Linked by Thom Holwerda on Fri 6th Jan 2006 22:56 UTC
Privacy, Security, Encryption Open source experts have hit back at a study published by the United States Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows in 2005, labelling the report misleading and confusing. The report has attracted criticism from the open source community. Linux vendor Red Hat said the vulnerabilities had been miscategorised, and so could not be used to compare the relative security of Windows and Linux/Unix platforms.
Thread beginning with comment 82762
flypig Member since: 2005-07-13

When the original story about the US-CERT vulnerability was posted, I remember thinking that it was really obvious that all it represented was a list of the reported vulnerabilities for the year. There was no commentary or statistics, and CERT made no claims about relative security of systems. It was just a pure, factual, list of what had been reported to them in the last year.

The original report even states that "Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported..."

So to see Red Hat complaining that "the study is confusing and misleading" seems really, really odd. It wasn't a study, it was just a factual list of the reports CERT received.

The fact is that insinuations about relative OS security came only from commentators, not CERT. Surely anything else is just opinion that people have chosen to layer on top of it?

Reply Score: 1

dylansmrjones Member since: 2005-10-02

The problem is the way it's been reported.

The list could have been assembled in a better way - especially when considering the standard 'serious' journalism (aka sensationalism - the most common form of 'serious' journalism).

The study _is_ confusing and misleading, unless you know how to handle it. The media don't, or do not want to, and misinterpret the list even when they know better.

Put it in the same league as "Ohh noooo another asteroid (or comet or whatever) is going close to the earth - perhaps this one will hit us, ohhhh nooooo" news items.

A certain part of the blame goes to CERT for putting out such a badly assembled list. The only good thing is it affects all OSes in the list ;)

Reply Parent Score: 1

flypig Member since: 2005-07-13

I agree that there is always a danger that a list such as this one will be misinterpreted.

I'm just not sure how CERT could have done it differently. All they did was produce a factual list of vulnerabilities based on the information reported to them. It's just something that CERT does. They did the same thing last year, and maintain a running list as well:

http://www.us-cert.gov/cas/bulletins/index.html

Lists like this are important. It would be kind of absurd if they couldn't be produced just for fear of them being badly misinterpreted by commentators!

Reply Parent Score: 1