So as I've noted in the past, Coverity has been using their tool to scan Open Source software as what I presume is a rather clever marketing campaign. This is the third year they've been doing this, and they claim that there is a 16 percent reduction in flaws found. They are of course claiming that the software has become 16 percent better, not that their tool is 16 percent worse.
A story like this is probably misleading and can be really hard to understand. The real story is that Open Source software has gotten better at fixing the sort of things that Coverity scans for. It's another debate, of course, whether this is the result of Coverity scanning the source or of better upstream practices. I would be most interested in seeing how many of the bugs Coverity found were fixed, and whether that 16 percent lines up with their previously found bugs.
Understanding statistics is really hard to do and even harder to properly analyze. A story such as this is often misleading, and the organization writing it will make sure it's in their favor. This is best explained with an example. Imagine you have a group of people at risk for heart attacks. It's also quite likely that these people have poor diets that put them in this position. Now suppose you conduct a study where they eat oatmeal for breakfast. It turns out the folks who ate the oatmeal had fewer heart attacks. So obviously oatmeal is a magic food that prevents heart attacks! ... right? There are a few ways to look at this. The most likely is that these folks were eating terrible things for breakfast, so eating pretty much anything other than what they had been eating would reduce their risk of heart attacks.
I'm not saying that coverity ISN'T responsible for better Open Source code, they might be, but I'm also saying that we can't really know they are without more information.
So it would seem those clever virus writer types are now also leveraging the synergisticismly awesomeness of THE CLOUD.
It's no real surprise to anyone: if you're running a vulnerable web app, it's quite likely your server is going to be compromised. I'd even be surprised if this is the first web-app based worm, but it will likely get more press than others. The fundamental issue boils down to folks not keeping their systems updated. This is where leveraging things like distribution packages is a big plus, as when the distribution updates something all you have to do is install their updates.
So I'm back from the Red Hat Summit now. It was a good show. It's always nice to get some face time with customer folks and co-workers.
My talk went quite well, all things considered. The room, while small, was full, which is always nice. My voice was a bit rough. The party the night before I spoke was very loud, which meant that in order to talk you had to yell. This left me with a rather weak voice. Good thing I had a microphone.
The most unexpected outcome from my talk, I think, was listening to customers talk about how annoying all the false positives they get from various security scanners are. This is due to us backporting fixes: the scanner sees a package whose upstream version string is older than the version in which the fix first shipped, and flags it even though the distribution package already carries the fix. I plan to investigate this more in the near future, stay tuned.
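The following is an added example, not code from the original post or from any Red Hat tool, that shows why backported fixes produce these false positives. A version-only check compares the upstream version string against the version in which the fix first appeared, so a distribution package that carries the fix under an older version number is flagged anyway; a check that also consults the package's own changelog for the advisory identifier does not. The package name "examplelib", all version strings, the changelog lines and the CVE identifier are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Placeholder identifier: not a real CVE, used only to tie the constructed
# advisory to the constructed changelog entry below.
PLACEHOLDER_CVE = "CVE-0000-0000"


@dataclass
class Advisory:
    cve: str
    package: str
    fixed_upstream: str  # first upstream version that carries the fix


@dataclass
class InstalledPackage:
    name: str
    version: str  # upstream version string, e.g. "2.4.1"
    release: str  # distribution release tag, e.g. "7.el6"
    changelog: list = field(default_factory=list)  # package changelog lines


def parse_version(v: str):
    """Turn '2.4.1b' into a tuple that sorts numerically per component.
    Numeric parts are tagged 0 and alphabetic parts 1 so comparing mixed
    components never raises."""
    parts = re.findall(r"\d+|[a-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def naive_scan(pkg: InstalledPackage, adv: Advisory) -> bool:
    """What a version-only scanner does: flag the package whenever its
    upstream version string is older than the upstream fix version."""
    if pkg.name != adv.package:
        return False
    return parse_version(pkg.version) < parse_version(adv.fixed_upstream)


def errata_aware_scan(pkg: InstalledPackage, adv: Advisory) -> bool:
    """Same version test, but a package whose changelog records the CVE
    as backported is treated as fixed even though its version is older."""
    if not naive_scan(pkg, adv):
        return False
    return not any(adv.cve in line for line in pkg.changelog)


# Constructed sample data for the fictional package "examplelib".
ADVISORY = Advisory(PLACEHOLDER_CVE, "examplelib", "2.4.3")

# Older upstream version, but the distribution backported the fix.
BACKPORTED = InstalledPackage(
    "examplelib", "2.4.1", "7.el6",
    changelog=[f"- backport fix for {PLACEHOLDER_CVE} from upstream 2.4.3"],
)
# Same upstream version, no backport: genuinely vulnerable.
UNPATCHED = InstalledPackage("examplelib", "2.4.1", "6.el6")
# Rebased to the fixed upstream release.
UPSTREAM_FIXED = InstalledPackage("examplelib", "2.4.3", "1.el6")


def compare_scanners(packages, adv):
    """Return {name-version-release: (version_only_flags, errata_aware_flags)}."""
    return {
        f"{p.name}-{p.version}-{p.release}": (naive_scan(p, adv), errata_aware_scan(p, adv))
        for p in packages
    }


if __name__ == "__main__":
    results = compare_scanners([BACKPORTED, UNPATCHED, UPSTREAM_FIXED], ADVISORY)
    for nvr, (naive, aware) in results.items():
        print(f"{nvr}: version-only flags={naive}, errata-aware flags={aware}")
```

Only the backported package separates the two checks: the version-only scan reports it as vulnerable while the errata-aware scan does not, and the two agree on the unpatched and rebased packages. Matching on the advisory identifier in the package changelog is the simplest form of this; a scanner aimed at a distribution's packages should consume that distribution's own security metadata rather than upstream version numbers.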
Dan Walsh showed off some spiffy stuff. I expect he'll have some blog posts soon about his sandbox project.