The Annual US-CERT FUD Festival
Joe Barr writes "Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux. Pamela Jones did a similar report at Groklaw over the weekend." From the article: "One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux. The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro, and one could say the same about the various versions of Windows. That's why it is a completely meaningless exercise to discuss those totals as if they present an accurate picture of the relative security of Windows and Linux. " We've reported on the US-CERT list already this year. NewsForge is a sister site to Slashdot.org, both of whom are owned by OSTG.
No, but it sounds like they're adding the vulnerabilities to represent Linux. Much as they're adding the unique Windows vulnerabilities to represent Windows.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
It's equally unfair to lump Windows 98, NT, 2000, XP all together. They could be looked at as different "distros" of Windows. Should pick the best or latest OS from each group with the least vulnerabilities to compare.
Shouldn't we be asking the more pertinent question: why do all the various operating systems have so many vulnerabilities? When it comes to such things, this shouldn't be a competition. OS builders should be striving for zero tolerance to vulnerabilities and there shouldn't be any quibbling over the number that exist.
GetOuttaMySpace - The Anti-Social Network
Part of the contention is the repeat entries with the "updated" notation. So if you throw out all 141 "updated" occurrences in the Microsoft section, that leaves 671 (812-141=671).
If you throw out all 1437 "updated" occurrences in the Linux/Unix section, that leaves 891 (2328-1437=891). Subtracting Apple OS X (130) and Sun Solaris (77), Linux/Unix ends up with 13 more vulnerabilities than Windows (891-130-77=684), but it's for more operating systems, so it may be fair to divide that 684 further.
The theory of relativity doesn't work right in Arkansas.
Suckers ...
But it is true, engage intellect and you can see at a glance how useless the figures are.
- No ranking by severity levels, or weighting of overall score by severity
- No individual OS scores
I can't see how this 'report' is useful to anyone except marketing droids who work for Microsoft.
Good point, and I'd like to add: what about the length of time between when vulnerabilities are found and when they are patched? Surely they thought about that. Linux and Unix can continue to have more "reported" vulnerabilities than Windows, but if they are patched faster than Windows, doesn't that count for something?
I have nothing clever to put here...
They're doing it again this year to make it appear as if it is more secure than UNIX/Linux.
What is "it"? Slight tinge of paranoia here, maybe?
Let's review the score here:
- It does not matter what material is published, the fact of the matter is that every Windows PC in the world regularly has visible and non-trivial security issues, while on Linux and OS/X these issues are generally theoretical.
- People's perceptions of Windows are very simple: it's a piece of crap that they use because it came with the box and everyone else uses it.
- The relative security of Windows vs. the World is not a deciding factor in most people's use of Windows. It's largely a captive, neutered market.
- For people who actually do care, no amount of statistics can change the visible and perceived situation. When I choose to ban Windows in my company, it's not because I read some website or article. It's because I'm sick and tired of removing spyware from people's PCs.
Complaining about these statistics is to give them credibility. Those who chose on the basis of security will ignore this data, and those who chose on other criteria won't care about this data.
I'm an automation officer in the U.S. Army, and I know for a fact that we're full of Microsoft shills and contractors with Microsoft loyalties. We don't employ Unix/Linux in an enterprise manner; the government sold its soul to Microsoft years ago. Unix is used on some Army tactical platforms, though. Food for thought.
I would have expected better *if* CERT was still in the hands of a university. I wouldn't trust a government analysis as far as I could throw a CRAY.
Considering Linux is a kernel, to say there were 1000s of bugs against Linux is silly.
It would be interesting to see all of the Windows application vendors lumped into the "Microsoft security flaws" category in a similar manner. I've seen quite a few Windows applications from all sorts of software vendors with issues this last year and noticed they weren't listed. While one might argue at first that this would be unfair because of all of the commercial products available for Windows, I'm not sure Windows wouldn't still have an advantage. Just go to sourceforge.net and start counting up all the projects available there that could be lumped into Linux "security flaws."
Looking just at core operating system applications, Fetchmail doesn't make the cut. In fact, it's inappropriate to include GCC in there since I'm certain they didn't include Microsoft development environment tools in the Microsoft count. An apples-to-apples comparison isn't appropriate and perhaps for those uneducated technical journalists that like to make comparison stories, a kernel-to-kernel, browser-to-browser (e.g. IE vs. Mozilla vs. Opera), office suite to office suite, and other category-based comparison is the only appropriate approach.
