The surprisingly humble debate kicked off with Dr Richard Ford, a Linux advocate and professor at the Florida Institute of Technology, on the back foot as his opponent Jeffrey Jones, security strategy director in Microsoft's Trustworthy Computing group, unveiled a concerning statistic: Red Hat Workstation 4 had 268 vulnerabilities fixed during the last full calendar year, compared with 45 for Vista.
“No matter how you look at it,” Jones said, “there’s a ton of vulnerabilities there for anybody to be able to claim [Linux] is inherently more secure.”
In Linux’s defense, Ford served a number of arguments saying it was impractical to compare different operating systems and labelled the statistics ineffective.
"Comparing the two operating systems is worse than comparing apples and oranges but more like comparing apples and bananas," he said.
“There is a problem with measuring Linux or Windows security or any two security metrics across any two completely different operating systems. So many things change when you move from one operating system to another and it’s one of the reasons why it’s been so difficult to come up with really good metrics and cost offering systems,” he said.
Ford argued that these differences undermine the credibility of Jones's raw vulnerability counts. He said that raw vulnerability counts were a meaningless tool of measurement, adding “raw numbers themselves show very little.”
Jones’s response: "It’s unacceptable to say that it’s apples and oranges [instead] we have to take some steps to say, ok then, how do we compare small round fruits?”
Still on topic, Ford made another point of defense, this time highlighting the importance of the severity rating of vulnerabilities.
“Vulnerabilities were not created equal, some sort of small DDOS attack is not as severe as an SQL vulnerability. You have to look at the severity,” he argued.
In response, Jones urged Ford to advise the audience, mostly IT administrators, that they should only worry about critical vulnerabilities. Instead, Ford declared that administrators should deal with all vulnerabilities, making sure to do the critical ones first.
As if on cue, Jones pulled another slide out of his hat, this one emphasising the number of critical vulnerabilities each vendor had had in the previous year. It showed 22 critical vulnerabilities found in Red Hat WS 4 in 2007 against 12 in Vista.
Moving on, Ford took a stab at Microsoft’s practice of silent fixes, arguing that they skewed Jones's statistics. Jones posed the same question to Ford, who admitted Linux may also have some examples of multiple vulnerabilities being silently fixed.
Meanwhile, Ford also argued Linux was much faster at getting out patches.
“When a vulnerability comes out, within about 10 minutes somebody’s posted a patch or workaround in the code. You can have a community approved patch where you’re not sitting there like prey,” he said.
But Jones hit back noting Microsoft customers wanted fixes tested before they were made public.
After an hour of to-ing and fro-ing the two called it a tie and said: "We clearly learn from each other."
Linux security v Microsoft security, the great debate
By Negar Salek, live at RSA on Apr 10, 2008 2:55PM