Linked by Thom Holwerda on Fri 16th Mar 2007 17:02 UTC, submitted by Shawna McAlearney
Privacy, Security, Encryption "Starting today, I plan on posting a monthly vulnerability scorecard for common server and workstation Operating System products. I'm going to keep these scorecards pretty clean of discussion, but you can review my methodology, sources and assumptions." Note that these results speak only of fixed vulnerabilities; the author aims to include information on non-fixed problems and the time it takes to fix problems as well. You should also read this, by the way.
Thread beginning with comment 221964
by merkoth on Fri 16th Mar 2007 18:14 UTC

But some of you should RTFA. Those charts show how many vulnerabilities were fixed. The fact that Vista hasn't received any fixes (a fact that I sincerely doubt, no matter how good it is, it can't be perfect) doesn't mean it doesn't have any vulnerabilities.

It's obvious that FOSS software will have more fixes, after all, that code is reviewed by thousands of coders around the world and, hopefully, those vulns will be fixed before anyone exploits them.

Edit: A typo.

Edited 2007-03-16 18:16

Reply Score: 5

RE: Sorry...
by jack_perry on Fri 16th Mar 2007 18:20 in reply to "Sorry..."

Right, he does, and he is thereby deceptive. Otherwise, why call them "Vulnerability charts"? A vulnerability that has been FIXED is no longer a vulnerability. He should also indicate how many vulnerabilities have been publicized.

Reply Parent Score: 4

RE: Sorry...
by Duffman on Fri 16th Mar 2007 18:22 in reply to "Sorry..."
RE[2]: Sorry...
by raver31 on Fri 16th Mar 2007 18:36 in reply to "RE: Sorry..."

Yeah ? Ok, can we have an example please ?

Reply Parent Score: 2

RE[2]: Sorry...
by merkoth on Fri 16th Mar 2007 18:37 in reply to "RE: Sorry..."

"I agree but it proves one thing, it's that Linux has serious security holes despite what Linux zealots are saying."

Since your only purpose with that post is to offend GNU/Linux users, I shouldn't give you any answer. But I'll try anyway:

1 - It has already been stated that pretty much any GNU/Linux distro includes hundreds of applications and utilities, ranging from simple CD-Audio ripping tools to webservers. Comparing that to an operating system which includes pretty much nothing is unfair.

2 - Show me ONE source where an objective, common sense-ready GNU/Linux user states that GNU/Linux doesn't have ANY security holes and I'll give you (some) reason.

3 - Every distro uses software in different development stages: Some of them include more bleeding edge software (which usually has more bugs) and some of them only include well-tested, patched apps. Not-so-surprisingly, the all-time most secure GNU/Linux distro wasn't included in the review.

You, sir, aren't any better than any "Linux zealot".

Edit: Yes, my grammar sucks.

Edited 2007-03-16 18:39

Reply Parent Score: 1

RE[2]: Sorry...
by Doc Pain on Fri 16th Mar 2007 18:43 in reply to "RE: Sorry..."

"I agree but it proves one thing, it's that Linux has serious security holes despite what Linux zealots are saying."

That's a thing I would not disagree with, but:

(1) The author compares "fixed vulnerabilities". If a vulnerability is fixed, it does not exist anymore. So he's counting things that do not exist. (So your statement should be in the past tense: "Linux had serious security holes".)

(2) Fixing vulnerabilities shows how well / fast programmers work. Assuming this, the manufacturers of "Vista" hardly do anything, they don't care anyway. :-)

(3) As has been mentioned before, the software included with the OSes (or installed upon them) is interesting, too.

(4) The source contains the vulnerabilities published by the manufacturers themselves.

(5) The source contains only the vulnerabilities known, not the vulnerabilities existing in fact. :-)

My judgement: The article is interesting, but says nothing.

And, as you might know from reality, the biggest vulnerability resides between keyboard and chair. :-)

Reply Parent Score: 4

RE[2]: Sorry...
by butters on Fri 16th Mar 2007 21:56 in reply to "RE: Sorry..."

All general-purpose server operating systems have vulnerabilities. OpenBSD proves that even if you obsess about security and only run the TCP/IP stack by default, eventually people will find holes in the TCP/IP stack. It's inevitable. If you consider vulnerabilities in all of the server packages distributed by the OpenBSD project, the number goes way up. And this is the most paranoid general-purpose server system that a security-minded sysadmin could choose.

This leads to the next point, which is that Windows Server doesn't come with that many actual servers, whereas most other server platform vendors distribute just about any server software you could want. This figures into any tally of vulnerabilities. Also, as somebody else mentioned, open source systems tend to have more reported vulnerabilities because everything is a white-box attack. Subjecting the code to widespread white-box analysis makes it much higher quality in the long run, but it also raises the bar for quality because white-box attacks are far easier to craft. In other words, security through obscurity is far from optimal, but it does make the system significantly harder to exploit, and open source systems can't really take advantage of this.

Reply Parent Score: 3