You know, it really irritates me that almost every single day there is a new “report” or article out about Linux security… and more often than not it’s compared to Windows security. Not only has this topic been beaten to death, stomped on, kicked, buried, dug up, and beaten some more, all of these so-called “experts” and journalists are doing nothing more than hyping a topic that, quite frankly, is more than boring.
To top it all off, half the time these idiots don’t even know what they’re talking about. For instance, look at CERT’s latest report (which is a load of bung as far as I’m concerned). The “Cyber Security Bulletin” for 2005 is retarded. If you haven’t seen it yet, you can look at it at http://www.us-cert.gov/cas/bulletins/SB2005.html. The basic summary is that there were 5198 reported vulns, 812 of which are Windows, 2238 of which are Unix/Linux, and another 2058 of which are multiple-OS vulns. Well, just the summary has issues. I mean, why does Windows (one OS) get compared against “Unix/Linux” (multiple OSes)? For instance, I recall some vendor-specific things… like SUSE’s YaST had some issues and Gentoo’s portage had a few issues as well. Those all get lumped in together, counting (in the general totals) as one OS. Then you get stuff from SCO that everyone else fixed in 2004 and that they finally decided to get around to (come on guys… either do it or not, but your lame attempt to show you care about security is fooling no one but you), and stuff specific to Apple (a vuln in coreaudio on OS X would have nothing to do with any Linux or BSD, etc.). So now we’re comparing really inflated numbers on one hand to, perhaps, moderately inflated numbers on the other.
Groklaw has taken a short stab at this as well, so I won’t go into too many details; suffice it to say that these reports are nothing more than senseless garbage. They’re not coherent, they’re not well formulated, and they’re just plain nothing more than a bunch of numbers that mean less than nothing.
And let’s not forget that your average Linux desktop distro has 10-20x more applications bundled with it than Windows does, so of course the number is going to be higher. Toss in distros that bundle PHP applications (which I never understood, but ok) and that number explodes due to XSS vulns and other similar issues found in a lot of PHP apps out there.
So, despite the report being crap, why do people insist on doing the boring old Linux vs. Windows stuff still? There’s nothing new here. Instead of comparing them on technical merits, functionality, etc., everyone seems to be jumping on the security bandwagon, and while I appreciate that security is a big thing, it just gets boring to see it over and over and over again. Do people not have anything better to write about than to conjure up the same old boring blah that we’ve been reading about for years? Come on guys! Come up with something original!