The Annual US-CERT FUD Festival 152
Joe Barr writes "Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux. Pamela Jones did a similar report at Groklaw over the weekend." From the article: "One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux. The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro, and one could say the same about the various versions of Windows. That's why it is a completely meaningless exercise to discuss those totals as if they present an accurate picture of the relative security of Windows and Linux. " We've reported on the US-CERT list already this year. NewsForge is a sister site to Slashdot.org, both of whom are owned by OSTG.
Well.. (Score:1, Insightful)
No, but it sounds like they're adding the vulnerabilities to represent Linux. Much as they're adding the unique Windows vulnerabilities to represent Windows.
Re:Well.. (Score:4, Insightful)
Patch Time (Score:4, Insightful)
Re:Patch Time (Score:1)
Bug Days (Score:2)
Perhaps also there could be a factor for the seriousness of the bug. So for every day that a critical bug is unpatched, it's worth 14 days of a non-critical unpatched bug. Or something like that -- the factor is inherently arbitrary, but maybe we could agree on something
Re:Well.. (Score:3, Informative)
Re:Well.. (Score:1)
Regards,
Steve
FALSE. (Score:5, Informative)
Very false. just look for Larry Wall Perl Insecure Temporary File Creation (Updated). Three instances of the exact same item. And only in *nix even though ActiveState perl for Windows had the same issue. So, there are LOTS of issue with this report. Cert is more SNAFU, than not.
Re:FALSE. (Score:1)
One alert that lists six different vulnerabilities for Windows:
http://www.us-cert.gov/cas/techalerts/TA05-229A.ht ml [us-cert.gov]
Another alert that lists two (or three) different vulnerabilities:
http://www.us-cert.gov/cas/techalerts/TA05-180A.ht ml [us-cert.gov]
An alert that only summarizes previous vulnerabilities, but lists no new ones:
http://www.us-cert.gov/cas/techalerts/TA05-102A.ht ml [us-cert.gov]
An alert that covers a product for three operating systems, and inclu
Re:FALSE. (Score:2)
Not true. (Score:4, Informative)
This is true of most of the *nix vulnerabilities, actually.
So what we're really seeing is Windows-only vulnerabilities being compared to ones that are OS neutral. Not that its very suprising, though. Its 2006.
With the exception of software written specifically for Windows, most software is cross-platform.
This is the only really meaningful way to do this kind of a report because of this characteristic. The important thing to keep in mind in that, though, is that Windows has all of its own vulnerabilities AND most of the others.
Re:Well.. (Score:2)
CERT: You have 62,000,000 fish caught last year.
Fishermen: No we don't. We have so many sardines, tuna, flounder, and what not.
CERT: They are all fish aren't they?
Fishermen: Yeah....
CERT: So you have 62,000,000 fish caught last year.
Re:Well.. (Score:2)
Did anyone else read that as "Windows 3.X safer than Linux"? I immediately thought, "Yeah, that's probably right; it doesn't DO anything..."
Downright Disingenuous (Score:4, Informative)
The act of contrasting the vulnerabilities found in the few Windows operating systems with the vulnerabilities found in hundreds of Linux/Unix is bad enough, but when you consider that the Unix/Linux list contains duplicate items, it becomes positively shameful.
From the Groklaw article:
I honestly expected better from the CERT [us-cert.gov] folks. I don't know why, but I really did.
Re:Downright Disingenuous (Score:3, Interesting)
Coming from the same government that denuded a slam dunk settled lawsuit against Microsoft? PuhLEASE!
Re:Downright Disingenuous (Score:5, Informative)
It looks like we both posted at the same time. At any rate, you have a point to a certain degree. My post here [slashdot.org] shows that if you go through the list and subtract out all the items with "updated" after them, Subtract OSX and Solaris, the Linux/Unix group category is about par with windows, not 3x worse.
Whether "different" OSes should be lumped together is another discussion entirely (how "different" are they if they have the same kernel?)
Re:Downright Disingenuous (Score:4, Interesting)
then you need to consider the fact that x86 linux has a different kernel than PPC linux. And what about all the people running 2.4.x versus 2.6.x versus everyone still running older versions, still?
