Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Annual US-CERT FUD Festival

Zonk posted more than 8 years ago | from the comparing-apples-and-pineapples dept.

Security 152

Joe Barr writes "Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux. Pamela Jones did a similar report at Groklaw over the weekend." From the article: "One figure represents the vulnerabilities found in Windows operating systems: XP, NT, 98, and so on. The other represents a total figure not just for Solaris, AIX, HP-UX, the BSDs, and Linux, but for a hundred different versions of Linux. The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro, and one could say the same about the various versions of Windows. That's why it is a completely meaningless exercise to discuss those totals as if they present an accurate picture of the relative security of Windows and Linux. " We've reported on the US-CERT list already this year. NewsForge is a sister site to Slashdot.org, both of whom are owned by OSTG.

cancel ×

152 comments

Sorry! There are no comments related to the filter you selected.

Windows (0, Troll)

the computer guy nex (916959) | more than 8 years ago | (#14409217)

Every time you download a new security update for Windows you should consider that a new "version" if each Linux Distro is considered a version.

Re:Windows - EAT ME (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14409307)

Eat me

Well.. (1, Insightful)

Sheetrock (152993) | more than 8 years ago | (#14409220)

The sum of all the unique vulnerabilities from all the Linux distros does not equate to the sum of vulnerabilities in any single Linux distro

No, but it sounds like they're adding the vulnerabilities to represent Linux. Much as they're adding the unique Windows vulnerabilities to represent Windows.

Re:Well.. (3, Insightful)

theonlyholle (720311) | more than 8 years ago | (#14409279)

But that's not the same - we're talking about basically one Windows product with its associated unique vulnerabilities, but when we talk about Linux distros, we talk about several different ones that have the *same* vulnerability counted multiple times because it exists in multiple distros. Just one look at the CERT list and you will see all the duplicates in there. And then of course, even if you remove the duplicates, you are still left with vulnerabilities that were only present in one distribution, but got counted against "Linux/Unix" although 99% of the distros were never affected.

Patch Time (4, Insightful)

ndtechnologies (814381) | more than 8 years ago | (#14409325)

Good point and I'd like to add, What about the time length between when vulnerabilities are found, and then patched? Surely, they thought about that. Linux and Unix can continue to have more "reported" vulnerabilities than Windows, but if they are patched faster than Windows, doesn't that count for something?

Re:Patch Time (1)

Capt. Caneyebus (883802) | more than 8 years ago | (#14409735)

That really isn't the question at hand though. They released it to the public, it should have been patched up prior to release. That is what most complaints about Microsoft are about on here. If a Linux distro is released with the same amount of holes and they just patch them faster, they are still releasing unfinished software. that is just my 2 cents, wasn't attempting to troll

Re:Well.. (2, Informative)

rubycodez (864176) | more than 8 years ago | (#14409354)

heh, "several" Linux distros, there's over 90 of them!

Re:Well.. (0)

Anonymous Coward | more than 8 years ago | (#14409843)

Umm, I looked at the list and they weren't counting the same vulnerability multiple times. They had one entry for each vulnerability which listed each affected operating system, but it was still counted as one vulnerability. The list was inflated somewhat because they didn't filter out the update entries, but that applies to both the Windows and *nix lists.

FALSE. (4, Informative)

WindBourne (631190) | more than 8 years ago | (#14409978)

Umm, I looked at the list and they weren't counting the same vulnerability multiple times.

Very false. just look for Larry Wall Perl Insecure Temporary File Creation (Updated). Three instances of the exact same item. And only in *nix even though ActiveState perl for Windows had the same issue. So, there are LOTS of issue with this report. Cert is more SNAFU, than not.

Re:Well.. (1)

LnxAddct (679316) | more than 8 years ago | (#14409944)

You might be interested in this [slashdot.org] post of mine from the other day.
Regards,
Steve

Re:Well.. (0)

Anonymous Coward | more than 8 years ago | (#14410058)

Huh? Windows is not monolithic. Windows 95, Windows 98, Windows 98se, Windows ME (shudder), Windows NT 3.51, Windows NT 4.0, Windows 2000, Windows XP Home, Windows XP Pro, Windows 2000 Server, Windows 2003 Server, Windows MCE, Windows 2005 MCE ... please try to look past your personal biases a bit. I love how WHENEVER anything is written favorably about Windows relative to *nix it's FUD ...

Not true. (3, Informative)

fireboy1919 (257783) | more than 8 years ago | (#14409550)

They've got Apache vulnerabilities listed on the Linux side, but not on the Windows side - vulnerabilities that affected both places, I might add.

This is true of most of the *nix vulnerabilities, actually.

So what we're really seeing is Windows-only vulnerabilities being compared to ones that are OS neutral. Not that its very suprising, though. Its 2006.
With the exception of software written specifically for Windows, most software is cross-platform.

This is the only really meaningful way to do this kind of a report because of this characteristic. The important thing to keep in mind in that, though, is that Windows has all of its own vulnerabilities AND most of the others. :)

Re:Well.. (1)

Audacious (611811) | more than 8 years ago | (#14409655)

US-CERT on the fishing industries:

CERT: You have 62,000,000 fish caught last year.
Fishermen: No we don't. We have so many sardines, tuna, flounder, and what not.
CERT: They are all fish aren't they?
Fishermen: Yeah....
CERT: So you have 62,000,000 fish caught last year.

Re:Well.. (1)

Thuktun (221615) | more than 8 years ago | (#14409838)

From TFA: Microsoft wants you to read the headlines as "Windows 3X safer than Linux."

Did anyone else read that as "Windows 3.X safer than Linux"? I immediately thought, "Yeah, that's probably right; it doesn't DO anything..."

Downright Disingenuous (3, Informative)

TripMaster Monkey (862126) | more than 8 years ago | (#14409222)


The act of contrasting the vulnerabilities found in the few Windows operating systems with the vulnerabilities found in hundreds of Linux/Unix is bad enough, but when you consider that the Unix/Linux list contains duplicate items, it becomes positively shameful.

From the Groklaw article:
Second, the Unix/Linux list duplicates items, counting a vulnerability more than once in the list. For an example, note that it lists Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated). However, the same vulnerability is listed, under the same title, four times. That's because it was reported in the week of August 10-15, again in the week of August 17-23, in September 6-13, and the week of November 9-16. Worse, for any comparison purposes, the same vulnerability is also reported as Fetchmail POP3 Client Buffer Overflow, so in reality one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out duplications.


