Date: Thu, 13 Nov 2003 03:20:14 +0100
From: Mikael Olsson <>
To: David Maynor <>
Cc:, martin f krafft <>,,
   full-disclosure people <>
Subject: Re: Re: Funny article

David Maynor wrote:
> Mikael Olsson wrote:
> > counting bugs in
> > the most commonly used [apps] is most certainly reasonable.
> >
> What about apps that run on both windows and linux? 

If it's a common enough app to count, its vulnerability count
should of course be included in both totals.  That was my point.

> When you start
> counting 3rd party apps in the equation, you are throwing a horrible
> slant into the mix. This is similar to getting a new 3rd party part for
> your car then blaming the carmaker when that part fails. Microsoft needs
> to include things like apache because they make both their OS and the
> webserver, so a comparison of security flaws broken down by responsible
> groups would make Microsoft look horrible.

I'm sorry to disappoint you, but the script kiddies don't care
about zealotry. I have yet to hear one say "Oh, this is a Linux
box, so I can't use this Apache bug to own it. That'd be rong."

If I expose N attack vectors, I want the vulnerability counts for 
all those vectors nicely summed up for platform options A, B and 
C before I choose which platform to use.

Saying "the linux kernel has only foo bugs while every microsoft
app combined has foo^3 bugs" makes no sense in a security 
discussion. You don't read mail or serve web pages with a kernel.

Again, I suspect we're in violent agreement on the platform of
choice for all relevant areas of use, but I prefer to make my 
choices on _relevant_ facts, and so, I suspect, does the 
majority of security-conscious people.  

Publishing an _unbiased_ report of total vulnerability counts 
for two or more OSes, with common apps installed, is a service
to admins everywhere.  (And no, I _really_ don't think comparing 
RH6 with W2K3 is "unbiased". I think it stinks.)


Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW:
