Linked by Thom Holwerda on Fri 16th Mar 2007 17:02 UTC, submitted by Shawna McAlearney
"Starting today, I plan on posting a monthly vulnerability scorecard for common server and workstation Operating System products. I'm going to keep these scorecards pretty clean of discussion, but you can review my methodology, sources and assumptions." Note that these results speak only of fixed vulnerabilities; the author aims to include information on non-fixed problems and the time it takes to fix problems as well. You should also read this, by the way.
Thread beginning with comment 221974
RE: Sorry...
by Duffman on Fri 16th Mar 2007 18:22 UTC in reply to "Sorry..."
Duffman Member since:
2005-11-23

Those charts show how many vulnerabilities were fixed. The fact that Vista hasn't received any fixes (a fact that I sincerely doubt, no matter how good it is, it can't be perfect) doesn't mean it doesn't have any vulnerabilities.

I agree, but it proves one thing: Linux has serious security holes, despite what Linux zealots are saying.

Reply Parent Score: -3

RE[2]: Sorry...
by raver31 on Fri 16th Mar 2007 18:36 in reply to "RE: Sorry..."
raver31 Member since:
2005-07-06

Yeah ? Ok, can we have an example please ?

Reply Parent Score: 2

RE[3]: Sorry...
by Duffman on Fri 16th Mar 2007 22:02 in reply to "RE[2]: Sorry..."
Duffman Member since:
2005-11-23

Just watch the charts dude, can't you see the red color ?

Reply Parent Score: -1

RE[2]: Sorry...
by merkoth on Fri 16th Mar 2007 18:37 in reply to "RE: Sorry..."
merkoth Member since:
2006-09-22

"I agree, but it proves one thing: Linux has serious security holes, despite what Linux zealots are saying."

Since your only purpose with that post is to offend GNU/Linux users, I shouldn't give you any answer. But I'll try anyway:

1 - It has already been stated that pretty much any GNU/Linux distro includes hundreds of applications and utilities, ranging from simple CD-Audio ripping tools to webservers. Comparing that to an operating system which includes pretty much nothing is unfair.

2 - Show me ONE source where an objective, common sense-ready GNU/Linux user states that GNU/Linux doesn't have ANY security holes and I'll give you (some) reason.

3 - Every distro uses software in different development stages: Some of them include more bleeding edge software (which usually has more bugs) and some of them only include well-tested, patched apps. Not-so-surprisingly, the all-time most secure GNU/Linux distro wasn't included in the review.

You, sir, aren't any better than any "Linux zealot".

Edit: Yes, my grammar sucks.

Edited 2007-03-16 18:39

Reply Parent Score: 1

RE[2]: Sorry...
by Doc Pain on Fri 16th Mar 2007 18:43 in reply to "RE: Sorry..."
Doc Pain Member since:
2006-10-08

"I agree, but it proves one thing: Linux has serious security holes, despite what Linux zealots are saying."

That's a thing I would not disagree with, but:

(1) The author compares "fixed vulnerabilities". If a vulnerability is fixed, it does not exist anymore. So he's counting things that do not exist. (So your statement should be in the past tense: "Linux had serious security holes".)

(2) Fixing vulnerabilities shows how well / fast programmers work. Assuming this, the manufacturers of "Vista" hardly do anything; they don't care anyway. :-)

(3) As has been mentioned before, the software included with the OSes (or installed upon them) is interesting, too.

(4) The source contains the vulnerabilities published by the manufacturers themselves.

(5) The source contains only the vulnerabilities known, not the vulnerabilities existing in fact. :-)

My judgement: The article is interesting, but says nothing.

And, as you might know from reality, the biggest vulnerability resides between keyboard and chair. :-)

Reply Parent Score: 4

RE[3]: Sorry...
by sbergman27 on Fri 16th Mar 2007 20:18 in reply to "RE[2]: Sorry..."
sbergman27 Member since:
2005-07-24

"""
And, as you might know from reality, the biggest vulnerability resides between keyboard and chair.
"""

The engineer in me makes me want to say that we should eliminate that component, then. ;-)

Reply Parent Score: 3

RE[3]: Sorry...
by Duffman on Fri 16th Mar 2007 22:05 in reply to "RE[2]: Sorry..."
Duffman Member since:
2005-11-23

"If a vulnerability is fixed, it does not exist anymore."
Yes, I agree, but if there are some fixes, it means there were some vulnerabilities before, so it's quite the same.

"And, as you might know from reality, the biggest vulnerability resides between keyboard and chair. :-)"
Agreed.

Reply Parent Score: 1

RE[2]: Sorry...
by butters on Fri 16th Mar 2007 21:56 in reply to "RE: Sorry..."
butters Member since:
2005-07-08

All general-purpose server operating systems have vulnerabilities. OpenBSD proves that even if you obsess about security and only run the TCP/IP stack by default, eventually people will find holes in the TCP/IP stack. It's inevitable. If you consider vulnerabilities in all of the server packages distributed by the OpenBSD project, the number goes way up. And this is the most paranoid general-purpose server system that a security-minded sysadmin could choose.

This leads to the next point, which is that Windows Server doesn't come with that many actual servers, whereas most other server platform vendors distribute just about any server software you could want. This figures into any tally of vulnerabilities. Also, as somebody else mentioned, open source systems tend to have more reported vulnerabilities because everything is a white-box attack. Subjecting the code to widespread white-box analysis makes it much higher quality in the long run, but it also raises the bar for quality because white-box attacks are far easier to craft. In other words, security through obscurity is far from optimal, but it does make the system significantly harder to exploit, and open source systems can't really take advantage of this.

Reply Parent Score: 3