The Annual US-CERT FUD Festival
Joe Barr writes "Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux. Pamela Jones did a similar report at Groklaw over the weekend." From the article: "One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux. The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro, and one could say the same about the various versions of Windows. That's why it is a completely meaningless exercise to discuss those totals as if they present an accurate picture of the relative security of Windows and Linux." We've reported on the US-CERT list already this year. NewsForge is a sister site to Slashdot.org, both of whom are owned by OSTG.
No, but it sounds like they're adding the vulnerabilities to represent Linux. Much as they're adding the unique Windows vulnerabilities to represent Windows.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
The act of contrasting the vulnerabilities found in the few Windows operating systems with the vulnerabilities found in hundreds of Linux/Unix is bad enough, but when you consider that the Unix/Linux list contains duplicate items, it becomes positively shameful.
From the Groklaw article:
I honestly expected better from the CERT folks. I don't know why, but I really did.
____
~ |rip/\/\aster /\/\onkey
Simply just find out who counted the numbers and steal all his personal data, give him an option on which OS to leave it on (add 100MB and no firewall) and there you go, simple answers from statisticians.
They fitted George Orwell's coffin with rollers so he could turn over more easily years ago.
It's equally unfair to lump Windows 98, NT, 2000, XP all together. They could be looked at as different "distros" of Windows. Should pick the best or latest OS from each group with the least vulnerabilities to compare.
Considering Linux is a kernel, to say there were 1000s of bugs against Linux is silly. Let's see how many were against the Linux kernel vs all the userland apps that don't touch anything system level. Now I'll admit bugs show up, and I think that's Open Source's strength; there's constantly people combing over the code finding f'd up stuff that no one would think to look at. This is only achieved through constant gazing at the source code, whereas with Windows a bug is usually found out after it's a vuln. Also, I'm happy that MS patched the issue so quickly, even if they were beaten to the punch; perhaps they'll take things (security) more seriously now that they're pushing 'trusted computing'. Not that I care that much, I'm sold on Linux, OS X on the desk and FreeBSD on the server, but I did play with ReactOS the other night, and see a future for x-Windows folks who don't want to lose Windows compat when XP support goes away...
fak3r.com
Shouldn't we be asking the more pertinent question: why do all the various operating systems have so many vulnerabilities? When it comes to such things, this shouldn't be a competition. OS builders should be striving for zero tolerance to vulnerabilities and there shouldn't be an quibbling over the number that exist.
GetOuttaMySpace - The Anti-Social Network
Part of the contention is the repeat entries with the "updated" notation. So if you throw out all 141 "updated" occurrences in the Microsoft section, that leaves 671 (812-141=671).
If you throw out all 1437 "updated" occurrences in the Linux/Unix section, that leaves 891 (2328-1437=891). Subtracting Apple OS X (130) and Sun Solaris (77), Linux/Unix ends up with 13 more vulnerabilities than Windows (891-130-77=684), but it's for more operating systems, so it may be fair to divide that 684 further.
The theory of relativity doesn't work right in Arkansas.
Suckers ...
But it is true, engage intellect and you can see at a glance how useless the figures are.
- No ranking by severity levels, or weighting of overall score by severity
- No individual OS scores
I can't see how this 'report' is useful to anyone except marketing droids who work for Microsoft.
Good point and I'd like to add, What about the time length between when vulnerabilities are found, and then patched? Surely, they thought about that. Linux and Unix can continue to have more "reported" vulnerabilities than Windows, but if they are patched faster than Windows, doesn't that count for something?
I have nothing clever to put here...
They're doing it again this year to make it appear as if it is more secure than UNIX/Linux.
What is "it"? Slight tinge of paranoia here, maybe?
Let's review the score here:
- It does not matter what material is published, the fact of the matter is that every Windows PC in the world regularly has visible and non-trivial security issues, while on Linux and OS/X these issues are generally theoretical.
- People's perceptions of Windows are very simple: it's a piece of crap that they use because it came with the box and everyone else uses it.
- The relative security of Windows vs. the World is not a deciding factor in most people's use of Windows. It's largely a captive, neutered market.
- For people who actually do care, no amount of statistics can change the visible and perceived situation. When I choose to ban Windows in my company, it's not because I read some website or article. It's because I'm sick and tired of removing spyware from people's PCs.
Complaining about these statistics is to give them credibility. Those who chose on the basis of security will ignore this data, and those who chose on other criteria won't care about this data.
My blog
I'm an automation officer in the U.S. Army, and I know for a fact that we're full of Microsoft shills and contractors with Microsoft loyalties. We don't employ Unix/Linux in an enterprise manner; the government sold its soul to Microsoft years ago. Unix is used on some Army tactical platforms, though. Food for thought.
They both have duplicate vulnerabilities listed in their totals.
It is also not a level playing field in the OS market.
Once more people are using Linux, it will be a more fair comparison.
He who knows best knows how little he knows. - Thomas Jefferson
- 11 of those alerts were for Windows platforms
- 3 were for Oracle products
- 2 were for Cisco products
- 1 was for Mac OS X
- None were for Linux
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
Using the patent-pending method of determining worth by comparing terms plugged into Google, I get the following:
Search for "Windows Bugs": 45,800
Search for "Linux Bugs": 23,400
Search for "Bunny Bugs": 31,100
From this method, I can determine that I should NOT watch Looney Tunes cartoons on my Windows Media Center PC. Or drink while posting.
Vincent J. Murphy
Spandex Justice
have at it
http://www.us-cert.gov/contact.html
Considering Linux is a Kernel, to say there were 1000s of bugs again Linux is silly.
It would be interesting to see all of the Windows application vendors lumped into the "Microsoft security flaws" category in a similar manner. I've seen quite a few Windows applications from all sorts of software vendors with issues this last year and noticed they weren't listed. While one might argue at first that this would be unfair because of all of the commercial products available for Windows, I'm not sure Windows wouldn't still have an advantage. Just go to sourceforge.net and start counting up all the projects available there that could be lumped into Linux "security flaws."
Looking just at core operating system applications, Fetchmail doesn't make the cut. In fact, it's inappropriate to include GCC in there since I'm certain they didn't include Microsoft development environment tools in the Microsoft count. An apples-to-apples comparison isn't appropriate and perhaps for those uneducated technical journalists that like to make comparison stories, a kernel-to-kernel, browser-to-browser (e.g. IE vs. Mozilla vs. Opera), office suite to office suite, and other category-based comparison is the only appropriate approach.
I've seen these numbers, and wonder what counts as a "Linux" vulnerability - does every little PHP bulletin board package that generates hundreds of bug reports a month on bugtraq count towards the total? All vulnerabilities aren't in the same class, although these numbers seem to lump them all together. Something like this WMF thing affects every machine running Windows. It's not like the Linux kernel, Apache, etc have bugs of this class. (Plus, most "little PHP bulletin board package" things for Windows are proprietary, and there is no master list of vulnerabilities the way there is for open source stuff. It's almost like these numbers are more "found vulnerabilities" than anything else, and a higher number would be good.)
Actually it's the third "it" and I noticed this also. I had to read the summary several times to figure out what "it" meant. It also helped that I saw the CERT release this summary is referring to and thought it was strange that Linux beat out Windows for number of vulnerabilities. Now I know why, sigh!
Fat, drunk, and stupid is no way to go through life, son.
Sure, everyone enjoys a good bitching contest but this is not helping.
Formal request:
Someone needs to count the vulnerabilities in:
1) XP
2) Minimal SUSE linux install
3) XP with specific of Apps, servers, etc.
4) SUSE linux with specific Apps, servers, etc.
Give us these numbers and then we have something to talk about.
The government which is strong enough to protect you from everything is strong enough to take everything from you.
There's another debunking over at SecurityFocus
I was about to post the same thing. I guess the poster means OS X, which I think is more secure...
The war with islam is a war on the beast
The war on terror is a war for peace
Jack Ryan returns in 2006 for "The Sum of all FUD": 27,000 fact-stretched FUDs. One is misleading. CIA analyst Jack Ryan hunts down a group of US-CERTs who plan to announce a hogwash of FUD at the Superbowl.
If big boobed women work at Hooters do one legged women work at IHOP?
FTA, there are 3 lists: Windows vulnerabilities, that count, from Internet Explorer to WheresJames camera software, including Adobe...
The "Unix" one, including AIX, Mac OS X, Solaris, Linux, FreeBSD, and anything that looks like Unix...
and multiplatform vulnerabilities...
The main issue is the way they pack together all kinds of things from different vendors into the Unix thing... Also, there are reported vulnerabilities about Adobe that aren't listed as multiplatform vulnerabilities...
This article DOESN'T become de facto FUD, but it CAN be used as a "FUD source" (you see, CERT reports that "Unix" is worse than "Windows")...
So be careful when PR announcements link to this "list"...
They've got Apache vulnerabilities listed on the Linux side, but not on the Windows side - vulnerabilities that affected both places, I might add.
:)
This is true of most of the *nix vulnerabilities, actually.
So what we're really seeing is Windows-only vulnerabilities being compared to ones that are OS neutral. Not that it's very surprising, though. It's 2006.
With the exception of software written specifically for Windows, most software is cross-platform.
This is the only really meaningful way to do this kind of a report because of this characteristic. The important thing to keep in mind in that, though, is that Windows has all of its own vulnerabilities AND most of the others.
Mod me down and I will become more powerful than you can possibly imagine!
You can *make* Linux more secure by customizing it, and how you can't do that with Windows (any version)?
If the intro isn't clear, why bother reading the article?
But OSX is BSD-based, so wouldn't that fall under the Unix category? I assumed Windows, because that's usually what gets people worked up around here.
...and I completely agree, Microsoft shouldn't be held accountable for crappy software produced by a third party causing issues; don't think I'm just defending Linux, this report is silly for everyone. Plus things like Gator can hardly be faulted to MS.
fak3r.com
The mainstream press never differentiates the type of vulnerability. I would say that 1 remote root exploit is worth at least a 100 local root exploits, maybe more if there is no remote exploit for the system at all.
The mainstream media does not get this. But, neither do most computer users.
I've got fifty one dollar bills, all you have is two hundreds. I've clearly got more money than you. Shine my shoes.
-SHP
Anyone who uses multiple platforms knows where he has to spend most of his maintenance and fixer-upper time. I spend almost no time on MacOSX keeping it running. I gave up on my WinXP and it simply doesn't connect to the Internet, and it now has no maintenance time either. Bo
It seems to me as if you are getting a little bent out of shape over something so small.
Would you agree that I have made a valid sentence (even if you disagree with my statement)? The "it" I used at the beginning of that sentence is the same as the "it" you took issue with. This is a common English grammatical construction akin to the passive voice, and the "it" herein is typically understood to mean "the situation", "the current course of events", or something similar.
This is a fairly common construction, and I'm surprised you haven't run into it before. I'm guessing that you have, and simply didn't realize it. I'd love to point you to an article on it, but the wikipedia one is very unhelpful for this particular usage, and google didn't give me anything either, so you're stuck with just my explanation.
Really, it is.
Yeah the spin is ugly, but if the *nix's "stick to their knitting" this too shall pass.
They do the same thing when they talk about Macs too. The last time I saw figures (which was a couple of years ago) Apple was far and away the #1 shipper of laptops by brand. But they would compare ALL laptops shipped by all brands to come up with Apple's "minuscule" market share.
The reality was that Apple was creaming the Windows-based brands. They would do this with all of the various market segments apple competed in. Funny how they don't do it with MP3 players.
OT Comment:
I never understood why anyone who branded computers wanted their numbers in the market research. It just gives HP a target to destroy.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
The "article" is not an article but rather an opinion piece. For example:
Microsoft wants you to read the headlines as "Windows 3X safer than Linux." (If Microsoft is being quiet about the US-CERT numbers, it's because the company is too busy trying to come up with a fix for the Windows Meta File (WMF) vulnerability.)
The authors apparently know what Microsoft wants, even though they admit the company hasn't commented on the summary of vulnerabilities. I guess the authors assume the MS marketing department is working on this bug fix, which at the time the article was posted was fixed (but no patch had been released).
Reading further, the authors reference the "Technical Cyber Security Alerts", saying, "That's quite a different picture than the one the Microsoft press machine wants you to see." Once again MS is referenced, even though they had nothing to do with the summary of vulnerabilities and have issued no press release on the matter.
MS is mentioned twice though the company has not issued any press releases or new ads reflecting these numbers. On the other hand, the article repeatedly mentions the press:
Everywhere you look in the trade press today, you'll find glowing misrepresentations...
...many scribes sympathetic to the Microsoft cause go out of their way to make sure the real picture never emerges...
...you'd think that the mainstream tech press could get it right when reporting on security...
...scribes in the trade press are once again playing the US-CERT FUD game...
Shame on them for purposely -- or ignorantly, as the case may be -- misleading their readers.
Yet in the links below the article there is only one direct link to an example of how the press has been misleading their readers.
Guys, if you're going to write something, call it an article, then post it to Slashdot, at least try to be a little more objective. I think most people are tired of MS vs the world now...it's so last year (this year it's Google vs the world). People are interested in performance, ease of use, security - getting the job done. Who has time for these pissing matches?
The piece does fit on a site named "NewsForge". Why report the news when you can manufacture it?
I vote for the "solves-my-problem-but-not-yours" distribution, which is clearly the best.
Incidentally, I am also in favor of settling on ONE (1) tool for all mechanical uses.
I favor the two-handed hewing axe, but I might be persuaded to vote for the claw hammer.
"it" herein is typically understood to mean "the situation", "the current course of events", or something similar
That doesn't make sense. Replacing that "it" with what you say it represents, the sentence now reads:
They're doing it again this year to make it appear as if [the situation] is more secure than UNIX/Linux.
See what I mean? That "it" has to refer to something. From reading the article I assume you meant "it" to refer to Windows, so the sentence could read, "...to make it appear as if Windows is more secure than UNIX/Linux."
I am amused that you were modded "offtopic" when you commented directly on the news item and even included a reference.
But to clear up any confusion, the "IT" referred to in the OP is of course the famous Segway motorized scooter. See how the whole thing makes sense now?
Very false. Just look for Larry Wall Perl Insecure Temporary File Creation (Updated). Three instances of the exact same item. And only in *nix, even though ActiveState Perl for Windows had the same issue. So, there are LOTS of issues with this report. CERT is more SNAFU than not.
I prefer the "u" in honour as it seems to be missing these days.
I only had about 10 flies in my windows, and 1 fly in my door.
I prefer the "u" in honour as it seems to be missing these days.
The company with 90% market share consistently and nearly constantly distorts every piece of negative press they get, and trumpets all the negative press about the 2%. But a vulnerability in the 90% software threatens not only my core business (if it is found on the WinX platform), but that of any and all of my customers if they are.
That's what.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
I don't care. I just know one thing. I'm not easily targeted. Vulnerabilities be damned -- I'm a minority [Linux] user and I don't suffer from the crap that Windows users do. Even if there were only 5 vulnerabilities in Windows and 5000 in Linux, at present, since I'm not being targeted, I'm still safer.
Simply evaluate each vulnerability in a simple hierarchy. When evaluating a distribution or a version of Windows, use only the apps installed by default.
1. Remote--root access that does NOT require human intervention or other app running.
2. Remote non-root access that does NOT require human intervention or other app running.
3. Local root access that does NOT require human intervention or other app running.
4. Local non-root access that does NOT require human intervention or other app running.
5. Remote root access that requires some human interaction or some combination of apps.
6. Remote non-root access that requires some human interaction or some combination of apps.
7. Local root access that requires some human interaction or some combination of apps.
8. Local non-root access that requires some human interaction or some combination of apps.
9. Remote OS crash.
10. Remote app crash.
11. Local OS crash.
12. Local app crash.
There, now it should be easy to *exactly* compare different systems. A thousand #12's (local app crash vulnerability) is still not worth a single #1 (remote root access).
SECURITY is about REDUCING the avenues of attack. A default Ubuntu install will never have any vulnerability above a #3 simply because it has no open ports, by default. This is extremely important when your machine is connected to the Internet.
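The twelve-class hierarchy above, as an added example that is not from the comment's author: each constructed vulnerability is mapped to its class, two systems are compared lexicographically (any #1 outweighs any number of lower classes), and the "no open ports" point is modelled by dropping remote, no-interaction classes when nothing is listening. All names and counts are constructed for illustration.

```python
"""Rank vulnerabilities on the 12-class hierarchy and compare systems by it."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Vuln:
    name: str
    remote: bool               # exploitable over the network
    root: bool                 # yields root/SYSTEM (ignored for crashes)
    needs_interaction: bool    # needs a human action or a second app
    crash: str = ""            # "", "os" or "app" for denial-of-service only


def rank(v: Vuln) -> int:
    """Class number from the comment's list: 1 is worst, 12 is mildest."""
    if v.crash:                               # classes 9-12
        base = 9 if v.remote else 11
        return base + (0 if v.crash == "os" else 1)
    base = 5 if v.needs_interaction else 1    # classes 5-8 vs 1-4
    if not v.remote:
        base += 2                             # local variants
    if not v.root:
        base += 1                             # non-root variants
    return base


def profile(vulns: List[Vuln]) -> Tuple[int, ...]:
    """Count of vulnerabilities per class, index 0 = class #1."""
    counts = [0] * 12
    for v in vulns:
        counts[rank(v) - 1] += 1
    return tuple(counts)


def compare(a: List[Vuln], b: List[Vuln]) -> int:
    """-1 if a is less secure than b, 1 if b is, 0 if equal.

    Tuple comparison is lexicographic, so a single class-#1 entry outranks
    a thousand class-#12 entries, exactly as the comment argues."""
    pa, pb = profile(a), profile(b)
    return -1 if pa > pb else (1 if pa < pb else 0)


def exposed(vulns: List[Vuln], listening: bool) -> List[Vuln]:
    """Drop remote, no-interaction vulnerabilities when no service listens;
    with no open ports nothing worse than class #3 can remain reachable."""
    return [v for v in vulns
            if listening or v.needs_interaction or not v.remote]


# Constructed sample systems (not real products or advisories).
THOUSAND_CRASHES = [Vuln(f"app-crash-{i}", False, False, False, "app")
                    for i in range(1000)]
ONE_REMOTE_ROOT = [Vuln("daemon-remote-root", True, True, False)]
DESKTOP_NO_PORTS = [
    Vuln("daemon-remote-root", True, True, False),     # #1 if listening
    Vuln("suid-helper-local-root", False, True, False),  # #3
    Vuln("browser-drive-by", True, False, True),         # #6
]


def worst_class(vulns: List[Vuln]) -> int:
    return min(rank(v) for v in vulns) if vulns else 13
```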
I could say the same thing against an OS for which you can't see the source code.
Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux.
"it is more secure than UNIX/Linux"? What is it? I guess it goes without saying? (Or should that be, it goes without saying?)
one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out duplications.
They could have cut it down to a more manageable list by piping it through "grep -vF '(Updated)' | sort -u".
That brings it down to just 871, which is much easier to comb for further duplicates.
The same process on Windows vulnerabilities brings it down from 831 to 659. Both lists still need to be checked for duplicates with different names (say, "Apache HTTP Request Smuggling" and "Apache HTTP Request Smuggling Vulnerability"), but we're now looking at a much more comparable set of numbers.
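The grep/sort pass described above, plus the title normalisation the comment says is still needed, as an added example (not the commenter's script; the entry titles below are constructed to mimic the summary's "(Updated)" repeats). It also shows one caveat of `grep -vF '(Updated)'`: an issue whose every mention carries the tag disappears entirely, so the pipeline can undercount as well as overcount.

```python
"""Deduplicate US-CERT-style summary titles; constructed sample data."""
import re
from typing import Dict, Iterable, List, Set

# Constructed list in the style of the 2005 summary, not copied from it.
SAMPLE_UNIX = """\
Apache HTTP Request Smuggling
Apache HTTP Request Smuggling (Updated)
Apache HTTP Request Smuggling Vulnerability
Larry Wall Perl Insecure Temporary File Creation (Updated)
Larry Wall Perl Insecure Temporary File Creation (Updated)
Larry Wall Perl Insecure Temporary File Creation (Updated)
Mozilla Firefox Multiple Vulnerabilities
Mozilla Firefox Multiple Vulnerabilities (Updated)
OpenSSH Privilege Separation Monitor Weakness
"""

_UPDATED = re.compile(r"\s*\(updated\)\s*$", re.I)
_VULN_WORD = re.compile(r"\s+vulnerabilit(?:y|ies)\s*$", re.I)


def grep_sort_u(lines: Iterable[str]) -> List[str]:
    """Same result as `grep -vF '(Updated)' | sort -u`."""
    return sorted({ln for ln in lines if ln.strip() and "(Updated)" not in ln})


def normalize(title: str) -> str:
    """Key under which differently worded mentions of one issue collide:
    strip the (Updated) tag and a trailing 'Vulnerability', fold case."""
    t = _UPDATED.sub("", title.strip())
    t = _VULN_WORD.sub("", t)
    return re.sub(r"\s+", " ", t).lower()


def unique_titles(lines: Iterable[str]) -> List[str]:
    """Count each distinct issue once, keeping the first wording seen.
    Unlike grep -vF, an issue only ever listed as (Updated) is kept."""
    seen: Set[str] = set()
    out: List[str] = []
    for ln in lines:
        if not ln.strip():
            continue
        key = normalize(ln)
        if key not in seen:
            seen.add(key)
            out.append(_UPDATED.sub("", ln.strip()))
    return out


def summary(text: str) -> Dict[str, int]:
    lines = text.splitlines()
    return {
        "raw": sum(1 for ln in lines if ln.strip()),
        "grep_sort_u": len(grep_sort_u(lines)),
        "normalized": len(unique_titles(lines)),
    }
```

On this sample both passes give four entries, but the grep pass counts the Apache issue twice and the Perl issue not at all, while the normalised pass counts each once.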
Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux.
I don't get it. Are they saying that US-CERT is more secure than UNIX/Linux? Or is 'it' referring to the mainstream and trade press?
Come on guys. If you write this kind of stuff for a living, would it kill you to proofread?
(Never mind that the whole article looks to be nothing more than flamebait to generate ad revenues.)
If I don't put anything here, will anyone recognize me anymore?
"Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux.
What the @#$@# does this (bolded) it refer to? Did someone clip out a reference to Microsoft Windows? Please -- 5 minutes of proofreading?
Why do you read it then?
Life is a gift. And my Karma couldn't possibly be 'Positive'
My point about the statistics is merely an adjunct commentary, and if you will permit the biblical analogy, is that the 90% market leader is effectively trying to "point at the mote in the other guy's eye" while simultaneously "ignoring the beam" in his own, and using a faulty statistical analysis to do it. The question of safety favoring OSS is much more in the realm that the more eyes that can see and test the code, the fewer bugs (which sometimes become vulnerabilities) exist and the shorter their survival time in "the wild".
Perhaps a more useful analogy is this: the Windows hegemony is more like the general populace in terms of risk -- the first uncaught airborne super-flu or other pandemic virus is likely to kill millions and cost billions of dollars to fight, control, etc. But those millions are unlikely to include (statistically speaking) an equal amount of the first responders (the OSS 'nixes, etc.) who take the adequate precautions of masks, gloves, etc.
Now then, who do you want taking care of YOUR interests -- a first responder with all of the medical expertise in nasty bug stomping and control, or are you okay trying to survive with the Campbell's (hidden recipe) version of grandma's chicken soup?
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
If you don't tend to your garden, your vegetables may perish.
If you don't take care of your herd, your cattle might fall ill.
If you don't properly manage your systems, regardless of OS, your boxes might get compromised.
There are also more than 5 or 6 versions of Windows. There were probably 6 versions of Windows 2000 alone counting the server lineup. They lumped in Linux/UNIX, but the total figure for it was also about 3 times higher (812 vs 2328) than the figure for Windows.
Also, while I am at it, I did a grep -i | wc -l for "Firefox" and "Internet Explorer" and found that there were 150 vulns listed for Firefox and only 50 listed for IE.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
Some time back, I saw a speaker from US-CERT at a data security conference put together by one of my coworkers. When the US-CERT guy spoke, one of his first comments was that "US-CERT" does not recommend that you use Firefox instead of IE. Our speaker did say that is what he used personally though. His explanation for this contrast was this: Homeland security is a part of US-CERT's goals and after the announcement to use an "alternative browser", Microsoft's stock went down a noticeable amount. MS is a big part of our economy and this did not go unnoticed by his superiors. This latest press release from CERT does diminish my respect for their words. This line intentionally left blank
How about Slashdot's own flamebait heading Linux/Unix Tops Charts for Vulnerabilities in 2005. Which was based on a similarly inflammatory Information Week article "Linux/Unix Vulnerabilities Outnumber Microsoft Windows' 3 To 1", even though in the final paragraph, they mention how fucked the counting is. All goes to show that news sites, and Slashdot, can't resist running an obviously bogus story. Integrity? They've heard of it.
"anal-retentive" should be hyphenated. That is all.
The number of known vulnerabilities isn't an accurate figure of merit for security anyway. So why bother complaining about the way vulnerabilities are counted?
Vote for Pedro
Yeah I'd be interested to see a metric of "bug days" per distribution/OS. If a bug goes unpatched for a day, that's 7 bug days. Maybe we could be nice and only count business days, but it's not like the virus writers are taking weekends off.
Perhaps also there could be a factor for the seriousness of the bug. So for every day that a critical bug is unpatched, it's worth 14 days of a non-critical unpatched bug. Or something like that -- the factor is inherently arbitrary, but maybe we could agree on something that seems to be a fair measure of how much effort a company ought to put into fixing a critical bug, relative to a noncritical one, and use that.
I'd be very curious to see even how various distributions of Linux stack up against each other in this regard.
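The "bug days" metric proposed above (one bug day per day a bug stays unpatched, with a critical bug weighted 14 to 1, and an optional business-days-only count), worked through as an added example that is not the commenter's; the systems, bug names and dates are constructed, not taken from any advisory.

```python
"""Weighted bug-days per system, from constructed disclosure/patch dates."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

CRITICAL_FACTOR = 14  # the comment's (admittedly arbitrary) weighting


@dataclass(frozen=True)
class Bug:
    system: str
    name: str
    disclosed: date
    patched: Optional[date]   # None: still unpatched on the measuring day
    critical: bool = False


def exposure_days(bug: Bug, as_of: date, business_only: bool = False) -> int:
    """Days from disclosure until the patch (or until as_of if unpatched)."""
    end = bug.patched or as_of
    if end < bug.disclosed:
        raise ValueError(f"{bug.name}: patched before disclosed")
    if not business_only:
        return (end - bug.disclosed).days
    days, d = 0, bug.disclosed          # count Mon-Fri only
    while d < end:
        if d.weekday() < 5:
            days += 1
        d += timedelta(days=1)
    return days


def weighted_bug_days(bug: Bug, as_of: date, business_only: bool = False) -> int:
    weight = CRITICAL_FACTOR if bug.critical else 1
    return exposure_days(bug, as_of, business_only) * weight


def scoreboard(bugs: List[Bug], as_of: date,
               business_only: bool = False) -> Dict[str, int]:
    """Total weighted bug-days per system; lower is better."""
    totals: Dict[str, int] = {}
    for b in bugs:
        totals[b.system] = totals.get(b.system, 0) + \
            weighted_bug_days(b, as_of, business_only)
    return totals


# Constructed sample: two systems, two bugs each, measured on 2006-01-09.
AS_OF = date(2006, 1, 9)
SAMPLE_BUGS = [
    Bug("windows", "remote-code-exec", date(2005, 12, 27), date(2006, 1, 5), True),
    Bug("windows", "local-dos", date(2005, 12, 1), date(2005, 12, 13)),
    Bug("linux", "kernel-local-privesc", date(2005, 12, 20), date(2005, 12, 22), True),
    Bug("linux", "app-crash", date(2005, 11, 1), None),   # still open
]
```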
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
If a bug goes unpatched for a day, that's 7 bug days.
Should have read:
If a bug goes unpatched for a week, that's 7 bug days.
And I even used Preview that time...
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
In order to accurately compare the number of errata associated with a single typical Linux distro and Windows in terms of security vulnerabilities you would have to compare the Linux distro with a Windows OS fully installed with every piece of productivity and server software that exists for it ... like having Photoshop, Office 2003 full install, Microsoft SQL Server, IIS, Exchange, ssh/telnet daemon, printing services, audio editing software, and on and on and on. A typical Linux distro represents the full gamut of roughly all software you will ever need to use in your Linux life and they generate errata for all of it. Windows on the other hand is just an OS. To be fair you would have to combine the bugtrackers from Windows XP with those of Adobe, Macromedia, Sony, Cakewalk, Maya, Nero, etc -- a Windows equiv of every application included in the distro and then present a real total.
Nice sig, I agree.
fak3r.com
is that to start with most of the Windows vulnerabilities are at a much higher risk level than most of the OSS holes.
Then never mind that the OSS community is more honest about reporting bugs, which in turn are patched long before even found in the wild.
When you manage both sides you quickly notice how much more of a problem Windows is. One can easily maintain lots of OSS machines, whereas one doesn't even know what's been broken with the last patch from MS and spends a lot more time maintaining just one Windows box.
With Windows you are forced to only have one single function on it. With OSS you can easily load it up with several functions that are not going to overload it, not going to conflict with each other, and easy to patch without fear that something else has now been broken.
No, you could never compare the two sides. If you are going to rely on numbers only, you can only compare OSS s/w with other OSS s/w.