Slashdot Mirror
Vulnerability Numerology - Defective by Design?
rdmreader writes "RDM has a point by point disassembly of the security vulnerability story phenomenon. We regularly see these, comparing various vulnerability lists for different operating systems. ZDNet's George Ou, for example, condemns Linux and Mac OS X by tallying up reported flaws and comparing them against Microsoft's. What he doesn't note is that his source, Secunia, only lists what vendors and researchers report. Results selectively include or exclude component software seemingly at random, and backhandedly claims its data is evidence of what it now tells journalists they shouldn't report. Is Secunia presenting slanted information with the expectation it will be misused?"
Does Secunia present slanted information?
No, it just lists vulnerabilities. But it also lists them AND presents these two important things: (a) the importance of the vulnerability, and (b) whether or not it can be triggered through the network or not (local/remote vulnerability).
Furthermore, it separates Windows vulnerabilities in system and application vulnerabilities, if memory serves well. It's not able to do that with Linux, since different Linux distros incorporate different applications.
The matrix therefore becomes a lot more complicated. You can have a 'local only' problem (meaning: no remote exploitation) which can be considered as 'critical' on some Linux/BSD systems and not on others. You can have a remotely-exploitable problem which is critical on all systems that have application XYZ installed. But if I don't install XYZ (or if it's not activated by default) on my PC, I don't have a problem. And so on and so forth.
Which is why people that point at Linux/Mac and say: "Aha! More insecure than Windows!!" are not truly honest: I have Linux and OpenBSD machines with up-to-date SSH servers, no users, a good password, and no other network service running. These machines are almost perfectly secure -- except when it comes to an OpenSSH vulnerability -- even though there are plenty of applications on them that could be considered obsolete or vulnerable... if you can gain local access in the first place. The only point of vulnerability is OpenSSH. And I update it religiously.
All in all, don't blame Secunia: blame people (especially journalists) who know nothing about security and jump on meaningless numbers pulled out of thin air to blame Linux.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Exactly. IMHO, he's saying that Secunia vulnerability comparisons aren't any more reliable than numerology predictions.
And then unfortunately, their supporters like to bash Linux and Mac for actually working with security agencies and fixing their bugs as well as reporting them. This will forever be the bane of open source and it's benefit... that everyone gets to see its flaws but at the same time, everyone gets to contribute to fix them.
This is my sig. There are many like it but this one is mine.
Here's one even better: We use GeSHi (Generic Syntax Highlighter) in WikkaWiki. We often scour the so-called "security vulnerability" databases because we've found many inaccuracies. In this specific case, Secunia issued this statement:
WTF? This was a vulnerability in PHP's htmlspecialchars() function, NOT GeSHi. Yet, Secunia was planning on milking this vulnerability in order to boost its "vulnerability count" at the expense of a project that had absolutely NOTHING to do with the vulnerability.
You see, these so-called "vulnerability experts" try to wring out as many vulnerabilities as possible, because we all know that the most effective "vulnerability expert" will be the one with the most posted vulnerabilities. So they go on fishing expeditions to uncover vulnerabilities that really don't exist.
Or an even worse practice: "bottom-fishing" changelogs and bug trackers in order to discover vulnerabilities that have already been addressed. Here's another instance where Secunia was caught trying to boost its street cred through disingenuous reporting: They apparently scoured our bug tracking database and discovered an issue (already fixed!) and falsely implied in their report that the content of wiki pages marked private might be accessible via RSS. This was clearly false, as the original bug report indicated that the page name (not content) could be accessed. Secunia later corrected the false report.
We've caught Secunia doing this on several occasions. My advice to anyone who is involved in an OSS project is to regularly scour the vulnerability databases and challenge each and every advisory that you believe is not accurate. You might be surprised at the amount of so-called "vulnerability intelligence" out there that is blatantly false, outdated, or inaccurate.
We keep hearing this again and again and again.
It's very simple, really.
You can _never_ know the relative security of two systems. There simply isn't any way to measure it fairly.
Count disclosed vulnerabilities? What about the vulnerabilities that weren't disclosed?
