Message-ID: <3FB2EA5E.320DF631@clavister.com>
Date: Thu, 13 Nov 2003 03:20:14 +0100
From: Mikael Olsson <mikael.olsson@...vister.com>
To: David Maynor <dave@...yspray.com>
Cc: dphull@...edu, martin f krafft <madduck@...duck.net>,
bugtraq@...urityfocus.com,
full-disclosure people <full-disclosure@...ts.netsys.com>
Subject: Re: Re: Funny article
David Maynor wrote:
>
> Mikael Olsson wrote:
> > counting bugs in
> > the most commonly used [apps] is most certainly reasonable.
> >
>
> What about apps that run on both windows and linux?
If it's a common enough app to count, its vulnerability count
should of course be included in both totals. That was my point.
> When you start
> counting 3rd party apps in the equation, you are throwing a horrible
> slant into the mix. This is similar to getting a new 3rd party part for
> your car then blaming the carmaker when that part fails. Microsoft needs
> to include things like apache because they make both their OS and the
> webserver, so a comparison of security flaws broken down by responsible
> groups would make Microsoft look horrible.
I'm sorry to disappoint you, but the script kiddies don't care
about zealotry. I have yet to hear one say "Oh, this is a Linux
box, so I can't use this Apache bug to own it. That'd be rong."
If I expose N attack vectors, I want the vulnerability counts for
all those vectors nicely summed up for platform options A, B and
C before I choose which platform to use.
Saying "the linux kernel has only foo bugs while every microsoft
app combined has foo^3 bugs" makes no sense in a security
discussion. You don't read mail or serve web pages with a kernel.
Again, I suspect we're in violent agreement on the platform of
choice for all relevant areas of use, but I prefer to make my
choices on _relevant_ facts, and so, I suspect, does the
majority of security-conscious people.
Publishing an _unbiased_ report of total vulnerability counts
for two or more OSes, with common apps installed, is a service
to admins everywhere. (And no, I _really_ don't think comparing
RH6 with W2K3 is "unbiased". I think it stinks.)
Regards,
/Mikael
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html