Free Republic
Browse · Search
News/Activism
Topics · Post Article

Friday tech junkie post for fun and interesting conversation hopefully. I was appalled that anyone would think Linux, Unix and Apple OS's could be flawed in any way. Maybe shocked and perhaps a little saddened would be a more apt description of how I felt.
1 posted on 11/15/2002 8:18:56 AM PST by AdA$tra


To: rdb3; Knitebane
Ima hollerin'
2 posted on 11/15/2002 8:20:04 AM PST by AdA$tra

To: AdA$tra
What you bet Micro$oft paid for the study to be done, and for the results that they wanted?
3 posted on 11/15/2002 8:20:38 AM PST by mhking

To: Bush2000
Ping!
5 posted on 11/15/2002 8:23:46 AM PST by TomServo

To: AdA$tra
OpenBSD - www.openbsd.org. One security hole in the default install - in the last six years.
7 posted on 11/15/2002 8:45:00 AM PST by ikka

To: AdA$tra
Microsoft had no NEW advisories in the period selected while Linux had two. But how many existing unresolved MS advisories from before that period are still out there? And what's the average resolution time for open-source issues vs. MS issues?

When a story highlights one bad data point like this, without context, it sounds like a Democrat attack ad. "Congressman Joe Linux never once denied his barnyard dalliances. Not once. Call Joe Linux and ask him why he won't tell the truth about romance with barnyard animals?"
8 posted on 11/15/2002 8:48:32 AM PST by Norman Conquest

To: AdA$tra
No new advisories in the first 10 months? I must have been dreaming when I go to windowsupdate every month and see new updates for some security problem.
Does the open source include Sendmail and BIND bugs? IMHO, those should be thrown out of the count as they are the buggiest pieces of junk on a Linux system. Well that and WU-FTP.
9 posted on 11/15/2002 8:57:09 AM PST by lelio

To: AdA$tra
There are different sets of definitions being used here. Included under Linux flaws are all flaws found in all applications used with Linux. To get a more accurate comparison, all applications used with Microsoft systems should be included as Microsoft flaws. Unfortunately, there is no mechanism for effectively collecting data on such "Microsoft" flaws.
11 posted on 11/15/2002 9:08:01 AM PST by per loin

To: AdA$tra
Linux sucks. Always has, probably always will. Like it or not Windows 2000 Professional is all-around the hands down best operating system in existence.
14 posted on 11/15/2002 9:16:24 AM PST by That Subliminal Kid

To: AdA$tra
If they only look at CERT releases, of course the sample will be flawed. Maybe they should take a look at bugtraq and nt-bugtraq as a more representative sample. That sample will also be flawed, but it will be a wider sample.

"Counting bugs" isn't useful IMO.

Perhaps if the bugs were weighted by total systems vulnerable as well as ease of exploiting the bug, you might get a useful metric. Useful for what I'm not sure, but it's better than counting the number of bugs.

22 posted on 11/15/2002 9:55:51 AM PST by cryptical

To: AdA$tra
Yes, I saw some Microsoft vulnerabilities there that Aberdeen apparently missed, and one for Oracle.

From the above article.

The Aberdeen report "missed" some MS vulns.

This is funny stuff! :(|)

And some people wonder why MS has such a bad rep.

25 posted on 11/15/2002 10:15:06 AM PST by Dominic Harr

To: AdA$tra
Here is what happens in the REAL WORLD, not in the world of "theoretical vulnerabilities", particularly those which require an inside job to trigger:

From SANS Institute newsletter #046

--6 November 2002 Bermudan Bank Site Defaced

Hackers may have exploited a Microsoft operating system to deface two Bermudan websites, including that of the Bank of Butterfield. Bank officials say no customer data was compromised. The site hosts are recommending that their clients who work with data that needs to be protected switch to their Unix based hosting platform. [Here is the article]

[Editor's Note (Schultz): The recommendation in this news item should add a considerable amount of fuel to the "whose operating system is most secure" debate.]

26 posted on 11/15/2002 10:20:40 AM PST by chilepepper

To: AdA$tra
Well, I do concede that all OS's are vulnerable to illicit activity, no matter how well built and designed (i.e., no lock is perfect). My own personal experience of running networked machines for the past decade does not agree at all that Unix is less secure in any way than Windows. I personally have had to deal with 1 act of vandalism against a Unix machine that was not allowed (honey pot) in nature, and that was due to a failed firewall that let traffic through a port it should not have, and even then the script kiddie who tried to do it was so unbelievably stupid and careless that it was obvious within 1 minute the system had been compromised.

I have had to spend more time keeping my networks from being overrun by Code Red packets, and perpetually updating IIS for security flaw after security flaw, than I have successful Unix/Linux attacks. I commend MS if they did pass this test, I just hope that they start shipping their software configured in such a way that Joe Public can expect reasonable security out of the box.



35 posted on 11/15/2002 11:44:50 AM PST by HamiltonJay

To: AdA$tra
I run Red Hat Linux 7.3 and WindowsXP both at home, and I have to tell you, I have received more security notices through Red Hat's auto-update notification service than I have WindowsXP in the last 6 months.

I'd have to go back through my email, but I probably get 2-4 RedHat Linux security fix notices a month, vs. the 2-3 that I've received from WinXP in the last .. 6 months?

Far as I'm concerned, it doesn't really matter which OS you run, they *all* have security holes & patches. Some more than others, but they all do.

59 posted on 11/15/2002 1:23:01 PM PST by usconservative

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson