Vulnerability Numerology - Defective by Design? 103
rdmreader writes "RDM has a point by point disassembly of the security vulnerability story phenomenon. We regularly see these, comparing various vulnerability lists for different operating systems. ZDNet's George Ou, for example, condemns Linux and Mac OS X by tallying up reported flaws and comparing them against Microsoft's. What he doesn't note is that his source, Secunia, only lists what vendors and researchers report. Results selectively include or exclude component software seemingly at random, and backhandedly claims its data is evidence of what it now tells journalists they shouldn't report. Is Secunia presenting slanted information with the expectation it will be misused?"
About Secunia (Score:4, Interesting)
No, it just lists vulnerabilities. But it also lists them AND presents these two important things: (a) the importance of the vulnerability, and (b) whether or not it can be triggered through the network or not (local/remote vulnerability).
Furthermore, it separates Windows vulnerabilities in system and application vulnerabilities, if memory serves well. It's not able to do that with Linux, since different Linux distros incorporate different applications.
The matrix therefore becomes a lot more complicated. You can have a 'local only' problem (meaning: no remote exploitation) which can be considered as 'critical' on some Linux/BSD systems and not on others. You can have a remotely-exploitable problem which is critical on all systems that have application XYZ installed. But if I don't install XYZ (or if it's not activated by default) on my PC, I don't have a problem. And so on and so forth.
Which is why people that point at Linux/Mac and say: "Aha! More insecure than Windows!!" are not truly honest: I have Linux and OpenBSD machines with up-to-date SSH servers, no users, a good password, and no other network service running. These machines are almost perfectly secure -- except when it comes to an OpenSSH vulnerability -- even though there are plenty of applications on them that could be considered obsolete or vulnerable... if you can gain local access in the first place. The only point of vulnerability is OpenSSH. And I update it religiously.
All in all, don't blame Secunia: blame people (especially journalists) who know nothing about security and jump on meaningless numbers pulled out of thin air to blame Linux.
Said it a thousand times. (Score:3, Interesting)
Where is the MacOS X malware? (Score:2, Interesting)
Vulnerability Counts: Humorous, Not Useful (Score:3, Interesting)
Over the years, there's nearly one flaw in the methodology for every one of these surveys ever released:
* Counting vulnerabilities in services installed by default the same as a service that is optional and not frequently enabled
* Subjective rating of impact (mild/severe)
* Treating remote code execution the same when on one system it is as uid nobody, and on the other, it is as administrator
* Ignoring the ease of use of tools that can actually verify a system's integrity (e.g., tripwire with signatures on RO media
and booted off CD)
* Ignoring what a user may have to do to trigger a vulnerability (ie, visit a web page with a malicious image, vs downloading a dmg file, running an install, and giving your password to elevate to root)
* Ignoring how an operating system enables or discourages user stupidity (ie, hordes of useless, "This program wants to do something, yes/no?" vs rare requests for a password)
And on and on and on. The average PC has over 25 different pieces of Malware installed. I know dozens of people with macs, and I don't know anyone who has had a single piece of malware, ever. I've been running linux for 12 years, desktop and server, and I've had two compromises ever, and both were via wu-ftpd.
How about George Ou sucks? (Score:3, Interesting)
See here [cnet.com] for a brief recap of Ou's idiocy (not a word but still).