Linked by Thom Holwerda on Fri 16th Mar 2007 17:02 UTC, submitted by Shawna McAlearney
Privacy, Security, Encryption "Starting today, I plan on posting a monthly vulnerability scorecard for common server and workstation Operating System products. I'm going to keep these scorecards pretty clean of discussion, but you can review my methodology, sources and assumptions." Note that these results speak only of fixed vulnerabilities; the author aims to include information on non-fixed problems and the time it takes to fix problems as well. You should also read this, by the way.
Thread beginning with comment 221991
RE: FUD FUD FUD FUD
by Thom_Holwerda on Fri 16th Mar 2007 18:47 UTC in reply to "FUD FUD FUD FUD"
Thom_Holwerda Member since:
2005-06-29

Can we remove the whole article please? This article is flawed and should be treated as FUD by the author's own admission.

Can you PLEASE judge the article on its own merits? I have YET to find a SINGLE shred of a pro-Microsoft bias in this article (I still included the link to that page in the teaser, for completeness). The guy is honest about the shortcomings, and he intends to fix those as soon as possible.

The fact that Microsoft comes out on top* in these results does NOT automatically mean the results are flawed. You should LOOK at the methodology before passing judgment on something. I know that in the present day internet world it is very uncommon to ask such a feat from readers, but you should try it for once.

* The results appear to be in Microsoft's favour, but since we do not yet know anything about unfixed vuln., it's impossible to call these results in favour of anything.

Reply Parent Score: 1

RE[2]: FUD FUD FUD FUD
by sbergman27 on Fri 16th Mar 2007 19:30 in reply to "RE: FUD FUD FUD FUD"
sbergman27 Member since:
2005-07-24

"""Can you PLEASE judge the article on its own merits?"""

Fair enough.

To his credit, he does address the disparity in included packages between Windows and Linux. But he does seem to perform a bit of voodoo by claiming that he could just click a few check boxes in the install and magically come up with an apples-to-apples comparison.

If you read his responses in the blog comments (Yes, it's a blog!), it becomes apparent that he takes the rather bizarre view that only disclosed vulnerabilities are important. He also implies that most of the disclosed ones end up being fixed ones (and that the amount of time to release a fix is not significant), and so fixed vulnerabilities are all he really needs to take into account in his tallies. (Yes, it's another simple *tally*!)

Add to that the fact that he is a "Director of Strategy" for Microsoft*, and you have to admit that a reasonable person is well within his rights to start getting a bit suspicious.


*For those who subscribe to the view that MS treats security issues as PR problems rather than as technical problems, that would make him a "Director of PR Strategy", I suppose.

Edited 2007-03-16 19:39

Reply Parent Score: 5

RE[2]: FUD FUD FUD FUD
by markjensen on Fri 16th Mar 2007 20:40 in reply to "RE: FUD FUD FUD FUD"
markjensen Member since:
2005-07-26

* The results appear to be in Microsoft's favour, but since we do not yet know anything about unfixed vuln., it's impossible to call these results in favour of anything.

Don't we? Seems like there are places online that track these things, and those can be used to show "unfixed" vulnerabilities. Secunia, eeye, frsirt and others come to mind off the top of my head. Unpatched vulnerabilities are known. Just disregarded.

That makes this analysis rather incomplete. There should be consideration of unpatched issues. Days of Risk. Time to patch. Geez... This is a single metric being thrown out, then titled a "vulnerability" report, when it is really a "patches issued" report.

Reply Parent Score: 3
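The distinction markjensen draws between a "patches issued" tally and a vulnerability report (which would also count unpatched issues and days of risk) is easy to make concrete. The script below is an added example, not code from the scorecard's author or from anyone in this thread; the advisory records it operates on are constructed sample data with made-up product names and dates, not real advisories.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vuln:
    """One disclosed vulnerability; fixed is None while no patch has shipped."""
    product: str
    disclosed: date
    fixed: Optional[date]

# Constructed sample records (hypothetical products "A" and "B", made-up dates).
SAMPLE = [
    Vuln("A", date(2007, 1, 2), date(2007, 1, 10)),
    Vuln("A", date(2007, 1, 15), date(2007, 2, 1)),
    Vuln("A", date(2007, 2, 5), None),            # still unpatched
    Vuln("B", date(2007, 1, 3), date(2007, 1, 5)),
    Vuln("B", date(2007, 1, 20), date(2007, 1, 22)),
    Vuln("B", date(2007, 2, 1), date(2007, 2, 3)),
    Vuln("B", date(2007, 2, 10), date(2007, 2, 12)),
]

AS_OF = date(2007, 3, 1)  # reporting cut-off for the constructed data


def fixed_tally(vulns, product):
    """The 'patches issued' metric: count only vulnerabilities that have a fix."""
    return sum(1 for v in vulns if v.product == product and v.fixed is not None)


def unpatched_count(vulns, product, as_of):
    """Vulnerabilities disclosed by as_of with no fix shipped by that date."""
    return sum(
        1 for v in vulns
        if v.product == product
        and v.disclosed <= as_of
        and (v.fixed is None or v.fixed > as_of)
    )


def days_of_risk(vulns, product, as_of):
    """Sum of days each vulnerability was publicly known but unfixed.

    An unpatched issue keeps accruing risk up to the reporting date, so it is
    counted through as_of rather than dropped the way a fixed-only tally does.
    """
    total = 0
    for v in vulns:
        if v.product != product or v.disclosed > as_of:
            continue
        end = v.fixed if (v.fixed is not None and v.fixed <= as_of) else as_of
        total += (end - v.disclosed).days
    return total


def scorecard(vulns, as_of):
    """Side-by-side view of the three metrics for every product in the data."""
    products = sorted({v.product for v in vulns})
    return {
        p: {
            "fixed": fixed_tally(vulns, p),
            "unpatched": unpatched_count(vulns, p, as_of),
            "days_of_risk": days_of_risk(vulns, p, as_of),
        }
        for p in products
    }


if __name__ == "__main__":
    for product, metrics in scorecard(SAMPLE, AS_OF).items():
        print(product, metrics)
```

On the constructed data, a fixed-only tally ranks product B as worse (4 fixes against 2), while product A carries an open issue and several times the days of risk. Which product looks better depends entirely on which metric the report chooses to publish, which is the point the thread is making.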