Full Disclosure mailing list archives

Re: Re: Funny article


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Thu, 13 Nov 2003 03:20:14 +0100


David Maynor wrote:

> Mikael Olsson wrote:
> > counting bugs in
> > the most commonly used [apps] is most certainly reasonable.
>
> What about apps that run on both windows and linux?

If it's a common enough app to count, its vulnerability count
should of course be included in both totals.  That was my point.

> When you start
> counting 3rd party apps in the equation, you are throwing a horrible
> slant into the mix. This is similar to getting a new 3rd party part for
> your car then blaming the carmaker when that part fails. Microsoft needs
> to include things like apache because they make both their OS and the
> webserver, so a comparison of security flaws broken down by responsible
> groups would make Microsoft look horrible.

I'm sorry to disappoint you, but the script kiddies don't care
about zealotry. I have yet to hear one say "Oh, this is a Linux
box, so I can't use this Apache bug to own it. That'd be rong."

If I expose N attack vectors, I want the vulnerability counts for 
all those vectors nicely summed up for platform options A, B and 
C before I choose which platform to use.

Saying "the linux kernel has only foo bugs while every microsoft
app combined has foo^3 bugs" makes no sense in a security 
discussion. You don't read mail or serve web pages with a kernel.


Again, I suspect we're in violent agreement on the platform of
choice for all relevant areas of use, but I prefer to make my
choices on _relevant_ facts, and so, I suspect, does the
majority of security-conscious people.

Publishing an _unbiased_ report of total vulnerability counts 
for two or more OSes, with common apps installed, is a service
to admins everywhere.  (And no, I _really_ don't think comparing 
RH6 with W2K3 is "unbiased". I think it stinks.)


Regards,
/Mikael

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