What about the fact that if a version of apache has some flaw that it [generally] affects the entire Apache installbase of that version. Whether it's BSD, Linux, OSX, Windows or BeOS. I say "generally" because some flaws may only affect x86 versions or PPC versions exclusively due to endian issues and ways that the kernels handle the stack and whatnot.
There really is no fair way of gauging and quantifying the number of flaws found in computers per-OS unless you go by installation package. Make lists of XP, make lists of win2k, make lists for OSX (10.2, 10.3 and 10.4 as well as server), make a list for each distro and every installation type for each of the lastest couple of versions. Sure it's a lot of work... but at least it'll be more accurate.
I prefer my way. (Score:3, Informative)
1. Remote--root access that does NOT require human intervention or other app running.
2. Remote non-root access that does NOT require human intervention or other app running.
3. Local root access that does NOT require human intervention or other app running.
4. Local non-root access that does NOT require human intervention or other app running.
5. Remote root a
Re:I prefer my way. (Score:1)
Re:Downright Disingenuous (Score:3, Insightful)
Re:Downright Disingenuous (Score:4, Funny)
Re:Downright Disingenuous (Score:5, Insightful)
Re:Downright Disingenuous (Score:2)
Outlook Express...
Re:Downright Disingenuous (Score:1)
To be fair, the Windows list isn't really an accurate list of Windows vulnerabilities either, not the way I would think of it. It also has duplicative items, such as for Microsoft ASP.NET Canonicalization (Updated). And it includes Apple, F-Secure, IBM WebSphere, McAfee and other third-party vendor issues. If it can happen to you if you use Windows and the third party softwa
Simple pre-processing would help (Score:3, Informative)
They could have cut it down to a more manageable list by piping it through "grep -vF '(Updated)' | sort -u".
That brings it down to just 871, which is much easier to comb for further duplicates.
The same process on Windows vulnerabilities brings it down from 831 to 659. Both lists still need to be checked for duplicates with different names (say, "Apache HTTP Request Smuggli
easier (Score:1, Funny)
Re:easier (Score:1)
Should Compare A Single Version Of Windows Too (Score:5, Insightful)
Re:Should Compare A Single Version Of Windows Too (Score:3, Interesting)
Re:Should Compare A Single Version Of Windows Too (Score:4, Insightful)
well... you're half right. I'd say it's better to lump 95/98 together and NT/2000/XP together since most of the later versions of windows are pretty much the same thing on the inside...
however, it's really unfair to quantify the vulnerabilities for any OS as a whole. There are so many facets of any computer system that many vulnerabilities don't affect most people.
Saying that a exploit for Apache affects the entire linux/unix/osx install base is an unfair statement. Desktop linux users probably don't have apache running or a bug in X11/xorg won't affect most *nix servers. Likewise, a bug in MSSQL or web services won't directly affect most XP users, although a bug in explorer will affect nearly every windows user (who's running an affected version of explorer).
You can't even really create lists of vulnerabilities that affect "server" versus "desktop" users, either, because just because something is a server doesn't mean they're necessarily running every server daemon they can.
There needs to be a list of servertypes (ie: web, email, file, database, etc exclusively) showing not only the quantity of vulnerabilities but also the severity of said vulnerabilities. Perhaps even a table separating different applications.
I mean, you shouldn't really lump every proftpd vulnerability with every other ftp server software. All it takes is one bad egg to poison the overal results.
Re:Should Compare A Single Version Of Windows Too (Score:4, Informative)
No they aren't many different distros, only 2.
Windows 1.x -> ME are all different versions of windows management systems based on MSDOS.
Windows NT 3.x -> 2003 are all different versions of windows management systems based on NT.
So only 2 distros, with lots of versions.
Now Linux has had how many distros? I've read as high as 90, and no, I haven't done the research myself to come up with my own answer, but I know personally of at least 20.
Add to that the BSD distros, of which I know of 3 personally.
Then they lumped in 4 completely different Operating systems - not even distributions.
