Measuring Computer Security
Microsoft's latest PR salvos in the war of words over security have both the top men shooting their mouths off. First Ballmer, then Gates, then Ballmer again. Both are saying that Microsoft's security is "better" or Open Source/Linux's is "worse" or something like that, and using FUD-style language and obfuscated information in their statements.
Neither offers any real support for their claims, nor do the Linux zealots who just as vigorously claim that the top guys are way off base -- that Linux is clearly more secure. Their reasoning is based on similarly flawed logic. They use statements like: look at Sobig, look at Swen (or substitute here the latest Microsoft vulnerability that has hit the news) -- they are evidence that Linux security is "better". They compare Linux to Microsoft and list all Microsoft vulnerabilities but only Linux's, they talk about Microsoft having more reported vulnerabilities than Linux (even if that is true, it is to be expected given the number of systems running Microsoft software), the pain the vulnerabilities inflict being more severe, or any number of equally FUD-dripping "arguments".
What they all seem to forget (or maybe they understand all too well) in their petty infighting is that security cannot really be measured. It is not quantitative. You can't "measure" security by turnaround times on bug fixes, by the number of problems reported and fixed, by the number of systems affected, or by any measure that you care to think up. Security is a state of mind. It is a faith issue.
Maybe that is the core of it -- both sides realize that this is a faith issue and are enthusiastically preaching to try to convert the non-believers and win converts from the other side.
I wish both sides would just drop the evangelical PR mumbo jumbo and the "my schwartz is bigger than your schwartz" posturing, get off their asses, and solve problems.
© Copyright 2008 Brian Sullivan. Last update: 22/06/2008; 12:24:44 PM.