I've seen these numbers, and wonder what counts as a "Linux" vulnerability - does every little PHP bulletin board package that generates hundreds of bug reports a month on bugtraq count towards the total? All vulnerabilities aren't in the same class, although these numbers seem to lump them all together. Something like this WMF thing affects every machine running Windows. It's not like the Linux kernel, Apache, etc have bugs of this class. (Plus, most "little PHP bulletin board package" things for Windows are proprietary, and there is no master list of vulnerabilities the way there is for open source stuff. It's almost like these numbers are more "found vulnerabilities" than anything else, and a higher number would be good.)
Sure, everyone enjoys a good bitching contest but this is not helping.
Formal request:
Someone needs to count the vulnerabilities in:
1) XP
2) Minimal SUSE linux install
3) XP with specific of Apps, servers, etc.
4) SUSE linux with specific Apps, servers, etc.
Give us these numbers and then we have something to talk about.
The government which is strong enough to protect you from everything is strong enough to take everything from you.
What's worse is the fact that a POP3 client buffer overflow on Windows would not be included at all, as one doesn't ship with Windows. Linux distros generally ship with thousands of clients and servers while Windows ships with the bare minimum. To do a true security comparison you would have to compare either just kernel exploits with OS exploits, then compare all popular software for Windows with all popular software for Linux side by side on a category basis (POP3 clients being a category).
Really, it is.
Yeah the spin is ugly, but if the *nix's "stick to their knitting" this too shall pass.
They do the same thing when they talk about Macs too. The last time I saw figures (which was a couple of years ago) Apple was far and away the #1 shipper of laptops by brand. But they would compare ALL laptops shipped by all brands to come up with Apple's "minuscule" market share.
The reality was that Apple was creaming the Windows-based brands. They would do this with all of the various market segments Apple competed in. Funny how they don't do it with MP3 players.
OT Comment:
I never understood why anyone who branded computers wanted their numbers in the market research. It just gives HP a target to destroy.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
The "article" is not an article but rather an opinion piece. For example:
Microsoft wants you to read the headlines as "Windows 3X safer than Linux." (If Microsoft is being quiet about the US-CERT numbers, it's because the company is too busy trying to come up with a fix for the Windows Meta File (WMF) vulnerability.)
The authors apparently know what Microsoft wants, even though they admit the company hasn't commented on the summary of vulnerabilities. I guess the authors assume the MS marketing department is working on this bug fix, which at the time the article was posted was fixed (but no patch had been released).
Reading further, the authors reference the "Technical Cyber Security Alerts", saying, "That's quite a different picture than the one the Microsoft press machine wants you to see." Once again MS is referenced, even though they had nothing to do with the summary of vulnerabilities and have issued no press release on the matter.
MS is mentioned twice though the company has not issued any press releases or new ads reflecting these numbers. On the other hand, the article repeatedly mentions the press:
Everywhere you look in the trade press today, you'll find glowing misrepresentations...
...many scribes sympathetic to the Microsoft cause go out of their way to make sure the real picture never emerges...
...you'd think that the mainstream tech press could get it right when reporting on security...
...scribes in the trade press are once again playing the US-CERT FUD game...
Shame on them for purposely -- or ignorantly, as the case may be -- misleading their readers.
Yet in the links below the article there is only one direct link to an example of how the press has been misleading their readers.
Guys, if you're going to write something, call it an article, then post it to Slashdot, at least try to be a little more objective. I think most people are tired of MS vs the world now...it's so last year (this year it's Google vs the world). People are interested in performance, ease of use, security - getting the job done. Who has time for these pissing matches?
The piece does fit on a site named "NewsForge". Why report the news when you can manufacture it?
I vote for the "solves-my-problem-but-not-yours" distribution, which is clearly the best.
Incidentally, I am also in favor of settling on ONE (1) tool for all mechanical uses.
I favor the two-handed hewing axe, but I might be persuaded to vote for the claw hammer.
I can't believe that there are so many people posting about this.
You really had trouble figuring out what the article is about?
Shame on you! Admitting this at Slashdot too! All of these intellectual people here making a note of your name and marking it with a mental note of 'moron'.