I honestly expected better from the CERT [us-cert.gov] folks. I don't know why, but I really did.

Re:Downright Disingenuous (2, Interesting)

greg_barton (5551) | more than 8 years ago | (#14409322)

I honestly expected better from the CERT folks. I don't know why, but I really did.

Coming from the same government that denuded a slam dunk settled lawsuit against Microsoft? PuhLEASE!

Re:Downright Disingenuous (4, Informative)

User 956 (568564) | more than 8 years ago | (#14409347)

The act of contrasting the vulnerabilities found in the few Windows operating systems with the vulnerabilities found in hundreds of Linux/Unix is bad enough, but when you consider that the Unix/Linux list contains duplicate items, it becomes positively shameful.

It looks like we both posted at the same time. At any rate, you have a point to a certain degree. My post here [slashdot.org] shows that if you go through the list and subtract out all the items with "updated" after them, Subtract OSX and Solaris, the Linux/Unix group category is about par with windows, not 3x worse.

Whether "different" OSes should be lumped together is another discussion entirely (how "different" are they if they have the same kernel?)

Re:Downright Disingenuous (3, Interesting)

MyDixieWrecked (548719) | more than 8 years ago | (#14409643)

Whether "different" OSes should be lumped together is another discussion entirely (how "different" are they if they have the same kernel?)

then you need to consider the fact that x86 linux has a different kernel than PPC linux. And what about all the people running 2.4.x versus 2.6.x versus everyone still running older versions, still?

What about the fact that if a version of apache has some flaw that it [generally] affects the entire Apache installbase of that version. Whether it's BSD, Linux, OSX, Windows or BeOS. I say "generally" because some flaws may only affect x86 versions or PPC versions exclusively due to endian issues and ways that the kernels handle the stack and whatnot.

There really is no fair way of gauging and quantifying the number of flaws found in computers per-OS unless you go by installation package. Make lists of XP, make lists of win2k, make lists for OSX (10.2, 10.3 and 10.4 as well as server), make a list for each distro and every installation type for each of the lastest couple of versions. Sure it's a lot of work... but at least it'll be more accurate.

I prefer my way. (2, Informative)

khasim (1285) | more than 8 years ago | (#14410159)

Simply evaluate each vulnerability in a simple hierarchy. When evaluating a distribution or a version of Windows, use only the apps installed by default.

1. Remote--root access that does NOT require human intervention or other app running.

2. Remote non-root access that does NOT require human intervention or other app running.

3. Local root access that does NOT require human intervention or other app running.

4. Local non-root access that does NOT require human intervention or other app running.

5. Remote root access that requires some human interaction or some combination of apps.

6. Remote non-root access that requires some human interaction or some combination of apps.

7. Local root access that requires some human interaction or some combination of apps.

8. Local non-root access that requires some human interaction or some combination of apps.

9. Remote OS crash.

10. Remote app crash.

11. Local OS crash.

12. Local app crash.

There, now it should be easy to [b]exactly[/b] compare different systems. A thousand #12's (local app crash vulnerability) is still not worth a single #1 (remote root access).

SECURITY is about REDUCING the avenues of attack. A default Ubuntu install will never have any vulnerability above a #3 simply because it has no open ports, by default. This is extremely important when your machine is connected to the Internet.

Re:I prefer my way. (1)

charlesnw (843045) | more than 8 years ago | (#14410301)

This is a very good way to assess risk. A great way to build a threat matrix. A couple comments: I would add another qualification to your evaulation criteria. Has this bug been actively exploited and/or is exploit code (even proof of concept) available? So: A Level 1 or 2 would get immediate attention from me. I would drop what I was doing file an emergency ECN and then test and deploy the patch. Anything 3 or below would be updated during my next regular update cycle/maintence window (twice a month). However anything with an active exploit regardless of severity level would be patched immediately. Just my input.

Re:Downright Disingenuous (0)

Anonymous Coward | more than 8 years ago | (#14409648)

Whether "different" OSes should be lumped together is another discussion entirely (how "different" are they if they have the same kernel?).

It depends how you look at it. Most definitely the Darwin, FreeBSD, Solaris, Linux, and other Posix-like systems should be seperated. Even if they help each other out, they are definitely seperate source bases and different kernels. One should be able to compare FreeBSD to Linux just as people are comparing Linux to Windows. As for Linux and the ten ton of kernel versions, if we lump kernel versions together, does this mean we should lump all versions of Windows together? Do we lump all Linux distributions together to compare to all versions of Windows? These questions are much tougher since they really aren't comparable at all. And, we still havn't covered all the issues of seperating application vulnerabilities from OS vulnerabilities as well as what sort of damage can be done based on the vulnerability . These reports are good for two things: a useful overview of the vulnerabilities found in the past year (not from a "my OS is better" perspective, but from a "this is the sort of issues we should look out for in our code") and creating useless fodder than can be interpreted in many ways to push a point

Re:Downright Disingenuous (3, Insightful)

winterlong (321271) | more than 8 years ago | (#14409351)

I would have expected better *if* CERT was still in the hands of a university. I wouldn't trust a government analysis as far as I could throw a CRAY.

Re:Downright Disingenuous (3, Funny)

MindStalker (22827) | more than 8 years ago | (#14409465)

And yes I did just search the internet for a 1U or 2U cray for you to throw. Can't find any yet... I'll let you know when I do.

The answer is in your quotation. (0)

Anonymous Coward | more than 8 years ago | (#14409461)

"unless you carefully comb through it"

Want smart answers with minimal labor? Create smarter methods of storing, aggregating, and retrieving data. This is the future, and it's 1996. Could always outsource the tedious work to someone you doesn't make as much a cloth jockey at the local carwash, but still has the investment of time and expertise to understand the subject well enough to to do it for you. But really, that's a temporary economic solution that results in massive economic pain later at the expense of innovation now.

