On 3/22/07, Neil Joseph Schelly <neil.schelly@oasis-open.org> wrote:
quoted text
> On Thursday 22 March 2007 11:29 am, RedShift wrote:
> > Siju George wrote:
> > > Hi,
> > >
> > > http://www.internetnews.com/security/article.php/3667201
> > >
> > > Just for some entertainment, no troll :-)
> > >
> > > --Siju
> >
> > IMHO it's not a fair comparison, most linux distributions ship with alot
> > more software than microsoft windows does, and most bugreports indicate
> > an issue with third-party software.
>
> If you read the article past the summary, they mention that.  While Windows
> had far fewer bugs than say Red Hat, Red Hat only had 2 (out of 208)
> considered high/severe.  Windows had a very high percentage of its bugs
> labelled as high or severe (12 out of 39).  Similarly, I'm sure if you looked
> at the time-to-fix for just the high and severe bugs from each side, you'd
> see that the Microsoft ones were slower to get patched.  I'm just betting
> that the 200+ less unimportant bugs included many that really just didn't
> warrant any priority to fix.
>
> Unfortunately, the article doesn't really show this in the light that suggests
> the findings of Windows being the most secure commercial OS might be false,
> but it's not too hard to read between the lines.  78% of statistics are made
> up and 103% of statistics can say the exact opposite of what you think they
> should mean.

And *anyway*, measuring security by number of patches for bugs and
time it takes to patch is silly. Every OS, even OpenBSD as we just
saw, is probably full of undetected exploits that are constantly
getting fixed indirectly as overall code quality is improved.

-Nick