The worst security problems?
About a month ago, the SANS Institute, in cooperation with the U.S. Federal Bureau of Investigation, released its list of "The Twenty Most Critical Internet Security Vulnerabilities (Updated) - The Experts' Consensus" for 2002.
The information provided was picked up and relayed to the public by many news sites and major newspapers across the United States and Canada. Although the SANS Institute notes, further down in the top-20 page, that this is actually two top-ten lists, even sophisticated publications such as Computerworld, which referred to the list as the "top 20" throughout its front page treatment of the story, didn't make that distinction clear to readers.
In addition, you have to dig fairly deeply into the announcement to see the top 10 Windows list is limited to a few current variants of major Windows-brand server operating systems, while the Unix list includes applications, desktops and bugs going back at least as far as 1990. More subtly, the title coupled with the silent omission of all information about the relative costs and risks represented by the listed vulnerabilities invites readers to impute a rational basis, such as cost or risk, for the rankings shown.
[ Read more ]
- News: Fixing the FBI's 'Top 20' security flaws isn't enough (7 October 2002)