Microsoft: Don't use MoodyMath on us! - (kmself)

Item: [link|http://story.news.yahoo.com/news?tmpl=story2&cid=77&ncid=738&e=10&u=/mc/20021108/tc_mc/microsoft_calls__foul__on_os_vulnerability_data|Microsoft calls 'foul' on vulnerability data], Paul Roberts, IDG News Service, Fri Nov 8, 8:16 AM ET (Yahoo News).


Microsoft objects to having [link|http://abcnews.go.com/sections/tech/FredMoody/moody000802.html|Fred Moody's double-counting bug-report methodology] applied to its own projects:


In an interview, Mike Nash, vice president of the security business unit at Microsoft said that he feels those numbers are misleading.


"Essentially what (mi2g) has done is look at a combination of vulnerabilities announced by vendors and new vulnerabilities reported by users," Nash said. "There's no way to determine if the same issue is counted multiple times, or if erroneous vulnerabilities are being reported."


Products with more customers, like Microsoft Windows, are bound to have more vulnerabilities reported under such a system regardless of whether those products are less or more secure than the competition, according to Nash.


So...Microsoft's security focus is aimed at reducing apparent vulnerabilities by challenging bug counts rather than fixing problems?


And for those with short memories, Fred Moody's "Linux Sux Redux" article is criticized and analyzed [link|http://twiki.iwethey.org/twiki/bin/view/Main/FUDMoodyLinuxSuxRedux|here at TWiKIWeThey].


I can't help but close with a quote from Moody's essay: "As Linux zealots are beginning to find out, it's a lot easier to masquerade as a better product than it is to go out and be one." Ben Greenbaum turned this around on Moody at the end of his [link|http://online.securityfocus.com/guest/2782|rebuttal]. I'll merely add: et tu, Microsoft.

--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]
What part of "gestalt" don't you understand?
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.

   Keep software free.     Oppose the CBDTPA.     Kill S.2048 dead.
[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]

Edited by kmself Nov. 9, 2002, 10:24:57 PM EST
Just a total mess. - (Brandioch)
mi2g does not differentiate between:

On the Microsoft side:
Win9x
NT 4.0
Win2K
WinXP

So, WinXP could have ZERO vulnerabilities and Win2K could have all 500+ reported for "Microsoft Windows".

Not to mention that "MacOS" could mean the BSD derived MacOS X or a previous version.

Their data is MEANINGLESS.

Instead of breaking it down by PLATFORM vulnerabilities, they break it down by..... I don't know how to define that.

All Microsoft OS's in one category.
All Mac OS's in another.
All "Linux" distributions in another.
and so forth.

Not to mention that they even ADMIT that they're including APPLICATIONS and 3rd party programs in those totals. (Now, I don't have a problem with this IF the application updates system files as IE and MS Office do.)

For vulnerability analysis to be USEFUL it needs to be broken out as such:

The platform (Win95, Win98, WinME, WinNT 4.0, Win2000, etc).

The platforms would be broken down even FURTHER if a vulnerability was noted on the workstation version of Win2000 that did not exist on the server version.

THEN, I'd look at the various IE vulnerabilities. MS claims that IE is part of the OS, but it is possible to not update it.

THEN, I'd look at the various MS Office vulnerabilities. This is because MS Office is a MS product that updates system files. Also include any other servers / services that MS offers (IIS, SMS, Exchange, etc.)

Linux gets off A LOT easier under this model. This is because Linux apps do NOT (that I know of) update the OS.

Again, each platform would be evaluated. This way, if Red Hat included a patched kernel and that patch had a security flaw, it would not show up as a vulnerability for a distribution that did NOT apply that same patch.

The point is that, when you have a CHOICE in the matter, it is POSSIBLE to CHOOSE to NOT RUN applications that are from a known, crappy developer.

Example, running a WinXP based website. Which, historically, would have the fewest vulnerabilities:

#1. WinXP + IIS

#2. WinXP + Apache for Windows

Now, a bit further. Which, historically, would have the fewest vulnerabilities:

#1. The "winner" of the above choice.

#2. Debian Linux + Apache

Note the use of "historically" in those examples. Because that is all you're getting. The HISTORICAL comparison. The CURRENT versions MIGHT have COMPLETELY DIFFERENT characteristics.

PS: Fred Moody is an idiot who has seen all of his predictions about Linux proven wrong. My favourite is how Linux would get LESS STABLE as it gained MORE SUPPORT for MORE HARDWARE.
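The counting model the post above argues for, as an added example. This is not code from the original thread, from mi2g, or from any vendor; it shows, on constructed sample records, the difference between lumping every report into a vendor-family bucket and counting each distinct flaw once, per platform version, against only the components that platform actually ships. The `Report` record, the `FLAW-n` identifiers, the platform labels and the `FAMILY` mapping are all assumptions made up for the illustration; in practice a CVE ID would play the role of `ref`.

```python
"""Per-platform vulnerability tallies with de-duplication.

Added example; it is not code from the original thread, from mi2g, or
from any vendor. It implements the counting model argued for above:
count a flaw once even when several sources report it, attribute it
only to the platform versions that ship the affected component, and
let the reader pick the components they actually run. Every record,
identifier and platform label below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    source: str           # who published it: vendor advisory, mailing list, ...
    ref: str              # stable flaw identifier; reports sharing a ref are one flaw
    component: str        # affected component, e.g. "kernel", "ie", "iis", "apache"
    platforms: frozenset  # platform versions that ship the affected build


# Constructed sample data (hypothetical identifiers, not real advisories).
SAMPLE_REPORTS = [
    Report("vendor", "FLAW-1", "ie", frozenset({"win2k", "winxp"})),
    Report("bugtraq", "FLAW-1", "ie", frozenset({"win2k", "winxp"})),  # same flaw, second source
    Report("vendor", "FLAW-2", "iis", frozenset({"win2k"})),           # server-only component
    Report("vendor", "FLAW-3", "kernel", frozenset({"redhat-7.3"})),   # one vendor's kernel patch
    Report("bugtraq", "FLAW-4", "apache", frozenset({"win2k", "winxp", "debian-3.0"})),
]

# Vendor-family lumping of the kind the post objects to (assumed mapping).
FAMILY = {
    "win2k": "Microsoft Windows",
    "winxp": "Microsoft Windows",
    "redhat-7.3": "Linux",
    "debian-3.0": "Linux",
}


def lumped_counts(reports):
    """Tally every report into a vendor-family bucket: no de-duplication,
    no version split, applications mixed in with the OS."""
    counts = defaultdict(int)
    for r in reports:
        for family in {FAMILY[p] for p in r.platforms}:
            counts[family] += 1
    return dict(counts)


def unique_flaws_by_platform(reports):
    """Distinct flaws (by ref) per platform version. A flaw in a patch that
    only one vendor shipped is charged only to that vendor's version."""
    seen = defaultdict(set)
    for r in reports:
        for p in r.platforms:
            seen[p].add(r.ref)
    return {p: sorted(refs) for p, refs in seen.items()}


def stack_count(reports, platform, components):
    """Distinct flaws affecting one platform plus the components chosen to
    run on it, so "WinXP + IIS" and "WinXP + Apache" can be compared."""
    return len({r.ref for r in reports
                if platform in r.platforms and r.component in components})


if __name__ == "__main__":
    print("lumped:", lumped_counts(SAMPLE_REPORTS))
    print("per platform:", unique_flaws_by_platform(SAMPLE_REPORTS))
    for stack in ({"ie", "iis"}, {"ie", "apache"}):
        print("winxp +", sorted(stack), "->", stack_count(SAMPLE_REPORTS, "winxp", stack))
    print("debian-3.0 + apache ->",
          stack_count(SAMPLE_REPORTS, "debian-3.0", {"kernel", "apache"}))
```

On the sample data the lumped tally charges "Microsoft Windows" with four reports although only three distinct flaws touch any Windows version, and it charges WinXP with an IIS flaw that only the Win2K build ships; the per-platform tally separates those, and `stack_count` gives the "platform + chosen components" comparison the post asks for. The numbers say nothing about real products; they only show how the two counting methods diverge on the same input.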