Slashdot Mirror


6 Months On, Vista Security Still Besting Linux

Martin writes "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!"

11 of 478 comments

  1. What about the user experience? by s31523 · · Score: 5, Insightful

    Sure, if EVERY action you do prompts a "You are clicking your mouse, cancel or allow", or some other message, that is security, but then you are left with a crappy user experience. I think Linux and Mac have got a better balance between allowing actions in user mode without authorization and actions requiring authorization.

  2. Re:Fine... by gravos · · Score: 5, Insightful

    So what are you waiting for exactly? You could fix them today and then prove the author wrong. Oh wait, maybe you couldn't...

  3. Look! by Eddi3 · · Score: 5, Insightful

    Look, Everybody! A company is trying to use statistics to make themselves look good, when that's not necessarily the case!

    Nothing to see here, please move along...

  4. On the back of recent news by QX-Mat · · Score: 5, Insightful

    On the back of recent news that less than half of Vista "issues" have been patched, let alone publicly announced, we get another article touting the merits of two things that can't be directly compared.

    Sometimes I see Open Source kicking itself in the face with all the transparency it offers, yet I'm overwhelmed with a sense of pride and happiness that communities can develop such a transparent process in the public eye.

    Discovering problems and exploiting them in a closed source product is quite a daunting task - I'd say almost 4 times as much work as exploiting a system where you can compile debug symbols into the binary, and nothing short of 1000 times harder than if you had the source code. What these "reports" and discoveries show is that layers of obfuscation act to confuse people as to the actual level of vulnerability you're exposed to.

    There are many vulnerability hunters out there, now, employed by governments across the world simply to "dive in" at the deep end of closed applications looking for exploitable code - closed source simply means that only wealthy, bigger teams will be successful. Open Source means that anyone can help thwart these hunters, makes vulnerability research fair game, and most importantly, accepts community involvement into the fixing and pre-emptive policy that makes OS software better software.

    Matt

  5. Security through obscurity? by mgkimsal2 · · Score: 5, Insightful

    One canard trotted out by MS defenders *used* to be "Windows has more vulnerabilities discovered because it's so popular, everyone attacks it!". Watch for that line to be modified in the coming months as more MS proponents switch to "it's more secure by design". Keeping the "only more vulnerabilities discovered because it's so widely installed" would imply that Vista is not widely installed/used, which is not good PR.

    So, when Linux had fewer vulnerabilities, it was because it was obscure. When Vista has fewer vulnerabilities, it's because it's fundamentally more secure. I'm not trying to be sarcastic here - it may very well be *true*. It's just something to keep in mind as you watch the never-ending stream of these 'vulnerability/exploit' reports come out every few months.

  6. No, still not a good comparison by jhdevos · · Score: 5, Insightful

    There are still a lot of problems with this 'comparison'. For instance:

    - The 'reduced feature set' used for the comparison still contains a lot of software not included with Windows
    - All information is based on what the company behind the software discloses. I believe that not all holes in Vista that MS knows about are disclosed. It is also not unlikely that what Microsoft calls 'critical' is not the same as what Canonical calls 'critical'. In any case, different measures are used for the different OS's, and you can't compare things that are measured in different ways.
    - The usual 'less known holes != safer' discussion...

    I personally don't know which OS is safer, but based on these numbers, I am not going to draw any conclusions.

    Jan

  7. Selective use of facts I think... by Anonymous Coward · · Score: 5, Insightful

    He's not comparing vulnerabilities - he's comparing vulnerability disclosures.

    It's not a measure of how secure the OSes are - it's a measure of how secretive the makers of the OSes are.

  8. As someone who does not know that much about this by Snowspinner · · Score: 5, Insightful

    I approach this as someone who does not know a tremendous amount about how to measure security flaws, or what various security flaws really mean...

    But the survey listed also shows Windows XP as the second most secure operating system of the ones surveyed.

    I can believe that Microsoft improved their security with Vista. But if they also tell me their security was great with Windows XP, I have to conclude that they're fudging the numbers.

  9. Re:Fine... by b1ufox · · Score: 5, Insightful

    Looks like Mr Jeff Jones works at Redmond.

    https://209.34.241.68/user/Profile.aspx?UserID=7803

    No wonder Windows Vista is best in his review.

    I am not convinced, next please Mr Jones.

    --
    -- "Genius is 1% inspiration and 99% perspiration" - TAE --

  10. Re:Fine... by walt-sjc · · Score: 5, Insightful

    I suspect you've fallen into the fallacy that just because people can look at the source, people actually do.

    It's a fallacy? Shit. I guess that all these years that I have been working on open source software, fixing bugs, adding features, has actually been a big long dream. I'll wake up and finally see that I've been living in the Matrix, and finally see Bill G in his true Borg form hanging over me grinning...

    Of course not EVERYONE looks at the source for every app, but collectively there are a HUGE number of people looking at and working with the source for just about every app out there. Unfortunately, not everyone working on open source is a qualified professional, and we do see some horrible code out there, but it's no worse than a lot of the commercial code I've seen over the years.

    But back to the report. It's a shell game. Microsoft, having a closed development model, may have HUNDREDS of high threat level flaws that are UNDISCLOSED but may be known about by black-hat hackers. Open source by nature is ALWAYS disclosed. MS also has a habit of rating their flaws at a lower threat level than third party security researchers rated it. Yep, just goes to show that you can prove anything with statistics.

    Here is a statistic for you... 99%+ of all the probing I get on the external side of the corp network is from Windows boxes according to fingerprint analysis. Since most probing is done via compromised machines (botnet), and Windows has less than a 99% market share, that leaves me with one conclusion. The numbers are similar for spam.

    How many vulnerabilities are known about and fixed in a certain time frame is meaningless. What would be meaningful, but an impossible statistic to gather, is exactly what percentage of installed Linux and Windows machines are currently compromised and being actively exploited (member of a botnet.) I've heard estimates that up to 50% of all windows machines are infected with serious malware of some sort or another...

  11. Re:Fine... by WED+Fan · · Score: 5, Insightful

    Open source programs are typically not well-commented and searchable enough for a capable outsider to improve upon without significant investment of time.

    Goddammit, Sir, why did you have to post after I used all my mod points? You have provided, not only for the OSS world but developers in general, the single most important point when it comes to maintainability.

    I run several servers and desktop systems. Some open, some closed. I have tons of source code, some for open systems, some for closed systems where I participate as a maintainer, developer, or reviewer. Much of the OSS stuff is unusable except by the team that developed it. Yes, an outsider can come in, look at the code and study it, but he/she is going to spend a ton of time "getting up to speed". The only batches of code that I've been able to instantly access and work with are those from projects/developers who decided that they would rather take 3 months to turn out well-commented and tested code rather than take 3 weeks to churn and burn crap code that is only marginally better than old BASIC spaghetti code.

    • We'll comment later.
    • We'll break that method up into smaller more logical chunks later.
    • O.k. I realize "DoIt" is a bad function name, but I was stuck at that time. I'll rename it later.
    • Yes, I realize the code we are leveraging is less commented than ours, formatted even worse, and half Chinese, a third Korean, but, we have a plan to fix that in a future roll.

    --
    Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.