The Pretty Pictures

Look at the pretty pictures in THG’s “New 3D Graphics Card Features in 2006“.

The US-CERT Bulletin Debacle

It has been all over the news for the past couple of weeks or so. The US-CERT released its Cyber Security Bulletin 2005 Summary and while I’m not one to doubt human incompetence the fact that this report was put together by someone who supposedly understands the concept of “operating system” makes me think it might’ve been more than just incompetence. At issue is the fact that the bulletin for some reason decided to divide the vulnerabilities by what operating systems they affected, to quote the report: “Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported“. So far so good. Unfortunatelly whoever put it together, apparently, doesn’t understand what an “operating system” is. So according to that Cyber Security Bulletin only two operating systems exist: Windows and Unix/Linux. And so under that classification, the US-CERT bulletin states:

“There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating vulnerabilities; and 2058 Multiple operating system vulnerabilities”

We all know how competent and umm… competent the press is. There is no point in blaming this on the “Microsoft Press Machine” though I’m sure they were happy to give a hand to the more useless members of the press, the fact is they didn’t have to. Out of the majority of the reporters out there, the few that actually understand anything about what they are reporting on are usually incapable of doing anything more than just copying a press release into a text processing program and changing the words a bit as well as occasionally asking for quotes from “experts” – people usually attached to a big company that has something to lose by telling the whole truth. And I’m not even going to mention their need for sensationalist headlines… oh wait I just did. All this said, it was obvious to everyone with half a brain that the words in the US-CERT bulletin were going to be interpreted/transcribed by the press as “Windows is more secure than Unix/Linux” or even more appallingly as “Windows 3X safer than Linux“.
I don’t know what makes me more sad: the fact that the tech press still doesn’t know that security of an operating system cannot be effectively measured by number of vulnerabilities alone, the fact that they don’t know that “Unix/Linux” actually consists of a large number of different operating systems OR that the US-CERT doesn’t know it – or at least decided to pretend it didn’t know, in which case the question becomes “Is it worse to be incompetent or corrupt?”
And now, for the facts. First of, like I said before, “Unix/Linux” isn’t an operating system but rather a large number of very different operating systems like for example IBM’s AIX, Apple’s Mac OS X, RedHat Linux and NetBSD. As if this mistake wasn’t big enough, somehow, the US-CERT decided that a vulnerability in firefox was a “Unix/Linux”-specific problem even though the majority of firefox users are probably runing it in Windows. You can argue that most open-source OSes include firefox as the default browser and this a firefox vulnerability is more or less analog to a IE vulnerability in Windows (even though IE’s integration into Windows is much greater than FF’s in any Linux distro) but the bulletin in question makes no distinction between software integrated into the OS and third party software.
When the vulnerabilities are properly broken down by OS, the picture we get is quite different:

All of Microsoft’s discovered security exploits for Windows only amount to a pretty reasonable 44. Microsoft products in total (including MS Office, Internet Explorer, ASP.NET and the like) comes to 122.
(…)
Individual Unix distributions faired very well: Apple Mac OS X clocked in at 21 vulnerabilities, tied with IBM’s AIX. HP-UX had only 15 vulnerabilities. SCO had only nine.
For the top Linux distributions, things look peachy. Red Hat had seven vulnerabilities; Suse 12; Debian 10; and Gentoo a mere five.
Non-Linux open souce distribution FreeBSD clocked in with 13, while ultra-secure NetBSD maintained its reputation with two vulnerabilities reported.

And like NewsForge pointed out, US-CERT’s own Technical Cyber Security Alerts shows a different picture:

* 22 Technical Cyber Security Alerts were issued in 2005
* 11 of those alerts were for Windows platforms
* 3 were for Oracle products
* 2 were for Cisco products
* 1 was for Mac OS X
* None were for Linux

And more:

US-CERT’s list of current vulnerabilities contains a total of 11 vulnerabilities, six of which mention Windows by name, and none of which mentions Linux.

And like RedHat said comparing Linux with Windows: “fewer vulnerabilities were critical and patches were brought out more quickly.“.
And to make matters worse, all this talk about windows being more secure than the so called “Unix/Linux” operating system, the whole WMF drama is unfolding: first an Exploit Released for Unpatched Windows Flaw, then a New IM Worm Exploiting WMF Vulnerability, followed by Microsoft to Patch WMF Exploit Early and what is a drama without a hero? More dramatic. In typical MS fashion, the final exclamation point: Two New WMF Bugs Found. For 7 days a fairly serious vulnerability remained unpatched by Microsoft… what more can I say?
As a result the computer security community will be drinking its milk from a carton with the word “MISSING” in the back, right above a picture of US-CERTs credibility. Will it ever be found?

Cheating in Counter-Strike

Wikipedia has a very interesting article about cheating in Counter-Strike. It includes history, explains the different types of cheats and describes anti-cheating software.

Pure Pwnage

Pure Pwnage is, according to wikipedia,

a webisode series by ROFLMAO Productions featuring a Canadian professional video game player named Jeremy. The show portrays the making of one “gamer’s life”. Settings for the show include Toronto and occasionally Calgary or Montréal. Jeremy reveals to the viewers throughout the series what it is like to be a pro gamer. He claims to use “Über Micro” (an actual style of video gaming) which he displays to fellow gamers as a form of communication.

You might know them from the very famous “FPS Doug” episode from which quotes such as “I run faster with a knife” and “BOOM! HEADSHOT!” originated (or at least became popular).
Very funny.