Slashdot Mirror


Symantec Rethinks Firefox vs IE Vulnerabilities

chill writes "Last September security software vendor Symantec issued a report claiming IE had fewer critical flaws than Firefox and thus was more secure. Well, it seems they have now rethought that position. 'How we did it before wasn't a fair comparison,' said Oliver Friedrichs, the senior manager of Symantec's security response group. 'It wasn't an apples to apples comparison.' The key was vendor acknowledged critical vulnerabilities. Thus, if Microsoft (or the Mozilla Foundation) didn't agree it was critical, then it didn't get counted."

11 of 214 comments

  1. Surely it's just about potential for harm. by 91degrees · · Score: 5, Insightful

    Weakest point, and amount of possible damage.

    If one browser allows an attacker to read arbitrary files, and another allows an attacker to delete arbitrary files, then the one that allows the deletion is surely worse however many ways there are to read files.

    If one browser can be attacked in a generic manner, and the other needs some knowledge of the victim, then the one that can be attacked in a generic manner is less secure.

    Now, exactly how an easy to implement low impact and a hard to implement high impact attack compare is still going to be subjective, but wherever you draw the line, it's going to be better than simply counting the number of critical bugs.

    1. Re:Surely it's just about potential for harm. by syntaxglitch · · Score: 4, Insightful

      If one browser allows an attacker to read arbitrary files, and another allows an attacker to delete arbitrary files, then the one that allows the deletion is surely worse however many ways there are to read files.

      This isn't necessarily true. For instance, if the files that can be read include ones with, say, credit card information, wouldn't it be better to have those deleted (you can always re-enter the info to order online) than to have the information read without your knowledge and let someone else charge to your credit card?

      The basic point you're making is quite correct, though.
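The summary and 91degrees's comment both come down to the same observation: the metric, not the data, decides which browser "wins". The following added example (not code from the thread, with constructed vulnerability records for two hypothetical browsers) ranks the same records three ways: by vendor-acknowledged critical count, by count of high-impact flaws, and by 91degrees's weakest-point rule.

```python
"""Added example: same constructed vulnerability data, three ranking rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    browser: str
    impact: int            # 1 = minor info leak ... 4 = arbitrary code execution
    generic: bool          # exploitable with no knowledge of the victim
    vendor_critical: bool  # the vendor agreed the issue was critical


# Constructed sample data (not real advisories): BrowserA has several
# high-impact, generically exploitable flaws its vendor never rated critical;
# BrowserB has fewer, lower-impact flaws, all acknowledged as critical.
SAMPLE = [
    Vuln("BrowserA", 4, True, False),
    Vuln("BrowserA", 4, True, False),
    Vuln("BrowserA", 3, True, True),
    Vuln("BrowserB", 3, False, True),
    Vuln("BrowserB", 3, False, True),
    Vuln("BrowserB", 2, True, True),
]


def count_vendor_critical(vulns, browser):
    """Symantec's original rule from the summary: count only what the vendor called critical."""
    return sum(1 for v in vulns if v.browser == browser and v.vendor_critical)


def count_high_impact(vulns, browser, threshold=3):
    """Count every flaw at or above an impact threshold, vendor opinion ignored."""
    return sum(1 for v in vulns if v.browser == browser and v.impact >= threshold)


def weakest_point(vulns, browser):
    """91degrees's rule: judge by the single worst flaw, generic attacks ranking worse."""
    return max((v.impact, v.generic) for v in vulns if v.browser == browser)


def rank(vulns, metric, browsers=("BrowserA", "BrowserB")):
    """Order browsers from most to least secure under the given metric (lower score = safer)."""
    return tuple(sorted(browsers, key=lambda b: metric(vulns, b)))


if __name__ == "__main__":
    for metric in (count_vendor_critical, count_high_impact, weakest_point):
        print(f"{metric.__name__:>22}: {rank(SAMPLE, metric)}")
```

Only the vendor-acknowledged count rates BrowserA as the safer browser; both other rules rank it last.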

  2. Re:OneCare by brian0918 · · Score: 4, Insightful

    Of course they're connected; there's no other possibility. Listening to Symantec's opinion on this would be like asking Philip Morris for an opinion on the link between cigarettes and lung cancer. So, how long until MS OneCare starts getting flagged as malicious spyware by Norton, or vice versa?

  3. Re:How can you trust them? by spiritraveller · · Score: 4, Insightful

    How can you trust these guys with your security?

    No sane person would. By their own admission, it is clear that they gave a blank check to Microsoft. Whatever their motive for doing that, it shows a lack of devotion to the stated goal of their products.

    If a company wants my money for securing my computers, they better show some integrity that doesn't shift depending on how their relationship with the bigger company is going that day.

  4. Number of bugs means... by plankrwf · · Score: 5, Insightful

    I'm working in the IT industry myself, and one of the well-known problems with bug-counting is... well, counting bugs.
    I have seen IT managers getting upset because there were 100's of bugs*.
    Turned out all of them were because of ONE faulty thing.

    I have seen bug reports of the form
    1. pressing button A and then pressing button Y gets critical error.
    2. pressing button B and then pressing button Y gets critical error.
    3. pressing button C and then pressing button Y gets critical error.
    etc etc

    In other situations a manager was not upset, "there were only a few bugs*".
    Later, this same manager became upset at a time that there were on the order of 50 or so "bugs*".
    Turned out fixing those few bugs took more than a month, while those 50 were 'fixed' within a week.

    So my professional view is that bug-counting doesn't count, the correct question is:
    how sick did you get? (Compare getting bitten by a tsetse fly to getting bitten by a red ant...)

    * To be honest: I am referring to a non-English term which is NOT equivalent to a bug, but more to 'a problem'.

  5. Re:But there's more... by DanteLysin · · Score: 4, Insightful

    So if you are a noob and don't patch your systems, you get by longer on Linux than Windows. No surprise there. My guess is that there are more Windows oriented viruses/worms circulating the Internet. The take home message is "patch your system". We Slashdotters know better, but does the regular home user?

  6. That's not exactly correct. by khasim · · Score: 5, Insightful

    My guess is that there are more Windows oriented viruses/worms circulating the Internet.

    "More" is correct. But the implication being that that is why the Linux boxes were not cracked is incorrect.

    On the Internet, it is possible to scan whole ranges of addresses looking for vulnerabilities. Automatically. 24/7. And exploit them automatically, 24/7.

    What matters is whether the box has open ports or not.

    The take home message is "patch your system". We Slashdotters know better, but does the regular home user?

    The system's security should be configured to account for the home user's non-patching.

    Apple has. Their boxes, by default, have no open ports.
    Ubuntu has. Their default install has no open ports.

    No matter how many worms and infected machines are out there, a default Ubuntu box will never be infected by them.

    The first step in security is to reduce the avenues of attack.

  7. Re:imagine that by causality · · Score: 5, Insightful

    (Why would someone tell the truth if they didn't believe it was in their best interest, i.e. for profit?)

    I know this might come as a surprise to some of you, but there's a few strange individuals who have integrity, who do really strange things like telling the truth even when it may not be in their best interests. I suppose that might not fit into your worldview ...
    --
    It is a miracle that curiosity survives formal education. - Einstein

  8. The tables have turned. by babbling · · Score: 5, Insightful

    ... and now the tables have turned, and Microsoft is competing with Symantec. (Windows OneCare)

    All of a sudden Symantec retaliates by deciding that Internet Explorer does indeed have more "critical" flaws than Mozilla Firefox does.

  9. Re:imagine that by tyme · · Score: 4, Insightful

    some nitwit of an anonymouse coward wrote:

    Human nature tells us that an individual can't possibly make a decision against what he sees as his best interests

    Complete bullshit, people do all sorts of things that are completely irrational, because at the moment that they did them they couldn't think straight (due to emotion, intoxication, haste, etc.). In a moment of irrational exuberance (or panic) a person is at least as likely to act against their own best interests (whether we are talking monetary, psychological or even physical) as they are not to. This is the sort of circumstance in which a person might jump into a freezing cold river to save a drowning person or run into a burning house to save a person calling for help, even though rational thought would tell them that they are far more likely to perish themselves than to effect a successful rescue.

    While this sort of action might benefit the species or society or the genome, it is clearly detrimental to the individual, and can't be reconciled with some naive notion of pure utility and self-interest. Simply put, the absurd notion that people always act in some manner to maximize some intellectual goal (profit, moral integrity, etc.) depends upon the notion that people always act rationally; since it is clear that people don't always act rationally (in fact, many people seem to act irrationally most of the time) the proposition fails on its own premises.

    --
    just a ghost in the machine.

  10. Re:imagine that by killjoe · · Score: 4, Insightful

    People with integrity can't run big businesses. If a person with integrity starts a business and runs it ethically it will never get past the small to medium business range. Unethical people will always outcompete you because there is so much profit in sleaze.

    So really there are no people of integrity (in charge) in a company with more than 100 employees.

    --
    evil is as evil does