[PLUG] Windows versus Linux security
Carla Schroder
pluglist at bratgrrl.com
Sun Jul 21 18:42:17 UTC 2002
On Monday 22 July 2002 12:44 am, you wrote:
> On Sun, 21 Jul 2002, Neil Anuskiewicz wrote:
> > On Sun, 21 Jul 2002, Carla Schroder wrote:
> > > I think the fairest metric is the actual damage done. Measured in
> > > dollars, time, and aggravation, Microsoft is the undisputed world
> > > champeen.
> >
> > The only problem is how would you calculate that? It would be a
> > monumental task for each vulnerability and somewhat subjective also.
> >
> > My feeling is there should be a way to compare apples to apples if that
> > is possible.
>
> To be fair, it would also have to be weighted to factor into the metrics
> the number of servers installed for each OS - or the market cap of the
> companies affected.
>
> Sandy
Oh, I don't think it's that complicated. Total dollars tell the story quite
accurately. For example, how much money did Nimda cost? How much money has
any Linux, Unix, or BSD virus cost? That's the bottom line: how much has a
particular vulnerability cost the users? If you really want to go nuts,
calculate how much it cost the economy in lost productivity, sales,
additional labor, diverted resources, etc. But simply calculating actual
direct damages isn't that difficult, and certainly tells a compelling story.

Then compare how catastrophic individual vulnerabilities are, as Ed was
saying. What happens when, say, a new vulnerability is discovered in Apache,
and it is actually exploited? Certainly nothing like Code Red or Nimda. I
can't recall anything in the past few years that even came close.

Meaningful comparisons are easy, if a person really wants to make them. Most
of the articles discussing this topic are not interested in meaningful
analysis; they're just parroting the first person who did a count on bugtraq
two years ago.
Carla