Date: Thu, 13 Nov 2003 07:50:44 -0500
From: David Maynor <dave@...yspray.com>
To: Mikael Olsson <mikael.olsson@...vister.com>
Cc: dphull@...edu, martin f krafft <madduck@...duck.net>,
   bugtraq@...urityfocus.com,
   full-disclosure people <full-disclosure@...ts.netsys.com>
Subject: Re: Re: Funny article


On Thu, Nov 13, 2003 at 03:20:14AM +0100, Mikael Olsson wrote:
> I'm sorry to disappoint you, but the script kiddies don't care
> about zealotry. I have yet to hear one say "Oh, this is a Linux
> box, so I can't use this Apache bug to own it. That'd be rong."
> 
I don't think anybody said a Linux box can't be owned with an Apache
flaw. My argument for counting bugs is that they should be counted against the
people who actually WROTE the code. In Microsoft's case it is because
they wrote IIS, 2000/XP/2003, and Exchange. In contrast, the Linux kernel
project just wrote the kernel. It sounds like you want a list of
open source bugs vs. Microsoft bugs.

> Saying "the linux kernel has only foo bugs while every microsoft
> app combined has foo^3 bugs" makes no sense in a security 
> discussion. You don't read mail or serve web pages with a kernel.
> 
No one is saying this. To be truly useful, a list of bugs should be done
by developer, not by instance of software. This will help establish
trends in my software development practices.

> Publishing an _unbiased_ report of total vulnerability counts 
> for two or more OSes, with common apps installed, is a service
> to admins everywhere.  (And no, I _really_ don't think comparing 
> RH6 with W2K3 is "unbiased". I think it stinks.)
> 
I think blaming OS developers for code they didn't write nor have any
control over isn't unbiased. It would be a different story if it was a
flaw in something like redhat-update. That is clearly a Red Hat bug, but
that is still not a Linux bug.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
