Counting vulnerabilities

Posted Oct 3, 2007 13:48 UTC (Wed) by John_Emerald (guest, #48012)
Parent article: Counting vulnerabilities

First, remember that what was counted was "security patches".
It is completely irrelevant to count the number of "security patches", for many different reasons, as already mentioned. To name a few: security breaches are not all brought to public attention, the count of known security vulnerabilities has almost nothing to do with the count of existing vulnerabilities (which in any case would be a lot more numerous), open source has more eyes to bring more "known vulnerabilities", etc.

So from an objective point of view this analysis is totally meaningless for comparing the two systems and can't prove anything, as acknowledged even on Mr. Jones's blog. Jones said the point was to explore "common misperceptions".

The error is that "security patches" has been translated to "vulnerabilities"... instead of "known vulnerabilities", if it needed to be translated at all. If you make the correction, you can see that this could completely invert the meaning of the statistics and of a great part of the text, at a "common misperceptions" level of course. We could for example say that some companies were more concerned about security and released more patches.

Objectively deducible facts #1) So let's recapitulate and put things straight:
This analysis is either, on one side, meaningless or, on the other, totally wrong, misleading and the opposite of reality.

Objectively deducible facts #2) Lots of these articles are based on this translation "error". So either we have a security director who doesn't understand a bit of what he is talking about, or we have a marketing campaign disguised as personal blogs (plus, comments are moderated so the truth cannot be revealed to the public).
The two cases show objectively that Microsoft is a bad choice regarding security. The first case would mean their security director cannot understand security analysis basics. In fact it would show that he is not able to run or understand any analysis at all. The second case would mean that they are disguising their actions and lying to give misperceptions to the public (their consumers), which would mean we cannot trust them as a company. Honestly, can anyone see another possibility?

I tried to mention the translation "error" in the comments on one of the Microsoft employees' blogs, but of course the comment has been "moderated".

Each time we don't address the simple and basic problem/error/lie directly and argue at their level, we are helping them to push and hide the real problem/error/lie further into the dark and intoxicate the public with wrong beliefs.

So... please be cautious, don't help them with their campaign if you don't mean to and/or aren't paid to do it.
I'm asking everyone who reads this: please, if you comment on these articles, start by uncovering this basic and critical error; don't give them too much credit.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds