Re: Security rankings

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/14/05


Date: Thu, 14 Apr 2005 00:59:23 -0700


"Imhotep" <NoSpam@nothanks.net> wrote in message
news:OHn7e.1343$fP5.1217@fed1read03...
> Roger Abell wrote:
>
> >
> > "Imhotep" <NoSpam@nothanks.net> wrote in message
> > news:S837e.38833$Xs.11011@fed1read03...
> >> Roger Abell wrote:
> >>
> >> > "Imhotep" <NoSpam@nothanks.net> wrote in message
> >> > news:Bf27e.38821$Xs.13956@fed1read03...
> >> >> Galen wrote:
> >> >>
> >> >> > In news:MO_6e.38795$Xs.27418@fed1read03,
> >> >> > Imhotep <NoSpam@nothanks.net> had this to say:
> >> >> >
> >> >> > My reply is at the bottom of your sent message:
> >> >> >
> >> >> >> An interesting article...
> >> >> >>
> >> >> >> http://lwn.net/Articles/131788/
> >> >> >
> >> >> > Interesting, recently I've been ranting about this:
> >> >> >
> >> >> > Security Pipeline | Report: Linux Vulnerabilities More Numerous...:
> >> >> > http://www.securitypipeline.com/159904465
> >> >>
> >> >> Your report has this header:
> >> >> "The report was Microsoft-funded, but researchers are providing the full
> >> >> methodology and challenging Linux advocates to prove them wrong"
> >> >>
> >> >> Anything that is sponsored by the entity that is being evaluated is not
> >> >> worth reading....
> >> >>
> >> >
> >> > That is just not so. DoE, DoD, NSF, etc. do this all of the time.
> >>
> >> First I worked for the DoE for many years. Second, the DOE, or any other
> >> government agency, does sponsor critiques of itself, this is true. However,
> >> they are not a company. They do not have competitors...I do not see your
> >> comparison/comment as being even remotely valid...
> >>
> >
> > In point of fact there is often quite a bit of internal competition for
> > continued funding between those evaluated.
>
> Please, do you really think the DoE is going to replace the DoD? You worked

Of course not. I meant competition by the parts of each within their own
little (yea, right!) silo. Two research projects in DoE are competing for
a pool of funds. They are rated by DoE sponsored review process. etc.

The gov then turns this model over into the commercial sector, such as
in the research and trial study requirements for drugs. The pharmaceutical
companies pay for the research and own the results. They choose to sit
on these or make them available to the FDA for review to get a drug blessed (but
the results remain not in the public record).

> there, as did I. There is a lot of competition but they both have their
> "piece of the pie". This argument is so flawed that continuing this line of
> thought is pointless...they are governmental agencies not companies. They
> are not governed by market shares, sales quotas, etc. After all, if they
> were a real company they would be out of business. You know what I mean...
>

and on our dime too!

> >> > MS folks spent time going out of their way attempting to devise
> >> > and soliciting input/comments about a methodology that would
> >> > yield a little more validity than has been current in the "popular
> >> > ePress", and the researchers right up front disclose the funding.
> >>
> >> Not all of the time they do not. It usually comes out after a couple of
> >> days. And who do you think you are talking to with the "MS Folks" stuff?
> >> I
> >
> > "MS folks" was an attempt to be more polite than saying the
> > more common "softies" term, meaning the MS employees that
> > drove the evolution of the methodology.
> >
> >> work in the industry, have for many years, and I am also a MS, Linux,
> >> Cisco, Nortel, Solaris, Firewall-1, etc, etc "folk" also...
> >>
> >
> > yes, but a different "folk"
>
> I am a regular "folk". I am neither interesting nor entertaining...y'all
>
> >> > That the popular media is so fond of speaking of "more secure",
> >> > as if they have a valid metric for that, is a sign that they really
> >> > do not have a clue.
> >>
> >> First calm the hell down.
> >
> > I can assure you that I am quite calm
> >
> >> Second, the "folks" that wrote that, if you bother
> > again, different "folks", and also different "that"
> > I was not commenting on "this" article.
> > I was making a broad statement of what I have seen in the
> > less-than-technical popular epress - the secondary, journalistic
> > article generation industry that in my estimation has published
> > many rather uncritical comments about security over the past
> > year or so. Yes, I am not making an absolute statement for all,
> > but a generalization (with all comprehension of the limits of
> > validity generalizations hold), that there has been too, too much
> > parroting and uncritical "thought" spewed about with terms like
> > "more secure".
>
> First, some "e-magazines" are not technical.

That is an understatement.
That section of the press I was describing as "popular"

> You are correct. However, many
> of them are.

Yes, thankfully. It would be interesting to see the distribution of
admins, IT mgmt, CIOs, etc. amongst the different type of info
sources !!

> You should not make such a broad statement like that. You
> should, in fact, reduce your scope to the particular "e-magazine" in

That is IMO not an appropriate, nor financially healthy, thing to
do in this public forum.