AIX, Solaris, HP-UX and MacOSX - all of these are true UNIX operating systems - not the complete list by far - Tru-64, Centix, C-TIX, the pre-caldera UNIXWare, OpenServer, Xenix, UNIX, etc...
Remember, Linux ISN'T UNIX. So why the hell would they lump them together. Here's why - it's the only way they could get the numbers to add up to anything close to a large margin above the count from the 2 distros of Windows.
Re:Should Compare A Single Version Of Windows Too (Score:2)
I did a little research, and according to www.distrowatch.com, there are 359 distinct Linux distributions (as of 1/6/2006)
Re:Should Compare A Single Version Of Windows Too (Score:2)
350 Linux
7 BSD
1 Solaris
1 HP-UX
1 AIX
----
360 Distinct Linux/UNIX Distributions/Variants
With 6 times the bugs listed, divided by 360 that's only
Now factor that windows is 2 distros, that's
That appears to change the results a tad.
For each bug found in Linux/Unix, there's 32 in Windows.
Re:Should Compare A Single Version Of Windows Too (Score:3, Interesting)
For instance, Windows has 2 distinct kernel families, Win9X and WinNT. Linux has 1. Within each of these families there is then versioning, Win95, Win98, WinME, WinNT, Win2k, WinXP, 2.4, 2.6, etc.
Beyond that, it appears that all Windows versions share
Re:Should Compare A Single Version Of Windows Too (Score:2)
Re:Should Compare A Single Version Of Windows Too (Score:2)
Skewed? Oh yeah... (Score:5, Interesting)
Re:Skewed? Oh yeah... (Score:3, Insightful)
It would be interesting to see all of the Windows application vendors lumped into the "Microsoft security flaws" category in a similar manner. I've seen quite a few Windows applications from all sorts of software vendors with issues this last year and noticed they weren't listed. While one might argue at first that this would be unfair because of all of the commercial products available for Windows, I'm not sure Windows woul
Re:Skewed? Oh yeah... (Score:2)
Re:Skewed? Oh yeah... (Score:1)
There is also more than 5 or 6 versioins Windwos. There were probably 6 versions of Windows 2000 alone counting the server lineup. They lumped in Linux/UNIX, but the total figure for it was also about 3 times higher (812 vs 2328) than the figure for windows.
Also, while I am at it, I did a grep -i | wc -l for "Firefox" and "Internet Explorer" and found that there were 150 v
Re:Skewed? Oh yeah... (Score:2)
The numbers are unimportant (Score:5, Insightful)
Shouldn't we be asking the more pertinent question: why do all the various operating systems have so many vulnerabilities? When it comes to such things, this shouldn't be a competition. OS builders should be striving for zero tolerance to vulnerabilities and there shouldn't be an quibbling over the number that exist.
Re:The numbers are unimportant (Score:4, Insightful)
Now on the topic of this bug counting, if windows is lumped together then linux should be to some degree too, but on the same order of magnitude. A half dozen distros, maybe even mirror the windows counting a little more and make some of those distros be older but still supported ones. Also, the various unixes and linux are entirely different beasts. Just because they try and present a somewhat compatible user interface and APIs doesn't mean that they should be grouped into one object when counting bugs.
Re:The numbers are unimportant (Score:2)
Interestingly there was just an article about exceptionally low defect rates [slashdot.org] for software, with cases running from a mere 10,000 up to almost 200,000 SLOC, all done for very reasonable time frames and costs. That, of course, is still signficantly less than the complexity of, say, the entire Linux kernel - but then n
Re:The numbers are unimportant (Score:2)
Software has bugs. It's a fact of life. It is hard to find them and even harder not to write them in the first place. Start writing software for the real world and you will see what I mean. The larger the code base, the more bugs you will get. The more complex the code base the more bug
Re:The numbers are unimportant (Score:2)
Perhaps you should. You may well learn something useful. As you correctly point out,
The techniques used by Praxis are specifically intended to address specification and
Re:The numbers are unimportant (Score:2)
For projects that aren't as critical you can still get significant benefits from a slightly scaled back approach - things like Design by Contract help developers to spell out their intentions more clearly and can go a long way toward catching and isolating bugs ea
Re:The numbers are unimportant (Score:2)
someone is going to need to explain to me why an error in A. an add-on antivirus software for B. Mac OS X is in any way a reflection on the quality of UNIX. almost all the vulnerabilities are apps like this, there are about 15 tacked onto the UNIX list that are just errors with acrobat reader. so now Linus is responsible for the quality of Adobe's software?
