
Fred Moody and BugTraq: Lying About Linux

ABC News columnist Fred Moody has consistently praised Microsoft and dumped on their critics for years. This is not in itself a bad thing. But in the process, he has continually exhibited an utter disregard for facts, logic and basic fairness. I have no idea as to his underlying motives, but there's no denying his intent. He is a pro-Microsoft chauvinist, pure and simple. To him, praising Microsoft is an end unto itself, and the traditional values of responsible journalism simply don't enter into it. I suppose he has as much a right to his opinion as I have to mine. But when he starts misrepresenting the facts, I say he's gone too far.

Here's where he crosses the line:

Linux Sux Redux: The Open-Source Platform Is Open to a Slew of Vulnerabilities

"But now comes news from BugTraq that gives the lie to the widely held belief that Linux is any less vulnerable than its competitors. Linux's known weaknesses turn out to be proliferating faster than its market share. BugTraq publishes "Vulnerability Database Statistics" (a list of bugs, essentially, that are discovered each year in various software products) that demonstrate rather dramatically how determined Linux is to join the Big Leagues - if not necessarily in market share, then in what might be called "vulnerability share."

BugTraq keeps these statistics on 22 different operating systems, from the mainstream Windows NT to various exotic flavors of Unix. Given that Microsoft's product is the runaway market leader, it is not surprising that it leads in vulnerabilities: In 1999, the year it took over the server market in earnest, Windows NT totaled 99 new vulnerabilities on the BugTraq list. (So far in 2000, the count is at 37.) This looks like an alarmingly high number in comparison with Solaris' 34 or NetBSD's 10, but it is significantly less than the 122 racked up by Red Hat and the other Linuxes (their 2000 count stands at 47)."

Mr. Moody thoughtfully neglects to provide any link to this purported study, or even to BugTraq itself. So I did some digging:

BugTraq lives at http://www.securityfocus.com/. It has vulnerability reports listed for Microsoft and for Linux. On August 2, 2000, I counted the entries on those pages for the year 2000 and came up with 93 for Linux and 240 for Microsoft.


But what about that report?

I was able to find a report that might be the one Fred Moody was referring to. It's right here. But this report gives somewhat different numbers from Fred's article. The numbers in the report also don't match the lists I referenced above, so it must be using a different criterion. The report seems to count OS vulnerabilities plus vulnerabilities in applications that ship with the OS, whereas the lists cover all vulnerabilities, whether in the OS or in an application. Given that Microsoft frequently shifts the blame for failures onto applications, this distinction is suspect.

Anyway, here are the relevant excerpts:


Number of OS Vulnerabilities by Year
OS                  1997  1998   1999   2000
Debian               2       2    29       5
Linux (aggr.)       10      23    84      30
RedHat               5      10    38      17
SuSE                 0       0    21       5
Windows 3.1x/95/98   1       1    46      13  
Windows NT           4       6    99      37

Oh, I get it now.

He's adding the figures for Red Hat to the figures for Linux aggregate to come up with the 47 (30 + 17), and the same trick gives his 122 for 1999 (84 + 38). This is completely bogus, of course, because the Red Hat vulnerabilities are already inside the aggregate figure. But that's never stopped him before.

A more valid figure for Linux would be 30, since this represents, in the report's words, "the size of the set that results from the union of all vulnerabilities for the components without duplication." That would serve the purpose of fairness. But it would not serve the purpose of Fred Moody.
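To make the double-counting concrete, here is a small added example (mine, not code from the page or from SecurityFocus). It builds the "aggregate" figure the way the report describes it, as the union of every distribution's vulnerabilities without duplication, and then performs the addition Moody performed. The distribution names are the ones in the table above; the vulnerability identifiers are constructed placeholders, not real BugTraq entries.

```python
"""Vulnerability counts across overlapping product lines.

Added example, not code from the original page or from SecurityFocus.
Distribution names follow the report's table; the vulnerability
identifiers are constructed placeholders, not real BugTraq IDs.
"""
from typing import Dict, Set

# Constructed sample: which (hypothetical) vulnerability IDs affect which
# distribution. A bug in a package shared by several distributions shows up
# under each of them, which is where the overlap between rows comes from.
VULNS_BY_DISTRO: Dict[str, Set[str]] = {
    "RedHat": {"vuln-01", "vuln-02", "vuln-03", "vuln-04", "vuln-05"},
    "Debian": {"vuln-01", "vuln-02", "vuln-06"},
    "SuSE": {"vuln-02", "vuln-03", "vuln-07"},
}


def per_distro_counts(vulns: Dict[str, Set[str]]) -> Dict[str, int]:
    """Count per distribution, as the report's individual rows do."""
    return {name: len(ids) for name, ids in vulns.items()}


def naive_sum(vulns: Dict[str, Set[str]]) -> int:
    """Add the rows together: every shared bug is counted once per distribution."""
    return sum(len(ids) for ids in vulns.values())


def aggregate(vulns: Dict[str, Set[str]]) -> Set[str]:
    """The report's 'Linux (aggr.)' figure: the union of all components
    without duplication."""
    return set().union(*vulns.values())


def aggregate_count(vulns: Dict[str, Set[str]]) -> int:
    """Size of the de-duplicated union."""
    return len(aggregate(vulns))


def sum_with_aggregate(vulns: Dict[str, Set[str]], distro: str) -> int:
    """The arithmetic the page objects to: aggregate plus one member distribution."""
    return aggregate_count(vulns) + len(vulns[distro])


def double_counted(vulns: Dict[str, Set[str]], distro: str) -> Set[str]:
    """IDs that sum_with_aggregate counts twice. Since every ID of a member
    distribution is already in the union, this is the member's whole set."""
    return vulns[distro] & aggregate(vulns)


if __name__ == "__main__":
    print("per distro:        ", per_distro_counts(VULNS_BY_DISTRO))
    print("naive sum of rows: ", naive_sum(VULNS_BY_DISTRO))
    print("aggregate (union): ", aggregate_count(VULNS_BY_DISTRO))
    print("aggregate + RedHat:", sum_with_aggregate(VULNS_BY_DISTRO, "RedHat"))
    print("counted twice:     ", sorted(double_counted(VULNS_BY_DISTRO, "RedHat")))
```

With the constructed data the union holds 7 distinct vulnerabilities, summing the rows gives 11, and "aggregate plus Red Hat" gives 12, with all five Red Hat entries counted twice. That is exactly the relationship between the report's 30 and Moody's 47: the aggregate already contains Red Hat, so anything added to it is a fabrication.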

Sloppiness? Wishful thinking? Lack of reading comprehension? Journalistic incompetence? Deliberate intent to deceive? Who knows? The bottom line is, this guy is crowing over numbers that don't stand up under even the slightest scrutiny.

Fred Moody has some explaining to do.


UPDATE

Ben Greenbaum at securityfocus.com has been alerted to Moody's misrepresentation of their report, and has set the record straight. An excerpt:

Mr. Moody ends his article with the sentence:

"As Linux zealots are beginning to find out, it's a lot easier to masquerade as a better product than it is to go out and be one."

I agree with that statement, and I believe that the Linux community has done an admirable job in many ways on both counts. In closing, I propose to the security community and to Mr. Moody that what is true for products is sometimes true for journalists as well.

Well said, Mr. Greenbaum.


Feedback: The OS Debate: It Does Not Compute