
The Annual US-CERT FUD Festival

Joe Barr writes "Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux. Pamela Jones did a similar report at Groklaw over the weekend." From the article: "One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux. The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro, and one could say the same about the various versions of Windows. That's why it is a completely meaningless exercise to discuss those totals as if they present an accurate picture of the relative security of Windows and Linux." We've reported on the US-CERT list already this year. NewsForge is a sister site to Slashdot.org, both of which are owned by OSTG.
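One way to see the over-counting the article describes, as an added example that is not code from the article, from NewsForge or from US-CERT: the advisory records and the VULN-nnnn identifiers below are constructed placeholders, and the two buckets are an assumption chosen to mirror the summary's "Windows" and "Unix/Linux" totals. The same upstream flaw in a shared component (an httpd bug, say) produces one advisory per distro that ships it, so a tally of advisories per bucket grows with the number of distros, while the exposure of any single installed system does not.

```python
"""Added example: how a bucketed vulnerability tally over-counts.

Illustrative code written for this page, not part of the US-CERT summary or
the NewsForge article. The records and VULN ids are constructed placeholders.
"""
from collections import defaultdict

# Constructed records: (vulnerability id, affected product).
# VULN-0101 is one upstream flaw in a component shipped by four distros,
# so it appears four times in the "Unix/Linux" bucket.
ADVISORIES = [
    ("VULN-0001", "Windows XP"),
    ("VULN-0001", "Windows 2000"),
    ("VULN-0002", "Windows XP"),
    ("VULN-0101", "Debian"),
    ("VULN-0101", "Red Hat"),
    ("VULN-0101", "SUSE"),
    ("VULN-0101", "FreeBSD"),
    ("VULN-0102", "Debian"),
    ("VULN-0103", "Red Hat"),
]

# Assumed bucketing, modelled on how the press reads the summary.
BUCKETS = {
    "Windows": {"Windows XP", "Windows 2000"},
    "Unix/Linux": {"Debian", "Red Hat", "SUSE", "FreeBSD"},
}


def bucket_of(product):
    """Map a product name to its bucket; unknown products are an error."""
    for name, members in BUCKETS.items():
        if product in members:
            return name
    raise ValueError(f"unbucketed product: {product}")


def advisory_count(bucket):
    """Naive tally: one hit per (vulnerability, product) pair.

    This is the number a headline quotes, and it scales with how many
    products the bucket contains rather than with how buggy any of them is.
    """
    return sum(1 for _, p in ADVISORIES if bucket_of(p) == bucket)


def unique_vuln_count(bucket):
    """De-duplicate by vulnerability id across the whole bucket."""
    return len({v for v, p in ADVISORIES if bucket_of(p) == bucket})


def per_product_unique():
    """Unique vulnerabilities per product: what one installed system faces."""
    seen = defaultdict(set)
    for v, p in ADVISORIES:
        seen[p].add(v)
    return {p: len(s) for p, s in seen.items()}


def worst_product_in(bucket):
    """Largest per-product count in the bucket.

    An upper bound on any single system's exposure, and the only figure
    here that is comparable between buckets of different sizes.
    """
    return max(n for p, n in per_product_unique().items() if bucket_of(p) == bucket)


if __name__ == "__main__":
    for b in BUCKETS:
        print(f"{b:11s} advisories={advisory_count(b)} "
              f"unique={unique_vuln_count(b)} worst_single_product={worst_product_in(b)}")
```

With these constructed records the advisory tally reads 3 for Windows against 6 for Unix/Linux, the de-duplicated count reads 2 against 3, and the worst single product in either bucket is exposed to 2. Only the last figure says anything about a system you could actually deploy, which is the article's point about comparing per-distro rather than per-bucket totals.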

  • Skewed? Oh yeah... (Score:5, Interesting)

    by fak3r ( 917687 ) on Friday January 06, 2006 @11:45AM (#14409257) Homepage
    Considering Linux is a kernel, to say there were 1000s of bugs against Linux is silly. Let's see how many were against the Linux kernel vs. all the userland apps that don't touch anything system level. Now I'll admit bugs show up, and I think that's Open Source's strength; there's constantly people combing over the code finding f'd up stuff that no one would think to look at. This is only achieved through constant gazing at the source code, whereas with Windows a bug is usually found out after it's a vuln. Also, I'm happy that MS patched the issue so quickly, even if they were beaten to the punch; perhaps they'll take things (security) more seriously now that they're pushing 'trusted computing'. Not that I care that much, I'm sold on Linux, OS X on the desk and FreeBSD on the server, but I did play with ReactOS the other night, and see a future for x-Windows folks who don't want to lose Windows compat when XP support goes away...
  • by theonlyholle ( 720311 ) on Friday January 06, 2006 @11:50AM (#14409304) Homepage
    In principle, you are right - but you will have to agree that lumping say 4 or 5 versions of Windows together is an order of magnitude less stupid than lumping say 100 distros of Linux, plus assorted flavors of Unix (including MacOS) together...
  • by greg_barton ( 5551 ) * <greg_barton@yaho ... m minus math_god> on Friday January 06, 2006 @11:53AM (#14409322) Homepage Journal
    I honestly expected better from the CERT folks. I don't know why, but I really did.

    Coming from the same government that denuded a slam dunk settled lawsuit against Microsoft? PuhLEASE!
  • by MyDixieWrecked ( 548719 ) on Friday January 06, 2006 @12:29PM (#14409643) Homepage Journal
    Whether "different" OSes should be lumped together is another discussion entirely (how "different" are they if they have the same kernel?)

    then you need to consider the fact that x86 linux has a different kernel than PPC linux. And what about all the people running 2.4.x versus 2.6.x versus everyone still running older versions, still?

    What about the fact that if a version of apache has some flaw that it [generally] affects the entire Apache installbase of that version. Whether it's BSD, Linux, OSX, Windows or BeOS. I say "generally" because some flaws may only affect x86 versions or PPC versions exclusively due to endian issues and ways that the kernels handle the stack and whatnot.

    There really is no fair way of gauging and quantifying the number of flaws found in computers per-OS unless you go by installation package. Make lists of XP, make lists of win2k, make lists for OSX (10.2, 10.3 and 10.4 as well as server), make a list for each distro and every installation type for each of the latest couple of versions. Sure it's a lot of work... but at least it'll be more accurate.
  • by dpilot ( 134227 ) on Friday January 06, 2006 @12:34PM (#14409685) Homepage Journal
    For the moment, I'm going to lump a response to this together with the "Skewed? Oh yeah..." thread (http://it.slashdot.org/comments.pl?sid=173159&cid=14409257) and say that it would be interesting to have a little better detail - for Windows and Linux both.

    For instance, Windows has 2 distinct kernel families, Win9X and WinNT. Linux has 1. Within each of these families there is then versioning, Win95, Win98, WinME, WinNT, Win2k, WinXP, 2.4, 2.6, etc.
    Beyond that, it appears that all Windows versions share things like GDI.dll (WMF, anyone?) while all Linux versions share things like glibc. Some are distinct, like Linux modutils, and I've heard that Windows has similar, but can't enumerate.

    Then there are applications on top of both, both bundled with the OS, and not.

    The CERT numbers are a mess, a disservice to all.
