Further Perspectives on Symantec Vista "Research"

Since my original post on last week’s Symantec paper, they’ve released another one as noted by Joris Evers in Symantec continues Vista bug hunt. Now that I’ve read both of the first two papers, I note two perspectives from Symantec on this: 1) the perspective of the researchers in their paper, and 2) the uses that the Symantec marketing team may be attempting with the content. On the first perspective, the … Read more »

New Windows Vista Security Blog

Ben Fathi, the Corporate VP of the Security Technology Unit has kicked off a new blog focused on Windows Vista Security.  I’ve added a link on the side and you can read it here: http://blogs.msdn.com/windowsvistasecurity/. Also, while I’m on the topic of Ben, let me remind you that he also hosts a Technet Chat that allows you to connect and ask him and his extended team any question you want … Read more »

Symantec Stirs the Pot

UPDATE:  Several readers sent me a link to the paper, so I have it now.  Thanks!   I didn’t use “FUD” in my title, because it frankly gets used so often, and sometimes even applied to me.  FUD (or Fear, uncertainty, and doubt) is a sales or marketing strategy of disseminating negative (and vague) information on a competitor. Now, why I don’t think this applies to my recent vulnerability metrics posts is:   … Read more »

Apples, Oranges and Vulnerability Metrics

NOTE:  I am not asserting that my vulnerability analysis demonstrates that Windows is more secure.  Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows.  The “unsupported” part of that bothers me, so I check for myself.  What I keep finding is that Linux distributions have more vulnerabilities, more serious vulnerabilities and the data does not support the … Read more »

Windows vs Linux (Red Hat) – Workstation – 1st Half 2006

NOTE:  I am not asserting that my vulnerability analysis demonstrates that Windows is more secure.  Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows.  The “unsupported” part of that bothers me, so I check for myself.  What I keep finding is that Linux distributions have more vulnerabilities, more serious vulnerabilities and the data does not support the … Read more »

Debian Site Hacked Again

Debian developers learned this morning that someone had hacked into one of the project servers (gluck), so the debian team took all of the servers offline to investigate, flatten and rebuild.  Here’s the message: http://lists.debian.org/debian-devel-announce/2006/07/msg00003.html Please note that you should not confuse this hack of the Open Source debian project with the one from November, 2004, Hackers Attack Debian Linux.  That was a completely different incident.

FAQ (frequently asked questions) about Think Security Vulnerability Comparisons

This document will be updated as time goes on.  It is a repository for questions and answers related to analyses posted on my blog comparing vulnerability counts, days-of-risk and workload vulnerability indices for Windows and Linux distributions.  If you have more questions, post them as comments and I’ll update with an answer as appropriate. Best Regards ~ Jeff Q1.  Why is there a difference in “vulnerability fix events” and “unique … Read more »

Windows vs Linux (Red Hat) – Server – 1st Half 2006

NOTE:  I am not asserting that my vulnerability analysis demonstrates that Windows is more secure.  Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows.  The “unsupported” part of that bothers me, so I check for myself.  What I keep finding is that Linux distributions have more vulnerabilities, more serious vulnerabilities and the data does not support the … Read more »

Windows 98 – the End is Nigh and a Look Back

What OS were you using in 1998?  Windows 98?  Red Hat 5.1?  Something else? The MSRC blog recently re-iterated the upcoming end of life for Windows 98, Window 98SE and Windows ME, indicating that there will be no support after the July 11th patch Tuesday. (There’s more detail about this and other Support Lifecycle dates on the Support Lifecycle Website: http://www.microsoft.com/lifecycle.)  After a short new lease on life, the road … Read more »

Windows Vista User Account Control (UAC)

Jesper apparently stirred up things a bit with his latest post, Please don’t disable security features, at least while we are testing them, asking folks to recognize that a Beta is not a final product and that you should wait to see the final before making hasty decisions like disabling a security feature.  The UAC development team endorse what Jesper says as well. I’ve been running Windows Vista Beta2, so … Read more »