Re: Analysis of Microsoft Critical Patches

From: Arthur Keller <voting_at_kellers_dot_org>
Date: Wed Jan 11 2006 - 13:47:04 CST

Cameron, with all due respect, did you review the Washington Post
article that contains links to the actual hard data for 2003, 2004,
and 2005 for Windows? Will a Linux security person generate the
comparable list for Linux?

Best regards,

At 10:19 AM -0800 1/11/06, Cameron L. Spitzer wrote:
>I don't believe an apples-to-apples comparison is possible.
>(Windoze isn't an Apple, it's a lemon. Sorry, couldn't resist.)
>I subscribe to two Linux security bulletins: _Linux Today_
>(daily, usually nothing important) and debian-security.
>Over the years, the most obvious thing has been that the
>great majority of security bugs disclosed are discovered
>in code audits, and the fixes are released without any
>known "in the wild" exploits. It's one of the things
>the FOSS advocates justifiably brag about.
>That might be happening with Windoze and its apps as well.
>But if it is, it's happening among the few corporations
>and universities with Windoze source licenses, without
>any public disclosure, and nobody ever leaks.
>I don't believe it's happening, because MSFT generally
>seems to be reacting only to public disclosures of its
>security bugs. But that's a gut reaction, and we don't
>have the data to back it up. We don't have the information
>for an apples-to-apples comparison. Those who do
>are under NDA.

Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
OVC-discuss mailing list
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Mon Jan 8 20:24:36 2007