Re:The numbers are unimportant (Score:2)
the thing about the list... (Score:4, Insightful)
If you throw out all 1437 "updated" occurences in the linux/unix secion, that leaves 891 (2328-1437=891). Subtracting Apple OS X (130) and Sun Solaris (77), Linux/Unix ends up with 13 more vulnerabilities than Windows (891-130-77=684), but it's for more operating systems, so it may be fair to divide that 684 further.
Re:the thing about the list... (Score:2, Insightful)
Great. Where's me phone? Ah.... "Hey Bill, how much are you willing to pay
Re:the thing about the list... (Score:1)
Both numbers decrease significantly at this point.
The Register fell for it too (Score:2, Insightful)
But it is true, engage intellect and you can see at a glance how useless the figures are.
- No ranking by severity levels, or weighting of overall score by severity
- No individual OS scores
I can't see how this 'report' is useful to anyone except marketing droids who work for Microsoft.
Take a deep breath and count to ten... (Score:5, Insightful)
What is "it"? Slight tinge of paranoia here, maybe?
Let's review the score here:
- It does not matter what material is published, the fact of the matter is that every Windows PC in the world regularly has visible and non-trivial security issues, while on Linux and OS/X these issues are generally theoretical.
- People's perceptions of Windows are very simple: it's a piece of crap that they use because it came with the box and everyone else uses it.
- The relative security of Windows vs. the World is not a deciding factor in most people's use of Windows. It's largely a captive, neutered market.
- For people who actually do care, no amount of statistics can change the visible and perceived situation. When I choose to ban Windows in my company, it's not because I read some website or article. It's because I'm sick and tired of removing spyware from people's PCs.
Complaining about these statistics is to give them credibility. Those who chose on the basis of security will ignore this data, and those who chose on other criteria won't care about this data.
Re:Take a deep breath and count to ten... (Score:2)
It could just be that everyone uses Windows because it is not such a piece of crap after all:
Windows XP had 72% of the market in December. Up 1% from November 2005. Linux 3%. Up 1% since March 2003. OS Platform Stats [w3schools.com]
This from a developer's site that shows very good numbers for Firefox.
Re:Take a deep breath and count to ten... (Score:2)
That's because they're upgrading from older unsupported versions of Windows. People are using Windows (all varieties) not because they think is isn't crap, but mainly because they think crap is a normal and unavoidable attribute of operating systems.
Take what the CERT says with a grain of salt... (Score:5, Insightful)
Re:Take what the CERT says with a grain of salt... (Score:2)
People REALLY need to watch what words they use. To many loaded sentences with words like "shill" tend to mark their speakers as fanatics, and do little more than cause others to discount their opinions accordingly. If you're going to convince people, do so with more facts and less rhetoric.
Otherwise, as Lindsey said in Th
No OS is perfect (Score:2)
It is also not a level playing field in the OS market.
Once more people are using Linux, it will be a more fair comparison.
From the article.... anti-FUD stats (Score:5, Informative)
- 11 of those alerts were for Windows platforms
- 3 were for Oracle products
- 2 were for Cisco products
- 1 was for Mac OS X
- None were for Linux
, and secondarily look at this quoteFolks, as other
Re:From the article.... anti-FUD stats (Score:2)
You do realize that Firefox runs on Linux too, don't you? ;)
Some part are Windows specific so some bugs could affect Windows only. But some other bug affect only Linux too, or any other OS that can run Firefox.
Re:So what? My job is what (Score:1)
The company with 90% market share consisently and nearly constantly distorts every piece of negative press they get, and trumpets all the negative press about the 2%. But a vulnerability in the 90% software threatens not only my core business (if it is found on the WinX platform), but that of any and all of my customers if they are.