> question. After all how many real, so-called, computer magazines are there
> that are 50% advertisements, 25% semi-technical articles and 25% fluff? Many.
> Too much in fact...Comparisons/critiques should be done individually.
>

Fair comment. Again, I was speaking of the "popular" ePress.
I was trusting in the readership to have a concept of just what
fragment of e-* information sources that was meant to indicate.

> >> to read it, were technical folks not some journalist getting third hand
> >> information...like most of them are. These were real technical people. I
> >> suggest you actually take the time and read the article before you
> > comment.
> >>
> >
> > again, you assume the wrong "that"
>
> Not sure what you mean by "that" :-)
>

You are defending the authors of the article at the posted URL (i.e. wrong "that").
I was speaking of hope that publication of alternative methodologies
for getting real measurables, i.e. something more than gut-feel warm
and fuzzies, be put into use in the populist articles blasted about as
attention getters (yeah, yeah, I generalize again).

> >> > As already mentioned in this thread, it is
> >> > not just properties of the software involved (how does it do in
> >> > facilitating security, i.e. is it securable) but also, and arguably
> >> > more importantly, it is the patterns of configuration and usage
> >> > that combine to determine the degree to which something is
> >> > secure. Even then, there is a missing object: secure from or
> >> > against what?
> >>
> >> Sure. It is the sum of everything. Starting with the software (including the
> >> OS) to the policies and procedures that define how the administration
> >> will be handled to the peripheral equipment and more....much more.
> >>
> >> > MS has just attempted to provide a methodology that "flattens"
> >> > out some discrepancies that result in comparisons due to the
> >> > way vulnerabilities are reported and/or their patches bundled.
> >>
> >> I am not sure at what you are trying to get at here. Can you give an
> >> example?
> >>
> >
> > It states it plainly. Hopefully the popular journalists will find a
> > new methodology, or at least start to examine their approach and
> > in cases lack of empirical method.
>
> Sure. I agree with this statement. They should in fact use a more scientific
> approach. This is what I have been trying to say all along. Except, that
> when you say anything that can be construed as "anti Microsoft" the
> people in this newsgroup tend to start chasing after you with a cross and
> some nails in their hand. I have seen a dangerous trend in "reporting". It
> has become too media centric and influenced. It is not until one leaves the
> country that you see substantially increased quality of reporting. The UK
> has strict advertising laws. For example, if you make a statement in an
> advertisement you must be able to back the data. We supposedly have such
> laws too, but they are not enforced...
>

I did not take up discussion here because the thread seemed anti-MS,
nor because I am pro-MS (which I am not, I am pro-cool technology
wherever that is to be found).
Rather, I am sick and tired of being asked by reporters
"So which is more secure? Windows or Linux?"
(I kid you not. Real event. Twice, with different reporters/eZines)
I believe that the MS sponsored study does add value to the current
art of assessing comparative degree of safety of OS offerings.
It is today an art, BTW, not a science. There are precious few
agreed upon metrics, and no real method that assesses the whole
picture without grounding on some reference implementation (another
factor that seems outside the vision of popular reporting).

> >> I know for a fact that people have reported security holes to MS. They
> >> verified it and have done nothing (going on 6 months now). These are very
> >> significant security holes...
> >>
> >
> > Yes, you are by no means alone . . . There are even one or so that
> > will never be patched.
>
> ...or more...sadly..
>
> >> > The attitude that something funded by those reviewed makes the
> >> > result of null and void value seems only like a way to avoid the
> >> > challenge of taking the methodology to task. In a way it is a
> >> > statement of foolishness, not reviewing to see if there is a better
> >> > mouse trap included.
> >>
> >> Sorry but I totally disagree.
> >
> > Then we disagree. When I was working as a chemist it was not
> > possible to refuse to examine a study for validity of its method
> > just simply based on characteristic of the originator. Now, one
> > might come to discount and pay no attention to specific originators
> > over time, having seen their prior work. But off hand not looking
> > at any study just based on characteristics of the originators, no.
>
> Let me explain this in another light. You are a chemist. Another guy, I
> forgot his name, recently wrote to me saying "The Drug companies sponsor
> their own research then submit it to the FDA why not Microsoft"...Now my
> quote is not verbatim but the gist is correct...
>

I believe that was in a thread somewhere with Robert Moir . . .

> Here is the problem with the drug analogy. Recently, there have been many
> drugs pulled suddenly off the market, I am sure you know what I am talking
> about it has been all over the news. Some of these drugs in fact killed
> people. When the system was looked at closer it was found that, these
> companies were submitting faulty research data. After all, you are talking
> about millions of dollars in profit (or more). Looking even closer, it was
> found that many on the board, that oversees the research for the FDA, were
> in fact board members of the companies that were submitting this faulty
> research.
>

Sure. Points taken and I believe that had the methods this study uses to
attempt to normalize out differences in bundling fixes, of notification
of vulnerabilities, etc. not turned out to assist the MS spin favorably
then they likely would not have funded a full-blown independent
study using techniques that included these normalization methods.

