Showing posts with label vulnerabilities.

22 December 2008

I'm *Not* Linux

One of the most powerful aspects of free software is that its entire approach and mindset is orthogonal to proprietary software. It's not just better, it's profoundly different. That's one of the most important reasons that *everything* Microsoft has thrown against free software has not just failed, but failed dismally. The company can fight and win against more or less any conventional rival, since it has spent years honing its attack methods. But the latter are simply inappropriate when trying to compete against projects that are profoundly non-commercial: the community cannot be bought off or out; nor can it be undercut by selling goods at a loss against it. In fact, it is striking that along with undeniable strengths, the increasing commercialisation of open source has also brought with it vulnerabilities - notably legal ones - as some of free software's angularity has been smoothed down to make it more "acceptable" to enterprises.

On Open Enterprise blog.

03 December 2007

Will Microsoft Ever Learn This Trick Doesn't Work?

When you read this:

Perhaps more important than the overall numbers is the positive impact IE7 has made for our users. As you know, we focused a lot on improving security in IE7. We believe IE 7 is the safest Microsoft browser released to date. According to a vulnerability report published today, IE7 has fewer vulnerabilities than previous versions of IE over the same time period. What’s more, the report showed that IE7 had both fewer fixed and unfixed vulnerabilities in the first year than the other browsers we compared.

...you might not notice that the "vulnerability report" published at the imposing-sounding CSO site is written by a certain Jeff Jones, who, by an amazing coincidence:
is a Security Strategy Director in Microsoft’s Trustworthy Computing group.

So, Microsoft refers to a report that just happens to be written by one of its employees, but without mentioning that fact. Amazing how these things can just slip the mind, eh? (Via Mike Shaver.)

20 April 2007

BeThere? I'd Rather BeSquare

I've sometimes been vaguely tempted by BeThere's promises of "up to 24 Meg download" speeds. No more, if this is how it treats someone pointing out a serious vulnerability in its operations:

A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers.

BeThere took the retaliatory action four weeks after subscriber Sid Karunaratne demonstrated how the ISP's broadband routers can be remotely accessed by anyone curious enough to look for several poorly concealed backdoors. The hack makes it trivial to telnet into a modem and sniff users' VPN credentials, modify DNS settings and carry out other nefarious acts.

Here's a simple explanation: if someone exploits your vulnerability, they are crackers and deserve punishing; if someone points out your vulnerability so you can fix it and protect yourself, they are hackers and deserve rewarding. (Via TechDirt.)

15 July 2006

More Microsoftie FUD

Another comparative "analysis" of security flaws in Windows and Red Hat. The result: Windows is better - the figures prove it. Well, yes, but let's look at those figures a little more closely. The giveaway is this paragraph:

Because of the nature of the Open Source model, there seems to be a higher tendency (unscientifically speaking) to just copy a piece of code and reuse it in other components. This means that if a piece of code turns out to be flawed, not only must it be fixed, but also that maintainers must find every place they might've reused that blob of code. A visual inspection showed me that many of these were the multiple vulnerabilities affecting firefox, mozilla and thunderbird. In a typical example, firefox packages were fixed, then mozilla packages were fixed 4 days later, then thunderbird was fixed 4 days after that.

Note that it says "In a typical example, firefox packages were fixed, then mozilla packages were fixed 4 days later". So one reason why Red Hat has more vulnerabilities is that it has far more packages included, many of which duplicate functions - like Firefox and Mozilla. The point is, you wouldn't install both Firefox and Mozilla: you'd choose one. So there's only one vulnerability that should be counted. Not only that, but Red Hat is penalised because it actually offers much more than Windows.

I don't know what the other vulnerabilities were, but I'd guess they involved similar over-counting - either through duplication, or simply because Red Hat offered extra packages. By all means compare Windows and Red Hat, but make it a fair comparison.
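To make the over-counting argument concrete, here is an added example (written for this post, not code from the analysis being criticised) that counts the same constructed set of advisories three ways: per package fix, per distinct underlying flaw, and per distinct flaw in the packages a given system actually has installed. The flaw ids, dates and the extra kernel advisory are constructed; only the "fixed 4 days apart" pattern comes from the quoted paragraph. It also measures the fix lag between the first and last package, which is the genuine risk hidden inside the duplicate counts.

```python
from collections import namedtuple
from datetime import date

# Constructed advisory records: one flaw in shared Mozilla code fixed in
# three packages four days apart (as the quoted analysis describes), plus
# an unrelated kernel flaw. Flaw ids and dates are made up for illustration.
Advisory = namedtuple("Advisory", "package flaw fixed")

ADVISORIES = [
    Advisory("firefox",     "MOZ-FLAW-1",  date(2006, 6, 1)),
    Advisory("mozilla",     "MOZ-FLAW-1",  date(2006, 6, 5)),
    Advisory("thunderbird", "MOZ-FLAW-1",  date(2006, 6, 9)),
    Advisory("kernel",      "KERN-FLAW-1", date(2006, 6, 3)),
]


def count_per_advisory(advisories):
    """Naive metric: every package fix is counted as its own vulnerability."""
    return len(advisories)


def count_distinct_flaws(advisories):
    """Collapse fixes of the same underlying flaw into one vulnerability."""
    return len({a.flaw for a in advisories})


def count_for_install(advisories, installed):
    """Distinct flaws in the packages a system actually has installed;
    nobody runs both firefox and mozilla, so only one of them counts."""
    return len({a.flaw for a in advisories if a.package in installed})


def fix_lag_days(advisories, flaw):
    """Days between the first and the last package fix for one flaw: the
    window in which the other copies of the reused code were still exposed."""
    dates = sorted(a.fixed for a in advisories if a.flaw == flaw)
    return (dates[-1] - dates[0]).days


if __name__ == "__main__":
    print(count_per_advisory(ADVISORIES))                       # 4
    print(count_distinct_flaws(ADVISORIES))                     # 2
    print(count_for_install(ADVISORIES, {"firefox", "kernel"}))  # 2
    print(fix_lag_days(ADVISORIES, "MOZ-FLAW-1"))                # 8
```

The per-advisory figure is the one a headline comparison reports; the per-install figure is what a single machine is actually exposed to, while the lag shows where the real exposure lies.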