That's what.
Re:Reading comprehension... (Score:1)
My point about the statistics is merely an adjunct commentary, and if you will permit the biblical analogy, is that the 90% market leader is effectively trying to "point at the mote in the other guy's eye" while simultaneously "ignoring the beam" in his own, and using a faulty statistically analysis to do it. The question of safety favor
Re:So what? (Score:2)
I could the same thing against an OS for which you can't see the source code.
My Own Research (Score:5, Funny)
Search for "Windows Bugs": 45,800
Search for "Linux Bugs": 23,400
Search for "Bunny Bugs": 31,100
From this method, I can determine that I should NOT watch Looney Tunes cartoons on my Windows Media Center PC. Or drink while posting.
Re:My Own Research (Score:1)
windows AND bugs: 41,000,000
linux AND bugs: 39,100,000
Then we subtract:
windows AND linux AND bugs: 3,570,000
TOTAL: 76,530,000
Windows and Linux together account for about 47% of the bugs in the world. The number of individual insects estimated to be alive in the world at any one time is 10 quintillion, or 10,000,000,000,000,000,000. [vic.gov.au] That's 4,700,000,000,000,000,000 of the Windows or Linux variety.
Get to work, programmers.
I am doing better than most (Score:2)
CERT contact page (Score:1)
http://www.us-cert.gov/contact.html [us-cert.gov]
I wonder: Definition of security vulnerability? (Score:2, Insightful)
Bitching contest and formal request (Score:2, Insightful)
Formal request:
Someone needs to count the vulnerabilities in:
1) XP
2) Minimal SUSE linux install
3) XP with specific of Apps, servers, etc.
4) SUSE linux with specific Apps, servers, etc.
Give us these numbers and then we have something to talk about.
SecurityFocus article (Score:2)
Jack Ryan is back ... (Score:1)
The list count flaws at windows app AND "unix" app (Score:1)
The "Unix", incluiding, AIX, Mac OSX, Solaris, Linux, Freebsd, and any thing that looks like unix...
and Multiplataform vulnerabilities...
The main issue, is the way they pack together all kind and from different vendors the Unix thing... Also, there are reported vulnerabilities about Adobe and isnt listed as multiplataform vulnerabilities...
This article, DOESNT become a defacto FUD,
Did they mention how.... (Score:1)
Joe Barr is a writer? (Score:2)
If the intro isn't clear, why bother reading the article?
The Press Does Not Get It!! (Score:2)
The mainstream media does not get this. But, neither do most computer users.
Revisionist history (Score:1, Troll)
I'm richer than you are (Score:1, Funny)
-SHP
Uptime vs Maintneance vs Vulnerabilities (Score:2)
Re:Uptime vs Maintneance vs Vulnerabilities (Score:1)
Does that mean XP sucks?
I have XP on the internet and have never had a single problem. Not one. I also spend "next to no time keeping it up and running". Maybe your story means you're an idiot more than it means XP sucks.
Not knowing you, I can't say for sure. Just food for thought.
This isn't flamebait or a troll or whatever.
This Is Good News! (Score:3, Insightful)
Yeah the spin is ugly, but if the *nix's "stick to their knitting" this too shall pass.
They do the same thing when they talk about Mac's too. The last time I saw figures (which was a couple of years ago) Apple was far and away the #1 shipper of laptops by brand. But, they would compare ALL laptops shipped by all brands to come up with Apple's "miniscule" market share.
The reality was that Apple was creaming the Windows-based brands. They would do this with all of the various market segments apple competed in. Funny how they don't do it with MP3 players.
OT Comment:
I never understood why anyone who branded computers wanted their numbers in the market research. It just gives HP a target to destroy.
What a bullshit "article" (Score:3, Insightful)
The "article" is not an article but rather an opinion piece. For example:
Microsoft wants you to read the headlines as "Windows 3X safer than Linux." (If Microsoft is being quiet about the US-CERT numbers, it's because the company is too busy trying to come up with a fix for the Windows Meta File (WMF) vulnerability.)
