Bob Beck wrote:
> * Matthias Kilian <[EMAIL PROTECTED]> [2006-01-23 15:58]:
> > On Mon, Jan 23, 2006 at 05:08:00PM -0500, Dave Feustel wrote:
> > > Secunia gives OpenBSD a pretty nice security rating at
> > > http://secunia.com/product/100/
> > 
> > Those statistics say nothing at first glance. For example, I could
> > argue that PHP 4.3.x is more secure than OpenBSD because there were
> > 
> ....
> 
> > 
> > And what's really missing at secunia.com is some data about response
> > time wrt. severity.
> ....
> 
>       Well, the other thing is that their "severity" is often a bit
> misguided too, for example on the OpenBSD page they list the sendmail
> problem from 2003 as pretty severe, but it's the same as they listed
> it for every other operating system...
> 
>       Here's the catch though - I remember this one - ProPolice caught it
> on OpenBSD, so it actually WAS NOT EXPLOITABLE.
> 
>       So, given that it wasn't exploitable on OpenBSD, but was
> on everything else that has it, why does it have the same "severity"
> rating? Make sense to you?
> 
>       These sorts of "glob it together and rank it" sites are
> just collections of random knowledge. Nothing more.
> 
>       -Bob

Just my opinion, but these "glob it together and rank it" <whatever>s
seem to think that makes a substitute for actually knowing something.

I will take issue with the "collections of random knowledge".
Random collections of isolated statistics are NOT knowledge.

Anything that makes something unexploitable that would be severe
if it were exploitable, is certainly worth noting.

If that is the calibre of whatever claims to be ranking security ...