Examining Secunia Unpatched Warnings

Submitted by Ricus, 2007-01-18
Privacy, Security

“Security, perception, reality. What security professional hasn’t struggled with the gaps between those three things? Is there anything worse for security than a false sense of security?” And part II.

About the author: Thom Holwerda

7 Comments

2007-01-19 12:09 am, david-craig

I was very disappointed with this article as it seems to demonstrate the typical attitude of lazy reporting often seen in IT blogs posing as journalism.

Part one disparaged Secunia’s reporting of vulnerabilities, asking the reader to return later for the evidence. Part one seemed like little more than an advertisement for part two.

While promised that part two would “explore methods for getting an accurate view of publicly disclosed, but unpatched vulnerabilities in products on any given day or over periods of time”, I found no such exploration. I did find another advertisement for “a paper” that is being written.

However, the element that most annoyed me was the lack of evidence to support the accusations regarding Secunia’s database. Rather than evaluating a large number of possible vulnerabilities that may have affected a number of different products and comparing them against the information provided by Secunia, one product and one exploit is examined. The result of this examination is that the product *might* have been affected by it. In other words, the author has no evidence whatsoever.

What I find most frustrating is that the author may very well be correct in his assumptions. He failed, however, to do the necessary work to prove (or even present a reasonable level of supporting information to back up) his claims.

2007-01-19 1:05 am, flanque

I agree. That’d constitute too much effort for a blogger.
Edited 2007-01-19 01:06

2007-01-19 1:06 am, sbergman27

“””I was very disappointed with this article as it seems to demonstrate the typical attitude of lazy reporting often seen in IT blogs posing as journalism.”””

Bravo! I, too, am growing weary of this “anyone can be a journalist and all you need is a web host and some blog software and a good solid gripe against someone” world. I’m even more weary of the “news” sites that seem to consider the resultant editorial tripe posing as real journalism to be newsworthy.

If the guy had some real evidence and presented it, that would be great. But suggestion and innuendo intermixed with a bunch of “next week, I’m gonna…” is idle chatter, not news. Can this guy until he actually has something of substance to report.

2007-01-19 8:48 pm, jrjones

Gee, you guys have no sense of drama. It’s a blog, not an article. It’s in 3 parts because I a) work on it in my spare time, and b) didn’t want a single post to be too long.

Anyway, Part 3 is up and does have charts/numbers, as some folks have asked for.

http://blogs.technet.com/security/archive/2007/01/19/exposed-examin… or just http://blogs.technet.com/security

Jeff

2007-01-19 5:35 am, Soulbender

“Is there anything worse for security than a false sense of security?”

Yes, uninformed and contentless tripe like these two “articles”.

2007-01-19 9:44 am, renox

I agree, too bad we cannot dis-recommend this story, a waste of time.

2007-01-19 3:53 pm, Tuishimi

re: renox… That’s a good idea. Perhaps there should be a thumbs-up AND a thumbs-down button. No numeric ratings, just a count of clicked thumbs, the higher number being visible next to the article in the list.