Re:Downright Disingenuous (4, Insightful)

MindStalker (22827) | more than 8 years ago | (#14409506)

Whats worse is the fact that a POP3 Client Buffer Overflow on Windows would not be included at all as one doesn't ship with Windows. Linux distros generally ship with thousands of clients and servers while Windows ships with the bare minimum. To do a true security comparion you would have to compare either just kernel exploits with OS exploits, then compare all popular software for windows with all popular software for Linux side by side in a catagory basis (POP3 clients being a catagory)

Re:Downright Disingenuous (0)

Anonymous Coward | more than 8 years ago | (#14410116)

I suppose, when you put it that way, Windows doesn't ship with a HTTP client either?

(here's a clue: Outlook Express)

Re:Downright Disingenuous (1)

poot_rootbeer (188613) | more than 8 years ago | (#14410178)

a POP3 Client Buffer Overflow on Windows would not be included at all as one doesn't ship with Windows.

Outlook Express...

Simple pre-processing would help (2, Informative)

Kelson (129150) | more than 8 years ago | (#14410298)

one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out duplications.

They could have cut it down to a more manageable list by piping it through "grep -vF '(Updated)' | sort -u".

That brings it down to just 871, which is much easier to comb for further duplicates.

The same process on Windows vulnerabilities brings it down from 831 to 659. Both lists still need to be checked for duplicates with different names (say, "Apache HTTP Request Smuggling" and "Apache HTTP Request Smuggling Vulnerability"), but we're now looking at a much more comparable set of numbers.

easier (2, Funny)

Ragein (901507) | more than 8 years ago | (#14409229)

Simply just find out who counted the numbers and steal all his personal data, give him an option on which os to leave it on (add 100mb and no firewall) and there u go simple answers from statisticians.

Should Compare A Single Version Of Windows Too (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14409234)

It's equally unfair to lump Windows 98, NT, 2000, XP all together. They could be looked at as different "distros" of Windows. Should pick the best or latest OS from each group with the least vulnerabilities to compare.

Re:Should Compare A Single Version Of Windows Too (2, Interesting)

theonlyholle (720311) | more than 8 years ago | (#14409304)

In principle, you are right - but you will have to agree that lumping say 4 or 5 versions of Windows together is an order of magnitude less stupid than lumping say 100 distros of Linux, plus assorted flavors of Unix (including MacOS) together...

Re:Should Compare A Single Version Of Windows Too (0)

Anonymous Coward | more than 8 years ago | (#14409446)

Here we go again... Mod someone down who makes a valid point about windows. Not that I don't agree with the parent post, but let's be fair about this.

Re:Should Compare A Single Version Of Windows Too (3, Insightful)

MyDixieWrecked (548719) | more than 8 years ago | (#14409585)

It's equally unfair to lump Windows 98, NT, 2000, XP all together.

well... you're half right. I'd say it's better to lump 95/98 together and NT/2000/XP together since most of the later versions of windows are pretty much the same thing on the inside...

however, it's really unfair to quantify the vulnerabilities for any OS as a whole. There are so many facets of any computer system that many vulnerabilities don't affect most people.

Saying that a exploit for Apache affects the entire linux/unix/osx install base is an unfair statement. Desktop linux users probably don't have apache running or a bug in X11/xorg won't affect most *nix servers. Likewise, a bug in MSSQL or web services won't directly affect most XP users, although a bug in explorer will affect nearly every windows user (who's running an affected version of explorer).

You can't even really create lists of vulnerabilities that affect "server" versus "desktop" users, either, because just because something is a server doesn't mean they're necessarily running every server daemon they can.

There needs to be a list of servertypes (ie: web, email, file, database, etc exclusively) showing not only the quantity of vulnerabilities but also the severity of said vulnerabilities. Perhaps even a table separating different applications.

I mean, you shouldn't really lump every proftpd vulnerability with every other ftp server software. All it takes is one bad egg to poison the overal results.

Re:Should Compare A Single Version Of Windows Too (3, Informative)

GuyverDH (232921) | more than 8 years ago | (#14409601)

It's valid, and yet invalid - all rolled into one.

No they aren't many different distros, only 2.

Windows 1.x -> ME are all different versions of windows management systems based on MSDOS.

Windows NT 3.x -> 2003 are all different versions of windows management systems based on NT.

So only 2 distros, with lots of versions.

Now Linux has had how many distros? I've read as high as 90, and no, I haven't done the research myself to come up with my own answer, but I know personally of at least 20.

Add to that the BSD distros, of which I know of 3 personally.

Then they lumped in 4 completely different Operating systems - not even distributions.
AIX, Solaris, HP-UX and MacOSX - all of these are true UNIX operating systems - not the complete list by far - Tru-64, Centix, C-TIX, the pre-caldera UNIXWare, OpenServer, Xenix, UNIX, etc...

Remember, Linux ISN'T UNIX. So why the hell would they lump them together. Here's why - it's the only way they could get the numbers to add up to anything close to a large margin above the count from the 2 distros of Windows.

Re:Should Compare A Single Version Of Windows Too (2, Interesting)

dpilot (134227) | more than 8 years ago | (#14409685)

For the moment, I'm going to lump a response to this together with "Skewed, Oh yeah..." thread ( http://it.slashdot.org/comments.pl?sid=173159&cid= 14409257 [slashdot.org] ) and say that it would be interesting to have a little better detail - for Windows and Linux both.

For instance, Windows has 2 distinct kernel families, Win9X and WinNT. Linux has 1. Within each of these families there is then versioning, Win95, Win98, WinME, WinNT, Win2k, WinXP, 2.4, 2.6, etc.
Beyond that, it appears that all Windows versions share things like GDI.dll (WMF, anyone?) while all Linux versions share things like glibc. Some are distinct, like Linux modutils, and I've heard that Windows has similar, but can't enumerate.

Then there are applications on top of both, both bundled with the OS, and not.

The CERT numbers are a mess, a disservice to all.

Re:Should Compare A Single Version Of Windows Too (1)

spitzak (4019) | more than 8 years ago | (#14409969)

I would agree, but including OS/X and Solaris as "Linux" is equivalent to including all bugs in WINE and FreeDos as "Windows" bugs.

