Re: Security rankings
From: Imhotep (NoSpam_at_nothanks.net)
Date: 04/14/05
- Next message: Roger Abell: "Re: Security Concern In event viewer"
- Previous message: PCR: "Re: 891711/MS05-002 Updated (fixed) for Win9x"
- Maybe in reply to: Imhotep: "Security rankings"
- Next in thread: Galen: "Re: Security rankings"
- Reply: Galen: "Re: Security rankings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 13 Apr 2005 21:54:07 -0700
Galen wrote:
> In news:f8k7e.39881$Xs.17021@fed1read03,
> Imhotep <NoSpam@nothanks.net> had this to say:
>
> My reply is at the bottom of your sent message:
>
>> Is that the best argument you can muster? It happens with other
>> companies so therefore it is alright? You sound like a child "Oh! but
>> dad he did it so why can't I". I do not care if other companies do
>> this. I question the believability. How can you honestly trust any
>> company that pays for so-called research?
>>
>> I originally posted some data taken from over 6,000 plus software
>> engineers. These engineers gathered for a summit to discuss software
>> security. They come from many countries and program for many
>> companies. The information was not paid for. Nobody paid for it.
>> Which research do you believe? Do you still believe the paid for
>> study really has more merit? Please answer this question and do not
>> try to side-step the question again.
>>
>> - Im
>
> 6000 software engineers at a conference sponsored by whom? Who were the
> vendors at said conference? Who was invited to this conference? To deny
> that these events (and studies) are sponsored (and now to borderline
> flame Mr. Moir) is not going to gain you any credibility. As I've said;
> I'm the only person you'll probably EVER meet who's converted from *NIX to
> MS... Who conducted the poll? What was the criteria for people asked to
> fill in the information?
I suggest you read the article....
> Hell hasn't anything to do with this, FUD does...
What is FUD?
> First look tells me that this was the first year for the show. I'm
> bothered by this... "A poll of 6,000+ software developers released today
> shows that Linux consistently tops Microsoft Windows in terms of security.
> The full survey results will be given today (Tuesday, April 12) at the
> Software Security Summit in San Diego, CA."
>
> That's a survey my link was a study. You want to compare the two? Whilst I
> am going to border on political here it wasn't that long ago that George
> W. Bush was shown to be considered an excellent president. Draw your own
> conclusions.
So, you are saying software engineers do not know software engineering?
Certainly, these are qualified people on which to conduct research...Are
you saying they are not? I guess I should go to a marketing "research"
company instead, yes?
>
>
> When you posted your link I didn't fret or bother. I simply resolved to
> show you that there were alternate opinions and that the facts could be
> skewed to show either ahead of the other and that the basic principle was
> that the admin was the basis of security and not the OS.
Well, at least we agree on one item. Yes, policies and procedures do play a
significant role in security...
> You posted a link
> to opinion and now are trying to cite it as fact. This is not an argument
> in my opinion, in fact these people's opinions are based on their
> experiences or the information that they've been given.
Not at all. Again, are you saying that software engineers and software
architects are not significant enough in the software industry to qualify
as intelligent source of information? Are you really saying that?
I did not post this as an opinion. Honestly, I posted because I thought it
was good information that should be shared. That was, originally, my
reason.
Let me tell you a couple of things. Since I posted that article, I have had
people call me a UNIX, I believe it was *NIX, religious zealot. I am still
not sure of exactly what that is....In either case, I have been
implementing design with Microsoft for 15 years. I have implemented many
projects with many vendors. I do not own any stock what-so-ever in any of
the companies. NOTHING. It is funny how people jump all over you, claim you
are something, when you are not, then call you some kind of OS zealot. I
come from, and still am, a Microsoft guy but, I will work with any
solution that gets me the best result. Again, I do not own stock in any of
them...
Since posting the article that has made every, and I will now use the term,
Microsoft zealot, I have been asking just one thing. I want honesty. I
want research that is not purchased.
...and if this is the kind of response I get from my supposedly Microsoft
family, maybe I will start being more of a *NIX guy...
> You can tell me
> that "in your opinion the sky is purple all the time" and I can't argue
> that. That is fact because that's your opinion. The sky is still not
> purple all the time thus your opinion is wrong but it's still your opinion
> and your statement is correct.
Again, read the statement I wrote above. Here I will make it easy on you and
cut-n-paste for you.
So, you are saying software engineers do not know software engineering?
Certainly, these are qualified people on which to conduct research...Are
you saying they are not? I guess I should go to a marketing "research"
company instead, yes?
In conducting any kind of research, honestly, I consider these people more
knowledgeable about software. After all, they are software engineers...
> IN FACT: Careful reading of my post would have shown you that I support
> both *NIX and OpenSource. I think they're fine solutions for people who
> have the time and inclination to explore things beyond the normal
> offerings. Instead of being emotional about it I cite facts and findings
> based on people who are smarter than I. I can do no better considering I'm
> one of the true Microsoft supporters and yet I'm willing to support the
> other options as well.
Well, I am going to look at open source more closely now. However, you
missed my entire point. In fact you totally missed it. I could not care
less about any *NIX vs Microsoft vs Green Cows with large pink tails vs
(well you get the idea). I do not care at all. Never have, probably never
will. What I do care about is the fact that the company I have been
working with so closely for so many years is/has been lying to me....Do you
get it now?
> You cited cars. Okay, we'll use your analogy... The group that does the
> insurance ratings? Do you truly think they're bi-partisan? Of course
> not... They are in control of the current leading political party. Do you
> think Ford, Chevy, or Dodge don't contribute to the major political
> parties? Do you think they don't pay for the advertising in the magazines?
> Come now... Surely you jest if you do claim to believe that. However
> idyllic it's simply not the truth. If you're willing to listen I can go on
> for hours about the Microsoft suits and their previous lack of
> contributions to a political
> party... Had they been willing to pay lump sums of money to the <insert
> your opposite party here> then chances are the suits never would have made
> the Supreme Court and VM would still be available and our computers more
> secure because of it.
Again, you have totally missed the point. Simply saying "Well everyone does
it so why not us Billy-Bob"...Does not cut it. This is an excuse. Hell,
people rob, steal, murder, rape, etc. every day. I guess it is OK then. I now
know it is OK because everyone else is doing it and you said so...
> Anyhow, I digress... If you're going to troll for a reaction then you
> picked the right way to do it. If you're going to come and try to
> influence then you should not point to opinions but rather to facts
> instead. The opinions of 6000+ people mean nothing compared to a study
> performed WITH the methods listed so that you too can perform the same
> studies.
It was 6,000+ SOFTWARE ENGINEERS, not just people. After all, they are the people
who write the software and are more than adequately informed about software
(remember they write it) security...
> While I flag a number of answers and posts to learn I'm afraid
> you don't make that grade but you don't quite make deletion an option
> either.
> I will see this nonsense through for a while and wish, deeply, to
> hear your answers.
I am still waiting for your answers. To date I have not heard one that was
beyond the "Texas two step" dance ...
> Please, when you return, cite facts and truth instead
> of opinions which you're then going to turn
> around and try to claim are facts.
OK, let's review the facts:
1) 6,000 software engineers (not just people, as you seem intent on labeling
them, but the people who write the software) were quizzed about software
security. They rated many things: OSes, databases, desktops, etc, etc, etc
2) Microsoft did not get a good review. In fact they did miserably
These are facts not opinions....
Please read the article and supply some kind of real criticism, instead of
childish comments of "If some are doing it, it must be OK". Or the other, "He
must be some kind of *nix guy". Like to criticize Microsoft you MUST not be
a Microsoft guy. How could anyone criticize them and consider themselves a
"company" guy? This is about as foolish a thing as criticizing the Catholic
church because of the child molesters and being labeled "A Bad Christian"...
Gee, I have given MS 15 years and I am asking for honesty in their data. I
have criticized them for being dishonest and misleading. I guess I am gonna
burn in Hell for blasphemy...
> When you posted your original content
> you posted an interesting site (which I read) about opinions. I gave you
> an alternate source for factual information or at least a study you could
> easily reproduce. Your response has been nothing less than maniacal and
> whilst claiming to be certified has no bearing on your education and I
> request better supported arguments if you feel you can support the
> statements made by 6000+ people you don't know.
Let's compare shall we:
1) I did not see anywhere a tabulation of what security "holes" were found.
None. From the start it makes it suspicious that a security "paper" which
claims an exact number of security holes does not list them. Hummm....
2) Instead there is a link to ICAT. Since the article does not list the holes
found, only the number, I am forced to go to ICAT and search for "Windows"
and "Red Hat". Upon searching for "Windows" the typical security holes are
listed. Nothing new or interesting found. After searching for "Red Hat" I
see some data. I looked closer and I see applications that are not really
Red Hat but instead from third party developers. For example,
Severity: Medium
CAN-2005-0471
Summary: Sun Java JRE 1.1.x through 1.4.x writes temporary files with
long filenames that become predictable on a file system that uses 8.3 style
short names, which allows remote attackers to write arbitrary files to
known locations and facilitates the exploitation of vulnerabilities in
applications that rely on unpredictable file names.
Published Before: 3/14/2005
Severity: Medium
How can SUN's Java be considered a Red Hat flaw? Hummm..How can SUN's Java
be counted as a Red Hat flaw? SUN does not own Red Hat.
Let's look at another:
Medium
CAN-2004-0957
Summary: Unknown vulnerability in MySQL 3.23.58 and earlier, when a
local user has privileges for a database whose name includes a
"_" (underscore), grants privileges to other databases that have similar
names, which can allow the user to conduct unauthorized activities.
Published Before: 2/9/2005
Severity: Medium
How can MySQL be considered a Red Hat flaw? After all, there is no
affiliation between Red Hat and MySQL.
Let's look at another:
CAN-2004-0930
Summary: The ms_fnmatch function in Samba 3.0.4 and 3.0.7 and possibly
other versions allows remote authenticated users to cause a denial of
service (CPU consumption) via a SAMBA request that contains multiple *
(wildcard) characters.
Published Before: 1/27/2005
Severity: Medium
How can SAMBA be considered a Red Hat security vulnerability? True, it does
not run, at least that I know of, on Microsoft but, SAMBA is not affiliated
with Red Hat.
Should I go on? I can go on for many, many more pages....
Please explain to me how your study is more believable when:
1) Microsoft paid for your study
2) Neither Red Hat nor any of the other *NIXes (not even sure if that is a
word, *NIXes) paid for anything related to the other study I posted.
3) When your "paper" was written by one, that's right one person who was
paid, as compared to over 6,000 that were not
4) The paper, and I use the term lightly, only gives the number of security
vulnerabilities but does not even list them
5) The source, ICAT, he used lists third party applications that have
nothing to do with Red Hat, as Red Hat security problems.
6) I can go on here too, but, this is enough for tonight
Please answer my question. Please explain to me how your study is more
believable...
- Imhotep
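The objection raised in the post, that an ICAT search for "Red Hat" returns entries for Sun Java, MySQL and Samba, is at bottom a question of attribution policy: does a vulnerability in a package a distribution ships count against the distribution, or against the upstream project that wrote the code? The following Python script is an added example, not part of the original thread or of either study it argues about. It parses records in the "Severity / CAN id / Summary / Published Before" layout quoted above (the three records are reconstructed from the post), then counts them two ways: everything the search returned, and only what remains after crediting third-party packages to their upstream project. The keyword-to-upstream table is an assumption for illustration, not ICAT or NVD data.

```python
"""Parse ICAT-style vulnerability records and count them under two
attribution policies: 'as listed' (every record a search for the
distribution returns counts against it) versus 'upstream' (records whose
summary names a third-party product are credited to that product).

Added example; not from the original post or either study it discusses.
The records below are constructed from the three entries quoted in the
thread; UPSTREAM_KEYWORDS is an illustrative assumption, not ICAT data.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the three records quoted in the post, in the
# Severity / CAN id / Summary / Published Before layout the post shows.
SAMPLE_RECORDS = """\
Severity: Medium
CAN-2005-0471
Summary: Sun Java JRE 1.1.x through 1.4.x writes temporary files with long filenames that become predictable on a file system that uses 8.3 style short names, which allows remote attackers to write arbitrary files to known locations and facilitates the exploitation of vulnerabilities in applications that rely on unpredictable file names.
Published Before: 3/14/2005

Severity: Medium
CAN-2004-0957
Summary: Unknown vulnerability in MySQL 3.23.58 and earlier, when a local user has privileges for a database whose name includes a "_" (underscore), grants privileges to other databases that have similar names, which can allow the user to conduct unauthorized activities.
Published Before: 2/9/2005

CAN-2004-0930
Summary: The ms_fnmatch function in Samba 3.0.4 and 3.0.7 and possibly other versions allows remote authenticated users to cause a denial of service (CPU consumption) via a SAMBA request that contains multiple * (wildcard) characters.
Published Before: 1/27/2005
Severity: Medium
"""

# Assumed mapping (illustrative only): a keyword in the summary -> the
# upstream project that owns the code. Unmatched records are credited to
# the distribution that was searched for.
UPSTREAM_KEYWORDS = {
    "java": "Sun Java",
    "mysql": "MySQL",
    "samba": "Samba",
}

ID_RE = re.compile(r"^(CAN|CVE)-\d{4}-\d{4,}$")


def parse_records(text):
    """Split blank-line-separated ICAT-style text into record dicts."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {"id": None, "severity": None, "summary": None, "published": None}
        for line in chunk.splitlines():
            line = line.strip()
            if ID_RE.match(line):
                rec["id"] = line
            elif line.startswith("Severity:"):
                rec["severity"] = line.split(":", 1)[1].strip()
            elif line.startswith("Summary:"):
                rec["summary"] = line.split(":", 1)[1].strip()
            elif line.startswith("Published Before:"):
                rec["published"] = datetime.strptime(
                    line.split(":", 1)[1].strip(), "%m/%d/%Y").date()
        if rec["id"] is None or rec["summary"] is None:
            raise ValueError("malformed record: %r" % chunk[:40])
        records.append(rec)
    return records


def attribute(record, distro):
    """Return the upstream project named in the summary, else the distro."""
    summary = record["summary"].lower()
    for keyword, upstream in UPSTREAM_KEYWORDS.items():
        if keyword in summary:
            return upstream
    return distro


def count_by_policy(records, distro):
    """Counts under both policies: all records vs. only the distro's own code."""
    by_upstream = Counter(attribute(r, distro) for r in records)
    return {
        "as_listed": len(records),
        "distro_own": by_upstream[distro],
        "by_upstream": dict(by_upstream),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(count_by_policy(recs, "Red Hat"))
    # {'as_listed': 3, 'distro_own': 0, 'by_upstream': {'Sun Java': 1, 'MySQL': 1, 'Samba': 1}}
```

Run against the three quoted records, "as listed" gives 3 and "distro's own code" gives 0; the gap between those two numbers is exactly the methodological choice a count-of-vulnerabilities study needs to state, and the point either side of this thread should be asking the authors to disclose.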