Linux distributions have maintainers.
There are not enough people in the world to verify that amount of software.
If there are enough people to write software, there certainly are enough to maintain packages.
Be glad that nobody uses Linux.
Oh, I see. More Microsoft marketing subcontractors.
Secunia is not the "number of vulnerabilities admitted by developers". It's the number of vulnerabilities that are made public one way or another - the company doesn't even have to acknowledge for something to be registered as a vulnerability.
Sure, it does. Until then, it's "unconfirmed".
All exploits are either exploits or not - e.g. any buffer overflow is a potential arbitrary code execution attack, unless proven otherwise.
Even buffer overflows now usually come in a more complex form than "someone left string on stack and didn't bother with size limits" -- it's off-by-one integers, integer overflows, weird unchecked dereferencing, etc. While still dangerous, they are now automatically labeled as "arbitrary code execution" and fixed without anyone bothering to dig any deeper. Likely only a very small fraction of those are exploitable, and an even smaller fraction would be exploited even if every malware author in the world switched to writing Linux exploits.
That said, when a vulnerability is very hard to exercise, it would generally be given the appropriate severity
No. See above. All arbitrary data corruption in anything open source is automatically labeled as "arbitrary code execution". Windows doesn't have this kind of standard.
, so you can compare them on those. Or, if you don't trust their ratings, look at the details, and judge for yourself.
Then why don't Microsoft "security researchers" go and do just this? Take all known "arbitrary code execution" bugs, try to write proof of concept exploits, record success rate per time periods. See how many of those are comparable to known Windows vulnerabilities -- each with known exploits.
So, anyway, are we going to see some factual numbers, or not?
Not unless Microsoft geniuses already did that, and found something they like.
The "hack" was a mental experiment with assumptions that were implausible at the time and clearly invalid now.
Because the number of vulnerabilities admitted by developers has nothing to do with the number of vulnerabilities that exist. Linux developers label any bug as a security vulnerability if there is even the slightest suspicion that it may be exploited for something, somehow.
Users installing trojans is not a security vulnerability, it's users being stupid.
Making it UNNECESSARY for a user to install software by running a random executable found by google search is a good decision by OS developers and distributors. However security is only meaningful from the point of view of a user who is aware of such a thing as "security" in the first place. Which means, worms and drive-by installations of malware are true security threats -- a user who uses a computer in a safe manner is still vulnerable to them if his system is insecure. "Run this executable as root/Administrator, and ignore all warnings" is not.
While there is a lot of truth to what you say
Don't be an idiot. What hairyfeet says is nothing but Microsoft talking points. It has no validity whatsoever.
"This month" is not going to start until Microsoft will have any hope to recoup its massive initial expense developing those devices -- what is likely to be decades away. It's not profitable until then.
...I would welcome a 5-year prison sentence for a person who calls himself a physicist while entertaining idiotic superstitions. But this is a matter of incompetence and possibly fraud, not terrorism.
That's like crackhead spending $20 on booze and $100 on crack, then claiming that crack was subsidized by $100 that was not spent on booze because he would spend $120 on booze if he was a drunkard instead of crackhead.
Therefore my point about Elop acting on Microsoft's behalf against interests of Nokia.
Are you an idiot? Treaties with USSR are the origin of many, many limitations on both US and Russia's military policies. If US declared them all invalid or broke all of them, Russia would have to do many seriously unpleasant things for US, so if it was the case, they would have to re-sign them just to keep things sane. The whole point is that US didn't try to do any of that except suddenly decided to break one such treaty.
Well then Stalin better tell them to stop then.. oh wait. How exactly is Stalin part of this now?
I mean, it's a very old part of their policy, and it comes from the most extreme and hostile asshole of all assholes in USSR government. Outdoing Stalin is not exactly on anyone's agenda there.
Over the whole time the project existed, it's still billions in the red.
Against North Korea it doesn't work because it's on the opposite side of the Earth. There is also a rather important detail that North Korea has no ICBMs in the first place. But most important, the given explanation is based on nothing but xenophobia -- it claims that there are governments (somewhere -- anywhere) literally full of madmen who intend to sacrifice themselves and whole population of their countries for a chance to kill some Americans.
It's obvious that missile defense is supposed to be against other countries that have nuclear weapons and ICBMs, and that US will eventually have disagreements with -- Russia, China, India, possibly even other European countries that will try to leave NATO.
Russia accepted international obligations of USSR, including treaties.
Fun fact, no one actually believes in God. If they did they'd do lots of dangerous but fun things confident that if they die they'll go to a better place.
Maybe they are closer to Catholicism -- believe that no matter how hard they try, they will still go to Hell because it takes a saint to truly avoid sin?
THIS IS WHAT AMERICANS REALLY BELIEVE.
(of all things, _Stalin_ was the loudest opponent of expansion and influence beyond USSR borders -- at least until WWII when the country's existence was threatened, first by its enemies, then by its former allies)
Whose platform is burning now, E-flop?
Still more profitable than Xbox, so it's OK.
He is still a Microsoft employee, right?
Umm... Rumsfeld? Cheney? Rice? Ashcroft? While I agree that other administrations were not much better overall, his combination of religious nuts and ideological warmongers still stands out.
No, they know Americans believe this thing actually works.
Remember, MAD only keeps countries from starting a war if they all know about it. If US leaders convince themselves they can attack Russia or China safely, eventually US will attack Russia or China. To be honest, I am surprised how religious nuts in Bush administration didn't start a nuclear war -- they believed God protects the US.
insightful
No, it was more of a flamebait remark.
Things Google contributed are used by users other than Google or its customers.
Things Red Hat contributed are mostly used by users other than Red Hat or its customers.
Things Microsoft "contributed" are exclusively used by Microsoft or people suckered into crippling Linux by running it under Windows-based virtualization.
competitor
Enemy.
There is a difference.
NO ONE outside Microsoft ever compiled the code Microsoft "contributed". It's worthless. It's for running Linux on Windows.
Linux is not designed to run under Windows. It's not a problem. Everyone who thinks it's a problem for him is welcome to fuck himself.
In fact, it's a (minor) problem that it's possible to run Linux in crippled virtualization on Windows-based desktop because Linux running in such environment looks horrible and creates an impression that Linux is a bad operating system when clueless newbies install it that way. If it was impossible, there would be no crippled Linux installations.
Same applies to "stable drivers ABI" and other bogus demands from Microsoft.