The Annual US-CERT FUD Festival 152
Joe Barr writes "Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux. Pamela Jones did a similar report at Groklaw over the weekend." From the article: "One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux. The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro, and one could say the same about the various versions of Windows. That's why it is a completely meaningless exercise to discuss those totals as if they present an accurate picture of the relative security of Windows and Linux. " We've reported on the US-CERT list already this year. NewsForge is a sister site to Slashdot.org, both of whom are owned by OSTG.
Skewed? Oh yeah... (Score:5, Interesting)
Re:Should Compare A Single Version Of Windows Too (Score:3, Interesting)
Re:Downright Disingenuous (Score:3, Interesting)
Coming from the same government that denuded a slam dunk settled lawsuit against Microsoft? PuhLEASE!
Re:Downright Disingenuous (Score:4, Interesting)
then you need to consider the fact that x86 linux has a different kernel than PPC linux. And what about all the people running 2.4.x versus 2.6.x versus everyone still running older versions, still?
What about the fact that if a version of apache has some flaw that it [generally] affects the entire Apache installbase of that version. Whether it's BSD, Linux, OSX, Windows or BeOS. I say "generally" because some flaws may only affect x86 versions or PPC versions exclusively due to endian issues and ways that the kernels handle the stack and whatnot.
There really is no fair way of gauging and quantifying the number of flaws found in computers per-OS unless you go by installation package. Make lists of XP, make lists of win2k, make lists for OSX (10.2, 10.3 and 10.4 as well as server), make a list for each distro and every installation type for each of the lastest couple of versions. Sure it's a lot of work... but at least it'll be more accurate.
Re:Should Compare A Single Version Of Windows Too (Score:3, Interesting)
For instance, Windows has 2 distinct kernel families, Win9X and WinNT. Linux has 1. Within each of these families there is then versioning, Win95, Win98, WinME, WinNT, Win2k, WinXP, 2.4, 2.6, etc.
Beyond that, it appears that all Windows versions share things like GDI.dll (WMF, anyone?) while all Linux versions share things like glibc. Some are distinct, like Linux modutils, and I've heard that Windows has similar, but can't enumerate.
Then there are applications on top of both, both bundled with the OS, and not.
The CERT numbers are a mess, a disservice to all.