Re:Should Compare A Single Version Of Windows Too (1)

m50d (797211) | more than 8 years ago | (#14410181)

So divide the windows vulnerabilities by 5 and the linux ones by 400. But actually it won't really affect windows counts because the inflation of linux counts comes from different vendors announcing the problem at different times - something that won't happen with different versions of windows since they're all from MS.

the rich play, the poor pay (0)

Anonymous Coward | more than 8 years ago | (#14409245)

so, what did you expect, honesty and integrity ... sheesh, grow up

our institutions are corrupt, just get over it

So..... (0)

Anonymous Coward | more than 8 years ago | (#14409252)

Let's settle on ONE (1) linux distribution....You brought this on yourselves with appix, bppix, cppix, and so on....

Crying about it isn't going to make it go away.

Agreed! (3, Insightful)

Medievalist (16032) | more than 8 years ago | (#14409867)

Let's settle on ONE (1) linux distribution....You brought this on yourselves with appix, bppix, cppix, and so on....

I vote for the "solves-my-problem-but-not-yours" distribution, which is clearly the best.

Incidentally, I am also in favor of settling on ONE (1) tool for all mechanical uses.
I favor the two-handed hewing axe, but I might be persuaded to vote for the claw hammer.

Skewed? Oh yeah... (4, Interesting)

fak3r (917687) | more than 8 years ago | (#14409257)

Considering Linux is a Kernel, to say there were 1000s of bugs again Linux is silly. Let's see how many were against the Linux kernel vs all the userland apps that don't touch anything system level. Now I'll admit bugs show up, and I think that's Open Source's strength; there's constantly ppl combing over the code finding f'd up stuff that no one would think to look at. This is only achieved through constant gazing at the source code, whereas with Windows a bug is usually found out after it's a vuln. Also, I'm happy that MS patched the issue so quickly, even if they were beaten to the punch, perhaps they'll take things (security) more seriously now that they're pushing 'trusted computing'. Not that I care that much, I'm sold on Linux, OS X on the desk and freeBSD on the server, but I did play with ReactOS the other night, and see a future for x-Windows folks who don't want to lose Windows compat when XP support goes away...

Re:Skewed? Oh yeah... (3, Insightful)

Anonymous Coward | more than 8 years ago | (#14409379)

Considering Linux is a Kernel, to say there were 1000s of bugs again Linux is silly.

It would be interesting to see all of the Windows application vendors lumped into the "Microsoft security flaws" category in a similar manner. I've seen quite a few Windows applications from all sorts of software vendors with issues this last year and noticed they weren't listed. While one might argue at first that this would be unfair because of all of the commercial products available for Windows, I'm not sure Windows wouldn't still have an advantage. Just go to sourceforge.net and start counting up all the projects available there that could be lumped into Linux "security flaws."

Looking just at core operating system applications, Fetchmail doesn't make the cut. In fact, it's inappropriate to include GCC in there since I'm certain they didn't include Microsoft development environment tools in the Microsoft count. An apples-to-apples comparison isn't appropriate and perhaps for those uneducated technical journalists that like to make comparison stories, a kernel-to-kernel, browser-to-browser (e.g. IE vs. Mozilla vs. Opera), office suite to office suite, and other category-based comparison is the only appropriate approach.

Re:Skewed? Oh yeah... (1)

fak3r (917687) | more than 8 years ago | (#14409610)

...and I completely agree, Microsoft shouldn't be held accountable for crappy software produced by a third party causing issues; don't think I'm just defending Linux, this report is silly for everyone. Plus things like Gator can hardly be faulted to MS.

Re:Skewed? Oh yeah... (0)

Anonymous Coward | more than 8 years ago | (#14409957)

If Linux is a kernel then everybody needs to stop comparing it to any other OS. The reason being that without a partitioning program, a mkfs program, a boot-loader, an init program, etc. your Linux kernel does nothing. At all. Zero. Zip. Nada. Can't do a single thing. There is absolutely nothing that your Linux kernel can do by itself. NNNNOOOOTTTHHHIINNNGGGG.

So either you're being a pedantic asshat loser who has intentionally chosen the wrong "definition" of "linux" or Linux isn't more stable than Windows. It's not faster than Windows. So which is it? Is linux more than a kernel, that is an OS or are you an asshole?

The numbers are unimportant (4, Insightful)

Billosaur (927319) | more than 8 years ago | (#14409268)

Shouldn't we be asking the more pertinent question: why do all the various operating systems have so many vulnerabilities? When it comes to such things, this shouldn't be a competition. OS builders should be striving for zero tolerance to vulnerabilities and there shouldn't be an quibbling over the number that exist.

Re:The numbers are unimportant (3, Insightful)

jdunn14 (455930) | more than 8 years ago | (#14409394)

That sounds great and all, but do you have any idea of the complexity, and therefore cost involved? Ever tried to debug something consisting of 10000 lines, let alone something the size of an OS? No bugs is just not realistic, and truly a better goal is to ensure that when bugs are found they have minimal impact (like ensure users aren't running as root) and patch them in reasonable time (days to weeks, not months to years).

Now on the topic of this bug counting, if windows is lumped together then linux should be to some degree too, but on the same order of magnitude. A half dozen distros, maybe even mirror the windows counting a little more and make some of those distros be older but still supported ones. Also, the various unixes and linux are entirely different beasts. Just because they try and present a somewhat compatible user interface and APIs doesn't mean that they should be grouped into one object when counting bugs.

Re:The numbers are unimportant (1)

Coryoth (254751) | more than 8 years ago | (#14410000)

That sounds great and all, but do you have any idea of the complexity, and therefore cost involved? Ever tried to debug something consisting of 10000 lines, let alone something the size of an OS?

Interestingly there was just an article about exceptionally low defect rates [slashdot.org] for software, with cases running from a mere 10,000 up to almost 200,000 SLOC, all done for very reasonable time frames and costs. That, of course, is still signficantly less than the complexity of, say, the entire Linux kernel - but then no one said the whole thing had to be perfect, why not just start with the critical parts? Does it matter if every single obscure device driver is perfect? Under the circumstances that's forgivable, and porbably isn't so important. Making sure the core parts are exploit free using solid techniques does make some sense though. There are such projects underway - see Coyotos [coyotos.org] and Singularity [microsoft.com] .

a better goal is to ensure that when bugs are found they have minimal impact (like ensure users aren't running as root)

Indeed, but we can do better than this - there are more modern architectures for isolating problems, and they are available right now in Linux, SELinux being the most visible example. The problem is that right now applications often aren't written to respect, or take advantage of the benefits SELinux offers, so the improvement just isn't that great (a very loose policy is required). That is to say Linux is in a state with SELinux similar to where Windows is with Administrator accounts: the technology is there, and if used would represent a huge step in improving security, but because of lagging applications and users it's failing to take the required steps to e more secure.

