The Annual US-CERT FUD Festival

← Back to Stories (view on slashdot.org)

The Annual US-CERT FUD Festival

Posted by Zonk on Friday January 6, 2006 @03:36AM from the comparing-apples-and-pineapples dept.

Joe Barr writes "Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux. Pamela Jones did a similar report at Groklaw over the weekend." From the article: "One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux. The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro, and one could say the same about the various versions of Windows. That's why it is a completely meaningless exercise to discuss those totals as if they present an accurate picture of the relative security of Windows and Linux. " We've reported on the US-CERT list already this year. NewsForge is a sister site to Slashdot.org, both of whom are owned by OSTG.

5 of 152 comments (clear)

Min score:

Reason:

Sort:

Skewed? Oh yeah... by fak3r · 2006-01-06 03:45 · Score: 4, Interesting

Considering Linux is a Kernel, to say there were 1000s of bugs again Linux is silly. Let's see how many were against the Linux kernel vs all the userland apps that don't touch anything system level. Now I'll admit bugs show up, and I think that's Open Source's strength; there's constantly ppl combing over the code finding f'd up stuff that no one would think to look at. This is only achieved through constant gazing at the source code, whereas with Windows a bug is usually found out after it's a vuln. Also, I'm happy that MS patched the issue so quickly, even if they were beaten to the punch, perhaps they'll take things (security) more seriously now that they're pushing 'trusted computing'. Not that I care that much, I'm sold on Linux, OS X on the desk and freeBSD on the server, but I did play with ReactOS the other night, and see a future for x-Windows folks who don't want to lose Windows compat when XP support goes away...

--
fak3r.com
Re:Should Compare A Single Version Of Windows Too by theonlyholle · 2006-01-06 03:50 · Score: 2, Interesting

In principle, you are right - but you will have to agree that lumping say 4 or 5 versions of Windows together is an order of magnitude less stupid than lumping say 100 distros of Linux, plus assorted flavors of Unix (including MacOS) together...
Re:Downright Disingenuous by greg_barton · 2006-01-06 03:53 · Score: 2, Interesting

I honestly expected better from the CERT folks. I don't know why, but I really did.

Coming from the same government that denuded a slam dunk settled lawsuit against Microsoft? PuhLEASE!
Re:Downright Disingenuous by MyDixieWrecked · 2006-01-06 04:29 · Score: 3, Interesting

Whether "different" OSes should be lumped together is another discussion entirely (how "different" are they if they have the same kernel?)

then you need to consider the fact that x86 linux has a different kernel than PPC linux. And what about all the people running 2.4.x versus 2.6.x versus everyone still running older versions, still?

What about the fact that if a version of apache has some flaw that it [generally] affects the entire Apache installbase of that version. Whether it's BSD, Linux, OSX, Windows or BeOS. I say "generally" because some flaws may only affect x86 versions or PPC versions exclusively due to endian issues and ways that the kernels handle the stack and whatnot.

There really is no fair way of gauging and quantifying the number of flaws found in computers per-OS unless you go by installation package. Make lists of XP, make lists of win2k, make lists for OSX (10.2, 10.3 and 10.4 as well as server), make a list for each distro and every installation type for each of the lastest couple of versions. Sure it's a lot of work... but at least it'll be more accurate.

--

...spike
Ewwwwww, coconut...
Re:Should Compare A Single Version Of Windows Too by dpilot · 2006-01-06 04:34 · Score: 2, Interesting

For the moment, I'm going to lump a response to this together with "Skewed, Oh yeah..." thread ( http://it.slashdot.org/comments.pl?sid=173159&cid= 14409257 ) and say that it would be interesting to have a little better detail - for Windows and Linux both.

For instance, Windows has 2 distinct kernel families, Win9X and WinNT. Linux has 1. Within each of these families there is then versioning, Win95, Win98, WinME, WinNT, Win2k, WinXP, 2.4, 2.6, etc.
Beyond that, it appears that all Windows versions share things like GDI.dll (WMF, anyone?) while all Linux versions share things like glibc. Some are distinct, like Linux modutils, and I've heard that Windows has similar, but can't enumerate.

Then there are applications on top of both, both bundled with the OS, and not.

The CERT numbers are a mess, a disservice to all.

--
The living have better things to do than to continue hating the dead.