No, you're missing the point. It isn't necessary for people to report bugs to Microsoft anymore. They can be reported to any number of widely available security bug tracking orgs (ntbugtraq.com, secunia.org, etc). Because it isn't possible to hide security bugs anymore. Security through obscurity doesn't work, it's been proven time and time again, so whether or not the bugs are reported to Microsoft is irrelevant. They WILL be found, regardless.
But it doesn't matter where users (or any person/business/entity for that matter) report the bugs. My point was that the people surrounding Windows don't usually spend a lot of time looking for errors and writing bug reports. As you say, most bugs will be found, and I agree, but that doesn't change the fact that F/OSS is likely to have more bug reports (including a lot of issues that many wouldn't count as real "bugs") at a given time than most closed source software. And that's OK, we are talking about two different development systems, each one with its own pros and cons. The problem I (IMHO) see here is that the MS researcher keeps comparing apples to oranges.
Yes, this "debunking" is way too short and looks to me more like a simple rant than a serious analysis. And it's pretty obvious that Vista is more secure than XP (not like it's a great achievement, though), but the problem here is, as I've already said, that the MS "research" compares apples to oranges, wanting to show Vista as the most secure OS out there, when the only thing it can prove is that it's (for the moment) only more secure than XP.
But let's face it: comparing two different things just by raw numbers is pretty much only valid for sports matches and not, most certainly, for technology.
Edit: typos, as always >:(
Edited 2007-06-30 03:03 UTC
That would seem to be disproven by the stats for XP/Vista bugs versus Linux bugs or even versus OSX bugs. Unless having fewer bugs makes XP/Vista more insecure, somehow.
You're ascribing way too much meaning to the stats for the first 6 months of vulnerability reports. I never suggested that looking at any specific time period proves or disproves security claims. XP had few vulnerabilities when it was first introduced but, over time, lots were reported. So, evaluating statistics is only practically meaningful when you have a sufficiently large sample period (say, a couple of years). That said, the security models for XP and Vista are fundamentally different. Under XP, most users run as Admin; under Vista, they run as standard users, which greatly reduces the attack surface of any potential exploit. Additionally, since IE is the primary attack vector for most Windows exploits, MS spent time making it possible for IE to run in an even lower-privileged "secure mode" that will make it very tough for malware to take root. It is for THESE reasons that I assert that Vista will have a better security track record than XP, not on stats alone.
You're absolutely missing the point. The true facts are that, while your average Windows user will not send any kind of bug report, the F/OSS community is way more aggressive regarding bugs/flaws, even those which don't pose a threat to the security/stability of your system. But the fact that you have fewer disclosed bugs doesn't mean that you actually have fewer bugs than the competition.
No, you're missing the point. It isn't necessary for people to report bugs to Microsoft anymore. They can be reported to any number of widely available security bug tracking orgs (ntbugtraq.com, secunia.org, etc). Because it isn't possible to hide security bugs anymore. Security through obscurity doesn't work, it's been proven time and time again, so whether or not the bugs are reported to Microsoft is irrelevant. They WILL be found, regardless.
The F/OSS community needs to get a grip on reality and face facts. Vista is way more secure than its predecessor, and a lot of people don't like that because they think it reduces the value proposition of their preferred OS versus Vista. And, really, the author of this piece needs to avoid the usual character assassination inherent in putting "researcher" in quotes whenever referring to his analysis. It's childish. Want respect? Provide data to back up your assertions. I don't see any of that in the author's "debunking".