Jedidiah.

Re:The numbers are unimportant (1)

Pollardito (781263) | more than 8 years ago | (#14409983)

take a look at the vulnerabilities list before you get upset. here's one from the UNIX list :
Clam Anti-Virus ClamAV Mac OS X Command Execution
someone is going to need to explain to me why an error in A. an add-on antivirus software for B. Mac OS X is in any way a reflection on the quality of UNIX. almost all the vulnerabilities are apps like this, there are about 15 tacked onto the UNIX list that are just errors with acrobat reader. so now Linus is responsible for the quality of Adobe's software?

From the sumary (0, Offtopic)

alex_guy_CA (748887) | more than 8 years ago | (#14409270)

The second "it" in the second sentence (below) refers to nothing at all in the paragraph.

"Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux.

Re:From the sumary (1)

CodeHog (666724) | more than 8 years ago | (#14409408)

Actually it's the third "it" and I noticed this also. I had to read the summary several times to figure out what "it" meant. It also helped that I saw the CERT release this summary is referring to and thought it was strange that Linux beat out Windows for number of vulnerabilities. Now I know why, sigh!

Re:From the summary (1)

Medievalist (16032) | more than 8 years ago | (#14409954)


I am amused that you were modded "offtopic" when you commented directly on the newsitem and even included a reference.

But to clear up any confusion, the "IT" referred to in the OP is of course the famous Segway motorized scooter [tlb.org] . See how the whole thing makes sense now?

the thing about the list... (3, Insightful)

User 956 (568564) | more than 8 years ago | (#14409305)

Part of the contention is the repeat entries with the "updated" notation. So if you throw out all 141 "updated" occurrences in the Microsoft section, that leaves 671 (812-141=671).

If you throw out all 1437 "updated" occurences in the linux/unix secion, that leaves 891 (2328-1437=891). Subtracting Apple OS X (130) and Sun Solaris (77), Linux/Unix ends up with 13 more vulnerabilities than Windows (891-130-77=684), but it's for more operating systems, so it may be fair to divide that 684 further.

Re:the thing about the list... (2, Insightful)

hattig (47930) | more than 8 years ago | (#14409342)

So if I release ShitLinux(tm) and purposely put security holes in it, I can negatively affect every other Unix vendor (not just other Linux vendors, but Sun, Apple, ...), at least in terms of the US-CERT list?

Great. Where's me phone? Ah.... "Hey Bill, how much are you willing to pay ..."

The Register fell for it too (2, Insightful)

Anonymous Coward | more than 8 years ago | (#14409313)

Suckers ...

But it is true, engage intellect and you can see at a glance how useless the figures are.

- No ranking by severity levels, or weighting of overall score by severity
- No individual OS scores

I can't see how this 'report' is useful to anyone except marketing droids who work for Microsoft.

Huh? (-1, Troll)

Call Me Black Cloud (616282) | more than 8 years ago | (#14409319)

Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux.

To what is the bold "it" referring? The previous "it" refers to the press misrepresentation of vulnerabilities. Is that misrepresentation more secure than Linux? Is the summary more secure? I hope the article passed by an editor as the summary sure didn't.

Maybe it's time for a new sister forge to NewsForge: GrammarForge.

Re:Huh? (1)

minus_273 (174041) | more than 8 years ago | (#14409445)

i was about to post the same thing. I guess the poster means OSX which i think is more secure...

Re:Huh? (1)

Call Me Black Cloud (616282) | more than 8 years ago | (#14409607)


But OSX is BSD-based, so wouldn't that fall under the Unix category? I assumed Windows, because that's usually what gets people worked up around here.

Re:Huh? (1)

honor, not armor (904095) | more than 8 years ago | (#14409729)

It seems to me as if you are getting a little bent out of shape over something so small.

Would you agree that I have made a valid sentence (even if you disagree with my statement)? The "it" I used at the beginning of that sentence is the same as the "it" you took issue with. This is a common English grammatical construction akin to the passive voice, and the "it" herein is typically understood to mean "the situation", "the current course of events", or something similar.

This is a fairly common construction, and I'm surprised you haven't run into it before. I'm guessing that you have, and simply didn't realize it. I'd love to point you to an article on it, but the wikipedia one is very unhelpful for this particular usage, and google didn't give me anything either, so you're stuck with just my explanation.

Re:Huh? (1)

Call Me Black Cloud (616282) | more than 8 years ago | (#14409902)

"it" herein is typically understood to mean "the situation", "the current course of events", or something similar

That doesn't make sense. Replacing that "it" with what you say it represents, the sentence now reads:

They're doing it again this year to make it appear as if [the situation] is more secure than UNIX/Linux.

See what I mean? That "it" has to refer to something. From reading the article I assume you meant "it" to refer to Windows, so the sentence could read, "...to make it appear as if Windows is more secure than UNIX/Linux."

What an admittance! (0, Insightful)

Anonymous Coward | more than 8 years ago | (#14409897)

I can't believe that there are so many people posting about this.

You really had trouble figuring out what the article is about?

Shame on you! Admitting this at Slashdot too! All of these intellectual people here making a note of your name and marking it with a mental note of 'moron'.

Re:Huh? (0)

Anonymous Coward | more than 8 years ago | (#14410127)

Maby it is time to get a damned life.
If you are that senceitive to the littlest damn think you need to live in a anal retentive bubble and leave normal people alone.

Take a deep breath and count to ten... (4, Insightful)

pieterh (196118) | more than 8 years ago | (#14409327)

They're doing it again this year to make it appear as if it is more secure than UNIX/Linux.

What is "it"? Slight tinge of paranoia here, maybe?

Let's review the score here:

  - It does not matter what material is published, the fact of the matter is that every Windows PC in the world regularly has visible and non-trivial security issues, while on Linux and OS/X these issues are generally theoretical.

  - People's perceptions of Windows are very simple: it's a piece of crap that they use because it came with the box and everyone else uses it.

  - The relative security of Windows vs. the World is not a deciding factor in most people's use of Windows. It's largely a captive, neutered market.

