SecurityFocus.com: Linux Sux Redux: A Rebuttal
Aug 04, 2000, 02:44
(Other stories by Ben Greenbaum)
"The problem I have with Mr. Moody's article is not the conclusion he comes to, although I do disagree with it. It is instead a problem with the methods used to reach that conclusion."
"The worst situation by far is when the statistics are not only "massaged" to serve personal or corporate goals, but interpreted incorrectly in the first place. The Bugtraq stats have been used and referenced in various articles and endeavors, with varying degrees of accuracy. The most egregious example of misuse and misinterpretation by far to this point is in the article referenced above, where Mr. Moody states that Linux is the most insecure OS available. This is based on a gross misreading of the available data."
"The numbers for "Linux (aggr.)" reflect the total number of reported vulnerabilities across all distributions of Linux; if it's a Linux, it's in there, RedHat included. Also, if the same vulnerability is present in more than one distribution, it counts once. Therefore, for a representative number of all known Linux security bugs, one would only look at the Linux (aggr.) statistic. Therefore, since 84 (for Linux) is demonstrably less than 99 (for NT) I submit that these statistics can certainly not be used to prove that Linux has more vulnerabilities than NT."