ONJava.com -- The Independent Source for Enterprise Java
Weblog:   Linux Users: Welcome to the World of Malware
Subject:   Remember
Date:   2005-02-17 13:24:50
From:   RickMoen
Response to: Remember

JustthefactsPlease wrote:


Remember that statistically Red Hat has hundreds more security holes than does Microsoft software


(I note in passing, without objection, that you changed the subject.)


"Software" is defined as several thousand bundled productivity suites, network daemons, and other applications in the typical Linux distribution being discussed, versus roughly nothing bundled with the Microsoft OS.


"Hole" is typically defined as anything that has been the subject of any sort of security advisory on the Linux side, whether it is remotely exploitable, locally exploitable, potentially exploitable only in highly unlikely configurations, probably will never be exploitable in any way but we might as well fix it, simply a DoS with potential impact ranging from feeble to strong (but not an actual vulnerability in any event), or a cross-site scripting opening (which likewise isn't any sort of site vulnerability). On the Microsoft side, it typically is defined to mean something Microsoft Corp. admits to -- which excludes some pretty severe problems -- which more often than not is already exploitable when the MS announcement comes out, rather than being fixed in anticipation of the problem, as is typical on *ix.


As long as such "studies" do nothing more intelligent than count announcements, with no attempt to seriously gauge seriousness or exploitability, or to put the matter in context of a cornucopia of thousands of codebases on one side and almost nothing on the other, nobody with a grain of common sense will take them seriously.


there are some very good research articles out there on this


As suggested above, there are some laughably bad "research" articles on this. Gartner Group, Forrester Research? Notorious paid shills, and inept, to boot.


Get some research from independent research firms like Gartner and others....


Gartner became independent? When did that happen? Up until now, they've always been flacks producing "white papers" to flog to gullible members of the public the interests of whoever cuts them a sponsorship check. Did they suddenly transform themselves into something else, when I wasn't looking?


Rick Moen

rick@linuxmafia.com