Vulnerability Numerology - Defective by Design?
rdmreader writes "RDM has a point by point disassembly of the security vulnerability story phenomenon. We regularly see these, comparing various vulnerability lists for different operating systems. ZDNet's George Ou, for example, condemns Linux and Mac OS X by tallying up reported flaws and comparing them against Microsoft's. What he doesn't note is that his source, Secunia, only lists what vendors and researchers report. Results selectively include or exclude component software seemingly at random, and Secunia backhandedly claims its data is evidence of what it now tells journalists they shouldn't report. Is Secunia presenting slanted information with the expectation it will be misused?"
I've never read that site before (Score:2)
Riiight. Mac OS doesn't have libraries. There are no possible library mismatch issues on Mac OS. Okay, buddy, whatever.
Re: (Score:2)
his original post [roughlydrafted.com]
Look, have you ever used a Mac? Shared Libraries are versioned.
A
Re: (Score:2)
Bundles are great, but we are talking about shared libraries! If each package has its own version of the library, they aren't shared, are they? If each program loads its own version and doesn't look at what is
Re: (Score:2)
This isn't a big deal on a modern computer... sharing code was important when you were trying to accommodate 50 people in under a megabyte of memory, but now that everyone has their own individual gigabyte or more, it really doesn't make much difference if ten programs each load their own copy of a 100 kb library into memory, does it?
Er, not that I know how it works but what happens when version X.a till Y.n of that library have a security bug. How do you fix it across all applications?
Uh, no. You don't understand the issue at all. (Score:2)
Shared libraries are either bundled with the OS (with guarantees covering how the versioning will work),
Right. So, application A is developed for system library libFoo1.2.3. But the library has a bug in it. So app A developers write a work around. Now, the system library is patched in an update. Application B is written for this new version, without the workaround. Which do you run, A or B? Because you can't run both. All you've done here is to show your ignorance of the issue. And you don't help matters by claiming "Waste lots of memory" is an answer. Either you are using statically linked libraries and was
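The question raised a few comments up (how you fix a vulnerable library version across every application that carries its own copy) starts with finding those copies. The following is an added example, not code from either commenter: it walks a constructed inventory of per-application library copies and reports the ones whose version falls inside a hypothetical affected range. "libFoo", the paths and the version numbers are all made up for illustration.

```python
"""Find every bundled copy of a library whose version falls in a vulnerable range.

Added example; the inventory below is constructed, and libFoo plus the
affected version range are hypothetical, standing in for the thread's
"libFoo1.2.3".
"""
from __future__ import annotations

import re

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '1.2' or '1.2.3' into a numerically comparable (major, minor, patch) tuple.

    Comparing tuples of ints avoids the classic string-compare bug where
    '1.10.0' sorts before '1.2.0'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str, first_bad: str, first_fixed: str) -> bool:
    """True when first_bad <= version < first_fixed (half-open range)."""
    v = parse_version(version)
    return parse_version(first_bad) <= v < parse_version(first_fixed)


# Constructed inventory: (application, path of its private copy, version).
# In practice this would come from walking application bundles on disk.
INVENTORY = [
    ("AppA", "/Applications/AppA.app/Contents/Frameworks/libFoo.dylib", "1.2.3"),
    ("AppB", "/Applications/AppB.app/Contents/Frameworks/libFoo.dylib", "1.3.0"),
    ("AppC", "/Applications/AppC.app/Contents/Frameworks/libFoo.dylib", "1.2.9"),
    ("system", "/usr/lib/libFoo.dylib", "1.3.1"),
]


def affected_copies(inventory, first_bad: str, first_fixed: str) -> list[tuple[str, str, str]]:
    """Return the inventory rows whose copy of the library is in the bad range."""
    return [row for row in inventory if is_vulnerable(row[2], first_bad, first_fixed)]


if __name__ == "__main__":
    # Hypothetical advisory: libFoo 1.2.0 up to but not including 1.3.1 is affected.
    for app, path, ver in affected_copies(INVENTORY, "1.2.0", "1.3.1"):
        print(f"{app}: {path} ships libFoo {ver} and needs its own update")
```

The point the scan makes concrete is that patching the system copy in /usr/lib fixes exactly one of the four rows; the three applications that vendored the library each need their own release.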
Re: (Score:2)
I'll buy you a pound of spaghetti if you can actually point out anything that was "badly researched, plain wrong, full of proof of assertion" (no dice for "generally insulting to everyone who didn't agree with the author," as that is a bit subjective among pasta/Zune fans.)
Seriously, put up or shut up with the baseless accusations.
The New Apple Patent: WGA Evil or iPhone Knievel? [roughlydrafted.com]
Is it true that Apple is racing to duplicate Microsoft's infamously evil WGA, or is it possib
Re: (Score:2)
He: "I think XP is the best operating system."
Me: "Yeah, SP2 is certainly the best version of Windows there is. It works really well."
He: "Yeah, it's definitely the best OS there is."
Me: "Have you looked at recent versions of Ubuntu? They've been pretty good, too."
He: "Wha
Applied Reductionism ... (Score:1)
CC.
Numerology? (Score:2, Insightful)
Did the guy who titled this know what the term Numerology [wikipedia.org] means? It's usually associated with wild "magical thinking" about numbers, and is at best a rather silly form of pseudomathematics.
</Skeptical Nitpick>
Ryan Fenton
Re:Numerology? (Score:4, Insightful)
Exactly. IMHO, he's saying that Secunia vulnerability comparisons aren't any more reliable than numerology predictions.
Re: (Score:2, Funny)
No, I think he's saying if you apply numerology to trojans/virii, you can gain insight into their personalities...
Re: (Score:2)
Oh, and P.S.
Piss off, you wanker.
Re: (Score:2)
Using a "word" in the wrong context does not give that word new meaning. It simply makes you look stupid.
Re: (Score:2)
Well, thank you for blessing us with your superior intellect and allowing dictionaries the right to do this. I'll contact them and have them send you a card.
Quite possibly one of the most idiotic sentences ever written. Congratulations. That is EXACTLY why words have multiple meanings. Also EXACTLY why ther
Re: (Score:1)
That could be put to a halt with the addition of one last word to the "English" language: "Slanglish," defined as a separate language composed of all slang vocabulary identified as commonly interspersed among proper English. Considering the limited vocabulary of most speakers of it, any argument for a need to add even more words to the English language has given its counterargument a 99% Head Start.
Re: (Score:2)
No, no. Nine isn't significant. You missed the easy explanation. 18 is 6 times 3. 666
Re: (Score:2, Insightful)
I RTFA. He is not critical of Secunia per se. He quotes a lot from Secunia's advisories and claims that George Ou has misused the data. In other words, Ou is practicing Numerology with Secunia's numbers. Presumably then, Secunia's numbers can be used intelligently by others who know how to correctly interpret the data. His criticisms of Ou sound correct to me, but I don't care for all the extremely harsh
About Secunia (Score:4, Interesting)
No, it just lists vulnerabilities. But it also lists them AND presents these two important things: (a) the importance of the vulnerability, and (b) whether or not it can be triggered through the network or not (local/remote vulnerability).
Furthermore, it separates Windows vulnerabilities in system and application vulnerabilities, if memory serves well. It's not able to do that with Linux, since different Linux distros incorporate different applications.
The matrix therefore becomes a lot more complicated. You can have a 'local only' problem (meaning: no remote exploitation) which can be considered as 'critical' on some Linux/BSD systems and not on others. You can have a remotely-exploitable problem which is critical on all systems that have application XYZ installed. But if I don't install XYZ (or if it's not activated by default) on my PC, I don't have a problem. And so on and so forth.
Which is why people that point at Linux/Mac and say: "Aha! More insecure than Windows!!" are not truly honest: I have Linux and OpenBSD machines with up-to-date SSH servers, no users, a good password, and no other network service running. These machines are almost perfectly secure -- except when it comes to an OpenSSH vulnerability -- even though there are plenty of applications on them that could be considered obsolete or vulnerable... if you can gain local access in the first place. The only point of vulnerability is OpenSSH. And I update it religiously.
All in all, don't blame Secunia: blame people (especially journalists) who know nothing about security and jump on meaningless numbers pulled out of thin air to blame Linux.
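The post above reasons about exposure rather than counts: on a box whose only network-reachable service is OpenSSH, the remotely exploitable surface is OpenSSH, whatever else is installed. The following is an added example, not the poster's own code, that makes that surface explicit by parsing the text output of `ss -tulnp` on Linux, discarding loopback-bound sockets, and listing whatever remains that is not on an allowlist. The sample output, process names, PIDs and ports are constructed; the column layout assumed is the standard `ss -tulnp` layout with the Netid column present.

```python
"""List the services a host actually exposes to the network.

Added example, not from the post above. It parses the text format of
`ss -tulnp` (Linux); the sample output below is constructed and the PIDs,
ports and process names in it are made up.
"""
from __future__ import annotations

import re

# Constructed `ss -tulnp` output: sshd on all interfaces, postgres and chronyd
# bound to loopback only, nginx and a DHCP client listening externally.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      4096   127.0.0.1:5432    0.0.0.0:*         users:(("postgres",pid=1201,fd=5))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*         users:(("nginx",pid=1410,fd=6))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*         users:(("dhclient",pid=700,fd=6))
udp   UNCONN 0      0      [::1]:323         [::]:*            users:(("chronyd",pid=650,fd=5))
"""

# Pulls the process name out of users:(("sshd",pid=812,fd=3)).
_PROCESS_RE = re.compile(r'\("([^"]+)"')


def split_host_port(local: str) -> tuple[str, str]:
    """'0.0.0.0:22' -> ('0.0.0.0', '22'); '[::1]:323' -> ('[::1]', '323')."""
    host, _, port = local.rpartition(":")
    return host, port


def is_loopback(host: str) -> bool:
    """Loopback-bound sockets are not reachable from other hosts."""
    return host.startswith("127.") or host in ("[::1]", "::1")


def parse_ss(output: str) -> list[dict]:
    """One record per socket line; the header line and blank lines are skipped."""
    sockets = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] == "Netid":
            continue
        host, port = split_host_port(cols[4])
        m = _PROCESS_RE.search(line)
        sockets.append({
            "proto": cols[0],
            "host": host,
            "port": int(port),
            "process": m.group(1) if m else "?",
        })
    return sockets


def exposed_services(output: str,
                     allow: frozenset[str] = frozenset({"sshd"})) -> list[tuple[str, int, str]]:
    """Sockets reachable from other hosts whose owning process is not allowlisted.

    Returns sorted, de-duplicated (proto, port, process) tuples, so an IPv4 and
    an IPv6 listener for the same daemon count once.
    """
    hits = set()
    for s in parse_ss(output):
        if is_loopback(s["host"]) or s["process"] in allow:
            continue
        hits.add((s["proto"], s["port"], s["process"]))
    return sorted(hits)


if __name__ == "__main__":
    for proto, port, proc in exposed_services(SAMPLE_SS_OUTPUT):
        print(f"unexpected exposed service: {proc} on {proto}/{port}")
```

On the poster's SSH-only machines the function returns an empty list; on the constructed sample it flags nginx and dhclient, which is exactly the kind of fact a vulnerability count per operating system cannot tell you.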
Re: (Score:3, Insightful)
If you said that removing the user removes a significant portion of the vulnerabilities, then you w
Re: (Score:2)
So as long as it is plugged into the wall, it can turn on without any interaction from a user at all.
You might as well have suggested that without a computer, every OS is safe. Let's be practical here.
Re: (Score:2)
I'm sorry, I still don't get it. Could you point directly to the funny part?
Re: (Score:3)
All in all, don't blame Secunia: blame people (especially journalists) who know nothing about security and jump on meaningless numbers pulled out of thin air to blame Linux.
Except the same meaningless numbers were used to push FF against IE. I recall the "More secure" slogan.
But it's been a while since the last time I heard it. Malice suggests that those numbers aren't very useful to FF lately.
Disclaimer: I'm a Linux user and I use FF regularly.
For what it's worth, I don't wish to start a flame war, but I think we should attempt to be fair.
Re: (Score:1, Offtopic)
You make the same mistake a lot of so-called socialist make. You think that equality and fairness is for your followers, who are all inferior to you. If you considered them your equals, you wouldn't be commanding them. It's an interesting choice of title for someone who's supposed to be for the body of the people.
Room 12a, first door to your left (Score:1, Offtopic)
Any OS can be trojaned, but only one company's OS has viruses and spyware. And I think it incredibly unprofessional (incompetent?) that AV companies can't seem to tell the difference between a virus and a trojan.
-mcgrew (not the security mcgrew, not the comedian mcgrew, but I do what I can to secure my PC and sometimes I can make people laugh).
# of Vulnerabilities!=Acknowledged Vulnerabilities (Score:5, Insightful)
And then unfortunately, their supporters like to bash Linux and Mac for actually working with security agencies and fixing their bugs as well as reporting them. This will forever be the bane of open source and its benefit... that everyone gets to see its flaws but at the same time, everyone gets to contribute to fix them.
New Math (Score:2)
I must be exceedingly lucky cause I have a few Windows boxes and they aren't part of any botnet. I did have one that got owned pretty bad this year, but it's now running Suse while I figure out if I want to fix the Windows partition (yeah, it was that bad).
Re: (Score:2)
Still, how many home users do you know that run as root? That run without updated antivirus? Without ANY antivirus? That open attachments? E
Re: (Score:2)
Corporations don't let botnets exist on their infrastructure for long, neither does the government and military. Even my ISP will deny you access if you have an infected machine.
Sorry, just don't buy the math.
Re: (Score:2)
If they seriously game, they're going to notice. If they're corporate, they're going to notice. My ISP noticed, it took them about 4 days and I had already quarantined the infected box, but eventually they blocked my router from getting an IP.
My solution was to install Suse. The teenager in my house was up and running in about an hour. He's still a l
Re: (Score:2)
The problem is that most people think of their computer as an appliance and have no real understanding of how to use anti-virus/spyware software, even if they have it. The software itself seems to be better at trying to bludgeon people into buying upgrades than it is at actually doing anything to protect systems.
I do not think computer and operating sy
Fishing for vulnerabilities (Score:5, Informative)
Here's one even better: We use GeSHi [qbnz.com] (Generic Syntax Highlighter) in WikkaWiki [wikkawiki.org]. We often scour the so-called "security vulnerability" databases because we've found many inaccuracies. In this specific case, Secunia issued this statement:
WTF? This was a vulnerability in PHP's htmlspecialchars() function, NOT GeSHi. Yet, Secunia was planning on milking this vulnerability in order to boost its "vulnerability count" at the expense of a project that had absolutely NOTHING to do with the vulnerability.
You see, these so-called "vulnerability experts" try to wring out as many vulnerabilities as possible, because we all know that the most effective "vulnerability expert" will be the one with the most posted vulnerabilities. So they go on fishing expeditions to uncover vulnerabilities that really don't exist.
Or an even worse practice: "bottom-fishing" changelogs and bug trackers in order to discover vulnerabilities that have already been addressed. Here's another instance where Secunia was caught trying to boost its street cred through disingenuous reporting: They apparently scoured our bug tracking database and discovered an issue (already fixed!) and falsely implied in their report that the content of wiki pages marked private might be accessible via RSS. This was clearly false, as the original bug report indicated that the page name (not content) could be accessed. Secunia later corrected [secunia.com] the false report.
We've caught Secunia doing this on several occasions. My advice to anyone who is involved in an OSS project is to regularly scour the vulnerability databases and challenge each and every advisory that you believe is not accurate. You might be surprised at the amount of so-called "vulnerability intelligence" out there that is blatantly false, outdated, or inaccurate.
Re: (Score:3, Insightful)
Again, this goes back to my argument that Secunia simply cherry-picks its reports, penalizing those projects that are most open with their changelogs and issue tracking, often listing so-called "vulnerabilities" after said vulnerabilities have already been addressed (as in this case).
Re: (Score:2)
And warning of vulnerabilities that have already been patched is legitimate, IMHO, as many people will not always use the latest version and they would still be at risk.
Re: (Score:1)
As author of GeSHi I can confirm this is basically how things played out. I sent Secunia a very irate e-mail asking them basically WTF they were smoking, and as far as I can tell they didn't publish a vulnerability for it.
They've tried on other projects I've been on, such as Mahara [mahara.org]. They went trolling through the changelogs of old releases for the word 'security', and hit a git commit that fixed security being too tight on something - and sent an automated email saying they wanted more information about t
Re: (Score:2)
I'm not sure that this is necessarily a bad thing, as people with far more time than I to look for how to make trouble for others are doing exactly the same thing.
If I'm running foo 1.3.2, I may miss that 1.3.3 came out, or may disregard it if I don't think it's imperative that I update, watching for 1.4 to come out. There are a lot of disparate systems that I have t
Said it a thousand times. (Score:3, Interesting)
Again and again and again (Score:5, Insightful)
It's very simple, really.
You can _never_ know the relative security of two systems. There simply isn't any way to measure it fairly.
Count disclosed vulnerabilities? What about the vulnerabilities that weren't disclosed?
Have teams search for vulnerabilities and compare the results? What does that tell you? Was one team equally good at finding vulnerabilities in one system as the other was at finding them in the other system? What if one system had many easy to find vulnerabilities, and the other had a couple of severe but harder to find vulnerabilities?
Count actual break-ins? Well, was that due to the system being vulnerable the way the vendor left it, or because of the administrator? What about break-ins you don't know about?
It's always a matter of what you don't know about. You don't know the vulnerabilities that weren't reported. You don't know the vulnerabilities that weren't found. You don't know the relative skills of the teams you used. You don't know if you tested for all possible classes of vulnerability.
And I haven't even mentioned the severity of vulnerabilities, the availability of exploit code, the way vulnerabilities are dealt with by the vendor, and a host of other issues.
The take home message is that you just _can't_ know. It's a hard pill to swallow, but you will just never know which system is more secure. All you have is flawed metrics and your gut feeling.
Re: (Score:2)
You can't know for sure, but you can get a pretty good idea fairly quickly using software testing before any release of the product. Your mileage will vary from application to application, but any self-respecting release team will have a set of regression tests to run through to at least give them confidence that they aren't releasing software that has previously discovered bugs in it.
And using a path-analysis software like GCov you can get a feeling that a large body of your code is actually being exerci
Re: (Score:2)
Ask these questions:
What services are turned on by default?
What potentially vulnerable applications does the OS ship with (the fewer the better)?
What sort of ACLs are in place?
Wh
Where is the MacOS X malware? (Score:2, Interesting)
Nothing to see there, move along (Score:5, Insightful)
Long story short:
ZDnet published an article comparing Secunia vulnerability counts in Mac OS X and Windows Vista/XP. They spun it the Microsoft way, so Mac OS X loses big time. A mac fanboy wrote a reply spinning it the Apple way.
TFA starts with a long-winded attack against the author of the ZDnet article without ever getting to the point. Let's just say that it talks about Zunes, XBoxes, train wrecks, ballet dancing and many more things.
Then it explains what Secunia does (in about two pages): they track software vulnerabilities which are - among others - reported by the vendors. So "honest" vendors get higher vulnerability counts. Who would have thought.
On it goes by saying that the "border" of an operating system is nowadays blurry; should the vulnerabilities in bundled applications be counted? Even if they are by another vendor?
Then he babbles about how most of the cited vulnerabilities in Mac OS X are related to what he calls "external software" - things such as python, java, perl, samba, tcpdump etc and that those same programs have the same (or a similar) amount of vulnerabilities on other platforms. What he fails to point out is that Mac OS X *consists* of such "external software" for a big part, and that they are *part* of Mac OS X and cannot be removed easily.
Conclusion: a pointless (and extremely long-winded) article full of Microsoft bashing, as reply to an equally pointless article full of Apple bashing.
the only way to legitimately test this... (Score:2)
...is to construct a real-world test and repeat it fairly often, then tally up how each OS performs. Create a monthly or bimonthly hacking "tourney" with a money purse to properly motivate the contestants. Get "normal" IT staff (i.e. not experts hand-picked by MS or the OSS community) to "secure" the competing operating systems, then let the hackers loose.
Unfortunately this only gauges vulnerability to remote exploits, which probably aren't the most common means of penetration and which both systems prob
Vulnerability Counts: Humorous, Not Useful (Score:3, Interesting)
Over the years, there's nearly one flaw in the methodology for every one of these surveys ever released:
* Counting vulnerabilities in services installed by default the same as a service that is optional and not frequently enabled
* Subjective rating of impact (mild/severe)
* Treating remote code execution the same when on one system it is as uid nobody, and on the other, it is as administrator
* Ignoring the ease of use of tools that can actually verify a system's integrity (e.g., tripwire with signatures on RO media and booted off CD)
* Ignoring what a user may have to do to trigger a vulnerability (ie, visit a web page with a malicious image, vs downloading a dmg file, running an install, and giving your password to elevate to root)
* Ignoring how an operating system enables or discourages user stupidity (ie, hordes of useless, "This program wants to do something, yes/no?" vs rare requests for a password)
And on and on and on. The average PC has over 25 different pieces of Malware installed. I know dozens of people with macs, and I don't know anyone who has had a single piece of malware, ever. I've been running linux for 12 years, desktop and server, and I've had two compromises ever, and both were via wu-ftpd.
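Both the "About Secunia" post earlier in the thread (criticality crossed with local/remote, and whether the component is installed or enabled at all) and the list of methodology flaws just above describe the same fix: stratify the advisories before comparing anything. The following is an added example, not code from either commenter or from Secunia, that does the bucketing on a constructed set of advisory records. The field names are this example's own choice, modelled on the dimensions the thread lists; the two products and their advisories are made up so that they have identical raw counts.

```python
"""Stratify a vulnerability list instead of counting it.

Added example, not from Secunia or the article: records are constructed and
the field names are this example's own, modelled on the dimensions the thread
lists (remote vs local, default-enabled vs optional, privilege gained, user
action required).
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    remote: bool             # reachable over the network without prior access
    default_enabled: bool    # affected component is installed and on by default
    privilege: str           # what code execution runs as: "admin", "user", "nobody"
    needs_user_action: bool  # victim must open a file, visit a page, type a password, ...


def exposure_bucket(a: Advisory) -> str:
    """Collapse the four dimensions into the bucket a defender actually cares about."""
    reach = "remote" if a.remote else "local"
    surface = "default" if a.default_enabled else "optional"
    trigger = "needs user action" if a.needs_user_action else "no user action"
    return f"{reach}/{surface}/{a.privilege}/{trigger}"


def raw_counts(advisories: list[Advisory]) -> Counter:
    """What the headline comparisons do: one number per product."""
    return Counter(a.product for a in advisories)


def stratified_counts(advisories: list[Advisory]) -> dict[str, Counter]:
    """Per-product counts broken down by exposure bucket."""
    out: dict[str, Counter] = {}
    for a in advisories:
        out.setdefault(a.product, Counter())[exposure_bucket(a)] += 1
    return out


def worst_class(advisories: list[Advisory]) -> Counter:
    """Remote, on by default, admin-level, no user action: the wormable class."""
    return Counter(
        a.product
        for a in advisories
        if a.remote and a.default_enabled and a.privilege == "admin"
        and not a.needs_user_action
    )


# Constructed sample: four advisories each, so the raw count is a tie.
SAMPLE = [
    Advisory("ProductX", remote=True,  default_enabled=True,  privilege="admin",  needs_user_action=False),
    Advisory("ProductX", remote=True,  default_enabled=True,  privilege="admin",  needs_user_action=False),
    Advisory("ProductX", remote=True,  default_enabled=True,  privilege="user",   needs_user_action=True),
    Advisory("ProductX", remote=False, default_enabled=True,  privilege="admin",  needs_user_action=False),
    Advisory("ProductY", remote=False, default_enabled=False, privilege="user",   needs_user_action=False),
    Advisory("ProductY", remote=False, default_enabled=False, privilege="nobody", needs_user_action=False),
    Advisory("ProductY", remote=True,  default_enabled=False, privilege="nobody", needs_user_action=False),
    Advisory("ProductY", remote=True,  default_enabled=True,  privilege="user",   needs_user_action=True),
]


if __name__ == "__main__":
    print("raw:", dict(raw_counts(SAMPLE)))
    print("worst class:", dict(worst_class(SAMPLE)))
    for product, buckets in stratified_counts(SAMPLE).items():
        for bucket, n in sorted(buckets.items()):
            print(f"{product:9} {n}  {bucket}")
```

Run on the sample, the raw tally says the two products are equally bad; the stratified view says one of them has two unauthenticated remote-to-admin holes in default components and the other has none. That gap is the whole objection to the counting exercise.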
Local security is good, but... (Score:2)
Treating remote code execution the same when on one system it is as uid nobody, and on the other, it is as administrator
Local security does need to be considered, but it shouldn't be depended on. A remote code execution vulnerability is still critical, whether it happens as LOCALSYSTEM, root, Administrator, local user, nobody, or in a partial sandbox like a chrooted environment or Microsoft's new sandbox in Vista. Local privilege elevation attacks do exist, and even without priv
Re: (Score:2)
Linux fanboys* used to do the same thing with narrow performance benchmarks, showing how much faster Linux was than Windows. Once the benchmarks sta
Re: (Score:2)
Windows does own the market for actual viruses, adware, botnet membership, spyware and other problems.
Secunia and George Ou are publishing numbers of vulnerabilities that suggest the opposite is true. But it's obviously not.
You can try to muddle those two ideas together, and you reveal your bias by describing my outlining o
Re: (Score:3, Insightful)
Everyone wants to validate their own prejudices (and some are paid to support other folks interests).
Security is a process, the goal of which is to protect something (usually your data - maybe your hardware - maybe availability or even user sanity!) and (usually at least) to minimize the resources it takes to do it. Y
How about George Ou sucks? (Score:3, Interesting)
See here [cnet.com] for a brief recap of Ou's idiocy (not a word but still).
The whiniest flame site on earth... (Score:1)
STOP IT STOP IT It's not that clever! It's a play off of the old saying "Deficient by Design" -- and that referred to UNIX!
Roughly Drafted != News Source
It's the most whiny flame blog on earth- stop punishing slashdot readers with
My experience with Secunia (Score:5, Informative)
never attribute to malice... (Score:2)
I for one would like to see a rating scale that factors in not just the problem, the severity, and the scope, but also the availability of information on the problem. For example, you couldn't score anywhe
Re: (Score:1)
Patent prohibitions of viewing proprietary source code may be acceptable, under standard as-advertised operating conditions, but when source code exposes users to having their computers taken over by computer criminals, I submit that protections of