WinInformant Says Windows More Secure Than Linux

nihilist_1137 excerpts from this WinInformant article, which reads in part: "For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet. ... A look at the previous 5 years--for which the data is more complete--also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux." I wonder how many sysadmins (Windows or Linux) would agree with this conclusion. Update: 02/04 16:54 GMT by T : Looks like the WinInfo site has gone down since the story was submitted, so you may have to content yourself in the meantime with the Bugtraq numbers. Update: 02/04 19:30 GMT by T :Several readers have pointed out that the conclusions WinInformant makes based on the Bugtraq data are not those of SecurityFocus; the headline has been changed accordingly.

Severity of vulnerabilities

[SiW]

The report doesn't seem to take into account the fact that while the number Windows holes was fewer, they were far more severe. Code Red, anyone?

Btw, I'm not a Linux cheerleader, I'm a Windows guy most of the time, and I subscribe to the "best tool for the job" philosophy.

Unfair comparison, uninformed journalist.

[opkool]

After reading the whole thing, I came to the conclusion that this is an unfair comparison:

-They only count bugs for one Microsoft OS product. I mean, there's Win95, Win95osr2, Win98, Win98SE, Win2000, WinME, WinCE, WinNT4.0...

-They count one bug for each distribution. I mean, if a bug is detected on rsync, it shows as one different bug for every distribution, that is, one but for Mandrake 7.0, one for Debian, one for Mandrake 7.1 ...

So, this makes me wonder if the journalist is plainly uninformed or if has no idea of what he is talking about (a laid-off journmalist from the gardening section re-hired for a tech-writter position).

The conspiracy theories, black helicopters and Microsoft-payed journalists, from my point of view, do not apply here.

Well, who said the world was fair?

Well ok...

[Bob+Smith+157]

Sigh...

I can't read the original article, It's been Slashdotted to death. But I think I can make a pretty good guess as to what happened.

First off, we host Bugtraq, not NTBugtraq, which is Russ Cooper's list. (Any chance we can get that fixed in the story intro? Anyone know if the same mistake is in the original article?)

Secondly, I'm constantly amazed at how people mis-read our stats page. The Linux aggregate stats are the total of all unique bugs across all the various distributions we track. It's supposed to answer the question "How many Linux-related bugs were there that year." It's based on things like which distro ships a particular package, and when that package is found to have a hole, it also gets attached to the distro. This is so you can look up your distro, and see what bugs you might need to patch.

Take a look at the top of the page, our script hasn't been running since August, when we switched from Roxen to Apache. So, we're missing the whole last quarter of 2001 stats.

Regardless of anything else, using these number to declare that one thing is more secure than another is a mistake. Based on our numbers, why didn't they declare that everyone should run MacOS for security? Or that if you want to be more secure, run Debian instead of Win2K?