The Annual US-CERT FUD Festival
Joe Barr writes "Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux. Pamela Jones did a similar report at Groklaw over the weekend." From the article: "One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux. The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro, and one could say the same about the various versions of Windows. That's why it is a completely meaningless exercise to discuss those totals as if they present an accurate picture of the relative security of Windows and Linux." We've reported on the US-CERT list already this year. NewsForge is a sister site to Slashdot.org, both of whom are owned by OSTG.
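The double-counting the article describes, as an added illustration that is not from the NewsForge article or from US-CERT: the advisory ids, platform families and product names below are constructed placeholders, and the three counting methods show how the same records give very different "totals".

```python
# Added example: why summing per-product advisories inflates a platform "total".
# All data here is CONSTRUCTED for illustration; advisory ids are placeholders, not real CVEs.
from collections import defaultdict

# One record per (advisory, product) pair, which is how a per-product
# vulnerability list is naturally built: an advisory affecting three
# distributions shows up three times.
RECORDS = [
    ("ADV-0001", "Windows", "Windows XP"),
    ("ADV-0001", "Windows", "Windows 2000"),
    ("ADV-0002", "Windows", "Windows XP"),
    ("ADV-0003", "Windows", "Windows NT"),
    ("ADV-0010", "Linux", "Distro A"),
    ("ADV-0010", "Linux", "Distro B"),
    ("ADV-0010", "Linux", "Distro C"),
    ("ADV-0011", "Linux", "Distro A"),
    ("ADV-0011", "Linux", "Distro B"),
    ("ADV-0012", "Linux", "Distro C"),
    ("ADV-0013", "Linux", "Distro A"),
]

def naive_totals(records):
    """Count every record: an advisory is counted once per affected product."""
    totals = defaultdict(int)
    for _, family, _ in records:
        totals[family] += 1
    return dict(totals)

def unique_totals(records):
    """Count each advisory once per platform family, however many products it hits."""
    seen = defaultdict(set)
    for adv, family, _ in records:
        seen[family].add(adv)
    return {family: len(advs) for family, advs in seen.items()}

def per_product_totals(records):
    """Unique advisories per single product: what a user of one distro or one Windows version faces."""
    seen = defaultdict(set)
    for adv, _, product in records:
        seen[product].add(adv)
    return {product: len(advs) for product, advs in seen.items()}

if __name__ == "__main__":
    print("naive per family  :", naive_totals(RECORDS))       # Linux looks worst here
    print("unique per family :", unique_totals(RECORDS))
    print("unique per product:", per_product_totals(RECORDS))  # no single product is near the naive total
```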
Every time you download a new security update for Windows you should consider that a new "version" if each Linux Distro is considered a version.
Does nobody remember when everyone was gloating over how these numbers showed many more vulnerabilities on the Windows side than on the Linux side? All those years we yelled at Microsoft, asking them to get better on security...were we ever planning to be happy if they actually DID? The notion that their vulnerability count is declining on a yearly basis isn't all that mysterious; they've really been doing a lot of work, from coding practices to architecture (for example, Microsoft Security Center, "Microsoft Update" replacing "Windows Update," their attempt at disabling raw sockets, etc.). So maybe they really are improving...what's so awful about that? It's not a zero-sum solution, everyone...if any single player in the OS field improves security, then that's good, no matter who it is.
:)
Or, is this not really about security, but just trying to bash Microsoft despite the stats? Nawwwwww....
For your security, this post has been encrypted with ROT-13, twice.