The Annual US-CERT FUD Festival

Joe Barr writes "Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux. Pamela Jones did a similar report at Groklaw over the weekend." From the article: "One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux. The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro, and one could say the same about the various versions of Windows. That's why it is a completely meaningless exercise to discuss those totals as if they present an accurate picture of the relative security of Windows and Linux. " We've reported on the US-CERT list already this year. NewsForge is a sister site to Slashdot.org, both of whom are owned by OSTG.

Should Compare A Single Version Of Windows Too

It's equally unfair to lump Windows 98, NT, 2000, XP all together. They could be looked at as different "distros" of Windows. Should pick the best or latest OS from each group with the least vulnerabilities to compare.

Take what the CERT says with a grain of salt...

[dpmccoy]

I'm an automation officer in the U.S. Army, and I know for a fact that we're full of Microsoft shills and contractors with Microsoft loyalties. We don't employ Unix/Linux in an enterprise manner; the government sold its soul to Microsoft years ago. Unix is used on some Army tactical platforms, though. Food for thought.

From the article.... anti-FUD stats

[CodeShark]

Not intending to "karma whore" here, but look at the stats from an already done analysis:

• 22 Technical Cyber Security Alerts were issued in 2005
  • 11 of those alerts were for Windows platforms
  • 3 were for Oracle products
  • 2 were for Cisco products
  • 1 was for Mac OS X
  • None were for Linux
  , and secondarily look at this quote
• "Here's more of the same. US-CERT's list of current vulnerabilities contains a total of 11 vulnerabilities, six of which mention Windows by name, and none of which mentions Linux.

Folks, as other /. posters have already discussed better than I can, most of the supposed Linux bugs are either duplicates or in user- space software. That would be akin to saying a Firefox browser vulnerability is a Windows OS security problem,as opposed to an underlying OS vulnerability that would affect any and all software on the platform.