On Monday 30 December 2002 16:12, you wrote:
I think the key is Paragraph 4:
"During those same 10 months, only seven security problems were documented in Microsoft products."
What the article does not go into is the severity nor the UNIX breakdown for the 16. Saying 16 were for Linux and Open Source is a pretty broad definition, where Microsoft is a much narrower area.
The article said "Linux software" and "Microsoft products". When you consider that a number of the bugs/problems listed in the CERT advisories apply to both Linux and Windows, they are classified as "Linux software". However, they do not come from Microsoft and are therefore not "Microsoft products". The same bug **should** be counted against Microsoft, but isn't, simply because it was not produced by Microsoft. However, since the software runs on Linux (and is therefore "Linux software") it is counted as a bug against Linux. Also, counting the software bugs as "Linux problems" is like saying the PC-cillin bug is a Windows bug simply because PC-cillin runs **only** on Windows.
I would say, look at the reports, and decide for yourself which is better for you. In particular, read the section on Vendor Information. For example: CA-2002-36 (December, hence not in the report) covers BOTH Unix/Linux/*BSD and MS implementations.
Assuming I made no mistakes, from 1/2002 - 12/2002 and 37 total reports, I get:
<table snipped>
At least 1 of the SSH reports covers MS products, but if SSH is not used in your environment, you eliminate 4 reports that are of concern.
I cannot figure out how the article or Aberdeen came up with these exact numbers, no matter how you look at it. However, check out: http://cooper.stevenson.name/aberdeen.html. This addresses the issue of "absolute" numbers and puts the shoe on the other foot.
Some of the questions I would raise would be:
1) How many MS (and other) incidents are NOT reported?
An obviously key issue here. You can bet that unless MS has to, it will never report a bug that it discovers itself. It will just silently "fix" it in the next service pack.
2) Which community is better at diagnosing and responding to problems?
Obvious, for two reasons. One, we Linux folks typically have more technical skill than the average Windows user. Second, we have the source code.
3) In which area does the functionality YOU need to worry about (either by choice or necessity) have the fewest issues?
Careful. I would rather have 10 different bugs that crash a user's browser than a single virus that propagates via MS Outlook. Numerically fewer is not always better.
4) Which areas would cause your IT group the least grief? Personally, Chat, Email and Web-browsing based vulnerabilities are the most troublesome to me. They are hard to diagnose, hard to find, and virtually impossible to get the general user base to diagnose and report properly. If they even detect it. At least with a BIND flaw, something has to come attack you, directly. Virus problems propagate themselves!
That's the issue: What causes you and your company the most problems?
5) How good are your security people?
Good enough to know that for security relevant issues, we don't rely on Microsoft products.

Regards,

jimmo

--
---------------------------------------
"Be more concerned with your character than with your reputation. Your character is what you really are while your reputation is merely what others think you are." -- John Wooden
---------------------------------------
Be sure to visit the Linux Tutorial: http://www.linux-tutorial.info
---------------------------------------
NOTE: All messages sent to me in response to my posts to newsgroups, mailing lists or forums are subject to reposting.