The authors apparently know what Microsoft wants, even though they admit the company hasn't commented on the summary of vulnerabilities. I guess the authors assume the MS marketing department is working on this bug fix, which at the time the article was posted was fixed (but no patch had been released).
Reading further, the authors reference the "Technical Cyber Security Alerts", saying, "That's quite a different picture than the one the Microsoft press machine wants you to see." Once again MS is referenced, even though they had nothing to do with the summary of vulnerabilities and have issued no press release on the matter.
MS is mentioned twice though the company has not issued any press releases or new ads reflecting these numbers. On the other hand, the article repeatedly mentions the press:
Everywhere you look in the trade press today, you'll find glowing misrepresentations...
...many scribes sympathetic to the Microsoft cause go out of their way to make sure the real picture never emerges...
...you'd think that the mainstream tech press could get it right when reporting on security...
...scribes in the trade press are once again playing the US-CERT FUD game...
Shame on them for purposely -- or ignorantly, as the case may be -- misleading their readers.
Yet in the links below the article there is only one direct link to an example of how the press has been misleading their readers.
Guys, if you're going to write something, call it an article, then post it to Slashdot, at least try to be a little more objective. I think most people are tired of MS vs the world now...it's so last year (this year it's Google vs the world). People are interested in performance, ease of use, security - getting the job done. Who has time for these pissing matches?
The piece does fit on a site named "NewsForge". Why report the news when you can manufacture it?
Lies, Damned Lies and Statistics (Score:2)
Re:Lies, Damned Lies and Statistics (Score:1)
Depends on the meaning of what "it" is (Score:2)
"it is more secure than UNIX/Linux"? What is it? I guess it goes without saying? (Or should that be, it goes without saying?)
who is secure? (Score:2)
I don't get it. Are they saying that US-CERT is more secure than UNIX/Linux? Or is 'it' referring to the mainstream and trade press?
Come on guys. If you write this kind of stuff for a living, would it kill you to proofread?
(Never mind that the w
What is "It"? AKA Crappy Editors. (Score:2)
What the @#$@# does this (bolded) it refer to? Did someone clip out a reference to Microsoft Windows? Please -- 5 minutes of proofreading?
Disingenuous Discussion (Score:1)
If you don't tend to your garden, your vegetables may perish.
If you don't take care of your herd, you cattle might fall ill.
If you don't properly manager your systems, regardless of OS, your boxes might get compromised.
US Cert's connection with Homeland Security (Score:1)
The FUD starts here (Score:2)
Let it go already (Score:2)
Re:From the sumary (Score:1)
Re:From the summary (Score:2)
I am amused that you were modded "offtopic" when you commented directly on the newsitem and even included a reference.
But to clear up any confusion, the "IT" referred to in the OP is of course the famous Segway motorized scooter [tlb.org]. See how the whole thing makes sense now?
Re:Huh? (Score:1)
Re:Huh? (Score:2)
But OSX is BSD-based, so wouldn't that fall under the Unix category? I assumed Windows, because that's usually what gets people worked up around here.
Re:Huh? (Score:1)
Would you agree that I have made a valid sentence (even if you disagree with my statement)? The "it" I used at the beginning of that sentence is the same as the "it" you took issue with. This is a common English grammatical construction akin to the passive voice, and the "it" herein is typically understood to mean "the situation", "the current course of events", or something similar.
This is a fairly common construction,
Re:Huh? (Score:2)
That doesn't make sense. Replacing that "it" with what you say it represents, the sentence now reads:
They're doing it again this year to make it appear as if [the situation] is more secure than UNIX/Linux.
See what I mean? That "it" has to refer to something. From reading the article I assume you meant "it" to refer to Windows, so the sentence could read, "...to make it appear as if Wind
Re:Huh? (Score:1, Funny)
Agreed! (Score:4, Insightful)
I vote for the "solves-my-problem-but-not-yours" distribution, which is clearly the best.
Incidentally, I am also in favor of settling on ONE (1) tool for all mechanical uses.
I favor the two-handed hewing axe, but I might be persuaded to vote for the claw hammer.
Just curious (Score:1)