Is this true
Date: 04/02/2002 10:48:49
Forum: Linux
Category: Other
Title: Miscellaneous
Thread ID: 00614827
Message ID: 00615734
Views: 25
>http://www.wininformant.com/Articles/Index.cfm?ArticleID=23958
>Rajesh

If you believe that then I have some land in Florida I'd like to sell you. ;-)

The "counting" method used in that 'news' was interesting....
Let's say you put a $100 bill in your left shirt pocket, then put that same bill in your right shirt pocket, then in your left pants pocket, then in your right pants pocket, then in your wallet and finally put that bill in your hat band. Now, total all the $100 bills you have by their counting method and it comes to $600.

All of the Linux distros use the same source for their kernel and general utilities files. So, if they all incorporate the latest version of sendmail in their distro, but that version has a security hole, do you count it as one hole or as 12 holes, one for each distro?

Here is the bugtoaster site, which tracks MS OS bugs live:
http://www.bugtoaster.com/DW15/Reports/OperatingSystems.asp

Or, for Linux:
http://linux.oreillynet.com/pub/a/linux/2001/07/30/insecurities.html#lin
although this site is for bugs related to every app in Penguin land. To get kernel-specific bugs, http://www.tux.org/lkml/ has each kernel maintainer's mailing address. (There is a maintainer for each area of the kernel.)

RedHat's bug list is at:
http://www.redhat.com/mailing-lists/redhat-watch-list/index.html
If you check out one of them, for example, you will see that a single bug affects 10 different apps: http://www.redhat.com/mailing-lists/redhat-watch-list/msg00275.html, so running one patch update fixes them all.

BTW, the number of patches that need to be applied would be a better measure of how many bugs exist. If a single patch cleared up a bug that was on all the Windows platforms, then it was just one bug, not 10.


And, up until Microsoft created their 'security consortium' and got security companies to not post WinXX bugs 'until'..., most security sites kept lists of both WinXX and Linux bugs, which made count, frequency and repair time comparisons easy. Now, only Linux bugs seem to get public coverage. WinXX bugs aren't announced until MS publishes a patch to fix them, if ever. Sometimes they won't admit to bugs, other times they take a long time to fix them. Very serious bugs they seem to get right on, however.

The longer they take to fix a bug, the longer more sites are exposed to being compromised. Why? Crackers communicate among themselves on their IRC channels and through private emails. They don't wait to read about new exploits in security groups or tech papers. The news of a new exploit travels very fast through the cracker underground, and they are quick to take advantage of them. The longer such bugs are kept secret from the consumer, the longer they are ripe for exploit and the greater the odds that they will get hacked.

When exploits were posted on security groups, so were the code examples that demonstrated the bug exploit. When the patch was released, a consumer could test the effectiveness of the patch by running the published exploit against it. Now that's no longer possible, and consumers in WinXX land are taking Microsoft's word for it that the patch does what it is supposed to do, and not something else, like add another backdoor to secretly download more demographic data. (Pardon the name of the website.) http://www.fuckmicrosoft.com/content/ms-hidden-files.shtml
JLK
Nebraska Dept of Revenue