www.IRC-Junkie.org Forum Index
Humor at all levels

katsklaw



Joined: 03 Nov 2004
Posts: 128
Location: irc.nfinate-irc.org

Posted: Sat Nov 06, 2004 6:54 pm    Post subject: Humor at all levels

While scrolling through some news tidbits I cruised through several links in various places like www.IRC-Junkie.org and Slashdot. I came across something I had seen earlier but had yet to actually read until now.

Microsoft has a website called Get The Facts. I have yet to read a good portion of the site; however, I stumbled across "Windows Users Have Fewer Vulnerabilities", which in my opinion is not exactly true. It talks about how Microsoft "On average, Microsoft had a fix available 25 days after a security issue was publicly disclosed." Which is not exactly great, since if there was a high-risk vulnerability, that gives crackers and script kiddies nearly a month to exploit 90% of the internet users, this of course being after the undisclosed time that the software is vulnerable before it becomes public knowledge. I commend Microsoft for being "... the only vendor to have corrected 100% of the publicly known flaws during the study's time period." However, I find 25 days far too long. It makes me wonder what they actually do with the ever-increasing license fee. Perhaps they should take back some of Bill Gates's $100B empire and hire a few more coders and cut that time drastically. Instead they invest it in product key tracking to ensure they get every penny they are entitled to .. but that's another story.

The website states that the study was done by 3rd parties. However, it was no surprise to find that none of the data from other vendors was disclosed. I also find it amusing that the "facts" did not include that OpenBSD has had only 1 remote hole in 8 years versus the amount of Windows updates that are available for Microsoft's Windows XP, nor did they mention that Apple's OS X, which also happens to be BSD based, has a perfect track record. It seems to me that Microsoft only wants you to know the "facts" they want you to know instead of the whole report. Perhaps they simply "forgot" to evaluate any BSD products in the first place.



Asmo
Site Admin


Joined: 26 Oct 2004
Posts: 675
Location: Undernet

Posted: Sun Nov 07, 2004 9:47 am

Hehe, marketing talk :) And people without too much technical knowledge (read: often the people who make the decisions on what OS to go for), often will believe such 'independent third party' research ...
_________________
Asmo

webmaster www.IRC-Junkie.org
katsklaw



Joined: 03 Nov 2004
Posts: 128
Location: irc.nfinate-irc.org

Posted: Sun Nov 07, 2004 7:05 pm

Agreed, I'm not claiming the 3rd party test is fake .. I am claiming that it appears M$ used only the portions they wanted, which in my opinion nullifies the study.
codemastr



Joined: 27 Oct 2004
Posts: 23
Location: United States

Posted: Sun Nov 07, 2004 9:20 pm

Quote:
I also find it amusing that the "facts" did not include that OpenBSD has had only 1 remote hole in 8 years

Yeah, it's a good thing the facts didn't include that, because it's an outright lie :)

You see, OpenBSD is like Microsoft nowadays. OpenBSD has TONS of security issues. However, they use a very precise definition of what exactly a security hole is. You will notice their site always says "in the default install." That's the key. The default install basically disables anything that could potentially have a security hole. For example, think of it this way. MS, by default, decides to disable IE, Outlook Express, File sharing, ICS, and many other features. Then MS declares that it has "no security holes in the default install" even though there are hundreds of security holes in IE and OE alone. That's what OpenBSD does, except they even go one step further. Like for example, OpenSSH is enabled by default. Doing a vulnerability search on securityfocus.com, I found 43 in OpenSSH. So how do they have only 1 remote hole in 8 years if OpenSSH (which is made by the OpenBSD people, btw) had 43? It's simple, those bugs were in features that were disabled by default. For example, there was a bug in PAM in OpenSSH, it allowed remote access. However, PAM was turned off by default. So even if the program is enabled by default, if the feature is not, they still don't consider that "serious." On the other hand, MS counts any remote hole as a serious problem. I like MS's way much better. I'd rather a company tell me the truth and say "we've had 1234 exploits" than a company manipulate it to say "we've only had 1" even though there are hundreds.

Just to prove my point, look at http://secunia.com/product/100/
It shows that from 2003-2004, 44 problems were found in OpenBSD. Out of those 44, 25% (11) were considered high or extremely high in danger. If you go through and read their report, you'll clearly see that 1 remote exploit is a total lie. So I'll take MS telling me the truth over OpenBSD lying any day.
_________________
-- codemastr
Certus



Joined: 09 Nov 2004
Posts: 1

Posted: Tue Nov 09, 2004 5:28 pm

Not exactly the same issue, but not off topic:

http://www.sdtimes.com/opinions/guestview_113.htm
All times are GMT + 1 Hour