  - For people who actually do care, no amount of statistics can change the visible and perceived situation. When I choose to ban Windows in my company, it's not because I read some website or article. It's because I'm sick and tired of removing spyware from people's PCs.

Complaining about these statistics is to give them credibility. Those who chose on the basis of security will ignore this data, and those who chose on other criteria won't care about this data.

Re:Take a deep breath and count to ten... (0)

DogDude (805747) | more than 8 years ago | (#14409416)

Complaining about these statistics is to give them credibility. Those who chose on the basis of security will ignore this data, and those who chose on other criteria won't care about this data.

Is that kind of like you complaining about Window's "security" while saying that your stupid users keep installing spyware on their computers? My company has -zero- spyware (I should know... I just checked each individual machine).

Re:Take a deep breath and count to ten... (0)

Anonymous Coward | more than 8 years ago | (#14409583)

Lies, damn lies, and statistics.

Take what the CERT says with a grain of salt... (5, Insightful)

dpmccoy (935032) | more than 8 years ago | (#14409328)

I'm an automation officer in the U.S. Army, and I know for a fact that we're full of Microsoft shills and contractors with Microsoft loyalties. We don't employ Unix/Linux in an enterprise manner; the government sold its soul to Microsoft years ago. Unix is used on some Army tactical platforms, though. Food for thought.

Re:Take what the CERT says with a grain of salt... (1)

shmlco (594907) | more than 8 years ago | (#14410160)

As opposed to other organizations who're full of F/OSS shills and Linux loyalists who've sold their souls to SourceForge? Oh, wait, sorry, I meant F/OSS supporters and Linux advocates.

People REALLY need to watch what words they use. To many loaded sentences with words like "shill" tend to mark their speakers as fanatics, and do little more than cause others to discount their opinions accordingly. If you're going to convince people, do so with more facts and less rhetoric.

Otherwise, as Lindsey said in The Abyss, "Hippy, I know you're trying to help, but get off my side."

As I said... (-1, Flamebait)

Odin_Tiger (585113) | more than 8 years ago | (#14409340)

As I said [slashdot.org] two days ago...

No OS is perfect (1)

digitaldc (879047) | more than 8 years ago | (#14409344)

They both have duplicate vulnerabilities listed in their totals.
It is also not a level playing field in the OS market.
Once more people are using Linux, it will be a more fair comparison.

From the article.... anti-FUD stats (5, Informative)

CodeShark (17400) | more than 8 years ago | (#14409355)

Not intending to "karma whore" here, but look at the stats from an already done analysis:
  • 22 Technical Cyber Security Alerts were issued in 2005
    • 11 of those alerts were for Windows platforms
    • 3 were for Oracle products
    • 2 were for Cisco products
    • 1 was for Mac OS X
    • None were for Linux
    , and secondarily look at this quote
  • "Here's more of the same. US-CERT's list of current vulnerabilities contains a total of 11 vulnerabilities, six of which mention Windows by name, and none of which mentions Linux.

Folks, as other /. posters have already discussed better than I can, most of the supposed Linux bugs are either duplicates or in user- space software. That would be akin to saying a Firefox browser vulnerability is a Windows OS security problem,as opposed to an underlying OS vulnerability that would affect any and all software on the platform.

So what? (0)

Anonymous Coward | more than 8 years ago | (#14409881)

Statistics can be produced to prove anything.
Understanding where those statistics come from is the more important action (which rarely happens in this day and age).

I'm absolutely no MS supporter, but in general and not refering to anything specifically...

Saying that a OS with ~90% of the desktop market share can be statistically compared to an OS with ~2% of the market in terms of vulnerabilities is bogus to begin with (regardles of which OS has the lion's share). The 2% share OS will never recieve the level of vetting or attention that the 90% share does.

No matter what the OS is, if you believe that the 2% share OS is more secure based on found vulnerabilities or alerts and would still remain that way if said 2% share OS suddenly moved to a 90% share OS, you are on quite shakey ground.

On a basic level, what constitues an alert?
Would a medium impact bug for the 90% share OS generate the same type of alert as a medium impact bug for the 2% share OS? I think not.

Quote all the stats you want, the real answer will never be there, it is in the code.

Re:So what? My job is what (1)

CodeShark (17400) | more than 8 years ago | (#14410132)

So what?

The company with 90% market share consisently and nearly constantly distorts every piece of negative press they get, and trumpets all the negative press about the 2%. But a vulnerability in the 90% software threatens not only my core business (if it is found on the WinX platform), but that of any and all of my customers if they are.

That's what.

Reading comprehension... (0)

Anonymous Coward | more than 8 years ago | (#14410250)

Again, read the post, it has nothing to do with who has the 90% share, it has everything to do with the environment.

The 2% share OS not having the number of alerts as the 90% share doesn't intrinsically mean the software is safer.

Don't switch the subject; your job is one thing, but claiming you are right because of intrinsically faulty statistical comparisons is another.

Re:So what? (1)

Nahor (41537) | more than 8 years ago | (#14410199)

The 2% share OS will never recieve the level of vetting or attention that the 90% share does.

I could the same thing against an OS for which you can't see the source code.

Re:From the article.... anti-FUD stats (1)

Nahor (41537) | more than 8 years ago | (#14410177)

That would be akin to saying a Firefox browser vulnerability is a Windows OS security problem

You do realize that Firefox runs on Linux too, don't you? ;)

Some part are Windows specific so some bugs could affect Windows only. But some other bug affect only Linux too, or any other OS that can run Firefox.

My Own Research (4, Funny)

vjmurphy (190266) | more than 8 years ago | (#14409369)

Using the patent-pending method of determining worth by comparing terms plugged into Google, I get the following:

Search for "Windows Bugs": 45,800
Search for "Linux Bugs": 23,400
Search for "Bunny Bugs": 31,100

From this method, I can determine that I should NOT watch Looney Tunes cartoons on my Windows Media Center PC. Or drink while posting.