Have teams search for vulnerabilities and compare the results? What does that tell you? Was one team equally good at finding vulnerabilities in one system as the other was at finding them in the other system? What if one system had many easy to find vulnerabilities, and the other had a couple of severe but harder to find vulnerabilities?
Count actual break-ins? Well, was that due to the system being vulnerable the way the vendor left it, or because of the administrator? What about break-ins you don't know about?
It's always a matter of what you don't know about. You don't know the vulnerabilities that weren't reported. You don't know the vulnerabilities that weren't found. You don't know the relative skills of the teams you used. You don't know if you tested for all possible classes of vulnerability.
And I haven't even mentioned the severity of vulnerabilities, the availability of exploit code, the way vulnerabilities are dealt with by the vendor, and a host of other issues.
The take home message is that you just _can't_ know. It's a hard pill to swallow, but you will just never know which system is more secure. All you have is flawed metrics and your gut feeling.
Please correct me if I got my facts wrong.
When I read the summary, I thought TFA could actually be interesting. But it's not any better than what it is criticizing.
Long story short:
ZDnet published an article comparing Secunia vulnerability counts in Mac OS X and Windows Vista/XP. They spun it the Microsoft way, so Mac OS X loses big time. A mac fanboy wrote a reply spinning it the Apple way.
TFA starts with a long-winded attack against the author of the ZDnet article without ever getting to the point. Let's just say that it talks about Zunes, XBoxes, train wrecks, ballet dancing and many more things.
Then it explains what Secunia does (in about two pages): they track software vulnerabilities which are - among others - reported by the vendors. So "honest" vendors get higher vulnerability counts. Who would have thought.
On it goes by saying that the "border" of an operating system is nowadays blurry; should the vulnerabilities in bundled applications be counted? Even if they are by another vendor?
Then he babbles about how most of the cited vulnerabilites in Mac OS X are related to what he calls "external software" - things such as python, java, perl, samba, tcpdump etc and that those same programs have the the same (or a similar) amount of vulnerabilities on other platforms. What he fails to point out is that Mac OS X *consists* of such "external software" for a big part, and that they are *part* of Mac OS X and cannot be removed easily.
Conclusion: a pointless (and extremely long-winded) article full of Microsoft bashing, as reply to an equally pointless article full of Apple bashing.
Look, it's really quite simple what he's trying to say: If you add the letters of "ROUGHLYDRAFTED.COM" (A=1, Z=26, . = 0), you get 195. Add those digits together and you get 15. Again, add a third time and you get 6. So after adding the digits together three times, we get 6. Six repeated three times is "666", which is specified in the Bible as being the mark of the devil.
Now, if you do the same thing with "SECUNIA", you get 72. 7+2 = 9. And 9, added to itself, is 18, and its digits also add up to 9. So nine is obviously significant.
What does this mean? It's quite simple. The Devil, as specified by the Bible, is also what tempted Adam and Eve to take an Apple from the tree of knowledge. You see where this is going? ROUGHLYDRAFTED.COM is essentially saying that Apple is the source of knowledge. Whereas SECUNIA's, like, nine, or something.
Does this help?
You are not alone. This is not normal. None of this is normal.
At one point, I looked over all the Secunia advisories about OS X and came across one which said that OS X would send passwords in clear text without warning when logging into Appleshare volumes and that this vulnerability was "unpatched". I thought this was strange since I had, in fact, seen such warning dialog boxes in OS X. It was in an unusual case where I was connecting from OS X 10.2 to an old 68k Mac running MacOS 8.1. I also remembered seeing that there is an options button when you make an Appleshare connection. If you hit that options button, you get a screen with check boxes for allowing clear text passwords and warning when a clear text password is needed. The default is to allow with a warning. I sent email to Secunia asking for clarification about what circumstances would lead to sending a clear text password without notice. Do those check boxes not actually work? Are the defaults less secure in some cases? I never got a reply but the issue disappeared from the Secunia site. No explanation. Just gone. I wonder if enough other issues have just disappeared to affect the numerology.