Scorecard or Blowhard

This ridiculous “scorecard” showing “OS vulnerabilities” was posted this weekend. The charts are terribly misleading because they look at monthly and year-to-date fixes rather than metrics like known pre-existing vulnerabilities, actual security warnings (with line charts showing what’s fixed and what’s not fixed — which is much more useful), criticality levels, etc. It also fails to address the fact that it’s comparing a cutting-edge distro like Ubuntu with a “mature” OS like XP (and it includes Vista even though it was only partially available during that period).

Fair enough, let’s see charts showing XP’s security fixes over its release life versus Ubuntu or any other Linux distro. And while we’re at it, let’s see a breakdown of criticality on a scale of 1-10 like certain security sites do. How many fixes were included in SP2? How many issues addressed in SP2 have been subsequently “fixed” again? And “fixed” again? How about that firewall bug in SP2, Microsoft? I think sharing my files with the outside world ranks as a pretty serious security issue — and that was a bug that came IN a security fix. Congrats! MS almost gave Napster a run for their money.

Also lost in translation is a very important measure of security and stability: the speed at which developers are (1) aware of an issue and (2) can get it addressed. In that sense, this chart is very useful because it shows that Ubuntu’s and Red Hat’s developers are on the ball and get issues fixed quite steadily. A chart showing fixes over XP’s release life would show us a lot, too: that MS has been dealing with certain issues that have continually plagued them from DOS and early Windows (~3.1) days.
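To make the alternative metrics concrete, here is an added example (mine, not part of the original post or any vendor's tooling) that takes a small constructed list of advisories and reports what the post asks for instead of a monthly fix count: fixed-versus-open by criticality bucket, median days from disclosure to fix, the age of the oldest still-open issue, the per-month fixed/open series a line chart would plot, and how many "fixed" issues had to be fixed again. The advisory identifiers, dates and severity scores are all made up for illustration; the 1-10 severity scale and the critical/high/low buckets are assumptions.

```python
"""Remediation metrics for a vulnerability "scorecard" (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    ident: str              # constructed identifier, not a real CVE
    severity: int           # 1 (low) .. 10 (critical); scale is an assumption
    disclosed: date         # date the issue became known to the developers
    fixed: Optional[date]   # None means the issue is still open
    reopened: int = 0       # times a shipped "fix" had to be fixed again


# Constructed sample data: six advisories over one quarter.
SAMPLE = [
    Advisory("VULN-0001", 9, date(2007, 1, 5), date(2007, 1, 9)),
    Advisory("VULN-0002", 4, date(2007, 1, 12), date(2007, 2, 20)),
    Advisory("VULN-0003", 8, date(2007, 2, 1), None),
    Advisory("VULN-0004", 7, date(2007, 2, 15), date(2007, 3, 1), reopened=2),
    Advisory("VULN-0005", 2, date(2007, 3, 3), date(2007, 3, 4)),
    Advisory("VULN-0006", 10, date(2007, 3, 10), None),
]
MONTH_ENDS = [date(2007, 1, 31), date(2007, 2, 28), date(2007, 3, 31)]


def bucket(severity: int) -> str:
    """Collapse the 1-10 score into three bands (assumed thresholds)."""
    if severity >= 8:
        return "critical"
    if severity >= 5:
        return "high"
    return "low"


def fixed_vs_open(advisories):
    """Count fixed and still-open issues per criticality bucket."""
    out = {}
    for a in advisories:
        counts = out.setdefault(bucket(a.severity), {"fixed": 0, "open": 0})
        counts["fixed" if a.fixed else "open"] += 1
    return out


def time_to_fix(advisories, as_of: date):
    """Median disclosure-to-fix days per bucket, plus the age of the oldest open issue."""
    raw = {}
    for a in advisories:
        r = raw.setdefault(bucket(a.severity), {"days": [], "oldest_open": 0})
        if a.fixed:
            r["days"].append((a.fixed - a.disclosed).days)
        else:
            r["oldest_open"] = max(r["oldest_open"], (as_of - a.disclosed).days)
    return {
        b: {
            "median_days_to_fix": median(r["days"]) if r["days"] else None,
            "oldest_open_days": r["oldest_open"],
        }
        for b, r in raw.items()
    }


def monthly_series(advisories, month_ends):
    """For each month end: (date, issues fixed by then, issues known but still open)."""
    series = []
    for d in month_ends:
        known = [a for a in advisories if a.disclosed <= d]
        fixed = sum(1 for a in known if a.fixed and a.fixed <= d)
        series.append((d.isoformat(), fixed, len(known) - fixed))
    return series


def refix_stats(advisories):
    """How many issues needed a second (or third) fix, and the total number of re-fixes."""
    refixed = [a for a in advisories if a.reopened > 0]
    return {"issues_refixed": len(refixed), "total_refixes": sum(a.reopened for a in refixed)}


if __name__ == "__main__":
    print(fixed_vs_open(SAMPLE))
    print(time_to_fix(SAMPLE, date(2007, 4, 1)))
    for row in monthly_series(SAMPLE, MONTH_ENDS):
        print(row)
    print(refix_stats(SAMPLE))
```

Run as-is it reports, for the constructed data, that both open issues are in the critical bucket and that the oldest has been open 59 days as of 1 April, which is the kind of fact a bare "fixes per month" bar hides. Feeding it real advisory feeds would need the disclosure and fix dates for each entry, which is exactly the data the post says the scorecard left out.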
