Message-ID: <3FB2EA5E.320DF631@clavister.com>
Date: Thu, 13 Nov 2003 03:20:14 +0100
From: Mikael Olsson <mikael.olsson@...vister.com>
To: David Maynor <dave@...yspray.com>
Cc: dphull@...edu, martin f krafft <madduck@...duck.net>, bugtraq@...urityfocus.com, full-disclosure people <full-disclosure@...ts.netsys.com>
Subject: Re: Re: Funny article

David Maynor wrote:
>
> Mikael Olsson wrote:
> > counting bugs in
> > the most commonly used [apps] is most certainly reasonable.
> >
>
> What about apps that run on both windows and linux?

If it's a common enough app to count, its vulnerability count should of
course be included in both totals. That was my point.

> When you start
> counting 3rd party apps in the equation, you are throwing a horrible
> slant into the mix. This is similar to getting a new 3rd party part for
> your car then blaming the carmaker when that part fails. Microsoft needs
> to include things like apache because they make both their OS and the
> webserver, so a comparison of security flaws broken down by responsible
> groups would make Microsoft look horrible.

I'm sorry to disappoint you, but the script kiddies don't care about
zealotry. I have yet to hear one say "Oh, this is a Linux box, so I can't
use this Apache bug to own it. That'd be rong."

If I expose N attack vectors, I want the vulnerability counts for all
those vectors nicely summed up for platform options A, B and C before I
choose which platform to use.

Saying "the linux kernel has only foo bugs while every microsoft app
combined has foo^3 bugs" makes no sense in a security discussion. You
don't read mail or serve web pages with a kernel.

Again, I suspect we're in violent agreement on the platform of choice for
all relevant areas of use, but I prefer to make my choices on _relevant_
facts, and so, I suspect, does the majority of security-conscious people.

Publishing an _unbiased_ report of total vulnerability counts for two or
more OSes, with common apps installed, is a service to admins everywhere.

(And no, I _really_ don't think comparing RH6 with W2K3 is "unbiased". I
think it stinks.)

Regards,
/Mikael

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com