That does not change the fact that the method of the study does
assist in moving us from a world of apples to oranges comparisons
to one where we can count nickels and all nickels are relatively
equal.

> My point is this. You can not trust any company to submit research about
> itself especially when it equates to Millions (or more) of dollars. The

Maybe we should step back and look at the etymology of the term
"company" and then ask why we would ever expect anything different.

> research must be done by a non biased entity for the real data, and
> results, to be revealed.
>

This research was done by an independent company, using data in
the public record.

The result may or may not have seen the light of day depending on
the final results. I do not know the terms of the contract or ownership
of rights to publish results. I am pretty sure MS knew the outcome
would be favorable going into it as the public record of problems
with OS makes that obvious.

As yourself I would assume, I am on a number of advisory lists
for vulnerabilities, and, like any other that sees these come by day
in and day out, there are a lot more for the likes of Debian, or of
Mandrake, etc. than MS products (including IE in that count!!).

>
> >> Anytime a commercial entity sponsors a
> >> comparison between itself and its competitors it is invalid. I do not care
> >> who the entity is. It can be Ford, Chevy, Sun, Sony. I do not care.

You see. I just cannot buy into that statement no matter how many
times I see it, nor in which ways I read attempts at supporting it.
To me that is just wrong and closed minded.
It is a broad generalization.

> >> Furthermore, you seem like an intelligent person. To debate this point I
> >> have to ask why? It is just too obvious for me to even bother pointing it
> >> out...
> >>
> >
> > Again, we have a fundamentally different take on the matter.
> > Either "learn from others", or "know your enemy", or . . .
> > There are many reasons not to be close minded.
>
> There is difference. If I am a company, I will "know my enemy" by doing
> research about them. You are correct. I will want to know how I am doing
> against them too. Sure. I am disputing saying this. I am saying that this.
> The research being submitted to the media by Microsoft, is nothing more
> than an advertisement. This is what I am saying. It is totally different if
> they do their comparison as some kind of watermark in house. Buying that
> paper and using it as an advertisement is yet something else. I listed the
> faults with the article I posted just before writing this one. Take a peek
> I list all the things I believe are faulty.
>

Your comments were to the effect that it is not worth the time to read/review
ipso facto based on sponsorship.
That I reacted to. I feel that one should learn by being open to the works
of others in the field, by seeing where they add value or deceive.

> >> > I for one hope that the popular ePress take up the example and
> >> > see how flawed some of their evocative articles over the past
> >> > year have actually been.
> >>
> >> The article that I posted came from The Software Security Summit which is a
> >> group of software developers that meet every year to talk about software
> >
> > again, you obviously have taken the posting I have made as saying
> > what it did not and was not attempting to state.
> >
> >> security. These were their findings. Again, this was not from some reporter
> >> working at an "epress" as you put. Damn, read the article, please, before
> >> you post......
> >
> > The comments were not about that article nor its originators.
> > The comments were about the all too highly visible and uncritical
> > "popular epress".
>
> Again, you have to be very careful making such a blanket statement. Take a
> look at most, not all, computer magazines. What percentage of the magazine
> are advertisements? What percentage are fluff technology meant for the home

two comments, again
  "popular", and, this forum is not appropriate for name tossing

> user? What is the percentage of real technology? My best friend of 15
> years worked at a large newspaper in the North East, where we both are
> from. While working there he wanted to write a story about Digital Equipment
> Corporation revealing some problems within the company. He had all his
> quotes, done his research and was ready to go. You know what happened? His
> editor killed the story, and I quote, "We can't write that story. Dec
> (Digital Equipment Corp) is a major advertising company with us. They also
> are our computer contractor." The story was killed. The problem with non
> "e-press" sources is they are too heavily influenced by money and politics
> to be overly concerned with real reporting. Have you traveled abroad? Have
> you not noticed the differences in the quality of news elsewhere?
>
> There are a lot of "e-magazines" that are much better than the regular news
> sources.
>
>
> -- Imhotep
>
> >>
> >> - Im
> >>
> >> >> > See also:
> >> >> >
> >> >> > http://www.google.com/search?hl=en&q=linux+has+more+vulnerabilities+than+windows
> >> >> >
> >> >> > It's not the OS but the practices that make it insecure. Ironically, I
> >> >> > say that in defense of Linux. <g>
> >> >>
> >> >> You are correct. Good security practices make a huge difference. However,
> >> >> the OS and applications are equally significant...Why do you say
> >> >> "Ironically, I say that in defense of Linux"?
> >> >>
> >> >> > Galen
> >> >>
> >> >> - Im
> >> >
> >>
>


