Friday, January 06, 2006

CERT, vulnerabilities, and Slashdot

Slashdot posted an article pointing to one from NewsForge about how the press and trade press misrepresent the CERT reports of the number of vulnerabilities in each operating system by lumping every Linux distro in alongside operating systems like Solaris, OS X, etc.

I agree that this is bad and should not be done. Do I think the press-at-large is tech savvy enough to get it right? No. It’s possible (even likely) that they’re doing it to be more sensational (people love things that are “shocking”).

The thing that amused me was some of the equally incompetent comments from the Slashdot crowd as they complained about the injustice to Linux.

(The following are rough quotes. I’m not digging back through the comments, though I assure you that the important parts are accurate. The only errors will be minor.)

“Windows only really had 2 versions – everything from Windows 1 through WinME, and NT/2000/XP.”
Nope. If you want to look at it that way, there were 3 – Windows up until 3.x (and Bob – which was an interface for 3.1) was just a shell that used DOS as a backend. In fact, you had to launch it from DOS (or add a line in autoexec.bat to do it at bootup). It wasn’t really even an operating system. Windows didn’t have a kernel, and therefore didn’t become an operating system, until Win95.

Yes, Microsoft made a product called Bob. Yes, you can giggle. We all did. It also sort of spawned what later became Clippy. If you want to know who to blame for that, talk to Melinda Gates. She was the project manager.

If you want to complain that someone is misrepresenting your tool of choice, don’t turn around and make the same mistakes yourself.

“The same vulnerabilities that affected programs in Linux also affected those which were also implemented in Windows (perl, apache, etc). Why weren’t they reported there too?”
This is true, but security flaws in these programs are generally reported only by *that product’s* project and may then be passed on to the mailing lists, etc. for various distros by “normal” people or as a heads-up to the community at large.

The reason that Windows doesn’t have these reported is that they aren’t *their* products, so they (correctly) leave it up to the vendor to fix (they also don’t publish every vulnerability that they find, unfortunately). The reason it hits the mailing lists for Linux distros is that people just sort of give each other a heads-up about the problem, or don’t know where to send it, so they send it to their distro mailing list or bug list. (So it ends up on distro lists too, and gets counted once per distro. Bad CERT, bad bad CERT. Do more research before releasing the stats.)

You could see this as sort of the difference between company and community (they each have different motives for what they do), but it’s kind of important to bring up. Both have their advantages and disadvantages (though the community way of letting you know something is wrong is really nice).

It’s one of the nice things/bad things about community. You’re pretty sure to see the issue *somewhere*, but if you have multiple places that you check every day, you get a lot of repeat news. (Of course, you get the same problem if you watch CNN, NBC, and your local news program, or read multiple papers. However, we don’t count a murder reported in 5 newspapers as 5 murders, while we do with bugs. Go figure…)
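To make that double-counting concrete, here is an added example (mine, not the post’s, and not CERT’s actual methodology) using a constructed advisory list: the same upstream Apache and Perl bugs relayed by several distro lists, counted once per report the way the post describes versus once per distinct upstream advisory. The advisory ids are made up for the example.

```python
from collections import Counter

# Constructed sample advisories: (where it was reported, upstream product, advisory id).
# The apache and perl entries are single upstream bugs relayed to several distro lists.
REPORTS = [
    ("Debian",  "apache",  "apache-2005-01"),
    ("Red Hat", "apache",  "apache-2005-01"),
    ("SUSE",    "apache",  "apache-2005-01"),
    ("Debian",  "perl",    "perl-2005-07"),
    ("Gentoo",  "perl",    "perl-2005-07"),
    ("Red Hat", "kernel",  "linux-2005-33"),
    ("Solaris", "solaris", "sun-2005-12"),
    ("Windows", "windows", "ms05-039"),
    ("OS X",    "darwin",  "apple-2005-04"),
]

LINUX_DISTROS = {"Debian", "Red Hat", "SUSE", "Gentoo"}


def family(reporter):
    """Lump every distro together as 'Linux', the way the press reports do."""
    return "Linux" if reporter in LINUX_DISTROS else reporter


def naive_counts(reports):
    """The murder-in-5-newspapers method: every report is a separate vulnerability."""
    return dict(Counter(family(reporter) for reporter, _, _ in reports))


def dedup_counts(reports):
    """Count each distinct upstream advisory once per OS family."""
    seen = {(family(reporter), product, aid) for reporter, product, aid in reports}
    return dict(Counter(fam for fam, _, _ in seen))


def per_distro_counts(reports):
    """Count distinct advisories per individual distro instead of lumping them."""
    seen = {(reporter, product, aid) for reporter, product, aid in reports}
    return dict(Counter(reporter for reporter, _, _ in seen))


if __name__ == "__main__":
    print("naive     :", naive_counts(REPORTS))      # Linux looks like 6 bugs
    print("dedup     :", dedup_counts(REPORTS))      # really 3 distinct bugs
    print("per distro:", per_distro_counts(REPORTS))  # no single distro above 2
```

The gap between the first two lines of output is exactly the inflation the post complains about, and the third shows why treating Debian and Solaris as peers gives a different picture than Linux-as-one-OS versus Solaris.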

People do the same thing with Microsoft products too. It’s just that the MS people go, “That’s not our problem. Talk to the people who make it.”

Oh, and the Mac people keep pulling out the “OS X is BSD-based” thing.
Only partially right. OS X has a Mach kernel but does BSD application-layer stuff. They also have an API for OS 9. This is something that probably doesn’t mean a lot to very many people, but it’s just a pet peeve of mine.

To wrap up, I just have to say a couple of things.
1) If you’re going to try and slam something, please try to know what you’re talking about.
2) Both sides of the fence have a lot they can learn from each other. Be practical, people. It’s not a religion (and even if it were, you should still be practical and tolerant).

