Tugger the SLUGger!SLUG Mailing List Archives

[chat] Re: [SLUG] Take 1.5 hrs to learn why linux sucks. ;)


Moving this to slug-chat.

On Fri, 2003-07-11 at 17:56, Michael Lake wrote:
> I read...
> - "Linux has had more vulnerabilities during 2002 than all versions of 
> Microsoft OSs combined"
> - "Linux and Solaris have significantly more CERT advisories in 2002 
> than all Microsoft software combined"
> 
> There are no specific references to back up these statements - just 
> general refs at the end of the section. What's the real situation? 
> Certainly I saw that SP$ for Win 2000 that I have at work has hundreds 
> of security patches listed for that, so how are they juggling figures to 
> come out with statements like that?

Yeah, see, I see that as a good thing. Perhaps I'm cynical, but I
suspect that most software has more bugs than the people who secure it
know about. What the statement really says is that there are more holes
that have been *found* in Linux etc. I know that Microsoft spent a huge
amount of money securing Windows 2k3, to really fix problems that were
in Windows 2000.

I'm not trying to say that either development model is better in this
regard -- I have my opinions on that. What I am saying is that the
statement works both ways.

I suppose the other question is whether or not a hole that hasn't been
found is a hole at all. You also need to remember that the real security
is the job of the administrators and the users of a system, not a piece
of software.

The reason it has been pointed out of course is that numbers sound good
to management. They're writing stuff that appeals to their target
audience, that's just good marketing.

James.