Fact #4: having more bugs disclosed is "the nature of bug reporting in open versus closed source software". Wow! For years the nature of OSS was to be able to *FIX* bugs faster and "more eyes looking, more bugs fixed". Now that this is not happening, we learn the nature of OSS is to have more bugs publicly disclosed (without caring if they were fixed or not by mythological "Community")
You're absolutely missing the point. The true facts are that, while your average Windows user will not send any kind of bug report, the F/OSS community is way more aggressive regarding bugs/flaws, even those which don't pose a threat for the security/stability of your system. But the fact that you have fewer disclosed bugs doesn't mean that you actually have fewer bugs than the competition.
"Mythological"? Hahaha, believe what you want. Once you're done spitting worthless flames, do some research. You might find that the community is a bit more real than you think.
Edited 2007-06-29 16:01 UTC
You're absolutely missing the point. The true facts are that, while your average Windows user will not send any kind of bug report, the F/OSS community is way more aggressive regarding bugs/flaws, even those which don't pose a threat for the security/stability of your system.
It's also way more aggressive regarding the unacceptability of bugs and flaws (Exhibit A: The Infamous Ubuntu Non-functioning-X11 Incident).
In Windows' users' defence, the last time I remember a bug which crashed Adobe Acrobat happening (which is not the only kind of bug that could happen), Windows attempted to send a bug report to Microsoft, not to Adobe. Unless MS have a means to correct that flaw, or provide Adobe with that information (which judging from the content of the "this is not an MS application" message, they didn't), that's not much use.
You're absolutely missing the point. The true facts are that, while your average Windows user will not send any kind of bug report, the F/OSS community is way more aggressive regarding bugs/flaws, even those which don't pose a threat for the security/stability of your system. But the fact that you have fewer disclosed bugs doesn't mean that you actually have fewer bugs than the competition.
No, you're missing the point. It isn't necessary for people to report bugs to Microsoft anymore. They can be reported to any number of widely available security bug tracking orgs (ntbugtraq.com, secunia.org, etc). Because it isn't possible to hide security bugs anymore. Security through obscurity doesn't work, it's been proven time and time again, so whether or not the bugs are reported to Microsoft is irrelevant. They WILL be found, regardless.
The F/OSS community needs to get a grip on reality and face facts. Vista is way more secure than its predecessor, and a lot of people don't like that because they think it reduces the value proposition of their preferred OS versus Vista. And, really, the author of this piece needs to avoid the usual character assassination inherent in putting "researcher" in quotes whenever referring to his analysis. It's childish. Want respect? Provide data to back up your assertions. I don't see any of that in the author's "debunking".







Numbers of vulnerabilities, even when only the critical ones get counted, are always disputable. One releases numbers, others attach rationales to such numbers. It's a never-ending story.
However, I've seen plenty of "numbers" flowing out of other houses (Apple, Linux community et al) so I can't see why Microsoft should not play this game too.
Fact #1: Vista is proving to be more solid than XP. Bugs exist everywhere but this dude is not so vulnerable as XP was.
Fact #2: I don't like this guy's attitude. For years you tricked people into numbers, then Hermansen says numbers could be misunderstood. Welcome to the real world.
Fact #3: Hermansen's negative analysis is not debunking those numbers. He goes abstract since he probably thinks his own numbers will not help him. I'm surprised he doesn't say "it's FUD", since the "FUD" term is used every time someone has nothing to say but he/she wants to write that he doesn't agree.
Fact #4: having more bugs disclosed is "the nature of bug reporting in open versus closed source software". Wow! For years the nature of OSS was to be able to *FIX* bugs faster and "more eyes looking, more bugs fixed". Now that this is not happening, we learn the nature of OSS is to have more bugs publicly disclosed (without caring if they were fixed or not by mythological "Community")
I have to say I don't like numbers per se. They don't explain anything real. I acknowledge that Microsoft might have fixed more bugs than they disclosed and we surely need to account for that.
But now acknowledging Vista is proving comparable to other products in terms of security and probably now doing a bit better would be not being attached to reality of things.
I've always been sure that to deliver better products you first have to be able to acknowledge the reality of things and then prove yourself better.