Comments on: Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd

By: softwareDev78

softwareDev78 — Mon, 07 Jun 2010 04:21:27 +0000

I really like the way this article questions the absurdity and ambiguity of security flaw reporting. While it’s not easy to provide an accurate summary of security flaws, it seems clear there is an obvious bias in favor of Windows over OSX.
As an experienced software developer and in depth user or all Windows operating systems and Apple OSX, I would state, in my humble opinion, that Apple’s OS X has been far more stable and secure than any version of Windows I have had the misfortune of using.
This is not to say I’ve never had any problems using OSX, however, I’ve not experienced any security issue with OSX and I’ve used all sorts of open source and third party software on it for years.

By: Microsoft’s Mojave Experiment Exposes Serious Vista Problems — RoughlyDrafted Magazine

Fri, 15 Aug 2008 08:28:59 +0000

[...] Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd [...]

By: AppleMania.info » Numerologia da vulnerabilidade de George Ou é absurda, diz especialista

Fri, 04 Jul 2008 11:27:35 +0000

[...] detalhes no extenso e altamente recomendável artigo completo de [...]

By: CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security — RoughlyDrafted Magazine

Fri, 28 Mar 2008 14:06:39 +0000

[...] Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd security.itworld.com – Microsoft vs. Apple: Who patches 0-days faster? PdfMeNot.com – 0-Day Patch Study Why the Swiss Study was Fatally Flawed. The main tipoff that the study was completely worthless is that it neatly compares “0-day” patches across unrelated platforms. Three main points below describe specifically why this is inherently flawed. As an introduction: a 0-day patch is one delivered the same day the exploitable flaw that it corrects becomes publicly disclosed. [...]

By: Tom Krazit of CNET and Eric Savitz of Barrons Deny the Jesus Phone — RoughlyDrafted Magazine

Sat, 26 Jan 2008 10:38:03 +0000

[...] The iTunes Monopoly/Failure Myth Who Was the Biggest Loser at Macworld? Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd [...]

By: Bill

Bill — Thu, 10 Jan 2008 13:20:26 +0000

Actually Jabberwolf, You are both rude and stupid. If you can read above or at least know a little about statistics and valid data collection and evaluations, then you would understand that the assertions are invalid. Besides the fact that the Secunia doesn’t even find most of the data, only reports what they find, even when wrong, causing them to retract it when challenged. And the fact that the compilation was made by Mac bashers like yourself, who lack any credibility. Yes Jabbiemouth, you are the stupid idiot.
Windows girls go to Mac sites to badger, when Mac fans go to Windows sites to defend the Mac bashing. It so sad that you fools can leave us alone. If the market share is as low as you say, they why not ignore us? Oh yeh, you are all rude and stupid. Good luck with the Zillion viruses, trojans, and malware. I hope that opur 3 to 5 programs to try and prevent or eliminate them works. Talk about insecure! It’s Windows and winfans! Just to let you know, 4 friends with completely disabled Windows XP computers had over a total of 600 viruses and more malware and trojan horses. It’s real, unlike the crap that was published by Ou and company from an incompetent company that tries to prove it’s existence by listing wrongware [Secunia]. Secunia should be sued for fraud. One other thing dumbass, if you checked, most of the Apple data was from OS 10.3, which was 2 operating systems ago, and of course all patched. Microsoft, just doesn’t care to tell you how insecure Windows is, but the real tally of sucessful exploitations is the fact [you stupid butthead]

By: jabberwolf

jabberwolf — Thu, 10 Jan 2008 04:25:44 +0000

So?

Your ENTIRE article tries to make excuses for about 1/3 of the holes. That still leaves OSX with about 10 times the security breaches!!!

Its kinda sad then mactards cant face the truth!
But it only shows how pathetic they can be when faced with facts…. excuses excuses.

Thats the difference, Windows users arent fans, we dont make excuses, we just want a fix, not an excuse.

Someone said why OSX doesnt get many viruses. Just based on the market share they wont spread a virus as fast, nor will it actually make it to many of its users.

Simple math mactards lack, exponential versus linear spread. Macs are more linear contact by numbers, MS users more exponential.

By: lilgto64

lilgto64 — Fri, 04 Jan 2008 14:12:15 +0000

I think Mark Twain said it best:

“There are three kinds of lies: lies, damned lies and statistics.”

source: http://www.twainquotes.com/Statistics.html

By: avocade

avocade — Mon, 24 Dec 2007 13:43:30 +0000

Fraud is a big word. Agree about the general sentiment of the article, however.

By: danieleran

danieleran — Sun, 23 Dec 2007 02:57:43 +0000

[This article was posted to slashdot and received some interesting comments there]

http://it.slashdot.org/comments.pl?sid=396432&cid=21780042

Is Secunia presenting slanted information with the expectation it will be misused?

Here’s one even better: We use GeSHi [qbnz.com] (Generic Syntax Highlighter) in WikkaWiki [wikkawiki.org]. We often scour the so-called “security vulnerability” databases because we’ve found many inaccuracies. In this specific case, Secunia issued this statement:

> we noticed the following entry in the changelog for GeSHi 1.0.7.18 and
> are about to issue an advisory based on this information.
>
> “Committed security fix for htmlspecialchars vulnerability. Also makes
> supporting multiple languages a lot easier”
> http://sourceforge.net/project/shownotes.php?release_id=489035 [sourceforge.net]
>
> To serve our mutual customers best we would appreciate to receive your
> comments on this issue before we publish our advisory.

WTF? This was a vulnerability in PHP’s htmlspecialchars() function, NOT GeSHi. Yet, Secunia was planning on milking this vulnerability in order to boost its “vulnerability count” at the expense of a project that had absolutely NOTHING to do with the vulnerability.

You see, these so-called “vulnerability experts” try to wring out as many vulnerabilities as possible, because we all know that the most effective “vulnerability expert” will be the one with the most posted vulnerabilities. So they go on fishing expeditions to uncover vulnerabilities that really don’t exist.

Or an even worse practice: “bottom-fishing” changelogs and bug trackers in order to discover vulnerabilities that have already been addressed. Here’s another instance where Secunia was caught trying to boost its street cred through disingenuous reporting: They apparently scoured our bug tracking database and discovered an issue (already fixed!) and falsely implied in their report that the content of wiki pages marked private might be accessible via RSS. This was clearly false, as the original bug report indicated that the page name (not content) could be accessed. Secunia later corrected [secunia.com] the false report.

We’ve caught Secunia doing this on several occasions. My advice to anyone who is involved in an OSS project is to regularly scour the vulnerability databases and challenge each and every advisory that you believe is not accurate. You might be surprised at the amount of so-called “vulnerability intelligence” out there that is blatantly false, outdated, or inaccurate.