
RHEL, kernel vulnerabilities, and days of risk

Posted Mar 28, 2005 16:45 UTC (Mon) by Ross (guest, #4065)
In reply to: RHEL, kernel vulnerabilities, and days of risk by giraffedata
Parent article: RHEL, kernel vulnerabilities, and days of risk

What you say would only be true if the only way to find out about the
vulnerability were from Microsoft. Obviously that is not true given that
Microsoft is usually made aware of problems by third parties.

Obscurity is a poor substitute for security.



RHEL, kernel vulnerabilities, and days of risk

Posted Mar 28, 2005 17:16 UTC (Mon) by giraffedata (subscriber, #1954)

> What you say would only be true if the only way to find out about the vulnerability were from Microsoft.

You misread my comment. When I said "if Microsoft can keep vulnerabilities secret," I didn't mean if Microsoft can avoid telling people about them (though I understand that's sometimes what "keep secret" means). I meant if Microsoft can keep the vulnerabilities from becoming general knowledge.

To the extent that Microsoft can't do that, because other people find and expose the vulnerabilities, my comment doesn't apply.

But the article suggests that Microsoft can to some extent keep the vulnerabilities secret, because it says Microsoft lessens its "days of risk" measurement by not disclosing bugs.

RHEL, kernel vulnerabilities, and days of risk

Posted Mar 28, 2005 17:23 UTC (Mon) by giraffedata (subscriber, #1954)

> Obscurity is a poor substitute for security.

On the other hand, it's a great substitute for no security and public knowledge of that fact. So I think the obscurity is worth measuring and using to gauge one's risk of using particular software.