Re:My Own Research (1)

muellerr1 (868578) | more than 8 years ago | (#14409759)

Google search for "bugs" returns 163,000,000

windows AND bugs: 41,000,000
linux AND bugs: 39,100,000

Then we subtract:
windows AND linux AND bugs: 3,570,000
TOTAL: 76,530,000


Windows and Linux together account for about 47% of the bugs in the world. The number of individual insects estimated to be alive in the world at any one time is 10 quintillion, or 10,000,000,000,000,000,000. [vic.gov.au] That's 4,700,000,000,000,000,000 of the Windows or Linux variety.

Get to work, programmers.

I am doing better than most (1)

WindBourne (631190) | more than 8 years ago | (#14410085)

I only had about 10 flies in my windows, and 1 fly in my door.

I wonder: Definition of security vulnerability? (2, Insightful)

scottsk (781208) | more than 8 years ago | (#14409380)

I've seen these numbers, and wonder what counts as a "Linux" vulnerability - does every little PHP bulletin board package that generates hundreds of bug reports a month on bugtraq count towards the total? All vulnerabilities aren't in the same class, although these numbers seem to lump them all together. Something like this WMF thing affects every machine running Windows. It's not like the Linux kernel, Apache, etc have bugs of this class. (Plus, most "little PHP bulletin board package" things for Windows are proprietary, and there is no master list of vulnerabilities the way there is for open source stuff. It's almost like these numbers are more "found vulnerabilities" than anything else, and a higher number would be good.)

Bitching contest and formal request (2, Insightful)

vettemph (540399) | more than 8 years ago | (#14409410)

Sure, everyone enjoys a good bitching contest but this is not helping.

Formal request:
Someone needs to count the vulnerabilities in:

1) XP
2) Minimal SUSE linux install
3) XP with specific of Apps, servers, etc.
4) SUSE linux with specific Apps, servers, etc.

Give us these numbers and then we have something to talk about.

SecurityFocus article (1)

alanxyzzy (666696) | more than 8 years ago | (#14409412)

There's another debunking over at SecurityFocus [securityfocus.com]

Post an article in Newsforge (0, Flamebait)

ch-chuck (9622) | more than 8 years ago | (#14409419)

Yeah, that'll set millions of high rolling executives straight.

"Newsforge? WTF's a 'Newsforge'???"

Let us know when it's above the fold on the Wall Street Journal.

Ignorant whelp (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14409792)

Newsforge articles are read by many influencial people.

Even if this isn't true, your post here is pretty pathetic, and you're welcome to live in your ignorant little world.

Lots of Unixes (0, Flamebait)

dlefavor (725930) | more than 8 years ago | (#14409477)

The mere fact that there are many Unixes and Linux distros should be alarming in itself.

Anyway, "measuring quality by counting defects" is a fool's errand to begin with.

Jack Ryan is back ... (1)

thaerin (937575) | more than 8 years ago | (#14409531)

Jack Ryan returns in 2006 for "The Sum of all FUD" : 27,000 fact stretched FUDs. One is misleading. CIA analyst Jack Ryan hunts down a group of US-CERTs who plan to announce a hawguash of FUD at the Superbowl.

The list count flaws at windows app AND "unix" app (1)

bubulubugoth (896803) | more than 8 years ago | (#14409534)

FTA, there are 3 lists, Windows vulnerabilities, that count, from Iexplorer to Wheresjames camera software, incluiding Adobe...

The "Unix", incluiding, AIX, Mac OSX, Solaris, Linux, Freebsd, and any thing that looks like unix...

and Multiplataform vulnerabilities...

The main issue, is the way they pack together all kind and from different vendors the Unix thing... Also, there are reported vulnerabilities about Adobe and isnt listed as multiplataform vulnerabilities...

This article, DOESNT become a defacto FUD, it CAN be used as a "FUD Source" (You see, CERT reports that "unix" is worse than "windows")...

So to be carefull when PR announcements link to thi s "list"...

Did they mention how.... (1)

STDOUBT (913577) | more than 8 years ago | (#14409576)

You can *make* Linux more secure by customizing it, and how you can't do that with Windows (any version)?

Joe Barr is a writer? (1)

wk633 (442820) | more than 8 years ago | (#14409589)

Can someone please explain what the second 'it' in the second sentence refers to?

Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux.


If the intro isn't clear, why bother reading the article?

How embarrassing! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14409734)

If the intro isn't clear, why bother reading the article?

Let me get this straight, you're admitting that you're ignorant, on Slashdot?

At least the other people who complained about the 'it' claimed that the sentance didn't make sense. You've just ridiculed yourself by suggesting that you can't figure out what the article is about.

The best thing to do is stop copying what other people post up here, especially when you don't really understand what they're talking about. :)

The Press Does Not Get It!! (1)

cs668 (89484) | more than 8 years ago | (#14409613)

The mainstream press never differentiates the type of vulnerability. I would say that 1 remote root exploit is worth at least a 100 local root exploits, maybe more if there is no remote exploit for the system at all.

The mainstream media does not get this. But, neither do most computer users.

Revisionist history (0, Troll)

Shoten (260439) | more than 8 years ago | (#14409627)

Does nobody remember when everyone was gloating over how these numbers showed many more vulnerabilities on the Windows side than on the Linux side? All those years we yelled at Microsoft, asking them to get better on security...were we ever planning to be happy if they actually DID? The notion that their vulnerability count is declining on a yearly basis isn't all that mysterious; they've really been doing a lot of work, from coding practices to architecture (for example, Microsoft Security Center, "Microsoft Update" replacing "Windows Update," their attempt at disabling raw sockets, etc.). So maybe they really are improving...what's so awful about that? It's not a zero-sum solution, everyone...if any single player in the OS field improves security, then that's good, no matter who it is.

Or, is this not really about security, but just trying to bash Microsoft despite the stats? Nawwwwww.... :)

Re:Revisionist history (-1)

Anonymous Coward | more than 8 years ago | (#14409769)

Troll.

I'm richer than you are (1, Funny)

SHP (8391) | more than 8 years ago | (#14409629)

I've got fifty one dollar bills, all you have is two hundreds. I've clearly got more money than you. Shine my shoes.

-SHP

Uptime vs Maintneance vs Vulnerabilities (1)

BoRegardless (721219) | more than 8 years ago | (#14409637)

Anyone who uses multiple platforms knows where he has to spend most of his maintenance and fixer-upper time. I spend almost no time on MacOSX keeping it running. I gave up on my WinXP and it simply doesn't connect to the Internet, and it now has no maintenance time either. Bo

This Is Good News! (2, Insightful)

mpapet (761907) | more than 8 years ago | (#14409807)

Really, it is.

Yeah the spin is ugly, but if the *nix's "stick to their knitting" this too shall pass.

They do the same thing when they talk about Mac's too. The last time I saw figures (which was a couple of years ago) Apple was far and away the #1 shipper of laptops by brand. But, they would compare ALL laptops shipped by all brands to come up with Apple's "miniscule" market share.

The reality was that Apple was creaming the Windows-based brands. They would do this with all of the various market segments apple competed in. Funny how they don't do it with MP3 players.

OT Comment:
I never understood why anyone who branded computers wanted their numbers in the market research. It just gives HP a target to destroy.

What a bullshit "article" (2, Insightful)

Call Me Black Cloud (616282) | more than 8 years ago | (#14409822)


The "article" is not an article but rather an opinion piece. For example:

Microsoft wants you to read the headlines as "Windows 3X safer than Linux." (If Microsoft is being quiet about the US-CERT numbers, it's because the company is too busy trying to come up with a fix for the Windows Meta File (WMF) vulnerability.)

The authors apparently know what Microsoft wants, even though they admit the company hasn't commented on the summary of vulnerabilities. I guess the authors assume the MS marketing department is working on this bug fix, which at the time the article was posted was fixed (but no patch had been released).

Reading further, the authors reference the "Technical Cyber Security Alerts", saying, "That's quite a different picture than the one the Microsoft press machine wants you to see." Once again MS is referenced, even though they had nothing to do with the summary of vulnerabilities and have issued no press release on the matter.

MS is mentioned twice though the company has not issued any press releases or new ads reflecting these numbers. On the other hand, the article repeatedly mentions the press:

Everywhere you look in the trade press today, you'll find glowing misrepresentations...
...many scribes sympathetic to the Microsoft cause go out of their way to make sure the real picture never emerges...
...you'd think that the mainstream tech press could get it right when reporting on security...
...scribes in the trade press are once again playing the US-CERT FUD game...
Shame on them for purposely -- or ignorantly, as the case may be -- misleading their readers.


Yet in the links below the article there is only one direct link to an example of how the press has been misleading their readers.

Guys, if you're going to write something, call it an article, then post it to Slashdot, at least try to be a little more objective. I think most people are tired of MS vs the world now...it's so last year (this year it's Google vs the world). People are interested in performance, ease of use, security - getting the job done. Who has time for these pissing matches?

The piece does fit on a site named "NewsForge". Why report the news when you can manufacture it?

Fundamental Problems, not numbers (0)

Anonymous Coward | more than 8 years ago | (#14409995)

All this talk about absolute number of vulnerabilities gives me a pain in sensitive areas. Like most technical issues, it simply cannot be boiled down to a this number versus that number comparison.

One assumption behind these kinds of comparisons is that there is some sort of parity between the two OS's that implies that any problems in code cause equal damage to users of either OS.

This is simply not true and the latest Microsoft blunder (as mentioned in the referenced article by: If Microsoft is being quiet about the US-CERT numbers, it's because the company is too busy trying to come up with a fix for the Windows Meta File (WMF) vulnerability.) illustrates this perfectly.

If you look at this vulnerability closely, it is NOT a programming error, it is NOT a careless oversite that happens to allow access where none should be, it IS a deliberate and stupid design decision made by Microsoft with no concern for security problems!

WMF files are allowed to register a callback function that will be executed in certain situations. The code for such a callback function can be embedded in the WMF file itself! Allowing a graphics data file to execute arbitrary code when being viewed is the height of stupidity and just begging for an attack exactly like the current vulnerability.

Now, for a number of reasons, there probably will never be a similar problem for any *nix system.

First and foremost, standard file formats promoted and used in the *nix community are designed to be used cross-platform. There is no desire to lock users down to one specific OS or architecture. Why do you think this is called Windows Meta File (WMF)? This is a file format created and used by Microsoft, in defiance of all standard file formats that they might have used instead, that was crafted to run only on Windows, only on x86 architectures and doomed to fail (at least this feature of the format) anywhere else! Imagine, if you will, the necessity of building a format that would include error code specific to PPC, x86, SUN Sparc and every other processor that runs *nix.

Secondly, programmers for *nix systems are accustomed to thinking of data files as data files, not some arbitrary data on a disc that may be read, written or even executed without regard to a permissions system that the OS overlays on top of them. Imagine trying to view a file format like WMF from another user for which the current user had no execute priviliges. At Microsoft, this is a holdover from the old DOS and early Windows days when the only permission attributes for files was "read-only" or "system". NT (and by extension, XP) has added a much richer level of file security permissions settings BUT legacy code from the bad old insecure days of Win9x prevent them from even using file permissions to protect the OS as much as would be prudent! A little bit of logical thinking will tell you that MS simply cannot protect the OS from things like this WMF vulnerability without killing some functionality built into Windows in the days of 9x and migrated to XP.

In short, regardless of the sheer numbers of vulnerabilities that may be discovered, Windows has some severe security limitations that are designed in and nothing anyone can say or do will make *nix look as bad in comparison.

Lies, Damned Lies and Statistics (1)

erroneus (253617) | more than 8 years ago | (#14410141)

I don't care. I just know one thing. I'm not easily targetted. Vulnerabilities be damned -- I'm a minority [Linux] user and I don't suffer from the crap that Windows users do. Even if there were only 5 vulnerabilities in Windows and 5000 in Linux, at present, since I'm not being targetted, I'm still safer.

Vulnerability density (0)

Anonymous Coward | more than 8 years ago | (#14410144)

Since we all *know* how bloated Windows is, this implies that the Vulnerability per Line-of-Code metric must be dramatically better for Windows than it is for Linux. What does this say about the open source development model?

Depends on the meaning of what "it" is (1)

SiliconEntity (448450) | more than 8 years ago | (#14410277)

Joe Brockmeier and I have teamed up in a story on NewsForge to point out how the mainstream and trade press misrepresent the annual summary of vulnerabilities from US-CERT. They're doing it again this year to make it appear as if it is more secure than UNIX/Linux.

"it is more secure than UNIX/Linux"? What is it? I guess it goes without saying? (Or should that be, it goes without saying?)
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?