From owner-freebsd-questions Fri Feb 1 19:04:12 2002
Date: Sat, 2 Feb 2002 05:04:02 +0200
From: Giorgos Keramidas
To: Dillion Klein
Cc: freebsd-questions@freebsd.org
Subject: Re: OS Vulnerability Statistics
Message-ID: <20020202030401.GC4473@hades.hell.gr>
User-Agent: Mutt/1.3.25i

On 2002-02-01 15:40, Dillion Klein wrote:
> I was directed to a very interesting list of stats on OS vulnerabilities,
> and was interested in any comments on FreeBSD's massive drop in vulns
> from 2000 to 2001.
>
> Just by chance, or were there massive changes in the way the code was
> written, etc.?
>
> According to the stats, Windows NT/2000 is more secure than Linux...
>
> Link: http://securityfocus.com/vulns/stats.shtml

This type of statistics is not really very informative though. With
security problems, what is more important is not just the number of them
found.

Having many vulnerabilities can mean one of many things, the most
prominent among them being:

a) The OS is a can full of worms, viruses and problems.

b) The source code is being heavily audited and problems are identified
and fixed as the world moves on to more interesting things.

Which one of these two characterizes the numbers posted there for each
operating system? I know it's hard to tell by just looking at the number
of vulnerabilities.

What is more important to try and find out, given statistics like these,
is ``what is the average time that is required after a vulnerability has
been identified, in order to have a fix available for all the users?''.

It seems to me (but that is my own personal opinion on the matter) that
having one, just one, vulnerability that goes unfixed for more than a
couple of years is far worse than having tracked down, spotted and fixed
more than a dozen of them, averaging less than a few hours for each one.

Cheers,
-- 
Giorgos Keramidas . . . . . . . . . keramida@{ceid.upatras.gr,freebsd.org}
FreeBSD Documentation Project . . . http://www.freebsd.org/docproj/
FreeBSD: The power to serve . . . . http://www.freebsd.org/
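One way to compute the time-to-fix figures the reply argues for instead of raw counts, as an added example that is not part of the original thread; the advisory dates and the two OS labels are constructed, not data from the SecurityFocus page:

```python
from datetime import datetime
from statistics import mean

# Constructed sample data: one record per advisory, holding the time the
# vulnerability was identified and the time a fix became available
# (None = still unfixed). "os-a" and "os-b" are hypothetical labels.
AS_OF = datetime(2002, 2, 1)
ADVISORIES = {
    "os-a": [  # a dozen issues, each fixed within three hours
        (datetime(2001, m, 10, 9), datetime(2001, m, 10, 12)) for m in range(1, 13)
    ],
    "os-b": [  # a single issue, still unfixed after about two years
        (datetime(2000, 1, 15), None),
    ],
}

def exposure_hours(found, fixed, as_of=AS_OF):
    """Hours users were exposed; an unfixed issue keeps accruing until as_of."""
    return ((fixed or as_of) - found).total_seconds() / 3600

def summarize(advisories, as_of=AS_OF):
    """Per-OS metrics: the raw count next to the time-to-fix figures."""
    out = {}
    for name, recs in advisories.items():
        hours = [exposure_hours(f, x, as_of) for f, x in recs]
        out[name] = {
            "count": len(recs),
            "unfixed": sum(1 for _, x in recs if x is None),
            "mean_hours": mean(hours),
            "max_hours": max(hours),
            "total_exposure_hours": sum(hours),
        }
    return out

def rank(summary, key):
    """OS labels ordered from worst to best by the chosen metric."""
    return sorted(summary, key=lambda n: summary[n][key], reverse=True)

if __name__ == "__main__":
    s = summarize(ADVISORIES)
    for key in ("count", "total_exposure_hours"):
        print(f"worst by {key}: {rank(s, key)[0]}")
```

Ranking by count puts the heavily audited "os-a" at the bottom, while ranking by total exposure hours puts the one long-unfixed issue of "os-b" there, which is the point the reply makes.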