I think Tim is really stretching the definition of "professional research" in referring to the Aberdeen paper.

I'm a realist, I work in Information Security which means that I have to take disparate business processes and systems and mitigate the risks associated while allowing them to function. I work with MS/UNIX/Mainframe, etc, etc. All have their pros and cons.

But, to take a listing of vulnerabilities from CERT (not a comprehensive list by any means!) and say that Linux is a sign of insecurity because there are more Open Source advisories is laughable.

For one, there are more types of Open Source software out there than there are software packages from Microsoft. To attribute Open Source flaws to Linux is like blaming Microsoft for the holes in AOL Instant Messenger.

Furthermore, I remember a CERT advisory this past summer (http://www.cert.org/advisories/CA-2002-22.html) for MS-SQL that had FIVE vulnerabilities under one advisory. The Aberdeen researchers neglected to count them as 5, rather as one instance. Did the Aberdeen experts even read through the vulnerabilities?

I think the Aberdeen "researchers", and I use that term very lightly with the two that wrote the paper, should stick to their areas of expertise. The paper's findings are an embarrassment to the Aberdeen group, and really show the effort these "experts" put into their research.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/127/17267#17267