5,198 Software Flaws Found in 2005
An anonymous reader writes "Security researchers uncovered nearly 5,200 software vulnerabilities in 2005, almost 40 percent more than the number discovered in 2004, according to Washingtonpost.com. From the article: 'According to US-CERT...researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). An additional 2,058 flaws affected multiple operating systems.'"
                 including      excluding
                 "(Updated)"    "(Updated)"
Windows          813            671
U/L              2328           891
Multiple         2057           1512
(sorry about the spacing - can't find any way of doing it)
greatly reducing the proportion of Unix/Linux vulnerabilities
There are two ways to look at this. I would say that it is quite unlikely that the quality of software with respect to security went down in 2005. Computer security now has such a high profile that software houses across the world are spending many dollars trying to provide better security.
If you accept that security quality has not gone down, then you must conclude our ability to detect vulnerabilities is getting better. This is universally a good thing. Every vulnerability the "good guys" find before the "bad guys" is one we can have a fix for before the bad guys take over our system.
Then there's the other side of these figures. That's a lot of vulnerabilities. Now, fair enough, not all vulnerabilities are created equal, but I'd bet at least 10% are serious enough to get your system taken over if you're not careful. That's a lot of ways to break into my system and it's a lot of work to make sure you're not vulnerable.
We have such a long way to go. For example, in PHP, if they'd just follow Microsoft's example and put a SQL injection and XSS attack filter on information passed to web pages we could close a serious hole in many web applications. I've not looked at Ruby on Rails but I bet it fails this test too.
For God's sake, if you're not writing an operating system you have no business using C. Read my lips: YOU CAN'T WRITE SECURE C. Not now, not after 20 thousand hours of training, not ever. Sure, it's possible to write secure C in theory, but the difference between theory and practice is that in theory they're the same and in practice they are not. In practice, you have deadlines; in practice you have people on the team who have less security training than others; in practice you have developers who have just had children and don't get a lot of sleep. In practice, people make mistakes. Code reviews may help but they won't remove everything. If you write your software in C you're doomed to having silly security bugs. If you want to remove most of the worry about overflows, use a language that rules them out.
Another thing: why should code we execute on our computers run at the maximum privilege set of the user who's running it? Suppose my program checks an HTTP page against an MD5 hash periodically and sends an SMS through an internet-based SMS gateway. Why should that program, if it wants to, be allowed to access the disk? I don't know about Java, but C# has a set of attributes that can control this type of behaviour. Really, we should be forcing declarations at the language level about what permissions each method of the program needs, the default being none, of course.
Simon.
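The post above asks for a framework-level SQL injection and XSS filter. As an added example (my code, not from the thread or from any of the projects named in it), here is the same lookup written three ways against a constructed in-memory sqlite3 table: spliced into the SQL text, spliced after a blanket character filter, and passed as a bound parameter. The same contrast is repeated for HTML output with `html.escape`. Table contents, the `naive_filter` function and the payloads are all invented for the example; the point is that a filter has to guess the payload while a bound parameter and output encoding do not.

```python
"""Same lookup written three ways: string-built SQL that a filter has to
protect, string-built SQL with a naive filter in front of it, and a bound
parameter that needs no filter. The same idea is shown for HTML output."""
import html
import sqlite3


def make_db():
    # Constructed in-memory table; the rows are invented for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.org"), (2, "bob", "bob@example.org")])
    return conn


def naive_filter(value):
    """A hypothetical blanket input filter of the kind the post suggests:
    strip the characters most injection payloads rely on."""
    return value.replace("'", "").replace(";", "").replace("--", "")


def lookup_by_name_vulnerable(conn, name):
    # The input is spliced into the SQL text, so it can change the query.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_filtered(conn, id_text):
    # The filter is applied, but the value lands in a numeric context where
    # no quote is needed, so "1 OR 1=1" passes the filter untouched.
    sql = "SELECT email FROM users WHERE id = " + naive_filter(id_text)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_name_safe(conn, name):
    # Bound parameter: the value travels separately from the SQL text and is
    # treated as data whatever characters it contains.
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,))]


def lookup_by_id_safe(conn, id_text):
    try:
        user_id = int(id_text)  # validate the type instead of "cleaning" the text
    except ValueError:
        return []
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE id = ?", (user_id,))]


def greeting_vulnerable(name):
    # Untrusted text dropped straight into markup.
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name):
    # Encode at the output boundary, for the context the text lands in.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_by_name_vulnerable(db, payload))
    print("safe:      ", lookup_by_name_safe(db, payload))
    print("filtered:  ", lookup_by_id_filtered(db, "1 OR 1=1"))
    print("safe id:   ", lookup_by_id_safe(db, "1 OR 1=1"))
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_safe("<script>alert(1)</script>"))
```

Running it prints both e-mail addresses for the vulnerable and the filtered lookups and an empty list for the two safe ones; the escaped greeting contains `&lt;script&gt;` rather than a live tag.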
I would like to see some data showing the correlation between applications written in unmanaged languages and those with buffer overflow and similar exploits.
Modern unmanaged C++ is fine (STL containers instead of arrays, RAII, etc.), but I often wonder why people still write in C at all, particularly when it comes to Open Source software. We are not the bearded heroes of the 70s - it's time to write in a modern language. If you don't want to sacrifice speed and system level programming for a managed environment, write in modern C++.
812 flaws in the Windows operating system? When did they start counting flaws? December 28th?
Firefox: 1
Explorer: 45
Explorer wins!
I've released more than that by myself this year!
http://www.us-cert.gov/cas/bulletins/SB2005.html
Summary does not even bother to link the original article!
"According to US-CERT...researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included)."
Excellent news! I think it's clear now that Windows OS is about three (3) times more secure than Unix/Linux/Mac!
Oh, wait a minute...
I know Microsoft issued a lot of patches this year that fixed quite a few vulnerabilities ... but 812? My suspicion has always been that Microsoft sometimes fixes multiple flaws with a single patch, even though its advisories may make it appear as though the patch addressed a singular issue.
I'd love to know just what percentage of those reported Windows flaws have been fixed. For that matter, it would be lovely to know that for all of the flaws reported last year.
Anyone?
And is this the first year that these statistics have been gathered on a scale like this?
So, where did you read that windows is more secure all of a sudden?
You didn't take those figures at face value did you?
Those figures said they were for Linux AND other Unix variants like OS X...
So, 2500 between OS X, OpenBSD, NetBSD, FreeBSD, Linux, Solaris, etc... (not to mention all the flaws listed for the different Linux distributions probably got duplicated across several distros)
versus 900 for windows
(I'm rounding up)
Was this 900 split between 95/98/98SE/ME/2000/XP/Vista?
or just for XP?
There're lies, damned lies, and statistics
5198 bugs is interestingly exactly 10% of the number of times I tried picking up girls at bars in 2005. ...they kept calling me a creep, not a bug, though. *cough* *cough*
Finding software flaws -ahem- 'exploits' ... is en vogue at the moment. Unfortunately this is also the catalyst for additional needless security, DRM, policies. Instead of putting resources towards development or improvement, the resources are wasted on finding minute problems. Sure this effort could make software better for the future (reliable, secure), but the bureaucracy is putting us farther behind, and is creating more work with less usable results.
"researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). "
"... but 812? My suspicion has always been that Microsoft sometimes fixes multiple flaws with a single patch, even though its advisories may make it appear as though the patch addressed a singular issue."
If we listened to just the media you would have thought Windows has thousands and the others only had a few dozen. I promise I'm not trolling, but do those numbers stop and make anyone on the site re-think stances? We all saw the numbers that put Firefox with more holes then IE earlier this year too. Could MS be doing a better job, but just getting hammered in the press (who are mostly Apple users by the way)? MS holes get lots of press while other operating systems get a free pass.
"I know Microsoft issued a lot of patches this year that fixed quite a few vulnerabilities
MS always has an attached KB article that details everything their patch does. I don't think that statement is denial.
I find myself defending MS a lot on this site, and it's nice to have some numbers from a respected neutral organization to debate some of you guys with. I'm sure after this piece they will be re-classified as MS zealots, but what can ya do.
...report all the flaws to CERT that they find internally? Is CERT counting all open source project flaws, then comparing that number to a limited number of Windows-shipped products and ignoring most third-party Windows apps because they are closed source and those devs aren't in the habit of revealing vulnerabilities if they don't have to? I mean, there's a rather glaringly LARGE difference between what you get with a Windows XP operating system direct from Redmond or any of the big box vendors compared to any of the major distros and what comes on their disks. What's a "system" then?
I looked at the CERT link from the blog link in this article, where are all the windows apps? That list is ALL the windows third party apps vulns? Why am I not believing this? Are all the third party windows apps devs actually reporting vulns, or just shipping new and improved and clamming up over anything they find?
Good thing CERT has a disclaimer at the top saying they have no idea if any of what they have there is complete or not, or even true. At best this CERT list is a really vague guess.
Let's compare entries in the vulnerability database.
Linux
Optimistic TCP acknowledgements can cause denial of service
Gaim vulnerable to HTML processing denial of service
Windows
Windows XP
Windows 2000
Yes, I can see where those numbers come from.
One bad thing is that software is getting more complicated and secure design methodologies are lagging behind. We've had secure development environments like Java for a long time now, and we have known for the past decade that large pieces of software developed in unsafe languages (C) can never be safe, and yet... we continue to use these unsafe tools. Until tools and design methodology change, we're going to keep having more holes as software systems get bigger.
Someday that will change. People will (eventually) shift to "safe" languages, where "safe" means no unchecked memory access, bounds checking on arrays, type safety, etc. The more we get to that the fewer vulnerabilities we will be seeing.
If you assume only 5% of those calls could overflow a buffer, Windows is doing 4x better than expected!
Well, which were more serious?
Ok, I've made a 'hello world' program in C++...I had 0 bugs in it, do I win?
Seriously now, these numbers are useless without mentioning lines of code and programming languages. Suse Linux 9.3, for example, has over 7,000 RPMs, which is an enormous amount of software.
Absolute bug numbers are meaningless.
If I were you, I'd keep my eyes out for a Windows logo on that web site. *cough*kickbacks*cough* From my experience, if Microsoft doesn't have more bugs, then their software sure is shitty. I mean, Firefox is open source, IE is not. Who is more secure, doesn't crash as much, and has nifty plug-ins? If you said IE, you're living in the past. Sure, Open Source is going to have more bugs; it's hundreds of thousands, if not millions, of people contributing code. Of course not all of them are going to get everything perfect. Now compare how many people Microsoft has working on bugs. A few thousand at best. Now you see the reality of this. Linux is going to have more bugs simply because it has more software. Microsoft is going to take longer to patch their bugs because they only have a fraction of the people working on it.
What I want to know is how many they didn't find.
Because I know I just woke up but that CERT page is listing APPLICATIONS FLAWS and NOT OS flaws.
Is a flaw in "Gold FTP explorer" or Photoshop a Windows OS flaw?
Am I the only one seeing this?
Actually, it seems that in the Linux/Unix section it is possible that some bugs have been reported twice or more.
It could be that one bug that affects the Linux kernel could be reported both as a bug in Red Hat, Fedora and under the line of multiple vendors.
I would like them to separate Windows (version number), Linux kernel and then apps.
If you are using numbers like these to make an argument that MS products are "more secure",
I've got a nugget of wisdom for you: Whichever OS is the most popular is going to end up being the least secure. It doesn't matter who makes it.
I wouldn't say that the guys compiling the stats had an agenda or something, but how do you count bugs/flaws? If you said Linux was one "thing" and didn't account for the various distros, is that realistic? And if you account for the various distros, you will undoubtedly end up with duplicates. It's very much like the problem faced when trying to figure out popularity of a website: do you count hits, page impressions, stickiness... and if you count things differently than I do, which of us is right?
One thing I can say with certainty: Linux does not have fewer flaws than Windows. I have as many (or more) patches to apply to my Linux servers at work each month as I do to my Windows servers. I think it's reasonable, however, to say that the flaws that show up in Linux are more transparent. Knowledgeable people can look at the code for certain coding practices and find flaws *before* they are reported in the wild; the availability of source code definitely gives Linux an edge in that regard.
A quick browse over some of the vulnerabilities listed... I think that the issue of scope is not covered at all in the number-quoting.
Windows: XP,NT,Me,98,95
note that these are all x86...
Unix/Linux (Oh yeah, and Mac too) : All variants of Linux, with all moderately current kernels, running on all architectures. All variants of Unix. Mac OS X.
On the other hand, there are a few positive sides: it included non-OS programs (web servers and user programs and such), which many studies often overlook, or selectively overlook and count Apache vulnerabilities for Linux and not Windows. It didn't try to pump the numbers TOO much. It was not actually a comparison between the merits of any one operating system over another (unlike most studies talked about, which are almost always funded by MS), but in fact was a compilation of the various vulnerabilities out there for each OS, including things like MusicMatch Jukebox, which very few people would claim is an integral part of the OS and can't be lived without, and thus completely eliminating that vulnerability from the numbers.
In regards to numberpumping, it is generally a lot easier to find a vulnerability in a Linux/Unix/OSX program than a Windows program, for the simple reason that a greater proportion of L/U/O programs are open source. You have two angles to attack from, and if you find some problem in the code, you can most likely find other instances in the code where the exact same mistake is made. Whereas the only way to find a vulnerability in a closed source program (most Windows programs, including the OS itself) is to observe and interact with it from the outside. Even if you do find a buffer overflow in some area, it counts as one vulnerability. You can't go look through the source for the rest of the OS and/or related programs, because you don't have it. Assuming a fairly large code base, any vulnerability (that is, a flaw in the underlying structure of the program, not a mistake) would probably be repeated at least 5 times.
If we use that estimate, and assume that only one such flaw was found in a Windows program and all 5 in a Linux/Unix/OSX program, that brings the numbers to this:
Windows 4060
LUO 2328
(ignore the multi-OS ones)
Now, assuming that Linux, Unix, and OSX collectively run on 5 architectures (QUITE modest), that is 5 times the code for any architecture and hardware related problems to arise in, although I would be willing to bet that it doesn't actually increase numbers that much.
However, all of my rampant assumptions aside, the numbers mean absolutely NOTHING, for ANYONE. This is not a study. It is a summary of the vulnerabilities found in 2005. In order for "vulnerability numbers" to mean ANYTHING, they have to be discovered and explored in an impartial study which clearly defines various levels of "vulnerability" beforehand and equally explores all test OS's/programs, which would most likely require source code for all OS's/programs in question, which essentially rules out including any Microsoft products in any such study.
I have seen numbers like this running around for some time. What I would like to see is *someone* actually define a number of categories (like OS, UI, Apps, Drivers, etc.) and then place specific *named* apps in those categories and then give me the numbers. So, how many of those bugs are actually OS/driver specific or are vectored through the UI, Apps, etc?
"researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). "
If we listened to just the media you would have thought Windows has thousands and the others only had a few dozen. I promise I'm not trolling, but do those numbers stop and make anyone on the site re-think stances? We all saw the numbers that put Firefox with more holes then IE earlier this year too. Could MS be doing a better job, but just getting hammered in the press (who are mostly Apple users by the way)? MS holes get lots of press while other operating systems get a free pass.
If you look at the first post, you'll see that the real count of vulnerabilities isn't so shocking after all:
Windows 671
UNIX/Linux 891
Multiple 1512
Also, when you consider the fact that "UNIX/Linux" includes many different operating systems (e.g., GNU/Linux, *BSD, OS X, etc.), you can't give any one Unix operating system the blame. Remember that although some code is shared between projects, GNU/Linux and the *BSD are more or less completely different code bases. In any case, the simple counts of vulnerabilities don't take into account the severity of each, so the real winner is even more ambiguous.
I find myself defending MS allot on this site, and it's nice to have some numbers from a respected neutral organization to debate some of you guys with. I'm sure after this piece they will be re-classified as MS zealots, but what can ya do.
While Brian Krebs might be tainted by his misrepresentation (see the post I got the numbers from), I can't imagine anyone here claiming that US-CERT is somehow a bunch of MS zealots. In fairness to Microsoft, they've definitely come a long way with SP2, and I don't feel nearly as vulnerable when using an SP2 machine as I did with previous Windows versions (though the recent WMF hole makes me a bit more worried). But they're still nowhere near the point where I would switch from Linux.
I should like to note that I would be very impressed with any language which does not allow direct memory access and which doesn't need one that does in order to function.
Also, using Java as an example of a secure development environment is like using OS/2 as an example of a secure OS: Nobody uses it, so you can't prove it's secure.
vector was meant to be a vector<int>.
Look how defensive the Slashdot community gets... So freaking funny.
Only an MS-tool would not instantly spot this. Others have already pointed this out but of course they are just Unix and OS X and BSD and Linux hippies. Oh, and which OS makes it unsafe to simply browse the web right now? Thank you. Bill Gates called, he is about to take a dump and needs you to swallow it all.
All this article shows is how easily statistics can be used to tell a complete lie.
I've noticed that on some of the 'nix-based alerts, the initial "discovery" was made in 2004, but not reported by various distros until after the beginning of 2005. I also noticed that with some of them, ALL of the distros listed reported the problem in 2004, but then, someone else chimes in right after the beginning of 2005 (Avaya Security Advisory), basically restating what has already been announced by several other parties prior to 2005.
Evil doers devised 812 ways of raping women named Jane, and 2328 ways of raping women named Mary or the pets they own.
What we really want to know is who got fucked.
It's fascinating that there are two replies to the GPP post mentioning using Java in a real-time context, as if that somehow implies that its performance is equivalent to something like C or C++. "Hard real-time" and "fast" are completely different qualities, and having one does not imply the other either way around.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
What exactly do they call bugs? One man's "bug" is another man's feature. If a function or dialog in OpenOffice, for example, doesn't have the same capability as MS Office, or different capability than the Office equivalent, is that a "bug" or a feature? Depends who you ask...
Just try this :

#!/bin/bash
# Dump the US-CERT 2005 summary to plain text and count the bulleted
# entries in each of its three OS sections. Entry lines look like
# "* [123] Title (Updated)"; the [123] link number is stripped before
# "uniq -c" so that lines which repeat verbatim are collapsed and counted.
lynx --dump http://www.us-cert.gov/cas/bulletins/SB2005.html > stats.tmp

count_section() {   # $1 = label, $2 = sed address range covering the section
    echo "$1"
    sed -r -e "$2 !d" \
        -e 's/^[ \t]+//' \
        -e '/^[\*\+] \[[0-9]+\]/ !d' \
        -e 's/\[[0-9]+\]//' stats.tmp | uniq -c \
    | awk '{ sum++ ; entries += $1 ; print }
           # sum = distinct lines left after uniq, entries = raw line count
           END { print "\n\n Sum :\t\t\t " sum "\n Number of entries :\t " entries "\n Sum/Number of entries : " sum/entries "\n\n" }'
}

{
count_section "Windows"    '/ \* Windows Operating Systems/,/Unix\/ Linux Operating Systems/'
count_section "Linux/Unix" '/Unix\/ Linux Operating Systems/,/Multiple Operating Systems/'
count_section "Any"        '/Multiple Operating Systems/,$'
} | more
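The script above counts bulletin lines per section and collapses only lines that repeat verbatim. The first post's "including/excluding (Updated)" split, and the later observation that one Apache mod_ssl issue appears under several vendors, both come down to what you treat as one entry. As an added example (my code, not from the thread or from US-CERT), here is a Python version of the count that runs offline on a constructed sample in the layout of a `lynx --dump` of the bulletin page and reports three figures per section: raw lines, lines excluding "(Updated)" re-announcements, and distinct issues after dropping a vendor prefix. The product names in the sample and the `VENDOR_PREFIXES` list are invented assumptions for the example, not real advisories.

```python
"""Count entries in a US-CERT style bulletin dump three ways: raw lines,
lines excluding "(Updated)" re-announcements, and distinct issues after
folding vendor/distro re-issues of the same advisory."""
import re

# Constructed sample in the layout of a "lynx --dump" of the bulletin page.
# Product names are placeholders invented for this example, not real advisories.
SAMPLE_DUMP = """\
   * Windows Operating Systems
     * [1] ExampleCorp FooMail Buffer Overflow
     * [2] ExampleCorp FooMail Buffer Overflow (Updated)
     * [3] ExampleCorp BarFTP Directory Traversal
   * Unix/ Linux Operating Systems
     * [4] BazHTTPd mod_example Format String Vulnerability
     * [5] Red Hat BazHTTPd mod_example Format String Vulnerability (Updated)
     * [6] Debian BazHTTPd mod_example Format String Vulnerability (Updated)
     * [7] Gentoo BazHTTPd mod_example Format String Vulnerability (Updated)
     * [8] Example Kernel Optimistic TCP Acknowledgement Denial of Service
   * Multiple Operating Systems
     * [9] QuxBrowser Heap Overflow
     * [10] QuxBrowser Heap Overflow (Updated)
"""

SECTION_RE = re.compile(
    r"^\s*\*\s+(Windows Operating Systems|Unix/ Linux Operating Systems|"
    r"Multiple Operating Systems)\s*$")
ENTRY_RE = re.compile(r"^\s*[*+]\s+\[\d+\]\s*(.+?)\s*$")
UPDATED_RE = re.compile(r"\s*\(Updated\)\s*$", re.IGNORECASE)
# Vendor names the bulletin prepends when a distribution re-issues an advisory
# (assumed list for the example; extend it to match the bulletin you count).
VENDOR_PREFIXES = ("Red Hat ", "Debian ", "Gentoo ", "SuSE ", "Fedora ", "Avaya ")


def normalise(title):
    """Reduce a title to the underlying issue: drop "(Updated)", drop a
    leading vendor name, collapse whitespace, ignore case."""
    title = UPDATED_RE.sub("", title)
    for prefix in VENDOR_PREFIXES:
        if title.startswith(prefix):
            title = title[len(prefix):]
            break
    return " ".join(title.split()).lower()


def parse_sections(text):
    """Return {section name: [entry title, ...]} in document order."""
    sections, current = {}, None
    for line in text.splitlines():
        heading = SECTION_RE.match(line)
        if heading:
            current = heading.group(1)
            sections[current] = []
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            sections[current].append(entry.group(1))
    return sections


def count_section(titles):
    return {
        "raw": len(titles),
        "excluding_updated": sum(1 for t in titles if not UPDATED_RE.search(t)),
        "distinct": len({normalise(t) for t in titles}),
    }


def tally(text):
    return {name: count_section(titles) for name, titles in parse_sections(text).items()}


if __name__ == "__main__":
    for name, counts in tally(SAMPLE_DUMP).items():
        print(f"{name:32} raw={counts['raw']:3} "
              f"excluding_updated={counts['excluding_updated']:3} "
              f"distinct={counts['distinct']:3}")
```

On the sample the Unix/Linux section drops from 5 raw lines to 2 distinct issues, which is the effect the first post is pointing at; to run it against the real bulletin, replace `SAMPLE_DUMP` with the text the shell script saves in `stats.tmp`.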
-Mark Twain Attribute yo' quotes, foo.
Ninjas and pirates. How piquant.
"The ignorant define themselves." Why is there even a discussion going on about the essence of the word "flaw"? Fact is that this research has not been fair because all Linux distros, UNIX variants (such as BSD) and Mac are counted as one, and MS Windows as another. You cannot compare the multitude of Linux distros to the one-man platform of MS Windows. If there had been a tally between, say, Red Hat, Ubuntu, FreeBSD, NetBSD, OpenBSD, Mac OS (I dunno what version it is in atm) and MS Windows, and all stats had been listed separately... that would have been fair and clear. Now it's just a mash of all these stats with just one simple query on it: SELECT bugs FROM stats WHERE os = Windows. They just mashed the rest together and called it "the rest".
As soon as I saw OS's grouped together I expected to see another company-purchased evaluation designed specifically for a press release.
After seeing that someone had simply counted lines on a web page as their "research", I realized it was just another ignorant writer putting together anything possible to get the job done.
I think US-CERT is partly to blame. Their page is misleading in that it lists software for *nix OS's under the heading of "Unix/ Linux Operating Systems". They also list the mistakes some package managers make while compiling software for specific distributions. For example: "Debian Horde Default Administrator Password" or "Gentoo webapp-config Insecure Temporary File".
That quote has been used so much it's entered the common vernacular, hardly worth attributing it these days.
(besides, I wasn't sure it was Mr Clemens and couldn't be bothered checking)
That's almost the number of dupes on Slashdot this year...
[crunches some numbers]
And the trends from last year match, too!
I'm grabbing my tinfoil hat.
ME and prior have been EOLed and so are no longer supported, aren't they? And Vista hasn't been released. So we're left with only a couple (few -- 2003) OS's that it's reasonable to count vulnerabilities from.
A more accurate portrayal of the bug situation would be run down by a count of patched and unpatched bugs at the end of the year.
Windows Server 2003 - Enterprise Edition vs. Red Hat Enterprise Linux
Who has the most unpatched flaws and the better ratio in that one? I'm really not sure.
Windows XP vs. Fedora Core 4
This one's pretty easy...
Windows ME vs. Red Hat Linux 6
Sorry, I couldn't resist.
Windows (Any version) vs. Mac (any version)
Erm, yeah. I had to. I don't know the answer to this one, though.
I suggest a new, totally secure and bug-free programming paradigm. Example:
void main()
{
SuperSecureFunction();
TotallyNotBuggyFunction();
ImmaculatelyConceivedOperation();
}
I call it Intelligent Design programming. You just have to link to the right libraries.
"Evil doers devised 812 ways of raping women named Jane, and 2328 ways of raping women named Mary or the pets they own."
I would have said that it was more like: 812 Janes went to dives on saturday nights half naked and unchaperoned whilst 2328 Marys also went dancing.
Who was looking after the Marys?
Most of the people who look after the Janes are unpaid good neighbours. It's a bloody good job there's such a hell of a lot of them.
Be taken out of the libraries and such? Why is it so hard to remove such vulnerabilities when I've read that there are replacements for weak or exploitable code?
Well, I found my own way to interpret this "mash-up" data.
Take the total # of flaws of the Linux distros; 2,328.
The number of distros including Mac -- by pulling a guess out of my hat; 12.
Since we can assume that most UNIX distros are similar, and we'll be kind by saying the Mac has the same number of flaws, just divide the total by the platforms and you get... 194.
And, since we can assume this is an "independent analyst" paid for by Microsoft -- we can safely assume that they buried vulnerabilities from Internet Explorer, Entourage/Outlook, and Microsoft Office as the flaws affected multiple operating systems while just throwing in the app flaws that came with the *NIX boxes. So, you can assume that 80% of all vulnerabilities in applications are from these three Microsoft apps. So 2,058 * .80 gives us 1,646 rounded down.
So any single UNIX has about 194 flaws versus 2,458 flaws attributed to Microsoft products. Of course, I could be wrong, but since we are pulling figures out of our collective butts here -- what the hey, right?
But, if you are purchasing software per flaw (and we'll call the Linux distros free except for Mac), it is still more expensive for each flaw that you get on all combined *NIX's -- since the author assumes you are buying every NIX to acquire every flaw you possibly can. Windows comes out ahead on less cost per flaw.
I really didn't add in Sun -- that would reduce the number of flaws per NIX and greatly increase the cost per flaw. UNIX really needs to step up here -- a user has to really invest in a lot of platforms to achieve a good allotment of flaws.
The problem is obviously humans. If we kill the humans the problems wouldn't happen.
I hate to just dump on this article, but I have to. It's basically a pile of rubbish. I don't mean to just insult the authors of the article; I read it, and came to my conclusion with thought and reflection. The basis for my analysis and conclusion follows.

Firstly, they never describe or define exactly what they call 'an operating system'. From my computer science textbook (Silberschatz/Galvin), an operating system is strictly the third program running on a computer after power is applied (the first being BIOS/POST instructions coming from the firmware, the second being the bootloader, and the third being the operating system). The operating system has absolutely 0 interaction with the user. There are applications that are usually loaded after the operating system is running that allow user interaction (programs that allow the user to type at the keyboard, use the mouse, or provide some kind of graphical interface to start programs). None of these things are part of the operating system. They interact (make calls) to the operating system. So are the 'flaws' part of the OS, or are they add-on programs, or what?

Second, when developing a system in the open such as Linux, people are working on the software all the time. They might add a new piece to a section of code, and might not finish that day, or might need to modify another piece of software to provide complete interaction as intended. Occasionally the partially built pieces will create problems (which CERT then counts). It's a bit like driving by the partially built house and yelling at the contractor 'there's no roof yet!'. Sure, it hasn't been added yet.

Next comes the problem of whether the bugs are serious or nuisances. Are they critical or minor or what? Nothing from the article says anything about that. Next comes the issue of whether any of the 'flaws' were fixed after being mentioned, and how soon after they were fixed. Again, nothing from the article.

Sorry for being overly critical, but it's a bit like proclaiming 'overcast day caused kids to catch colds and stay home from school'. There is an assertion of fact, some kind of follow-on fact that apparently fits somehow, but no logical path to show how you get from A to B, no clear idea of how they got their information, and spare little supporting evidence. A pile of rubbish.
Good catch!! Several other posters wondered if the results were somehow slanted towards M$. Re-counting *NIX '04 bugs as '05 bugs would sure skew the numbers! Like I said, when we get an UNBIASED study with severity levels, OSes and releases of each indicated, then we can make a fair comparison of "bugginess".
Will somebody please remove this guy from having the ability to post stories to slashdot? Yes, I already have his stories blocked, and I wonder how many others are doing the same.
The stories are always slanted FAR away from the reality of what was said, and many times are flat-out LIES! I first thought it could have been a mistake, but time has shown that this editor does not represent the community in ANY way whatsoever! This is pathetic! I'm not going to waste time digging through all the previous examples of this editor; anyone can search this out in the Slashdot archives.
I wonder how many people have simply stopped coming here since he became an editor? I know my own visits have declined greatly for that exact reason. And I can see that the level of posts has also trailed off noticeably. Slashdot makes money by advertising, so how long is it going to take before the owners notice that ONE person is causing you to lose MONEY!
To make matters worse, as some others may have pointed out, there are security issues that are listed multiple times. The Apache mod_ssl alert, for example, is listed nine separate times, but they all refer to the exact same issue- like that won't skew the results.
I'd be embarrassed if I were the Washington Post, as it appears as though someone didn't do their homework.
Well, the numbers are shocking when I went to Secunia and compared Windows XP (with all the crap that comes with it) and just the Linux kernel 2.6.
Windows XP (including IIS, libraries, .NET etc.): 45 advisories
Linux kernel itself (no other programs): 33 advisories
Obviously a simple count of vulnerabilities is a real stupid way to compare things, but I would not claim Linux is any more secure than Windows or the other way around. You are better off using what OS you know better, and secure better. But MS needs to take one extra step of making people log on by default as regular non-admin users. Because if people were, most of the flaws we see in applications would have very low impact.
...how many of the UNIX/Linux vulnerabilities were found (and then subsequently patched) because someone simply found a buffer overflow or the like in a code review.
How many code reviews find and fix bugs for which no exploit exists in the wild for *ix?
How many patched fixed bugs for which there was no exploit in the wild for Windows?
This space for rent. Call 1-800-STEAK4U
attack on Microsoft... check!
defending open source... check!
"nifty" in post... check!
Yup, he passes: MOD PARENT UP.
My company's Bugzilla database shows 5580 bugs opened in 2005. So I guess if bugs marked as duplicate and invalid are removed, our software accounted for almost all 5,198 software flaws of 2005.
So... what's the secret you guys are hiding from us?
Ceci n'est pas une signature.
Then I guess I should quit coding in C and go back to assembly.
now we need to go OSS in diesel cars
Voting for most ridiculous stat ever posted in an article for Slashdot (sand the **AA losses from 'piracy')
;-)
"Brian Krebs is clearly either extremely stupid, or has an axe to grind. If you look at the Cert Cyber Security Bulletin 2005 Summary, you can see that many of the lines in it end in "(Updated)" A simple count of lines gives the results that Brian quotes, however there are far more "(Updated)" entries in the Unix/ Linux Operating Systems section."
The author isn't trying to make a security comparison between the two OS's. Not once does he even imply one OS is better than another based on this list. So why are you trying?
Vote for Pedro
To be perfectly honest with all of you, we all know what the better operating system is, don't we? This shouldn't even be a discussion as the battle of the operating systems has already been won, the illiterate crowd just has to find out...
-------
Userfriendly? Sure it is, unless you aren't computerfriendly!
/me to a classmate on FreeBSD
Ever heard of Qmail? All C, used by thousands for years, never been exploited, extremely secure. Just one example. There are many out there. Get a clue.
Hard real-time Java programming is vastly different from normal Java programming. Most of the standard Java class libraries are gone. Exception handling is gone. Automatic garbage collection is gone. Almost all third party class libraries are gone. Coding hard real-time apps in Java feels very much like coding C apps from scratch, even if you don't have to manually allocate and deallocate blocks of memory. From the article:
I guess my point is this: hard real-time Java is not the Java with which 99.9% of so-called Java developers are familiar. Choosing Java over C or Ada for a hard real-time system will not enable you to hire lesser programmers, nor will it significantly increase your pool of eligible employees. No matter which language you use, to do hard real-time systems correctly and efficiently you must hire only top-tier programmers. Top-tier programmers can make use of any relevant language. Hire any lesser programmers and they will screw up, regardless of language choice.
The preceding comments reflect the author's personal opinion and are public domain, unless explicitly stated otherwise.
At the end of the day, GC is a useful tool for many programming jobs, but it's only a tool, not a silver bullet. It's no substitute for a good programmer who knows what he's doing.
Perhaps your problem is that you don't understand what a "safe language" is. A safe language is a language that makes guarantees about type errors, error detection, and fault isolation. A language with dynamic memory allocation needs to have a GC in order to be safe. A safe language does not make guarantees about security or parallelism or race conditions, it doesn't necessarily make programming any easier, and it doesn't necessarily help the programmer avoid errors.
And I make this case without, until now, mentioning the IME very real problem that a lot of cheaposoft programmers who grow up relying on GC don't have the same appreciation of low level mechanics as those who don't,
No, the problem is that there are too many people like you in this industry, people who don't even understand what a basic concept like a "safe language" means.
Bender, sleeping: "Hey, sexy mama... Wanna kill all humans?"
Oh really? And who exactly are you to tell me, or anyone else reading this, what a safe language is? Your argument is a common logical fallacy -- a weak appeal to your own authority -- and nothing more.
My interpretation of the word "safe", and also the definition given by an English dictionary, would be "not in any danger". Your definition conveniently excludes several common dangers to programmers and focuses only on a single, narrow problem, yet if you are to be completely safe, you cannot exclude anything. Any approach that addresses less than that may be safer, as GC may be most of the time, but it certainly isn't safe.
This is my point: some people focus on GC so much that they forget to address other problems. There are languages that do make guarantees about security, use safe parallelised processing implicitly, make programming much easier, and avoid many other classes of programmer error. Claiming that any language that provides GC but does not do these things as well could possibly be "safe" is irrational, and believing that your code is safe because you use such a language is delusional.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I just went to CERT's website and copied down the whole list of flaws, and realized most of them are not OS related... so I then went down the list for the Windows OS's flaws and copied down only the ones starting with Microsoft, and went down the list for Unix/Linux and copied down only the entries with Multiple Vendor. Then, I removed the entries with (Updated), and the resulting list was:
Microsoft: 120
Unix/Linux: 192
Then, under the Microsoft list, I just selected the ones starting with Microsoft Windows, and similarly under Unix/Linux, selected just the ones starting with Multiple Vendor Linux Kernel (not including Linux Kernel 64 bit). Then, the results were:
Microsoft Windows: 43
Unix/Linux: 77
Any thoughts, anyone? That seems suspiciously low for Windows problems, but despite Microsoft's image, I do think that they're doing a lot better security wise than before, and doesn't deserve ALL of the crap that they're getting from a lot of the people here. Seeing all the Updated tags on the Unix/Linux list, it does seem, and I do know, that the community responds a lot faster to any flaws found, but still, Windows I think should really be given fairer treatment for what they're doing to try to fix their problems.
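The recount described in this post (filter by vendor prefix, drop "(Updated)" lines) is easy to script, and scripting it exposes a caveat the manual count misses. The following is an added example, not code from the poster or from US-CERT; it assumes a constructed one-entry-per-line layout ("Section|Title") standing in for the real bulletin, and reports three figures side by side: the naive line count, the count with "(Updated)" lines removed, and the number of distinct issue titles.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the spirit of a US-CERT bulletin summary:
# "<Section>|<Title>", with "(Updated)" appended to re-issued entries.
# These are made-up lines for illustration, not real 2005 bulletin data.
SAMPLE_ENTRIES = """\
Windows|Microsoft Windows Plug and Play Buffer Overflow
Windows|Microsoft Windows Plug and Play Buffer Overflow (Updated)
Windows|Microsoft Internet Explorer Memory Corruption
Unix/Linux|Multiple Vendor Linux Kernel Denial of Service
Unix/Linux|Multiple Vendor Linux Kernel Denial of Service (Updated)
Unix/Linux|Multiple Vendor Linux Kernel Denial of Service (Updated)
Unix/Linux|Apache mod_ssl Format String Vulnerability
Unix/Linux|Apache mod_ssl Format String Vulnerability (Updated)
Unix/Linux|Sun Solaris Remote Privilege Escalation
Unix/Linux|Sendmail Race Condition (Updated)
Multiple|Mozilla Firefox Cross-Site Scripting
Multiple|Mozilla Firefox Cross-Site Scripting (Updated)
"""

UPDATED_RE = re.compile(r"\s*\(Updated\)\s*$")

def parse_entries(text):
    """Yield (section, title without the suffix, is_update) per line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        section, _, title = line.partition("|")
        is_update = bool(UPDATED_RE.search(title))
        yield section.strip(), UPDATED_RE.sub("", title).strip(), is_update

def count_by_section(text, prefix=None):
    """Return {section: (raw_lines, excluding_updated, unique_titles)}.
    raw_lines is the naive count; excluding_updated is the post's method;
    unique_titles collapses re-issues onto their original entry.
    prefix (optional) keeps only titles starting with it, e.g. "Microsoft"."""
    raw, excl = Counter(), Counter()
    uniq = defaultdict(set)
    for section, title, is_update in parse_entries(text):
        if prefix and not title.startswith(prefix):
            continue
        raw[section] += 1
        if not is_update:
            excl[section] += 1
        uniq[section].add(title)
    return {s: (raw[s], excl[s], len(uniq[s])) for s in raw}
```

Note the Sendmail line: dropping every "(Updated)" entry also drops issues whose original entry fell outside the period, so "excluding updated" and "unique titles" disagree (3 vs 4 for Unix/Linux in the sample).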