Slashdot Mirror
6 Months On, Vista Security Still Besting Linux
Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"
Full: http://216.239.51.104/search?q=cache:l2ZWLi31QdIJ: blogs.csoonline.com/node/218+http://blogs.csoonlin e.com/node/218&hl=en&ct=clnk&cd=1&gl=us&client=fir efox-a
: blogs.csoonline.com/node/218+http://blogs.csoonlin e.com/node/218&hl=en&client=firefox-a&gl=us&strip= 1
Text only:
http://216.239.51.104/search?q=cache:l2ZWLi31QdIJ
creation science book
http://www.microsoft-watch.com/content/security/mi crosoft_is_counting_bugs_again.html Updated response "Jeff Jones Vista security progress."
This has already been analysed at microsoft-watch, and several flaws are pointed out there, the most basic one being that counting flaws is not a good measure of security anyway.
I can explain it for you, but I can't understand it for you.
Here ya go! Let me know when you're finished, thanks!
Rather than take his word for it why not just check at Secunia.
Vista
Ubuntu 6.06
"We are all geniuses when we dream"
- E.M. Cioran
It's a pretty contrived review.
The bulk of it has already been debunked here http://seclists.org/fulldisclosure/2007/Jun/0528.h tml
"I've got more toys than Teruhisa Kitahara."
I looked at the user comments at the bottem of the article. One juicy tidbit was to this link..
i crosoft_is_counting_bugs_again.html
http://www.microsoft-watch.com/content/security/m
The biggest bug in Windows is between the chair and keyboard. The item in question is gullable, has admin privilages, and can run widely dispensed Windows specific code. As a sample of this, just look at the members of any botnet and the OS in use.
Anything that doesn't run Windows code and has the default of not running admin is more secure than patched Windows in most cases.
Vista still runs Windows code, it's biggest fault, but it seems to be driving towards better system security and user permissions.
The truth shall set you free!
No wonder Windows Vista is best in his review.
i crosoft_is_counting_bugs_again.html
I am not convinced, next please Mr Jones.
Someone else didn't like the numbers either and provided this link;
http://www.microsoft-watch.com/content/security/m
There are more patches in a month than there are fixed patches in the count.
The truth shall set you free!
Two points:
:-D
1) They wont accept outside contributions unless you sign their paperwork.
2) I have personally contributed, so I know that at least 1 person from outside has contibuted
aieee, the stuff in the exploits section is barely even related to linux. it's all third-party stuff. and by third-party i dont mean GNOME, i mean XOOPS. there's even Microsoft exploits listed here.
These comparisons are a joke. The number of bugs or vulnerabilities itself is completely meaningless because of the wide variety of issues you can have. For example, would you rather have 10 vulnerabilities that each enable a malicious Web site to crash your browser, or 1 vulnerability that enables a malicious Web site to browse your local disk?
Vista still encourages users to run with higher privileges than necessary, and the platform is still host to over 99% of the viruses and malware ever created. It is not even recommended to run Windows without third-party security enhancements such as anti-virus. Many will tell you to run it only in a virtualizer, not on bare hardware, so you can wipe the Windows "disk" every night and start fresh the next day. In fact, Microsoft will tell you to do that, it's what VirtualPC is for.
Anyone who believes this crap deserves Vista. Enjoy.
Fantastic sleuthing! here I was reading the article like a chump:
We give up, we'll go home now, and install Norton Antivirus and Windows Defender with the rest of the lemmings.
The *only* way to "measure" security is to "measure" breakins. You can talk about technological advances in architecture, but abstracting security to bug counting is goofy. Linux systems don't get broken into, because there simply aren't ways to get at them, particularly on the desktop. With things like AppArmor and SELinux your browser is isolated from other processes, every distro ships with the "desktop" version locked down (100% firewalled) by default, and samba, cups, and the other common network daemons (ntp? ssh?) are mature suites with excellent security histories.
I can't get the article to open, but I'm curious as to the vulnerabilities which he counted. How many of them actually have real world applications?
Here is how I would come up with a synthetic benchmark of security:
1. Admit that it will be synthetic, and is ultimately an exercise in mental masturbation
2. Count the bugs.
3. Remove all bugs that have no possibility to be exploited, and all "fixed" bugs.
4. Separate bugs into "server" and "desktop" bugs.
5. Multiple bugs by an index number between 0 and 1, with 0 being harmless bugs, and 1 being bugs that give you "root".
6. Total up bug indexes.
7. Now, count all fixed bugs (excluding impossible to exploit ones), multiple by a "damage index" (see #5), then multiple by (Time to fix bug, measured from release of software)/(Time software has been released). Add this to your result from #6.
8. Voila! You've now posted something that will most likely compete favorably with MS's bug number. It will also still be totally useless.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Having been formerly a maintainer for an open source project (see my sig), I can say that we at least (being even a small project) got way more submissions per week than we could possibly have integrated even if all we did full time was integrate them. Of course we didn't just accept simple patches, we reviewed every line of code and evaluated it for cleanliness, security, performance, and (since this is a game) game balance.
In addition to this, the truth is that at least 9 in 10 submissions which we did evaluate were rejected for various reasons, not the least of which were that many of the implementations were horribly ugly even when they did manage to pass all the other criteria. The people whose submissions got looked at most seriously were those who contributed regularly. My eventual development partner hounded me literally for months before I took him seriously (he was a pretty abrasive guy on the surface, with a lot of criticism for my work, and this turned me off to him at first).
The fact is that there's no way most OSS developers have the time to look at the submission of every Tom, Dick, and Harry. The way to get noticed is to provide features which are innovative, well coded, make sense (so many of our submissions were simply bad ideas), and to persevere. We want partners, not dump and run developers.
Slay a dragon... over lunch!
What's purple and commutes? An Abelian grape.
http://toastytech.com/guis/winvistawin101.png
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."