“The problem I have with Mr. Moody’s article is not the
conclusion he comes to, although I do disagree with it. It is
instead a problem with the methods used to reach that
conclusion.”
“The worst situation by far is when the statistics are not only
‘massaged’ to serve personal or corporate goals, but interpreted
incorrectly in the first place. The Bugtraq stats have been used
and referenced in various articles and endeavors, with varying
degrees of accuracy. The most egregious example of misuse and
misinterpretation by far to this point is in the article referenced
above, where Mr. Moody states that Linux is the most insecure OS
available. This is based on a gross misreading of the available
data.”
“The numbers for ‘Linux (aggr.)’ reflect the total number of
reported vulnerabilities across all distributions of Linux; if it’s
a Linux, it’s in there, RedHat included. Also, if the same
vulnerability is present in more than one distribution, it counts
once. Therefore, for a representative number of all known Linux
security bugs, one would only look at the Linux (aggr.) statistic.
Therefore, since 84 (for Linux) is demonstrably less than 99
(for NT), I submit that these statistics can certainly not be used
to prove that Linux has more vulnerabilities than NT.”