Friday, February 8, 2008

For the last few days, I have been in a totally grumpy mood. First, I see an article in a computer magazine, Digit, comparing the security of Linux with Vista and coming to the conclusion that both are equally secure, but if things go wrong, they will go more wrong in Vista. Hello Digit, can you get off the fence please? On one hand, you give reasons why Linux is more secure, explain the reasons, and then say in a roundabout way that Linux is more secure, but do not spell it out directly, as if afraid that you will lose popularity (or perhaps will not get permission to distribute free trials of MS Office).

Then, trying to install Fedora from the DVD of that same computer magazine, my entire hard disk became unreadable, and as a result I lost all the partitions and data (Ubuntu, Mandriva, SUSE, XP). Well Fedora, here you have lost a well wisher. The majority of the fault was mine (I pressed one OK button by mistake, but Ubuntu, Mepis, and all the other distros I have tried give multiple opportunities to go back, and do not begin formatting at the first step). And I kicked the XP habit because it got corrupted during installation of updates due to a power cut. And now I have kicked the Fedora habit before even starting. Luckily, my first experience was with Mepis and Ubuntu, otherwise I might have clubbed all distros in the same basket. OK, I had backups of most of my important files, but still....

Then, I reinstalled Mandriva. There is a reason behind this: my ISP, Sify Broadband, gives only an rpm client for installation. Its files from source do not work. So, I had to choose an rpm based distro as the first choice. Then, that client is really crappy. It automatically stops after a few minutes. Therefore, as you can imagine, my distro was not getting updated. Furthermore, an enterprising open sourcer has made an alternative client, Supersify, but that needs Java to work. I got down to downloading Java, but the broadband client had a mind of its own, the transmission stopping periodically, and then when I go to restart the client, I get a message saying that one version of the client is already running. Way to go, Sify, you are making great efforts to ensure people get tired of Linux. (BTW, this is the new, better version of the client; the earlier version did not work at all.) And they have the cheek to ask if my "software" is good! Time to leave Sify for good, I guess, but I may change my residence and go for a job elsewhere in India, so I have decided to change my ISP after that. Seriously, this is the difficulty of using Linux in India: not Linux itself, but stupid service providers.

And I miss posting, and checking out my mail and everything! So now you know why I have not been posting these last few days!


Tuesday, February 5, 2008

The eyeOS: A Review

The eyeOS has been making ripples among enthusiasts of “cloud” computing. It intends to serve as an Operating System which can be accessed anywhere through a web browser. One just has to install the eyeOS on to one's web server or use the web hosting solution provided by the vendors themselves. On top of that, it is one of the first open source offerings on the cloud (Google, even though running on open source components, is in itself proprietary). How good is it, though? To answer this question, I took the option of trying out the software on the vendors' hosting service. This has the disadvantage of not being extendable, i.e. you cannot install any additional applications, but it serves as a good starting point for evaluating the platform.

The registration was really fast and then I logged in. The service really looked like a desktop in the browser. It was user friendly and after reading the user manual, I was on my way.

The applications: Since the service intends to be a desktop in a browser, there were applications for Office work (Calendar, Contacts, Calculator, Word processor, an experimental spreadsheet, Slide presentation software), for games (Flash version of Sonic the Hedgehog, Prince of Persia, Solitaire, Chess), Networking (a browser, mail client, RSS reader, FTP client, messenger for users of the same system and notes) and for entertainment (mp3 player, video player, image viewer and Flash Earth). The choice of software was really stunning, and I must admit I did not expect so much. But how good were they really?


Office:
The Calendar and Contacts were satisfactory. They were quite full featured. The e-mail client also worked well, as did the notes. On these counts, there should not be any major complaints. The word processor was skimpy when compared to a desktop office suite, but it was adequate for most purposes, and could handle both MS Office (.doc) as well as ODF files. For some sorts of special formatting, one has to use the desktop browser, or a more powerful online office suite like the Zoho Office (by the way, one can easily access the Zoho Office suite through eyeOS's own browser. So that would be an office suite inside a browser inside an Operating system inside a browser inside an operating system: cool for geeks, may sound crazy to others). The spreadsheet component was experimental and good just for viewing and minor editing. No calculations can be done. The lack of features for document and spreadsheet creation and editing is, I think, the greatest drawback of eyeOS at present. It should be noted here that documents and spreadsheets are opened for viewing by an app called eyeVisor. This application satisfactorily opened the files I threw at it. The word processing and spreadsheet applications are opened only when editing files or creating a new file.

Office suite inside a browser inside an Operating system inside a browser inside an operating system. Sounds crazy, huh?



Games and entertainment: No complaints here. All the games played well. The Sonic the Hedgehog and Solitaire games were Flash based, but still entertaining. I also played an mp3 music file. The sound quality was good, even though there were no advanced options for playback. The Flash Earth also played well (of course, you will not get close up shots of your home from this app, unlike Google Earth). There are no complaints on this front.

Networking: A web browsing application has been added which does its work quite well as does the mail client, the feed reader and the instant messenger. All these have just the essential functionality, but that is enough for most users. No complaints on this front either. An application called the eyeBoard is present as well by which you can post messages to other eyeOS users.

All in all, the software works well. I personally am satisfied with most of the applications present by default. However, this satisfaction may have to do with the fact that my initial expectations were low. Users who want a complete desktop experience will be disappointed. Such an experience should not be expected. I wish to also point out that in my experience, eyeOS does not work well with all browsers. On Konqueror, it was slow; on Opera, I just could not log in. I do hope that these issues will be taken care of in the near future.

My (decidedly personal) conclusion: This is one cool platform. The idea of accessing files, pictures, videos and music files anywhere on any computer is appealing, especially to hardcore geeks. Just think of a combination of iPhone + eyeOS, or Archos + eyeOS, or Wii + eyeOS (provided the Opera support improves). There are individual web apps which do a better job than eyeOS for each function (e.g. Zoho for Office, flickr or Google for photos), and therefore improvement is needed. Still, I think that this tool has great future potential, not only for the idea of a universal web desktop, but for a completely different reason.

You see, enterprises are moving towards greater networked collaboration. Some are also moving towards thin clients. If a proper collaboration framework is laid down on the EyeOS platform, with the possibility of editing documents, spreadsheets, modifying pictures for a slideshow, it may well become a killer application in the enterprise. The range of applications that EyeOS supports is much wider than that of most other online suites or individual services. It gives a very cheap, customizable option in such a case. And it is here, I feel that it should show its strength. However, it needs to improve its core Office software like Word processing, Spreadsheets etc and add good collaboration tools for this to actually happen.

Finally, congratulations are due to the Spanish teenagers who have been the main movers behind this software. If not anything, eyeOS may revolutionize our definition of what an Operating System actually is!



Sunday, February 3, 2008

Popularizing Linux: Are Flash based Distros underutilized?

I have often wondered why Linux is not more popular. Mostly, it is usable, more secure and less costly than Windows. Why, then, do more people not use Linux? Disregarding, for the time being, the general ignorance of the people, I think the following points are very relevant:

  1. It is a Windows world: Most of the applications that people use are Windows specific proprietary programs. The most commonly used applications are an e-mail client, web browser, office suite, instant messenger, multimedia programs and a photo organizer. Changing over to a completely new system is a great culture shock. I think this great change, as well as questions as to whether Linux will actually provide an adequate replacement for the programs of their day to day use, is a great deterrent for people who actually are interested in Linux.
  2. Fear: Most people do not have enough technical knowhow. They are afraid of messing up their systems by opting for a dual-boot configuration. Even if they have backed up all their data, they are afraid of losing a working operating system. They also are not confident enough of using virtualization as a means of testing different operating systems.
  3. Self-doubt: Linux has earned notoriety as an operating system for geeks. People are just put off by hearing that it is difficult.

How, then, to actually lessen the pain of changing operating systems? The first objective to be achieved is to see whether the persons concerned are actually interested in adopting a dual-boot configuration. In case they are even slightly afraid, I think the best option is to introduce the users to Live-CD and USB bootable distributions. Of these two options, I personally think that the latter is a better option.

Why? For starters, it adds something that Windows cannot give: a portable desktop in your pocket. It gives users the opportunity to access their personal files wherever possible without fear of them being seen by others. And this is a very big value. Windows just does not give this type of privacy. It is non-destructive for the hard disk, but can store additional files. With proper partitioning and formatting of the flash device, the user files can also be accessed from Windows. This option will remove the fear of destroying the system from the users (provided they are told at the beginning how to boot from a USB drive, or a volunteer adjusts the BIOS defaults), and users can try and get accustomed to the different Linux applications. A big advantage over Live-CD based systems will be its boot times and speed in general. I personally think that if, along with the widespread word-of-mouth advertisement Ubuntu is getting, this unobtrusive and safe option is projected, Linux will actually gain more popularity. Which makes me wonder, are flash based distros like Puppy or Mandriva Flash underutilized and under-advertised?


Saturday, January 26, 2008

The Safest Version of Internet Explorer Yet?




Evidence:
Tried to install spyware: Failed
Tried out proof of concepts of some known vulnerabilities: Failed
Tried out ActiveX: Failed

Friday, January 25, 2008

Jeff Jones at it again

When will the half truths of Microsoft end? While reading ZDNet, I came across a blog post stating that Jeff Jones, security director of Microsoft, has again published a flawed study in which he compares the total vulnerability counts of Vista in its first year with those of Linux distributions in their first year.
Of course, he does not mention how many of those were high risk, and how many low risk. Anyone knowing even a bit about Linux patches will see through the deception: Linux has a huge number of third party applications as well as low risk vulnerabilities that have no damage potential. What should be compared is the number of high risk vulnerabilities vs other high risk vulnerabilities, and that after dividing the vulnerabilities into OS vulnerabilities and application vulnerabilities. Compare OS vs OS, application vs application. For OS vs OS, at least Ubuntu has a lower number of highly and severely critical vulnerabilities.
I do not know when this Microsoft FUD is going to end. Vulnerability counts are a horrible measure of security. Yet they continue to publish their "studies". The only way to protect oneself, I think, is awareness. Get the real facts.

Thursday, January 24, 2008

My encounter with a computer salesman (or justification of my obsession with FUD)

Today, I went to an authorized dealer for HCL computers. I was interested in their offering of a mini-laptop just like the Asus EEE-PC, and it was slightly cheaper to boot (costing about 14,000 Rs + taxes for the 2 GB model against Rs 15,900 approx for the ASUS EEE PC 4 GB model; I intended to use a 2GB pen drive to make up for the difference in storage). I also had to help a colleague of mine make a purchase of a cheap desktop for his office. So I asked the shop manager about the laptop. Imagine my surprise when he began dissing the product, saying that it was good for nothing but opening MS Office (yes, MS Office, this is not a typo) or surfing the internet. Now, I am getting a little ahead of myself. Let me put it the way it happened (I may have missed something because I was in a red mist by the end, and the exact wordings may have been a little different):
Me: When are you stocking the lightweight 7" computer ?
Dealer: We will have that, but we also have a better laptop (proceeds to point out the specifications of a 47,000 Rs laptop running Windows Vista).
Me: I am more interested in that particular laptop I was talking about, the 7" one. By the way, which Linux does it run?
Dealer: It runs on Linux.
Me: I know, but which one? There are quite a few, you know.
Dealer: I do not know. Perhaps Red Hat. And why do you want that model. That is useless. That will be released in February. That will only run MS Office and surf the internet, nothing more. You cannot do anything more with that. Do you know how much hard drive capacity you need? That has only 20 GB or so, you cannot do anything else.
Me: Open Office, you mean?
Dealer: That model is not worth it, buy good laptops. That model is just for show, nobody will buy that.
Me: If I am concerned about the storage, I will just buy an external hard drive and still will have a laptop costing less and which is more mobile. And I know what I can do with it. By the way, the computer which your company is copying, the Asus PC, is already a superhit in the international market.
Dealer: That laptop is useless (or something of that sort) and is of a low configuration.
Me: Listen, that laptop runs Linux, and it will not need a high configuration probably. It may very well be faster than Vista in one of your costly models.
Dealer: Who cares about Linux. Ask the persons outside, everyone uses Windows. Who will be able to run this laptop?
Me (getting angry): Well, I am interested. And you should know that Linux is just as easy. And you very well know that people don't buy Windows, they pirate it. Tell them about Linux, and force them to buy Windows, they will take Linux.
Dealer: That is not Microsoft's fault. What is Linux doing about that? Whose fault is that?
Me: The customer's fault, for being a thief
Dealer: That is not Microsoft's fault. That is the fault of Linux. What is Linux doing about that? Who runs Linux?
Me: Listen, I could not care less what the other people think, but let me make it clear, it is the customer's fault and the dealer's fault. Both of you are in it together.
Dealer: Who runs Linux?
Me: The community (looking at the quizzical look on his face, still not realizing that he had never heard of the community). The Linux community, everyone, (then realizing that he knew nothing about Linux) RedHat, Ubuntu (I should have said Canonical, would not have made any difference, anyway), Novell, all the companies with the community.
Dealer: That is not Microsoft's fault
Me: (Surprised, not getting his meaning) Linux is Open Source, you know?
Dealer: Not all Linux are Open Source. Open Source does not work. The better Linux are not Open Source.
I just looked at the dealer in amazement. And in my anger, I left the shop and waited outside for my friend to come out, calming myself by means of a cigarette. Of course, he heard the altercation, left the shop and then we went away, amid choice swear words uttered under my breath.
Now, that dealer was just under the influence of FUD. He thinks Windows is the be all and end all of computing, and is afraid of his ignorance about other systems being exposed to the customer. He, in his own ignorance, and narrow minded knowledge of Windows, will be ready to give all this wrong advice to his customers. And when dealers, whom the customers rely on as knowledgeable people, are such, what chance does Linux have in India? Countering FUD is essential if Open Source is to spread.
As for the dealer, he has lost a customer. I will not recommend anyone to his shop because I have understood what his limitations are. I also know that he does not know much about the products he is selling (imagine calling a 2GB SSD drive a 20 GB drive, or putting MS Office in Linux). If I have to buy the HCL laptop, I will buy from somewhere else, or will wait for the Asus EEE PC to reach Pondicherry.

Wednesday, January 23, 2008

Ten Common Security Myths

While browsing and in discussion with friends, I have come across many misconceptions regarding security. Some of them are planted by the marketing division of software companies, some are the result of fanboyism and some are due to plain ignorance. The following are some of the most common:

Myths regarding the OS:

  • Windows is insecure because of its popularity : Perhaps the most widely repeated myth, since it was propagated by Microsoft to lessen the perception of its own failures. The older Windows was insecure because it was not a multi-user system with privilege protection. Windows XP is insecure because the user runs as administrator by default, with the additional burden of ActiveX. Windows Vista has been made far more secure, and it is highly unlikely to face, to the same extent, the security problems that dogged its predecessors.

  • Vista is the most secure OS ever : However, once Microsoft does something even partially right, its marketing machine goes into overdrive. Microsoft Vista is the most secure version of Windows for the desktop, but it lags behind many Linux distros or BSDs as far as the implementation of its security features is concerned. User Account Control with protected mode offers incomplete security, and can be bypassed. Linux users have a one click system to reduce the user-days-of-risk for all software. Furthermore, Linux and BSDs have a more transparent security process which greatly aids security. For a more detailed discussion of Linux vs Windows security, look here.

  • If you use Linux, you cannot be compromised : It is true that many Linux distros are more secure than Windows, but that does not make it impregnable to intrusion. The truth is that Linux is insecure if improperly used, some Linux distros do use insecure defaults, and it would be a betrayal of the ideals of transparency and openness if such a fact were to be obfuscated from a new user by blatant fanboyism. The security of a system depends primarily on the user, and if any user forgets patches or is caught off guard, his or her system may be destroyed. There are too many web server exploits to even think of saying that Linux is inviolable.

  • For total safety, you need anti-viruses on Linux : Linux desktop clients operate in a much less hostile environment than Windows. The diverse environment of Linux is itself protective. There are as yet no widespread Linux viruses. Furthermore, the viruses need root permission to run. Now, if you are going to run an untrusted program as root, then the major vulnerability of your system resides in you. As yet, there is no need for a Linux anti-virus; just keep the basics right, i.e. do not run untrusted programs as root (in fact, do not use root at all other than for updating your system or very essential work), keep your software up to date, and that is that. Desktop Linux does not need (and probably won't need, at least in the near future) any anti-viruses.

  • Keeping up to date with all the vendor patches will keep you secure against vulnerabilities : While this is true for most Linux distributions with programs downloaded from their repositories, it is certainly not true for Windows. You have to update each and every non-Microsoft program individually in order to be safe. In fact, some of the biggest exploits in the recent past have targeted non-Microsoft software. Do yourself a favor if you are using Windows: download Secunia Personal Software Inspector and run it regularly. For Linux users, download your software from the repositories; if by any chance the software you need is not present in the repository, make sure to add the source of your software to your software manager, or be sure to update it manually.

Myths regarding measurement of security:

  • A product having a higher vulnerability count is more insecure : As put nicely by Window Snyder, formerly a Senior Security Strategist at Microsoft, presently head of security at Mozilla: “Number of vulnerabilities identified is a function of how many bugs are present, but is probably more influenced by things like who is looking, and how good they are at finding security issues. That makes it a misleading metric.” Vulnerability comparisons between open and closed source products have an added confounding factor in the philosophy of their disclosure, with closed source products commonly hiding internally found vulnerabilities to fix them along with a major update or service pack. What is more important, therefore, is how fast the vulnerabilities were fixed by the vendors and how fast the user downloaded the vendor released patch. Therefore, always ask these two questions: i) Does the vendor release the patches quickly for each and every vulnerability? ii) Does the software have a mechanism by which the vulnerability may be notified to the user and the security updates downloaded and installed simply and fast?

Myths regarding browsers

  • You will be protected from malware/spyware if you use such and such browser : A totally misleading fanboyish statement. Browsers, be it Firefox or Opera, do not intrinsically protect against spyware (even though a majority of the spyware attaches itself through Internet Explorer). The main protection against spyware and other malware is through safe browsing practices and keeping your computer updated. No graphical browser is totally safe. In fact, no software is totally safe, but I am digressing.

Myths regarding Anti-Viruses:

  • An anti-virus having a higher detection rate is always a better anti-virus : Not necessarily. While a high detection rate is a necessary feature of a good anti-virus, other features like the number of false positives, features like boot time scanning, proactive network and e-mail scanning and consumption of system resources are also important indicators. The choice of anti-virus has to be made keeping all these features in mind.

  • Two anti-viruses are better than one : Using more than one anti-virus causes extra consumption of system resources, software conflicts, system instability and crashes, i.e. precisely the same things you were trying to prevent when you installed the anti-virus in the first place. There are chances of false positives from one anti-virus scanning another. Besides this, an extra anti-virus will increase the vulnerability footprint of your system. If you already use a good anti-virus, a second one will not increase the detection rate by much, but may cause more harm than good.

  • Keeping an updated anti-virus and anti-spyware with regular scanning is enough to keep you secure : Anti-viruses and anti-spyware are one of the last lines of defense, but the primary defense is the user. Anti-viruses and anti-spyware are actually flawed security tools, depending on a blacklist of signatures (Good security is whitelist based, rather like a firewall passing only packets that are explicitly defined, and blocking all others). Therefore, some viruses or worms will be missed by even the best of these tools. Furthermore, antiviruses certainly do not help you in the event of phishing. Computer attacks have become increasingly sophisticated, and anti-viruses and anti-spyware (even though they remain important) increasingly find themselves on the fringe of the action.

Tuesday, January 22, 2008

FUD from Techworld, and Secunia's numbers

I came across an article in Techworld which discussed a Secunia report. The story ran with the title: "Red Hat and Firefox more buggy than Microsoft". Now, on reading the report by Secunia, it is amply clear that the window of exploitation is shorter for Firefox, and Secunia also makes it clear that on an OS-to-OS comparison, Red Hat has far fewer bugs than Windows, with most of the security flaws residing in third party software. Therefore, if a proper comparison was to be made on the basis of the Secunia report, it would have meant that Firefox was more secure, as they patched vulnerabilities quicker, and that the Red Hat operating system was less buggy. The article by Techworld therefore should be read with more than a pinch of salt, even though they actually clarify things later in the article. The definition of a "zero day bug" is also, I feel, wrong. A zero day is one which is exploited before the patch is out. A mere report of a vulnerability does not constitute a zero day exploit. By this definition, Internet Explorer should have 2 zero day exploits and Firefox, none.
I also have an issue with the numbers quoted by Secunia in the report. Now, I have done quite a comprehensive analysis of the vulnerability counts between Windows and Linux, specifically Ubuntu. The number of vulnerabilities quoted for Windows seems to be very high, and I think they have added the numbers of Vista and XP with Server 2003 thrown in for Windows. The chart of the Secunia Report is by itself misleading. For me, an OS should not contain the browser or the mail client, and the numbers of separate Operating Systems like XP or Vista should be mentioned separately. The number of vulnerabilities of RedHat OS also seems to be skewed. Are they counting the Linux Kernel as a third party application? It certainly seems so, because there are a large number of kernel vulnerabilities (none of them highly or extremely critical, by the way). I myself had done a comparison of the highly and extremely critical vulnerabilities between Vista and Ubuntu Dapper, with Secunia's statistics. While Ubuntu certainly had fewer vulnerabilities, Vista certainly did not have 100 vulnerabilities, even with Internet Explorer and Mail included. I would certainly like an explanation from Secunia about their numbers.
Other interesting topics in the Secunia report dealt with the number of zero day vulnerabilities. It would have been interesting if all the vulnerabilities were detailed, since I had done an article about the zero day bugs of 2007 affecting desktops. However, the interesting point that is seen is that the number of zero day attacks have gone down for Microsoft products. Attackers are also targeting third party apps more and more.
Furthermore, the Secunia report also points out that third-party applications were the ones most likely to remain unpatched, thus raising the risk level for the user. In this scenario it is essential to have a framework by which third-party applications can be patched easily. Linux users are lucky: they have apt-get, which is THE killer application as far as security is concerned, and this is one of the main reasons why Linux users are more secure than Windows users. Sadly, Windows lacks a proper tool to do that in a single click. Secunia Personal Software Inspector goes a long way towards actually finding the vulnerable software, though, and is a must-have for any security-conscious Windows user.
The final word about vulnerability count measurements should, however, go to Window Snyder, formerly of Microsoft, now of Mozilla: "Counting security vulnerabilities to compare the security of different software projects is flawed. It is only a useful metric if you are comparing a project to itself over time." And the classic: "Number of vulnerabilities identified is a function of how many bugs are present, but is probably more influenced by things like who is looking, and how good they are at finding security issues. That makes it a misleading metric."
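As an added illustration of why the counts depend on the definitions used (this is example code written for this page, not anything from Secunia, Techworld or the original post), the script below takes a constructed set of advisory records, buckets them by NVD's CVSS v2 severity ranges, and counts zero days under the post's definition (exploited in the wild before a patch existed) and under the looser reading (public before a patch existed), alongside the exposure window from disclosure to patch. The product names, scores and dates are made up for the example.

```python
"""Vulnerability-count metrics that change with the definitions used.

Added example for this post; not code from the original page. The
advisory records below are constructed for illustration and are not
real CVEs, dates or vendors.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    product: str
    cvss_base: float            # CVSS v2.0 base score, 0.0 - 10.0
    disclosed: date             # first public disclosure (advisory or report)
    patched: Optional[date]     # vendor fix available; None = still unpatched
    exploited: Optional[date]   # first in-the-wild exploitation seen; None = never
    found_internally: bool      # found by the vendor's own QA/audit


def severity(cvss_base: float) -> str:
    """NVD's CVSS v2 buckets: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS v2 base score out of range: {cvss_base}")
    if cvss_base >= 7.0:
        return "high"
    if cvss_base >= 4.0:
        return "medium"
    return "low"


def is_zero_day_strict(a: Advisory) -> bool:
    """The post's definition: exploited in the wild before a patch existed."""
    return a.exploited is not None and (a.patched is None or a.exploited < a.patched)


def is_zero_day_loose(a: Advisory) -> bool:
    """The looser reading the post objects to: publicly known before a patch
    existed, whether or not anyone actually exploited it."""
    return a.patched is None or a.disclosed < a.patched


def exposure_days(a: Advisory, today: date) -> int:
    """Window of exploitation: days from disclosure until the patch (or until today)."""
    return ((a.patched or today) - a.disclosed).days


def summarize(advisories, today: date) -> dict:
    """Per-product counts under each definition, for side-by-side comparison."""
    per_product: dict = {}
    for a in advisories:
        s = per_product.setdefault(a.product, {
            "total": 0, "internal": 0, "external": 0,
            "high": 0, "high_external": 0,
            "zero_day_strict": 0, "zero_day_loose": 0,
            "_exposure": [],
        })
        s["total"] += 1
        s["internal" if a.found_internally else "external"] += 1
        if severity(a.cvss_base) == "high":
            s["high"] += 1
            if not a.found_internally:
                s["high_external"] += 1
        s["zero_day_strict"] += int(is_zero_day_strict(a))
        s["zero_day_loose"] += int(is_zero_day_loose(a))
        s["_exposure"].append(exposure_days(a, today))
    for s in per_product.values():
        s["median_exposure_days"] = median(s.pop("_exposure"))
    return per_product


# Constructed sample (hypothetical products): "browser-x" publishes its
# internally found fixes, "browser-y" publishes only externally reported bugs.
AS_OF = date(2008, 12, 19)
SAMPLE = [
    Advisory("browser-x", 9.3, date(2008, 2, 7), date(2008, 2, 7), None, True),
    Advisory("browser-x", 6.8, date(2008, 3, 25), date(2008, 3, 25), None, True),
    Advisory("browser-x", 9.3, date(2008, 4, 10), date(2008, 4, 16), None, False),
    Advisory("browser-x", 4.3, date(2008, 7, 1), date(2008, 7, 16), None, False),
    Advisory("browser-x", 7.5, date(2008, 11, 12), date(2008, 11, 12), None, True),
    Advisory("browser-y", 9.3, date(2008, 1, 15), date(2008, 2, 12), date(2008, 1, 20), False),
    Advisory("browser-y", 9.3, date(2008, 12, 9), date(2008, 12, 17), date(2008, 12, 9), False),
    Advisory("browser-y", 5.0, date(2008, 6, 10), date(2008, 6, 10), None, False),
]

if __name__ == "__main__":
    for product, stats in summarize(SAMPLE, AS_OF).items():
        print(product, stats)
```

On the constructed data, browser-x has more published vulnerabilities (5 against 3) but no strict zero days and a median exposure window of zero days, while browser-y has fewer published bugs, two strict zero days and a longer window; that is exactly the inversion the post argues a raw count hides. The loose reading gives both products the same zero-day count (2), which is why the definition matters.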

Monday, January 21, 2008

Sorry for not posting for a few days

I have been quite busy with my work and have not been able to post for a few days. I am sorry for that. I will remain busy until about the 25th of this month, and do not really think I will be able to post anything before that. I apologize once again.
Nilotpal
Edit: Made redundant by Techworld's FUD

Thursday, January 17, 2008

Does OpenOffice have an unfair notoriety as a performance hog?

The OpenOffice.org suite is an adequate office suite for many people. However, it has been dogged by accusations of performance bloat. Some studies have found that it was slower and performed worse than MS Office. However, some of these studies were done on a spreadsheet of unnaturally large size, and comparisons of the word-processing components have been missing. I have shown in my previous articles that Writer (the word processor of OpenOffice.org) is faster at loading files than Microsoft Word 2007, and that Calc (the spreadsheet component of OpenOffice.org) is also faster than Microsoft Excel 2007 at opening files under certain conditions. In the light of these findings, is it fair to consider OpenOffice.org a performance hog?

To further study the relative performance of MS Office 2007 and OpenOffice.org 2.3, I used Sysinternals Process Explorer to make a detailed analysis of how much processor and memory resource each Office application used in opening equivalent files in its own native format. For opening documents, Writer was found to be uniformly more resource efficient than Microsoft Word 2007.

For opening spreadsheets, at initial startup and for large files, Microsoft Excel 2007 was more resource efficient than OpenOffice.org Calc. For small to moderately large files (the sizes of most real-world use), the resource consumption of Calc and Excel was very close, with Calc having a slight upper hand in both processor and memory resources. For extremely large files like those provided by George Ou, Excel substantially outperforms Calc in all respects (total time 23 vs 68 seconds, memory consumption, and page faults: 24.8K vs 42.8K).

For presentations, while Microsoft Office had the better performance on initial startup with a blank presentation, when actual presentations were loaded OpenOffice.org Impress had the upper hand over Microsoft PowerPoint. The results are given in the chart and tables below; details of the test files are given at the bottom.

Therefore, if the word-processing, spreadsheet and presentation components are all considered, the OpenOffice.org suite actually enjoys a slight performance advantage over Microsoft Office (much better in word processing, slightly worse in spreadsheets, better in presentations). It is therefore surprising that OpenOffice.org is seen as bloated and a performance hog while Microsoft Office is not. In fact, both are quite efficient programs in most real-world situations, and the choice between them has to be made on a price/feature comparison. While it is true that OpenOffice.org Calc is slow at loading enormous spreadsheets, Microsoft Word also has issues with large documents. In fact, I think Microsoft Word handling large documents is a worse resource hog than OpenOffice.org Calc handling enormous spreadsheets, but I will leave that for a separate post. Therefore, do not fall for the statement that OpenOffice.org is more bloated. Those statements stem either from ignorance or from FUD. Both are dangerous.




Run                        Kernel Time    User Time     Total Time
writer startup                  1.98          1.16           3.14
word startup                    1.31          2.23           3.55
writer small file               0.5           2.67           3.17
word small file                 0.58          3.5            4.08
writer large file               1.09         58.2           59.3
word large file                 9.23   33min 18.7s    33min 27.9s

Calc Startup                    1.09          1.09           2.19
Excel Startup                   0.23          0.3            0.53
Calc Small File                 0.5           2.02           2.52
Excel small file                0.72          3              3.72
Calc Large File                 0.55          4.86           5.41
Excel Large File                0.69          3.53           4.22

Impress Startup                 1.44          1.34           2.78
Powerpoint startup              0.39          0.56           0.95
Impress file                    0.7           2.58           3.28
Powerpoint file                 0.88          3.53           4.41
Impress Large file              0.86          5.75           6.61
Powerpoint Large File           1.81         13.72          15.53

Table 1: Time taken (in seconds, unless stated otherwise) by OOo and MS Office to completely open the test files. For details of the different files, see below Table 2.



Run                     Pr M (K)   Peak Pr M (K)   Page faults   Ph M (K)   Peak Ph M (K)
writer startup             24788           24792         16918      46468           47424
word startup               53196           55404         27860      63668           65864
writer small file          31148           31184         16445      54480           54480
word small file            56312           56324         21518      81100           81100
writer large file          51588           51620         23822      74720           74728
word large file            65040           69812         50830      92952           94704

Calc Startup               23228           23236         12408      44084           44084
Excel Startup               9472            9472          3903      14576           14576
Calc Small File            31542           31550         16367      53908           53912
Excel small file           52608           52608         16593      62452           62452
Calc Large File            35500           35508         18060      57984           57988
Excel Large File           52944           53020         17985      64288           64288

Impress Startup            30488           30496         17412      51960           52684
Powerpoint startup          8676           10468          7135      17180           18728
Impress file               35228           35900         22366      61196           61516
Powerpoint file            59372           60908         21533      74260           75656
Impress Large file         39496           40064         24439      70064           70352
Powerpoint Large File      90120           90120         34888     104984          104984

Table 2: Showing Memory performance of OOo and MS Office



Explanation and details:

Startup: Initial Startup after boot

Word and Writer Small File: A 30 pg document in .docx and .odt formats.

Word and Writer Large File: A 1200 pg document in .docx and .odt formats.

Excel and Calc Small File: This was a workbook having three sheets, each sheet having 256 rows and 13 columns written. (in .xlsx and .ods formats)

Excel and Calc Large file: A workbook having three sheets, but having 4096 rows and 13 columns written on each spreadsheet. The first 256 rows of the small file were copied and pasted 16 times in succession.(in .xlsx and .ods formats)

Impress and Powerpoint File: A 37 slide presentation taken from the internet http://depts.washington.edu/pccm/DIC.ppt

Impress and Powerpoint Large File: The 37 slides from the above presentation copied and pasted 3 times in the same file to make it a 148 slide presentation. (The presentation file was changed to .odp and .pptx)

Abbreviations: Pr M: private memory; Ph M: physical memory; K: thousands (the memory figures are in bytes x 1000).
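The figures in Tables 1 and 2 were read off Sysinternals Process Explorer by hand. As an added example (not the post's own method or tooling), the harness below collects the same three CPU figures, kernel time, user time and their total, plus peak resident memory, for any command that opens a file and exits, and kills the child if it runs past a time limit, which matters when a single large document can take half an hour to open. It relies on os.wait4(), so it is Unix-only; the command it times is whatever you pass in, and the headless-converter invocation mentioned in the comments is an assumed example, not something verified here.

```python
"""Measure a child process's kernel time, user time and peak memory.

Added example, not the post's own method: the post used Sysinternals
Process Explorer on Windows to read these figures. This harness uses
os.wait4(), so it is Unix-only (Linux, macOS); the command and test file
are whatever the caller passes in.
"""
import os
import subprocess
import sys
import threading
import time

PYTHON = sys.executable  # interpreter used for the stand-alone demo run


def measure(cmd, timeout_s=60.0):
    """Run cmd to completion (or kill it after timeout_s) and return its
    wall-clock, user and kernel CPU seconds, peak resident memory and exit status."""
    timed_out = threading.Event()
    start = time.monotonic()
    proc = subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

    def _kill():
        timed_out.set()
        proc.kill()

    killer = threading.Timer(timeout_s, _kill)
    killer.start()
    try:
        # wait4 reaps the child and returns its rusage in the same call
        _, status, ru = os.wait4(proc.pid, 0)
    finally:
        killer.cancel()
    wall = time.monotonic() - start

    if os.WIFSIGNALED(status):
        exit_code = -os.WTERMSIG(status)   # negative = killed by a signal
    else:
        exit_code = os.WEXITSTATUS(status)
    proc.returncode = exit_code            # tell Popen the child is already reaped

    # ru_maxrss is kilobytes on Linux but bytes on macOS
    max_rss_kb = ru.ru_maxrss // 1024 if sys.platform == "darwin" else ru.ru_maxrss
    return {
        "command": list(cmd),
        "wall_s": round(wall, 3),
        "user_s": ru.ru_utime,
        "kernel_s": ru.ru_stime,
        "total_cpu_s": ru.ru_utime + ru.ru_stime,
        "max_rss_kb": max_rss_kb,
        "exit_code": exit_code,
        "timed_out": timed_out.is_set(),
    }


def format_table(rows):
    """Render (label, result) pairs in the layout of the post's Table 1 (seconds)."""
    lines = [f"{'run':<28}{'kernel':>10}{'user':>10}{'total':>10}{'peak RSS (K)':>14}"]
    for label, r in rows:
        lines.append(f"{label:<28}{r['kernel_s']:>10.2f}{r['user_s']:>10.2f}"
                     f"{r['total_cpu_s']:>10.2f}{r['max_rss_kb']:>14}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python measure.py <command...>, e.g. a headless converter opening a
    # test document (assumed, not verified here): soffice --headless --convert-to pdf big.odt
    # With no arguments it times a small CPU-bound Python child instead.
    cmd = sys.argv[1:] or [PYTHON, "-c", "sum(range(3000000))"]
    print(format_table([(" ".join(cmd)[:27], measure(cmd))]))
```

Timing a whole command this way captures the application's startup cost as well as the file load, which is the same confound the post notes for Calc's slow initial startup; run a blank-document baseline first and subtract it if you want the per-file figure alone.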




Monday, January 14, 2008

MS Excel 2007 vs OOo Calc 2.3: Which is faster?

Calc, the spreadsheet program of the OpenOffice.org Office suite, has often been ridiculed for being slow in opening spreadsheets. On the other hand, Microsoft Excel has been praised for being fast and less bloated. How far is this perception grounded in reality?

To find the answer to the above question, I measured the initial startup time (the time taken to load a blank workbook after booting), the subsequent startup time for loading a blank workbook, and then the load times for workbooks of varying sizes, ranging from those having just one sheet filled with data to those having 21 sheets. The results were rechecked twice (after rebooting). Two corresponding sets of workbooks were made for this purpose, .xlsx for MS Excel and .ods for OOo Calc. Details of the workbooks and the load times for the applications are given later in the post.

The test machine was the same one on which the previous comparison of MS Word and OOo Writer was done, i.e. a machine with an AMD Athlon 3000+ CPU, 1 GB of 400 MHz DDR RAM and an Nvidia GeForce 6200 LE graphics card, running Microsoft Windows XP SP2. AVG 7.5 Free antivirus was also running during the tests.

Initial startup was faster for Excel (5.2 seconds vs 12.2 seconds). Excel also loaded a blank workbook faster on subsequent startup (1.2 vs 2.5 seconds).

However, after a blank file had been opened (and closed), Calc opened workbooks containing data faster than Excel. Only when the datasets grew very large did Excel outperform Calc (e.g. a workbook with 4096 rows of data per sheet, or workbooks with 12 or more sheets of 1024 rows each). Thus, contrary to popular perception, Calc is faster than Excel over a wide data range on repeated use.







Note: In the chart above, "sheets" refers to the number of data sheets present in the test workbook, and the numbers represent the number of rows and columns of data in each sheet.

Therefore, it is disingenuous to suggest that Calc is significantly slower than Excel. There have been articles in which Calc was found to be poorer at loading files of gigantic size; however, for more normal use Calc more than holds its own against Excel. The main area of concern is the relatively slow initial startup. The developers are aware of this issue, and work is currently being done to improve the performance of OpenOffice.org.

It is also to be noted that the chart shows the load times after a blank file had been opened and closed. If the data files were opened immediately after startup, the first file would load much more slowly in Calc because of the wide difference in initial startup time; the performance would return on subsequently opening the files. Checking each file individually on boot would require at least 78 reboots on my part (I check every result twice). Sorry, I am not able to do that.

I will repeat what I said in my last post: a few seconds here and there are not enough reason for selecting a platform. Office suites are a very important part of our working lives, and it is necessary to make an informed decision based on the features (and the cost) one requires. Much as I admire MS Office for being feature rich, I have not yet found a single essential feature that would make me dump OpenOffice.org and part with my money. For others, it may very well be different.

The Test Workbooks: The smallest test workbook had just one sheet with data written over 256 rows and 13 columns (256 x 13). The details of this and the other workbooks, with load times after initial startup (all times in seconds), are:

Workbook no.   Sheets with data   Rows x columns with data   MS Excel 2007   OOo Calc 2.3   Faster
1                     1                 256 x 13                  4.2             3.1        Calc
2                     2                 256 x 13                  4.2             3.1        Calc
3                     3                 256 x 13                  4.2             3.1        Calc
4                     3                 512 x 13                  4.2             3.1        Calc
5                     3                1024 x 13                  4.2             3.7        Calc
6                     3                2048 x 13                  4.3             4.3        Equal
7                     3                4096 x 13                  4.7             5.7        Excel
8                     6                 256 x 13                  4.2             3.1        Calc
9                     9                 256 x 13                  4.2             3.5        Calc
10                   12                 256 x 13                  4.2             3.7        Calc
11                   15                 256 x 13                  4.3             3.9        Calc
12                   18                 256 x 13                  4.5             4.1        Calc
14                   21                 256 x 13                  4.7             4.3        Calc
15                    6                 512 x 13                  4.7             3.5        Calc
16                    9                 512 x 13                  5.0             4.2        Calc
17                   12                 512 x 13                  5.3             4.7        Calc
18                   15                 512 x 13                  5.5             5.0        Calc
19                   18                 512 x 13                  5.7             5.3        Calc
20                   21                 512 x 13                  6.1             6.1        Equal
21                    6                1024 x 13                  5.0             4.6        Calc
22                    9                1024 x 13                  5.5             5.3        Calc
23                   12                1024 x 13                  6.0             6.2        Excel
24                   15                1024 x 13                  6.5             6.9        Excel
25                   18                1024 x 13                  7.1             7.7        Excel
26                   21                1024 x 13                  7.5             8.7        Excel

The two time columns give the time taken to load each workbook, in seconds. The "Faster" column records which application loaded the workbook faster (Calc, Excel, or Equal when both took the same time); it stands in for the colour coding of the original table.


Related post: Open Office Writer 2.3 is faster than MS Word 2007