Full Disclosure mailing list archives
Re: Re: Funny article
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Thu, 13 Nov 2003 03:20:14 +0100
David Maynor wrote:
> Mikael Olsson wrote:
> > counting bugs in the most commonly used [apps] is most certainly reasonable.
>
> What about apps that run on both windows and linux?
If it's a common enough app to count, its vulnerability count should of course be included in both totals. That was my point.
> When you start counting 3rd party apps in the equation, you are throwing a horrible slant into the mix. This is similar to getting a new 3rd party part for your car then blaming the carmaker when that part fails. Microsoft needs to include things like apache because they make both their OS and the webserver, so a comparison of security flaws broken down by responsible groups would make Microsoft look horrible.
I'm sorry to disappoint you, but the script kiddies don't care about zealotry. I have yet to hear one say "Oh, this is a Linux box, so I can't use this Apache bug to own it. That'd be rong."

If I expose N attack vectors, I want the vulnerability counts for all those vectors nicely summed up for platform options A, B and C before I choose which platform to use.

Saying "the linux kernel has only foo bugs while every microsoft app combined has foo^3 bugs" makes no sense in a security discussion. You don't read mail or serve web pages with a kernel.

Again, I suspect we're in violent agreement of the platform of choice for all relevant areas of use, but I prefer to make my choices on _relevant_ facts, and so, I suspect, does the majority of security-conscious people. Publishing an _unbiased_ report of total vulnerability counts for two or more OSes, with common apps installed, is a service to admins everywhere. (And no, I _really_ don't think comparing RH6 with W2K3 is "unbiased". I think it stinks.)

Regards,
/Mikael

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html