Re: Security rankings

From: Imhotep (NoSpam_at_nothanks.net)
Date: 04/13/05


Date: Tue, 12 Apr 2005 23:40:17 -0700

Roger Abell wrote:

> "Imhotep" <NoSpam@nothanks.net> wrote in message
> news:Bf27e.38821$Xs.13956@fed1read03...
>> Galen wrote:
>>
>> > In news:MO_6e.38795$Xs.27418@fed1read03,
>> > Imhotep <NoSpam@nothanks.net> had this to say:
>> >
>> > My reply is at the bottom of your sent message:
>> >
>> >> An interesting article...
>> >>
>> >> http://lwn.net/Articles/131788/
>> >
>> > Interesting, recently I've been ranting about this:
>> >
>> > Security Pipeline | Report: Linux Vulnerabilities More Numerous ...:
>> > http://www.securitypipeline.com/159904465
>>
>> Your report has this header:
>> "The report was Microsoft-funded, but researchers are providing the full
>> methodology and challenging Linux advocates to prove them wrong"
>>
>> Anything, that is sponsored by the entity that is being evaluated is not
>> worth reading....
>>
>
> That is just not so. DoE, DoD, NSF, etc. do this all of the time.

First, I worked for the DoE for many years. Second, the DOE, or any other
government agency, does sponsor critiques of itself; this is true. However,
they are not a company. They do not have competitors... I do not see your
comparison/comment as being even remotely valid...
 
> MS folks spent time going out of their way attempting to devise
> and soliciting input/comments about a methodology that would
> yield a little more validity than has been current in the "popular
> ePress", and the researchers right up front disclose the funding.

Not all of the time they do not. It usually comes out after a couple of
days. And who do you think you are talking to with the "MS Folks" stuff? I
work in the industry, have for many years, and I am also an MS, Linux,
Cisco, Nortel, Solaris, Firewall-1, etc., etc. "folk" also...

> That the popular media is so fond of speaking of "more secure",
> as if they have a valid metric for that, is a sign that they really
> do not have a clue.

First, calm the hell down. Second, the "folks" that wrote that, if you bother
to read it, were technical folks, not some journalist getting third-hand
information... like most of them are. These were real technical people. I
suggest you actually take the time and read the article before you comment.

> As already mentioned in this thread, it is
> not just properties of the software involved (how does it do in
> facilitating security, i.e. is it securable) but also, and arguably
> more importantly, it is the patterns of configuration and usage
> that combine to determine the degree to which something is
> secure. Even then, there is a missing object: secure from or
> against what?

Sure. It is the sum of everything. Starting with the software (including the
OS) to the policies and procedures that define how the administration will
be handled to the peripheral equipment and more....much more.

> MS has just attempted to provide a methodology that "flattens"
> out some discrepancies that result in comparisons due to the
> way vulnerabilities are reported and/or their patches bundled.

I am not sure what you are trying to get at here. Can you give an
example?

I know for a fact that people have reported security holes to MS. They
verified it and have done nothing (going on 6 months now). These are very
significant security holes...

> The attitude that something funded by those reviewed makes the
> result of null and void value seems only like a way to avoid the
> challenge of taking the methodology to task. In a way it is a
> statement of foolishness, not reviewing to see if there is a better
> mouse trap included.

Sorry, but I totally disagree. Any time a commercial entity sponsors a
comparison between itself and its competitors, it is invalid. I do not care
who the entity is. It can be Ford, Chevy, Sun, Sony. I do not care.
Furthermore, you seem like an intelligent person. To debate this point I
have to ask why? It is just too obvious for me to even bother pointing it
out...

> I for one hope that the popular ePress take up the example and
> see how flawed some of their evocative articles over the past
> year have actually been.

The article that I posted came from The Software Security Summit, which is a
group of software developers that meet every year to talk about software
security. These were their findings. Again, this was not from some reporter
working at an "epress" as you put it. Damn, read the article, please, before
you post......

- Im

>> > See also:
>> >
>> > http://www.google.com/search?hl=en&q=linux+has+more+vulnerabilities+than+windows
>> >
>> > It's not the OS but the practices that make it insecure. Ironically, I
>> > say that in defense of Linux. <g>
>>
>> You are correct. Good security practices make a huge difference. However,
>> the OS and applications are equally significant...Why do you say
>> "Ironically, I say that in defense of Linux"?
>>
>> > Galen
>>
>> - Im
>
