Subject: Re: Favourable Mention by Fred Moody
To: Curt Sampson <firstname.lastname@example.org>
From: Todd Whitesel <email@example.com>
Date: 08/05/2000 23:18:48
> Uh...in that article, we were the best. We won. Duh.
> But nevermind. I can see it's quite the wrong thing to point out
> that people are saying good things about NetBSD; it just puts NetBSD
> users on the attack.
Nah, this time it's just a perceived threat on my part. Anyone who double
checks Moody's data won't necessarily award us the same compliment that he
did, so I don't consider it good PR to make a lot of noise about the article.
Moody has added a small correction to the article, but the problem remains
that bugtraq numbers are not law! It is irresponsible to pretend that they
are accurate measurements of how secure the various systems are. Although
it is interesting that of the unixy systems, only SCO and OpenBSD had lower
numbers than we did. Who was lowest? MacOS, and Netware. (I don't count BeOS
or MacOS X because they are too new to compare multiple years.)
Bugtraq numbers are like stock prices, they measure a bunch of factors all
at once, and you can't separate them. So any conclusions you try to draw
are suspect at best. My academic instinct says it is not a good thing to
trust the opinions of someone who pounces on such unreliable data. Moody
really pounced on the Linux numbers as if he had an axe to grind, which
is another reason I don't like mingling our credibility and his.
IMHO the real measurement is how many people actually get their systems
broken into, discounting those that could (but don't) take reasonable
precautions. On that score, Microsoft is a total loser because of macro
viruses and ActiveX controls, and absolutely everyone else comes out so
far ahead it's ridiculous.
toddpw @ best.com